Almost all security, loss prevention, crisis or risk managers know the challenge of determining ROI - Return on Investment - when it comes to convincing management.
Although no one doubts the need for a security budget, people still face the difficult task of proving the added value of measures implemented or those about to be implemented. Successful safety investments are characterized by damage prevention, while the ROI is calculated on an immediate benefit.
The return on security investment (ROSI) must therefore be determined in a different way.
Not only should the actual investment be taken into account, but it is also necessary to know how physical protection measures, among others, can be strategically designed and integrated into existing structures and ultimately implemented in an operational way.
"Calculating security measures is seldom an easy task, as noted above. Relying on a classic ROI calculation, is not very useful. Anyone who wants to secure investments in the field of security technology, relevant software solutions, the employment of properly trained security personnel, internal training and continuing education or expenditure for the optimization of existing structures in the design of the physical protection system must be able to demonstrate the extent of the damage potentials that an organization can avoid by investing in its security. "
Therefore, the security ROI formula differs significantly from the ROI calculation. According to the general definition, ROI is the result of success divided by the capital investment or, in other words, the expected return on funds minus the budget of the respective security measures divided by the costs of those measures.
The return on ROSI security investments is based on variables such as “damage cost” and “damage prevention%” to account for the deficits mentioned above. Unlike ROI, ROSI is based on the assessment of specific risks that must be neutralized by an investment in security.
The following parameters should be taken into account when calculating the ROSI ratio:
- expected losses / year,
- one-time expected loss,
- occurrence rate / year,
- mitigation rate which describes the percentage of risks that would be covered by the planned investment.
This is always successful when the costs of the measures can be determined holistically. However, the most difficult part is probably the reliable estimation or calculation of the damage costs. With constant damage costs, like the regular theft of some valuables from businesses, it can be successful, but what if the damage costs are not constant or vary?In principle, we can assume two scenarios. If neither the claim costs nor the information on the possibility of preventing the loss can be reliably determined, the calculation of the ROSI is only possible under a number of assumptions.
The significance of ROSI therefore depends largely on the quality of the hypotheses. If, however, a reliable calculation of the cost of claims and information on the possibility of preventing the damage is possible, then the ROSI is applicable.
A neutral approach to the respective risk factors and their objective assessment can ensure that the decision whether or not to invest in security is correct. This means that in each risk model, the utility and risk dimensions must be identified and compared. For this, the company must take collective and transversal decisions to obtain the most precise results possible. It should be noted that this data is generally based on experience and simulation calculations which do not necessarily correspond to reality. "