Feature Intangibles and security

The intangible value of security in a volatile global

It is not just bad management that can harm the value of intangible assets; they can be deliberately targeted for both criminal and political reasons

shows a sample of companies across all By Robert P Liscouski and Nir Kossovsky of the major US trading exchanges disclosing in their 2006 annual reports risks from During the highly contested 1992 elections terrorism. That such risks are disclosed in for the US Presidency, Democratic adviser filings to the US Securities and Exchange James Carville realised he had to focus Commission indicates that company boards both the electorate and his candidate, recognise the materiality of these risks and, Bill Clinton, on what really mattered: as such, accept that it is a board-level “It’s the Economy, Stupid.” responsibility to oversee management of In our volatile geopolitical environment, these risks. the economy of nation-states – most often the United States – is seen by those seeking Security perils are not intangible to bring about political collapse as Carl von Since 2001, US businesses and other Clausewitz’s centre of gravity. And in an icons have increasingly become the primary economy where intangible assets comprise focus, as enemies of the state have shifted upwards of 80% of the market capitalisation their targets from assets owned by the of traded companies, the centre of gravity government to assets owned by the private resides somewhere within the value of business sector with the goal of maximising intellectual properties and other intangibles. enterprise damage. And consistent with Intangible assets interdependently the economic focus, an increasingly larger support a company’s enterprise value. This share of the known US targets are in the article looks at security as an intangible financial sector. asset and defines board-level strategies now Security perils are not limited to non- being examined by the Intangible Asset state actors (terrorists). State-sponsored Society’s (IAFS) Security Risk sources of peril, organised crime groups, Management Committee that can help extortionists and common criminals can all companies realise and protect that value. find value in destroying, or threatening to destroy, the intangible asset value of a Security is an intangible asset business or industry sector. Table 2 Like , safety and quality, security summarises recent publicly disclosed IAM magazine is the official organ of comprises elements of what is generally terror threats and attacks, not only on US the Intangible Asset Finance Society known as a brand and interdependently businesses and icons but also on those (www.iafinance.org), formed to leverage supports other intangibles comprising from other western countries. the power of the capital markets to extract intellectual properties. Collectively, superior the maximum potential value of intangible management of security and other Good security risk management practices assets through education, advocacy and intangibles is associated with higher gross The Security Risk Management Committee the promulgation of standards. In each margins, net income, earnings multiples, of the IAFS has been evolving corporate issue, IAM publishes a contribution from enterprise value and market capitalisation. governance standards for intangible asset the Society on a noteworthy intangible In companies spanning a wide range of management based, in part, on a risk asset finance matter. industries, security risk is recognised as analysis model initially developed at the US being material to the enterprise. Table 1 Department of Homeland Security. The first

www.iam-magazine.com Intellectual Asset Management June/July 2007 49 Intangibles and security

