Skip to main content

Information Security and Economic Profit

(0 comments)

This is the third in a series of blog posts (that I hope to be able to finish, because otherwise these first ones will seem stupid). My goal is to provide information security professionals a basis for discussing risks with business professionals - especially finance people - and to dispel some myths. In the first post, I discussed how businesses create value arguing that reducing risk increases value. In the second, I bitched about how I hated the term 'ROI', it's over-use in marketing and it's short-comings. While NPV is better, it too has some shortcomings, including the fact that it isn't a very good tool for ongoing evaluation.  NPV basically states "According to these assumptions, this project should create value".  However, it does not track the outcome nor can it easily be used as a basis for incentives.

The tool I prefer is Economic Profit (sometimes referred to as Economic Value Added, but that terms is trademarked). Economic Profit is defined as "The difference between the revenue received from the sale of an output and the opportunity cost of the inputs used", where the primary input used means capital. If you invest $200,000 in a business you are going to want a higher return than you could get in a safer investments, such as a municipal bond. (Avoiding references to the 'riskless rate on US Government T-bills' at the moment until we see how risky they are.) Economic profit is the profit or loss after net income and a charge for the use of the capital. For example:

Investment 200
Cost of Capital 10%
Revenue 100 100 100 100 100 100 100 100 100 100 100 100
Expenses 70 70 70 70 70 70 70 70 70 70 70 70
Taxes 9 9 9 9 9 9 9 9 9 9 9 9
NOPAT 21 21 21 21 21 21 21 21 21 21 21 21
Capital Charge 20 20 20 20 20 20 20 20 20 20 20 20
Economic Profit 1 1 1 1 1 1 1 1 1 1 1 1

Doesn't that math look a lot simpler than NPV's? The beauty is that it is just like an income statement or balance sheet: it can change over time. For example, what if you can reduce your costs:

Investment 200
Cost of Capital 10%
Revenue 100 100 100 100 100 100 100 100 100 100 100 100
Expenses 70 70 70 70 70 70 65 65 65 65 65 65
Taxes 9 9 9 9 9 9 9 9 9 9 9 9
NOPAT 21 21 21 21 21 21 21 21 21 21 21 21
Capital Charge 20 20 20 20 20 20 20 20 20 20 20 20
Economic Profit 1 1 1 1 1 1 6 6 6 6 6 6

Or, as in the case of Information Security and Risk Management, what if you can reduce the risk of the cash flows?

Investment 200
Cost of Capital 9%
Revenue 100 100 100 100 100 100 100 100 100 100 100 100
Expenses 70 70 70 70 70 70 70 70 70 70 70 70
Taxes 9 9 9 9 9 9 9 9 9 9 9 9
NOPAT 21 21 21 21 21 21 21 21 21 21 21 21
Capital Charge 18 18 18 18 18 18 18 18 18 18 18 18
Economic Profit 3 3 3 3 3 3 3 3 3 3 3 3

What proponents of Economic Profit will tell you is that it encompasses all the ways a firm creates value: increasing the return on existing capital, investing where the return is greater than the cost of capital and divesting where the return is less than the cost of capital. Information security pros know that risks change over time. Attacks get cheaper, data becomes more valuable. regulations tighten, etc. Economic profit allows you to change those assumptions over time

By the way, you can still take the NPV of a stream of economic profit.

I have used Economic Profit at a previous company. We needed a good bonus system that would be easy to understand, provide for growth, but recognized that the companies revenue fluctuated. We ended up keeping our base salaries very low and paying a bonus of 1/3 of the 3 month rolling-average economic profit of the firm every month. We plowed back into the company 2/3 of the economic profit and the capital charge. If we hired someone and they didn't start paying for themselves in 3 months, we all felt it in our own pockets. We also always made money.

Note that books have been written about how to correctly calculate Economic Profit (in particular I recommend, Bennett Stewart's The Quest for Value).  It can get very complex depending our your organization's complexity.  However, I have used it in a very simple way too and it provided great value.  

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

Recent Posts

Archive

2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom