Making Cents of Security

Value is the watchword of 21st century business. We challenge business leaders to contribute value to the top and bottom lines. We expect them to set goals and measure success.
Security and life safety programs are no exception. Organizations demand that security serve the broader business strategy. CSOs can only compete for budget resources if they deliver demonstrable value. Ask CSOs what keeps them up at night, and many will say return on investment (ROI).

This is never truer than when upgrading technology. Security technology reduces risks to life, safety, tangible assets and intellectual property. It streamlines operations and creates efficiencies. It can even help maximize revenue. The CSO’s challenge is to prove it.

Proving ROI begins with sound plans. Security plans drive value when they speak to the goals of the organization’s overarching strategic plan. They emerge from a process that considers the organization’s values, infrastructure, key assets, strengths, weaknesses, opportunities and threats.

Then the CSO faces a choice. There are three approaches to ROI. The first, the risk management approach, considers the actuarial risk of undesirable outcomes. Consider a retail setting — a store, for example, may calculate the probability that inventory will be stolen and then multiply that probability by the inventory’s value. It can then use the likely dollar value of its annual loss as a benchmark against which to gauge its loss prevention program.
Another approach is through measuring cost savings. For example, security technology can help hospitals comply with privacy regulations by auditing who accesses medical records. Technology yields positive ROI if the high-tech solution costs less than the hospital’s previous, manual compliance program.

The third method, which we term the “value added approach,” considers the long-term benefits of a best-in class, comprehensive, holistic security and life safety program. This is the approach adopted by the Sears Tower in Chicago.

As one of the tallest buildings in the world, the 110-story structure features leading edge security and life safety, building and IT communications systems. In a multi-tenant office building, these systems encourage higher occupancy. The Sears Tower’s owners and managers have adopted the value-added approach to ROI for these reasons. Smart, efficient, leading-edge security and life safety systems assist in reassuring lessees and maximizing occupancy and revenue.

Let’s take a closer look at all three approaches to measuring the ROI in security technology.

Risk Management Approach: What Are the Odds?
Risk management is the essence of security. Security incidents disrupt business and carry other potential costs such as property loss, damage and civil judgments. Businesses are wise to avoid the mentality, “That can’t happen to us.”

Instead, many organizations are embracing a risk management approach to security. It compels CSOs to quantify security and safety risks and then adopt a sober, dollars-and-cents approach to mitigating them.
What would it cost your business in productivity if internal systems shut down for an hour? What is the price of vandalism? How much money would it take to replace stolen inventory or other assets? What would acts of violence cost your organization in morale, retention, liability and sales? How expensive would the fines be for failure to comply with privacy or other regulations? And how much does the organization save by preventing these occurrences?

The risk management approach to calculating security ROI grows out of scenario planning. Security planning teams ask themselves what risks are threatening life, safety and property. Then they consider two calculations: the financial impact of an incident and the probability it will occur. Security investments have a positive impact on the bottom line when they cost less to purchase and operate than the probable costs they prevent.
Organizations approach this risk management exercise with varying degrees of sophistication. Investing in software can help organize the process. Software can also supply actuarial data to help calculate incident probability — whether or not the organization has its own data or in-house actuarial expertise.

The risk management approach enables a company to see the cost of having inadequate security in black-and-white. When this cost is flipped to show the effect of incident prevention on the financial bottom line, many companies find that the system pays for itself sooner rather than later.

When companies see the probability of incidents in numbers and percentages, many decide that the risk is too high. The financial cost of installing integrated security technology is countered by the rewards of a safe, productive and uninterrupted workplace.