The 30/60/90-Day Security Action Plan Explained

An audit without a plan is a book report.

You can write the best security audit in Southwest Florida, and if it does not end with a clear, realistic plan for what to do about it, the organization will put it on a shelf and keep living the same program.

The 30/60/90-day plan is the bridge between the report and the work. It turns observations into commitments. It tells leadership what to do first, what to do next, and what to prepare for. It gives the safety team lead something to point to in Tuesday meetings.

Without a plan, an audit is history. With one, it is direction.

How we decide what goes where.

Every finding in the audit gets a priority assignment. The decision is not arbitrary. Three criteria drive it.

Criterion 1: How much risk does it reduce?

High-risk findings go in 30-day when possible. Moderate-risk findings go in 60 or 90. Low-risk findings go in 90 or later, unless they bundle cleanly with a higher-priority item.

Criterion 2: How hard is it to implement?

Some high-risk items cannot be done in 30 days. Replacing a camera system, upgrading access control across a campus, or rolling out a new staff training program takes longer. Those get honest timelines even if the underlying risk is high. The 30-day bucket should hold things that are both important and achievable.

Criterion 3: How much does it cost, and who approves?

Items under discretionary spending authority can move fast. Items requiring board approval, capital budget allocation, or procurement cycles need more lead time. The plan respects the real governance rhythms of the organization, not an idealized version.

What the buckets usually look like.

In practice, for a typical church, daycare, senior living facility, or nonprofit in Fort Myers, Cape Coral, Naples, or Port Charlotte, the buckets tend to populate predictably.

30-day items

These are the things that can be done now, should be done now, and largely do not require new budget or board approval.

• Change keypad codes and rotate access credentials for anyone no longer needing them
• Revoke fobs, badges, and keys belonging to former staff and volunteers
• Update the monitoring service contact list and verify the call chain
• Brief staff on specific protocol changes (drop-off, visitor management, offering procedures)
• Fix immediate physical issues (broken lighting, damaged locks, exterior hazards)
• Schedule a tabletop exercise for the most relevant scenario surfaced by the audit

60-day items

These are items that require coordination, a small budget decision, or a training rollout.

• Purchase and install specific camera additions in flagged zones
• Roll out updated written protocols (children's check-in, visitor management, cash handling)
• Conduct a full alarm system test with the monitoring service
• Refresh volunteer background check compliance for any lapsed volunteers
• Schedule initial active shooter or medical response training for staff and key volunteers
• Implement a lone-worker or close-of-day protocol for staff finishing alone

90-day items

These are larger initiatives that require real planning, procurement cycles, or board decisions.

• Upgrade or replace a significant technology component (access control, alarm panel, major camera expansion)
• Build out an initial security team structure, with named roles and training expectations
• Establish a formal relationship with local law enforcement and first responders
• Draft and adopt a comprehensive emergency action plan
• Plan and run a full live drill with debrief and after-action report
• Evaluate grant opportunities for larger security expenditures

Pacing matters.

Tempting though it is, you should not try to do everything in the first 30 days. A plan that moves too fast creates change fatigue. Staff and volunteers who feel flooded with new rules often default back to old habits. The program loses more ground than it gains.

A well-paced plan respects the capacity of the organization. The 30-day bucket carries the urgent and the easy. The 60-day bucket carries the important-but-complex. The 90-day bucket carries the larger lift that needs runway. Done this way, each phase builds on the last. The team that closed the 30-day items is stronger, more engaged, and better prepared for the 60-day work.

Ownership, not assignment.

A plan without named owners does not execute. Every item in the 30/60/90 gets assigned to a specific person, not a committee. That person may delegate execution, but they own completion.

For smaller organizations, the most common ownership pattern looks like:

• Most 30-day items: safety team lead or senior staff
• 60-day items: department heads or the executive director
• 90-day items: the executive director or the board, depending on budget size

The ownership table is part of the plan itself. When we deliver the report, we walk through the ownership decisions with leadership. Sometimes the initially-assigned owner is the wrong choice, or the work needs to be distributed differently. Better to make that call before the clock starts.

The Hurricane Ian follow-through case.

After Hurricane Ian in 2022, we helped several Southwest Florida organizations run post-event audits. What stood out, months later, was which organizations had completed their action plans and which had not.

The pattern was not about size or resources. The organizations that completed their plans had two things in common: they had assigned explicit owners to every item, and they had scheduled a specific 90-day close-out meeting at the start. The date was on the calendar. That single calendar entry turned out to be one of the most powerful variables in predicting completion.

The verse is a promise about committed work. The operational parallel is straightforward. Plans that are committed, assigned, and calendared get done. Plans that are vague in any of those dimensions do not.

Tracking progress.

A good plan has a simple tracking rhythm. Weekly status for 30-day items. Biweekly status for 60-day items. Monthly status for 90-day items. A single shared document, updated by the owners, visible to leadership.

We deliberately do not recommend elaborate project management software for most small and mid-size organizations. A shared spreadsheet or a simple written status memo works better in practice. The tool is not the point. The rhythm is.

What the close-out review covers.

At 90 days, the plan hits a decision point. For organizations on a one-time audit, we recommend a formal close-out review at 90 days. The review covers:

• What closed on time
• What is still open, and why
• What was deferred to the next cycle
• What has emerged since the audit that needs attention
• Whether a follow-up audit is warranted, and on what timeline

For organizations on fDoS engagements, this review is built into the monthly cadence from day one. The 30/60/90 plan never really closes. It rolls. New items enter as old ones close.

A plan is a commitment, honestly made.

The reason to build a 30/60/90-day plan is that it forces honesty. About priorities. About capacity. About who actually owns what. An organization that can build a plan it believes in, and execute against it, is an organization whose security posture is actually improving.

The plan is not the report. The plan is what happens after the report. That is where the work lives.

If you want an audit that ends with a plan your team can actually run, we would be glad to walk your facility in Fort Myers, Cape Coral, Naples, or Port Charlotte and start the conversation.