Following an 18-month freeze the board is considering increasing
the IT budget. It wants a list of priorities with cost and return
on investment. Top of the list should be infrastructure and
security, but these projects are expensive and the ROI is hard to
justify. How can I ensure we tackle these first?
Return on investment is a crude tool but it can be done
Gill Williams, partner, Ernst & Young
There has been much debate as to whether return on investment is an
effective vehicle for assessing and prioritising certain elements
of IT expenditure. Typically, ROI calculations consider change in
revenue and cost savings against the investment required.
As far as security is concerned, it is difficult to quantify all
these elements. Most organisations recognise that security is
essential; the question is how to decide how much security is
enough. This question can only be answered with input from IT and
the business.
IT infrastructure can account for a large proportion of IT spend
and is regarded as an IT-only issue. The result is that business
units often do not provide the information needed to support the
justification.
The bottom line is that IT justification is the joint
responsibility of business and IT. ROI itself may be difficult but
investment must be justified and measured. Treat this as an
opportunity to restart the process of engaging the business in
aligning business and IT.
Add risk analysis to return on investment calculations
Roger Marshall, Elite
If the board insists on ROI, that is what you should deliver.
Expenditure on IT security is just like spend on insurance: there
is no guarantee there will be any return in the short term, but it
would be irresponsible of the directors to avoid it for that
reason.
Your ROI calculation should be based on a risk analysis which
considers the likelihood of different security breaches taking
place and the cost of putting them right. Do not be tempted to
overdo the cost part of this, but at the same time do not restrict
yourself to the IT costs alone.
Loss of business while IT services are restored, loss of vital data
and loss of reputation, are all valid factors to be included. Your
problem may be the lack of hard evidence to back up such analysis,
perhaps with the help of consultants. If all else fails, ask the
auditors and take their advice on corporate governance. The board
is sure to listen then.
Split the difference and do some of each
Chris Edwards, Cranfield School of Management
At least the board has recognised that IT is providing some
business value by increasing the budget. You should accept that
some of the increased budget will be devoted to developing new
applications.
So how can you ring-fence some of the extra cash for security and
infrastructure? The problem in justifying this expenditure is how
you can evaluate such projects in terms of business value.
During the moratorium did you suffer any security breaches or was
the infrastructure causing operational problems? If so, project the
number of these you could reasonably expect in the next few years
and evaluate them based on the cost experienced the last time they
occurred.
You could look at outsourcing the IT infrastructure. This would
change the nature of security and infrastructure costs which become
mixed with the overall annual fee.
How to make the risk and return calculations
Anthony Harrison, NCC Group
IT governance arrangements should rank potential projects by the
extent to which they mitigate risks to the survival and growth of
the organisation. So although you might have concerns about
infrastructure and security, your marketing director might want to
establish e-commerce capability so that the organisation remains
competitive.
The ROI of security and infrastructure investment can be
calculated, but you need some detail about the likelihood of a risk
materialising and its potential cost.
Say, for example, that a £5,000 investment in security would allow
you to avoid a £500,000 profit loss following a denial of service
attack, and you think there is a 10% chance of such an attack
occurring in a one-year period, you could value the potential loss
at £50,000. The ROI in this scenario is 1,000%.
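The calculation in this answer, and the risk analysis Roger Marshall describes above (likelihood of each breach times the cost of putting it right, including lost business, lost data and lost reputation), can be carried through for several scenarios at once. The following Python is an added illustration, not part of the panel's text: it reproduces the £5,000 / £500,000 / 10% figures from the answer, then extends the same expected-loss method to a list of constructed scenarios and a set of candidate controls, each of which leaves a residual likelihood rather than removing the risk entirely. The second scenario, the backup control, the residual-probability fractions and the scenario names are all assumptions made for the example. The block reports both the gross ratio used in the answer (avoided expected loss divided by investment, which gives 1,000%) and a net form that subtracts the investment first.

```python
"""Expected-loss ROI for security controls.

Added worked example; figures other than the DoS case quoted in the
answer are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """A loss event: annual likelihood and the cost if it happens.

    `loss` should already include non-IT costs (lost business while
    service is restored, lost data, lost reputation), as the answer advises.
    """
    name: str
    annual_probability: float   # chance the event occurs in a one-year period
    loss: float                 # pounds lost if it does occur

    def expected_loss(self) -> float:
        # Expected (probability-weighted) annual loss for this scenario.
        return self.annual_probability * self.loss


@dataclass
class Control:
    """A security investment and how much of each scenario's risk it leaves.

    `residual` maps scenario name -> fraction of expected loss that remains
    after the control is in place (0.0 = fully avoided, 1.0 = no effect).
    Scenarios not listed are unaffected.
    """
    name: str
    cost: float
    residual: dict = field(default_factory=dict)


def total_expected_loss(scenarios) -> float:
    return sum(s.expected_loss() for s in scenarios)


def expected_loss_after(scenarios, control) -> float:
    # Residual expected loss once the control is applied to the scenarios it covers.
    return sum(s.expected_loss() * control.residual.get(s.name, 1.0) for s in scenarios)


def avoided_loss(scenarios, control) -> float:
    return total_expected_loss(scenarios) - expected_loss_after(scenarios, control)


def gross_roi_percent(scenarios, control) -> float:
    # Ratio as used in the answer: avoided expected loss / investment.
    return 100.0 * avoided_loss(scenarios, control) / control.cost


def net_roi_percent(scenarios, control) -> float:
    # Alternative form: (avoided expected loss - investment) / investment.
    return 100.0 * (avoided_loss(scenarios, control) - control.cost) / control.cost


def rank_controls(scenarios, controls):
    # Highest net ROI first; a board can then see which investments pay back best.
    return sorted(controls, key=lambda c: net_roi_percent(scenarios, c), reverse=True)


# Scenario quoted in the answer: 10% chance per year of a DoS attack costing £500,000.
DOS = Scenario("dos", annual_probability=0.10, loss=500_000)
# Constructed second scenario (assumption): 5% chance per year of losing vital data.
DATA_LOSS = Scenario("data_loss", annual_probability=0.05, loss=200_000)
SCENARIOS = [DOS, DATA_LOSS]

# £5,000 investment from the answer, assumed here to fully avoid the DoS loss.
DOS_CONTROL = Control("dos_mitigation", cost=5_000, residual={"dos": 0.0})
# Constructed control (assumption): backups costing £8,000 leave 20% of the data-loss risk.
BACKUP_CONTROL = Control("offsite_backups", cost=8_000, residual={"data_loss": 0.2})
CONTROLS = [DOS_CONTROL, BACKUP_CONTROL]


if __name__ == "__main__":
    print(f"Total expected annual loss: £{total_expected_loss(SCENARIOS):,.0f}")
    for c in rank_controls(SCENARIOS, CONTROLS):
        print(f"{c.name:16} cost £{c.cost:>7,.0f}  avoided £{avoided_loss(SCENARIOS, c):>8,.0f}"
              f"  gross ROI {gross_roi_percent(SCENARIOS, c):7.1f}%"
              f"  net ROI {net_roi_percent(SCENARIOS, c):7.1f}%")
```

Run as a script it prints the ranked table; the DoS row reproduces the answer's £50,000 expected loss and 1,000% gross ROI. The `residual` fractions are the weakest input, which is Roger Marshall's point about lacking hard evidence: they should come from incident history, as Chris Edwards suggests, not from guesswork.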
Provide clear information to improve decision making
Chris Potts, Dominic Barrow
It is hard to see how you can hold the view that the first priority
for investment should be security and infrastructure if you have
not made the options transparent to the board and taken its
guidance. It is bound to have a view about how much of its
investment should go on protecting value versus projects that
create new value.
From a strategic risk management viewpoint the board may decide
that it is prepared to live with whatever level of exposure the
company faces and invest its IT money in more value-creating
initiatives.
Providing the board with clear information about the links between
the money the company spends on IT and returns on that investment
will enable you all to have a meaningful discussion about the types
of value needed from IT and how much should be invested in each
case.
Be objective in presenting the business case for IT
Sharm Manwani, Henley Management College
The first point to consider is that you might be wrong: security
and infrastructure may not be the priority for investment. It is
your responsibility to present the correct business case for all
the proposed IT investments in a way that the right decisions can
be taken.
Working with your financial controller, you may find that there are
different criteria you can use to evaluate the proposed
investments. A certain level of security is needed just to do
business and it is important to present the board directors with
more than one option so that they can understand the potential
consequences of their decisions.
The infrastructure benefits are likely to be in improved service
levels or as a platform for other applications. Your users may want
an improved service which the board may not consider an economic
investment. Consider bundling new applications with infrastructure
spend to produce the return.
Make the board understand the risk to the business
Robin Laidlaw, president, CW500 Club
Your priorities ought to reflect the priorities of the business, so
do not simply prepare a wish-list of your own. ROI is difficult for
projects which do not in themselves produce financial benefit. Even
for those forecast to produce benefit, users are frequently
reluctant to sign on to more than the minimum benefit to get the
project approved and then claim additional benefits as down to good
user management.
If you examine your current portfolio I am sure you will find
systems running which in themselves do not produce profit for the
business. What they do is to reduce cost.
The approach with projects such as security is to develop the
consequential loss concept: what would it cost your company if it
suffered a major loss of service, data corruption or fraud as a
result of not having adequate procedures?
It is essential that you have the proper dialogues with general
management: they do have to understand the real potential damage to
the business.
The experts
Computer Weekly has put together a panel of experts. You can
draw on their specialist knowledge to solve a problem. E-mail your
questions (or your own solution to this question) to
computer.weekly@rbi.co.uk
NCC Group www.nccglobal.com
Ernst & Young www.ey.com
Cranfield School of Management www.cranfield.ac.uk/som
Computer Weekly 500 Club www.cw500.co.uk
Henley Management College www.henleymc.ac.uk
British Computer Society www.bcs.org.uk/elite
Impact www.impact-sharing.com
The Corporate IT Forum www.tif.co.uk
Dominic Barrow www.dominicbarrow.com
Next question
My organisation has a disaster recovery plan that works in theory.
Can the panel advise where the greatest vulnerabilities lie in
continuity planning and how I can test the plans more
thoroughly?