So, you have decided to spend $250,000 on security measures. You have done the analysis and you believe the spending is well worth it. You already have the money and some happy salesperson is working on a proposal right now. You don't need risk management because you're close enough to the finish line that all that annoying stuff has been evaded successfully. Only it hasn't…

Assuming you are a conscientious security professional, you actually went through the process of risk assessment and completed it when you decided it was "worth it" to make the purchase. Informal, ad hoc, seat of the pants are all tried and true methods of success in this field.

In fact, you, as conscientious security professional, conducted an informal calculation of the consequences and the probability associated with some negative event that this $250k countermeasure is supposed to eliminate or reduce.

Now, I can't tell you exactly what consequence and probability values you implicitly decided on, but I can tell you that their product must be greater than $250,000. It could have been a 5% chance of losing $5 million or a 50% chance of losing $500,000. Perhaps it was a 1% chance of losing $25 million.

In order to get your money's worth (e.g. ROSI or
return on security investment) that $250,000 must be LESS than the
amount of reduced risk. If you assert otherwise, then it wasn't a good
decision. Let me say that another way – if you tell me I am wrong, then
you are making a poor decision for your organization.