From Security Assessments to Security Governance: Why Municipalities Are Re-Thinking How Security Is Managed

Across Canada, municipalities continue to invest in physical security risk assessments, audits, and technical reviews. These exercises are valuable. They identify vulnerabilities, document risks, and often produce well-reasoned recommendations that help organizations understand where their security posture is exposed or outdated.

 

Yet a recurring problem persists: security is assessed but not governed.

 

Once the final report is delivered, findings slowly lose relevance. Staff turnover occurs. Capital plans shift. Incidents happen. Council priorities change. What was once a defensible, risk-informed position gradually becomes outdated until the next incident forces renewed attention.

 

This gap between assessment and sustained oversight is where many municipal security programs quietly fail.

 

Why One-Time Security Assessments Plateau

Most municipalities do not struggle with identifying security risks. They struggle with maintaining institutional memory, accountability, and continuity over time.

 

In practice, this often shows up in predictable ways. Security incidents may recur without meaningful longitudinal analysis to determine whether risk is increasing, shifting, or simply unmanaged. Access control and CCTV systems age in place, operating well past their intended lifecycle, without a clear modernization or replacement roadmap. When auditors or insurers ask how security risks are being managed, documentation exists but it is outdated, fragmented, or no longer reflective of current conditions.

 

These challenges are compounded by turnover in Facilities, Corporate Security, or Operations roles, where critical knowledge about why certain decisions were made leaves with the individual. The issue is frequently brought to the surface following a public or high-visibility incident, when Council pressure accelerates questions that should have been addressed gradually and proactively.

 

In these moments, the organization is not starting from zero. Controls exist. Assessments have been done. But the municipality is often operating without a living security governance framework that connects past decisions to present realities.

 

Security findings decay when there is no stewardship mechanism in place to track how risks were accepted or mitigated, confirm whether recommendations were implemented as intended, and reassess underlying assumptions as operations, threats, or environments change. Without that structure, even well-executed assessments plateau.

 

Security as an Operating Discipline, Not a Project

Mature municipal risk disciplines such as finance, health and safety, and emergency management are not treated as episodic projects. They are governed functions, supported by defined cadence, oversight, and reporting structures that persist regardless of individual staff changes or political cycles.

 

Security should be no different.

 

A resilient municipal security posture depends less on individual technologies and more on how security is governed. Clear lines of ownership, consistent visibility into performance, and decision-grade information for senior leadership and Council matter far more than any single system or control. Without governance, technology becomes reactive, investments become fragmented, and accountability becomes unclear.

 

This is where Security Program-as-a-Service enters the conversation, not as outsourcing, but as structured governance support.

 

What Security Program-as-a-Service Actually Is

Security Program-as-a-Service (SPaaS) is best understood as a standing advisory and assurance function that supports municipal leadership in governing security risk over time. It is designed to provide continuity, independent oversight, and forensic-level discipline to how security risks are identified, tracked, and reported.

 

Equally important is what it is not.

 

SPaaS does not involve guard force management, day-to-day incident response, or the transfer of operational authority. It does not replace internal decision-making or accountability. Instead, it operates as an embedded governance partner, helping municipalities maintain clarity, consistency, and defensibility in their security posture.

 

The line is drawn clearly:

SPaaS governs the program; it does not run operations.

 

How SPaaS Works in a Municipal Context

While tailored to each organization, a typical municipal SPaaS engagement follows a predictable and disciplined structure. Quarterly governance reviews are aligned with Council reporting and budget cycles, ensuring security risk remains visible at the right level and at the right time.

 

A living security risk register is maintained and updated as conditions change, rather than revisited only when an incident occurs. Vendor and integrator performance is reviewed to confirm that security investments are delivering their intended outcomes, not simply being maintained out of habit. KPI and KRI dashboards translate technical findings into executive-level insight, allowing leadership to see trends, emerging risks, and areas requiring attention.

 

An annual program refresh provides a formal checkpoint to validate assumptions, reassess threat context, and confirm whether residual risk remains acceptable.

