From Hard Numbers to a Value Proposition: Crafting a Story for the C-Suite with Metrics
Sean Sportun was thinking about closing down one of the convenience stores he oversaw in Ontario, Canada.
Robbers had struck the Mac’s Convenience Store, located in Thunder Bay, eight times between January and March 2012. One of those instances involved three teenage robbers, who had a standoff with the police after trying to hold up the store at knifepoint. The store also abutted an alleyway where prostitutes and drug users often loitered, and its exterior walls were regularly graffitied.
A disciple of crime prevention through environmental design (CPTED), Sportun repeatedly ordered for any new graffiti to be removed or painted over within 24 hours of its appearance, authorized the installation of new cameras, and fenced off an area that provided bad actors an escape route.
But “no matter what we did to this store from a CPTED perspective of lighting, taking away exit points—you name it, we did it—it didn’t work,” says Sportun, who at the time was the security and loss prevention manager for Mac’s Convenience Stores. At this point, he considered shuttering the store altogether.
Instead, he decided to throw a party.
Calculating the Value of Community Outreach
In years prior, Sportun directed part of the loss prevention program to focus on community engagement efforts that also improved the company’s relationships with communities around its stores. He had seen success in a program where law enforcement provided coupons for free drinks to break the ice with local youths and reward them for positive behavior. Sportun had also heard of a crime prevention effort in Toronto where graffiti was used to beautify neglected buildings.
So, Sportun decided to commission local graffiti artists to give the Thunder Bay site a facelift. With support from law enforcement, the store’s landlord, the mayor, and other stakeholders, the artists completed the mural in May 2012. The design featured elements that the community said it wanted to see, such as sketches provided by local high school art students. To commemorate the mural’s completion, the store hosted a party outside of the facility with music, performances, youth artists, food, and more.
“It worked,” Sportun says. The store no longer saw the robberies it had before, and Sportun decided to try the same experiment at a different store. The second store had not been directly targeted, but was near enough to areas where violent crimes had been committed that Sportun thought the project could result in a better relationship between the store and the community. And then he picked a third store for the mural project. After successes at all three stores, the project caught the attention of researchers at Harvard Business School (HBS), who helped provide funding for murals at additional stores, with 17 murals commissioned throughout the region by 2016.
The projects cost roughly $2,400 CAD ($1,850 USD) per site; however, researchers determined that stores with these murals saw an average sales increase of $62,371 CAD ($48,170 USD) per year. There were also reports of year-over-year decreases in the number of negative or violent incidents experienced at Mac’s stores in central Canada. Incidents decreased from 139 in 2012 with $54,243 CAD ($54,275) in associated losses to 72 incidents in 2015 and $9,914 CAD ($7,770) in losses. There was a slight increase in 2016 with 87 incidents but a decrease to $9,708 CAD ($7,490) in associated losses.
The murals generated positive news around the Mac’s brand, with the murals or the parties celebrating their completion often resulting in press coverage and essentially free advertising. Compare this to an average of $1.2 million CAD ($926,760) that Mac’s spent on radio commercials that reach 60 percent of Ontario residents for 26 weeks, according to the HBS case study.
“There’s a story to tell here because of the things that we’ve been doing, and the robberies have gone down drastically,” Sportun says.
He estimates that the art projects resulted in $10.6 million CAD ($8.2 million) in loss prevention savings. The decreased robberies also meant that employees were not injured on the job and could safely work, avoiding productivity losses and impacts to the company’s insurance premiums.
In their bare bones form, the numbers alone would not have told the full story. Sportun knew that for the project to continue its spread, he would have to present other landlords, his C-suite, and law enforcement with a compelling story. HBS researchers and Sportun created a document and a short film about the project, allowing Sportun to show others the impact of the project and how it could improve other sites.
Part of telling this story about crime prevention through community engagement was understanding how other Mac’s departments and external stakeholders would find the numbers compelling.
Sportun notes that finding the right narrative and format helped convince others that the project could result in benefits to the company, landlords, law enforcement, and community leaders.
“Then, before we knew it, we had 25 of these things up. And it became a thing within the policing world where it was making it into their annual reports,” Sportun says.
Police departments in other areas also reached out to him to ask if they could select a store in specific areas where another mural could be commissioned. “Not only did it start reducing incidents of criminality, but it started becoming a brand reputation thing,” he adds, pointing to another benefit of the program.
Sportun is not alone in blending math and language to create a compelling story that can generate support and excitement for security. When applied by and to a security team, metrics can indicate how effective certain measures have been and whether they remain a worthwhile investment.
Targeting Useful Information
“Identifying the efficacy of a security program or solution is about measuring the quality of targeted results from the rich pool of information on our program performance,” says George Campbell, an emeritus faculty member for the Security Executive Council, a research and advisory firm specializing in corporate security risk mitigation solutions.
At their core, metrics are data points that numerically or statistically reflect interactions and incidents.
“Metrics are the switches and dials for security program performance measurement,” says Campbell, former CSO at Fidelity Investments. They can be used to analyze, evaluate, and adjust the performance of a solution, team, department, or even an entire organization.
“Risk-related metrics not only direct security response planning and performance measurement but become the CSO’s communication and influencing strategy,” adds Campbell, who was formerly CSO at Fidelity Investments. “We need to leverage metrics to tell security’s quality and value story.”
