
The ROI of Risk Management and PCRM

Risk management has a quantifiable return. Examining the evidence across industries and organization sizes, the financial scale of unmanaged people and culture exposure, and the returns that most organizations are only partially capturing.


Every strategic decision carries risk, be it capital allocation, market entry, product pricing, M&A, or leadership succession. Each one rests on assumptions about what will hold, what will shift, and what the downside looks like if those assumptions are wrong.

In some organizations, there is a dedicated function for risk management. In many others, it is distributed across functions without formal coordination. In either case, its value is realized only when it informs strategy rather than operating in isolation from it. It is what separates a confident bet from a blind one. An enterprise without mature risk management is, in effect, taking risk without the information needed to take it well.

And it does not just protect value. At its most mature, it actively creates value through better capital allocation, faster and more confident decision-making, and the competitive advantage of knowing your risk profile well enough to move when others are either still deliberating or diving in prematurely.

And yet the function remains chronically undervalued. Part of the reason is a bias so embedded in business culture that it rarely gets named: we study success. We analyze the companies that won, reverse-engineer their decisions, and build analogies and frameworks from their outcomes. We do not study, with anywhere near the same rigor, the companies that failed. The ones that had strong products, capable people, and sound strategies undone by risks they never saw, never measured, and never managed. The graveyard of enterprises that collapsed not from bad ideas but from unmanaged exposure is far larger and far more instructive than the pantheon we study.

The Decision to Not Invest in Risk Management Is a Decision, Too

When an organization chooses not to invest in risk management, or invests just enough to appear compliant, it is making a decision. It is choosing to self-insure against a portfolio of risks it has not identified, not measured, and has no plan to manage.

That decision has a price that gets paid in a form the organization did not choose, at a time it was least prepared for.

The data on how frequently these risks materialize is not ambiguous. In Forrester's 2025 Business Risk Survey of ERM decision-makers across North America, Europe, and Asia Pacific, nearly 75% of enterprises reported experiencing at least one critical risk event in the past year (McKay, Valente, & Scott, 2025). And yet in a survey of 273 U.S. organizations conducted in Spring 2025, targeting CFOs and senior finance leaders, only 32% rated their organization's risk oversight as mature or robust, and just 35% reported having comprehensive ERM processes in place (Beasley & Branson, 2025). The connection between the two is direct: firms without board-level ERM visibility were "20% more likely to suffer six or more critical events" (McKay et al., 2025).

These are not tail events but routine consequences of operating without risk governance.

What the Evidence Shows

The relationship between risk management maturity and financial performance is no longer a theoretical proposition. It is empirically documented across industries, geographies, and enterprise sizes.

Risk maturity produces measurably higher profitability

Ernst & Young's landmark study, Turning Risks Into Results, based on 576 interviews with executives across global companies and a review of more than 2,750 analyst and company reports, found that organizations in the top 20% of risk maturity generated three times the EBITDA of those in the bottom 20% (Ernst & Young, 2012). The study further found that high-maturity organizations produced the strongest growth in revenue, EBITDA, and EBITDA-to-enterprise-value, a pattern that held consistently across sectors.

ERM adoption reduces return volatility and improves operating performance

Eckles, Hoyt, and Miller (2014), in a study published in the Journal of Banking and Finance drawing on insurance industry data, found that firms adopting enterprise risk management experience a measurable reduction in stock return volatility, and that the reduction strengthens over time. Essentially, return on assets relative to return volatility improves after ERM adoption. In plain terms, the enterprise gets more profit out of every unit of risk it carries, because it is managing that risk rather than absorbing it.

A study of 648 firms over an eleven-year period by Gao, Hsu, and Liu (2025), published in Risks, found that ERM implementation is associated with higher financial reporting quality and reduced volatility in both operating cash flows and stock returns (Gao et al., 2025). Enterprises that manage risk well are more predictable, which makes them more valuable to investors, lenders, and strategic partners.

The pattern holds for mid-market enterprises too

The empirical case for ERM is not limited to large, publicly listed firms. Research by Syrová and Špička (2023), reviewing ERM literature on SMEs, consistently shows a positive relationship between ERM adoption and financial performance. It emphasizes the importance of a mature organizational culture and of monitoring strategic risk management performance for success.

The pattern is consistent across enterprise sizes: mature risk management enables better resource allocation, reduces the cost of unexpected disruptions, and supports more confident strategic decision-making.

The Understated Risk Category: People & Culture Risk

The evidence above establishes that risk management maturity drives measurably better financial outcomes. But within the enterprise risk portfolio, there is one category that is simultaneously the largest in financial exposure, the most neglected in formal governance, and the most consequential when it fails. That category is people and culture risk.

People risk is the risk of financial, operational, legal, or reputational loss arising from human capital dependency, individual actions or inactions, knowledge or capability gaps, judgment errors, or misconduct within the organization. Culture risk arises from organizational norms and incentive structures that influence individual and collective behavior and may, over time, embed latent vulnerabilities within the operating environment. Together, they constitute people and culture risk: the exposure an organization carries not from external forces but from the conditions under which its own people operate, decide, and represent the enterprise. It manifests as misconduct that builds into litigation, cultural dysfunction that drives operational failure, ethics breakdowns that trigger regulatory action, systemic conditions at the customer interface that produce reputational or brand damage, and the slow, silent erosion of organizational health that precedes every high-profile collapse.

The financial evidence for treating it with rigor is overwhelming.

The Financial Scale of People & Culture Risk

The financial exposure that people and culture risk generates is measured in the costs the enterprise actually pays when the risk materializes: regulatory penalties, litigation settlements, operational failures, and valuation erosion.

Regulatory exposure is accelerating

India's SEBI BRSR framework requires the top 1,000 listed companies by market capitalization to disclose workforce-related metrics and governance mechanisms. The EU's Corporate Sustainability Reporting Directive (CSRD), through its European Sustainability Reporting Standards (ESRS S1), mandates disclosure on working conditions, social dialogue, and workforce impacts for companies in scope. The Corporate Sustainability Due Diligence Directive (CSDDD) extends liability for adverse human rights and environmental impacts across the value chain. But the regulatory exposure extends well beyond frameworks that explicitly name workforce conditions. For example, data breaches that originate in knowledge gaps, compliance failures that trace back to inadequate training or judgment errors, and operational violations driven by cultural norms that tolerated shortcuts are all penalized under cyber, data protection, financial services, and sector-specific regulations.

These frameworks carry enforcement mechanisms, financial penalties, and reputational consequences. An enterprise that cannot demonstrate structured, auditable governance of these risks is carrying undisclosed regulatory exposure on its books. That exposure grows with every new reporting cycle in which the governance gap persists.

Litigation and legal cost exposure

Misconduct claims, harassment actions, discrimination suits, wrongful termination, and whistleblower complaints are all legal exposures with direct and indirect financial costs, in the form of settlement amounts, legal defense fees, management time consumed by proceedings, and the reputational damage that follows public action. Individual claims routinely cost enterprises between USD 100,000 and several million dollars. Class actions and systemic misconduct cases can reach tens or hundreds of millions.

The critical point is not that these events occur but that in the majority of cases, the organizational conditions that produced them were present and observable for months or years before the formal complaint was filed. The enterprise paid the full cost of the incident because it had no oversight that would have surfaced the conditions at the point where mitigation was still inexpensive.

Operational disruption hits the P&L

When a critical function destabilizes because the culture conditions within it were never surfaced and never governed, the consequences show up directly in operational performance. Execution quality deteriorates as misalignment, lack of accountability, or normalized shortcuts compound unchecked across teams and reporting lines. The conditions required for capability to translate into consistent delivery erode and the enterprise discovers the problem only when commitments are missed and clients begin to disengage. Accounts are lost, the pipeline contracts, and the enterprise's ability to grow is constrained from a position it did not choose and may not have recognized until the revenue impact was already material. When attrition follows, institutional knowledge is lost and execution capacity is further depleted, accelerating damage that was already underway.

This is a hit to the P&L, and it shows up in the numbers that CFOs report to the board. The enterprises that suffer these disruptions often lack oversight that would have surfaced the risk before the disruption occurred.

The market prices governance failure, not just incidents

Investors, lenders, and rating agencies increasingly factor governance quality into valuation. When a people and culture risk event becomes public, whether through regulatory action, a high-profile lawsuit, a whistleblower disclosure, or a media investigation, the valuation impact is disproportionate to the direct cost of the event. The market does not price the settlement. It prices the governance failure that allowed the condition to persist. It reprices the enterprise's entire risk profile, not just the incident in question.

Conversely, an enterprise that can demonstrate structured, board-visible governance of its risk profile is a more predictable enterprise. Predictability reduces the risk premium. It supports higher multiples. It strengthens the case for capital allocation.

The compounding nature of people and culture risk

People and culture risks do not present as isolated incidents. They compound. A compliance gap that is not surfaced becomes a regulatory finding or a breach; a harassment pattern that goes unchecked becomes a class action; an operational team under cultural stress delivers declining quality, which erodes client confidence, which further triggers account losses, which constrains revenue growth. Each stage is an order of magnitude more expensive than the point at which the risk could have been identified.

The ROI of PCRM

The ROI of PCRM is the return the enterprise generates from investing in people and culture risk governance, measured against what that governance costs.

The return has two sides. The first is the downside that it prevents. For example, the regulatory penalty that was not levied because a knowledge gap that could have led to a breach was identified in time and the enterprise addressed it before it became a violation, the operational disruption that did not occur because the cultural conditions in a critical function were surfaced and addressed before the function destabilized, and the reputational crisis that did not erupt because a pattern of customer-facing misconduct was detected and corrected before it became public. The second is the upside that it enables. For example, the strategic decision that was made with confidence because the people and culture risk was measured and managed; the capital that was deployed efficiently on projects, markets, and growth initiatives because the enterprise knew where its people were strong, where they were struggling, and what conditions needed to be addressed before committing resources; the stronger employer brand that attracts higher-quality talent; the deeper stakeholder trust from investors and partners who can see that people and culture risk is governed with rigor; and the improved client confidence that comes from an enterprise whose people consistently deliver because the conditions for consistent delivery are actively maintained.

The downside prevented is directly quantifiable. The upside enabled is harder to measure with the same precision, but no less real in its financial impact. The enterprise that accounts for both will find that the cost of PCRM as a governed discipline is a fraction of the return it generates.

The Three Returns Risk Management Delivers

Organizations that view risk management only as a mechanism to prevent losses are missing the larger picture. There are three distinct categories of return, and most enterprises are only partially accessing even the first.

Return 1: Loss prevention

Loss prevention is the most intuitive return and the hardest to report. When a risk is identified early and mitigated, the incident that would have occurred does not occur. There is no invoice and no line in the P&L. There is nothing to show the board, which is precisely why it is chronically undervalued.

But the scale of the return is visible in the cost of what happens when prevention fails. The global average cost of a data breach reached USD 4.88 million in 2024, with financial services organizations averaging USD 6.08 million (IBM & Ponemon Institute, 2024). The average annual cost of regulatory non-compliance across multinational organizations was USD 14.82 million, 2.71 times the cost of maintaining compliance (Ponemon Institute & Globalscape, 2017). Global supply chain disruptions with worldwide effects now occur approximately every 1.4 years, causing economic damages of up to 5–10% of product costs (Circular Republic et al., as cited in Allianz Commercial, 2025).

Every one of these costs that is reduced through risk management is a return: value preserved that would otherwise have been lost. People and culture risk carries the same kind of exposure: misconduct settlements, regulatory findings, operational failures, and litigation claims that build for years before they surface, among others. When these exposures are reduced by having effective controls in place, the value preserved, or the value destruction averted, is the return.

Return 2: Capital efficiency

A mature approach to risk management does not just prevent losses. It improves how capital is deployed. When an enterprise understands its risk profile clearly, it can make more confident decisions about where to invest, which strategic bets to take, which markets to enter, and which exposures to treat, tolerate, terminate, or transfer. It does not over-insure against risks it has not measured, and it does not avoid opportunities because the uncertainty attached to them has never been quantified.

In the people and culture domain, every capital allocation decision the enterprise makes, be it hiring, restructuring, expansion, product investment, M&A, or any other, carries people and culture risk. When that risk is unmeasured, the enterprise is making those decisions with incomplete information. Capital is committed to initiatives where the people and culture conditions may not support execution, and withheld from initiatives where they would. Understanding the people and culture risk profile improves the quality of every capital decision that depends on people to execute it.

Return 3: Strategic velocity

Every major strategic decision carries risk, be it restructuring, market entry, M&A, leadership succession, product launches, or geographic expansion, among others. When an enterprise cannot quantify the risks attached to those decisions, it is operating on incomplete information. Sometimes that leads to paralysis, where the decision is delayed or avoided because the downside is unknown. Sometimes it leads to overconfidence, where the decision is made without understanding the conditions required for it to succeed. Both outcomes are costly.

An enterprise that understands its people and culture risk profile makes these decisions with the risk measured rather than assumed. For example, restructuring proceeds with clarity on which departments, teams or locations are under stress, acquisition is priced with the integration risk understood, and market expansion is committed to with evidence that the teams expected to deliver it can sustain the execution. The return is not speed for its own sake. It is the quality of the decision and the reduction in expensive surprises that follow decisions made without adequate risk intelligence.

The Actual Cost of Not Doing This

Most risk ROI conversations focus on the upside of investing in risk management. What if we asked, what does the absence of risk management actually cost?

The cost manifests in four ways:

Incident costs

The financial consequence of risk events that were not anticipated and hence not measured and mitigated. Direct costs include breach remediation, litigation settlements, regulatory fines, and cost of rework among others. Indirect costs include reputational damage and the downstream business impact that follows. People and culture risk produces the same categories of incident cost: for example, a harassment case that results in litigation and settlement, a compliance practice that has eroded to the point where it triggers a regulatory fine, a critical function whose output quality has declined to the point where clients disengage, and a pattern of shortcuts that culminates in a product or service failure among others.

Response costs

When risk events occur without warning, the cost of responding is multiples of the cost of preventing. Crisis management fees, accelerated legal costs, emergency operational changes, and executive bandwidth consumed by damage control are all avoidable. Reactive organizations pay them routinely. In the people and culture space, the cost of emergency remediation after a misconduct finding, a regulatory action, or a critical team failure is invariably higher than the cost of investing in PCRM that would have identified the risk earlier.

Opportunity costs

Every decision an enterprise makes has an alternative. When capital, time, and executive attention are committed to an initiative without understanding the risks attached to it, and that initiative fails or underperforms, the enterprise does not just absorb the direct cost of the failure but loses what it could have achieved if those same resources had been committed elsewhere, to an initiative where the conditions for success were understood. That forgone value is the opportunity cost.

Compounding costs

Unmanaged risks do not stay static. For example, a culture risk ignored becomes a governance failure, a compliance gap overlooked becomes a regulatory action, a reputational exposure unmonitored becomes a crisis. Cultural dysfunction in one team spreads through organizational networks, destabilizes adjacent functions, triggers operational failures, and eventually constrains the enterprise's ability to execute its strategy. Each escalation is an order of magnitude more expensive than the point at which it could have been addressed.

The enterprise that is not investing in risk management, including people and culture risk management is not saving the budget it declined to allocate but deferring those costs, with compounding interest, to a future moment it will not have chosen.

Why Most Organizations Still Get This Wrong

The core challenge for any risk management function is proving the value of something that, when it works, produces no visible event. The incident that did not occur, the fine that was not levied, the crisis that was averted: none of these generates a line item. The return is real but invisible in conventional reporting.

People and culture risk faces this same challenge, amplified by two additional ones. The first is structural: where it appears in enterprise risk governance at all, it is treated as operational risk, without the dedicated measurement, mitigation, and reporting that the scale of its exposure warrants. The second is behavioral: unlike financial risk or cyber risk, which are understood as properties of systems and external environments, people and culture risk is about conditions within the organization. This is not an evaluation of individual performance or leadership quality. But because the language of risk applied to people feels evaluative in a way that risk applied to a balance sheet does not, it is harder to raise, harder to discuss with objectivity, and harder to bring to management. This is one of the reasons why the risk category with the largest exposure has the least governance.

When people and culture risk is governed as a discipline, the enterprise does not just reduce its exposure. It strengthens the organization itself. Employees operate in an environment where issues are surfaced and resolved rather than left to fester, which builds trust and retention. Management gains visibility into what is actually happening across teams, functions, and reporting lines through structured measurement, which improves the quality of decisions around hiring, restructuring, resource allocation, and strategic execution. The culture becomes more resilient because problems are identified early and addressed, rather than discovered late and remediated at cost.

Computation of Risk Management ROI

For risk functions that want to change the internal conversation, the shift begins with how risk is reported. A standard risk assessment matrix is useful for prioritization but insufficient for demonstrating return. Computing risk management ROI requires expressing risk in financial terms as well: estimating the gross exposure of each identified risk in monetary terms; tracking what each mitigation action costs in direct spend, indirect costs, and management time; measuring the residual exposure, again in monetary terms, after controls are in place; and reporting the difference as exposure reduced or value preserved. Over time, comparing incident frequency and severity across managed and unmanaged risk categories produces the before-and-after evidence that makes the ROI case auditable and reportable in financial language.
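The computation described above, as an added example that is not part of the original article: each risk carries a gross exposure, a mitigation cost broken out as direct spend, indirect cost and management time, and a residual exposure once controls are in place; the difference is the value preserved, and the portfolio ROI is net value preserved per unit of mitigation spend. A second function tallies incident frequency and mean severity for managed versus unmanaged categories. The choice of likelihood times impact to turn an exposure into a monetary figure is an assumption of this example, not a method the article specifies, and every risk name, probability and amount below is constructed for illustration.

```python
"""Worked ROI model for a risk register (illustrative; not the article's own code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    category: str                  # e.g. "people & culture", "cyber"
    likelihood: float              # assumed annual probability of materializing, 0..1
    impact: float                  # assumed loss if it materializes, in currency units
    direct_spend: float = 0.0      # mitigation cost components, as the article lists them
    indirect_cost: float = 0.0
    management_time: float = 0.0
    residual_likelihood: Optional[float] = None   # after controls; None = unchanged
    residual_impact: Optional[float] = None

    def gross_exposure(self) -> float:
        # Assumed model: monetary exposure = likelihood x impact.
        return self.likelihood * self.impact

    def mitigation_cost(self) -> float:
        return self.direct_spend + self.indirect_cost + self.management_time

    def residual_exposure(self) -> float:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp

    def value_preserved(self) -> float:
        # Exposure reduced by the controls: gross minus residual.
        return self.gross_exposure() - self.residual_exposure()


def portfolio_roi(risks):
    """Return (value_preserved, mitigation_cost, roi) across the register.
    roi = (value preserved - cost) / cost; None when nothing was spent."""
    preserved = sum(r.value_preserved() for r in risks)
    cost = sum(r.mitigation_cost() for r in risks)
    roi = None if cost == 0 else (preserved - cost) / cost
    return preserved, cost, roi


def incident_comparison(incidents):
    """incidents: iterable of (category, managed: bool, loss).
    Returns {category: {"managed": (count, mean_loss), "unmanaged": (count, mean_loss)}}
    so frequency and severity can be compared across managed and unmanaged categories."""
    buckets = {}
    for category, managed, loss in incidents:
        key = "managed" if managed else "unmanaged"
        buckets.setdefault(category, {"managed": [], "unmanaged": []})[key].append(loss)
    report = {}
    for category, groups in buckets.items():
        report[category] = {}
        for key, losses in groups.items():
            count = len(losses)
            report[category][key] = (count, sum(losses) / count if count else 0.0)
    return report


# Constructed sample register (all values are illustrative assumptions).
SAMPLE_RISKS = [
    Risk("customer-facing conduct pattern", "people & culture",
         likelihood=0.30, impact=2_000_000,
         direct_spend=120_000, indirect_cost=30_000, management_time=50_000,
         residual_likelihood=0.05, residual_impact=1_000_000),
    Risk("data-handling training gap", "cyber",
         likelihood=0.20, impact=1_500_000,
         direct_spend=60_000, indirect_cost=10_000, management_time=10_000,
         residual_likelihood=0.08),
]

# Constructed incident history: (category, was the category managed?, loss).
SAMPLE_INCIDENTS = [
    ("people & culture", False, 400_000),
    ("people & culture", False, 250_000),
    ("people & culture", False, 900_000),
    ("people & culture", True, 50_000),
    ("cyber", True, 80_000),
]

if __name__ == "__main__":
    preserved, cost, roi = portfolio_roi(SAMPLE_RISKS)
    for r in SAMPLE_RISKS:
        print(f"{r.name}: gross {r.gross_exposure():,.0f} residual "
              f"{r.residual_exposure():,.0f} preserved {r.value_preserved():,.0f}")
    print(f"portfolio: preserved {preserved:,.0f} cost {cost:,.0f} roi {roi:.2f}")
    print(incident_comparison(SAMPLE_INCIDENTS))
```

Reporting `value_preserved` alongside `mitigation_cost` for each line of the register is what turns the risk matrix into a financial statement the board can audit; the `incident_comparison` output is the before-and-after evidence the section calls for, and a category with no unmanaged history shows up as a zero count rather than being silently dropped.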

Conclusion

The question is not whether you can afford risk management. The question is whether you can afford what replaces it.

Organizations that treat risk management as a mandate spend the minimum necessary to satisfy the requirement. Organizations that treat it as a value driver invest in it proportionally to the exposures they carry and the returns they expect from managing those exposures well.

The evidence is consistent: mature risk management produces higher EBITDA, lower return volatility, more efficient capital deployment, and faster and more confident strategic execution. The organizations capturing those returns are not doing so because they are more risk-averse but because they understand the value of knowing their risk profile well enough, which enables them to take the right risks, at the right scale, at the right time.

The evidence on people and culture risk is equally stark. Regulatory frameworks in every major jurisdiction now mandate disclosure and governance of workforce-related risks, with enforcement mechanisms that carry real financial penalties. Litigation exposure compounds for years before it surfaces as a seven-figure claim, operational disruptions hit the P&L when critical functions destabilize, and valuation erosion prices the governance gap, not just the incident. The financial exposure is enormous. The governance infrastructure in most enterprises is absent. And the returns on building it are measurable.

Among the 273 U.S. CFOs and senior finance leaders surveyed by Beasley and Branson (2025), only 35% reported having comprehensive ERM processes in place. The proportion with formal People & Culture Risk Management as a governed discipline is negligible. For the enterprises willing to close that gap, the opportunity is significant and the evidence for doing so is clear.

Risk management has an ROI. The organizations that identify and measure risk, govern it, and communicate it with rigor will make better decisions and build more resilient organizations.

References

Beasley, M. S., & Branson, B. C. (2025). 2025 state of risk oversight: Key trends in enterprise risk management (16th ed.). AICPA & Enterprise Risk Management Initiative, NC State University. https://erm.ncsu.edu/resource-center/2025-the-state-of-risk-oversight-an-overview-of-enterprise-risk-management-practices-16th-edition/

Circular Republic, Porsche Consulting, Allianz, & Agora Strategy. (n.d.). Supply chain disruption analysis [White paper]. As cited in Allianz Commercial, Allianz Risk Barometer 2025. https://commercial.allianz.com/news-and-insights/reports/allianz-risk-barometer.html

Eckles, D. L., Hoyt, R. E., & Miller, S. M. (2014). The impact of enterprise risk management on the marginal cost of reducing risk: Evidence from the insurance industry. Journal of Banking and Finance, 43, 247–261. https://doi.org/10.1016/j.jbankfin.2014.02.007

Ernst & Young. (2012). Turning risks into results: How leading companies use risk management to fuel better performance. EYGM Limited. https://erm.ncsu.edu/library/article/ey-study-mature-risk-management

Gao, S., Hsu, H.-T., & Liu, F.-C. (2025). Enterprise risk management, financial reporting and firm operations. Risks, 13(3), 48. https://doi.org/10.3390/risks13030048

IBM & Ponemon Institute. (2024). Cost of a data breach report 2024. IBM Corporation. https://www.ibm.com/reports/data-breach

McKay, P., Valente, A., & Scott, C. (2025, June 13). Supply chain, AI, and operational resilience risks dominate ERM programs in 2025. Forrester. https://www.forrester.com/blogs/supply-chain-ai-and-operational-resilience-risks-dominate-erm-programs-in-2025/

Ponemon Institute & Globalscape. (2017). The true cost of compliance with data protection regulations. Ponemon Institute LLC. https://www.globalscape.com/news/2017/12/12/globalscape-inc-and-ponemon-study-finds-data-protection-non-compliance-expenses-45

Syrová, L., & Špička, J. (2023). Exploring the indirect links between enterprise risk management and the financial performance of SMEs. Risk Management, 25(1), 1–27. https://doi.org/10.1057/s41283-022-00107-9