 

The cadence is predictable. The outputs are decision-oriented. The focus is governance, not gadgets.

 

What Municipalities Gain

Municipalities using this model gain far more than updated documentation. They gain continuity, even as staff or leadership changes occur. They gain defensibility when questioned by auditors, insurers, or the public about how security risks are being managed.

 

Early visibility into emerging risks allows issues to be addressed before they escalate into incidents. Institutional memory is preserved beyond individual roles, and leadership is supported with a clear, consistent security narrative they can stand behind.

 

Most importantly, security decisions shift from reactive to deliberate.

 

What It Is Not

To be explicit, Security Program-as-a-Service is not a guarding solution, an IT or SOC monitoring service, or an investigations unit. It is not a substitute for municipal authority or accountability.

 

It is a governance and assurance model designed to help municipalities own their security posture with clarity and confidence.

 

From Projects to Programs

Security incidents will continue to occur. Public scrutiny will not diminish. Budgets will remain constrained, even as expectations for transparency and accountability continue to rise.

 

In this environment, the question facing municipalities is no longer whether security risks should be assessed, but how those risks are governed over time. One-time studies, however well executed, capture only a moment in time and are not designed to carry an organization through staff turnover, evolving threat environments, or shifting Council priorities.

 

Moving from one-time projects to an enduring program model is not a technological shift. It is a governance decision, one that determines whether security remains reactive, or becomes a managed, defensible municipal function.

 

If your Municipality wants to learn more about this topic, contact me directly at [email protected] for further assistance.


Our Knowledge Partners Present… Tools for Your Municipality!


With a plethora of technology tools available in today’s marketplace, municipal staff have the challenge of sifting through the offerings and determining which tools offer the most in terms of productivity and attaining the goals and objectives set out by their councils and leadership. This webinar will showcase the benefits of various tools and services available to municipal decision-makers with a focus on productivity and transparency.

Presentations will be made by Dye and Durham, ASSOCIUM, and CAFAE.

February 11 at 1:00 PM EST

See the Event Page for more information.


Brought to you by muniSERV.


2025: A Year of Security, Done Properly

In an environment where security is often discussed in absolutes (more technology, more controls, more urgency), 2025 reinforced a quieter but more important truth: effective security is not about volume or visibility. It is about judgment.

 

Over the past year, organizations across public, private, and critical environments have faced increasingly complex risk landscapes. Physical security threats have not disappeared; they have diversified. Operational constraints, governance expectations, regulatory scrutiny, and reputational risk now intersect in ways that demand clarity rather than reaction.

 

This year’s work reinforced a consistent theme: security that is fit for purpose, defensible, and aligned to organizational reality outperforms security that is simply performative.

 

Physical Security, Risk, and Governance in Practice

Physical security cannot be treated as a standalone discipline. In 2025, the most effective programs were those that treated security as a governance function, one that integrates risk management, policy, operational capability, and executive oversight.

 

Across multiple engagements, the focus was not on identifying every conceivable threat, but on understanding which risks materially mattered to the organization. This distinction is critical. Not every vulnerability requires remediation, and not every risk justifies investment. Mature security programs differentiate between theoretical exposure and operational consequence.

 

Risk-informed decision-making, grounded in evidence rather than assumption, allowed organizations to allocate resources deliberately, defend decisions internally, and communicate clearly with leadership.

 

Risk Assessments as Decision Tools

Threat and risk assessments were not treated as static reports or compliance exercises. Instead, they were used as structured decision tools.

 

Effective assessments in 2025 demonstrated several common characteristics:

  • Clearly defined accountability
  • Aligned with actual operational capability
  • Reflected regulatory and legal realities
  • Enabled enforcement rather than exception

The value of these assessments was not in identifying risk, but in enabling informed trade-offs. Leadership does not require certainty; it requires defensible reasoning. When assessments were framed accordingly, they supported strategic conversations rather than operational debate.

 

Policy and Governance Frameworks That Function

Policy development and governance frameworks represented a significant portion of security work this year. Not because policies were missing, but because many existed without clarity, ownership, or operational linkage.

