Printer Friendly

A model for security's bottom line.

THE BOOK OF Exodus includes the story of Moses, who led the Israelites from their empoverished lives as slaves in Egypt to the promised land. En route, Moses left his followers temporarily and climbed Mount Sinai to receive the Ten Commandments. He returned only to find they had built a golden calf in his absence. Moses angrily told them they were unfit to enter the new land until they had changed.

How did Moses affect this cultural change? He wandered with his followers in the desert for 40 years until all the former slaves had died. And then the culture changed.

Security management is on the brink of change. But it cannot wait 40 years for corporate thinking toward security to die off before cultural changes can occur.

Security managers, like their counterparts in other corporate functions, are under fire to reduce costs. To survive, they must demonstrate they can use available resources to the organization's best advantage and secure new resources when necessary to improve the corporate bottom line.

Addressing these concerns was the goal of the ASIS Foundation's Atkinson Project. In 1991, the foundation approached The Wharton School at the University of Pennsylvania with an idea first proposed by James J. Atkinson, CPP, director of security for Johnson and Johnson.

Atkinson speculated that by using traditional financial analysis security management decisions could be approached in the same way as other financial management decisions. He believed a corporation's investments in security could parallel virtually any other corporate investment. As a result, security could be seen as a profit center with objectives focused on corporate financial performance.

As Atkinson posed the problem, the issue was not merely one of justifying the purchase of security resources by showing cost savings. The real issue was quantifying in financial terms the value added by the security department to the corporation's overall financial performance.

The multifaceted Atkinson Project lays the foundation for changing corporate thinking about security. A theoretical financial model, the Atkinson Model, quantifies how security adds value to corporations.

The model was applied to an actual corporate setting to test its structural logic and establish guidelines on data collection. Papers that discuss these stages were included in the January 1992 edition of Security Journal, which is published by Butterworth-Heinemann in conjunction with the ASIS Foundation.

Because it develops a program for quantifying the financial effect of investments in security functions, the Atkinson Model can act as a lever to help change corporate thinking about security. At the least, it repositions security in the corporate structure by merging general financial management procedures directly into security decision making.

Why should a company invest in new packaging equipment? Why should it invest in an expanded sales force? Why should it upgrade its CCTV equipment? Security managers should be able to show corporate decision makers what an investment in security will realize in financial terms--and do it in a way that allows for a clear comparison of those returns with investments in any other type of business opportunity.

The Atkinson Model provides a theoretical methodology for accomplishing these goals. Before this theory can become reality, however, data bases that support the quantitative analysis of the value added for various industries and the current software need to be refined.

At the same time, however, a corporate change in thinking must occur. Corporate decision makers--including security managers--must stop viewing and valuing security as a cost center and consider it as a profit center.

THE ATKINSON MODEL'S INTERPRETATION of cost center versus profit center is relatively simple: Cost centers incur costs but don't generate revenues--or at least traceable revenues. Money is spent and justified according to whatever budget a company has allocated to security in a given year. Profit centers, on the other hand, incur costs but also generate traceable revenue streams.

Advantages and disadvantages can be ascribed to each approach. The advantages of treating the security department as a cost center can be listed easily. The approach is used in many firms, and it parallels the procedures used for other corporate functions such as human resources, advertising, or public relations.

The cost center approach is also quite flexible. The budgeting process responds to the personal and political relationships that develop between security directors and senior management. Requests for funds obviously must be supported by corporate priorities, but this goal is often tempered and adjusted by the security manager's judicious description of experience data.

Perhaps the most important advantage of treating security departments as cost centers is flexibility in a crisis. If money is needed for security because bottles of Tylenol have been found to be tainted, for example, Johnson and Johnson's security manager can turn quickly to the senior corporate executives and request funds immediately without having to justify the expense first.

No one can or wants to take the time to make full-blown financial analyses in such cases--and a cost-center approach does not require one.

The disadvantages of treating security departments as cost centers are also clear. First, budget allocations do not rely on assessments of security risks, making it difficult to justify specific resource allocation decisions. By failing to recognize overall corporate financial goals, the effects of competing investments in security functions are also difficult to assess.

For example, in many security departments treated as cost centers, comparing the need for an alarm system with the need for guard services would be unnecessary. Historically, both have been deemed necessary and, since the budget allows for it, both are purchased for the organization.

There has been no impetus for change because there has been no attempt to rank investments in security strategies according to their independent effects on financial performance. The financial goal is simply to stay within the fiscal constraints of the department's budget.

In addition, cost-center budgeting does not always permit security managers to argue effectively for resources because the main bargaining tool is political persuasion. Security managers can do little more than approach senior management with requests for additional funds for upgrading or expanding a system.

Although no breach may have occurred, the security manager often couches the request in terms of professional judgment, analogies to events at other companies, or the introduction of a new technology. Even if a vulnerability is identified, the argument underlying the bargaining is weak.

The main advantages of a value-added approach to security management is that it provides clear financial guidelines to senior managers who must make the overall investment and allocation decisions.

Equally important, security managers can use the same procedures to identify the relative value of alternative investment strategies and monitor results over time.

Profit-center budgeting allows security managers to focus directly on those investments that would produce real value to a corporation. This value-added approach aligns the objectives of security management with other corporate objectives: to maximize the market value of the stockholders' or owner's stake in the firm.

As with any other part of the organization, at some point the stockholders, shareholders, and debt holders--the investors as a group--want to see some value being added based on the level and allocations of investments by the organization.

The financial logic underlying the model is complex; its foundations, however, are based directly on analyses that have been used in the investment community for more than two decades. What has been accomplished at this point is to translate a financial concept into a framework that corresponds more directly with the risk-based information that is at the heart of the security manager's decision-making process.

