I was reading a press release the other day about the total cost of ownership and return on investment of identity management. See what I go through to keep you informed? It seems that Protiviti, a self-described "independent risk consultant," has joined with the Gartner Group to conduct a study and produce tools that measure the TCO and ROI of identity management. Evidently "independent risk consultant" means that the company is, in its own words: "...dedicated exclusively to risk consulting and internal audit." Somehow, I guess, consulting on other topics (the way, for example, the Gartner Group does) would taint Protiviti's expertise. Or maybe it means that larger consultancies (such as KPMG, for example) have dependencies among their practices that dilute their expertise or advice. Of course, it may simply be a marketing phrase.

Protiviti wants me (and you) to know that: "Identity management now ranks among the most complex and costly information security processes for companies to address as employees, consultants, contractors, customers and vendors continue to access proprietary information through vulnerable online and legacy environments." I can't fault that as we all know most enterprises are doing far less in the way of identity management than they should. Nevertheless, most identity management vendors are showing better returns than suppliers of other technologies, simply because companies realize that they have to do something about identity management.

So why would business need tools to measure TCO and ROI?

The TCO and ROI tools are necessary, evidently, not for your enterprise directly, but to enable Protiviti to "...help companies quantify the costs of managing identities, access control and authorization, and managing passwords from increasingly virtual user relationships."

If you stop to think about it though, it really isn't a question of the cost of identity management. Rather, you should be presenting upper management with studies on the costs of NOT implementing identity management. How much is your proprietary information worth? How much would it cost you should your clients' financial details be hijacked? What are the legal consequences for your enterprise if privacy rights are violated?

You know your company needs end-to-end identity management, you know the consequences of not having one. So don't be put off into having to justify the cost of implementing it. If you are, then it means you haven't done a proper job of explaining the risk involved. And you don't need an "independent risk consultant" to do that for you.