What is the NGO SRM ROI Calculator?
The NGO SRM ROI Calculator enables organizations to:
- Quantify Security Risk: Calculate Expected Annual Loss (EAL) from historical incident data
- Evaluate Investments: Assess the financial return of security risk management programs
- Support Decision-Making: Provide evidence-based justification for security budgets
- Enhance Transparency: Document assumptions and methodologies for auditability
Key Features
Standards-Based Methodology
Built on ISO 31000 risk management principles with Expected Annual Loss (EAL) quantification consistent with FAIR, NIST, and other enterprise risk frameworks.
Comprehensive Risk Assessment
Supports multiple incident types including physical security, cybersecurity, health emergencies, and operational disruptions.
Qualitative Valuation
Delivers the Qualitative Impact Assessment workflow with checklist-based scoring and short evidence notes.
Multi-Year Analysis
Calculates Net Present Value (NPV) and Return on Investment (ROI) over configurable time horizons (1-10 years).
Target Audience
This documentation serves multiple stakeholders:
- NGO Security Managers: Primary users implementing security risk management programs
- Finance Staff: Supporting budget justification and donor reporting
- Field Operations Coordinators: Providing incident data and operational context
- Auditors and Evaluators: Validating calculation methodologies and assumptions
- Donors and Funders: Understanding the business case for security investments
Standards Compliance
The calculator methodology is grounded in established frameworks:
ISO 31000:2018
International standard for risk management principles and processes
Risk Quantification (EAL)
Expected Annual Loss formula widely used across FAIR, NIST RMF, and ISO-aligned risk practices
Financial Standards
Standard NPV, ROI, and payback period methodologies
Prerequisites
Before you begin, ensure you have:
- Historical incident data (≥12 months of security incident records)
- Cost data (security-related budgets and procurement records)
- Multi-stakeholder team (security, finance, operations representatives)
- 2-3 hours for data preparation and analysis
Step 1: Understand Key Concepts
The calculator uses four main metrics:
Expected Annual Loss (EAL)
Average annual financial impact of security incidents without intervention
Net Present Value (NPV)
Present value of multi-year security investment costs
Return on Investment (ROI)
Financial return as percentage of investment cost
Payback Period
Time required for benefits to recover costs (may be N/A)
Step 2: Gather Your Data
Incident Data
Collect historical security incidents with:
- Incident Type: Specific category (e.g., “Vehicle Theft”, “Data Breach”)
- ARO (Annualized Rate of Occurrence): Expected number of times per year (≥ 0; values above 1 indicate multiple occurrences annually)
- SLE (Single Loss Expectancy): Cost per incident in USD
- Notes: Context and data sources
ARO Calculation:
Number of incidents ÷ Number of years observed
Example: 3 vehicle thefts over 10 years = ARO of 0.30
Cost Data
Identify security-related costs by period:
- Year 1: Initial investment (training, equipment, assessments)
- Year 2-3: Ongoing costs (personnel, maintenance, renewals)
- CAPEX vs OPEX: Capital expenditures vs. operating expenses
Assumptions
Define key parameters:
- Discount Rate: Fixed at 0% in the calculator to maintain transparency; note any alternate rates separately if stakeholders request them.
- Time Horizon: 3-5 years (match asset lifespan or planning cycle)
- Qualitative Settings: Default weights (0.25 each), regression checkboxes, and improvement checklists; adjust weights only when priorities shift and record the rationale
Step 3: Use Data Templates
Download and populate the CSV templates:
Incidents Template
Required fields: incidentType, aro, sle, notes, source
Costs Template
Required fields: category, amount, period, capexOpex
Step 4: Import and Validate
- Upload CSV files to the calculator
- Address validation errors (common issues below)
- Enter assumptions manually
- Run calculation
Common Validation Errors
- ARO must be between 0 and 1: Convert percentages to decimals (30% → 0.30)
- Period exceeds time horizon: Ensure cost periods ≤ time horizon years
- Category is required: Provide descriptive names for all cost items
- Weights must sum to 1: Adjust qualitative weights to total 1.0
- Checklist incomplete: Either tick the regression box (score 0) or select improvement statements so the calculator can assign a score
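The import checks and the EAL figure they feed, as an added Python example (not the calculator's own code). The sample rows are constructed, `period` is assumed to be an integer year number, and `max_aro` is a hypothetical parameter: its default follows the validation rule above, while `max_aro=None` accepts the multiple-occurrence values the ARO field definition allows.

```python
import csv
import io

# Constructed sample rows; column names are the template fields on this page.
INCIDENTS = """incidentType,aro,sle,notes,source
Vehicle Theft,0.30,25000,3 thefts over 10 years,fleet log
Data Breach,0.5,40000,1 breach in 2 years,IT register
Office Break-in,30,8000,percentage typed instead of decimal,guard report
"""
COSTS = """category,amount,period,capexOpex
Security training,20000,1,OPEX
Vehicle trackers,15000,1,CAPEX
,5000,2,OPEX
Guard contract,30000,4,OPEX
"""

def check_incidents(text, max_aro=1.0):
    """Return (rows, errors); max_aro=None accepts several events per year."""
    rows, errors = [], []
    for n, r in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        aro, sle = float(r["aro"]), float(r["sle"])
        if aro < 0 or (max_aro is not None and aro > max_aro):
            errors.append(f"line {n}: ARO must be between 0 and 1")
        else:
            rows.append((r["incidentType"], aro, sle))
    return rows, errors

def check_costs(text, horizon):
    """Return (rows, errors); period is assumed to be an integer year."""
    rows, errors = [], []
    for n, r in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        if not r["category"].strip():
            errors.append(f"line {n}: Category is required")
        elif int(r["period"]) > horizon:
            errors.append(f"line {n}: Period exceeds time horizon")
        else:
            rows.append((r["category"], float(r["amount"]), int(r["period"])))
    return rows, errors

def eal(rows):
    """Expected Annual Loss: sum of ARO x SLE over all incident types."""
    return sum(aro * sle for _, aro, sle in rows)

def cost_total(rows):
    """With the discount rate fixed at 0%, NPV of costs is the plain sum."""
    return sum(amount for _, amount, _ in rows)
```

On the sample rows, accepting the mistyped ARO of 30 would raise EAL from 27,500 to 267,500, which is why the percentage check matters before any ROI figure is read.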
Complete the Qualitative Checklists
- Open each dimension (Access, Continuity, Acceptance, Wellbeing) in the Qualitative step.
- Regression first: Tick the regression checkbox only when the situation deteriorated; it sets the score to 0 and disables the checklist.
- Then tick improvements: Select every statement that happened in the past 12 months. Zero statements keeps the score at 1; each additional statement adds +1 up to 5.
- Add a short note citing the log, observation, or data source that backs the selection.
- Keep default weights (0.25 each) unless stakeholders explicitly agree to prioritise one dimension.
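The checklist scoring rules above, as an added Python example (not the calculator's own code). The answers and statement labels are constructed placeholders, and combining the four dimension scores into one index as a weighted sum is an assumption; the page states the weights and the 0 to 5 scale but not the formula.

```python
import math

DIMENSIONS = ("Access", "Continuity", "Acceptance", "Wellbeing")
DEFAULT_WEIGHTS = {d: 0.25 for d in DIMENSIONS}

def dimension_score(regression, improvements):
    """Score one dimension from its regression box and ticked statements."""
    if regression:
        return 0  # regression sets the score to 0 and disables the checklist
    return min(1 + len(improvements), 5)  # 1 with none ticked, +1 each, cap 5

def qualitative_index(answers, weights=DEFAULT_WEIGHTS):
    """Return (index, per-dimension scores, dimensions lacking a note).

    Assumption: the index is the weighted sum of the dimension scores.
    """
    total = sum(weights.values())
    if set(weights) != set(DIMENSIONS) or not math.isclose(total, 1.0):
        raise ValueError("Weights must sum to 1")
    scores = {
        d: dimension_score(answers[d]["regression"], answers[d]["improvements"])
        for d in DIMENSIONS
    }
    missing = [d for d in DIMENSIONS if not answers[d].get("note", "").strip()]
    index = sum(weights[d] * scores[d] for d in DIMENSIONS)
    return round(index, 2), scores, missing

# Constructed answers; "s1".."s4" stand in for checklist statements.
SAMPLE = {
    "Access": {"regression": False, "improvements": ["s1", "s2", "s3", "s4"],
               "note": "movement log, Q3"},
    "Continuity": {"regression": False, "improvements": ["s1", "s2"],
                   "note": "programme suspension register"},
    "Acceptance": {"regression": True, "improvements": ["s1"],
                   "note": "community feedback minutes"},
    "Wellbeing": {"regression": False, "improvements": ["s1", "s2", "s3"],
                  "note": ""},
}
```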
Step 5: Interpret Results
Understanding Your ROI
1. Review EAL
Your Expected Annual Loss shows the baseline risk without intervention. Higher EAL indicates greater potential for risk reduction.
2. Check NPV
Net Present Value of costs accounts for the time value of money. This is your total investment in present-day terms.
3. Analyze ROI
Positive ROI means benefits exceed costs. 100% ROI = benefits are 2× costs; 500% ROI = benefits are 6× costs.
4. Consider Payback
Payback period may be N/A if annual benefits don’t recover costs within the time horizon. This is normal for qualitative-heavy scenarios.
Example Results Interpretation
Sample Results
The results view begins with a narrative summary of qualitative impact and quantitative ROI. Expand the detail accordions for metric tables and qualitative notes.
EAL: 166,000 (present value of 3-year investment)
QII: 3.00 / 5.0
Financial ROI: −11.0% (discounted EAL benefits vs. costs)
Payback: N/A (financial benefits alone do not recover costs inside 3 years)
Interpretation: Quantified risk reduction alone does not recover the investment within three years. However, the Qualitative Impact Index shows strong improvements in access, continuity, acceptance, and wellbeing. Organisations should capture short evidence notes so improvements remain transparent even when quantitative ROI is negative.
Next Steps
Export Your Report
Generate PDF or Excel reports for stakeholder presentations and donor reporting.
Refine Your Analysis
Adjust assumptions (discount rate, time horizon, qualitative weights) and test sensitivity to key parameters.
Plan Implementation
Use results to justify security budgets and plan multi-year security programs.
Share with Team
Present findings to executive team and integrate into strategic planning.
Common Questions
Why is my ROI so high?
High ROI typically indicates substantial benefits (risk reduction + qualitative improvements) relative to costs. Verify that incident costs include both direct and indirect elements, and that qualitative scores and weights match the evidence discussed.
What if I don't have 12 months of data?
Use industry benchmarks (GISF, INSO regional data) or expert judgment to estimate ARO/SLE for anticipated incidents. Document your assumptions clearly in the notes field.
Should I include insurance costs?
Yes, include insurance premiums (e.g., K&R insurance) as OPEX costs in the relevant periods. This represents the cost of risk transfer.
Why does the tool use a 0% discount rate?
The calculator fixes discounting at 0% to avoid devaluing future humanitarian outcomes. If stakeholders insist on an alternate rate, rerun the analysis externally and compare against the 0% baseline.
Getting Help
Technical Support
Contact our technical team for implementation assistance
Community Forum
Join the GISF community for peer support and best practices
Need More Help?
Methods Note
Detailed calculation formulas and methodology
Data Schema
Complete field definitions and validation rules
Pilot Pack
Comprehensive facilitation guidance
Ready for detailed guidance? Continue to the Methods Note for complete methodological documentation, or explore the Data Schema for detailed field specifications.