Sure that is a great way to start. When you are required to convince the companies board members to spend perhaps several million dollars, you must be able to present the awareness of other issues related NOT implementing the IAM Project. Some of those items might be similar to:
Outside security provider Protegrity has estimated that the company's losses as a result of the data breach may reach $1.6 billion in the years that followed the breach. The company admitted that the legal and and financial costs from the data theft cost it $20 million in the first quarter following the detection of the breech alone. The losses would come as a result of paying for credit checks and administrative costs for managing the fallout from the breach.
Note that these costs did not include the ill-will and loss of the companies own credit card usage.
Official action against the company in the form of regulatory fines made up a $1.5 million.
Or as one expert said, "The issue is a lot of companies really struggle with intangible benefits and risk profiles ... until, as he said, it's too late." He went on to say, ...in an environment where the intangible is brand value as opposed to just compliance"
On one client site, I was told that they had duplicate Social Security Numbers in their HR system that were as far as they knew, were valid.