AWS Cloud Enterprise Strategy Blog

Techniques for Managing Strategic Risk

This new blog post, by John Naylon, Principal Solutions Architect at AWS, focuses on an important category of risk—strategic risks to a company. He shows why agility is so important in addressing those risks, and how balancing opportunities with risks effectively provides companies with a hedge against risks that can’t otherwise be mitigated.


By John Naylon, Principal Solutions Architect for Telecoms at AWS

Techniques for managing strategic risk

Have you ever observed a company investing in an initiative that seems entirely tangential to their core business and wondered, “Why on earth they would do that?” Rather than being a pet project or a whim, it could be a carefully considered response to a strategic risk. In this post, I’ll describe how familiar tools from operational risk management can be applied to strategic risks.

By definition, a risk involves an element of uncertainty. The uncertainty can be in the probability of an event occurring, or in the magnitude of the event, or in another dimension. Certain risks are common and can simply be insured against; for example, the possibility of a business losing stock due to a warehouse burning down. Some types of insurance can even be mandatory; liability insurance for employers is a common example.

There are, however, categories of risk for which insurance is not possible, meaning that the risk must be mitigated internally by the organization. At the operational end of the spectrum, one example is sales performance risk. Some elements that govern a quarter’s sales performance are within the organization’s control, but others are not; for example, governmental stay-at-home mandates during a pandemic or a customer’s procurement decision making. Avoiding over-concentration on individual customers and good sales pipeline discipline can help to manage the risk of a quarterly sales forecast miss.

At the other end of the spectrum are strategic risks, which are existential in nature for organizations. Strategic risks themselves comprise several types, from the rise of disruptive technologies to loss of pricing power. We might think, for instance, of the invention of digital photography and the effect that had on some film camera companies. Another interesting example, in the telecom infrastructure industry, was the disruptive advent of the Chinese network equipment providers, with radically low pricing and ultra-long payment terms. In this case, macro-political events many years later resulted in some governments requiring network operators to cease using equipment from certain “high risk vendors.” This illustrates that risks can sometimes lie dormant for a substantial period before their impact is felt.

How, then, can a company’s management and board address a risk landscape that contains not just “known unknowns” but “unknown unknowns”? Let’s focus on two specific tools, familiar from operational risk management, that we can also apply to strategic risks: agility and risk-opportunity balance.

At AWS, we often speak about agility, defined by my dictionary as “ability to move quickly and easily.” The term encapsulates many recent trends in product development: agile and lean methodologies, DevOps, iterative development, and rapid product cycle time. The cloud enables agility because it accommodates rapid changes in infrastructure and shifts responsibility for burdensome, non-value-adding tasks to the cloud provider. In a previous blog piece, I described how cloud adoption can prevent companies getting stuck on sub-optimal technology stacks.

How does agility bear on strategic risks in particular? As we described above, strategic risks can arise because the business environment, external to the organization, suddenly changes. An organization’s agility is one factor that enables it to be adaptable, able to respond to these changes. The other, equally necessary factors are to be observant and to be decisive. It is not enough to be able to change without also detecting that it is now advantageous to change, and then quickly deciding upon the optimal changes. But my general observation is that agility is the factor which most consciously needs to be developed—and developed ahead of time. I’m sure the frustrating feeling that “we know what we need to do, but we’re tying ourselves in knots trying to do it” is well known to fellow executives! My colleague, Mark, has previously made the point that the more risk averse a company is the greater its need for agility and enablers like the cloud.

Let’s turn to the other risk management mechanism I mentioned—risk-opportunity balance—and first illustrate it using the operational risk of a quarterly sales forecast miss. To mitigate this with risk-opportunity balancing, I categorize sales opportunities into “on track” (mainstream business with no foreseen barrier to successfully closing in the quarter), “at risk” (previously forecast, but now unlikely to close in the quarter), and “upside” (possible to close in the quarter, but perhaps involving new customers or territories, or product changes, or otherwise somehow outside the mainstream business).

If I find that I need opportunities from the “at risk” category to meet my sales forecast, then I can manage that risk by ensuring that my “upside” category is large enough to balance that risk. This does not need to be a direct, 1:1 relation—prudently, I can recognize that the “upside” opportunities are inherently more uncertain, and balance each “at risk” dollar with two, three, or more dollars of upside. As I scale up the number of opportunities, you can see that this starts to look like a form of self-insurance or hedging; the possibility of defaults in the “at risk” category is “insured” by the mainstream “on track” opportunities and the possible good fortune from “upside.”

How can this be applied to strategic risks? Again we start by identifying a category of risk—let’s say a shift in underlying technology. I can create my own hedge against this risk using countervailing opportunities; in this example I can start running lightweight investigative projects into the near-term alternatives to the technology. These projects are the equivalent to my “upside” sales opportunities. It is not expected that they will all be successful, but they create optionality in the event of the core technology not delivering the required results—or if the goalposts move. Interestingly, it’s often the case that the hands-on engineering teams already know the most promising alternate technologies that they would like to investigate—they just need a green light and some budget to go ahead.

One widely admired example of this approach is the military contractor Lockheed Martin’s famous Skunk Works. As well as being staffed by exceptional aeronautical designers and engineers, this advanced development division is notable for investing its parent company’s own funds into R&D beyond current military demands. During the Cold War, this resulted in the timely availability of stealth aircraft which were able to balance the strategic risk posed by supersonic radar-guided missiles—a high-stakes piece of risk mitigation indeed. So successful has the division been, over many decades, that the term “skunkworks” has entered the vernacular as a description for an autonomous, highly empowered development group.

Looking again at my own industry—telecoms—yields another example. Many mobile operators are exploring the possibilities of “open RAN” architectures. Such an architecture enables the radio access network, or RAN, to be decomposed into smaller components interfaced via standardized sub-interfaces. These components can then be supplied by multiple vendors. Hitherto, the RAN has been purchased as pre-integrated software and specialized hardware from a single vendor. At the time of writing, it is an open question as to whether open RAN can achieve the same price/performance ratio as a traditional RAN. In which case, why invest in this exploration? The answer is that the traditional RAN market is concentrated on a small number of vendors—some of whom fall into the “high risk vendor” category described earlier. The composition of the vendor pool thus represents a strategic risk, and in this light the exploration of an alternative supply chain is a quite logical hedge against that risk.

So, the next time you observe a company running an initiative that seems tangential to their core business, you could ask yourself, “Does this in some way hedge against a strategic risk to the core business? Am I exposed to that same risk, and what am I doing about it?”

What are the strategic risks your organization faces in the next three to five years? Are there potential mitigations that your teams have already conceived that could be cost-effectively developed further in skunkworks mode? Like the old saying about trees, the best time to start is five years ago, but the second best time is now!

About our Guest

John Naylon is a Principal Solutions Architect at AWS, in the Telecom IBU. Before joining AWS, John founded two disruptive startups in the fixed wireless access (FWA) space. This blog was written using a QWERTY keyboard, iconic emblem of the power of path dependence.

Mark Schwartz

Mark Schwartz

Mark Schwartz is an Enterprise Strategist at Amazon Web Services and the author of The Art of Business Value and A Seat at the Table: IT Leadership in the Age of Agility. Before joining AWS he was the CIO of US Citizenship and Immigration Service (part of the Department of Homeland Security), CIO of Intrax, and CEO of Auctiva. He has an MBA from Wharton, a BS in Computer Science from Yale, and an MA in Philosophy from Yale.