What's Security Worth?
A growing set of responsibilities and limited resources continue to plague many security departments despite security’s higher profile in the world at large. If security directors are to improve their situations, they must learn to better articulate the department’s value to the overall organization, such as by selling the security function to senior management as a profit center. However, attempts to do so must go beyond simply introducing a new lexicon with phrases such as value-added, profit center, and return on investment, and they must do more than simply introduce new titles such as chief security officer.
The long-term success of the security function depends on the delivery and fulfillment of these concepts in a manner that can be articulated to management and demonstrated by data. Dave Farrell, president and CEO of Bob’s Stores, headquartered in Meriden, Connecticut, sums up this idea: “I’m not interested in squeezing the loss prevention department’s budget. I’m interested in generating the best financial return for our company and that comes from squeezing loss rates in the most effective manner.”
The question for security department directors, then, is how to demonstrate financial return to the entire organization. The answer combines solid performance data and standard financial analysis tools.
Get the facts. Imagine for a moment that you had $50,000 to invest and, as a result, scheduled a meeting with a financial planner. What information might you want to know about the company before entrusting your savings to it? You would want to know how many years it had been in business, what training or certifications the professionals in its employ hold, and, most importantly, the kinds of financial results they had produced for others.
Now, assume that the organization has been in business for 13 years and the person handling your investment is a certified financial planner. However, the planner is unable to provide any data about the investments he has made in the past, what those recommendations were based on, how they performed, and how his previous clients fared. How likely would you be to entrust your hard-earned savings to this individual? Not very.
Yet there are still some business executives, including security and loss prevention professionals, who will walk into the chief financial officer’s office at budget-review time with little more performance data than our imaginary financial planner had. For example, at a recent retail loss prevention roundtable meeting that I attended, one consultant observed that when his company is working with a client and asks for data on refund-fraud rates, many senior executives say they can’t identify that information—a surprising response given that this is a key metric. Without data about performance, the case for security cannot be made.
Thus, the first step in identifying security’s value is to identify and collect objective data for items that recur frequently, such as workloads and service levels. The goal is to develop a clear understanding of where the department spends its time and efforts, creating a baseline for comparison when the program is changed. If security professionals do not develop these metrics and data streams, they will never be able to compete with other business functions for resources. Without data, security does not have the building blocks for the next process—financial analysis.
Costs and benefits. Once the key metrics associated with security’s contributions to the organization have been identified and data about them collected, the value to the organization must be calculated in terms of a financial return on investment (ROI).
What does ROI consist of? Let’s look at a loss prevention situation. One might consider the number of cases resolved, the amount recovered, and the cost of the program. Simply put, is the investment in the activity, when considering all expenses associated with it (payroll, travel, liability, etc.), worth the return to the organization, considering all possible returns—financial recoveries as well as such other effects as deterrence and positive impact on operations and morale?
Security and loss prevention leaders should be asking if the costs of a project or activity are outweighed by the benefits, both tangible and intangible. If not, the threshold required for investing in that activity has not been passed. This question is addressed by a number of financial analysis methodologies, discussed in more detail in the next section. But first, an incremental cash flow statement must be constructed.
Incremental cash flow statement. The security manager first needs to gather data for a cash flow statement that identifies the financial impact of the project over its useful life by showing the cost of installation, the cost of maintenance, any other costs, and the impact of the project in terms of savings to the company.
An illustration of this type of incremental cash flow in the retail industry might concern installation of an electronic-article-surveillance (EAS) program. It should include the program’s up-front and long-term cost and then the resulting savings, based on retail sales statistics, cost-to-retail ratio, baseline shrink rates, and shrink rates from this program.
As numbers are crunched, the security manager must make sure that the data can be explained. For example, with regard to shrinkage, the manager should be ready to tell senior managers where the projected shrink rate numbers come from—is the rate based on other, similar installations at the organization, benchmark data from other companies, or test data. Similarly, the manager should discuss any other projects being introduced at the same time and whether they likewise are included in the estimate for shrink reduction.
As all subsequent analysis depends on the accuracy of the assumptions in the incremental cash flow statement, the importance of this step cannot be overstated.
Analysis techniques. Once the data have been identified and an incremental cash flow statement constructed, specific analysis techniques may be used. The most common of these relate to payback period, net present value, and internal rate of return.
Payback period. Payback period is the simplest way to look at ROI and as a result is often used when a quick comparison of projects is required. This statistic identifies how long it will take to earn back the money that has been spent on a project (based on the incremental cash flow statement). The formula for calculating payback period—measured in years—divides the cost of the project by the annual cash inflow that can be attributed to that project. Thus, if a project costs $75,000 and is expected to return $20,000 annually, the payback period would be 3.75 years.
