Projects That Defy ROI

By strict ROI standards, security and disaster recovery projects shouldn't get any funding because they don't produce revenue or cut costs. Here's how some IT shops make the case.

March 3, 2003

6 Min Read
Network Computing logo

Management and technology consultants will tell you, though, that the benefits of any IT asset can be tracked and quantified. Take disaster recovery. You can use your own experience or industry benchmarks to determine the likelihood that your systems will be knocked out in the coming year, then take the dollar value of transactions lost during the estimated downtime to determine the potential loss, says Ken Neimo, COO at TMNG Technologies, a telecom consulting firm in Bethesda, Md. That number will tell you whether a hot-backup system is worth the expense, Neimo says.

But some IT execs don't buy into this approach. When it comes to technologies that address risk, they rely on intuition more than on any ROI calculation because, they say, the more you try to count every penny, the wilder--and less believable--the numbers become. For example, Neimo's formula assumes that every transaction attempted during a system outage is lost forever. That's not always true. In many businesses, employees and customers can wait until the systems come back up.

There's no shame in resorting to qualitative arguments now and then, says William Ellison, vice president of information systems at Medical Consultants Network, a 100-employee company based in Seattle that performs medical exams for insurance companies. When Ellison joined Medical Consultants, executives were frustrated because each of the company's 13 regional offices kept a separate database to track patients. They couldn't see what the satellite offices were doing.

Ellison couldn't express in dollars the potential benefits of database consolidation--what is the benefit of management being able to run a report on where the company stands?--but his instincts told him it was the way to go. After the fact, Ellison is confident that Medical Consultants has recouped the seven-figure expense. Several new clients wouldn't have become clients were it not for his company's ability to demonstrate that it could track patients centrally, he says.

ROI analyses get especially fuzzy on security, disaster recovery and other IT projects that, in effect, require proponents to "prove a negative," says Phil Mogavero, CEO of Data Systems Worldwide, a systems integrator and outsourcer. If your network never gets broken into, you don't know for sure that you prevented an intrusion. It explains why companies tend to become interested in intrusion detection only after their systems are compromised, Mogavero says.

It's also dangerous to think that new revenue can justify an IT project. Even after the project goes live, the results may not be measurable.

Exterior Wood, a 125-employee lumber producer in Washougal, Wash., invested about $17,000 and 100 labor hours in a warehouse-automation system that generates labels for wrapped shipments so customers can determine package contents without opening them. The system gets its information from a wirelessly buyers IBM AS/400.

The goal was customer satisfaction; buyers had complained the old labels weren't descriptive enough. But if someone asks IT manager Larry Miller to show a hard-dollar return on the investment, "I tell them it's not measurable," he says. "How do we know we wouldn't have gotten that phone call anyway?"

Security is different from other technology categories in that companies tend to overspend out of fear, says Tari Schreider, the security practice manager at consultancy Extreme Logic. Schreider prescribes an annualized loss-expectancy model for security and disaster-recovery investments to ensure that a client's spending is commensurate with the real risk to its IT assets.

The model, which he calls reduced-risk return on investment, or RRROI, factors in which portion of your systems are vulnerable, as well as the likelihood that an outage will occur. If an IT asset is valued at $1 million and an outage would knock out 20 percent of it, your vulnerability is $200,000. If a devastating tornado tends to occur once every two years, your risk is $100,000.

"So you need to spend commensurate with $100,000 of risk rather than $1 million," Schreider says. "No asset is 100 percent at risk 100 percent of the time."

The lesson? If you want to gain credibility with the MBA crowd, you won't score points by employing Chicken Little tactics. "IT has made a living out of scaring the hell out of the business side of the house," says TMG's Neimo. "They're like the life insurance guys who break you down by saying, 'Do you know what the statistics say about the likelihood you will get hit by a car?' "

Antivirus Installationclick to enlarge

Perhaps the best lesson comes from Rodric O'Connor, CTO at Putnam Lovell NBF Securities in San Francisco. When he wanted to sell to management the idea of consolidating five client databases to increase the efficiency of the firm's scattered sales team, O'Connor knew the productivity argument would never fly, even if he were right. "Do you say they will be 10 percent more productive? No. You say it will help them," he says. "I wouldn't risk my reputation by putting a number on it."

So he combined his clout with that of a top sales exec who also believed in database consolidation, and he got the go-ahead--using the sales unit's money. "You can't win an argument just pitting IT against the CFO," O'Connor says. "For non-cost-cutting exercises, you need to get executive sponsorship from the unit gaining the benefit."

Still, qualitative arguments like this one don't sit well with Dale Troppito, managing partner at The Gantry Group, a consultancy that develops ROI calculators for tech vendors and IT organizations. Troppito tells clients that everything can be measured. Even e-mail, which most companies deem a cost of doing business, can be justified by quantifying avoided costs such as long-distance tolls and FedExing. "I don't think a gut feel is ever appropriate," she says.

Judge for yourself. The ROI formula for these classes of technology will vary depending on your company's goals and culture. But beware: If your ROI is too hard, you risk losing credibility by claiming to measure returns that are difficult or impossible to measure. If your ROI is too soft, hardliners will consider it mushy and overly reliant on intuition. It has to be just right.

David Joachim is Network Computing's editor/business technology. Write to him at [email protected].

Post a comment or question on this story.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights