A business case based on metrics can help the security department effectively present a project to the C-suite and win support for implementing the program.
After security managers at W. W. Grainger conducted a risk assessment, they found that physical security varied widely among the industrial supply company’s 390 branches throughout the United States. The security team at Grainger was concerned that the company’s branches, which supply facilities-maintenance products, were more likely to fall victim to crime if located in high-risk areas. However, the security team needed to prove that the risk was real and that steps needed to be taken to ensure employee safety and protect company assets.
Security used targeted crime statistics and forecasts along with the results of an employee safety risk survey for each branch to quantify local risk. There had been several reports of security-related incidents in the previous 18 months near one particular Grainger property. After completing a risk assessment, security developed a business case describing the problem and pointing out some of the details of the crimes. Recommendations were made to enhance physical security at this location to help deter criminal activity and to provide a safer work environment. A request for capital funding to install a 12-camera CCTV system was submitted to management along with the business case. The capital request was reviewed and quickly approved.
On another occasion at Grainger, the $9 billion company started to face significant losses—external fraud had historically been low—when its business strategy shifted to aggressively grow e-commerce sales. A business case to identify a fraud management solution was developed with the support of internal business partners. The business case included an executive summary with a description of the risk, a quantitative analysis projecting potential losses, a cost benefit analysis for the next five years, and a recommended solution. The business case was presented to senior management and approval was received to proceed with the project. The fraud management solution provided a cost effective solution and a quick return on investment.
Both of these security successes hinged on the presentation of the business case. The business case is considered standard practice to justify budget or capital requests throughout private and public industry, and in a metrics-focused business environment, security practitioners must be able to understand and apply the process. A well-written business case provides the compelling justification for initiating a project or task. It is often presented in a formal way, through a written document that includes the reasoning for the undertaking and a recommendation based on the estimated costs versus the expected gains and offset by any identified risks. The premise of the business case is that, whenever requesting resources, those resources should be in support of a specific, well-defined need.
A good business case adequately captures both the quantifiable and unquantifiable characteristics of a proposed project. A typical business case describes the business problem, the possible solutions, the risks and benefits of each course of action, and the solution recommended for approval. One of the most important purposes of the business case is that it assists organizational stakeholders in making decisions regarding the viability of a proposed project.
Security managers can improve their chances of successfully obtaining funding by ensuring that the business case is interesting. To do this, the business case should provide the reader with a real picture or vision while minimizing jargon and conjecture. Communicating all relevant facts as part of the overall story is important since this is a chance to prove that the author has done his or her homework. Making it business oriented and concerned with business capabilities and impact, rather than having a technical focus, is also a key point, so decision makers can easily determine the bottom-line impact. Managers must ensure that the reasons for the project are in line with and support the organization’s strategy.
The business case should include a comparative analysis that provides evidence-based research and justifies the data. The document should clearly impart how the benefits will be realized and should set out what will define a successful outcome and which option is preferred. Demonstrating the short-term and long-term value the project brings to the organization while including the nonfinancial, as well as financial, project costs, resource needs, and risks is the final point to remember.
How to Write a Business Case
Many companies have a formal process for requesting capital funds or resources related to a project or program. An important step in this process is to develop a good business case to justify the resources and capital investment. The business case is the place where all relevant information is documented and linked together into one cohesive story.
A business case contains eight essential parts: executive summary, project description, business impact, justification, cost-benefit analysis, alternatives and analysis, recommendation, and approval.
1.) Executive summary. The executive summary is the first section of the business case. It is a short summary of the entire business case and should be comprehensive because it may be the only part of the document that executives will actually read. This section should provide general information on the challenges surrounding the issue. Managers should mine the details of the larger sections of the report to build a complete summary of the case. It should briefly describe the business problem that the proposed project will address. It should highlight the benefits it will provide and how it aligns with the goals and objectives of the organization. The executive summary is an opportunity to win over those in the decision making hierarchy, and it should be constructed with careful consideration of the audience.
Because security investments can have two kinds of payoffs—an improved security picture and an improved financial picture—it is important to characterize these benefits carefully. Knowing how to quantify an investment and its projected return in ways that the CFO and other financial decision makers are accustomed to seeing can be pivotal to obtaining approval, especially in tough economic times.
Many experts recommend that summaries span no more than a page or two, but the best rule of thumb is to know your audience. Some CFOs, for example, will read only the executive summary, so it may be necessary to include supporting details that wouldn’t fit into a two-page summary.