The von Clausewitzian centre of gravity

of two central tenets of this model is that • Battling complacency. Carl Phillip Gottfried von Clausewitz (1780- risk arises from the difference between 1831) penned the magnum opus On War threat capability/probability and Priorities (1832), one of the two most important precautionary capability/effectiveness In every industry, certain aspects of its Western works ever written on the theory (Figure 1). This model implies that an operations provide all stakeholders with of warfare and strategy. The other is by optimal level of security product deployments assurances that the goods and services the Athenian writer Thucydides: The and security process implementations is delivered will meet quality standards. Peloponnesian War (circa 400 BC). relative, and that acute changes in either the In the food industry it is freedom from A central metaphore of On War, a text threat or precautionary capabilities create contaminants, toxins and poisons. Thus, increasingly used in business schools, is periods of maximum relative risk. For the Tylenol poisoning (criminal), the Taco the centre of gravity. Its use remains example, Figure 2 shows that the capital Bell and spinach E Coli scares (accident) essentially consistent with the concept’s markets recognised the rise in relative risk and the current scare over pet food representation in the mechanical sciences: associated with US-based hotel chains contamination (culprits, if any, undetermined “It is against that part of the enemy’s forces following the 11th September 2001 attack at this time) all represent central intangible where they are most concentrated that, if a on the World Trade Center. priorities where security threats may blow were to occur, the effect would The second tenet is that events will manifest. In the travel industry, it is a emanate the furthest; furthermore, the nevertheless occur. In such instances, combination of health (cruise line Norwalk greater the mass our own forces possess recovering, reconstructing and/or virus matter), customer service (Jet Blue IT when they deliver the blow, the more certain reconstituting the lost intangible assets – systems collapse) or the most basic we can be of the blow’s success.” resilience, in security parlance -– will freedom from assault (cruise line Achille Striking at or otherwise upsetting the determine whether the impairment is Lauro). Identifying the areas where an attack centre of gravity can cause the object to ultimately fatal or merely disruptive. will cause maximum damage to enterprise lose its balance or equilibrium and fall to the Insurances can provide capital to support value (the centre of gravity) is the first step ground. The US economy is the centre of a good practice for optimising resilience in in good security intangible asset risk gravity of the US government and intangible companies where corporate controls at the management practice. assets are at the heart of the US economy. board level have paved the way for the adoption of a robust intangible asset management philosophy, and the Table 1. Companies disclosing in their 10-K SEC filing a material security risk establishment of highly protected risks (within the insurance industry, Highly Ticker Name Market Business Protected Risk (HPR) is a status awarded when the insured object meets higher SMTC SEMTECH CORP NasdaqGM Semiconductor – integrated standards in order to obtain significantly MPR MET PRO CP NYSE Diversified machinery lower premiums. Protections relate to DEBS DEB SHOPS INC NasdaqGS Apparel stores conformance with good risk management TAG TAG IT PACIFIC INC AMEX Textile – apparel clothing practices and best practice standards). SAI SAIC INC NYSE Technical services ARSD.OB ARABIAN AMER DEV CO OTC BB Oil & gas refining & marketing A framework for good security risk PVH PHILLIPS VAN HEUSEN NYSE Textile – apparel clothing management practices JCP PENNEY J C CO HOLDIN NYSE Department stores Operationally, the primary challenge for those tasked with preserving enterprise value by maximising resilience – the Table 2. Recent attacks and threats to enterprise value corporate board – is setting targets for management. There are no standards for Target Year(s) Actor what is secure enough, no meaningful actuarial measure of threat and no framework Achille Lauro – (target was cruise ship 1985 Palestine Liberation Organisation for reasonableness of capital investment. with American passengers) In fact, the only certain fact is that security Pan Am 103 (target was “US airlines” 1987 Libya – state sponsor events, or threats of security events, can of which Pan Am was most iconic) be catastrophic in terms of enterprise value. McDonald’s as an iconic US business Frequent target Various nationalist, ecological and We suggest a process comprising five in Europe and other parts of the world since the 1980s far left-inspired organisations steps that, similar to good manufacturing World Trade Center, 1992 Al Qaeda practices and other process standards, World Trade Center, New York City 2001 Al Qaeda cannot guarantee a good outcome but can CitiGroup Buildings, New York City Summer 2004 Al Qaeda threat improve the probabilities: Wall Street/NY Summer 2004 Al Qaeda threat • Identifying the priorities. Prudential Insurance Company Summer 2004 Al Qaeda threat • Managing risk in a dynamic and BP in Colombia Current Regional terrorist organisations ambiguous threat environment. Shell Nigeria and Algeria Current Regional terrorist organisations • Ensuring commitment. Mobil Nigeria and Algeria Current Regional terrorist organisations • Making the business case.

50 Intellectual Asset Management June/July 2007 www.iam-magazine.com Intangibles and security

Building resilience into the business leadership, two cultural values must flow to protect against enterprise value loss through the organisation: following an attack includes both repairing • A culture of communication. Those at the people, products and processes impaired tactical level closest to threat data must by an attack, and devising a world-class understand that they are empowered to communications plan resulting in sustainable question security assumptions. market and consumer confidence in the • A culture of action. There is never company’s ongoing ability to deliver its enough or proper information and those products and honour its financial obligations. empowered to act need to be willing and able to act on the basis of information Managing risk in a dynamic and available. As Clausewitz noted: “It is ambiguous threat environment even better to act quickly and err than to Recognising that risk is relative, as hesitate until the time of action is past.” illustrated in Figures 1a and 1b, good risk management practices call for a rich Initial and ongoing investments Figures 1a and 1b. understanding of the baseline geopolitical The business case for risk mitigation and Risk arises from the difference between and criminal threat environment as those insurances to protect enterprise value threat capability/probability and threats relate to the companies’ against catastrophic security risk may not precautionary capability/effectiveness vulnerabilities. This involves the constant conform to a conventional ROI analysis. (1a). This implies that an optimal level of flow of information to senior decision On the other hand, in the absence of security product deployments and security makers regarding evolving threat conditions; reasonable efforts, liability falls squarely process implementations is relative and and accurate identification and assessment on those charged with corporate governance, that acute changes in either the threat or of an entity’s baseline security measures affirming the principle that catastrophic risk precautionary capabilities create periods and vulnerabilities. In our practice, we management is a core strategic concern. of maximum relative risk (1b) tend to segment businesses by industry Two aspects of good intangible asset category and organisations on the basis risk management practices warrant of people processes, physical measures repeating: Figure 1a. Time series of threat and and cyber measures. • Monitor and establish procedures to capability volatility reduce vulnerabilities above the baseline Organisational commitment as the threat changes. As with other matters that speak to • Seek insurances and other efficient risk enterprise value, an organisation must transfer instruments to cover the costs engage its leadership at the highest level – arising from implementation of a plan ie, board and C-level leadership. Within this leading to resilience.

