• United States



by No Analyst or Consultant

Seeing the Big Picture: IT Investments and Business Strategy

Sep 27, 20056 mins
CSO and CISOData and Information Security

By Scott Feuless and Steve Powers

Ideally, CIOs and other executives evaluate IT investment initiatives in the context of a comprehensive business strategy that ensures maximum returns and facilitates that all-important “alignment” of IT spend and business requirements. But in the real world, a variety of factors often interfere, and individual IT projects end up being viewed in a vacuum, without adequate consideration of the larger environment in which those initiatives exist. The result is an isolated decision-making process that leads to a variety of problems.

What Goes Wrong

When it comes to IT-related security decisions, for example, many companies rely on worst-case evaluations of what might occur. Rather than conducting a sound, fact-based assessment, they focus on potentially devastating catastrophic events, and justify security investments by citing the cost impact of a total security breach.

The first problem with this logic is that the cost impact of a security failure has not been risk-adjusted to account for the minimal probability of a total security failure. In other words, while the impact of a complete collapse of IT security is obviously enormous, the realistic risk of such an event must be considered.

Second, initiatives to prevent a total security breach often do not consider all of the associated investments needed to mitigate the risk. Organizations may begin with firewalls and virus scanning, justifying the investment as necessary to prevent an otherwise total and inevitable security collapse. But soon other investment requirements emerge, such as intrusion detection, anti-defacement software, digital certificates, etc. All of these associated investments address the same root problem, and each incremental investment is justified on the basis of protecting against total security failure. As the spending escalates with no end in sight, management begins to question the validity of the fundamental business case for IT security.

Decisions on where, when, and how much to invest to avoid the cost of a total collapse must consider the entire portfolio of security enhancement initiatives and their related budgets. The question is not whether the incremental cost of new firewall technology is “worth it” relative to the risk of a total security failure. Rather, CIOs should ask: “Are we spending the right amount on the right things to best make ourselves secure relative to the security risks we face?”

Elements of a Good Business Case

The four calculations described below can help ensure that business cases for IT investment adequately account for a broad range of business considerations.

Net Present Value

A basic “ROI” used by many organizations today is a simple calculation of total anticipated benefits divided by total anticipated costs. While attractive for its clarity, such a calculation is too simplistic to enable truly informed decision-making. A Net Present Value (NPV) calculation goes beyond a simple ROI because it defines the value of the project over its entire life. For example, through an NPV analysis, a project that loses money the first year, but delivers a major return following the second and third years, could be shown to be more attractive than a smaller-scale project that delivers a smaller payback in the short termassuming the organization has the willingness and the available cash to wait for such a payback.


A payback is a simple calculation of how soon the investment will be recovered, and provides a valuable gauge of an initiatives risk, as well as a reality check of an NPV analysis. While a long-term view is desirable, sometimes an organization simply cant wait too long to get its money back. Based on knowledge of the business environment, management will have some idea of the level of risk associated with long-term investments, and they need to know the payback period to properly assess this risk. Opportunity Costs

Another key consideration is that of opportunity costa calculation of what investments cannot be made because of the resources consumed by a big project. If IT has a discrete budget, spending all of it on a project with a $1M NPV and a one-year payback would be a bad decision if an alternative project could yield a $5M NPV with a payback of only six months. While this appears obvious, in practice managers often view individual decisions in isolation from one another, and miss opportunities to conduct side-by-side assessments of various options. For example, the relative merits of investing in an ERP upgrade, as opposed to the hiring of ten more developers, should be considered as part of the business case. The failure to consider opportunity costs is perhaps best expressed by the following: “Wed really like to do that this year but theres no money left in the budget.”

Soft Benefits

Finally, “soft benefits” are a calculation of a projects impact on qualitative measures such as productivity, image, and employee morale, or those that are difficult to quantify as specific dollar amounts. While often overlooked, soft benefits can be significant. Compass has observed large, well-run organizations that maintain, against best practices, outmoded desktop technology because management doesnt recognize and cant quantify the benefits of hardware refresh in terms of running newer applications, increasing productivity, reducing maintenance costs, and increasing user satisfaction. Soft benefits tend to be discounted if management doesnt know how to define measures for them. For instance, the benefits of reduced end-user effort (i.e. , effort end-users expend dealing with problems and forced downtime) are significant, but difficult to define in terms of saved hours, unless established metrics are tracked and observed industry practices are applied.

Measuring Results

Measuring actual successes and failures relative to original estimates helps ensure that business cases are effective. Was the NPV realized? The payback? How close was the estimate to the actual result? What root causes accounted for any significant differences? Did the points made in the discussions on opportunity cost, soft benefits, and business alignment prove accurate over time?

Having the right people involved in business case development and evaluation is also critical. Over time, individuals can develop core competencies in constructing business cases. Organizations can then rely on these individuals when a solid business case is critical, and can leverage their expertise by having them train others. A “business case” should be more than a simple justification, and must fully consider risk, timing, and context. A project that delivers clear cost savings within one year is a waste of money if the entire system becomes irrelevant in 18 months because it no longer supports business needs. At a minimum, each business case should include mandatory discussions on Net Present Value, payback calculation, opportunity costs, soft benefits, and alignment with business requirements.

Scott Feuless and Steve Powers are Compass senior consultants based, respectively, in Houston and New York.