Strategic Risk Management: Complete Overview (With Examples)
As businesses continue to operate in an increasingly competitive and uncertain environment exacerbated by threats to their operations, such as cyberattacks, supply chain disruptions, and climate catastrophes, strategic risk management has become a key factor in ensuring an organization's success.
According to Racounteur 85% of business leaders feel they are operating in a moderate to high-risk environment, and 79% of boards believe that improved risk management will be critical in enabling their organization to protect and build value in the next five years.
It is clear that organizations need to be prepared for the different types of strategic risk coming their way and have strong strategic risk management in place to not only reduce the impact on their operations but even take advantage of the context and transform it into an opportunity.
In this article, we'll dive into the world of strategic risk, the different types of strategic risks, and how to manage them to reduce the chances of disruption. We'll also give you real-life examples and a ready-to-use, free Risk Management Template to help your business be in control and start your journey toward effective strategic risk management.
What Is Strategic Risk?
Strategic risk is the probability of the organization’s strategy failing. It is an estimation of the future success of the chosen strategy. Since strategy is a set of clear decisions, strategic risk reflects the aggregate of the risks of those decisions.
At its core, strategic risks affect an organization's overall strategy. It can sometimes be difficult to spot and manage.
This means that particularly at an executive level, leaders and teams need to be able to look for strategic risks and, instead of categorizing them as things to hedge or mitigate, develop the acumen to ask the appropriate questions:
- Are we going to resist this, avoid it, or maybe push it away?
- Or do we embrace it, use it as an indicator for the market and take it as an opportunity for a strategic change?
🤓Want to learn more? Download our FREE Strategic Risk Guide (PDF) with examples, definitions, and a clear framework to help you and your organization better manage strategic risk.
What Is Strategic Risk Management?
Strategic risk management is the process of recognizing risks, identifying their causes and effects, and taking the relevant actions to mitigate them. Risks arise from inside and outside factors such as manufacturing failures, economic changes, shifts in consumer tastes, etc.
Strategic risk can disrupt a business’s ability to accomplish its goals , break out in the market or even survive. Effective, efficient management puts the power in leaders’ hands to avoid potential obstacles to success and maximize their performance.
Why Is Strategic Risk Management Important?
Organizations that fail to do proper risk management face significant threats. At times, they face existential threats. Kodak was a pioneer in the photography space (they actually filed a patent for one of the first digital cameras), but they lost the digital camera race . Blockbuster made $6 billion in revenue at its peak, but there is only one store left in the world ! MySpace was once one of the dominant social networks until Facebook came along .
You could argue that these companies failed to innovate. Maybe, but they also failed to evaluate the threat properly and the risk involved in not dealing with it.
Every great company takes risks.
Smartphones, eReaders, car-sharing services, even natural cleaning products — so much of what we as consumers now take for granted was a brave step, once upon a time. But Apple , Amazon , Zipcar, and Method didn’t launch their category-defining products overnight.
These organizations safeguarded their success with a strong risk management strategy. They knew what success would look like, which factors could cause them to fail, what failure could cost them, and how they would respond to obstacles in their path.
Managing strategic risk is an essential activity for all businesses, whether you’re launching an innovative solution to market or just trying to stay ahead of the competition.
Understanding the dangers (however small) and their potential impact (however minor) empowers leaders at different levels to make smart, well-informed decisions.
But that’s easier said than done. Risk management is a dynamic process - it shifts focus as internal and external influences change. It also requires joined-up thinking and communication across an organization.
If you’re tasked with strategic planning and execution within your business, it can seem like an insurmountable task. Yet, armed with the right information, you can help ensure that your organization achieves its goals.
The Two Kinds Of Strategic Risk Factors
One of the first things you need to do to better manage risks is learn to identify them. There are mainly 2 kinds of strategic risk factors that you should look out for.
1. Internal strategic risk factors
Every business has strategic objectives and established routines.
Strategic risk relates to the dangers companies face in trying to accomplish their strategic objectives. Even though your plan might seem viable and on track for success, analyzing the strategic risks involved can help organizations identify obstacles (or opportunities)—and address them before it’s too late.
Strategic risks relate to a business’s internal choices, such as product development routines, advertising, communication tools, sales processes, investments in cutting-edge technologies, and more. These examples all directly impact function, performance, and overall results.
2. External strategic risk factors
Some strategic risks originate outside the company.
These could apply to the current or projected environment into which products will be released.
It’s often easier to understand strategic risk through real-world examples. For instance, a new type of smartphone might be in high demand today, but economic changes could lead to a drop in commercial interest, leaving the business in a totally different position than it might have expected.
Or a competitor may release a groundbreaking product or innovative service that fills the gap first, creating significant risk to the success of a strategy.
And let’s not forget that technology’s swift evolution could cause a new product to become obsolete within a few months—I’m sure that the manufacturers of wired headphones felt their stomachs drop when they saw Apple had cut the headphone jack.
These types of risks pose a real danger to companies. Investing in a business model with little chance of achieving the envisioned success can lead to severe financial strain, loss of revenue, and damage to reputation.
And none of these are easy to recover from.
Strategic Risk Assessment: How To Identify Strategic Risks?
Recognizing and taking action on strategic risks is vital to mitigate costly problems.
In your strategic risk management toolkit, you’ll need two essentials:
- An in-depth understanding of where your organization stands . This includes your target audience, market sector, competitors, and the environment in which your business operates.
- A clear awareness of your organization’s core strategic goals , from conception to proposed execution .
Gathering data on both areas can take time and investment, but it’s worthwhile to achieve accurate insights into strategic risks.
The more information you have to draw upon, the more likely it is that you’ll be able to implement processes and safeguards that facilitate organizational success.
Teams have a choice of different approaches when identifying strategic risks.
Initiate “What if” discussions
Gather employees from across the business to explore ‘what-if’ scenarios .
By mind mapping risk factors collaboratively —with a mix of perspectives and experiences from different departments—Heads of Strategy, Change Managers, and Business Analysts may discover risks they wouldn’t have thought of on their own.
