Beyond ROI: Measuring Risk Reduction, NPS, and Compliance as Investment Outcomes
Why the most strategically important investment outcomes are the ones most organisations forget to track
The ROI Monopoly
Return on investment has dominated the vocabulary of investment governance for so long that it has become synonymous with investment value. When a board asks whether investments are performing, they are asking about ROI. When a CFO evaluates a fund request, the first metric they examine is the projected ROI. When a post-project review assesses outcomes, the framework is financial: did the investment pay for itself?
This ROI monopoly is not wrong. Financial returns are a legitimate and essential measure of investment performance. But the monopoly creates a blind spot that grows more dangerous as organisations invest in outcomes that do not produce direct, attributable financial returns within the measurement window. Risk reduction. Regulatory compliance. Employee engagement. Customer satisfaction. Operational resilience. Environmental sustainability. Each of these outcomes is strategically critical, measurable, and systematically excluded from the investment performance conversation because it does not fit neatly into an ROI calculation.
The consequence is a portfolio management discipline that measures what is easy and ignores what is important. Financial returns are measured because they are denominated in the same unit as the investment. Non-monetary outcomes are ignored because they require a different measurement framework. The result is not just incomplete measurement. It is distorted governance. Investment decisions are biased toward projects with easily measurable financial returns and away from projects that deliver strategic value in non-monetary forms.
Risk Reduction: The Value of What Does Not Happen
Risk reduction is among the most valuable outcomes an organisation can invest in and the most difficult to capture in a traditional ROI framework. A cybersecurity programme that reduces the probability of a data breach does not generate revenue. It prevents loss. The value is real, potentially hundreds of millions of dollars in avoided breach costs, regulatory penalties, and reputational damage. But the value is probabilistic. It exists in the counterfactual: the bad outcome that did not happen because the investment was made.
This does not mean risk reduction cannot be measured. It means it must be measured in its own terms. Risk scores, vulnerability counts, mean time to detect and respond, audit findings, compliance gap assessments, these are all quantifiable metrics that can be tracked using the same planned-versus-actual framework applied to financial benefits. The fund request defines a target: reduce the organisation’s critical vulnerability count from two hundred to fifty within twelve months. Check-ins record the actual count at each interval. The planned-versus-actual chart shows whether the investment is delivering the risk reduction it promised.
The measurement unit is not dollars. It is vulnerabilities, or risk score points, or audit findings. But the governance framework is identical. The benefit has a target, a baseline, a timeline, an owner, and a check-in cadence. The VRO can review the trajectory. The portfolio owner can see the aggregate risk reduction across the security portfolio. The CFO can assess whether the organisation’s risk investments are performing alongside its financial investments.
Organisations that exclude risk reduction from their benefit tracking system are making a statement, whether they intend to or not, that risk is not a measurable investment outcome. The statement is false. And the organisations that act on it will eventually discover the cost of unmeasured risk the hard way.
Customer Satisfaction: The Leading Indicator Hidden in Plain Sight
Net Promoter Score, customer satisfaction indices, customer effort scores, and retention rates are among the most widely tracked metrics in modern enterprises. They are also among the most widely disconnected from the investment governance process. Organisations invest millions in customer experience programmes and then track the resulting NPS improvement in a completely separate system from the one that tracks whether the investment delivered its committed returns.
This disconnection is inexplicable. A customer experience programme funded through the investment governance process should have a defined NPS improvement target in its benefit commitment. That target should be tracked through the same check-in process, the same planned-versus-actual comparison, and the same governance escalation framework as any financial benefit. The fact that the target is measured in NPS points rather than dollars changes the unit but not the discipline.
Tracking customer satisfaction as a formal investment outcome produces several governance advantages. First, it makes the programme accountable to a specific target rather than a vague aspiration to improve the customer experience. Second, it creates an early warning signal if the investment is not translating into the expected customer impact. Third, it provides the CFO and the board with evidence that customer-facing investments are delivering measurable results, which strengthens the case for continued investment in future cycles.
The leading indicator value of customer satisfaction metrics is particularly important. NPS improvements often precede revenue improvements by several quarters. Tracking NPS as a benefit during execution provides an early signal of whether the revenue impact projected in the business case is likely to materialise. This signal is invisible if customer satisfaction is not part of the benefit tracking framework.
Compliance: The Outcome That Protects Everything Else
Regulatory compliance investments are among the most undervalued in the typical enterprise portfolio. They do not generate revenue. They do not reduce costs in a directly attributable way. What they do is protect the organisation from penalties, sanctions, licence revocations, and operational restrictions that would be catastrophically more expensive than the compliance investment itself.
The challenge with tracking compliance as a benefit is defining the target in measurable terms. Achieve compliance is not a measurable benefit. It is a binary state that does not lend itself to the periodic check-in model. But compliance programmes are composed of specific, measurable milestones: complete the gap assessment, remediate the identified deficiencies, pass the audit, achieve the certification, maintain the score above the threshold.
Each of these milestones can be defined as a non-financial benefit with a target value, a timeline, and an owner. A programme to achieve SOC 2 certification might define three benefits: complete gap assessment by end of quarter one (measured in percentage of assessment domains completed), remediate critical findings by end of quarter two (measured in count of open findings), and achieve certification by end of quarter three (measured as a binary milestone with a target date). Each benefit is tracked through check-ins that record progress against the specific metric.
This approach transforms compliance from a cost centre that is difficult to justify into a tracked investment that demonstrates measurable progress toward a defined outcome. The portfolio owner can see which compliance investments are on track and which are at risk. The CFO can report to the board that the organisation’s compliance investments are delivering against specific milestones. And the next time a compliance programme requests funding, the fund request committee can evaluate it against the delivery track record of previous compliance investments.
Building the Multi-Dimensional Value Picture
The organisations that will manage capital most effectively in the coming decade are those that build a multi-dimensional view of investment value. Financial returns remain the foundation. But layered on top of that foundation are the non-monetary outcomes that protect the organisation, sustain its customer relationships, ensure its regulatory standing, and build the operational capabilities that enable future growth.
Building this multi-dimensional picture does not require a new governance framework. It requires extending the existing framework to accommodate non-monetary measurement units. The benefit definition structure already supports any quantifiable target. The check-in process already captures actual values against plan. The planned-versus-actual comparison already works regardless of whether the unit is dollars, points, scores, or days. The executive dashboard already provides portfolio-level views that can be filtered by benefit type.
The barrier is not technical. It is cultural. Organisations must decide that non-monetary outcomes are worth measuring with the same rigour applied to financial returns. That risk reduction matters enough to track. That customer satisfaction matters enough to commit to a target. That compliance milestones matter enough to report alongside revenue improvements.
The ROI monopoly is not broken by abandoning financial measurement. It is broken by expanding the definition of value to include everything the organisation invests in achieving. When risk reduction, customer satisfaction, compliance, employee engagement, and operational resilience are tracked alongside revenue and cost savings, the portfolio view is complete. The governance conversation is informed. And the organisation’s investments are finally measured by the full breadth of value they were funded to deliver.