What happens when a firm makes a successful supply chain security investment? If you didn't blurt out your answer, then you've answered properly-the answer of course: "Nothing."
When a supply chain security investment prevents a loss, a breach or other disruption; basically, nothing happens. While this is the target and means good news, it's difficult to calculate an ROI where you can't show the cost that was avoided.
It may be possible to show an ROI if the initial investment does result in a lower loss rate; but this only applies in the first year of implementation. Beyond that, investment will still be required, even though there may not be any additional loss reduction, since that investment is protecting the improved loss level.
This presents a predicament for security groups in gaining financial support for initiatives that are effectively preventative in nature. Ultimately, the security investment that does not show ROI does not make a compelling business case.
There is promise, however, in identifying potentially useful "collateral benefits" from security investments. By this, I mean the unanticipated operational benefits that may come from making security investments. For example, security investments in asset tracking may provide useful information about inventory location which may reduce the uncertainty in the supply chain.
With lower uncertainty in the system, it may be possible to reduce inventory stock levels and therefore free up working capital since inventory is often used as a buffer to offset uncertainty.
In the words of one automotive firm executive I've interviewed, "Ultimately, you need to tie risk [of attack, disruption] to business performance."