 

Effective governance frameworks in 2025 moved beyond aspirational language. They:

  • Clearly defined accountability
  • Aligned with actual operational capability
  • Reflected regulatory and legal realities
  • Enabled enforcement rather than exception

Importantly, governance was positioned as an enabler, not a constraint. When policies reflected how organizations actually functioned, compliance improved and risk posture became more consistent across sites and business units.

 

Executive and Board Advisory: Speaking the Right Language

Security discussions at the executive and board level require translation. Technical detail must give way to consequence, exposure, and decision thresholds.

 

Advisory work this year focused on helping leadership understand:

  • What risks were being accepted, and why
  • Where controls were sufficient, and where they were not
  • How security aligned to broader enterprise risk management

The most productive conversations occurred when security was framed not as a cost center or protective function, but as a governance responsibility tied to duty of care, operational resilience, and organizational credibility.

 

Measured. Defensible. Fit for Purpose.

These three principles consistently defined effective security outcomes in 2025.

 

Measured security avoids reaction. It relies on proportionate response, calibrated controls, and evidence-based prioritization.

 

Defensible security withstands scrutiny. It can be explained, justified, and supported when challenged by regulators, auditors, executives, or the public.

 

Fit-for-purpose security acknowledges context. What is appropriate for one organization, facility, or risk environment may be excessive or insufficient for another.

 

Together, these principles form a foundation for security that is sustainable rather than reactive.

 

Looking Ahead

As organizations move into 2026, the expectation on security functions will continue to rise, not necessarily for more control, but for better judgment. Clarity of purpose, governance alignment, and defensible decision-making will remain the differentiators between mature security programs and those that struggle to justify their existence.

 

Progress this year was made possible through collaboration with clients, partners, and internal teams willing to engage honestly with risk rather than avoid it.

 

Thank you to those who allowed us to engage with them to do this work. The path forward is not about doing more security. It is about continuing to do it properly.

 

If your Municipality wants to learn more about this topic and read the full article version, visit here. Feel free to contact me directly at [email protected] for further assistance.


Your Insights, Our Focus: Advancing Security Risk Management Together

Over the years, we’ve explored numerous critical areas of security and risk management together, diving deep into topics that shape the resilience and safety of our organizations. We’ve engaged many members with thoughtful discussions on Physical Security Trends and Predictions, comprehensive explorations in our nine-part series on Crime Prevention Through Environmental Design (CPTED), and insights into Business Continuity Management to maintain operational integrity during challenging times.

We’ve addressed essential themes like Situational Awareness, critical insights on Security Risk Budgeting, the foundational elements contributing to Risk and Security Program Success, confronting Risk Complacency, and cultivating Organizational Resilience. Moreover, we’ve analyzed broader frameworks such as Enterprise Security Risk Management (ESRM) and practical guides for conducting effective Security Risk Assessments.

As valuable as these discussions have been, the most crucial insights often come directly from you. We understand that security and risk management may not be your primary area of expertise, and your days are busy managing numerous municipal priorities. Yet, your perspective, challenges, and questions are essential.

Now, we’re turning the conversation back to you. We want to hear directly about what matters most in your daily responsibilities—what areas of security risk management do you wish were clearer, more accessible, or simply better addressed?

Your feedback and questions will guide our future content, ensuring it’s relevant, actionable, and tailored precisely to your needs. Whether it’s a specific issue you encounter regularly, a broader conceptual framework, or practical guidance you wish to explore, we’re eager to listen and respond.

Please take a moment and reach out to share your thoughts, questions, or topic suggestions. Your input is vital, valued, and appreciated.

Contact me directly at [email protected]. Let’s continue building safer, more resilient communities—together.


A Year in Review: Physical Security Trends and Predictions for 2025

As 2024 comes to a close, it is crucial to reflect on the lessons learned, challenges faced, and advancements made in the field of physical security. This year saw significant shifts in the way organizations, governments, and individuals perceive and implement security measures. Emerging technologies, evolving threat landscapes, and geopolitical tensions all played a role in shaping the physical security landscape.

