
HOW-TO, UX, UX QUALITY
UX Research As Risk Management: Why We Finally Need To Change Our Language
7 min read, Apr 30, 2026
$440 million. 45 minutes. A software error that went unnoticed—because the trading interface showed no clear warning signs while the system executed massive numbers of erroneous orders. Knight Capital, 2012. The company was effectively insolvent afterward. Technical failure, yes. But one that a better interface could have made visible earlier. And it’s not alone.
In 2020, Citibank accidentally transferred $900 million to lenders—because three employees in the so-called six-eyes protocol (maker, checker, approver) all overlooked the same default value in a confusing interface. The money was largely repaid after years of litigation—but the reputational damage and legal costs remained. In 2018, Hawaii sent an entire population into a panic because a poorly designed alert interface failed to make a sufficiently clear distinction between a test and a real incident—the employee believed they were confirming a test threat.
These are not footnotes. They are evidence for a question we in the UX industry haven’t been asking loudly enough for years: What does it cost to ignore UX?
In this article, I’ll show you why UX research should no longer be communicated as a discipline of empathy—but rather as a risk management tool. And how you can implement this shift in perspective in your next meeting.
📌 Key takeaways
Poor UX isn’t a comfort issue—it creates real strategic, operational, legal, and security risks.
The classic ROI argument looks to the past. The risk argument looks to the future—and carries more weight in decision-making rooms.
Section 91(2) of the German Stock Corporation Act (AktG), introduced by the KonTraG, requires executive boards to identify risks that threaten the company’s existence early on—UX risks may fall under this category.
The EU Product Liability Directive 2024 defines software as a product for the first time: poor UX can legally be considered a product defect.
95% of all cybersecurity incidents are due to human error – poor UX directly amplifies this risk. [IBM, 2014; confirmed by WEF, 2022, and Mimecast, 2024]
UX arguments can be directly translated into business language: loss of revenue, compliance risk, litigation costs.
Allies within the company (Support, Controlling, Legal) make UX arguments unbeatable.
Why hasn’t “Users find this confusing” worked for 25 years?
The honest answer: Not because the argument is wrong. But because it’s formulated in the wrong frame of reference.
In my work as a UX consultant, I experience this regularly. We present heatmaps, user quotes, usability scores. The other party nods—and then asks for the quarterly report. Empathy and risk speak different languages. And in most companies, the budget is controlled by people who speak the language of risk.
This is not a moral failure on the part of management. It is a communication problem on our side.
Four factors exacerbate this:
Focus on empathy rather than consequences – We argue based on what users feel. Decision-makers think in terms of what the company stands to lose.
Lack of numbers – Without quantification, UX remains in the realm of the subjective.
Wrong level of comparison – A heatmap doesn’t compete with a financial report. It needs to become part of a risk report.
ROI as a backward-looking argument – “What would we have gained if...” doesn’t interest anyone who is currently deciding on the next quarter.
What is the difference between ROI and risk-based arguments?
ROI arguments are ex-post: They calculate what a UX investment would have yielded in hindsight. That sounds solid – but is often too abstract and too late for decision-makers.
Risk-based argumentation is ex-ante: It asks what the company loses if it does nothing now. That is forward-looking. That is the language of risk managers, CFOs, and board members.
The difference in practice:
| UX statement (previous) | Business risk (new) |
|---|---|
| “Users find this confusing” | “32% drop-off rate = X € in lost revenue per month” |
| “We need better onboarding” | “Current training costs Y € per employee” |
| “This isn’t accessible” | “Compliance risk: up to Z € in fines under the EAA” |
| “The navigation is unclear” | “Support tickets cost A € per incident × B tickets/month” |
The principle behind this: always quantify impacts in business terms—revenue, costs, compliance, efficiency. These are not retrospective ROI calculations. These are forward-looking risk calculations.
What risks arise from poor UX?
Poor UX is not a single problem—it creates risks across four categories. Here’s an overview you can take directly to your next stakeholder meeting.
Strategic Risks: When UX Becomes a Growth Hindrance
Strategic risks arise when UX is not integrated into business decisions. This manifests in missed market trends due to a lack of research. In revenue declines caused by conversion losses. In reputational damage from poor user experiences shared on social media.
Companies in the top quartile of the McKinsey Design Index grew 32 percentage points faster over five years than their industry peers [McKinsey, 2018]. That’s the upside. The downside—that is, what happens when UX is ignored—is the exact opposite.
Operational Risks: The Invisible Cost Drivers
Operational risks are often the hardest to spot—because they’re accepted as “normal.” Too many support tickets? Business as usual. High training costs for internal tools? Also normal. Yet these are direct consequences of poor UX research.
Specific operational risks caused by poor UX:
Misguided product development due to a lack of research
High training costs for internal applications
Inefficient processes due to inadequate tools
Call center costs that would drop significantly with better UX
UX debt acts here like technical debt—only less visible. Postponed UX fixes lead to rising support costs and falling conversion rates. Compound interest, but for bad experiences.
Legal & Compliance: New laws, new risks
This area is evolving so rapidly that many UX teams haven’t even caught up yet.
GDPR and Dark Patterns:
Manipulative UX patterns in consent workflows lead to GDPR fines of up to 4% of annual revenue. In 2022, the French data protection authority CNIL imposed fines of €150 million and €60 million on Google and Facebook, respectively—in part due to misleading cookie consent designs that made rejecting cookies significantly more difficult than accepting them.
European Accessibility Act (EAA):
Failure to comply with accessibility requirements (BITV 2.0 / EAA) leads to discrimination lawsuits and actively excludes user groups.
EU Product Liability Directive 2024 (PLD) – new and underestimated:
Since the 2024 revision, software is explicitly considered a product. This means: Manufacturers are liable for damages caused by defective software. Poor UX can be classified as a product defect—if it leads to user errors that cause damage. The burden of proof has shifted: Companies must prove that their product is safe. (As of 2024)
This is not a theoretical scenario. This is applicable law.
Industry-specific:
DORA (finance) and NIS2 (critical infrastructure) introduce additional risks for specific industries. The medical technology sector, incidentally, has understood this for some time—IEC 62366 and ISO 14971 make usability an explicit risk mitigation strategy there.
Security UX: When poor UX opens the floodgates
This is the most underestimated connection. According to the IBM Cyber Security Intelligence Index [2014], 95% of all cybersecurity incidents are attributable to human error—a figure independently confirmed by the WEF Global Risks Report [2022] and Mimecast [2024]. Poor UX directly amplifies this risk.
Specifically:
Complex password requirements lead to Post-its on monitors and weak, reused passwords
Friction in MFA (multi-factor authentication) causes users to disable it or choose insecure methods
Frustrating tool experiences drive employees toward shadow IT—that is, unauthorized apps outside of IT control
Security that is too complicated to use will not be used. This is not a behavioral problem on the part of users. It is a UX problem.
The KonTraG Argument: Is UX a Board Duty?
This is where it gets interesting—and sharp.
Section 91(2) of the German Stock Corporation Act (AktG) obliges board members to take appropriate measures to ensure that developments endangering the company’s continued existence are identified at an early stage.
The KonTraG (Act on Control and Transparency in the Corporate Sector) is not a UX law. But UX risks—loss of revenue due to abandoned conversions, damage to reputation, compliance violations, security incidents—can be exactly the kind of development that Section 91(2) refers to.
This is my interpretation, not a codified legal obligation. But as an argument in a board meeting? Very compelling. Anyone who has documented UX risks and been ignored has an escalation path.
In practice, this means: document UX risks, include them in formal risk management documentation, and reference the legal obligation. Who is responsible if an ignored UX risk leads to compliance violations or lost revenue?
How do I get started? Four steps for tomorrow morning
This is the most action-oriented part of this article—for UX professionals who want to implement this right away.
Actively change your language: Take the reframing table above and translate your next UX finding into business language. Not “the navigation is unclear,” but “support tickets cost X € per incident × Y tickets per month.”
Find allies: Support has ticket data. Controlling can quantify costs. Legal knows the compliance risks. IT knows which shadow IT is in use. These departments are natural allies—a joint presentation carries more weight than UX advocacy alone.
Make UX debt visible: Document accumulated UX issues in writing: risk description, potential impact, date of report, response from stakeholders. This isn’t an internal memo—it’s a risk register entry.
Introduce key metrics: Four UX risk metrics that can be directly integrated with Controlling and Risk Management:
Error rate × Cost per error = Total impact of errors
Support tickets × Cost of resolution = Ongoing operational costs due to UX issues
Abandonment rate × Customer Lifetime Value = Revenue risk due to poor UX
Processing time × Working hours × Hourly rate = Loss of productivity
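The four metrics above, carried into a small UX risk register, as an added example that is not part of the article or of Uintent’s material: every figure carries a low/best/high range plus its data source (the explicit caveat a rough estimate needs), entries pair the original UX finding with its reframed business risk, and the register is ranked by exposure and summed. All input numbers are constructed. Two points are our reading rather than the article’s: the abandonment metric applies the rate to a monthly session count to get euros, and “processing time” is taken as the share of working hours lost to the tool.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Estimate:
    """Euro figure with explicit low/best/high bounds and its data source (the caveat)."""
    low: float
    best: float
    high: float
    source: str

    def scaled(self, factor: float, source: str) -> Estimate:
        # All four metrics are products, so scaling each bound by the same
        # non-negative factor keeps low <= best <= high.
        return Estimate(self.low * factor, self.best * factor, self.high * factor, source)


def error_cost(errors_per_month: int, cost_per_error: Estimate) -> Estimate:
    """Error rate x Cost per error = Total impact of errors (EUR/month)."""
    return cost_per_error.scaled(errors_per_month, f"{errors_per_month} errors/month x {cost_per_error.source}")


def support_ticket_cost(tickets_per_month: int, cost_per_ticket: Estimate) -> Estimate:
    """Support tickets x Cost of resolution = Ongoing operational costs (EUR/month)."""
    return cost_per_ticket.scaled(tickets_per_month, f"{tickets_per_month} tickets/month x {cost_per_ticket.source}")


def abandonment_revenue_risk(sessions_per_month: int, abandonment_rate: float, clv: Estimate) -> Estimate:
    """Abandonment rate x Customer Lifetime Value = Revenue risk (EUR/month).
    The article gives rate x value; applying the rate to a session count to get
    euros per month is our assumption."""
    abandoned = sessions_per_month * abandonment_rate
    return clv.scaled(abandoned, f"{abandoned:.0f} abandoned sessions/month x {clv.source}")


def productivity_loss(headcount: int, hours_per_month: float, lost_share: float, hourly_rate: Estimate) -> Estimate:
    """Processing time x Working hours x Hourly rate = Loss of productivity (EUR/month).
    'Processing time' is read here as the share of working hours lost to the tool
    (our reading), summed over the affected headcount."""
    lost_hours = headcount * hours_per_month * lost_share
    return hourly_rate.scaled(lost_hours, f"{lost_hours:.0f} lost hours/month x {hourly_rate.source}")


@dataclass
class RiskEntry:
    """One register line: finding, reframed risk, quantified impact, paper trail."""
    finding: str               # the UX finding in the team's original words
    business_risk: str         # the same finding reframed as a business risk
    monthly_impact: Estimate
    reported_on: date          # when the risk was first reported
    stakeholder_response: str = "no response recorded"

    def render(self) -> str:
        m = self.monthly_impact
        return (f"{self.reported_on.isoformat()} | {self.finding}\n"
                f"  Business risk: {self.business_risk}\n"
                f"  Impact: {m.best:,.0f} EUR/month (range {m.low:,.0f} to {m.high:,.0f}); basis: {m.source}\n"
                f"  Stakeholder response: {self.stakeholder_response}")


def rank_register(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Largest best-estimate exposure first, the order a risk report uses."""
    return sorted(entries, key=lambda e: e.monthly_impact.best, reverse=True)


def register_total(entries: list[RiskEntry]) -> Estimate:
    """One number for the whole register, to sit beside the other risk classes."""
    return Estimate(sum(e.monthly_impact.low for e in entries),
                    sum(e.monthly_impact.best for e in entries),
                    sum(e.monthly_impact.high for e in entries), "sum of all register entries")


def build_sample_register() -> list[RiskEntry]:
    """Constructed sample figures; no real product or company behind them."""
    reported = date(2026, 5, 4)  # constructed date
    return [
        RiskEntry("The navigation is unclear", "Support tickets cost 18 EUR per incident x 240 tickets/month",
                  support_ticket_cost(240, Estimate(12, 18, 25, "Support: handling cost per ticket")),
                  reported, "acknowledged, no budget assigned"),
        RiskEntry("Checkout abandonment at 32%", "32% drop-off = customer lifetime value lost every month",
                  abandonment_revenue_risk(5000, 0.32, Estimate(40, 60, 90, "Controlling: CLV estimate")), reported),
        RiskEntry("Amount field is regularly mis-entered", "Each correction costs finance staff time and rework",
                  error_cost(80, Estimate(50, 120, 300, "Finance: cost per correction")), reported),
        RiskEntry("Internal tool forces manual re-entry of every order", "5% of working hours lost across 40 employees",
                  productivity_loss(40, 160, 0.05, Estimate(45, 60, 80, "HR: loaded hourly rate")), reported),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for entry in rank_register(register):
        print(entry.render())
    total = register_total(register)
    print(f"Total exposure: {total.best:,.0f} EUR/month (range {total.low:,.0f} to {total.high:,.0f})")
```

Run as a script, it prints the register sorted by exposure, each line carrying the date of report and the stakeholder response, which is the paper trail the KonTraG argument relies on. The ranges matter more than the point estimates: a Controlling contact will argue about the best figure, but an entry whose low bound is already six figures a year is hard to wave away.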
In my workshops, I also demonstrate how AI-powered prompts help create quick business impact analyses—without hours of research. Not as a substitute for real UX research, but as a tool to formulate and test risk arguments more quickly.
FAQ:
Does the KonTraG argument really apply to UX?
Section 91(2) of the German Stock Corporation Act (AktG) requires executive boards to identify risks that threaten the company’s continued existence. UX risks—revenue loss, compliance violations, security incidents—may fall under this category. This is an interpretation, not a codified legal obligation. But it’s a solid argument in board discussions, especially if risks were documented and ignored.
How do I quantify UX risks without existing data?
Start with what’s available: support ticket volume, drop-off rates from analytics, onboarding costs. Even rough estimates with explicit caveats are better than no numbers at all. The question “What will an incident cost us if we don’t resolve it?” quickly sharpens awareness.
What is the difference between UX debt and technical debt?
Technical debt is deferred code quality. UX debt is deferred user experience quality. Both grow with compound interest—the longer you wait, the more expensive the fix becomes. The difference: UX debt is usually less visible because it doesn’t appear in systems, but in user behavior.
As a UX professional, do I now have to become a risk manager?
No. But you need to understand the language. You need to know what a risk register looks like, what DORA and NIS2 mean, and how to translate your findings into business terms. This isn’t an expansion of your role—it’s communication competence.
Does the EU PLD 2024 really apply to UX?
The directive defines software as a product and holds manufacturers liable for damages caused by defective software. Whether poor UX qualifies as “defective” depends on the individual case—that’s a legal question. But the direction is clear: interfaces that lead to systematic user errors can become legally relevant. (As of 2024)
Conclusion: UX has a credibility problem—one we must solve ourselves
Not through better slides. Not through prettier heatmaps. But through better arguments.
UX research is not a nice-to-have. It is an early warning system for risks that can cost companies millions—and in some cases threaten their very existence. Knight Capital. Citibank. Hawaii. In each of these cases, poor interface design was part of the problem—even if it was never the sole cause.
The shift in perspective from ex-post to ex-ante, from empathy to risk mitigation, from heatmap to risk register—this is not a capitulation to the business side. It is the courage to step into the rooms where risk managers sit. And that is where we belong.
What’s your next step? Take a recent UX finding from your work and translate it into a business risk. Write down the number. Share it with Controlling or Legal. See what happens.
About the Author
Tara Bosenick is a UX consultant and co-owner of Uintent. Since 1999, she has been helping companies make their products more user-friendly—using sound research methods and a clear eye for what matters most. As a speaker at conferences such as Mensch & Computer and the World Usability Congress, she shares her knowledge of UX and AI. Her workshops on UX-AI prompting and AI integration embody what makes for good UX: clear benefits, direct applicability—and enjoyment of the process.
Tara has been active as a UX specialist since 1999 and has helped to establish and shape the industry in Germany on the agency side. She specialises in the development of new UX methods, the quantification of UX and the introduction of UX in companies.
At the same time, she has always been interested in developing a corporate culture in her companies that is as ‘cool’ as possible, in which fun, performance, team spirit and customer success are interlinked. She has therefore been supporting managers and companies on the path to more New Work / agility and a better employee experience for several years.
She is one of the leading voices in the UX, CX and Employee Experience industry.