# Business Case Template

> *"The board does not buy security. The board buys risk reduction, regulatory survival, and competitive advantage. Price it accordingly."*

This template provides a reusable structure for building financial justification for antifragile engagements. It is designed to be adapted per client, per vertical, and per regulatory context. The output should be a 4-6 page document that a CFO can evaluate in 15 minutes.

---

## Document Structure

### Page 1: Executive Summary

**Subtitle**: *Investment Proposal: Antifragile Enterprise Program*

| Element | Content |
|---------|---------|
| **Investment ask** | €[X] over 180 days, phase-gated with go/no-go decisions at days 30, 60, 90 |
| **Primary return** | Reduction of existential cyber risk; regulatory compliance evidence; competitive differentiation through AI sovereignty |
| **Break-even** | Day 90 (via avoided regulatory fine exposure, reduced insurance premiums, or operational resilience) |
| **Risk of inaction** | Quantified below; summary: [X]% probability of material incident within 24 months at estimated cost of €[Y] |

### Page 2: Cost of Inaction

**Frame**: The most expensive decision is the one not to act.

#### Direct Costs (Quantifiable)

| Risk Category | Probability (Client-Specific) | Average Industry Cost | Expected Value |
|--------------|------------------------------|----------------------|----------------|
| Ransomware incident (recovery + downtime) | [X]% | €4.5M | €[X * 4.5M] |
| Regulatory fine (DORA / NIS2 / national) | [X]% | 1-2% global turnover | €[X * % GT] |
| Data breach notification and remediation | [X]% | €3.8M (per IBM Cost of Data Breach Report) | €[X * 3.8M] |
| Cloud AI vendor price increase / lock-in | [X]% | 200-500% price shock | €[X * shock] |
| Competitive intelligence loss (cloud AI training) | [X]% | Unquantifiable but existential | High |

**Calculation**:

```
Expected Loss = Σ (Probability_i × Cost_i)
```

Present this as: *"Without intervention, the organization faces an expected loss of €[X] over 24 months. The proposed program costs €[Y], representing a [Z]:1 return on risk reduction."*

#### Indirect Costs (Narrative)

- **Reputational damage**: Customer churn, difficulty acquiring new business, talent attrition
- **Operational paralysis**: During an incident, leadership attention is diverted from growth to survival
- **Insurance premium increases**: Cyber insurers are tightening terms; resilience demonstrably reduces premiums
- **Regulatory scrutiny**: A single incident triggers multi-year regulatory attention and reporting obligations

---

### Page 3: Investment Structure

**Frame**: We spend your money as if it were our own. Configuration first. Purchase only if justified.

#### Phase-Gated Budget

| Phase | Timeline | Primary Activity | Estimated Cost | Go/No-Go Gate |
|-------|----------|-----------------|----------------|---------------|
| **1. Hygiene** | Days 0-30 | Configuration of existing tools; identity cleanse; visibility | €[X] (primarily labor) | Day 30: Demonstrate risk reduction or stop |
| **2. Control** | Days 30-60 | ASR, MFA enforcement, network segmentation, vendor lockdown | €[X] (labor + minimal tooling) | Day 60: Validate control effectiveness |
| **3. Sovereignty** | Days 60-90 | Local AI pilot; recovery drills; T0 asset protection | €[X] (labor + local inference hardware if needed) | Day 90: Prove local AI viability |
| **4. Antifragility** | Days 90-180 | Chaos engineering; red team; continuous improvement | €[X] (labor + external testing) | Day 180: Maturity assessment and next-phase planning |
| **Total** | 180 days | | **€[X]** | |

#### Cost Categories

| Category | Typical % of Budget | Description |
|----------|--------------------|-------------|
| Consulting / Labor | 60-70% | Configuration, process design, training, documentation |
| Existing Tool Activation | 0% | Included in current licensing; no new purchase |
| Local AI Infrastructure | 10-20% | Hardware or sovereign cloud for inference (only if pilot justifies) |
| External Testing | 10-15% | Red team, penetration testing, regulatory validation |
| Training / Change Management | 5-10% | Security awareness, champion programs, board briefings |

#### Compare to Alternatives

| Alternative Approach | Cost | Timeline | Risk |
|---------------------|------|----------|------|
| **Do nothing** | €0 | — | Expected loss €[X] over 24 months |
| **Traditional security audit** | €[X] | 90 days | Produces report; no structural change |
| **Full E5 licensing upgrade** | €[X]/user/year | 30 days | Solves some gaps; does not address architecture or AI sovereignty |
| **Managed security service (MSSP)** | €[X]/month | Ongoing | Outsources detection; does not reduce structural fragility |
| **Antifragile program (this proposal)** | €[X] | 180 days | Structural change, regulatory evidence, AI sovereignty, measurable resilience |

---

### Page 4: Return on Investment

**Frame**: The return is not revenue. It is **avoided cost + preserved optionality + regulatory license to operate**.

#### Quantifiable Returns

| Return Category | Calculation | 12-Month Value | 24-Month Value |
|----------------|-------------|---------------|----------------|
| Avoided ransomware recovery | Probability reduction × €4.5M | €[X] | €[Y] |
| Avoided regulatory fine | Probability reduction × % GT | €[X] | €[Y] |
| Insurance premium reduction | 10-20% reduction on cyber premium | €[X] | €[Y] |
| Cloud AI cost stabilization | Shift from variable API costs to fixed infra | €[X] | €[Y] |
| Reduced incident response cost | Faster detection and containment | €[X] | €[Y] |
| **Total Quantifiable Return** | | **€[X]** | **€[Y]** |

#### Strategic Returns (Narrative)

| Return Category | Description |
|----------------|-------------|
| **Competitive moat** | Proprietary data improves only your models; competitors cannot replicate your operational intelligence |
| **Regulatory agility** | Demonstrable resilience accelerates regulatory approvals, market entries, and partnership discussions |
| **Talent retention** | Engineers and security professionals prefer organizations that invest in durability over firefighting |
| **M&A readiness** | Clean identity architecture, tested recovery, and documented controls increase valuation and reduce due-diligence friction |
| **Vendor negotiation leverage** | Documented exit architectures improve negotiating position with all major suppliers |

#### ROI Summary

```
ROI = (Total Return - Total Investment) / Total Investment × 100%
```

Present as: *"This program delivers a [X]% return in year one, rising to [Y]% in year two, with strategic optionality that compounds beyond quantification."*

---

### Page 5: Risk and Sensitivity Analysis

**Frame**: We are honest about what could go wrong. That honesty is why you should trust us.

#### Program Risks

| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|-----------|
| Operational disruption during hygiene phase | Medium | Medium | Changes executed in maintenance windows; rollback procedures documented; "get out of jail free" executive authorization |
| Client team capacity constraints | High | Medium | Weekly sprints with clear priorities; we do the heavy lifting; client provides decisions, not labor |
| Scope creep | Medium | High | Ruthless phase gating; kill chain prioritization; deferred items tracked for future phases |
| Tool activation reveals deeper problems | High | Low | This is the point. Early discovery is cheaper than late discovery. |
| Executive sponsor departure | Low | High | Board-level endorsement; documented in steering committee minutes; knowledge transfer at each phase |

#### Sensitivity Analysis

| Scenario | Investment Adjustment | Outcome |
|----------|----------------------|---------|
| **Best case** | No additional tooling needed | Program completes under budget; all value from configuration |
| **Base case** | Local AI hardware required for pilot | Slight budget increase; sovereign intelligence proven |
| **Worst case** | Deeper technical debt than anticipated | Extend Phase 1 by 30 days; additional labor cost; still cheaper than incident |

---

### Page 6: Recommendation and Next Steps

**The Ask (Full Program)**:

> *"We recommend approval of a 180-day antifragile enterprise program, structured in four 30-60-90-180 day phases with hard go/no-go gates. The initial 30-day investment is €[X] with a defined deliverable: identification and initial closure of the organizational kill chain. If measurable risk reduction is not demonstrated by Day 30, the program stops with no further obligation."*

**The Ask (Modular Alternative)**:

> *"Alternatively, we can start with a single, fixed-scope module chosen based on your highest-priority pain. Each module is 30-60 days, fixed price, with defined deliverables and a hard stop. If the value is proven, we proceed to the next module. If not, you have still received a complete, bounded solution. See [Modular Engagements](../core/modular-engagements.md) for the module menu."*

**Immediate Next Steps**:

| Step | Owner | Timeline |
|------|-------|----------|
| Executive sponsor designation | CEO / Board | Week 0 |
| Steering committee scheduling | COO / Chief of Staff | Week 0 |
| Data room access (AD, cloud IAM, network diagrams) | CISO / IT Director | Week 0 |
| SOW execution and kickoff | Procurement / Consultant | Week 1 |
| Week 1 stakeholder interviews | Consultant | Week 1 |
| Day 30 steering committee and go/no-go | Executive Sponsor | Day 30 |

---

## Vertical-Specific Financial Adjustments

### Banking

- **Regulatory fine exposure**: DORA fines up to 2% of global turnover; use client's actual global turnover
- **SWIFT CSP non-compliance**: Potential disconnection from SWIFT network; catastrophic for international payments
- **PSD2 SCA failure**: Transaction rejection rates, customer abandonment, regulator attention
- **Insurance context**: Many banks are self-insured for cyber; frame as direct balance-sheet protection

### Telco / Power (Critical Infrastructure)

- **NIS2 penalties**: Up to €10M or 2% of global turnover (whichever is higher)
- **Operational downtime**: Power outages measured in €/minute; telco downtime in subscriber churn
- **National security implications**: Some incidents trigger government intervention or nationalization risk
- **Supply chain**: Single vendor failure can disable critical infrastructure; optionality has direct monetary value

### Generic Enterprise

- **Ransomware**: Primary quantifiable risk; use industry averages if client-specific data unavailable
- **Business interruption**: Use revenue/day × estimated downtime
- **Reputation**: Use customer acquisition cost × estimated churn from breach notification

---

## The CFO Conversation: Key Metrics

When presenting to the CFO, lead with these metrics and no others:

1. **Expected loss without intervention** (24 months): €[X]
2. **Program cost**: €[Y]
3. **Risk reduction ROI**: [Z]%
4. **Cash payback period**: [X] days
5. **Probability of material incident**: [before]% → [after]%

Everything else is supporting detail.

---

## Template Appendix: Client-Specific Worksheets

### Worksheet 1: Revenue at Risk

```
Annual revenue:                          €_________
Revenue per day:                         €_________ (annual / 365)
Critical system downtime tolerance:      _________ days
Revenue at risk from downtime:           €_________ (revenue/day × tolerance)
```

### Worksheet 2: Regulatory Fine Exposure

```
Global turnover (if applicable):         €_________
Applicable regulation:                   [DORA / NIS2 / National / None]
Maximum fine %:                          _________%
Maximum fine €:                          €_________
Probability of fine (current):           _________%
Expected fine exposure:                  €_________
```

### Worksheet 3: Cloud AI Cost Trajectory

```
Current monthly cloud AI spend:          €_________
Projected 24-month spend:                €_________
Local AI infrastructure cost:            €_________
Break-even month:                        _________
24-month savings:                        €_________
Data leakage risk (narrative):           [Eliminated / Reduced / Unchanged]
```

---

*For the board conversation guide, see [C-Suite Conversation Guide](../core/c-suite-conversation-guide.md).*

*For the one-page executive summary, see [Executive Summary](../core/executive-summary.md).*
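The following worked calculation is an added example, not part of the original template: it carries the Page 2 expected-loss sum, the Page 4 ROI formula and the Worksheet 3 break-even through on constructed placeholder figures. The before/after probabilities, the monthly growth rate of API spend and the €500M turnover are assumptions chosen for illustration only.

```python
"""Worked business-case calculation (added example; all figures are constructed)."""
from dataclasses import dataclass


@dataclass
class RiskLine:
    name: str
    p_before: float  # probability of the event within 24 months, today (assumed)
    p_after: float   # probability after the program (assumed)
    cost: float      # average cost of one occurrence, EUR


def expected_loss(lines, after=False):
    """Expected Loss = sum(Probability_i x Cost_i) for the chosen state."""
    return sum((r.p_after if after else r.p_before) * r.cost for r in lines)


def roi_percent(total_return, investment):
    """ROI = (Total Return - Total Investment) / Total Investment x 100%."""
    if investment <= 0:
        raise ValueError("investment must be positive")
    return (total_return - investment) / investment * 100


def cloud_ai_break_even(monthly_api_spend, monthly_growth, infra_cost, horizon=24):
    """Worksheet 3: first month in which cumulative variable API spend reaches the
    fixed local-inference outlay. Returns (month or None, savings over the horizon);
    a negative savings figure means local AI does not pay back within the horizon."""
    cumulative, spend, month = 0.0, monthly_api_spend, None
    for m in range(1, horizon + 1):
        cumulative += spend
        if month is None and cumulative >= infra_cost:
            month = m
        spend *= 1 + monthly_growth  # assumed compounding of API pricing/usage
    return month, cumulative - infra_cost


# Constructed placeholders for a mid-size enterprise with EUR 500M global turnover.
RISKS = [
    RiskLine("Ransomware incident", 0.30, 0.10, 4_500_000),
    RiskLine("Regulatory fine (2% of turnover)", 0.15, 0.05, 10_000_000),
    RiskLine("Data breach remediation", 0.20, 0.08, 3_800_000),
]
PROGRAM_COST = 900_000  # constructed placeholder for the 180-day program

if __name__ == "__main__":
    before, after = expected_loss(RISKS), expected_loss(RISKS, after=True)
    print(f"Expected loss (24 months): before EUR {before:,.0f}, after EUR {after:,.0f}")
    print(f"Risk-reduction ROI: {roi_percent(before - after, PROGRAM_COST):.0f}%")
    month, savings = cloud_ai_break_even(40_000, 0.05, 600_000)
    print(f"Cloud AI break-even month: {month}, 24-month savings EUR {savings:,.0f}")
```

The ROI line is the "[Z]%" figure from the CFO metrics list; the break-even month feeds Worksheet 3 directly.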