All potential risks are worth considering, no matter how unlikely they may seem at first. That’s why participants should be encouraged to let their minds wander and suggest virtually any viable risk that occurs to them.
It’s best to have a long list that can be reduced through elimination: underestimating risks can lead to businesses being unprepared down the line.
📚 Recommended reading: Risk Matrix: How To Use It In Strategic Planning
Gather input from all stakeholders
Speak with the whole range of stakeholders and consider their views on strategic risks.
If you consult a wide enough group, you’ll gather expanded perspectives about your organization or issues and not just the ones from your core employees.
Collecting a wide range of perspectives creates a holistic view of risk factors which can prove hugely beneficial when trying to understand the dangers the organization faces.
Their broad awareness of how the company operates can raise unexpected possibilities that need to be factored in.
Strategic Risk Examples
The specific strategic risks relevant to your business will largely depend on your industry, sector, product range, consumer base, and many other factors. That being said, there are some broad types of strategic risk, each of which should be on your radar.
Let’s demonstrate the importance of regulatory risks with an example.
Imagine an organization working on a new product or planning a fresh service set to transform the market. Perhaps it spots a gap in the industry and finds a way to fill it, yet needs years to bring it to fruition.
However, in this time, regulations change and the product or service suddenly becomes unacceptable. The company can’t deliver the result of its hard work to the target audience, risking a substantial loss of revenue.
Fortunately, the organization had prepared for unexpected regulatory change. Now, elements of the completed project can be incorporated into another or adapted to offer a slightly different solution.
The lesson here?
It’s vital for companies to stay updated on all regulations relevant to their market and be aware of upcoming changes as early as possible.
Most industries are fiercely competitive. Companies can lose ground if their market rivals release a similar product at a similar or lower cost. Pricing may even be irrelevant if the product is suitably superior.
Competitor analysis can help mitigate this strategic risk: businesses should never operate in a vacuum.
📚 Recommended read: 6 Competitive Analysis Frameworks: How to Leave Your Competition In the Dust
Economic risks are harder to predict, but they pose a real danger to even the most well-realized strategy. For example, economic changes can lead a business’s target audience to lose much of its disposable income or scale back on perceived luxuries.
Customer research is imperative to stay aware of what target audiences desire, their spending habits, lifestyles, financial situations, and more.
Change risks refer to the challenges that arise from changes in technology, market trends, consumer preferences, or industry standards.
For instance, a company heavily invested in a particular technology may face significant risks if a disruptive innovation renders their current technology obsolete. Having a strong change management strategy to adapt to change and embracing innovation are key strategies to mitigate this risk.
Reputational risks arise when a company's actions or associations damage its brand image and public perception. Negative publicity, customer dissatisfaction, product recalls, or ethical controversies can all contribute to reputational risks.
Safeguarding the company's reputation through transparent communication, ethical practices, and proactive crisis management is crucial.
Governance risks refer to the effectiveness and integrity of a company's management and decision-making processes. Weak corporate governance, lack of oversight, non-compliance with regulations, or unethical behavior by key executives can lead to significant strategic risks.
Establishing robust governance frameworks, maintaining transparency, and fostering a culture of accountability are essential to mitigate these risks.
Political risks stem from changes in government policies, regulations, or geopolitical events. These risks can impact businesses operating domestically or internationally. Political instability, trade restrictions, sanctions, or changes in tax policies can disrupt operations and affect profitability.
Companies must closely monitor political developments and have contingency plans to navigate such risks effectively.
Financial risks involve challenges related to capital management, funding, cash flow, and financial stability. Factors such as market volatility, credit risks, liquidity constraints, or inadequate financial planning can expose a company to strategic risks.
Implementing sound financial strategies, conducting risk assessments, and maintaining a healthy balance sheet are crucial in managing these risks effectively.
Operational risks are inherent in day-to-day business activities and processes. These risks encompass issues such as supply chain disruptions, equipment failures, cybersecurity breaches, human errors, or natural disasters.
Ensuring robust operational processes, implementing contingency plans, and investing in risk mitigation measures can help minimize the impact of operational risks.
Managing Strategic Risk Vs. Operational Risk
Strategic risks and operational risks are two distinct kinds. While strategic risks originate from both internal and external forces, operational risks stem solely from the internal processes within a business and they stand to disrupt workflow.
However, the biggest difference between them is the level of the decisions they reflect.
Strategic risks reflect the risk of the decisions at a higher level, where the overall strategic plan is considered. The operational risks reflect the risk of the decisions at a lower level, the operational level, where the execution of the strategic plan is outlined.
Simply put, strategic risk is about what you do, and operational risk is how you do it.
Operational risks examples
Operational risks are critical to consider and must be dealt with as soon as possible. They directly impact a business’s work and can tie in with strategic risks, as the resources, processes, or staff available may be unable to achieve the established goals.
One example of operational risk is outdated machinery. They can cause a slowdown in production, delay completion, and ultimately damage employee morale. In this case, the operational risk might stem from what appears to be a non-critical problem but has the potential to drag productivity down to rock bottom. So the decision of whether to upgrade the machinery should be considered.
Another example of operational risk is a company’s current payroll system. Let’s say they outsource to a small team with a weak reputation purely because it’s a cheaper alternative to working with a more reliable payroll solution . But this option could create a higher risk of late payments, processing errors, or other issues with the potential to frustrate the company’s most valuable asset: its employees.
Risk Mitigation Strategies
Implementing effective risk mitigation strategies is essential for businesses to navigate uncertainties and protect their long-term success. By identifying potential risks and proactively addressing them, companies can minimize the impact of adverse events and capitalize on opportunities for growth.
Discuss opportunities and risks separately
This is something that needs to happen before the risk identification process. Mixing in the same conversation potential opportunities and their risks handicaps the opportunity conversation.
You want your people to free their minds, brainstorm ideas, and locate all possible growth and incremental opportunities. Don’t allow that process to shrink and miss out on great opportunities. Discuss risks in a different meeting on a different day.
Distribute resources at the operational level
Once you have decided on your company’s strategy, you’ll have to align every department and person with it.
Allocate your resources in a way that serves your overall strategy to succeed. That means starving certain departments or regions to feed the ones that contribute the most to your strategic objectives.
