RESILIENCE RETURN ON INVESTMENT – AN IMPOSSIBLE ARGUMENT?

Mukta Agrawal and Casey Church

Analytic Services, Inc.
2900 South Quincy Street, Suite 800, Arlington VA 22206
+1-703-416-3076, mukta.agrawal@hsi.dhs.gov

Gaining stakeholder buy-in for resilience-related investments faces two significant challenges:
first, resilience manifests itself through the system’s ability to withstand disruptive events which
are typically low frequency/high impact. These are generally difficult to predict in both time and
magnitude of impact, making return on investment (ROI) analysis difficult. Second, in the case
of privately owned critical infrastructure, resilience enhancements frequently require investment
from industry, but the greatest potential benefit is to the public. Does resilience ROI face an
impossible argument? Systems Thinking perspectives and tools may offer advantages in both the
analysis and communications of stakeholder perspectives and incentives, as well as aid in
identifying potential intervention points where government may best intervene.

Keywords: Resilience, ROI, Systems Thinking

INTRODUCTION

Resilience has been a topic of much interest in the critical infrastructure field and the focus of
numerous studies and commissions. The National Infrastructure Advisory Council for example
published reports dedicated to the topic in 2009 (1) and 2010 (2). While most literature on
resilience focuses on technical aspects of resilience, such as measures and metrics, such reports
often speak of policy challenges such as gaining stakeholder buy-in for resilience-related
investments. This paper examines the topic of return on investment (ROI). In this paper we
establish a definition of ROI; identify challenges in assessing ROI in resilience applications;
discuss differences in resilience ROI perspectives for government owned systems and those that
are private-industry owned; and suggest that Systems Thinking may offer an approach and tools
that can benefit the evaluation of resilience ROI.

BACKGROUND

Herrmann (3) states “In simplest terms, ROI implies that a measurable benefit will accrue as a
result of expending funds for a specific purpose.” In examining ROI in the field of security
controls, she points out that rather than looking only at financial ROI, one must consider a
variety of parameters. These may be divided into the following eight categories:

 Problem identification and characterization

 Total cost of security feature, function, or control
 Depreciation period
 Tangible benefits
 Intangible benefits

- 1-
  Payback period
 Comparative analysis
 Assumptions

There is not just one calculation that answers all ROI questions—instead, one must look to a
series of metrics which are evaluated and aggregated. Some of these metrics take the form of
actual measurements, whereas others are approximations or estimates.

This approach may be relevant to resilience ROI. Three of these categories are particularly
challenging to evaluate in terms of resilience investment - tangible benefits, intangible benefits,
and payback period. Herrmann (3) describes tangible benefits, the traditional metric used to
calculate ROI (Figure 1), as the benefit derived from implementing the feature, function or
control, which can readily be measured and translated into financial terms. The total cost is
comprised primarily of the initial implementation cost plus any sustainment costs. The return,
which typically begins at the completion of implementation, can be evaluated based on how
much it exceeds the sustainment costs each year and thereby, when it will recover the
implementation costs – the break-even point. The number of years between project initiation and
the break-even point gives us the payback period. Intangible benefits, those not lending
themselves to expression in financial terms (such as public perception, attractiveness of the
company to potential partners, or positive impact on the corporate culture) may be also
considered, but are generally secondary to the “financial bottom line”.

Traditional ROI

implementation
investment
$ per
year

return

sustainment cost
years break-even
Payback period point
Figure 1 Traditional ROI elements

RESILIENCE-RELATED ROI

With the traditional view of ROI analysis in mind, we can now appreciate a number of additional
challenges that resilience-related investments face. First, in the absence of a disruptive event, the
benefits of resilience investments are principally intangible benefits, such as the ability to better
accommodate potential events, deterrence effects on would-be attackers, and a greater sense of
security within the community. Tangible benefits will likely only be recognized when/if an event
occurs which would have otherwise resulted in disruption and financial loss (from operation

- 2-
disruption or repair/replacement costs). For example, a government funded project to enhance
river levees could produce only intangible benefits for years, until water levels reached a height
that would have otherwise resulted in the pre-existing levees failure and spilling of floodwaters.
As such, the benefit is in avoided costs rather than additional profit. This perspective frames
investments for resilience enhancements as being financed through borrowing against the
estimated costs of potential future losses.

