Metrics for success

The knowledgeable insider is at the top of the list of threats to any organization - public or private. Part of our job is to make business leaders aware of the seriousness of this threat by using metrics that catch their attention. This month's graph measures one small aspect of reputational risk: the time involved in resolving an insider misconduct case resulting in termination for cause.

Objective: 1) To obtain and track data that documents the financial impact of identifying, investigating and adjudicating an employee who is the subject of alleged misconduct rising to the level of termination or prosecution. 2) To use this data to sensitize business unit and HR leaders to the necessity of setting expectations and monitoring questionable business conduct.

Considerations: What is the value of a company's reputation to its shareholders and the marketplace? Ask British Petroleum. Where are Enron and Arthur Andersen? Sure, these are really big deals compared to one insider going bad, but even a single insider incident can rise to the level of a serious crisis. Assessing the steps in a case like this (or any investigation for that matter) provides one of several potential views of incident consequences.

In this simplified case, let's say the employee's manager was suspicious of several items in two prior travel and entertainment claims and confronted him. The employee denied any wrongdoing, and an argument ensued. Over the next few weeks, Security audited several prior claim forms, and the investigation confirmed multiple fraudulent entries. In subsequent interviews the employee admitted to the false claims and was terminated.

In all, 91 days were required to go through the steps from identification of the potential problem to resolution of the case and replacement of the employee. Moreover, there were 85 days of lost productivity by the incumbent. If we use an average loaded hourly rate of $75.00/hr. for all staff working the steps seen in the graph, the cost from initial confrontation to termination would be $105,600. If this were a more consequential, high-profile fraud, this cost would not account for the financial impact to the bottom line or the potential damage to the brand when the case was highlighted in the upper right-hand corner of The Wall Street Journal.

Measuring reputational risk: While our graph focuses only on the potential financial impact of an investigation and termination for questionable conduct, this area of operational risk really centers on the market's perception of the trustworthiness of the business and the potential impact of lapses of corporate integrity on shareholder value. Think about the potential for internal misconduct or criminal activity by insiders at your company. What events could cause significant financial impact or longer-term loss of market share?

As I have said in numerous prior articles in this space, we enjoy a unique perch from which to view the resilience of the ethical framework - the hygiene - of the organization. We need to send up red flags when incident post mortems indicate trends in sloppy internal controls and lack of management engagement. We need to seek common denominators across multiple types of internal investigations. We need to share our well-thought-out and documented concerns with our corporate governance colleagues in Audit, Risk, Legal and HR and work together to connect the dots.

Security incidents offer unique opportunities to drill down and identify a finding or two that can be used to demonstrate to management that we are not simply responding but digging for root causes of business risk. The message in this simple example is not the cost of one employee gone bad, but the need to set clear expectations for doing the right thing and to use commonsense controls to test for conformance.

George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, "Measures and Metrics in Corporate Security," may be purchased through the Security Executive Council Web site. The Security Executive Council is an innovative problem-solving research and services organization that works with Tier 1 Security Leaders to reduce risk and add to corporate profitability in the process. A faculty of more than 100 experienced security executives provides strategy, insight and proven practices that cannot be found anywhere else. Through its pioneering approach of Collective Knowledge, the Council serves all aspects of the security community. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.