Strategic Security Plan
Management should develop and submit to the Board for its consideration and approval a business strategy that takes into account the organization’s mission statement, values, strategic objectives, business and economic environment, financial position, and risks to which the organization is or will be exposed in conducting its operations. The time-frame of the plan should be three to five years, and will cover all significant operations.
“Risk strategy” and “risk appetite” may be treated as separate concepts but they must be considered together. The strategic plan must consider how much risk the organization wishes to take on, the type of risk it will knowingly assume, the rate of return the organization expects on the risks that it does knowingly assume, and the control steps the organization will take to reduce the impact of risk it does not wish to assume.
The Strategic Security Plan is derived from the organization’s overall strategic business plan and addresses what needs to be done from a security point of view, and in what priority. This plan should cover the same time period as the strategic business plan. It will consider branch renovation, new construction and security equipment and staffing that will need to be expensed over several accounting periods. It should consider both expected losses (based on probability) as well as unexpected loss (based on possibility).