If challenges exist in analyzing the avoided costs of prevented or reduced damage in the
aftermath of an event (i.e. after the river levels have subsided), then the challenges of supporting
ROI analysis of proposed resilience investments are clearly far greater. As shown in Figure 2,
predictions would be required for both potential magnitude of the cost impact, but also of the
frequency of occurrence, or alternatively the probability of occurrence within a particularly
period. Prediction of a payback period compounds magnitude and frequency, making it all the
more uncertain.

Resilience ROI

Potential Return
(in losses and costs
avoided) Challenges in predicting
$ per (in losses avoided) magnitude of impact
year
implementation
investment Challenges in predicting
probability/frequency of
occurrence

years
Challenges in predicting
payback period
Figure 2 Resilience ROI components

ORGANIZATIONAL CHARTER AND ROI

In the previous example of reinforcements of levees, we considered a government-funded project

to enhance the levee system’s resilience and thereby to potentially provide benefit to the local
population. An alternative scenario could involve an industry-owned critical infrastructure
system. We will examine both cases.

Resilience ROI for Government “Owned” Systems

Local, state and federal governments exist to do work, execute control, and establish policy and
laws for the public benefit. As agents for the public, government agencies routinely make
decisions about how best to allocate funds collected through taxation for the benefit of our
nation.

- 3-
Although stakeholder input can reflect opposing perspectives and incentives, it is largely left to
the government to determine which projects are prioritized within the budgetary constraints. This
is not to trivialize the careful analysis that must be done in determining which projects are most
deserving, but in the simplest view the government’s job is to apply tax dollars in the manner
that best services the tax payer.

Resilience ROI for Industry Owned Systems

Private industry clearly operates under different incentives than government agencies. Through
the sale of goods or services within the marketplace, industry strives to generate self-sustaining
profit, and in the case of publicly-traded companies, shareholder value. Industry must be
profitable to fund growth, internal investment, interest on debt, and in some cases to produce
dividends. It is with this perspective that industry assesses its investments in resilience.

For many industries, decisions about resilience investment may be similar to those previously
discussed. For example, a company that manufactures consumer electronics may choose to invest
in more versatile tooling equipment in order to be more flexible should the market shift in the
future. Critical infrastructure companies present a more complicated case. These companies
provide goods and services that are widely relied upon by the public. The “critical” in “critical
infrastructure” is an expression of this public reliance.

Tying this back to our concept that resilience offers the potential for tangible return in the form
of possible reduction in future costs, we can ask “potential return to whom?” If a telephone,
internet, or electricity distribution company can repeatedly repair damaged lines with less
expense than would be required to reduce the frequency of damage (such as burying the lines)
we cannot be surprised by their reluctance to make resilience investments that they do not
believe will benefit their bottom line (4).

In the absence of a market, where consumers can choose between providers based on factors
such as reliability and cost (such as in the case of utilities), we typically find some form of
regulators, whose role it is to serve as the interface between industry (and its profit-driven
efficiency) and the public (that wants inexpensive service available to meet all demand) (5).
Meaningful regulation must balance the investment required to ensure critical infrastructure
resilience with the potential benefits that will be realized by multiple stakeholders – industry,
government, and the general public – should the disruptive event occur. Figure 3 illustrates the
conceptual benefits from resilience enhancement to critical infrastructure as consisting of the
return to industry (savings from reduced downtime and cost to repair); return to the government
(reduction in disaster management and relief costs); and return to the public (losses from
damage, impact to businesses, etc.).

How can government intervene?

Government has three principal means to intervene in private-industry resilience efforts. First it
can mandate compliance with policies and standards it passes down. As an example, in 2007
U.S. law mandated the development of voluntary private sector programs in preparedness
accreditation and certification, as coordinated through the U.S. Department of Homeland
Security (6).

- 4-
A second option is to incentivize, as in through the use of tax credits in return for resilience
enhancements deemed sufficiently beneficial to the public.
Total Potential Return

Addition of return to public

(in losses avoided)

Addition of return to government

$ per (in disaster management & relief costs
Industry-born
year avoided)
implementation
investment

Base - return to industry

(in losses avoided)return

years
Figure 3 Potential return (losses and costs avoided) components.