Mitigating strategic risks is often nothing more than focusing on a great execution of your strategic plan.
Align your incentive structure
Focus on execution takes another form besides resource redistribution.
You have to visit and align with your strategic objectives the incentive structure of your top and middle management. This is a crucial step in executing your strategy because it eradicates internal conflicts.
If your leadership team is rewarded according to an older strategic plan, don’t expect them to take care of your new plan’s risks. They simply won’t have the incentive to do so.
Strategy Risk Management Examples
Let’s examine two specific real-life examples of strategic risk. One that happened a little while ago, and one that is still happening now.
Complacency vs Disruption
Before Netflix, HBO Go, Amazon Prime, Disney + , and all the other streaming platforms, people used to go to Blockbuster.
In its prime, Blockbuster had over 9,000 locations around the world and became synonymous with movie rental. It had a huge slice of the market share and looked pretty peachy until the late nineties. Until 1997, when a little company called Netflix came knocking.
At the time, Netflix didn't stream. It simply delivered rentals in the mail for a set fee each month. There were no late fees (which was one of the biggest gripes from Blockbuster customers), and movie delivery was very convenient.
Netflix was a pretty obvious strategic risk to Blockbuster, which needed to manage it somehow. This could also be seen as a clear opportunity for Blockbuster since they were in a position to buy Netflix but refused to do so.
Yes, Blockbuster passed on the $50 Million deal with Netflix and sealed its fate in the process.
This story is still in development, so who knows how it will end.
Uber is known as the company that shook the cab industry around the world, but things are still changing. Uber is a tech company and understands that change happens, and risk evolves faster than ever before.
This is why they began investing in self-driving technology early on. At first glance, this seems counter-intuitive since moving in this direction could really upset the thousands of Uber drivers out there, but Uber gets it.
They know that if they do nothing, someone else will sweep in and, soon enough, turn Uber into another Blockbuster story.
Uber is a great example of strategic risk management since they not only have to manage things like implementing self-driving cars, but they have also had to navigate through complex regulatory risks in multiple countries.
They have also faced issues around customer safety, assaults, and constant battles with all kinds of protests and regulatory issues.
How To Measure Strategic Risk
So now you know the strategic risks your organization faces, you need a quantifiable figure to measure them. We suggest the following metrics and tools:
This relates to the amount of equity a business needs to cover any unplanned losses, according to a standard of solvency (based on the organization’s ideal debt rating).
This metric allows businesses to quantify all types of risks related to launching new products, acquiring enterprises, expanding into different territories, or internal transformation . Then, it can take the necessary actions to mitigate against it.
RAROC: Risk-Adjusted Return On Capital
This applies to the expected after-tax return on a scheme once divided by the economic capital.
Companies can leverage this metric to determine if a strategy is viable and offers value, helping to guide leaders’ decision-making process. Any initiative with a RAROC below the capital amount offers no value and should be scrapped (sorry!).
Businesses on all scales can utilize both metrics to measure strategic risk, but the stakes will be different for a small enterprise than for a global corporation. The former may never recover from a bad investment, while the latter has a higher chance of weathering the storm.
As a result, companies may use a decision tree to map the possible outcomes of a decision. This enables teams to determine which choices yield which results and prepare for all eventualities. Specific turning points can be identified and handled appropriately.
The 7-Step Strategic Risk Management Framework
Now you have all the information, you need to capture it in one place: the strategic risk management framework . This is where you bring together all the resources (employees, technologies, capital, etc.) required to mitigate losses caused by internal or external forces.
Exactly how your framework is structured is your choice, but the following is a great strategic risk management step-by-step approach:
- Understand where you are right now . You could use a SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis, for example. Here you need to know where your organization is, your vulnerabilities, and what threats you face in the market.
- Define your strategy and goals . This is where you clearly outline the strategy for your organization. Check out our free, ready-to-use strategic planning templates to build or revisit your strategy.
- Choose your key performance indicators (KPIs) . These can be used to measure success, monitor changes, and explore improvement opportunities over time.
- Identify risks that can affect productivity and performance in the future. These factors may not be as apparent as others. For example, consumers’ changing tastes can be hard to predict but still have the potential to knock plans off the rails.
- Assess your risks and define priorities . You can use a Risk Assessment Matrix that will help you score potential risks based on the probability and the impact on the business.
- Identify KRIs (key risk indicators) to gauge your business's tolerance to obstacles . Be sure to look ahead at issues that may lurk around the corner, and determine the right time to put mitigating actions into effect.
- Continually monitor KPIs, KRIs, and their internal processes to chart progress . Are problems being resolved fast enough? Are target customers’ needs being addressed? Are all essential programs and processes in place? The aim is to stay on track and adapt to ensure you achieve your objectives.
Implement A Long-term Strategic Risk Management Strategy
Managing strategic risk is an ongoing process.
It enables organizations to minimize their danger of experiencing severe losses and, ultimately, failure. It doesn’t guarantee every project will be a success (far from it!), but it will provide all the necessary tools to make better decisions in the long run.
Remember to take your time, even if there’s market pressure to act fast. Trying to rush this process could lead to missed threats or opportunities in your risk analysis. Stay on top of your strategic risk management well into the future, that’s the key to organizational success.
Execute An Effective Risk Management Strategy With Cascade 🚀
Cascade is the world’s #1 strategy execution platform, remediating the chaos of running a business to help you move forward. Cascade serves as your organization's brain, offering a unified platform that spans your entire ecosystem. With Cascade, you can gain a clear picture of potential threats and create a strong risk management strategy to proactively address them.
Signal risks before they happen
Once you've identified your risks, Cascade enables you to seamlessly incorporate them into your strategic plan, ensuring alignment throughout your organization.
Adding risks is very simple:
- Give the risk a meaningful title, and a description.
- Define the likelihood (probability of the event to happen on a scale of 1 to 10)
- Define the impact (impact of the risk on the outcome on a scale of 1 to 10)
Based on these factors, Cascade automatically calculates and displays a Risk Score (Likelihood * Impact) to assess the severity of each risk, guiding your decision-making process.
