Preface
Nearly every vendor in Identity and Access Management will use the term "Return on Investment" somewhere in their marketing or sales message. It has been used for years as the justification for any IAM project. Many vendors publish free ROI calculators on their websites, to make it even easier to consider and justify your identity project.
Yet why, then, are so many business cases dismissed by finance teams before a project starts, and why is a mature program, when compared against the original ROI calculation, deemed a failure because it has not delivered the promised returns?
Spoiler alert: the answer has not so much to do with the program or the technology as with the over-hyped ROI calculation. Thankfully there is a better way, one that could make your IAM program more cost-effective.
What is Return on Investment?
A good starting point is to define Return on Investment. Type ROI or Return on Investment into your favourite search engine or AI assistant and you will get answers like:
"Return on Investment (ROI) is a popular profitability metric used to evaluate how well an investment has performed" and "Return on investment (ROI) is a financial ratio that measures the monetary value of an investment relative to its cost".
Given the economic realities of many businesses, the key word in those definitions is "profitability", whether to appease shareholders or simply to survive. Does an identity program increase profitability? Do share prices go up and make shareholders happy? Is it high on any budding entrepreneur's list of things to do?
Simply put, the answer is no.
Why do vendors promote ROI?
The clue is in the definition of ROI: show profitability, show monetary value relative to cost. Vendors are trying to show that purchasing their tool will save you money and that it will pay for itself in a short period of time. So what is it they say you will save on? That depends on the tool being considered, but there are some standard claims.
Saving on Key Presses
An old favourite with SSO (Single Sign-On) vendors that has now resurfaced with many MFA and passwordless vendors. The premise is that it takes a user time to enter a password, and not having to do so makes the user more productive: the time spent typing passwords could be spent doing something else.
It is up to you to decide whether the handful of seconds, or even a couple of minutes per day, you would save means you do something that earns the company more money, or whether you would spend that time looking out of the window, drinking coffee or staring vaguely at the screen.
The answer is that, despite this message being rolled out for 20+ years, there has never been any real evidence of it increasing profitability.
Password Resets
Another old favourite, and probably as popular as ever with vendors. This message gained a lot of credibility when Forrester estimated the cost of a single password reset at $70. Multiply that by the number of employees and the number of passwords each one has and the potential saving suddenly runs into hundreds of thousands even for a small organisation, and millions for larger ones.
Without wishing to undermine research by well-respected analysts, is that figure accurate? Despite plenty of searching, no company appears to have published an article after the event saying "Wow, we saved all this money." If one exists, it is hard to find.
Another argument is human behaviour. Despite security advisors saying that we should use different passwords for different applications, we must be honest and admit that most people do not. Also, the general adoption of Access Management with SSO has reduced the number of passwords each user holds.
The final argument against this number is, as before, whether staff really remain unproductive while waiting for a password to be reset. Perhaps on a few of the requests, but certainly not on every reset.
There is no denying that having help desk staff reset passwords has a cost. However, what is the labour cost of those staff, and would they not simply be repurposed for other tasks? Even if a help desk staff member were to lose their job, the saving is likely to be orders of magnitude less than the millions suggested by vendors and analysts.
Automation
Most industries view automation as a major return on investment. This is certainly true in manufacturing, where machines produce more, work 24 hours a day, need very little rest and do not require a union. The same cannot be said for the automation of identity tasks, especially around JML (Joiner, Mover, Leaver) or access requests, because the task itself does not take a lot of time to perform manually. The one caveat is where there is a considerable number of operations in a short period of time, as in industries such as healthcare, education and retail around Christmas.
The argument is whether it really matters if a new joiner, or someone requesting new access, waits a couple of days. What is the financial impact? That depends on who they are, what they are trying to access and how urgent the request is. The answer is therefore not as straightforward as many vendors would have you believe.
Compliance
If numbers and science do not work, many vendors fall back on scare tactics, using the justification that non-compliance with a regulation is likely to cost 4% of a company's global turnover (the maximum GDPR fine). No-brainer: a product that can save you hundreds of millions is surely a must-have.
Again, not so simple. A quick bit of research will show that the 4% fine is rarely handed out, and when it has been it has usually been for persistent bad practice, generally of the human kind rather than a missing tool.
Yes, non-compliance does have a financial implication in that it can lead to a fine, but compliance can generally be achieved with a combination of processes, policies and tools and does not mandate any single product. The size of the fine will vary with the severity of the failing and in nearly all cases will be less than the cost of licences and implementation.
The Exception to the Rule
Most people, when they think of identity, think of workforce identity. Identity should be considered as workforce, customer and non-human identities. The big exception to the "ROI does not work" statement is customer identity. Anything related to improving the customer experience will have a return on investment figure, because most businesses are about making money from customers.
If not ROI, then what?
Thankfully the world of economics provides an alternative: Return on Value (ROV).
Return on Value is defined as "a concept that considers both the monetary and non-monetary results of a venture". Where it differs from ROI is that it takes into account things like employee satisfaction and retention, risk reduction, environmental sustainability, platform stability and consistency of service.
There is no doubt that an ROV estimate is much more difficult to produce, and it is therefore very unlikely that any vendor will publish a calculator for it. An ROV estimate will vary widely from company to company, as each will weight the things that matter to it differently.
Is ROV better than ROI?
At the end of the day nearly all companies live or die by money, or the lack of it, so it can be argued that ROI is better because it focuses purely on monetary value. If that were the case, then nearly all IT, security and particularly identity projects would never get off the ground.
Thinking in terms of ROV places weightings on the factors that are important to an organisation. When all of those factors are taken into account, the return calculated for a project, compared against its cost, is a better reflection of what the organisation actually gets. Yes, that return is a number and it is arbitrary, but it is a better way of contrasting and comparing projects.
Will using ROV save money?
Applying ROV to all projects in an organisation, not just identity, provides a way of evaluating the best way to spend the budget. It can avoid unnecessary spend on lesser projects that do not provide the greater return, and it forces an organisation to focus on the priorities that matter to it overall rather than on something with dubious financial savings.
Applying ROV retrospectively to existing programs can help identify financial savings by removing poor technology, or technology that can be replaced by a modern, cheaper alternative.
ROV can be used as a good mechanism to define the success of a program. Did it achieve the results first predicted? Does an employee survey show greater satisfaction? Evaluating this against
Overall, it may be difficult to say that thinking in terms of ROV will save organisations money, but that is not the point. It is about all-round value rather than financial saving alone. Did the program improve the user experience? Did it help staff retention? Did it help save the planet? All non-financial questions that ROV, and not ROI, can answer.
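As an added illustration of the weighted comparison described above (not a model from this article, nor one any vendor publishes), the Python below scores three constructed identity projects under two constructed sets of organisational weightings and ranks them, alongside the ranking a plain ROI calculation gives when it takes the vendors' claimed savings at face value. Every project name, cost, claimed saving, factor score and weight is an assumption made up for the example; the factor names and the 1 to 5 scoring scale are likewise assumed.

```python
"""Weighted Return on Value (ROV) scoring versus plain ROI.

Added example: the factors, weights, projects, costs and savings below are
constructed for illustration. An organisation would pick its own factors,
score them through its own assessment and weight them by its own priorities.
"""
from dataclasses import dataclass

# Constructed factor names; each score is an assessed value from 1 (poor) to 5 (excellent).
FACTORS = ("financial", "user_experience", "risk_reduction", "staff_retention", "stability")


@dataclass(frozen=True)
class Project:
    name: str
    cost_k: float            # licences plus implementation, in thousands (constructed)
    claimed_saving_k: float  # the monetary saving a vendor ROI sheet would quote (constructed)
    scores: dict             # factor -> assessed score 1..5 (constructed)


def roi(project: Project) -> float:
    """Classic ROI: (gain - cost) / cost, using the vendor's claimed saving as the gain."""
    return (project.claimed_saving_k - project.cost_k) / project.cost_k


def value_score(project: Project, weights: dict) -> float:
    """Weighted value on a 0..100 scale.

    Refuses to score a project that is missing a weighted factor (or carries a
    factor the organisation has not weighted), so that a gap in the assessment
    cannot silently favour one project over another.
    """
    mismatch = set(weights) ^ set(project.scores)
    if mismatch:
        raise ValueError(f"{project.name}: unmatched factors {sorted(mismatch)}")
    for factor, score in project.scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{project.name}: score for {factor} must be 1..5, got {score}")
    weighted = sum(weights[f] * project.scores[f] for f in weights)
    max_possible = 5 * sum(weights.values())
    return 100.0 * weighted / max_possible


def rov(project: Project, weights: dict) -> float:
    """Return on value: weighted value score per thousand spent (arbitrary units,
    only meaningful for comparing projects scored under the same weights)."""
    return value_score(project, weights) / project.cost_k


def rank_by_roi(projects) -> list:
    return [p.name for p in sorted(projects, key=roi, reverse=True)]


def rank_by_rov(projects, weights: dict) -> list:
    return [p.name for p in sorted(projects, key=lambda p: rov(p, weights), reverse=True)]


# Constructed candidate projects. The SSO saving deliberately mirrors an inflated
# "saved key presses" claim; JML automation shows little claimed cash saving.
PROJECTS = [
    Project("SSO rollout", 200, 900,
            {"financial": 3, "user_experience": 4, "risk_reduction": 4, "staff_retention": 2, "stability": 3}),
    Project("Password self-service", 80, 300,
            {"financial": 3, "user_experience": 3, "risk_reduction": 2, "staff_retention": 1, "stability": 2}),
    Project("JML automation", 200, 150,
            {"financial": 1, "user_experience": 3, "risk_reduction": 5, "staff_retention": 3, "stability": 4}),
]

# Two constructed weightings: a risk-led organisation and an experience-led one.
RISK_LED = {"financial": 1, "user_experience": 1, "risk_reduction": 5, "staff_retention": 1, "stability": 2}
EXPERIENCE_LED = {"financial": 1, "user_experience": 4, "risk_reduction": 1, "staff_retention": 3, "stability": 1}

if __name__ == "__main__":
    print("ROI ranking (vendor claims):", rank_by_roi(PROJECTS))
    print("ROV ranking, risk-led:      ", rank_by_rov(PROJECTS, RISK_LED))
    print("ROV ranking, experience-led:", rank_by_rov(PROJECTS, EXPERIENCE_LED))
```

Under the vendors' claimed savings, ROI puts the SSO rollout first and JML automation last with a negative return; under the risk-led weighting JML automation moves above SSO, and under the experience-led weighting the order changes again. That is the point made above: the ROV number is arbitrary, but it reflects what the organisation actually weights, and the weighting has to be the organisation's own rather than a vendor's.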
Disclaimer
The author is human, as any AI tool would claim that silicon-based technology will save more money than a human.