Created by George Campbell, Security Executive Council Emeritus Faculty member
The January/February 2011 issue of Financial Executive magazine included an article titled “Corporate Performance Metrics to Top Board Agendas,” written by Ken Daly, then President and CEO of the National Association of Corporate Directors (NACD), the nation’s largest member-based organization for corporate board directors.
The article is now dated in some ways, but it offers many insights that should still be instructive for security management’s agenda today. Daly writes, “Why corporate performance metrics? Because they link corporate strategy and corporate performance — traditionally the top two issues for directors by far… Strategy is about the future, performance is about the past, and metrics align the two.”
Daly goes on to point out that corporate oversight is an increasingly difficult challenge given the complexity of the governance environment and the sea of numbers often put at the center of the boardroom table. These challenges have spawned scores of financial and non-financial metrics, but which ones provide the quality and priority essential to directors’ informed oversight and direction?
There are, of course, the usual suspects in the financial realm — profits, margins, cash flow, earnings, ROI, revenue growth. But it is the non-financial board metrics that should really inform our decisions on which security metrics we target for reporting up.
Daly identifies 18 categories of measurable value drivers for the enterprise. Let me comment on several that I believe have relevance for our input.
• Competition/market share: A security program that is effectively aligned with business strategy will bring tools and capabilities to the table that protect shareholder assets and customer confidence.
• Culture and tone at the top: These corporate characteristics signify intolerance of misconduct and an established role for an integrity-based security program.
• Environment, health and safety: These are a clearly established set of mission responsibilities for many security organizations. Even in the more traditional settings, “safety” may be translated to a safe and secure work environment, which absolutely resides within corporate security’s aegis.
• Legal/regulatory compliance: Avoidance of sanctionable defects and litigation for any number of workplace security assurances is within our scope of risk mitigation accountabilities.
• Logistic capabilities: We have a clear role in the safe, secure travel of executives and staff as well as significant elements within the scope of business continuity programming.
• Ethics: We are the ethics gatekeeper, with our background check and due diligence examination programs, and we contribute significantly to the identification of ethical shortcomings in our internal investigations.
• Reputation: Security breaches, advertised flaws in key safeguards or internal controls, and failure to protect shareholder assets all negatively impact our reputation in the marketplace.
• Risk management: If we are not an integral element in the enterprise risk management strategy, we likely are failing in several of the scorecard areas noted above. Risk is why we have a job.
There is no question that both boards and senior executives are increasingly engaged in driving the need for, and evaluation of, a variety of key performance indicators — metrics that matter. Our unique perch provides rich and relevant input to that scoreboard. The question for us in our roles in the governance infrastructure is how we can most reliably use this unique experience and data to formulate and present metrics that provide a more robust picture of enterprise risk.