A third approach is that of partnerships. An example of improved information sharing through

public-private partnership is the establishment of the critical infrastructure Sector Coordinating
Councils and their counterpart Government Coordinating Councils (7)(8). Public-private
partnerships have also been formed to share costs of insuring against risks. Examples include:

 Hurricane risk in Florida: Coverage available through both private insurers and a state-run
company “Citizens”, with Citizens now representing more than 30 percent of the market.
Private companies and Citizens both benefit from extremely advantageous reinsurance
from the state-run reinsurer, the Florida Hurricane Catastrophe Fund. (9)
 Earthquake risk in California: Insurance is provided through the California Earthquake
Authority, which is a risk-sharing arrangement between private insurers and the state. (9)
 Flood risk in the United States: The federal National Flood Insurance Program began in
1968 in response to the belief that flood peril was uninsurable by the private sector alone.
Private insurers sell insurance policies and settle claims on behalf of the federal
government. The program covers over $1 trillion in assets today. (9)

The previous discussion identified a number of significant challenges to assessing the ROI of
resilience investment, including the prediction of event occurrence and the magnitude of
potential impacts. It can now be seen that a number of additional challenges exist in the case of
private-industry owned critical infrastructure, where we see conflicting measures of success
between the public and private sectors, complex constraints on how cost can be shared between
these sectors, and a variety of mechanisms for government intervention.

- 5-
BENEFITS OF A SYSTEMS THINKING APPROACH

Senge (10) described systems thinking as a unique approach to extended enterprise problems,
such as private-industry resilience ROI evaluation, through analyzing the identifying
characteristics and behavior of the system in its entirety, as well as by describing the interactions
and relationships among its parts. Systems thinking can be used both for developing and
understanding a system and for analyzing and solving system-level problems. Systems thinking
acknowledges the strong interactions among the system components, along with the emergent
behaviors and unintended consequences that may result from these interactions.

Recognition of the value in a system oriented view is not unique to systems thinking. The ASCE
Board of Direction established the Critical Infrastructure Guidance Task Committee to develop a
guide to ensure quality in critical infrastructure systems that may involve multiple constituents,
multiple jurisdictions, and complex financing (11). Four guiding principles, developed to protect
public safety, health, and welfare, have been laid down: quantify, communicate, and manage
risk; employ an integrated systems approach; exercise sound leadership, management, and
stewardship in decision-making processes; adapt critical infrastructure in response to dynamic
conditions and practice.

In an effort to advance the resilience ROI discussion, we will describe a number of systems
thinking methodologies which offer benefits in establishing an analytic framework and
identifying potential intervention points in the trade-space between financial return and public
benefit.

An assessment framework

Attempting to solve problems related to resilience ROI can be quite daunting without a suitable
framework to guide the effort. Boardman and Sauser (12) presented a systems thinking tool
which can provide such a framework. The Conceptagon comprises seven triplets of system
characteristics which provide a guide to assess the system with a balance of analysis and
synthesis.

Figure 4 Conceptagon framework

- 6-
The triplets each consist of two attributes linked by a unifying concept, such as Boundary being
the unifier between Interior and Exterior. Balance is here sought between making the boundary
expansive enough to include the necessary components and relationships, but narrowly enough
to keep the problem tractable. Transformations define the purpose of the system in that they
identify what Inputs come into the system, and what desired Outputs leave the system.
Relationships speaks to the importance of recognizing that understand the Whole of the system
requires more than understanding the Parts. Process ties together the structure of the system and
its purpose in order to understand the connections and flows between components.
Communication pertains to the governance and Command structure and the Control loops which
balance or reinforce system behavior. Harmony balances the advantages of Variety (such as
redundancy and robustness) and Parsimony’s tendency to get by with the minimum necessary.
Hierarchy describes the structure of the system and the way it interacts with the outside world
with Openness relating to the level of interaction with the outside world and Emergence
addressing the behaviors that the system exhibits through combinations of components that
would not be associated with any individual part in isolation. The reader is encouraged to consult
Boardman and Sausers’ work or Edson’s primer (13) for details beyond this abbreviated
overview.

