Following an 18-month freeze the board is considering increasing the IT budget. It wants a list of priorities with cost and return on investment. Top of the list should be infrastructure and security, but these projects are expensive and the ROI is hard to justify. How can I ensure we tackle these first?
Return on investment is a crude tool but it can be done
Gill Williams, partner, Ernst & Young
There has been much debate as to whether return on investment is an effective vehicle for assessing and prioritising certain elements of IT expenditure. Typically, ROI calculations consider change in revenue and cost savings against the investment required.
As far as security is concerned, it is difficult to quantify all these elements. Most organisations recognise that security is essential; the question is how to decide how much security is enough. This question can only be answered with input from IT and the business.
IT infrastructure can account for a large proportion of IT spend and is regarded as an IT-only issue. The result is that business units often do not provide the information needed to support the justification.
The bottom line is that IT justification is the joint responsibility of business and IT. ROI itself may be difficult but investment must be justified and measured. Treat this as an opportunity to restart the process of engaging the business in aligning business and IT.
Add risk analysis to return on investment calculations
Roger Marshall, Elite
If the board insists on ROI, that is what you should deliver. Expenditure on IT security is just like spend on insurance, there is no guarantee there will be any return in the short term, but it would be irresponsible of the directors to avoid it for that reason.
Your ROI calculation should be based on a risk analysis which considers the likelihood of different security breaches taking place and the cost of putting them right. Do not be tempted to overdo the cost part of this, but at the same time do not restrict yourself to the IT costs alone.
Loss of business while IT services are restored, loss of vital data and loss of reputation are all valid factors to be included. Your problem may be the lack of hard evidence to back up such analysis, perhaps with the help of consultants. If all else fails, ask the auditors and take their advice on corporate governance. The board is sure to listen then.
Split the difference and do some of each
Chris Edwards, Cranfield School of Management
At least the board has recognised that IT is providing some business value by increasing the budget. You should accept that some of the increased budget will be devoted to developing new applications.
So how can you ring-fence some of the extra cash for security and infrastructure? The problem in justifying this expenditure is how you can evaluate such projects in terms of business value.
During the moratorium did you suffer any security breaches or was the infrastructure causing operational problems? If so, project the number of these you could reasonably expect in the next few years and evaluate them based on the cost experienced the last time they occurred.
You could look at outsourcing the IT infrastructure. This would change the nature of security and infrastructure costs which become mixed with the overall annual fee.
How to make the risk and return calculations
Anthony Harrison, NCC Group
IT governance arrangements should rank potential projects by the extent to which they mitigate risks to the survival and growth of the organisation. So although you might have concerns about infrastructure and security, your marketing director might want to establish e-commerce capability so that the organisation remains competitive.
The ROI of security and infrastructure investment can be calculated, but you need some detail about the likelihood of a risk materialising and its potential cost.
Say, for example, that a £5,000 investment in security would allow you to avoid a £500,000 profit loss following a denial of service attack, and you think there is a 10% chance of such an attack occurring in a one-year period, you could value the potential loss at £50,000. The ROI in this scenario is 1,000%.
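The likelihood-times-cost calculation in Anthony Harrison's answer above, and the risk analysis Roger Marshall recommends earlier on this page, carried through in code as an added example. This is not part of the panel's answers: the risk register, the controls and every figure in it are constructed for illustration, and the first risk/control pair simply reproduces the panel's £5,000 against £500,000 at 10% scenario. The script computes annualised loss expectancy (ALE) for each risk, the loss a control avoids, the return ratio (avoided loss over cost, which is the 1,000% in the answer), the net return on security investment, and the break-even incident rate, which is the figure to argue about when, as Marshall notes, hard evidence for the likelihood is lacking.

```python
"""Ranking security spend by annualised loss expectancy (ALE).

Added example; it is not part of the Computer Weekly panel's answers.
The risk register, the controls and all figures are constructed for
illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float   # pounds lost per incident: restoration, lost business, data, reputation
    annual_rate: float   # expected incidents per year (0.10 = roughly one every ten years)


@dataclass(frozen=True)
class Control:
    name: str
    risk: str            # name of the Risk it addresses
    annual_cost: float   # pounds per year, running cost included, not just purchase price
    effectiveness: float # fraction of incidents it prevents, 0.0 to 1.0


def ale(risk: Risk) -> float:
    """Annualised loss expectancy: loss per incident times incidents per year."""
    return risk.single_loss * risk.annual_rate


def avoided_loss(risk: Risk, control: Control) -> float:
    """Expected loss per year that the control removes."""
    return ale(risk) * control.effectiveness


def return_ratio(risk: Risk, control: Control) -> float:
    """Avoided loss divided by cost (10.0 is the '1,000%' of the panel's example)."""
    return avoided_loss(risk, control) / control.annual_cost


def rosi(risk: Risk, control: Control) -> float:
    """Net return on security investment: (avoided loss - cost) / cost."""
    return (avoided_loss(risk, control) - control.annual_cost) / control.annual_cost


def break_even_rate(risk: Risk, control: Control) -> float:
    """Incident rate per year at which the control only just pays for itself.

    When the likelihood estimate is contested, the board need only accept
    that the true rate exceeds this figure, not the exact estimate.
    """
    return control.annual_cost / (risk.single_loss * control.effectiveness)


def rank_controls(risks, controls):
    """Return (control name, avoided loss, ROSI, break-even rate), best ROSI first."""
    by_name = {r.name: r for r in risks}
    rows = []
    for c in controls:
        r = by_name[c.risk]
        rows.append((c.name, avoided_loss(r, c), rosi(r, c), break_even_rate(r, c)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register (invented figures). The first pair reproduces the panel's example.
RISKS = [
    Risk("denial of service", single_loss=500_000, annual_rate=0.10),
    Risk("ransomware on file servers", single_loss=250_000, annual_rate=0.20),
    Risk("laptop theft with customer data", single_loss=80_000, annual_rate=0.50),
]
CONTROLS = [
    Control("DDoS scrubbing service", "denial of service", annual_cost=5_000, effectiveness=1.0),
    Control("offline backups and restore drills", "ransomware on file servers", annual_cost=30_000, effectiveness=0.8),
    Control("full-disk encryption", "laptop theft with customer data", annual_cost=12_000, effectiveness=0.9),
]

if __name__ == "__main__":
    for name, avoided, roi, be in rank_controls(RISKS, CONTROLS):
        print(f"{name:36s} avoids £{avoided:>9,.0f}/yr  ROSI {roi:7.0%}  break-even {be:.3f} incidents/yr")
```

The ranking uses net ROSI rather than the gross ratio so that a control whose cost exceeds what it avoids comes out negative; the break-even column is the number to take to the board, since for the panel's denial-of-service case it is one incident in a hundred years, well below any estimate they are likely to dispute.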
Provide clear information to improve decision making
Chris Potts, Dominic Barrow
It is hard to see how you can hold the view that the first priority for investment should be security and infrastructure if you have not made the options transparent to the board and taken its guidance. It is bound to have a view about how much of its investment should go on protecting value versus projects that create new value.
From a strategic risk management viewpoint the board may decide that it is prepared to live with whatever level of exposure the company faces and invest its IT money in more value-creating initiatives.
Providing the board with clear information about the links between the money the company spends on IT and returns on that investment will enable you all to have a meaningful discussion about the types of value needed from IT and how much should be invested in each case.
Be objective in presenting the business case for IT
Sharm Manwani, Henley Management College
The first point to consider is that you might be wrong: security and infrastructure may not be the priority for investment. It is your responsibility to present the correct business case for all the proposed IT investments in a way that the right decisions can be taken.
Working with your financial controller, you may find that there are different criteria you can use to evaluate the proposed investments. A certain level of security is needed just to do business and it is important to present the board directors with more than one option so that they can understand the potential consequences of their decisions.
The infrastructure benefits are likely to be in improved service levels or as a platform for other applications. Your users may want an improved service which the board may not consider an economic investment. Consider bundling new applications with infrastructure spend to produce the return.
Make the board understand the risk to the business
Robin Laidlaw, president, CW500 Club
Your priorities ought to reflect the priorities of the business, so do not simply prepare a wish-list of your own. ROI is difficult for projects which do not in themselves produce financial benefit. Even for those forecast to produce benefit, users are frequently reluctant to sign on to more than the minimum benefit to get the project approved and then claim additional benefits as down to good user management.
If you examine your current portfolio I am sure you will find systems running which in themselves do not produce profit for the business. What they do is to reduce cost.
The approach with projects such as security is to develop the consequential loss concept: what would it cost your company if it suffered a major loss of service, data corruption or fraud as a result of not having adequate procedures?
It is essential that you have the proper dialogues with general management: they do have to understand the real potential damage to the business.
Computer Weekly has put together a panel of experts. You can draw on their specialist knowledge to solve a problem. E-mail your questions (or your own solution to this question) to email@example.com
NCC Group www.nccglobal.com
Ernst & Young www.ey.com
Cranfield School of Management www.cranfield.ac.uk/som
Computer Weekly 500 Club www.cw500.co.uk
Henley Management College www.henleymc.ac.uk
British Computer Society www.bcs.org.uk/elite
The Corporate IT Forum www.tif.co.uk
Dominic Barrow www.dominicbarrow.com
My organisation has a disaster recovery plan that works in theory. Can the panel advise where the greatest vulnerabilities lie in continuity planning and how I can test the plans more thoroughly?