2.) Project description. The project description is usually the second part of the business case, and it introduces the reader to the details of the project and helps define or shape everything else in the case. This section should provide a detailed explanation of the business issue being addressed. It should include goals and objectives, performance criteria, assumptions, constraints, and milestones. Managers should include any expected benefits from the investment of the organizational resources into the project. The description of the project’s purpose should include a clear statement of the problem or problems to be solved, as well as the solution. In many ways, the results of the case are determined when the description is stated correctly. It’s important to address two primary decision components: value and priority. Executives will ask: “Is it worth it?” Answering this question requires a general understanding of what the program will accomplish and why it is important.
3.) Business impact. The business impact section should outline what business functions or processes may be affected. It should describe how the proposed project will modify or affect the organizational processes, hardware, and software. In this section, managers should explain any additional resource requirements such as staffing or training. It should also include a SWOT (internal strengths, internal weaknesses, external opportunities, external threats) analysis, which is also known as situational analysis. Specifically, this section should include the impact that the approval of the business case may have on the overall company. It should include a discussion about what services would be involved and additional risks incurred if the proposal is not accepted. The business case will involve the expenditure of limited resources towards a goal that must compete against other noble causes to further business needs. The business impact section should describe the advantages of the proposal and involve decisions that benefit the company. Costs and advantages work in opposition to each other. In general, for a business case to be successful and its arguments persuasive, advantages will trump costs.
4.) Justification. The justification section explains why the recommended project should be implemented and why it was selected over other alternatives. Where applicable, quantitative support should be provided, and the impact of not implementing the project, including the costs and risks of inactivity, should also be stated. From this information, the justification of the project is derived.
5.) Cost-benefit analysis. The cost-benefit analysis section is one of the most important parts of a business case because the bottom line is usually “does it save money or generate extra revenue?” Since corporations have historically viewed security as a necessary expenditure to reduce risk and avoid loss, it is important to help management see its financial value via a cost-benefit analysis. The purpose of the analysis is to illustrate the costs of the project and compare them with the benefits and savings to determine if the project is worth pursuing. A well-documented and supportable business case can be a powerful tool for the security professional competing for limited business resources. The business case can help decision makers prioritize how investment dollars will be spent.
Nonfinancial benefits and costs can prove helpful in a business case, but are often overlooked. Issues such as “better workplace safety” or “intellectual property loss” are often omitted because they can be difficult to quantify. But nonfinancial outcomes are a part of every proposition, and cash flow statements or other budgeting tools can be blind to them. Managers should include intangibles such as “shorter customer wait time” or “improved employee parking” as they are real benefits that affect the business. Some of the intangibles that may affect a business case without involving cost are worker productivity, process improvements, employee morale and retention, corporate culture, risk mitigation, workplace safety, increased awareness, and improved compliance. Some “intangibles” can also be translated into financial terms. For example, a new security device could reduce the time that employees spend going through inspection at facility entrances, and it may be appropriate to multiply staff salaries by the amount of work time saved by the new device. (These and other examples of quantifying “soft” security benefits can be found in The United States Security Industry: Size and Scope, Insights, Trends and Data, ASIS International/IOFM, 2014.)
6.) Alternatives and analysis. When developing the alternatives and analysis section it is imperative to identify options and alternatives to the proposed project. Further analysis of these potential options should be performed to identify a preferred solution. The following key questions should each be answered in a separate section.
How will we get there? This section should present viable options and associated costs that are analyzed and used to determine a recommendation.
What is the best option? This question could be answered by conducting a financial appraisal to ascertain funding and affordability in relation to benefits and risks.
While all phases in the business case development process are necessary, the analysis and recommendation phases are considered the heart of the business case. The analysis will also be helpful to the leadership team in prioritizing the project against many other projects in the business that may require capital investment and resources.
7.) Recommendation. When the recommendation section is read it should clearly bring closure to the business case. It summarizes the approach for how the project will address the business problem. Most cases offer options to consider that include full adoption of the proposal, a blended or middle possibility, and a “do nothing” option. A business case can provide as many options as are necessary, including options for a phased approach that considers limitations due to budget or staff. It is important to make sure the recommendation is clear and concise. This section should also describe how desirable results will be achieved by moving forward with the project. The recommendation should flow naturally from the evidence presented in the earlier sections of the report. Conclusions should refer directly to the business impacts and justification, drawing out the business advantages from the analysis sections.
8.) Approvals. The final section is for approvals, which is the ultimate goal of the business case. Once approval is granted or denied, the business case becomes a historical document to support project implementation and future associated development. Further, this historical document provides accountability for related projects and strengthens the foundation for security’s future procurement and development activities.
The proper research, combined with understandable metrics and presented in clear and concise language, can result in a winning business case. Learning to compile a business case can improve a security professional’s chances of gaining approval for projects and promoting the department within the organization.
Nathan Boberg, CPP, is the west regional security manager for Progressive Casualty Insurance where he oversees the physical security program. Keith Blakemore, CPP, is the director of corporate security for W. W. Grainger.