An example of the utility of such an approach can be found in the estimation of the impact to
electricity provision associated with a potential disruptive event. Whereas one might consider the
impact as being to those electricity customers in the immediate vicinity of the event, analysis of
the greater system might bring to light cascading consequences into other industries or regions,
as well as consequences stemming from the original event that might not manifest until
sometime later. Taking the larger system view in this example would significantly increase the
overall potential return, as shown in Figure 5 and thereby make the resilience ROI argument
stronger. Allocation of the potential benefits by sector could also be relevant to discussion of
investment cost sharing.

Figure 5 Investment cost and total potential return

- 7-
Checkland’s Soft Systems Methodology

Understanding human activity systems with multiple stakeholders requires understanding of the
relationships and perspectives of the stakeholders. A component of Checkland’s Soft Systems
Methodology, the CATWOE analysis, is based on a checklist for thinking through the six
elements of Customers, Actors, Transformation Process, Weltanschauung—also known as
“world view”, Owner, and Environmental Constraints (14).

Figure 6 CATWOE analysis for electrical power industry

Figure 6 provides an example of a high-level CATWOE analysis for the Electrical Power
Industry from three stakeholder’s perspectives: the public, the government (federal), and the
industry itself. A potential fourth perspective one might consider is that of the analyst, as
subjectivity can clearly affect analysis of human activity systems. It should be emphasized that

- 8-
this analysis is presented only as a feasible example of the CATWOE tool and is not meant to
convey the same validity of results as a fully rigorous analysis.

To highlight a few of the components of our example:

 Transformation (the essential activity of the system) is seen quite differently among the
three. The public, in general, tends to focus on delivery of dependable power to their
outlets; the government perspective sees conversion of resources into electricity; and the
power industry defines their mission as the generation and supply of sufficient electricity
to meet demand, with load shifting as necessary while network damage is being repaired.

 The Worldview conveys that the public, which is concerned with current conditions,
expects utilities to be reliable and affordable; the government is equally concerned with
the future - how industry will meet growing demand, how the security of the system can
be assured, and whether innovation in the technology is being supported; industry,
conscious of the requirements to move from the present into the future, considers
sustained profitability vital.

 Ownership (the individual or group that can modify of close the system) again points out
the limited perspective of the public, which typically views the electricity distribution
company as having far more control than they in fact do; the government sees control as
shared in a partnership between the electricity companies and the regulators; and the
electricity industry faces the potentially conflicting motivations of their shareholders, the
regulators, and indirectly the policy makers.

Again, our analysis is for the purpose of demonstration, but hopefully is sufficient to convey the
utility of the approach. By recognizing, appreciating, and synthesizing the varied perspectives of
the stakeholders, communication can be improved and more culturally feasible solutions can be
identified.

Understanding causality and feedback structures in complex systems

Causal Loop Diagrams, originally developed by Senge (10), are a tool to increase understanding
of causal relationships by recognizing the relevant variables, their relationships, time lags, and
reinforcing or balancing dynamics. Through this deeper understanding, points of high and low
leverage change can be understood. These diagrams can serve as useful communication tools to
help an audience understand the effects and dependencies of different relationships.

The blue loop in Figure 7 represents an industry perspective of resilience investment. Plus signs
indicate linked variables that move in the same direction and minus signs indicate variables that
move in opposite directions. After a disaster, costs to industry increase and profitability
decreases, thereby increasing the focus on cost reduction. This leads to decreased investment in
resilience and decreased net resilience. The independent input related to the magnitude of the
event reflects that it is the combination of event magnitude and resilience that determines the
impact realized. For a similar magnitude subsequent event the cycle predicts additional costs,

- 9-
further reduction in profitability, and greater pressure on reducing internal costs. This is a
reinforcing loop in that once set-off it can be self-perpetuating.

Figure 7 Causal Loop Diagram

The maroon loop represents potential government intervention in the form of incentives,
mandates, and partnerships. Increased intervention brings increases in industry resilience, which
reduces future impact. With reduced impact, the public’s perceived need for government
intervention decreases. This increases the likelihood that the next event will have significant
destructive impact. The combination of the two loops results then in a relationship such that
should industry investment in resilience decrease and result in disaster impacts beyond public
acceptance thresholds, government intervention will act to increase resilience and reduce disaster
impact to back below the acceptable level. If industry is able to minimize disaster impact
sufficiently, no public reaction occurs and government intervention is not necessary.

