George Campbell is emeritus faculty of the Security Executive Council (SEC) and a former CSO. His book, “Measures and Metrics in Corporate Security,” may be purchased from the SEC. The SEC works with security executives to provide strategy, and proven practices to reduce risk and add to corporate profitability. For more information, email firstname.lastname@example.org or visit www.securityexecutivecouncil.com/?sc=std.
We categorized several areas of preventive service and incident response, as seen in the chart. The bottom line comparison was impressive: Company cost = $4.5M; Alternative = $16.45M.
Last month I proposed to lay out a few metrics I believe qualify as “must have.” I started with a bucket of key risk indicators, because risk, after all, is why we have jobs in this business. This month, my bucket contains a few of what I like to call value indicators.
Our value has to be connected to our success in measurably impacting risk. What are the measures, and how are you communicating the critical messages? Sure, every program is delivering some statistics — typically lists of incidents or activities that they sell as “metrics.” But real metrics inform by creating a storyline that implies the need for action. Lists are just the nails you use to build these stories.
I recently worked with a CSO of a global manufacturing company who launched an initiative to identify metrics across the security organization “to tell the value story to management” and to “demonstrate in measurable ways where and how we bring value to the bottom line of our company.” He found value delivered in guard force operations, investigations, background vetting, risk assessments, supply chain protection, workplace violence response and a variety of previously unprobed corners of security service delivery. Let’s explore their fire and life safety first responders.
This company’s industrial operations involve the potential for fire, the presence of hazardous materials, and accompanying employee safety risk. To help manage this risk, the security organization developed an internal first responder team. The assumption going in was that management would see Security’s maintenance of a first responder program as wasteful, because the company already supported qualified public fire departments with its taxes. Why pay twice?
We categorized several areas of preventive service and incident response, as seen in the above chart. The bottom line comparison was impressive: Company cost = $4.5M; Alternative = $16.45M.
But the real value story is about the quality of response:
- When employees return to work quickly, productivity increases.
- Faster, better-prepared and equipped response equals less production downtime.
- Faster, high-quality response contributes to employee safety and morale.
- Preventive operations result in lower construction and insurance costs.
- Proactive inspection programs mitigate fire, safety and business interruption risk.
- OSHA and other regulatory sanctions are avoided with aggressive inspection.
- Company and individual health insurance costs are reduced.
Several employee lives were saved by the Corporate Security first responders in the course of this year of analysis (2010).
Of course, the average security executive doesn’t have an internal first responder service in their organization. But think about what services you do deliver that can tell your unique value story.
Protective operations: Are your officers trained to respond to health and safety events and have they done so successfully in the past? Are their tours organized to identify and eliminate hazards or to identify exploitable vulnerabilities that could result in loss, such as business interruption or asset compromise?
Risk assessments: Do you have a program that proactively examines the range of security-related risks to critical assets? What would the cost of compromise have been for those vulnerabilities your team found and eliminated? What fines or litigation were avoided by eliminating a failed security measure or risky practice?
Timely response: When security programs deliver faster, quality response to risk events, you measurably reduce the cost of impact.
Awareness: When you deliver learning to the business, you impact intelligent accountability and contribute to prevention of loss.
The idea here is to think about how we prevent bad things from occurring and reduce the consequences when they do occur. We add value in many ways, but we often fail to document and tell our story. What is your story?
George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, “Measures and Metrics in Corporate Security,” may be purchased through the SEC website. The SEC (www.securityexecutivecouncil.com) is aproblem-solving research and services organization focused on helping businesses effectively manage and mitigate risk; and helping security leaders initiate, enhance or innovate security programs, build their leadership skills, and bring quantifiable value to their organizations. For more information, email email@example.com. This article is copyrighted by the SEC and reprinted with permission. All rights reserved.