Nevertheless, Strassmann says, there are ways of finding IT value - it is just that they are all indirect. You can plead that IT creates value, provided you come well prepared. Just as in repainting a house, the most important part of the job lies in proper preparation, not in spreading the coating.

Among other things, Strassmann advocates a managerial equivalent to "Sutton's Law". Named for the famous bank robber Willie Sutton, this law advocates "going where the money is" when targeting IT investments (and Strassmann has some suggestions for exactly where to look). Managers, he argues, also need to understand that IT benefits are tied up largely in the more intangible assets that traditional accounting practices do not reveal. When tallying these benefits, Strassmann insists that the appropriate comparator for an IT project is not where the firm is today, but where it will be if it does not undertake the investment. Strassmann's rules include:

• Adopting a conservative attitude to the value of IT
• Recognizing that the greatest obstacle to the demonstration of IT value can be found in conventional accounting methods
• Focusing on shareholder value by ensuring your "base case" starts with making no changes to how you deploy IT
• Ensuring all IT plans reflect, for the benefit of the shareholders, the certainty of the projected value of IT spending
• Keeping away from revenue-related ratios as indicators of gains attributable to IT
• Presenting a well-reasoned case that is based on analysis of the total spending package before plunging into a discussion of pet projects.

However, you also need to know how ROI should be measured - especially in an institution like the renowned The Wharton School at the University of Pennsylvania, which values IT as a competitive advantage, says CIO William Gerard McCartney. The most crucial part of the CIO's job is probably to be able to show the value to the institution of continuing high investment in technology.

"My Wharton colleague Lorin Hitt established in 1996 the three principal ways in which ROI should be measured: productivity, profitability and customer value," McCartney says. [To read the paper, "Productivity, Profit and Consumer Welfare: Three Different Measures of Information Technology's Value", go to http://ccs.mit.edu/papers/CCSWP190.html. - Ed].

"I've seen a lot of people in my job fail because they didn't pay attention to all three of these factors. In fact, many CIOs continue to be enamoured of technology merely for the sake of technology. If they aren't able to link technology investments with at least one of the three ROI factors they are putting themselves and their organization in jeopardy. Of course, the importance that any particular institution places on each of these factors will be dependent on the strategic direction of the institution, so the CIO must at least be familiar with the strategic direction and preferably should have some part in shaping it."

Minding One's Own Oats

As well as knowing how ROI should be measured, there is also the question of who should do the measuring, Cotteleer says.

If firms in general are poorly equipped to perform such analyses, IT departments are often particularly badly qualified. They tend to be poorly trained in methods of assessing business value, and are likely to lack the language required to express the business case for something like security infrastructure, which clearly in many cases has a potential ROI, if only in its ability to avoid substantial damage to the firm. That is a gap the canny CIO would be wise to fill.

"I think that if you can't go in to your technology organization and have someone explain to you basic financial concepts around discounted cash flow analysis or net present value, which we would normally think of as being outside their purview, [then] that would be a warning sign. If you don't have people in your technology organization that can explain to you what the key metrics are on which the firm measures business value, I would say that's a warning sign. If you don't have people in your technology organization that can look at a business process and document that business process and help you understand specifically where that process could be enhanced through the use of technology, I would say that's a warning sign."

Cotteleer says CIOs should view this as a developmental issue for the CIOs' organizations. In essence, ROI analysis for IT projects should not be fundamentally different from any other capital budgeting decisions made in the organization except that such measures tend to be more abstract, he says. But CIOs can learn a lot from the challenges that other parts of the organization have faced and from the capabilities that they have built. And while it remains the case that too few CIOs are talking the same language as the boards demanding accountability from them, the way forward is to train a contingent of people in the CIO's organization to perform meaningful ROI analyses. In most IT shops the ability to do so just does not exist, he says.

He warns when someone from the financial side of the business comes in and tries to perform a business case, or where someone from the CIO's organization simply adopts a standard form and tries to work something out, they neither understand nor have a process in place that makes it possible to look at business processes in the context of metrics that are important to the organization. They are also typically ill-equipped to relate IT implementation to changes in those processes and therefore in those metrics that help conceptualize the value that they will deliver.