George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased at www.securityexecutivecouncil.com. The SEC draws on the knowledge of security practitioners, experts and strategic partners to help other security leaders initiate, enhance or innovate security programs and build leadership skills.
I am constantly hunting for metrics examples, and I am intrigued by the variety of ways experienced organizations present data. One vital measure of good data is its ability to inform and drive action in a specified direction.
Consider news organizations like The Wall Street Journal, which convert reams of data into meaningful copy that reveals a message to knowledgeable, time-challenged readers every day. Or think about medical lab work — next time you have a physical, ask for a copy of your bloodwork results and see if you can determine your health quotient. Sure, there are a few we have all memorized, like the bad this or the good that; but, it is typically line after line of unintelligible gobbledygook — really important gobbledygook.
Your senior management and board members follow, absorb and make crucial business decisions based on a host of spreadsheets, graphs and trend lines. What kind of decisions would they make from gobbledygook?
I work with a variety of companies who have their own approach to data presentation. Frequently, it focuses on timekeeping activities and incidents per whatever — per month, per shift, per quarter. This is data we must maintain to plan and manage, but I have beat the drum on many occasions about the limitations of counting things rather than analyzing our hard-earned data so that we may inform and influence.
We often forget that our typical customer does not see the data we present through anything remotely close to a level of informed judgment. Oh, they are disturbed by that trend that shows the 21-percent increase in workplace violence at Plant X, but then do we leave them to draw their own conclusions on the root cause of these events? There has to be a story here that drives judgment and moves action.
Good metrics demand a story. The story reveals the lesson, the learning from the conclusions drawn by analysis of the data. Like any good story, you have to know your audience and select your theme to connect with their frame of reference. In the Plant X workplace violence example, analysis reveals a prevalence of alcohol use on the night shift with an obvious lack of supervisory oversight. In drilling down, it becomes clear that shift supervisors, security and HR are unclear on roles and reporting, and there is a general absence of policy and protocols around workplace behavior. The Security Director builds a briefing around these well-founded conclusions and is able to engage HR, Legal and plant management on solutions that subsequently reduces these incidents to near zero. The story told to top management not only demonstrates leadership in resolving a potentially serious set of risks, but establishes Security’s role as an effective collaborator and business partner.
Good metrics must convey reliable information. We may be tempted to look at our data and make gut conclusions. The result may reveal symptoms and miss root causes. The story then is substantially fiction rather than fact. Fiction is not a good thing in our business. Effective, actionable risk management requires disciplined analysis. We have the knowledge to understand the data we have gathered. Counting incidents covers the How Much, but we have the obligation to probe the What, Where, Why and How to construct those scripts that reliably inform and influence.
When you look at your incident data for the past several months, what theme emerges? Pick a trend and drill down. What are the common denominators? How many of these risk events were preventable? What vulnerabilities contributed to their occurrence? What few cost-effective actions will most impact improvements?
Now tell me the story.
George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased through the Security Executive Council Web site. The Security Executive Council is an innovative problem-solving research and services organization that works with Tier 1 Security Leaders to reduce risk and add to corporate profitability in the process. A faculty of more than 100 experienced security executives provides strategy, insight and proven practices that cannot be found anywhere else. Through its pioneering approach of Collective Knowledge, the Council serves all aspects of the security community. To learn about becoming involved, e-mail firstname.lastname@example.org or visit www.securityexecutivecouncil.com/?sc=std. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.