Quarterly Policy Review: The Living Security Plan

Policy is the program’s memory.

Every organization has some policies it wrote once, filed away, and now runs mostly from oral tradition. “We’ve always done it this way.” “The new volunteer learns from watching.” “The director handles that on a case-by-case basis.”

Oral tradition works, until the staff member who held the memory leaves. Then the policy on paper becomes the only remaining source of truth, and everyone discovers simultaneously that it does not reflect what the organization has actually been doing for three years.

Written policy is the program’s memory. It only works if it is kept current. Quarterly review is how that happens.

The rotation, explained.

Most small and mid-size organizations in Southwest Florida have between six and ten active security-relevant policies. A full review every quarter is unrealistic and unnecessary. Instead, we rotate through the set on a planned schedule.

Example rotation for a church or nonprofit

• Q1: Emergency action plan, volunteer handbook
• Q2: Child safety policy, access control policy
• Q3: Cash handling procedures, visitor and guest management
• Q4: Technology acceptable use, incident reporting, media and communications

The rotation ensures every policy is touched once per year. Policies with higher change velocity (staffing-linked documents, for example) can be reviewed more often if the circumstances warrant.

Adjusting the rotation mid-year

The schedule is a default, not a cage. If a significant event forces a mid-year review of a specific policy, we move it up. Common triggers:

• A material staff change affecting a specific function
• A new program or facility addition
• An incident, near-miss, or industry event that makes a specific policy urgent
• A regulatory or legal change affecting compliance
• A new insurance requirement

The quarterly review is structured to adapt to reality, not override it.

What we actually look for.

When we read a policy in review, we are asking a short list of questions.

Is it current?

Are the people named in the policy still in the roles described? Are the systems referenced still in use? Are the locations mentioned still accurate to the current facility? Most minor updates fall in this category.

Is it consistent?

Does the policy agree with related policies? A child safety policy that says “two adults present” and a volunteer handbook that allows “a volunteer to supervise alone when a parent stays nearby” is internally inconsistent. Quarterly review is where those conflicts get identified and resolved.

Is it practiced?

This is the hardest question. Does the policy describe what the organization actually does? We combine the written review with observations from the monthly walkthroughs and staff conversations. When practice and policy have drifted apart, we surface it and help leadership decide which way to close the gap.

Is it enforceable?

A policy that no one has the authority, training, or willingness to enforce is not a policy. It is a wish. Quarterly review asks whether the policy as written is something the organization is actually prepared to enforce, and if not, whether it should be changed or the enforcement gap should be addressed.

What changes between quarters.

Real policies shift in predictable categories.

People changes

Staff and volunteer turnover is the single most common reason policies need updating. A policy written for “Pastor Dave” does not automatically transfer to “Pastor Mark.” A protocol that relied on a specific long-tenured volunteer breaks when they leave.

Facility changes

A new wing, a renovated lobby, a reconfigured children’s area, a relocated office, a new playground. Every physical change to the facility has implications for emergency plans, evacuation routes, supervision protocols, and access control.

Program changes

New programs bring new security considerations. A church that adds a weekday food pantry now has different visitor patterns than before. A nonprofit that adds evening events has different after-hours dynamics. Policies need to adapt.

Threat environment changes

The threat environment is not static. National events, regional incidents, and industry-specific patterns shift the landscape over time. Policies that reflected 2019 realities may not capture 2026 realities.

Regulatory and legal changes

Florida’s regulatory environment for child care, senior living, and nonprofit governance evolves. Insurance requirements change. Federal grant programs like NSGP have specific compliance elements. Quarterly review keeps policies aligned.

The Hurricane Ian revelation about emergency plans.

After Hurricane Ian in 2022, many Southwest Florida organizations pulled their emergency action plans for the first time in years. The gap between the written plan and current reality was often substantial. Staff listed in the plan had left years ago. Phone numbers were disconnected. Shelter-in-place and evacuation decision criteria had been written for different facilities or different threat profiles.

The organizations that had maintained a quarterly review rhythm were in a different position. Their plans reflected their current staff, current facilities, and current decision frameworks. They activated those plans with confidence.

The event did not create a new kind of policy gap. It made a pre-existing gap visible.

Seeing clearly requires current eyes on current reality. Policies that have not been reviewed are older eyes looking at older reality. Quarterly review keeps the sight line current.

The artifact produced.

Each quarterly policy review produces:

• A revised version of the policy or policies reviewed, with changes tracked
• A brief review memo summarizing what changed and why
• A note on any enforcement gap identified and how it will be addressed
• A record of who was present for the review
• An update to the rotation schedule for the next quarter

The record of changes, built over time, becomes one of the most useful documents an organization produces. When new leadership takes over, or when a board asks for evidence of the security program’s evolution, the quarterly review record tells the story better than any single document.

Doing this without an fDoS engagement.

If you do not have a fractional Director of Security in place, you can still run quarterly policy reviews in-house. The key elements to preserve:

• A rotation schedule, written down, followed
• A named owner for each policy and a named facilitator for each review
• Enough time blocked for actual reading, not just formal sign-off
• A comparison between policy and practice, not just a read of the document
• A written change log
• External eyes at least once a year (if not monthly), to catch what internal review misses

The external eyes piece matters. A policy review done entirely in-house tends to miss the gaps that only an outsider can see. For most small and mid-size organizations, that is the argument for combining internal quarterly rhythms with an annual audit or ongoing fDoS engagement.

The document that stays alive.

Written policy is only useful if it reflects what the organization actually does. The living security plan is the plan that is reviewed, updated, and enforced on a rhythm. The fDoS quarterly review is the mechanism that keeps it living.

If your organization in Fort Myers, Cape Coral, Naples, or Port Charlotte has policies that have not been read end-to-end in a year or more, quarterly review is the habit worth building. We would be glad to help start the rhythm.