Category Archives: Article

What’s Security Worth?

3/1/2004 | Palmer, W., Security Management Magazine

(Originally published in Security Management Magazine, March 2004)

Limited resources and a growing set of responsibilities continue to plague many security departments despite security’s higher profile in the world at large. If security directors are to improve their situations, they must learn to better articulate the department’s value to the overall organization, such as by selling the security function to senior management as a profit center. However, attempts to do so must go beyond simply introducing a new lexicon with phrases such as value-added, profit center, and return on investment or introducing new titles such as chief security officer.

The long-term success of the security function depends on the delivery and fulfillment of these concepts in a manner that can be articulated to management and demonstrated by data. Dave Farrell, president and CEO of Bob’s Stores, headquartered in Meriden, Connecticut, sums up this idea: “I’m not interested in squeezing the loss prevention department’s budget. I’m interested in generating the best financial return for our company and that comes from squeezing loss rates in the most effective manner.”

The question for security department directors, then, is how to demonstrate financial return to the entire organization overall. The answer combines solid performance data and standard financial analysis tools.

Get the facts. Imagine for a moment that you had $50,000 to invest, and as a result, scheduled a meeting with a financial planner. What information might you want to know about the company before entrusting your savings to it? You would want to know how many years it had been in business, what training or certifications the professionals in its employ hold, and, most importantly, the kinds of financial results they have produced for others.

Now, assume that the organization has been in business for 13 years and the person handling your investment is a certified financial planner. However, the planner is unable to provide any data about the investments he has made in the past, what those recommendations were based on, how they performed, and how his previous clients benefited from his work. How likely would you be to entrust your hard-earned savings to this individual? Not very.

Yet there are still some business executives, including security and loss prevention professionals, who will walk into the chief financial officer’s office at budget-review time with little more performance data than our imaginary financial planner had. For example, at a recent retail loss prevention roundtable meeting that I attended, one consultant observed that when his company is working with a client and asks for data on refund fraud rates, many senior executives say they can’t identify that information, a surprising response given that this is a key metric. This anecdotal evidence is likely indicative of a general lack of data relating to performance within the security function. Without this type of information, the case for security cannot be made.

Thus, the first step in identifying security’s value is to identify and collect objective data for items that recur frequently, such as workloads and service levels. The goal is to develop a clear understanding of where the department spends its time and efforts, creating a baseline for comparison when the program is changed in some way. If security professionals do not devote the energy and time to develop these metrics and data streams, they will never be able to compete with other business functions for budgets, resources, and attention from senior management. Without data, security does not have the building blocks for the next process-financial analysis.

Costs and benefits. Once the key metrics associated with security’s contributions to the organization have been identified and data about them collected, the value to the organization must be calculated in terms of a financial return on investment (ROI). What does ROI consist of? Consider a loss prevention situation. One might consider the number of cases resolved, the amount recovered, and the cost of the program. Simply put, is the investment in the activity, when considering all expenses associated with it (payroll, travel, liability, etc.) worth the return to the organization, considering all possible returns-financial recoveries as well as such other effects as positive impact on operations and morale or deterrence effects?

Security and loss prevention leaders should be asking if the costs of a project or activity are outweighed by the benefits, both tangible and intangible. If not, the threshold required for investing in that activity has not been passed. This question is addressed by a number of financial analysis methodologies, discussed in more detail in the next section. But first, an incremental cash flow statement must be constructed.

Incremental cash flow statement. The security manager first needs to gather data for a cash flow statement that identifies the financial impact of the project over its useful life by showing the cost of installation, the cost of maintenance, any other costs, and the impact in terms of savings to the company.

An illustration of this type of incremental cash flow in the retail industry might concern installation of an electronic article-surveillance (EAS) program. It should include the program’s up-front and long-term cost and then the resulting savings, including retail sales statistics, cost-to-retail ratio, baseline shrink rates, and shrink rates from this program.

As numbers are crunched, the security manager must make sure that the data can be explained. For example, with regard to shrinkage, the manager should be ready to tell senior managers what the projected shrink rate is based on¾whether the number of the assumed reduction in shrink is based on other, similar installations at the organization, benchmark data from other companies, or test data. Similarly, the manager should discuss any other projects being introduced at the same time and whether they likewise are included in the estimate for shrink reduction.

