Q. We always strive to show the business side that corporate security is more than just “security tactics.” That what we do is strategic and makes a business contribution. Any thoughts on this?
A. One way to achieve this goal is to identify and create metrics that articulate the value the security group can bring. The first step is determining where the data resides. The security group may not have direct access to discrete cost data, particularly since we are often in operating divisions where elements of risk management fall under different business functions. In those circumstances, the ability to find key financial advisors to assist in hunting down numbers will be helpful. For example, a security group at a large metals and manufacturing firm polled their comptrollers worldwide for data when they kicked off their global security effort a couple of years ago.
To find data for your metrics, look to inventory or survey risk outcome costs from accidents, business interruptions, crimes, injuries, litigation, turnover, etc. Sources of this data are likely to be external to the organization; for example, the Bureau of Justice Statistics, crime compensation research, the European Sourcebook of Crime Statistics, National Crime Victimization Surveys and other sources of research on the cost or economics of crime, violence and injury.
The following are some examples of sources of internal data for security metrics:
- Cash/inventory shortage
- Casualty loss
- Compliance fines and penalties
- Injuries – workers' comp and others
- Insurance claims
- Litigation and settlement
- Profit and loss statement
The security leader and his team at an aircraft manufacturer used this method to research the external cost of emergency response. They were able to effectively demonstrate the savings the company could achieve by running the program internally. As we examine incident response rates against risk outcomes, we get to the value assertions Security needs in order to demonstrate that we have a return on investment.
As an example, let’s say we know that the average cost of a homicide or assault in the business environment is X. We can use cost avoidance attribution because we are undertaking activities that lend themselves to a safer workplace. Using available per-population crime statistics, Security may be able to report that the organization has avoided any number of incidents that might otherwise be valued at Y.
The organization begins to understand that, had it experienced those negative incidents, insurance would be increasing, and management distractions and business interruptions would occur. Security can then make the case that unwanted incidents in an otherwise prospering environment will have a negative impact on the business, and can “connect the dots” to show that Security's prevention or mitigation of those incidents results in hard cost savings.
These are a few of the things to start looking at when attempting to determine where the data resides in your organization. Make sure that you understand what the relevance of the numbers is, what the priorities of the business are, and where the cultural sensibilities lie, and align any reported metrics with a good explanation that demonstrates the value security offers.