Cascade empowers you to take proactive measures by adding mitigations to each identified risk. Mitigations are steps that can be implemented to avoid or minimize the occurrence and impact of risks. With a few clicks, you can expand the risk and add relevant mitigations.
As you progress with each mitigation, you can mark its completion using the checkboxes. Cascade keeps track of the number of completed mitigations, providing visibility into your progress.
Report your risks’ progress
Cascade offers a comprehensive risk reporting functionality to ensure that you stay informed about the progress of your risk management strategy. You can easily create detailed risk reports containing essential information such as risk title, owners and collaborators, risk type, status, mitigation status, and risk score. These reports can be saved and shared with stakeholders, enabling effective communication and collaboration.
Create a risk dashboard
Leverage Cascade's Risk Distribution Scatter Plot widget , available in Dashboards or Reports, to visually represent the count of risks within specific entities (e.g., objectives, measures, projects, or actions). The widget provides valuable insights into likelihood, impact, and risk scores, enabling you to monitor and analyze risks effectively.
👉🏼For more detailed information on our Risk Management features, visit our Knowledge Base .
8 Free Strategic Risk Management Templates To Get You Started!
Don’t know where to start? Check out these free strategy templates built by our experts to kickstart your risk management journey:
- Risk Management Strategy Template
- Regulatory Risk Management Plan Template
- Financial Risk Management Plan Template
- Compliance Risk Management Plan Template
- Enterprise Risk Management Plan Template
- Risk Mitigation Plan Template
- Risk Assessment Plan Template
- Risk Response Plan Template
Ready to up your Risk Management Strategy? Get started with a free plan in Cascade or book a demo with one of our strategist experts to help you develop your strategy.
Strategic Control Simplified: A 6-Step Process And Tools
Organizational Strategy: How To Keep It On Track (+ Templates)
Build A Digital Transformation Roadmap Step-By-Step + Free Template
4 PMO Templates And Tools To Deliver Your Portfolio Value
Your toolkit for strategy success.
Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.
If an unforeseen event catches your organization unaware, the impact could be minor, such as a small impact on your overhead costs. In a worst-case scenario, though, it could be catastrophic and have serious ramifications, such as a significant financial burden or even the closure of your business.
To reduce risk, an organization needs to apply resources to minimize, monitor and control the impact of negative events while maximizing positive events. A consistent, systemic and integrated approach to risk management can help determine how best to identify, manage and mitigate significant risks.
At the broadest level, risk management is a system of people, processes and technology that enables an organization to establish objectives in line with values and risks.
A successful risk assessment program must meet legal, contractual, internal, social and ethical goals, as well as monitor new technology-related regulations. By focusing attention on risk and committing the necessary resources to control and mitigate risk, a business will protect itself from uncertainty, reduce costs and increase the likelihood of business continuity and success. Three important steps of the risk management process are risk identification, risk analysis and assessment, and risk mitigation and monitoring.
Risk identification is the process of identifying and assessing threats to an organization, its operations and its workforce. For example, risk identification may include assessing IT security threats such as malware and ransomware, accidents, natural disasters and other potentially harmful events that could disrupt business operations.
Risk analysis involves establishing the probability that a risk event might occur and the potential outcome of each event. Risk evaluation compares the magnitude of each risk and ranks them according to prominence and consequence.
Risk mitigation refers to the process of planning and developing methods and options to reduce threats to project objectives. A project team might implement risk mitigation strategies to identify, monitor and evaluate risks and consequences inherent to completing a specific project, such as new product creation. Risk mitigation also includes the actions put into place to deal with issues and effects of those issues regarding a project.
Risk management is a nonstop process that adapts and changes over time. Repeating and continually monitoring the processes can help assure maximum coverage of known and unknown risks.
There are five commonly accepted strategies for addressing risk. The process begins with an initial consideration of risk avoidance then proceeds to three additional avenues of addressing risk (transfer, spreading and reduction). Ideally, these three avenues are employed in concert with one another as part of a comprehensive strategy. Some residual risk may remain.
Avoidance is a method for mitigating risk by not participating in activities that may negatively affect the organization. Not making an investment or starting a product line are examples of such activities as they avoid the risk of loss.
This method of risk management attempts to minimize the loss, rather than completely eliminate it. While accepting the risk, it stays focused on keeping the loss contained and preventing it from spreading. An example of this in health insurance is preventative care.
When risks are shared, the possibility of loss is transferred from the individual to the group. A corporation is a good example of risk sharing — a number of investors pool their capital and each only bears a portion of the risk that the enterprise may fail.
Contractually transferring a risk to a third-party, such as, insurance to cover possible property damage or injury shifts the risks associated with the property from the owner to the insurance company.
After all risk sharing, risk transfer and risk reduction measures have been implemented, some risk will remain since it is virtually impossible to eliminate all risk (except through risk avoidance). This is called residual risk.
Risk management standards set out a specific set of strategic processes that start with the objectives of an organization and intend to identify risks and promote the mitigation of risks through best practice. Standards are often designed by agencies who are working together to promote common goals, to help to ensure high-quality risk management processes. For example, the ISO 31 000 standard on risk management is an international standard that provides principles and guidelines for effective risk management.
While adopting a risk management standard has its advantages, it is not without challenges. The new standard might not easily fit into what you are doing already, so you could have to introduce new ways of working. And the standards might need customizing to your industry or business.
Manage risk from changing market conditions, evolving regulations or encumbered operations while increasing effectiveness and efficiency.
Speed insights, cut infrastructure costs and increase efficiency for risk-aware decisions with IBM RegTech.
Simplify how you manage risk and regulatory compliance with a unified GRC platform fueled by AI and all your data.
Better manage your risks, compliance and governance by teaming with our security consultants.
Identify IT security vulnerabilities to help mitigate business risks.
Create a smarter security framework to manage the full threat lifecycle.
Understand your cybersecurity landscape and prioritize initiatives together with senior IBM security architects and consultants in a no-cost, virtual or in-person, 3-hour design thinking session.