In this article, we explore the key physical security trends of 2024, analyze the common threats and risks faced, and provide insights into what the coming year may bring, including the growing significance of Crime Prevention Through Environmental Design (CPTED) principles.

Key Physical Security Trends in 2024

1. Integration of Physical and Cybersecurity

One of the most noticeable trends of 2024 was the convergence of physical and cybersecurity. With the rise of Internet of Things (IoT) devices, particularly in surveillance and access control systems, vulnerabilities in cybersecurity increasingly posed risks to physical security. For example, ransomware attacks on physical security infrastructure, such as smart locks and video surveillance systems, became more frequent.

Key takeaway: Security professionals must adopt a holistic approach that considers both physical and cyber threats as interlinked aspects of overall safety.

2. Advancements in AI-Powered Surveillance

Artificial Intelligence (AI) played a transformative role in video surveillance. AI-driven systems enhanced capabilities in detecting suspicious activities, recognizing individuals, and even predicting potential threats through behavioral analytics. However, concerns regarding privacy and ethical use of these technologies remained a significant issue.

Key takeaway: The balance between enhanced security and privacy compliance will remain a focal point moving forward.

3. Focus on Workplace Violence Prevention

With workplace violence incidents on the rise globally, organizations prioritized measures to safeguard employees. These included more robust access management, improved training programs, and the integration of early warning systems to detect potential threats.

Key takeaway: Comprehensive risk assessments and proactive training programs are essential in preventing workplace violence.

4. Increased Emphasis on Sustainability and CPTED

Sustainability and Crime Prevention Through Environmental Design (CPTED) principles became intertwined as organizations sought security measures that aligned with global environmental goals. CPTED principles—such as natural surveillance, territorial reinforcement, and access control—were increasingly incorporated into sustainable designs for urban planning, commercial developments, and even residential neighborhoods.

Examples included:

  • Natural Surveillance: Using landscaping and lighting to maximize visibility in public areas, reducing opportunities for crime.
  • Territorial Reinforcement: Designing physical spaces to foster a sense of ownership and deter unauthorized access, such as defined property boundaries and community-focused layouts.
  • Access Control: Integrating physical barriers like fencing, gates, and bollards in a way that complements architectural aesthetics.

Key takeaway: The integration of CPTED into sustainability initiatives is not just a trend but a necessity, helping create safer and environmentally friendly communities.

 

Threat Trends in 2024

1. Insider Threats

Insider threats continued to dominate the risk landscape. Disgruntled employees, social engineering tactics, and poor access management protocols contributed to many security incidents. The overlap between insider threats and hybrid work environments amplified the challenges for security teams.

2. Geopolitical Tensions and Critical Infrastructure

Heightened geopolitical tensions increased the targeting of critical infrastructure, such as power grids, water facilities, and transportation networks. These attacks often combined cyber and physical elements, exemplifying the need for cross-functional security measures.

3. Climate-Related Risks

Natural disasters, exacerbated by climate change, posed threats to physical infrastructure. Security measures needed to account for severe weather events, from securing facilities against flooding to managing evacuation protocols. CPTED principles, such as defensible space and proper site planning, were increasingly applied to address climate risks in urban environments.

4. Public Spaces and Mass Gatherings

Public spaces and mass gatherings remained vulnerable to violent incidents, including active attacker situations and terror attacks. Security for these venues required greater emphasis on rapid response capabilities and crowd management strategies. CPTED principles, such as controlling pedestrian flow through thoughtful design and incorporating natural barriers, played a vital role in reducing vulnerabilities.

 

Common Areas of Physical Risk

1. Access Management

Despite advancements in technology, unauthorized access remained a persistent risk. Common vulnerabilities included poorly managed visitor access, unsecured entry points, and reliance on outdated lock-and-key systems.

2. Video Surveillance Gaps

While surveillance systems have become more sophisticated, gaps in coverage, insufficient storage capabilities, and inadequate monitoring persisted as vulnerabilities.

