Any seasoned business leader knows that when it comes to buying a new solution or software, they’ll face some tough questions.
Leadership often asks a series of questions, including: What’s the ROI? Will this save us money? How much profit will we make?
These questions all have one thing in common: They focus on a quantifiable outcome or metric.
This line of thought isn’t wrong. It actually aligns with the traditional thought process behind most business decisions. Every MBA program teaches us that the ultimate success of a company depends on a tangible increase in profits. For every dollar spent, you must get more money in return.
But what if that’s no longer the case? What if there are additional return on investment (ROI) methods that cannot be neatly quantified or don’t show up on the bottom line?
For example, how do you measure the worth of preventing a building evacuation, avoiding weather-related supply chain hiccups or even saving a life?
The Many Definitions of Return on Investment
First, let’s take a step back and look at the different ways to measure ROI.
- Return on Investment (ROI): ROI is a standard business performance metric that directly calculates the benefit (or return) of an investment compared to its cost. Simply put, ROI gauges an investment’s profitability in terms of dollars.
- Value of Investment (VOI): While ROI measures tangible benefits, VOI focuses on the impact of intangible assets like knowledge, processes and abilities on an organization’s performance. VOI includes ROI but encompasses more than just money.
- Return on Security Investment (ROSI): Adding another layer of complexity to the ROI equation, ROSI measures the amount of risk reduced by a security solution versus the amount spent. This combines elements of tangible and intangible assets, including the probability of an event occurring as well as its potential impact on the bottom line.
- Return on Resilience Investment (RORI): A relatively new term, RORI (also known as Resilience Return on Investment) is the convergence of risk and resilience analysis. It’s the dynamic, ongoing process of maximizing solutions to reduce weakness and avoid negative consequences. That is, it attempts to measure the ability of a system to anticipate, absorb and recover from hazardous events.
It's important to recognize there are multiple concepts and methods to justify ROI. There are many factors that play into which “X on Investment” definition you default to, but it comes down to your point of view based on your profession, responsibilities and departmental key performance indicators (KPIs).
The Significance of RORI in Risk and Security
This article will focus on the significance of RORI for risk and security professionals, who often have to justify expenditures that don’t produce tangible profits. It can be difficult to gain buy-in from executives without a concrete way to show the important benefits of their work.
Security, risk and IT departments need systems to monitor, identify and respond to threats, as well as methods to communicate with their people to keep them safe. Technology like critical event management (CEM) solutions can look expensive on paper, but in reality, they save the entire organization money in many other ways.
When risk and security professionals have to present their proposals to the C-suite, how do they claim or justify their budgets when their solutions may not provide dollar-value profit but instead bring loss prevention and cost avoidance?
Should they evaluate vendors on their ability to help them avoid negative impacts and mitigate risk? Will that be a sufficient answer when trying to purchase solutions for that purpose?
There doesn’t seem to be an easy answer to any of these questions for the risk and security professionals of the world. They’re tasked with keeping employees, assets and infrastructure safe. They need to be aware of potential threats before they happen to avoid negative consequences like physical harm or organizational downtime.
This leads us to new questions: How should security professionals evaluate, calculate or justify their return on resilience investment? Does it essentially come back to the value of investment?
Tangible and Intangible RORIs
Executives will want to understand the RORI on a new solution before they spend any money. Expenditures for a unified platform built for critical event management are often difficult to evaluate with a traditional ROI, since the benefits often cannot be directly assigned a dollar value. Instead, it can be useful to frame the benefits in terms of loss avoidance, in both quantifiable and non-quantifiable ways.
OnSolve released a Global Risk Impact Report in August 2022, analyzing physical threat data from its risk intelligence platform over a 30-month period. The chart below shows the potential lost revenue of a hypothetical Fortune 1000, Fortune 100 and Fortune 10 organization if just one of 20 machines was taken out by various physical threats.
While the chart specifically examines the direct impact of lost revenue, we know there are many other side effects that cannot be so readily quantified. Let’s explore a severe weather event (a tornado) as an example of the tangible and intangible impacts of a single emergency event on a business. The reputational damage, customer churn, employee turnover and shifted operational resources caused by threats can be difficult to quantify. However, there are ways to estimate the Average Lost Revenue (ALR) from the direct impact of a crisis or threat.
Imagine a severe tornado touches down on a distribution center responsible for 5% of your revenue, forcing it to close for 20 days. If your company earns $2 billion annually, that center accounts for $100 million a year, and 20 of 365 days of that revenue comes to an ALR of about $5.5 million from the direct impact of the tornado.
That’s a big number for anyone’s bottom line. But it doesn’t take into account the additional costs of physical damage and repairs; loss of assets, products, customers or employees; or harm to your reputation. If you’re not prepared to manage the butterfly effects of a single emergency, the negative impact on your organization could be long-lasting and severe.
The importance of a comprehensive critical event management solution may seem obvious to the risk and security professionals of the world. However, gaining buy-in from executives may require reframing the need for risk solutions and their long-term benefits to the organization.
Be sure to check out Part 2 of this blog, where we’ll look at specific recommendations to help gain executive buy-in for security solutions.
And download the Global Risk Impact Report to learn more about measuring the loss associated with physical threats based on the impact to key business outcomes.