The economic impact of implementing an OPSEC program
It is a mistake to look at OPSEC as reducing losses. Rather, OPSEC should be looked at as increasing revenues. How does this work?
Due to the magnitude of the figures involved, it is a safe assumption that your company is an unknowing contributor to the $300 billion lost each year to competitive intelligence, economic espionage, and theft. Let’s model what this means for a manufacturing company. Keep in mind that the model will apply to each independent division of a multi-national. That is to say that if one division makes automobiles and a second makes electronic goods, each will face losses independent of the other.
Working backwards, we know that the cost of the average loss in a manufacturing environment is $50 million. We also know that if we encounter one incident we more often than not encounter another two. This puts the theoretical potential loss of revenues at $150 million. Let us also assume a cost for a fully functional OPSEC program to be $1 million. This figure is high, but a nice round sum.
We also assume that a company that has implemented an OPSEC program has a much lower probability of being a victim, and that, if it is a victim, there will more often than not be only one incident that slips through.
Finally we assume that a company has the choice to implement internal controls or not implement internal controls. Note that the likelihood of being a target is not affected by the presence or absence of an OPSEC program, but that the likelihood of becoming a victim decreases when there are adequate internal controls in place.
If we run the model we get the following:
What this shows is that if you have not implemented an OPSEC program, your revenues for that operating unit are likely to be $90 million below where they should be, and that if you have implemented an OPSEC program, they are likely to be $15 million below where they should be.
Looked at from the perspective of revenue, if you implement an OPSEC program your revenues are likely to be, after the cost of the program, $75.5 million higher than if you chose not to implement.
This model does not account for three factors.
First, it deals with one operating unit. If you have more than one operating unit, each faces the same exposure.
Second, as with most programs, the cost of implementing OPSEC across operating units is not linear. That is to say, if you spent X dollars to implement the first program, you now have a lot of expertise and infrastructure in-house, so the second implementation will cost less. This is as true of implementing an OPSEC program as it is of implementing a new accounting system.
Third, since the SEC has said that “the Sarbanes-Oxley Act of 2002 and the Commission’s rules promulgated under the Act seek to strengthen pre-existing standards for internal controls, thereby potentially improving the ability of companies to track the costs and impact of economic espionage and theft of intellectual property,” senior managers face a higher risk if there is a shareholder lawsuit over lost revenues, plus potential SEC follow-up action for noncompliance with SOX if there is a lawsuit. The liability largely disappears if you in fact have the internal controls in place, and this reduction in liability is not reflected in the model.