When used effectively, the data can condense a story, giving security practitioners the ability to hit the highlights in minutes or even seconds—time that’s valuable when you only meet with someone from the C-suite once a year.
The metrics should be able to tell the story quickly and with little to no need for an explanation. When done right, an executive viewing the data or graphics that convey the information will be able to quickly comprehend the message they tell, understanding the performance and value of the product or system that the metrics represent, according to Dave Komendat, former vice president and CSO for Boeing, currently CSO and partner with Corporate Security Advisors.
“If you’re going to get 45 minutes a year with the CEO and his or her leadership team to tell your story, you better be able to tell it quickly and effectively,” Komendat says. “And the best way to do that is with value-added facts and data.”
These metrics need to show how an investment into security has resulted in a return on investment (ROI).
If you’re going to get 45 minutes a year with the CEO and his or her leadership team to tell your story, you better be able to tell it quickly and effectively.
Campbell, who has been teaching CSOs—including Komendat—about metrics for decades, offers some tips on how to paint a picture with this data.
When you’re first looking for key metrics, Campbell recommends considering how well security vulnerabilities are being identified, along with analyzing if actionable metrics are helping achieve an adequate resolution.
“If we can’t deliver solid information here, we are failing in our basic responsibility to communicate and engage management,” Campbell says. “This is our value story and what management must hear.”
You should also focus on identifying key risks and pinpointing what key performance indicators (KPIs) are tied to those risks. These KPIs should have currency and staying power, so they can change over time. For example, some KPIs today would likely be indicative of cyber threats, regulatory risks, climate change impacts, and business resilience.
Lastly, Campbell recommends engaging with key stakeholders and inserting yourself into the conversation on business risk strategy and management. Understanding other departments’ and key players’ motivations and goals will help you craft a message or story from the data that resonates beyond security.
“Understand the part or parts we can play in enabling the board’s strategic and enterprise risk management objectives,” Campbell says. “Focus key program delivery with metrics that clearly demonstrate how our programs are contributing to the success and the health of the enterprise.”
The Power of a Human Angle
Before retiring from Boeing, Komendat says that one of his goals was ensuring the C-suite and the company at large viewed the security department as a business enabler instead of a cost center.
“I wanted leadership in the Boeing company to know that I and my team understood and supported the strategy of the company,” he says.
To achieve this, Komendat focused on metrics that demonstrated value instead of ones focused on activity. Activity metrics indicate a count, such as the number of calls answered by a company’s global security operations center (GSOC). However, the number of phone calls or alerts placed to a GSOC is unlikely to adequately demonstrate the value presented by the GSOC. Komendat would instead highlight the responses to these calls. How many of these calls were related to an issue with production, a medical emergency, or a critical incident? These metrics would showcase how the GSOC provides support for business continuity and employee safety—supporting the larger mission of the organization.
If we can’t deliver solid information here, we are failing in our basic responsibility to communicate and engage management.
Getting these numbers and stories to leadership can help a team secure new resources when necessary and even retain them when the larger organization is struggling. Komendat recalls using metrics to show executives why the company maintained an on-site fire department. Without disclosing hard numbers, he notes that the fire department, which also provided emergency medical services, would get called upon more than once a year to respond to a medical emergency on the production floor.
“If you were having a cardiac event and I am putting an EMT next to you with an AED within 3 minutes, you have a 70 percent chance of surviving that event,” he says.
But without the internal EMTs, who are familiar with the physical layout of the facilities, the employee would not get medical care as quickly.
“On their best day, it’s going to take them 6 to 9 minutes to get into the facility. They’re going to have to find the person. We have huge, complex facilities,” Komendat says.
And if it takes 6 to 9 minutes for help to arrive and treat someone experiencing a cardiac event, the chance of survival decreases significantly.
The impacts extend beyond the possibility of one death. There are also going to be side effects on other employees—coworkers and friends of the patient who just died will likely experience some trauma. But by maintaining the internal fire department, those same employees are likely to see company emergency responders saving a life and administering care.
“That is a powerful, impactful scene. And it’s a powerful, impactful metric when you start to get pressure,” Komendat says.
While contractual obligations provide another strong reason to keep an internal team in the face of budget cuts, it doesn’t resonate as strongly as the employee retention and employee goodwill borne from a real-life medical drama. This is on top of the other work performed by this internal team, such as cleaning up hazardous materials.
“That’s a positive brand—that’s ‘the company cares about me’ type of response. So, being able to articulate and tell stories like that are important,” Komendat says.
Because when you can talk about how the surviving employee came back to work days or weeks later, how their teammates didn’t need to use PTO or bereavement leave to deal with the trauma, and how the surviving employee and their family visited the EMTs to thank them for saving his or her life, it strikes an emotional chord with leadership.
“It sounds corny, but it wins,” Komendat says. “And who’s going to sit there after hearing a story like that and go, ‘Hey, you’ve got to take $10 million out of your fire budget?’ Nobody does that.”
This approach is reflective of a larger scale need—that security metrics must become more proactive rather than reactive, according to Campbell.
“The threat landscape, regulatory compliance, and the demands of more risk-aware and engaged boards of directors have driven this evolution,” he adds.
Sara Mosqueda is associate editor for Security Management. Connect with her on LinkedIn or send her an email at [email protected].
