Management-ese: An Introductory Course

Mark Carey, CPA, CISA, President
866.335.2736 x8431
[email protected]
www.delcreo.com

What Does Senior Management Care About?

• Shareholders (or controlling stakeholders)
• Themselves! (Stay out of jail, protect reputation, increase pay, get promoted, etc.)
• Customers
• Employees

Definitions

• Shareholder Value
• Earnings per Share
• Cash Flow
• Stakeholder Value
• WACC
• CAPM

Shareholder Value

Definition: Present Value of future cash flows of the business discounted at its weighted average cost of capital, less the value of its debt.

Issues: Very difficult (in practice, impossible) to manage directly. You must break it down into its individual components, then manage and measure each of them.

Earnings Per Share

Definition: Net income (total revenues, from sales and other income, less all expenses, interest and tax) divided by the weighted average number of shares outstanding.

Issues: Because it depends on accounting rules and judgements (revenue recognition, depreciation, reserves), EPS is highly subjective, and it does not correlate well with value-creation measures.

Cash Flow

Definition: Incoming cash from operations, investments and financing activities, minus outgoing cash from operations, investments and financing activities over a period of time.

Note: Cash Flow is fact based, EPS is opinion based

Weighted Average Cost of Capital (WACC)

• The opportunity cost to all the capital providers, weighted by their relative contributions to the company's total capital

• Equivalently, the rate of return each provider of capital could earn on other investments of similar risk

Capital Asset Pricing Model (CAPM)

• Definition: A Model/Theory that argues that the returns both received and expected by investors are related to the risk incurred by owning particular financial assets. In general, the higher the risk, the greater the return should be.

[Figure: Risk/Return chart. Axes: Return (vertical) against Risk (horizontal), showing the efficient frontier and the hurdle rate.]

Risk

• Non-systemic (also called unsystematic, unique or diversifiable) risk
– Caused by company-specific events such as lawsuits, unsuccessful marketing programs, losing major customers, factory shutdowns, fraud, security breaches, etc.
– In portfolio theory, investors do not care about non-systemic risk, because it can be diversified away

• Systemic (market, or systematic) risk
– Comes from external events that affect all firms, such as recession, war, rising interest rates, inflation, etc.
– Cannot be diversified away

• SO WHAT:
– Finance majors are trained that shareholders do not care about non-systemic risk!
– However, individual shareholders, the executive team, regulators, etc. DO care about non-systemic risk

Examples: Enron, WorldCom, HealthSouth, Tyco

If shareholders do not care about risk, how do we justify information security programs?

Defining your customers

• Who are your customers?
– Senior management, business managers, Board of Directors, line personnel, end customers, government regulators

• What is their problem (pain)?
– Past interruptions, SLAs with customers, single points of failure, loss of data, vital records, etc.

• How do you solve that problem?

• Can you describe how your program solves that problem in 30 seconds or less?

Shareholder Value Drivers

• Increase cash inflow
• Decrease cash outflow
• Improve efficient use of capital

• Question: How will your information security initiative impact cash flow or improve efficient use of capital?
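As an added worked example (not from the presentation), the arithmetic behind the definitions above, applied to the question just asked: cost of equity from the standard CAPM formula, WACC as each capital provider's required return weighted by its share of total capital, shareholder value as the present value of future cash flows discounted at WACC less debt, and a security initiative treated the same way, as an outflow today against a stream of avoided expected breach losses. All figures (rates, beta, capital structure, the five-year horizon, the terminal growth rate and the program costs) are constructed assumptions in $M, not data from the slides.

```python
"""Cash-flow arithmetic behind the slides' definitions. Added example; every
figure below is a constructed assumption, not data from the presentation."""
from typing import Optional, Sequence


def capm_cost_of_equity(risk_free: float, beta: float, market_return: float) -> float:
    """Standard CAPM: required equity return = rf + beta * (market premium).
    Beta measures market (systemic) risk, the part investors cannot diversify away."""
    return risk_free + beta * (market_return - risk_free)


def wacc(equity: float, debt: float, cost_of_equity: float,
         pre_tax_cost_of_debt: float, tax_rate: float) -> float:
    """Each capital provider's opportunity cost weighted by its share of total
    capital. Interest is tax-deductible, so debt is weighted after tax."""
    total = equity + debt
    return (equity / total) * cost_of_equity \
        + (debt / total) * pre_tax_cost_of_debt * (1.0 - tax_rate)


def present_value(cash_flows: Sequence[float], rate: float) -> float:
    """Discount end-of-year cash flows (year 1, 2, ...) at `rate`."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows, start=1))


def shareholder_value(cash_flows: Sequence[float], rate: float, debt: float,
                      terminal_growth: Optional[float] = None) -> float:
    """The slides' definition: PV of future cash flows discounted at WACC,
    less debt. With `terminal_growth`, cash flows beyond the explicit horizon
    are valued as a perpetuity growing at that rate (Gordon growth formula)."""
    value = present_value(cash_flows, rate)
    if terminal_growth is not None:
        n = len(cash_flows)
        terminal = cash_flows[-1] * (1.0 + terminal_growth) / (rate - terminal_growth)
        value += terminal / (1.0 + rate) ** n
    return value - debt


def security_program_npv(upfront_cost: float, annual_run_cost: float,
                         annual_loss_avoided: float, years: int, rate: float) -> float:
    """A security initiative in cash-flow terms: an outflow today, then a
    stream of reduced expected outflows (avoided breach losses) net of run
    cost, discounted at WACC. Positive NPV means it adds shareholder value."""
    net_annual = annual_loss_avoided - annual_run_cost
    return -upfront_cost + present_value([net_annual] * years, rate)


def worked_example() -> dict:
    """Constructed figures in $M (assumptions, not data from the slides)."""
    r_e = capm_cost_of_equity(risk_free=0.04, beta=1.0, market_return=0.09)  # 9%
    r = wacc(equity=500.0, debt=500.0, cost_of_equity=r_e,
             pre_tax_cost_of_debt=0.06, tax_rate=0.25)                       # 6.75%
    # Expected free cash flow for the next five years, already net of the
    # expected cost of breaches at the current level of control.
    baseline = [80.0, 84.0, 88.0, 92.0, 96.0]
    without = shareholder_value(baseline, r, debt=500.0, terminal_growth=0.02)
    # Hypothetical program: $20M to build, $5M/yr to run, cuts expected
    # breach losses by $12M/yr over the same five years.
    npv = security_program_npv(upfront_cost=20.0, annual_run_cost=5.0,
                               annual_loss_avoided=12.0, years=5, rate=r)
    return {"wacc": r, "value_without_program": without,
            "program_npv": npv, "value_with_program": without + npv}


if __name__ == "__main__":
    for name, amount in worked_example().items():
        print(f"{name:>22}: {amount:,.4f}")
```

The point of the exercise is the framing: the program competes for capital at WACC like any other investment, so "avoided loss" has to be an expected annual cash figure the CFO can argue with, and the run cost counts against it every year. Change the assumed avoided loss or the horizon and the NPV can turn negative, which is exactly the conversation the slides are preparing you for.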

Value Drivers

[Figure: value driver tree for Shareholder Value. Level 1: Growth; Efficiency/Effectiveness; Capital; Other Assets; Market Variables. Level 2: Business Scope Expansion; Organizational Effectiveness; Operational Efficiency; Capital and Structure; Allocation of Capital; Creation of Future Options; Political-Legal; Social-Cultural; Economic; Technological.]

Sarbanes-Oxley

• Section 302: Executive Certification by the CEO and CFO as to the accuracy of financial statements

• Section 404: Management must state, in the annual report, its responsibility to establish and maintain adequate internal controls over financial reporting, together with its conclusion on the effectiveness of those controls at year-end

• Section 409: Real Time Disclosure – Public disclosure of material changes in the financial condition or operations

BOD Roles and Responsibilities

• Management selection, evaluation and compensation
• Approval of major strategies and financial objectives
• Advising management
• Selection of Board candidates
• Reporting, risk management, controls and compliance:
– an effective system of controls
– managing the major risks faced by the corporation
– reporting accurately the corporation's financial condition and results of operations
– adhering to key internal policies and authorizations
– complying with significant laws and regulations

Source: Statement on Corporate Governance, The Business Roundtable, 1997

Why Security

• To protect future cash flows
• To keep you out of jail/civil court
• To satisfy regulatory requirements
• To satisfy customers/increase sales

Questions?