The balancing, or self-limiting, loop is typical of causal relationships where successful

reductions of an undesirable condition decrease public concern, which in turn results in
decreased government response, leading ultimately to an increase in the undesirable condition.
The system continues to oscillate about some equilibrium which is largely determined by the
degree of public concern. Figure 8 shows this on the left.

An interesting change can be achieved though if the role of the undesirable condition can be
replaced in the loops with a desirable one. In the loop on the right, we have replaced “impact of
disaster” with “losses reduced due to resilience” (a concept from our previous ROI figures). If
attention can be focused on the benefits realized from previous resilience investments, then
public reaction should support increased investment in resilience, thereby increasing the benefit
realized in subsequent events (in losses and costs avoided), and further fueling the cycle. Past
successes now contribute to the ROI argument for future investment.

- 10-
Figure 8 Conversion of self-limiting to self-perpetuating causality

SUMMARY

Of the many challenges in gaining stakeholder buy-in for resilience-related investments, we have
focused on two. The first pertains to the uncertainties of conversion from intangible to tangible
returns and the difficulties of prediction of impact magnitude and frequency of occurrence.
Second, resilience enhancements to private-industry infrastructure frequently offer the greater
potential benefit to the public than they do to the owners, but the industry is expected to make
the upfront investment. Government interventions such as incentives, mandates, and partnerships
will likely be required in such cases.

We believe that systems thinking perspectives and tools offer advantages in problem assessment,
communication, and solution. This systematic approach incorporates assessment of the system
with a balance of analysis and synthesis, incorporates multiple stakeholder perspectives, and
promotes understanding of causal relationship.

Does resilience ROI face an impossible argument? Particularly in private-industry owned cases,
the complexity is daunting. In framing these issues, and discussing meaningful solutions,
systems thinking approaches appear to have much of benefit to offer.

REFERENCES

(1) National Infrastructure Advisory Council, “Critical Infrastructure Resilience Final

Report and Recommendations” September 8, 2009
(2) National Infrastructure Advisory Council, “A Framework for Establishing Critical
Infrastructure Resilience Goals”, October 19, 2010
(3) Debra S. Herrmann Complete guide to security and privacy metrics: measuring
regulatory compliance, operational resilience, and ROI. Taylor & Francis Group LLC
2007.

- 11-
(4) “Underground Electric Transmission Lines”, Public Service Commission of Wisconsin,
May 2011. Accessible through:
http://psc.wi.gov/thelibrary/publications/electric/electric11.pdf
(5) United States Energy Information Administration, “International Energy Outlook 2011”
Report Number: DOE/EIA-0484(2011), September 19, 2011.
(6) Department of Homeland Security: Congressional Appearances--110th Congress.
http://www.dhs.gov/xabout/gc_1198102431198.shtm Last accessed April 15, 2012.
(7) Department of Homeland Security: “Homeland Security Presidential Directive 7:
Critical Infrastructure Identification, Prioritization, and Protection” December 17, 2003.
(8) “National Infrastructure Protection Plan—Preparing to Enhance Protection and
Resiliency” Department of Homeland Security, 2009.
(9) Erwann O. Michel Kerjan and Debra K. Decker, “Insure to Assure—A New Paradigm
for Nuclear Nonproliferation and International Security” Innovations, Vol. 4, Issue 2,
MIT Press, Spring 2009, Pgs. 139-45.
(10) Peter M. Senge, The Fifth Discipline: The Art and Practice of the Learning
Organization, Doubleday, 2006. P. 6-7, 74-90.
(11) American Society of Civil Engineers, “Guiding Principles for the Nation’s Critical
Infrastructure”, ASCE, 2009, Chapter 2.
(12) J. Boardman and Brian Sauser, “Systems Thinking: Coping with 21st Century
Problems”. Cova Raton, Taylor & Francis. 2008
(13) Robert Edson, “Systems Thinking. Applied. A Primer”, ASysT Institute, 08 October
2008 http://www.anser.org/docs/systems_thinking_applied.pdf Last accessed April 16,
2012.
(14) Peter Checkland, Systems Thinking, Systems Practice. Wiley, 1999. Pgs. App. A22-3.

- 12-