Understand your cyberattack risks with a global view of the threat landscape
Discover how a governance, risk, and compliance (GRC) framework helps an organization align its information technology with business objectives, while managing risk and meeting regulatory compliance requirements.
Find out how threat management is used by cybersecurity professionals to prevent cyber attacks, detect cyber threats and respond to security incidents.
The Cost of a Data Breach Report explores financial impacts and security measures that can help your organization avoid a data breach, or in the event of a breach, mitigate costs.
Keep up to date with the latest strategies from our expert writers.
Strategic Risk Management: A Primer for Directors
Matteo Tonello is managing director of corporate leadership at the Conference Board. This post is based on an issue of the Conference Board’s Director Notes series by Mark L. Frigo and Richard J. Anderson, director and professor of strategic risk management, respectively, at DePaul University. This Director Note was based on a book authored by Dr. Frigo and Mr. Anderson, available here .
As noted by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “In the aftermath of the financial crisis, executives and their boards realize that ad hoc risk management is no longer tolerable and that current processes may be inadequate in today’s rapidly evolving business world.”  However, especially for nonfinancial companies that may be relatively new to these topics, enhancing risk management can be a somewhat daunting task.
This article focuses on two key aspects of the relationship between risk and strategy: (1) understanding the organization’s strategic risks and the related risk management processes, and (2) understanding how risk is considered and embedded in the organization’s strategy setting and performance measurement processes. These two areas not only deserve the attention of boards, but also fit closely with one of the primary responsibilities of the board — risk oversight.
The Advent of Strategic Risk Management
Enterprise risk management (“ERM”) and risk management in general can encompass a wide range of risks that face any organization. Some risks may reflect exposures that, although harmful, will not threaten the overall health of an organization or its ability to ultimately meet its business objectives. For example, a temporary data center outage can result in a short-term problem or customer dissatisfaction, but once recovered, the organization can quickly be back on track. Other more significant risk events can be catastrophic, resulting in losses that can not only impair an organization’s ability to meet its objectives, but may also threaten the organization’s survival. The recent credit crisis is an example of this type of risk. These more significant risk exposures have given rise to a focus on “strategic risks” and “strategic risk management.” “Strategic risks” are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” then can be defined as “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action when risk is actually realized.” Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that merits the time and attention of executive management and the board of directors.
Standard & Poor’s included the following attributes for strategic risk management in its 2008 announcement that it would apply enterprise risk analysis to corporate ratings:
Management’s view of the most consequential risks the firm faces, their likelihood, and potential effect; The frequency and nature of updating the identification of these top risks; The influence of risk sensitivity on liability management and financial decisions, and The role of risk management in strategic decision making. 
Clearly the potential impact of strategic risks is significant enough to deserve the attention of the board and its directors.
Strategic Risk Management and the Role of the Board
At the board level, strategic risk management is a necessary core competency.  In Ram Charan’s book, Owning Up: The 14 Questions Every Board Member Needs to Ask, one of the questions posed is “Are we addressing the risks that could send our company over the cliff?”  According to Charan, boards need to focus on the risk that is inherent in the strategy and strategy execution:
Risk is an integral part of every company’s strategy; when boards review strategy, they have to be forceful in asking the CEO what risks are inherent in the strategy. They need to explore ‘what ifs’ with management in order to stress-test against external conditions such as recession or currency exchange movements. 
Regarding risk culture, Charan provides the following insight: “Boards must also watch for a toxic culture that enables ethical lapses throughout the organization. Companies set rules—but the culture determines how employees follow them.”  We believe that corporate culture plays a significant role in how well strategic risk is managed and must be considered as part of a strategic risk assessment.
Understanding an Organization’s Strategic Risks and Related Risk Management Processes
A necessary first step for boards to understand their strategic risks and how management is managing and monitoring those risks is a strategic risk assessment. A strategic risk assessment is a systematic and continual process for assessing the most significant risks facing an enterprise.  It is anchored and driven directly by the organization’s core strategies. As noted in a 2011 COSO report, “Linkage of top risks to core strategies helps pinpoint the most relevant information that might serve as an effective leading indicator of an emerging risk.” 
Conducting an initial assessment can be a valuable activity and should involve both senior management and the board of directors. Management should take the lead in conducting the assessment, but the assessment process should include input from the board members and, as it is completed, a thorough review and discussion between management and the board. These dialogues and discussions may be the most beneficial activities of the assessment and afford an opportunity for management and the directors to come to a consensus view of the risks facing the company, as well any related risk management activities.
The strategic risk assessment process is designed to be tailored to an organization’s specific needs and culture. To be most useful, a risk management process and the resultant reporting must reflect and support an enterprise’s culture so the process can be embedded and owned by management. Ultimately, if the strategic risk assessment process is not embedded and owned by management as an integral part of the business processes, the risk management process will rapidly lose its impact and will not add to or deliver on its expected role.
The Strategic Risk Assessment Process
There are seven basic steps for conducting a strategic risk assessment:
1 Achieve a deep understanding of the strategy of the organization The initial step in the assessment process is to gain a deep understanding of the key business strategies and objectives of the organization. Some organizations have welldeveloped strategic plans and objectives, while others may be much more informal in their articulation and documentation of strategy. In either case, the assessment must develop an overview of the organization’s key strategies and business objectives. This step is critical, because without these key data to focus around, an assessment could result in a long laundry list of potential risks with no way to really prioritize them. This step also establishes a foundation for integrating risk management with the business strategy. In conducting this step, a strategy framework could be useful to provide structure to the activity.a
2 Gather views and data on strategic risks The next step is to gather information and views on the organization’s strategic risks. This can be accomplished through interviews of key executives and directors, surveys, and the analysis of information (e.g., financial reports and investor presentations). This data gathering should also include both internal and external auditors and other personnel who would have views on risks, such as compliance or safety personnel. Information gathered in Step 1 may be helpful to frame discussions or surveys and relate them back to core strategies. This is also an opportunity to ask what these key individuals view as potential emerging risks that should also be considered.