3. Emergency Preparedness

Many organizations struggled to maintain comprehensive emergency response plans. Limited training, lack of coordination with first responders, and outdated communication systems were frequent issues.

4. Design Flaws in Public Spaces

Design flaws in public and shared spaces emerged as a common area of risk. Poor lighting, obstructed sightlines, and lack of clear territorial markings contributed to increased vulnerability to crimes. These issues underscored the importance of incorporating CPTED principles during the planning and retrofitting phases of public and commercial developments.

 

Looking Ahead: Predictions for 2025

1. Wider Adoption of Biometric Systems

Biometric access management systems, such as facial recognition and fingerprint scanning, are likely to become more prevalent. These technologies offer enhanced security but will require careful implementation to address privacy concerns and mitigate false positives.

2. CPTED for Smart Cities

As urban areas embrace “smart city” initiatives, CPTED principles will be adapted to fit interconnected and data-driven environments. Smart lighting, integrated traffic management systems, and AI-enabled public safety networks are poised to redefine urban security. For instance, AI-powered streetlights could adjust their brightness based on pedestrian activity, enhancing natural surveillance.

3. Hybrid Security Models

The future lies in hybrid security models that combine physical barriers with advanced digital technologies. For instance, integrating drones for perimeter surveillance with AI-powered monitoring systems could enhance security coverage significantly.

4. Regulatory Changes and CPTED Guidelines

Governments are expected to introduce stricter regulations around data protection and privacy in security systems. Simultaneously, CPTED-specific guidelines may evolve, emphasizing community safety in the context of sustainable urban design.

5. Greater Emphasis on Training and Resilience

With threats becoming more unpredictable, training programs will focus on building organizational resilience. This includes not only physical security measures but also psychological preparedness, CPTED-informed crisis management strategies, and enhanced communication protocols.

 

Conclusion

 

The past year underscored the evolving nature of physical security, marked by technological advancements, new threat paradigms, and a growing emphasis on sustainability and CPTED principles. As we enter 2025, security professionals must remain agile, continuously learning and adapting to the dynamic risk landscape. By leveraging technology responsibly, incorporating CPTED into all phases of design, and fostering cross-functional collaboration, the physical security community can rise to meet the challenges ahead.

 

If your Municipality wants to learn more about this topic and read the full article version, visit here. Feel free to contact me directly at [email protected] for further assistance.


Peel Region’s Asset Management Journey

By Leanne Brannigan, Acting Director, Enterprise Asset Management, Region of Peel (ON)

How do you “do” asset management… and where do you start?

The simple answers are, “Just do it”, and “Start from wherever you are”!

Every municipality is at a different place in their journey, and that’s okay. They have differing levels of asset management maturity, differing data and information and different levels of organizational buy-in and support. The best tip is to start where you are and reach out to your local communities of practice (yes, they exist across the country; I am most familiar with Asset Management Ontario), the Canadian Network of Asset Managers, the Federation of Canadian Municipalities or any of the numerous asset management training partners across the country. Many have free tools to figure out where you are, your best next steps to gap fill, and tools to help you along that journey.

At Peel, we have been on our asset management journey since 2007 (Journey is documented on page 27 & 28 of our EAMP that I have added for reference at the end of this write up). Our leadership recognized that the Region’s infrastructure is necessary to provide service levels that the public expects, achieve Term of Council Priorities, and realize the vision of the Region of Peel as a Community for Life. This realization of our senior leadership that using tangible capital asset accounting (TCAA) data is a backwards looking exercise, and that asset management allowed us to look forward to ensure that we continued to meet the levels of service that our community expected was foundational for our journey. Maintaining existing assets in a state of good repair and building new infrastructure which meets current and future needs is critical to the success of the Region of Peel.