As all subsequent analysis depends on the accuracy of the assumptions in the incremental cash flow statement, the importance of this step cannot be overestimated.

Analysis techniques. Once the data have been identified and an incremental cash flow statement constructed, specific analysis techniques may be used. The most common of these relate to payback period, net present value, and internal rate of return.

Payback period. Payback period is the simplest way to look at ROI and as a result is often used when a quick comparison of projects is required. This statistic identifies how long it will take to earn back the money that has been spent on a project (based on the incremental cash flow statement). The formula for calculating payback period-measured in years-divides the cost of the project by the annual cash inflow that can be attributed to that project. Thus, if a project cost $75,000 and is expected to return $20,000 annually, the payback period would be 3.75 years.

Under payback period analysis, those projects where the payback periods are shorter are considered preferable to those with longer paybacks. Projects with shorter payback periods allow companies to recoup their investment more rapidly so that the money can be reinvested elsewhere more quickly, providing more liquidity of funds.

There are two primary downsides to examining payback period. First, it ignores any benefits that might accrue after the payback period is complete. In addition, the time value of the money put into the investment in the original project is not included in calculations.

Net present value. Net present value (NPV) is a widely accepted financial analysis tool that allows organizations to consider a critical component in the evaluation of projects and activities-the time value of money. When funds and effort are spent to implement a project, usually the money is spent at the beginning of the project and the benefits accrue over time. However, $1 five years from now is not the same as $1 today – it is worth less due to inflation and other financial factors. Those future returns must be stated in terms of today’s dollars to ensure an “apples to apples” comparison.

NPV is expressed in the following equation: PV (present value of future cash flows) – I (initial investment) = NPV. The PV is determined by taking the cash flows from future years and reducing them according to a discount factor table, available in print and through computer applications. The amount of the “discount” is determined by the cost of capital-how much will the money to be used for the project cost in the long run? Think about buying a car: If you finance it, your cost of capital would be the interest rate of your loan. But even if you are going to pay cash, there is still a cost of using that money: opportunity cost. In other words, what else might have been done with that money to create a financial return? If put in a savings account or a certificate of deposit, the money would earn interest. In that situation, the cost of capital would be the rate that would have been earned if that money had been invested in an interest-bearing financial instrument.

Internal rate of return. The internal rate of return (IRR) is a measure of profitability that is closely related to NPV. However, this figure expresses return in percentage terms rather than dollars. IRR is a discount rate that makes the NPV equal to zero. For example, using the sample incremental cash flow, with an initial asset cost of $75,000 and a discount factor of 12 percent, the NPV would equal $24, 120. However, if the discount factor instead was set at 24 percent, the NPV would be approximately equal to zero. Therefore, the IRR for this project is 24 percent.

By expressing the ROI in terms of percentages, the IRR allows one to compare returns from projects that have different economic scales. From an organizational perspective, it also allows a firm to establish a cutoff rate (also called a hurdle rate or a required rate of return) based on the cost of capital, opportunity costs, and risk. A project whose IRR falls below this cutoff rate is not approved, while those above it will be considered for implementation.

The tools mentioned here can help organizations to identify ROI in their security and loss prevention departments. ROI is only part of the equation, however. The security department must also make sure that projects are tied to the functional objectives of both security and the overall organization. These objectives may concern risk or loss avoidance or customer satisfaction, for example. The data collected for ROI would then focus on results that further these objectives. For a hospital, for example, the goal might be patient satisfaction-a key metric that drives revenue for most healthcare institutions.

Security professionals who are not comfortable with financial concepts should not try to go it alone. This situation is a prime opportunity to forge a partnership with the organization’s finance group: Finance can explain how they evaluate ROI, what hurdle rates they use, and which analysis techniques are best suited to the organization.

The benefits. Running the numbers is important not only in terms of selling security to senior management but also in making management decisions within the department. For example, the senior security executive for a national specialty retailer recently told the author that he eliminated a number of projects and activities after adopting an ROI methodology to formally evaluate the program. He said that after he put down his department’s actual numbers on paper, he couldn’t defend the assumptions behind the programs in any objective way. In some cases, the numbers based on assumptions showed that the programs did not result in a positive ROI. The bottom line was that he realized the department had been doing things for years simply because everyone believed those programs added value. They didn’t.