3 Prepare a preliminary strategic risk profile Combine and analyze the data gathered in the first two steps to develop an initial profile of the organization’s strategic risks. The level of detail and type of presentation should be tailored to the culture of the organization. For some organizations, simple lists are adequate, while others may want more detail as part of the profile. At a minimum, the profile should clearly communicate a concise list of the top risks and their potential severity or ranking. Colorcoded reports or “heat-maps” may be useful to ensure clarity of communication of this critical information.
4 Validate and finalize the strategic risk profile The initial strategic risk profile must be validated, refined, and finalized. Depending on how the data gathering was accomplished, this step could involve validation with all or a portion of the key executives and directors. It is critical, however, to gain sufficient validation to prevent major disagreements on the final risk profile.
5 Develop a strategic risk management action plan This step should be undertaken in tandem with Step 4. While significant effort can go into an initial risk assessment and strategic risk profile, the real product of this effort should be an action plan to enhance risk monitoring or management actions related to the strategic risks identified. The ultimate value of this process is helping and enhancing the organization’s ability to manage and monitor its top risks.
6 Communicate the strategic risk profile and strategic risk management action plan Building or enhancing the organization’s risk culture is a communications effort with two primary focuses. The first focus is the communication of the organization’s top risks and the strategic risk management action plan to help build an understanding of the risks and how they are being managed. This helps focus personnel on what those key risks are and potentially how significant they might be. A second focus is the communication of management’s expectations regarding risk to help reinforce the message that the understanding and management of risk is a core competency and expected role of people across the organization. The risk culture is an integral part of the overall corporate culture. The assessment of the corporate culture and risk culture is an initial step in building and nurturing a high performance, high integrity corporate culture.
7 Implement the strategic risk management action plan As noted above, the real value resulting from the risk assessment process comes from the implementation of an action plan for managing and monitoring risk. These steps define a basic, high-level process and allow for a significant amount of tailoring and customization to reflect the maturity and capabilities of the organization. As shown by Figure 1, strategic risk assessment is an ongoing process, not just a one-time event. Reflecting the dynamic nature of risk, these seven steps constitute a circular or closed-loop process that should be ongoing and continual within the organization.
Integrating Strategic Risk Management in Strategy Setting and Performance Measurement Processes
The second step for an organization is to integrate strategic risk management into its existing strategy setting and performance measurement processes. As discussed above, there is a clear link between the organization’s strategies and its related strategic risks. Just as strategic risk management is an ongoing process, so is the need to establish an ongoing linkage with the organization’s core processes to set and measure its strategies and performance. This would include integrating risk management into strategic planning and performance measurement systems. Again, the maturity and culture of the organization should dictate how this performed. For some organizations, this may be accomplished through relatively simple processes, such as adding a page or section to their annual business planning process for the business to discuss the risks it sees in achieving its business plan and how it will monitor those risks. For organizations with more developed performance measurement processes, the Kaplan- Norton Strategy Execution Model described in The Execution Premium may be useful.  This model describes six stages for strategy execution and provides a useful framework for visualizing where strategic risk management can be embedded into these processes.
Stage 1: Develop the strategy This stage includes developing the mission, values, and vision; strategic analysis; and strategy formulation. At this stage, a strategic risk assessment could be included using the Return Driven Strategy framework to articulate and clarify the strategy and the Strategic Risk Management framework to identify the organization’s strategic risks.
Stage 2: Translate the strategy This stage includes developing strategy maps, strategic themes, objectives, measures, targets, initiatives, and the strategic plan in the form of strategy maps, balanced scorecards, and strategic expenditures. Here, the strategic risk management framework would be used to develop risk-based objectives and performance measures for balanced scorecards and strategy maps, and for analyzing risks related to strategic expenditures.  At this stage, boards may also want to consider developing a risk scorecard that includes key metrics.
Stage 3: Align the organization This stage includes aligning business units, support units, employees, and boards of directors. The Strategic Risk Management Alignment Guide and Strategic Framework for GRC (Governance, Risk and Compliance) would be useful for aligning risk and control units toward more effective and efficient risk management and governance, and for linking this alignment with the strategy of the organization. 
Stage 4: Plan operations This stage includes developing the operating plan, key process improvements, sales planning, resource capacity planning, and budgeting. In this stage, the strategic risk management action plan can be reflected in the operating plan and dashboards, including risk dashboards. One organization we worked with developed a “resources follow risk” philosophy to make certain that resources were appropriately and efficiently allocated. This philosophy focused on ensuring that resources used in risk management are justified economically based on the relative amount of risk and cost-benefit analysis.
Stage 5: Monitor and learn This stage includes strategy and operational reviews. “Strategic risk reviews” would be part of the ongoing strategic risk assessment, which reinforces the necessary continual, closed-loop approach for effective strategy risk assessment and strategy execution.
Stage 6: Test and adapt This stage includes profitability analysis and emerging strategies. Emerging risks can be considered part of the ongoing strategic risk assessment in this stage. The strategic risk assessment can complement and leverage the strategy execution processes in an organization toward improving risk management and governance.
For more information about integrating risk management in the strategy execution model and a discussion of risk scorecards, see “Risk Management and Strategy Execution Systems.” 
Final Thoughts: Moving Forward with Strategic Risk Management
Management teams and boards must challenge themselves and their organizations to move up the strategic risk management learning curve. Developing strategic risk management processes and capabilities can provide a strong foundation for improving risk management and governance. Boards may want to consider engaging independent advisors to advise and educate themselves on these matters. For organizations that are early in this process, the seven keys to success for improving ERM as described in a 2011 COSO Thought Leadership Paper may be useful, and are applicable in strategic risk management:
- 1. Support from the top is a necessity
- 2. Build ERM using incremental steps
- 3. Focus initially on a small number of top risks
- 4. Leverage existing resources
- 5. Build on existing risk management activities
- 6. Embed ERM into the business fabric of the organization
- 7. Provide ongoing ERM updates and continuing education for directors and senior management 
However the board decides to proceed, their leadership, direction, and overall oversight will be critical to the success of a strategic risk management process.