Figure 2. Hotel index beta relative to S&P 500 Magnitude The interplay between security and stock price volatility. Note the rise in beta of an index of US corporate hotel businesses over the past few years as high-profile security events have increased concerns about the sector’s economic security.

Precautionary capability/effectiveness 2.5 Threat capability/probability Precautionary capability/effectiveness 2

Figure 1b. Time series of relative risk 1

0.5

0

-0.5

-1 JW Marriott 05 Aug 03, Jakarta

Magnitude -1.5

-2 World Trade Center Hyatt, Radisson & Days Inn 11 Sep 01, New York 10 Nov 05, Amman -2.5 Relative risk Relative risk Maj. US hotel index beta Events Hotel index 6 month moving average

www.iam-magazine.com Intellectual Asset Management June/July 2007 51 Intangibles and security

Figure 3. Questions for a board of directors, the answers to which would be part of a Table 4: Exemplary source materials company-specific intangible asset management standard for crafting intangible asset management standards relating to security and enterprise value Physical Prevent Protect Detect Attribute Respond Recover

People Selected cross-industry best practices/guidelines: Cyber • ISO17799 Code of Practice for Cyber

Where to focus resources – How to share information How to respond quickly to Security. insiders or outsiders – and without losing competitive ensure continuity of the • ISO13335 Risk Management Controls. across what business advantage or disclosing business process while • ISO15408 Common Criteria. processes? sensitive information? minimising operational impact? • NFPA1600 Standards for Physical Safety. • ASIS Security Guidelines for Homeland How to analytically select How to quickly analyse Which locations and what is critical and how information to validate who services to recover first, Security. much protection is needed? is responsible with a high in what order, and with degree of certainty? what service levels? Selected sector-specific best practices/guidelines: • Responsible Care Standards Battling complacency brands and intangible assets. The changing (chemical). The absence of an event may lead to a lack risk environment demands forward thinking • NERC1200 (energy). of focus and appreciation of the magnitude on this topic as many past incidents have • FFIEC Handbook for Audit (financial of the security perils to intangible assets demonstrated that the intangibles are now services). and therefore enterprise value. Financial perceived as the centre of gravity. • AAR Class I Freight Guidelines pressures may lead to a questioning of the In most traded companies, the buck (transportation). ongoing wisdom of sustained investments. stops with the CEO and the board of • American Lifeline Alliance Standards The single most effective means of directors. In companies where intangible (oil & gas). combating complacency is to conform to assets comprise a material fraction of the • FTA Emergency Preparedness good practices and ensure the periodic market capitalisation, shareholders (transportation). board-level examination of the risk reasonably expect that the company will management processes (Figure 3). have in place systems to ensure the optimal management of those assets and resilience Good security risk management standards should those assets be impaired. Security The IAFS’s Security Risk Management triggers are one source of catastrophic peril. Committee recognises that security issues Controls and related processes can be are historic matters of corporate concern reflected in good practice standards and can and much work has been done by industry, reduce the variance associated with asset associations and certain government management. The IAFS’s Security Risk agencies, such as the Department of Management Committee invites comments Homeland Security in the US, to craft and participation as it labours to promulgate guidelines for different operational risks. IAM standards. As James Carville might say The Committee recognises that industry today: “It’s the intangibles, stupid.” knows best how to govern its processes and will draw upon these sources, and Robert P Liscouski is an executive-in- others, to craft an integrated standard residence with Centurion Holdings LLC, that defines standards at the corporate New York and chairs the Intangible Asset governance level. Exemplary resources Finance Society’s Security Risk Management include general guidelines useful across Committee. He is former Assistant many industries and sector-specific Secretary, Infrastructure Security, guidelines from industries that tend to be Department of Homeland Security. closely regulated (Table 4). [email protected] The board of directors oversees management and the audit committee Nir Kossovsky, MD, is CEO of TOPCAP, oversees financial controls that include Pittsburgh, and also serves as the asset utilisation and protection. The IAFS’s Executive Secretary of the Intangible Asset Security Risk Management Committee Finance Society. believes it is critical that the board and [email protected] senior company management abandon the historical notion that security relates The authors thank Alfred Fasola, CEO of to guns, gates and guards, and adopt a Johnson & Higgins Private Equity Solutions, comprehensive approach to protecting its for his thoughtful comments.

52 Intellectual Asset Management June/July 2007 www.iam-magazine.com