I would like to encourage you all to share your opinions on the top 10 reasons that you feel justify the need for DLP.
From the perspective of a partner, and as the practice lead for DLP, I have been involved in dozens of Risk Assessments. Here are some common things I have found that justify the need for DLP:
1) Misconfigured systems that go undetected. An example that I've seen several times: an encryption gateway allowing sensitive traffic through due to malformed rules.
2) Lack of security awareness for end users means they don't know and/or understand the risks of what they are doing. An example is internal employees chatting with each other over public IM. Users do not realize that even though they may only be a few cubicles away, their IM goes through public (unencrypted) servers on the Internet.
3) Business processes and procedures that are undefined, poorly written or simply not followed. Even with the best of intentions of policies, unless you have some way to enforce said policies, oftentimes they are not followed. When dealing with sensitive information, that can have grave consequences to the organization.
These are just a few VERY common circumstances that I find. The end result:
1) Sensitive information leaving the network unprotected and potential for data breach
2) Potential for reputation hit if data breach occurs
3) Cost of data breach should it occur
There are so many strong reasons for organizations to consider a DLP solution and this merely scratches the surface of those reasons (and examples).