Such is the heat on CIOs to deliver ROI that some have even resorted to delivering fictitious business cases, according to Dr Kevin McIsaac, research director with Meta Group and a veteran of many business case assessments. "I look through many vendor business cases and they're wildly optimistic; there's a lot of fudge factor thrown into them. To get their pet projects through, many people start with the ROI they need to have and work backwards. We've got to be a lot more critical about these things," McIsaac told CIO Government last November.

"Lots of times in firms the ROI just becomes an exercise for justifying something that you already want to do," CITJ's Cotteleer says, "and so there is a process whereby we go through and either fudge or make up the numbers to kind of get done what we have other reasons for wanting to get done. That doesn't mean that it can't be a useful exercise, and it doesn't mean there aren't firms out there that do in fact try to make it a meaningful exercise - it just means that you need to have some discipline with the process."

So how do CIOs reconcile the demand on the part of firms, executives and shareholders to present a valid business case with the reality that almost no one - even in some cases the CIO presenting it - believes the work product that is eventually delivered?

At Tempo Services Limited, group IT manager Dermot Musker says the importance of ROI to his company "depends on who you ask - the higher up in the organization the more important it gets".

The need for an ROI at Tempo Services is determined on a case-by-case basis according to the size of the investment. Musker says there is no specific return on investment that must be proven before a project is engaged; however, "the expected gains must be described in the business case".

"The executives don't necessarily have their own rule of thumb," he says, "they would be relying on the experts to provide them with their best judgment. It's more on the lines that an executive would test the decision, based on whether they can understand the business case, the wording and how it's explained, and whether they feel that the recommendation made is commensurate with that business case."

Nevertheless, Musker says recognizing that it can be extremely challenging to present a business case for upgrades and investments in security, for example, executives in some cases will accept an explanation of the risks involved, and a judgment based on those risks.

Likewise Bruce Rice, general manager IS at RACQ General Insurance, says ROI is always important, although sometimes the business case will include a high degree of non-financial gain. For instance, as a mutual organization, one main stream of RACQ's business is member services, so sometimes Rice may be able to present a case that stacks up mostly in terms of a new business process that saves some staff or staff time or telecommunications costs.

"There are instances where a proposed project might not fully meet a 12 percent or 20 percent or 100 percent ROI," he says, "but there might also be perceived a degree of improved member services. So in those cases we might trade off an ROI which is not complete, against some real - although not quantified in dollar terms - benefit to customers."

Rice says RACQ spends "buckets of money" on strong security and an e-mail protection environment. "And I guess those things probably don't pass an ROI, or if they do, it's [a question of] how do you put a price on the likely intrusion or the likely closure of your network?

"[In those cases] we fully understand the cost, and probably leave the benefit as a set of words rather than a set of dollars. If you were going to say: 'We need to spend $45 million and it's because it's a nice thing', probably that's not going to be enough. But if it was: 'We need another $30,000 or $100,000 for a higher level of intrusion detection', and you have a set of words which will wrap around the risks and the protection you bind - that may well be enough for an ROI at that cost."