Deloitte Touche Tohmatsu
 
Economic Security Moves from War Room to Boardroom As Business Vulnerability Grows, Deloitte Study Shows
Security Reaps Big Dividends for Companies That Defend Brand, Supply Chain
Published: 9/27/04
Contact: Oriana Pound
Deloitte Touche Tohmatsu
+44 20 7303 5055

New York, September 27, 2004 —  A single breach of security anywhere in a company’s supply chain can result in staggering losses around the world, one of the key findings in a new study by Deloitte Touche Tohmatsu.  The study also shows that security is increasingly becoming a focus for directors of corporate boards who view it as a strategic investment that can reap measurable benefits.

Estimates for the loss from a security breach of one shipping container alone can amount to US$1 trillion, the study points out.  The cost of cyber attacks against companies worldwide reached US$12.5 billion in 2003, and a case of mad cow disease in 2002 cost the Canadian beef industry US$2.5 billion, according to reports cited in the study. 

In its comprehensive study, Prospering in the Secure Economy, Deloitte says that the essence of security for companies has expanded from primarily protecting assets and people to sustaining business no matter what type of interruption might occur, from a sudden spike in interest rates or the spread of a computer virus, to an act of terrorism.  As a result, the study finds, a new “secure economy” is evolving, characterized by greater vulnerability to business disruption, increased awareness of threats, regulatory compliance, and an expanding ability to respond rapidly to change.

“While governments continue to create safeguards to protect national borders and patrol the skies, the managements of global business organizations are now squarely in the front line when it comes to protecting their supply chain, their data, their brand, and their very existence,” says Jerry Leamon, Deloitte Global Managing Partner for Clients & Markets.  “If companies don’t take steps to protect their employees, customers, shareholders, and society from the risks now inherent in their businesses, they also risk more costly mandated government regulations.  In the new secure economy, CEOs are not only asking themselves how they can increase shareholder value but, increasingly, ‘What can destroy our brand?’”

The business case for creating a secure economy
According to the study, conducted by Deloitte Research, there are many opportunities to disrupt a global supply chain in an interconnected global economy.  Companies must therefore move beyond compliance with local government security measures to ensure that their full range of operations continues without disruption. 
 
Deloitte has found that a secure economic environment results in measurable business benefits:

  • Cost reduction.  Security investments can drive efficiency into the supply chain.  For example, one major private-public supply chain initiative generated cost savings of between US$378 and US$462 per shipping container.
  • Enhanced revenues.  New technologies such as RFID (radio frequency identification) tags track the location of containers and products at any point along the supply chain and help to reduce costly excess inventory.
  • Better risk management.  Proactive security policies help firms better manage operational and information technology failures from security incidents, including loss of life.
  • Brand protection.  Security investments protect a brand, the most valuable asset for many companies, against a crisis such as product tampering.

Deloitte says that a secure economy is defined by five new realities:

  • Rapid change. The global business climate has been nothing if not tumultuous in recent years.
  • New regulatory requirements.  Businesses now find themselves confronting a host of new government security requirements around the world.
  • Heightened threats and greater uncertainty. Companies remain unclear about what kinds of threats warrant the greatest concern, how they would be affected if particular kinds of attacks occurred, what marketplace conditions would follow, and when the heightened threat will pass.
  • Complex and interdependent risks. For all the advantages of the extended enterprise and its interdependent supply chains, this organizational model also puts businesses at greater security risk due to the multiple partners and handoffs involved in production and distribution.
  • Globalization and the 24/7 news cycle. Globalization and the 24/7 news cycle mean companies now have only minutes—not hours or days—to respond proactively to a security incident before risking possible damage to brand.

Protecting brand equity
“Companies view risk to their brands as their single biggest business hazard,” said Greg Pellegrino, Deloitte’s Global Public Sector Industry Leader and a senior advisor to the study.  “If customers lose faith or trust in a company, it can threaten the very survival of the organization.”  He said that in the wake of a security-related incident customers will judge a company on how well it managed the crisis.  Global enterprises must master several key challenges in guarding against security risk:

  • Assess and manage threats specific to the company.
  • Strengthen capabilities to manage a crisis.
  • Implement an enterprise-wide security plan.
  • Achieve end-to-end supply chain security.
  • Maximize shareholder value through investments in security.

A new approach to managing risk and uncertainty
While companies must first understand their greatest risks, many are unaware of their vulnerabilities.  Deloitte suggests a new approach to traditional risk management, which too often focuses on responses to a specific operational risk such as threats to a vessel at sea.  Instead, a company would build a portfolio of scenarios allowing it the strategic flexibility to address potential security breaches.  To get started, companies need to:

  • Identify key drivers.  Assess advances in technology, changing societal values, government actions, geopolitics, and industry and company activities posing a threat.
  • Define scenarios.  For each scenario, identify potential perpetrators, how the attack would occur, and ramifications to the company.
  • Formulate strategy.  Develop the core elements and responses to deal with the threat in each scenario.

Government incentives
Governments should assume a greater role in offering incentives to the private sector to invest in security, the study says.  For example, Initiative D21, a German public-private initiative, promotes cooperation on IT security and other threats.  Governments also need to ease ill-conceived and onerous regulations that hinder global trade and impede private security initiatives.  Sharing information is essential, and both sides must overcome long-standing mistrust to make it work.  Several public-private partnerships are under way to improve food safety and security.  In Australia, a joint venture tracks individual animals from birth to slaughter.

According to the study, a positive new development is that global standards are emerging through international groups such as the World Customs Organization to alleviate the current hodgepodge of incompatible country-specific security requirements.  For example, the International Ship and Port Security Code (ISPS) went into effect in July 2004, applying to all vessels over 500 tons engaged in international voyages.

“Businesses have the opportunity to turn compliance with new security regulations into business value,” says Leamon.  “Government can be a facilitator by providing incentives to invest in security and, wherever possible, working to ensure that multinationals are not forced to comply with incompatible country-specific security requirements.” 

About Deloitte Touche Tohmatsu
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, Deloitte delivers services in four professional areas—audit, tax, consulting, and financial advisory services—and serves more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas.
 
As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” “Deloitte & Touche,” “Deloitte Touche Tohmatsu,” or other related names.

About Deloitte Research
Operating through a network of research professionals, senior consulting and accounting practitioners, academics, and technology partners, Deloitte Research delivers innovative, practical insights companies can use to improve their overall business performance. Through its in-depth publications, surveys, reports, and commentary, Deloitte Research identifies, analyzes, and explains the major issues confronting businesses today and shaping tomorrow's marketplace.

Page Last Updated: September 24, 2004
Source: Deloitte Touche Tohmatsu (English)