Another example of the value of running the numbers comes from Shane Sturman, partner and vice president of operations for Wicklander-Zulawski. He explains that when he was a director of loss prevention for a wholesale warehouse chain, the security department wanted to show the value of its detective program.

“Since we were a ‘membership’ club, we had extremely reliable data about how many times an average customer shopped at our locations. We took that figure and compared it to our shoplifting cases and made an assumption that [shoplifters] ‘shopped’ our store at the same rate,” he says. “Once they had been caught, we looked at each shoplifter’s own shopping pattern to validate that they frequented the store at about the same rate as the average customer.”

By using that data and multiplying it by the number of shoplifters apprehended and the dollar amount of merchandise with which they were apprehended, Sturman was able to estimate future loss, making an extremely strong case for justifying the company’s in-store detective program. “When we looked at how much future loss was avoided by the apprehension of these shoplifters, we were talking millions of dollars over a three-year period,” Sturman says. “And that was just assuming that the shoplifters didn’t take more as time went on or begin to shoplift the location more frequently.”

In another case, a company first ran a pilot test of an EAS program. The test had shown that with EAS baseline shrink decreased by 30 to 40 percent. But a formal ROI showed that some stores couldn’t justify the expense of the EAS system even if they achieved a 50 percent reduction in shrink. The combination of sales volume and baseline shrink just didn’t come to enough dollars to cover the expense.

Remember what management guru Peter Drucker once said: “What gets measured, gets managed.” And if the security department is to manage its future better, it must begin by measuring its progress today.


Originally published in Security Management Magazine, March 2003

© 2004, Walter E. Palmer, PCGsolutions, All Rights Reserved

The Changing Dynamics of Retail Shrinkage

12/1/2000 | Palmer, W., ADT SolutionSource Newsletter

In today’s ultra-competitive retail industry, the pace of change initiatives, introduction of new customer service initiatives, and implementation of new technology and systems continues to quicken as companies strive to win market and purse share. When combined with the on-going issues of high turnover and low training of personnel, systems and operational context is rapidly overtaking other historical factors as the key determinant of shrinkage performance.

Retail loss prevention executives, charged with controlling shrinkage and losses, can no more stand in the way of these changes than a child can plug a leak in a dam with their finger. Rather, they are challenged to support these changes and improvements while maintaining losses at budgeted levels. There are two primary reasons these initiatives and projects can adversely affect shrinkage – lack of loss prevention involvement and lack of budget for necessary controls and interventions.

Lack of Loss Prevention Involvement

This challenge can only be met by taking an active role in the planning process of these projects, most of which are not considered to be “loss prevention” projects. In fact, in many cases, project leaders do not even seek out the loss prevention function, not because of any Machiavellian impulse, but, rather, because they do not realize potential loss exposures or see any pertinence to shrinkage efforts.

Therefore, it’s incumbent on the loss prevention executive to actively seek out and engage themselves in these projects to assess potential shrinkage impacts. Projects such as upgraded distribution systems, automated price change capture, POS enhancements, relaxation or elimination of traditional controls and management approvals, implementation of stored value cards, and implementation of RF scanning are just some examples of projects which have caused retailers significant degradation of shrinkage results.

Through early engagement and involvement in the development process, the loss prevention executive can anticipate potential exposures and influence the business specifications to eliminate or mitigate these exposures. They can also incorporate controls, deterrents, reporting, and education into the implementation phase to address potential issues before they become a painful reality manifesting increased losses and theft.

No Budget for Necessary Controls

Once the exposures are identified, the next key objective of this early involvement in the project planning process is to incorporate the expenses necessary to prevent shrinkage into the project budget. Since the primary driver for most of these projects comes from outside the loss prevention function, most project plans and budgets have not incorporated expense projections for necessary controls such as exception reports, physical security measures, loss prevention payroll, training expenses, etc.

The loss prevention executive must make a solid business case for inclusion of the appropriate expenses associated with the implementation of the new project, procedure, or technology by using return on investment analysis. Additional supporting statistics such as case histories and benchmarking other retailers’ implementation of a similar initiative can also be used to support the requested expenses.


The rewards of this level of involvement in business projects are not only shrinkage control, but also a better understanding and involvement in core processes that elevate the loss prevention executive from the functional level to the strategic level. It seems clear that shrinkage performance and results will become more and more closely tied and integrated into the overall business objectives and strategies. The loss prevention executive who can succeed in this new context will be in high demand.