After security managers at W. W. Grainger conducted a risk assessment, they found that physical security varied widely among the industrial supply company’s 390 branches throughout the United States. The security team at Grainger was concerned that the company’s branches, which supply facilities-maintenance products, were more likely to fall victim to crime if located in high-risk areas. However, the security team needed to prove that the risk was real and that steps needed to be taken to ensure employee safety and protect company assets.
Security used targeted crime statistics and forecasts along with the results of an employee safety risk survey for each branch to quantify local risk. There had been several reports of security-related incidents in the previous 18 months near one particular Grainger property. After completing a risk assessment, security developed a business case describing the problem and pointing out some of the details of the crimes. Recommendations were made to enhance physical security at this location to help deter criminal activity and to provide a safer work environment. A request for capital funding to install a 12-camera CCTV system was submitted to management along with the business case. The capital request was reviewed and quickly approved.
On another occasion at Grainger, the $9 billion company started to face significant losses—external fraud had historically been low—when its business strategy shifted to aggressively grow e-commerce sales. A business case to identify a fraud management solution was developed with the support of internal business partners. The business case included an executive summary with a description of the risk, a quantitative analysis projecting potential losses, a cost benefit analysis for the next five years, and a recommended solution. The business case was presented to senior management and approval was received to proceed with the project. The fraud management solution provided a cost effective solution and a quick return on investment.
Both of these security successes hinged on the presentation of the business case. The business case is considered standard practice to justify budget or capital requests throughout private and public industry, and in a metrics-focused business environment, security practitioners must be able to understand and apply the process. A well-written business case provides the compelling justification for initiating a project or task. It is often presented in a formal way, through a written document that includes the reasoning for the undertaking and a recommendation based on the estimated costs versus the expected gains and offset by any identified risks. The premise of the business case is that, whenever requesting resources, those resources should be in support of a specific, well-defined need.
A good business case adequately captures both the quantifiable and unquantifiable characteristics of a proposed project. A typical business case describes the business problem, the possible solutions, the risks and benefits of each course of action, and the solution recommended for approval. One of the most important purposes of the business case is that it assists organizational stakeholders in making decisions regarding the viability of a proposed project.