 “Effective Enterprise Risk Oversight: The Role of the Board of Directors,” COSO 2009, p. 1. (go back)
 “Enterprise Risk Management, Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings” Standard & Poor’s press release, May 7, 2008 (www.standardandpoors.com). (go back)
 Mark L. Frigo, “Strategic Risk Management: The New Core Competency,” Balanced Scorecard Report, 11, no. 1, January–February 2009. (go back)
 Ram Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask (San Francisco: John Wiley & Sons 2009). (go back)
 Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask, p. 23. (go back)
 Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask, p. 28. (go back)
 Mark L. Frigo and Richard J. Anderson, “Strategic Risk Assessment: A First Step for Improving Risk Management and Governance,” Strategic Finance, December 2009. (go back)
 Mark S. Breasley, Bruce C. Branson and Bonnie V. Hancock, “Developing Key Risk Indicators to Strengthen Enterprise Risk Management,” COSO, 2011 p.2. (go back)
 Robert S. Kaplan and David P. Norton, The Execution Premium (Cambridge, MA: Harvard Business Press, 2008). (go back)
 Mark L. Frigo and Richard J. Anderson, “Strategic Risk Management: A Primer for Directors and Management Teams,” 2012. (go back)
 Mark L. Frigo and Richard J. Anderson, “A Strategic Framework for Governance, Risk and Compliance,” Strategic Finance, February 2010. (go back)
 Robert S. Kaplan, “Risk Management and Strategy Execution Systems,” Balanced Scorecard Report, Vol. 11, No. 6, November-December 2009. (go back)
 Mark L Frigo and Richard J. Anderson, “Embracing Enterprise Risk Management: Practical Approaches for Getting Started,” COSO, 2011. (go back)
ERM and SRM should consider integrating with the Competitive Intelligence process. This will guarantee proficiency in Collection and Strategy development and Integration.
Integration of CI into this process will increase to identify risks in advance. I have written about it three years ago.
[…] full article via Strategic Risk Management: A Primer for Directors — The Harvard Law School Forum on Corporate Gove…. Share OptionsPrintEmailMoreFacebookLinkedInStumbleUponTwitterPinterestRedditDiggTumblrLike […]
Subscribe or Follow
Program on corporate governance advisory board.
- William Ackman
- Peter Atkins
- Kerry E. Berchem
- Richard Brand
- Daniel Burch
- Creighton Condon
- Arthur B. Crozier
- Renata J. Ferrari
- John Finley
- Carolyn Frantz
- Bruce H. Goldfarb
- Joseph Hall
- Jason M. Halper
- David Millstone
- Theodore Mirvis
- Maria Moats
- Erika Moore
- Morton Pierce
- Philip Richter
- Paul K. Rowe
- Marc Trevino
- Steven J. Williams
- Daniel Wolf
HLS Faculty & Senior Fellows
- Lucian Bebchuk
- Robert Clark
- John Coates
- Stephen M. Davis
- Allen Ferrell
- Jesse Fried
- Oliver Hart
- Howell Jackson
- Kobi Kastiel
- Reinier Kraakman
- Mark Ramseyer
- Robert Sitkoff
- Holger Spamann
- Leo E. Strine, Jr.
- Guhan Subramanian
Strategic Risk Management
What is strategic risk management (srm).
Strategic risk management is the process by which the strategy of an organisation (or a strategic programme) is formally accessed for any risks that might affect them.
You can deliver a project or programme on time, to budget and meet all your declared programme objectives; likewise, all your business operations could be functioning as expected. But if your overall business strategy is ultimately incorrect, the business will be deemed a failure.
Strategic risk management looks at current strategic market trends. It then tries to predict the risks that your current business strategy might face in the future as a result of these strategic trends.
Why is strategic risk management important?
Strategic risks are, by definition, the risks of you not achieving your business strategy. This means that a business which fails to deal with its strategic risks faces failure if those risks eventually materialise.
For example, if a core part of your business’s strategy is introducing a new product to the market, that strategy will be deemed a failure if the market no longer wants that product. And this applies no matter how you define your “customers”.
Few businesses take the time to assess their exposure to strategic risk appropriately — even though it takes relatively little effort to perform a strategic risk assessment and the payback can be huge.
What type of risk is ‘strategic’ risk?
Any risk that is considered to be threatening to an organisation’s strategic objectives is considered a strategic risk.
Strategic risk is sometimes confused with operational risk. Good operational risk management means doing things in the right way. While having good strategic risk management means doing the right things in the first place.
In the example above, your business strategy might be to introduce a new product into the market and the development and delivery of the project might have gone exceptionally well. This suggests good project and operational risk management. But if you introduce the product at a time when the market no longer wants it, then that product would still be deemed a failure and the strategy has failed.
In this case, the blame would be down to poor strategic decisions based on a failure to use appropriate strategic risk management to identify and manage the threats.
Strategic risks essentially come from three directions:
- Internal risks identified at board level (or equivalent)
- External risks identified (typically) by external industry experts
- Escalated risks ie programme and project risks that potentially impact overall business strategy
What is the relationship between SRM and enterprise risk management (ERM)?
ERM is a process implemented by an organisation’s board of directors to identify the risks and manage risks to be within its risk appetite while pursuing its objectives, across the entire business. It is a broad planning process that encompasses internal strategic decision making.
SRM, on the other hand, is a critical part of the overall ERM process. It looks both internally and externally, as good strategy execution depends on external market circumstances as much as it does on internal competencies.
The strategic risk management process: How do organisations manage strategic risk?
There are a number of steps an organisation can take to successfully minimise strategic risk:
- A good start would be to capture a suitable statement of the overall business strategy. This should be done by the board of directors and needs to be as specific and as quantifiable as possible.
- Establish key performance indicators (KPIs) to help you measure forthcoming results. Failure to meet — or success of — these KPIs will provide a road map for progress in the future.
- Establish key risk indicators (KRIs). These are the opposite of KPIs and are proactive rather than reactive. KRIs anticipate risk events that may happen in the future.
- Once the business strategy, KPIs and KRIs are made clear, they should then be suitably communicated from the board members to at least two levels down within the organisation, or even the whole organisation if you are dealing with a small or medium-sized businesses.
