Julian March

Consultant, storyteller, creator

Impact Storytelling and risk: The value of not finding out (5/6)

How to calculate the multiple costs of a single failure, and why prevention is almost always better value.

1 March 2026

Early in my career as a TV producer at Sky News, our Crime Correspondent explained the legal threshold governing everything we broadcast about active criminal trials. The test, he said, was whether reporting created a “substantial risk of serious prejudice” to proceedings.

I’ve never forgotten the phrase. Not because it’s elegant (it isn’t), but because it shows that instead of being binary, risk can sit on multiple continua (assuming that’s the plural of continuum).

When risk materialises, the cost shows up in three places. When most organisations make the case for a compliance or resilience programme, they price in the first cost but sometimes ignore the second and third, which are often a lot bigger.


The direct financial penalty

The most visible cost, and typically the smallest. In a media context, it’s a fine for contempt of court. In 2009, the Daily Mail and The Sun each published photographs of a defendant during an active murder trial, images that showed him holding a gun. Neither intended to prejudice proceedings. Both were found guilty of contempt and fined £15,000 each, plus legal costs.

For a retailer or tech business, the equivalent is a regulatory breach: a GDPR violation, a data security failure, a lapse in financial compliance. The fines are much larger. The UK’s Information Commissioner can levy penalties up to £17.5 million or 4% of global annual turnover, whichever is higher. And that’s before remediation costs or legal fees.

If prejudicial reporting causes a trial to be aborted, cost orders can cover the wasted trial costs, potentially running into hundreds of thousands of pounds. Still, in most sectors, the direct penalty is not the end of it.


The operational consequence

Some failures stop the business working. That’s when the cost compounds fastest.

In April 2025, Marks & Spencer suffered a cyberattack the company attributed to human error. M&S lost an estimated £1.3 million in online sales every day its systems were down. The total financial hit was £300 million in lost operating profit. Cybersecurity experts said the vulnerabilities were largely preventable with stronger basic controls.

Later that year, Jaguar Land Rover suffered what the Cyber Monitoring Centre described as the most financially damaging cyberattack in British history. Production was halted for six weeks, which cost JLR £485 million in a single quarter. The estimated impact on the wider UK economy was £1.9 billion, affecting over 5,000 organisations in the supply chain.

For a media organisation, the operational consequence looks different. A news channel doesn’t go off air because of a contempt finding. But an editorial team consumed by a legal crisis isn’t putting that attention on its coverage. The cost is harder to see on a spreadsheet, but it’s real.


The reputational damage

This is the hardest to quantify in advance, but can be the largest in the long run.

For a commercially funded media organisation, trust is the business model. Viewers who lose confidence in a broadcaster watch less, ratings fall, subscribers cancel, and advertisers withdraw. None of that shows up in a legal bill, but it flows directly into revenue.

In retail, M&S saw consumer spending fall 22% during the cyberattack. Rival Next upgraded its profit forecast four times, explicitly attributing part of the gain to “competitor disruption.” Some of those customers won’t come back quickly. That revenue loss can compound over time.

The reputational cost is the one most likely to be left out of the investment case, precisely because it’s the hardest to model. But your finance audience knows it’s real. Your job is to help them price it in.


A method you can use

The examples above are benchmarks, not predictions. The point isn’t that your business will face a £485 million cyberattack. It’s that you can use the same three-layer structure to model realistic exposure in your own context. Here’s how.

  1. Model the direct penalty. What are the regulatory or legal consequences of a serious failure in your sector? Find the worst credible case, not the worst imaginable one, and express it as a range.

  2. Price the operational consequence. What does your business stop being able to do if a serious incident occurs? What does a day, a week, a month of disruption cost? For a manufacturer, it’s halted production. For a retailer, it’s lost sales. For a professional services firm, it’s advisors who can’t practise. Put a daily number on it, then multiply by a realistic downtime estimate.

  3. Estimate the reputational cost. What does lost trust translate to in your revenue model? For a media business, it’s audience and advertising. For a retailer, it’s customer defection. For a B2B firm, it’s pipeline that quietly dries up. You won’t get this precisely, and you don’t need to. A conservative, defensible estimate is enough. Is a 5% drop in audience or customers a possible impact? If so, what does it look like in revenue terms?

  4. Add the three layers together to get total realistic exposure from a single serious incident. Then divide that number by the annual cost of your compliance or resilience programme. The result tells you how many incidents the programme needs to prevent per year to break even. If total exposure is £1 million and the programme costs £150,000 a year, the break-even point is 0.15 incidents per year, or roughly one every six or seven years. Make that bar visible, and ask your audience whether it’s plausible. The calculation also works the other way. If the total exposure turns out to be modest, it might tell you the proposed programme is too expensive for the risk it’s managing. In that case, the same model helps you work out what a reasonable price for that mitigation actually is.

The numbers make the argument.


Over to you

Where are you carrying risk you haven’t fully priced? Legal exposure, cyber vulnerability, a flaw in a process or the threat of a human error that keeps the executive team awake but hasn’t made it into the budget conversation?

I spent twenty years in senior leadership roles at Sky, ITV, NBC News and Future Plc before becoming a Consulting Partner at Positive Momentum, where I help organisations in financial services, sustainability and technology with strategy, storytelling and change. Impact Storytelling is one of the things I do.
