Back in March, I took "independent risk consultant" Protiviti to task for its apparent emphasis on bean counting, that is total cost of ownership and ROI, when considering an identity management system. Now ROI and TCO are not unimportant factors. They need to be taken into consideration when choosing among the various products and services you will use to implement an identity management system. But they aren't anywhere near the top of the priority list when first deciding whether or not to implement such a system.As it turns out, I may have mistakenly heaped derision on the company. Norm Barber, Protiviti managing director and practice leader for identity management has now provided me with a paper, soon to be available at Protiviti's Web site, entitled "Risks and Opportunities in Identity Management." The document makes it clear that Protiviti's Gartner-developed TCO and ROI tools I mentioned in March, were designed as aids to help you convince the financial gnomes that identity management is not only a Good Thing in and of itself, but also Good for the Bottom Line.The paper, for example, cites information from Meta Group studies that indicate the following:* Because of inefficient request processing, the user management process on average takes more than 60% longer than necessary.* Fully 45% of help desk calls are for assistance in resetting passwords.* IT staff spend, on average, 35% of their time on user data stores, access control and authentication, and user management issues for both internal and external users.* Providing a new internal user with computing privileges occurs 28 hours more slowly than required, resulting in a 36% loss of productivity and 26% loss of efficiency.The document also quotes an IDC estimation that a company with 5,000 employee, vendor or customer users requiring access to systems and information spends $1 million to $1.5 million annually for password management alone.Mr. Barber and I actually agree on quite a bit more than we disagree. The point he wished to emphasize is that "...data on the cost of not implementing identity management is often valuable to present in the business case, along with the broader set of risks, particularly to finance executives who must authorize identity management expenditures.\u00a0 The TCO and ROI tools developed for Protiviti by Gartner, in fact, do present data on what it costs a company to remain with the status quo, in terms of variables such as downtime, hours saved for security administration, and hours saved for help desk." I couldn't have put it any better myself.Grab a copy of the paper when it's available, and investigate Protiviti's tools should you need to demonstrate TCO and ROI for your identity management projects. As for Protiviti, it may only need someone new to write its press releases.