When applied specifically to security, the trick is to translate the financial model so that it takes into account not only the need to maximize the net present value of investments in security, but also the need to minimize the net present value of expected security losses over a base line.

The key, then, is to determine the expected number of occurrences of specific types of security breaches over a set time, multiply this number by the value of each type of avoided breach at some discounted rate, and use this value as the basis of comparison of investment options.

By working systematically through the model with a variety of scenarios, security managers can use the results to highlight those security investments that generate the greatest surplus cash flow relative to the greatest avoided security losses over a baseline. It is assumed, of course, that the security manager can generate the relevant scenarios to be examined.

In a sense, security managers already know these concepts. Their goal is to institute and manage security programs that help companies avoid or mitigate risk and minimize expenditures by judiciously investing in security products.

The model also has the potential to produce financial reports that read like those that come out of other departments. As a result, security managers will not have to rely on experience or intuition. The model puts security managers in a better position to convince corporate decision makers that investments in security functions are sound financial options.

Admittedly, a number of security investments are based on intangibles, which are difficult to quantify. Profit-center thinking does not ignore intangibles such as public image or employee morale. For example, a company may not debate the need to allocate resources for an officer to patrol its parking lot because a rape occurred there in 1973; the company's image may depend on that high level of security presence.

At some point, however, a valuation should be included in the argument. It may not overwhelm the decision, but it gives management a reason for committing resources to the department--and a basis for comparing the option selected with alternatives.

WHILE THE ATKINSON MODEL IS AVAILable in a computer-based format, it is not yet set up to be easily accessible and user friendly. The next phase will be to move from the theoretical to the applied stage by turning the value-added model into a computer program where users will simply enter data and select menu items.

To produce these results, several additional steps need to be completed. The ASIS Foundation and the University of Pennsylvania plan to continue work on producing a user-friendly software version of the model.

Also, a series of workshops on how to set up data bases and resolve data collection issues will continue. The goal of these workshops will be to instruct security managers on how to use the software when it is more readily available.

To test the software, five companies identified through surveys of 20 organizations in various industry or service sectors will be recruited as test sites. The participants will be selected on the basis of the quality of their existing data collection procedures since the intent is to demonstrate the capabilities of the model.

Participants in the in-depth site analyses will be expected to provide access, on a confidential basis, to company-specific data bases and corporate security procedures as well as make time available for an on-site interview.

As part of the same project, benchmarking data reporting standards for the security industry in these five sectors will be undertaken. The intent is to provide a basis for the accumulation of industry-wide information over time in much the same way that the Associated Factory Mutual Insurance Corporations accumulate industry-wide data on safety concerns.

The experience gained in analyzing the data from the five participating companies will be used as the basis for a broader process of designing and simplifying information on the kinds of data now available and how it is used. The result of this effort is intended to provide all security managers with insights on what other companies are doing and guidelines for developing similar information resources.

Convincing security managers to see the value of sharing data on security breaches will not be easy. At some point--industry by industry, company by company--security managers must recognize that transferring information into a form that is useable for analysis is worthwhile. At a minimum, it wilt help support targeted investment decisions by their organizations even when the incidence rate, or exposure, is low.

To this end, another phase of the joint venture between the ASIS Foundation and the University of Pennsylvania is on the drawing board. This project will establish the standards and guidelines underlying the collection of data for the measurement of security risks in general for the security industry.

To support this effort, however, an investment has to be made by corporations and across industries to collect data, test applications, and establish an organization that will organize, store, and disseminate the data. Obviously, this proposal is highly sensitive, but it does have parallels.

The University of Pennsylvania, aided by the ASIS Foundation, is ready to move future projects out of the research stages and into practice. However, while academics can set up and test models, the security industry needs to develop and use comparative data on an ongoing basis in much the same way as other industries use Information Management Systems, Dun & Bradstreet, or any other data pool.

This pool must be viewed as a resource that will provide information for the effective financial analysis of security investments. Without it, the security manager is left in a weakened position when defending investment decisions--a scenario likely to be even more obvious in the future when investment decisions will be based on highly sophisticated technologies, organizational structures, and global positioning.

Admittedly, any single model, however well tested and supported, cannot be treated as if its conclusions were knockdown punches. Politically, this approach is dangerous and minimizes the critical role played by experience. Even with the data resources currently available, security managers should be able to generate quantified value-added estimates that demonstrate to corporate decision makers that their organizations can get a return on their security investments.

But one point must be underscored: Security managers must be able to analyze which strategy produces the highest value-added investment among the available security options and then communicate their findings in a manner that can be clearly understood by senior management. Ultimately, by looking at vulnerabilities across industries, security managers will be able to make such estimates with greater confidence.

Security managers need not wander for 40 years in the wilderness hoping for corporate change. Change is at hand, and the security manager of the future can take the lead in shaping that change.

Stephen Gale, PhD, is a faculty member at the University of Pennsylvania's College of Arts and Sciences and serves as the director of the Dynamics of Organization program. He is the chairman of the regional science department in Arlington, VA. Charles H. (Sandy) Davidson is staff director of the ASIS Foundation, Inc.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Special Report
Author:Gale, Stephen; Davidson, Charles H.
Publication:Security Management
Date:Sep 1, 1992
Previous Article:Thrill seekers find their quarry.
Next Article:The ABCs of developing TQM.

Related Articles
Introduction to Security.
Bringing contract services on-line.
The Rise and Rise of Digital Certificates.
UL-listed wireless security.
Profile of an Attractive Model.
Magnetic locks.
Reclining chairs.
Molson Q1 losses larger than stated.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters