Return on Investment In Information Technology: A Guide for Managers



Chapter Two: Methods of ROI Analysis for IT

Risk analysis in the public sector

Risk analysis consists of assessing the importance of threats and how to mitigate or eliminate them. We usually evaluate a threat in terms of how likely it is to materialize and how much damage or cost would result if it did materialize. We know, for example, that a large asteroid could hit the Earth and destroy a continent—an enormous threat in terms of consequences. But astronomers tell us that the likelihood of that happening is very, very remote—therefore, a small threat in terms of probability. Because of the low probability, the threat is seen as small enough that few of us (aside from some science fiction writers and astronomers) take it into account in day-to-day life. The same logic applies to risks in IT investment. Consequently, risk analysis can be thought of as having four basic steps:
  • identifying the source of threats,
  • assessing the extent of potential damage or cost to the project,
  • assessing the likelihood of the threat materializing, and
  • devising ways to reduce or eliminate the threat (i.e., mitigate the risk).
Threats can be reduced by taking steps to lessen the damage or cost that would occur if the threat materializes and also by reducing the probability that the threatening event or action will occur. For example, a project could call for using the most reliable platform for a critical database application, reducing the probability that the system will experience a failure. The project could also implement a backup system capable of taking over processing if the primary system does fail, reducing the potential damage of a failure.

The overall subject of risk analysis is too large to treat in detail here. However, most of the risk assessment issues described above involve problems of thinking beyond the boundaries of the project, measuring factors, or determining probabilities. This should not discourage risk analysis.

The experience of those involved in IT projects can be a rich source of intelligence and experiential data on which to base reasonable estimates of risk potential and problem sources. The literature on IT investment is another rich source of analyses of successes and failures that provide additional insights into risks and mitigation strategies. Simply recognizing where uncertainty and potential damage lie is half the battle. Careful risk analysis, based on the best available data and estimates, will surely assist in ROI analysis and improve planning, even if the amount or quality of data is less than ideal.