Under payback-period analysis, those projects where the payback periods are shorter are considered preferable to those with longer paybacks. Projects with shorter payback periods allow companies to recoup their investment more rapidly so that the money can be reinvested elsewhere more quickly, providing more liquidity of funds.
There are two primary downsides to examining payback period. First, it ignores any benefits that might accrue after the payback period is complete. In addition, the time value of the money put into the investment in the original project is not included in calculations.
Net present value. Net present value (NPV) is the most widely accepted financial analysis tool; it allows organizations to consider a critical component in the evaluation of projects and activities—the time value of money. When funds and effort are spent to implement a project, usually the money is spent at the beginning of the project and the benefits accrue over time.
However, $1 five years from now is not the same as $1 today—it is worth less due to inflation, plus the dollar you have today could have been invested elsewhere and earned interest, so it would be more than $1 at the end of the five years in question. Those future returns must, therefore, be stated in terms of today’s dollars to ensure an “apples to apples” comparison.
NPV is expressed in the following equation: PV (present value of future cash flows) – I (initial investment/project cost) = NPV of the project. The PV is determined by taking the cash flows from future years and reducing them according to a discount factor table, available in print and through computer applications.
The amount of the “discount” is determined by the cost of capital, which is what it would have cost you to borrow the money or what you could have earned with that cash. For example, if put in a savings account or a certificate of deposit, the money would earn interest. In that situation, the cost of capital would be the rate that would have been earned if that money had been invested in an interest-bearing financial instrument.
Internal rate of return. The internal rate of return (IRR) is a measure of profitability that is closely related to NPV. However, this figure expresses return in percentage terms rather than dollars. IRR is a discount rate that makes the NPV equal to zero. In other words, as explained on one Web site (www.toolkit.cch.com) “it allows you to find the interest rate that is equivalent to the dollar returns you expect from your project.”
By expressing the ROI in terms of percentages, the IRR allows one to compare returns from projects that have different economic scales. From an organizational perspective, it also allows a firm to establish a cutoff rate (also called a hurdle rate or a required rate of return) based on the cost of capital, opportunity costs, and risk. A project whose internal rate of return falls below this cutoff rate is not approved, while those above it will be considered for implementation.
Business objectives. The tools mentioned here can help organizations to identify ROI in their security and loss prevention departments. ROI is only part of the equation, however. The security department must also make sure that projects are tied to the functional objectives of both security and the overall organization. These objectives may concern risk or loss avoidance or customer satisfaction, for example. The data collected for ROI would then focus on results that further these objectives. For a hospital, for example, the goal might be patient satisfaction—a key metric that drives revenue for most healthcare institutions.
Partnerships. Security professionals who are not comfortable with financial concepts should not try to go it alone. This situation is a prime opportunity to forge a partnership with the organization’s finance department team. Finance staff can explain how they evaluate ROI, what hurdle rates they use, and which analysis techniques are best suited to the organization.
The benefits. Running the numbers also ensures good decisions within the department. For example, the senior security executive for a national specialty retailer recently told the author that in some cases, the numbers showed that the programs did not result in a positive ROI. The bottom line was that he realized the department had been doing things for years simply because everyone believed those programs added value. They didn’t.
Another example of the value of running the numbers comes from Shane Sturman, partner and vice president of operations for Wicklander-Zulawski. He explains that when he was a director of loss prevention for a wholesale warehouse chain, the security department wanted to show the value of its detective program.
“Since we were a ‘membership’ club, we had extremely reliable data about how many times an average customer shopped at our locations. We took that figure and compared it to our shoplifting cases and made an assumption that [shoplifters] ‘shopped’ our store at the same rate,” he says. “Once they had been caught, we looked at each shoplifter’s own shopping pattern to validate that they frequented the store at about the same rate as the average customer.”
By using that data and multiplying it by the number of shoplifters apprehended and the dollar amount of merchandise with which they were apprehended, Sturman was able to estimate future loss, making a strong case for justifying the detective program.
“When we looked at how much future loss was avoided by the apprehension of these shoplifters, we were talking millions of dollars over a three-year period,” Sturman says. “And that was just assuming that the shoplifters didn’t take more as time went on or begin to shoplift the location more frequently.”
In another case, a company first ran a pilot test of an EAS program. The test had shown that with EAS installed, the baseline shrink decreased by 30 to 40 percent. But a formal ROI showed that some stores couldn’t justify the expense of the EAS system even if they achieved a 50 percent reduction in shrink. The combination of sales volume and baseline shrink just didn’t cover the expense.
Remember what management guru Peter Drucker once said: “What gets measured, gets managed.” And if the security department is to manage its future better, it must begin by measuring its progress today.
Walter E. Palmer, CPP, CFE (certified fraud examiner), is CEO/president of PCGsolutions. He is a member of the ASIS International Council on Retail Security.