antifragile/antifragile-consulting/playbooks/business-case-template.md
Claude Sonnet 4.6 6162bb474f fix: Replace cloud AI cost rows in business case direct costs table
Remove 'Cloud AI vendor price shock' (not a security risk; unverifiable
number) and 'Competitive intelligence loss from AI training' (inaccurate
claim that contradicts corrections made throughout the framework).

Replace with:
- Incident response and forensics (EUR 150-500K, real range)
- Business interruption during recovery (client-specific daily revenue)

All five rows now map directly to risks the programme addresses and
are quantifiable in a CFO conversation.

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
2026-06-05 09:59:12 +00:00

# Business Case Template
> *"The board does not buy security. The board buys risk reduction, regulatory survival, and competitive advantage. Price it accordingly."*
This template provides a reusable structure for building financial justification for antifragile engagements. It is designed to be adapted per client, per vertical, and per regulatory context. The output should be a 4-6 page document that a CFO can evaluate in 15 minutes.
---
## Document Structure
### Page 1: Executive Summary
**Subtitle**: *Investment Proposal: Antifragile Enterprise Program*
| Element | Content |
|---------|---------|
| **Investment ask** | €[X] over 180 days, phase-gated with go/no-go decisions at days 60, 120, 180 |
| **Primary return** | Reduction of existential cyber risk; regulatory compliance evidence; operational resilience demonstrable to auditors and insurers |
| **Break-even** | 12–18 months post-programme: insurance premium reductions take one renewal cycle; regulatory evidence value accumulates from day 1; incident avoidance value is probabilistic but compounding |
| **Risk of inaction** | Quantified below; summary: [X]% probability of material incident within 24 months at estimated cost of €[Y] |
### Page 2: Cost of Inaction
**Frame**: The most expensive decision is the one not to act.
#### Direct Costs (Quantifiable)
| Risk Category | Probability (Client-Specific) | Average Industry Cost | Expected Value |
|--------------|------------------------------|----------------------|----------------|
| Ransomware incident (recovery + downtime) | [X]% | €4.5M average (IBM 2024) | €[X * 4.5M] |
| Regulatory fine (DORA / NIS2 / national) | [X]% | Up to 2% global turnover (NIS2); up to 1% daily (DORA) | €[X * % GT] |
| Data breach notification and remediation | [X]% | €3.8M average (IBM Cost of Data Breach 2024) | €[X * 3.8M] |
| Incident response and forensics | [X]% | €150K–500K (external IR firm + legal + crisis comms, independent of breach cost) | €[X * 325K] |
| Business interruption during recovery | [X]% | €[daily revenue] × [estimated downtime days] — client-specific | €[X * daily] |
**Calculation**:
```
Expected Loss = Σ (Probability_i × Cost_i)
```
Present this as: *"Without intervention, the organization faces an expected loss of €[X] over 24 months. The proposed program costs €[Y], representing a [Z]:1 return on risk reduction."*
#### Indirect Costs (Narrative)
- **Reputational damage**: Customer churn, difficulty acquiring new business, talent attrition
- **Operational paralysis**: During an incident, leadership attention is diverted from growth to survival
- **Insurance premium increases**: Cyber insurers are tightening terms; resilience demonstrably reduces premiums
- **Regulatory scrutiny**: A single incident triggers multi-year regulatory attention and reporting obligations
---
### Page 3: Investment Structure
**Frame**: We spend your money as if it were our own. Configuration first. Purchase only if justified.
#### Phase-Gated Budget
| Phase | Timeline | Primary Activity | Estimated Cost | Go/No-Go Gate |
|-------|----------|-----------------|----------------|---------------|
| **1. Visibility** | Days 0–60 | Kill chain mapping; T0 identity hardening; ASTRAL/PULSAR deployment; T0 backup verified | €[X] (primarily labor) | Day 60: Kill chain documented and T0 hardening complete |
| **2. Control** | Days 60–120 | MFA for all users; CA baseline; attack surface reduction; vendor hardening | €[X] (labor + minimal tooling) | Day 120: MFA enforced 100%; P0/P1 vulnerabilities closed |
| **3. Signal** | Days 120–180 | Detection rules; alert runbooks; knowledge transfer; housekeeping stream operational | €[X] (labor) | Day 180: Client operates independently; housekeeping running |
| **4. Retained capability** | Ongoing | Quarterly retained scope; detection engineering; housekeeping; structural improvements | €[X]/quarter | Ongoing: measurable queue reduction; annual BloodHound/Elysium |
| **Total (180-day programme)** | 180 days | | **€[X]** | |
#### Cost Categories
| Category | Typical % of Budget | Description |
|----------|--------------------|-------------|
| Consulting / Labor | 60-70% | Configuration, process design, training, documentation |
| Existing Tool Activation | 0% | Included in current licensing; no new purchase |
| Local AI Infrastructure | 10-20% | Hardware or sovereign cloud for inference (only if pilot justifies) |
| External Testing | 10-15% | Red team, penetration testing, regulatory validation |
| Training / Change Management | 5-10% | Security awareness, champion programs, board briefings |
#### Compare to Alternatives
| Alternative Approach | Cost | Timeline | Risk |
|---------------------|------|----------|------|
| **Do nothing** | €0 | — | Expected loss €[X] over 24 months; growing regulatory exposure |
| **Traditional security audit** | €[X] | 90 days | Produces report; no structural change; findings age immediately |
| **Full E5 licensing upgrade** | €[X]/user/year | 30 days | Solves tooling gaps; does not address architecture, process, or accumulated technical debt |
| **Managed security service (MSSP)** | €[X]/month | Ongoing | Outsources detection; does not reduce structural fragility; dependency without capability transfer |
| **Antifragile programme (this proposal)** | €[X] | 180 days + retained | Structural change, regulatory evidence, measurable kill chain closure, client operational independence |
---
### Page 4: Return on Investment
**Frame**: The return is not revenue. It is **avoided cost + preserved optionality + regulatory license to operate**.
#### Quantifiable Returns
| Return Category | Calculation | 12-Month Value | 24-Month Value |
|----------------|-------------|---------------|----------------|
| Avoided ransomware recovery | Probability reduction × €4.5M | €[X] | €[Y] |
| Avoided regulatory fine | Probability reduction × % GT | €[X] | €[Y] |
| Insurance premium reduction | 10-20% reduction on cyber premium | €[X] | €[Y] |
| Audit preparation time reduction | ASTRAL Git trail replaces manual evidence gathering for ISO 27001, NIS2, DORA | €[X] | €[Y] |
| Reduced incident response cost | Faster detection and containment | €[X] | €[Y] |
| **Total Quantifiable Return** | | **€[X]** | **€[Y]** |
#### Strategic Returns (Narrative)
| Return Category | Description |
|----------------|-------------|
| **Regulatory agility** | Demonstrable continuous controls and resilience accelerate regulatory approvals, certification audits, market entries, and partnership due diligence |
| **Talent retention** | Engineers and security professionals prefer organizations that invest in durability over firefighting |
| **M&A readiness** | Clean identity architecture, tested recovery, and documented controls increase valuation and reduce due-diligence friction |
| **Vendor negotiation leverage** | Documented exit architectures improve negotiating position with all major suppliers |
#### ROI Summary
```
ROI = (Total Return - Total Investment) / Total Investment × 100%
```
Present as: *"This program delivers a [X]% return in year one, rising to [Y]% in year two, with strategic optionality that compounds beyond quantification."*
---
### Page 5: Risk and Sensitivity Analysis
**Frame**: We are honest about what could go wrong. That honesty is why you should trust us.
#### Program Risks
| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|-----------|
| Operational disruption during hygiene phase | Medium | Medium | Changes executed in maintenance windows; rollback procedures documented; "get out of jail free" executive authorization |
| Client team capacity constraints | High | Medium | Weekly sprints with clear priorities; we do the heavy lifting; client provides decisions, not labor |
| Scope creep | Medium | High | Ruthless phase gating; kill chain prioritization; deferred items tracked for future phases |
| Tool activation reveals deeper problems | High | Low | This is the point. Early discovery is cheaper than late discovery. |
| Executive sponsor departure | Low | High | Board-level endorsement; documented in steering committee minutes; knowledge transfer at each phase |
#### Sensitivity Analysis
| Scenario | Investment Adjustment | Outcome |
|----------|----------------------|---------|
| **Best case** | No additional tooling needed; client IT team engaged and responsive | Programme completes on timeline; all value from configuration; client operational independence achieved at day 180 |
| **Base case** | Minor tooling additions; moderate IT team availability; some change management friction | Programme completes with 2–4 week slippage on Phase 2 (MFA rollout change management is the usual bottleneck); strong kill chain closure and detection capability |
| **Challenging** | Significant technical debt discovered in Phase 1; IT team constrained; change windows infrequent | Phase 1 extended by 4–6 weeks; Phase 2 scope narrowed to kill chain critical path; programme value is still genuine — the findings alone are worth the investment; honest client conversation required at day 60 gate |
| **Abort condition** | Executive sponsor departure; IT team fully occupied by another major project; scope fundamentally different from discovery call | Programme paused or stopped at the next gate. Partial phases produce partial value — ASTRAL/PULSAR deployed, kill chain documented. Better to stop honestly than to produce a report that nobody acts on. |
---
### Page 6: Recommendation and Next Steps
**The Ask (Full Programme)**:
> *"We recommend approval of a 180-day antifragile enterprise programme with three hard milestones. By Day 30: your kill chain is documented, ASTRAL and PULSAR are live, and your most privileged accounts are hardened. By Day 90: MFA covers the entire organisation, your kill chain is closed, and you have detection capability on M365. By Day 180: your team operates the systems independently, housekeeping is running as a permanent stream, and everything we built is in your repository. That is the 180-day programme. What comes after is a retained scope — scoped separately, renewed quarterly."*
**The Ask (Modular Alternative)**:
> *"Alternatively, we can start with a single, fixed-scope module chosen based on your highest-priority pain. Each module is 30-60 days, fixed price, with defined deliverables and a hard stop. If the value is proven, we proceed to the next module. If not, you have still received a complete, bounded solution. See [Modular Engagements](../core/modular-engagements.md) for the module menu."*
**Immediate Next Steps**:
| Step | Owner | Timeline |
|------|-------|----------|
| Executive sponsor designation | CEO / Board | Week 0 |
| Steering committee scheduling | COO / Chief of Staff | Week 0 |
| Data room access (AD, cloud IAM, network diagrams) | CISO / IT Director | Week 0 |
| SOW execution and kickoff | Procurement / Consultant | Week 1 |
| Week 1 stakeholder interviews | Consultant | Week 1 |
| Day 30 steering committee and go/no-go | Executive Sponsor | Day 30 |
---
## Vertical-Specific Financial Adjustments
### Banking
- **Regulatory fine exposure**: DORA fines up to 2% of global turnover; use client's actual global turnover
- **SWIFT CSP non-compliance**: Potential disconnection from SWIFT network; catastrophic for international payments
- **PSD2 SCA failure**: Transaction rejection rates, customer abandonment, regulator attention
- **Insurance context**: Many banks are self-insured for cyber; frame as direct balance-sheet protection
### Telco / Power (Critical Infrastructure)
- **NIS2 penalties**: Up to €10M or 2% of global turnover (whichever is higher)
- **Operational downtime**: Power outages measured in €/minute; telco downtime in subscriber churn
- **National security implications**: Some incidents trigger government intervention or nationalization risk
- **Supply chain**: Single vendor failure can disable critical infrastructure; optionality has direct monetary value
### Generic Enterprise
- **Ransomware**: Primary quantifiable risk; use industry averages if client-specific data unavailable
- **Business interruption**: Use revenue/day × estimated downtime
- **Reputation**: Use customer acquisition cost × estimated churn from breach notification
---
## The CFO Conversation: Key Metrics
When presenting to the CFO, lead with these metrics and no others:
1. **Expected loss without intervention** (24 months): €[X]
2. **Program cost**: €[Y]
3. **Risk reduction ROI**: [Z]%
4. **Cash payback period**: [X] days
5. **Probability of material incident**: [before]% → [after]%
Everything else is supporting detail.
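The five metrics above follow mechanically from the direct-costs table, the Expected Loss and ROI formulas, and Worksheets 1 and 2. The calculator below is an added example, not part of the playbook: it wires those pieces together so the numbers in a draft can be regenerated when a single probability or cost assumption changes. Every client figure in it (turnover, revenue, probabilities, programme cost, the residual probabilities after the programme) is a constructed placeholder standing in for the template's €[X] / [Y] fields, and the incident-probability roll-up assumes independent rows.

```python
# Added example (not from the playbook): the direct-costs table, Expected Loss and
# ROI formulas and Worksheets 1-2 as a calculator emitting the five CFO metrics.
from dataclasses import dataclass
from math import prod

@dataclass
class Risk:
    name: str
    prob_before: float  # client-specific probability over the horizon
    prob_after: float   # residual probability after the programme (assumed)
    cost: float         # average cost in EUR, as in the direct-costs table

def revenue_at_risk(annual_revenue: float, downtime_days: float) -> float:
    """Worksheet 1: revenue/day × downtime tolerance."""
    return annual_revenue / 365 * downtime_days

def fine_exposure(global_turnover: float, max_fine_pct: float) -> float:
    """Worksheet 2: maximum fine = global turnover × maximum fine %."""
    return global_turnover * max_fine_pct / 100

def expected_loss(risks: list[Risk], after: bool = False) -> float:
    """Expected Loss = Σ (Probability_i × Cost_i) across the table rows."""
    return sum((r.prob_after if after else r.prob_before) * r.cost for r in risks)

def p_any_incident(risks: list[Risk], after: bool = False) -> float:
    """P(at least one material incident) = 1 - Π(1 - p_i). Assumes the rows
    are independent, which overstates the figure; use it as a sketch only."""
    return 1 - prod(1 - (r.prob_after if after else r.prob_before) for r in risks)

def cfo_metrics(risks: list[Risk], programme_cost: float, horizon_days: int = 720) -> dict:
    """Five CFO metrics; payback assumes avoided loss accrues evenly over horizon_days."""
    before, after = expected_loss(risks), expected_loss(risks, after=True)
    avoided = before - after  # Σ probability reduction × cost (quantifiable return)
    return {
        "expected_loss_before": before,
        "programme_cost": programme_cost,
        "roi_pct": (avoided - programme_cost) / programme_cost * 100,
        "payback_days": programme_cost / avoided * horizon_days,
        "p_incident_before": p_any_incident(risks),
        "p_incident_after": p_any_incident(risks, after=True),
    }

# Constructed client figures standing in for the template's €[X] / [Y] fields.
TURNOVER, REVENUE, PROGRAMME_COST = 500_000_000, 365_000_000, 600_000
SAMPLE_RISKS = [
    Risk("Ransomware incident", 0.15, 0.05, 4_500_000),
    Risk("Regulatory fine (NIS2, 2% of turnover)", 0.10, 0.03, fine_exposure(TURNOVER, 2)),
    Risk("Data breach notification and remediation", 0.20, 0.08, 3_800_000),
    Risk("Incident response and forensics", 0.20, 0.08, 325_000),
    Risk("Business interruption (5 days)", 0.15, 0.05, revenue_at_risk(REVENUE, 5)),
]
```

With the sample figures the expected 24-month loss is €3.25M against a €600K programme, a 257.5% risk-reduction ROI and a payback of roughly 201 days; swap in the client's own rows to populate the worksheets.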
---
## Template Appendix: Client-Specific Worksheets
### Worksheet 1: Revenue at Risk
```
Annual revenue: €_________
Revenue per day: €_________ (annual / 365)
Critical system downtime tolerance: _________ days
Revenue at risk from downtime: €_________ (revenue/day × tolerance)
```
### Worksheet 2: Regulatory Fine Exposure
```
Global turnover (if applicable): €_________
Applicable regulation: [DORA / NIS2 / National / None]
Maximum fine %: _________%
Maximum fine €: €_________
Probability of fine (current): _________%
Expected fine exposure: €_________
```
### Worksheet 3: Cloud AI Cost Trajectory
```
Current monthly cloud AI spend: €_________
Projected 24-month spend: €_________
Local AI infrastructure cost: €_________
Break-even month: _________
24-month savings: €_________
Data leakage risk (narrative): [Eliminated / Reduced / Unchanged]
```
---
*For the board conversation guide, see [C-Suite Conversation Guide](../core/c-suite-conversation-guide.md).*
*For the one-page executive summary, see [Executive Summary](../core/executive-summary.md).*