Across the organization we had data and asset information gaps, and the data that we did have was at different levels of maturity, age, accuracy and in different systems and sources. That did not stop us from using what we did have to compile and show evidence of the necessity of an infrastructure levy to support future infrastructure and service delivery and to help establish intergenerational equity. The ones using the infrastructure should be the ones paying for it. Council established our first infrastructure levy in 2008 based on the work that our asset management team did and our journey has continued from there.

Establishing an asset management team soon followed and Peel developed a risk-based approach to asset management. This approach is integrated with the Region’s Strategic Plan and the Long Term Financial Planning Strategy and supports the desired service outcomes and the long term goal of a Community for Life. This did not happen overnight and was a slow progression as our maturity developed and we built confidence with the Program and service delivery areas, senior leadership and Council.

Today, Enterprise Asset Management is an integral part of the Region of Peel’s strategic and long-term planning practices. It focuses on developing sustainable plans to maintain the infrastructure over a planning horizon that can be as long as 100 years. Guided by the principle of continuous improvement, these plans support Council’s level of service targets and long-term financial strategies. The Region’s Asset Management program is guided by industry best practice, as well as regulatory requirements. The program is continuously evolving to leverage opportunities and address challenges.

The Enterprise Asset Management Plan uses lifecycle models to forecast infrastructure condition, reinvestment needs, and asset related risks to service. The models are specific to the Region’s assets and use the most recently available asset information, allowing us to regenerate risks and recommendations multiple times per year to support Capital Planning, and support annual Public issuing of our Infrastructure Status and Outlook Report which is a report card style report, as well as our more comprehensive Enterprise Asset Management Plan.

However, despite our accomplishments and being embedded in the organization, you are never done in asset management. To support the Region’s approximately $43 Billion of infrastructure we are committed to being a strong steward of the public’s infrastructure assets and are on a continuous improvement journey to ensure continued provision of high quality and affordable municipal services to the Peel community. We are currently supporting the organizational implementation of an Enterprise Asset Management System, development and improvement of decision support systems, integration of climate change adaptation and mitigation into our risk analysis and recommendations and have initiated work on a Diversity, Equity and Inclusion Strategy for integration into asset management considerations. It is a journey that makes asset management an exciting, strategic and valuable part of the municipal framework and an enviable profession to be a part of.

Enterprise Asset Management Road Map

Enterprise Asset Management is an integral part of the Region of Peel’s strategic and long-term planning practices. Introduced in 2007, the program focuses on developing sustainable plans to maintain the infrastructure over a planning horizon that can be as long as 100 years. Guided by the principle of continuous improvement, these plans support Council’s level of service targets and long-term financial strategies. The Region’s Asset Management program is guided by industry best practice, as well as regulatory requirements. The program is continuously evolving to leverage opportunities and address challenges.

Although the Region of Peel’s long-term asset planning program has been in place since 2007, it is still good practice to review the program to accommodate emerging trends. In 2017, the Region retained an independent third-party consultant to initiate a comprehensive asset management program review. The objective of the review was to align the Region’s asset management practices with industry best practices. As a result of the review, over the next several years several initiatives have been proposed. These initiatives will address emerging trends as well as focus on identified gaps.

Changes since the 2018 Enterprise Asset Management Plan

Asset Management Changes

  • Enterprise Asset Management (EAM) division established within the Finance department.
  • The Region’s Asset Management Policy has been updated to meet the new Ontario Regulation 588/17.
  • Assets supporting the Affordable Housing service managed by Peel Housing Corporation and Police service managed by Peel Police are incorporated into Asset Management reporting.
  • Operations and Maintenance costs incorporated into Service areas for full lifecycle costing considerations.

Improvements for the Future

  • Staff is undertaking many technical studies and condition assessments to improve knowledge of the Region’s infrastructure conditions.
  • Asset Management planning process improvements are being made across several services to improve investment forecasting and to manage risks to Regional services.
  • An Enterprise Asset Management System will be introduced to support asset management functions across the organization.
  • Assets supporting Peel Information Technology Infrastructure and Green Infrastructure will be added to the Enterprise Asset Management Plan in the 2024 reporting cycle.

1 In accordance with ISO (International Organization for Standardization) 55000
