Risk management is _supposed_ to avoid or mitigate threats to "business as usual." If an organization has a viable plan, you can expect it to
(a) protect people
(b) reduce the amount of damage from an event
(c) reduce the amount of time recovering from an event
(d) have in-place processes and procedures to maintain at least a "minimum level of service" while recovering
(d1) place to work
(d2) communications with outside world
(d3) work-arounds for missing resources or alternate resources
(e) provide directions (better, scripts) to deal with various general and specialized media
(f) policies & procedures to help avoid legal actions down the road
Of course it's hard, almost impossible, to identify costs/savings to the smallest unit of currency, but management _should_ have some idea, however gross, of the cost of doing business.
AS ADDITIONAL BENEFITS, a good risk management program can
(1) help streamline, or identify unnecessary, processes
(2) help identify where insurance coverage can be reduced (savings) or needs to be increased (transferring risk)
(3) THE BIG ONE - enhance the organisation's image to staff, lenders, general public
One final thought - the longer an organization fails to meet its service level agreements, the less confidence investors have in the organization.
I know this doesn't provide any hard figures or a formula to figure the value of a viable risk management program, but it's about as close as I can get.