The Business Case for Preparedness

Effective Enterprise Risk Management and Security Can Lower Costs

May 23, 2008 11:48 AM

Corporate resilience is a contributor to profitability, shareholder value and competitiveness.

Effective risk management and security can prevent business disruption. It can also lower costs, enhance corporate reputation value and improve overall business performance.

Source: "Navigating Risk -- The Business Case for Security", Thomas E. Cavanagh, The Conference Board (Purchase required), October 2006

Official Website (with abstract):
http://www.conference-board.org/publications/describe.cfm?id=1231

Article summarizing key findings and stats:
http://www.continuitycentral.com/news02885.htm

Key Points:

* "In order to gauge acceptance of the business case for security, the U.S. Department of Homeland Security (DHS) sponsored a survey of senior corporate decision makers that was undertaken by The Conference Board. The survey purposely did not include security directors, risk managers, or chief information security officers in the sample. Rather, the focus was on determining support for security initiatives among executives whose responsibilities do not ordinarily include security functions."
* "The companies that participated represent a cross section of the American business community. A total of 113 firms were in critical infrastructure industries as defined by the U.S. Department of Homeland Security, and 93 were in non-critical industries; the remaining seven could not be classified. ... 51 respondents were companies with less than $250 million in annual sales, 47 with sales between $250 million and $1 billion, 63 with sales between $1 billion and $5 billion, and 49 with sales of $5 billion or more. There were 41 companies with less than 500 full-time equivalent employees, 63 with 500 to 2,499 employees, 50 with 2,500 to 9,999 employees, and 58 with 10,000 or more employees."
* "Senior executives were asked which metrics they found especially helpful in determining the appropriate level of spending for security in their companies. In general, the most useful metrics were those which enable executives to determine how much a security problem would cost the firm in terms of liabilities or foregone business. The most helpful metrics were the cost of business interruption, cited by 64 percent of executives; vulnerability assessments (60 percent); and benchmarking against industry standards (49 percent). Another group of helpful metrics was explicitly related to insurance costs, such as the value of facilities (mentioned by 44 percent), the level of insurance premiums (39 percent), and the cost of previous security incidents (34 percent)."
* "In sum, enterprise risk management is becoming a vital element in the rebranding of security as a corporate function. Security needs to be seen as a source of value, and not just a cost center within the company. Security can avoid cost and prevent disruption of the business. It can also add intangible value to the brand by serving as a marker of performance excellence and a symbol of concern for the integrity of products and the safety of customers and employees. Employing the concepts and terminology of risk management can enable security executives to more effectively perform their jobs and, in so doing, improve the performance of their companies in the marketplace."