- The directors should then break down the business strategy into approximately 10-20 assumptions i.e. “What are the key things that need to happen in order to deliver the strategy?”. Then each assumption can be tested for its susceptibility to risk. Looking at assumptions and not ‘risks’ removes much of the negative psychology associated with risk management. Assumption analysis is also a core component of ABCD risk management, which can be applied to strategic risk management.
- Bring in an external perspective. The process of capturing assumptions is often one which is internal to the company or organisation in question. As a result, the risk managers or risk management team may be “too close” to the risks to notice them. An external perspective can help with decision-making and prevent possible risk oversight.
- Market trends for specific products being offered.
- Competitors’ likely strategy, including pricing policy changes. Socio-political shifts or external crises which may impact your business strategy.
- Macro or microeconomic trends.
Struggling with strategic risk management implementation? We can help.
In order to be successful, every business strategy needs testing against the dynamic of their marketplace.
We work by identifying the key assumptions underpinning a strategy through a series of interviews or workshops with senior management and industry experts to build a strategic risk profile.
After this initial analysis, a number of discrete scenarios can then be developed. Then, using the ABCD-based approach, we analyse each of the assumptions in each of the scenarios. This presents a clear picture of the risks and their potential impact on each scenario, which allows us to adjust the business strategy-setting to prevent the risks from happening, or develop a contingency plan to manage them.
An ABCD-based risk analysis approach can also highlight some of the potential reasons why key assumptions underpinning a strategy may be unstable that may not have been obvious before.
5 Steps to Effective Strategic Risk Management
Mike Rost SVP, Investor Relations and Corporate Development
Strategic risk management is a crucial, but often overlooked, aspect of enterprise risk management (ERM) . Traditionally, ERM has focused on financial and operational risk. However, the fact is that strategic risk is far more consequential .
Harnessing the Power of Technology in ERM Download white paper
What is strategic risk?
Simply put, strategic risks are risks that a company takes that could potentially result in a major loss.
A company that has superior and unmatched manufacturing processes will still fail if their consumers no longer want their products. This was the lesson that was learned by even the most efficient buggy whip makers once Henry Ford introduced his Model T in 1908. Cellphone handset manufacturers faced a similar crisis when the Apple® iPhone® arrived on the scene.
Identifying strategic risks enables organizations to develop an effective strategic risk management strategy to effectively combat the root cause and mitigate risk due to competition, market or industry changes, and other external risks such as changes in customer demand.
What is strategic risk management?
Strategic risk management is the process of identifying, quantifying, and mitigating any risk that affects or is inherent in a company’s business strategy, strategic objectives, and strategy execution. Types of strategic risks may include:
Shifts in consumer demand and preferences
Legal and regulatory change
Senior management turnover
As industry expert James Lam says, strategic risk is the big stuff, and prioritizing strategic risk management means sweating the big stuff first. In other words, an effective strategic risk management framework will prioritize understanding the risks that your business faces to take the necessary steps to protect your assets and your business.
Strategic risk is a bell curve
Like any risk, strategic risk falls along a classic bell curve, with results along the x-axis and likelihood along the y-axis. The expected result of a given risk strategy would represent the peak of this curve. Most strategic risk planning considers only this peak while ignoring the slopes to either side.
But imagine two strategic risk initiatives, each with a similar expected result. One falls along a narrow, steep curve, indicating a low risk of failure and little upside opportunity. The other is represented by a wider bell, with greater chances of both under- and over-performance. Which to choose? The answer depends on an individual company’s appetite for risk.
Strategic risk management: shifting the curve
Now imagine a third curve with that same expected result. This one rises steeply from the left but slopes more gently downward on the right. Here, downside risk has been minimized, and upside opportunity increased. That is the goal of strategic risk management: to shape the curve in a way that favors success.
How do you measure and manage strategic risk?
As the saying goes, you can't manage what you can't measure.
In order for us to understand how to manage strategic risk, we must first take a look at how to measure it. A key tenet of enterprise risk management (ERM) is measuring risk with the same yardsticks used to measure results. In this way, companies can calculate how much inherent risk their initiatives contain, monitoring risks to inform key business decisions.
Strategic risk can measured with two key metrics:
Economic capital is the amount of equity required to cover unexpected losses based on a predetermined solvency standard. This standard is usually derived from the company's target debt rating. Economic capital is a common currency with which any risk can be quantified. Importantly, it applies the same methodology and assumptions used in determining enterprise value, making it ideal for strategic risk.
Risk-adjusted return on capital (RAROC) is the anticipated after-tax return on an initiative divided by its economic capital. If RAROC exceeds the company's cost of capital, the initiative is viable and will add value. If RAROC is less than the cost of capital, it will destroy value.
Five steps for Effective Risk Mitigation Strategies
Managing strategic risk involves five steps which must be integrated within the strategic planning and execution process in order to be effective:
Define business strategy and objectives. There are several frameworks that companies commonly use to plan out strategy, from simple SWOT analysis to the more nuanced and holistic balanced scorecard. The one thing that these frameworks have in common, however, is their failure to address internal and external risk. It is crucial, then, that companies take additional steps to integrate risk management at the planning stage by using a risk management framework, which is a template and guideline used by companies to identify, eliminate and minimize risks.
Establish key performance indicators (KPIs) to measure results. The best KPIs offer hints as to the levers the company can pull to improve them. Thus, overall sales makes a poor KPI, while sales per customer lets the company drill down for answers.
Identify risks that can drive variability in performance. An effective risk strategy will identify the unknowns, such as future customer demand, that will determine results.
Establish key risk indicators (KRIs) and tolerance levels for critical risks. Whereas KPIs measure historical performance, KRIs are forward-looking leading indicators intended to anticipate potential roadblocks. Tolerance levels serve as triggers for action.
Provide integrated risk reporting and monitoring. Finally, companies must monitor results and KRIs on a continuous basis in order to mitigate risks or grasp unexpected opportunities as they arise.
Strategic risk represents the greatest dangers—and opportunities—your company faces. By taking steps to mitigate risk at the enterprise level, companies can shape their future success while minimizing downside exposure.
To learn more, download Strategic Risk Management: The Next Frontier for ERM .
Apple and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries.
Editor's note: This blog post was originally published February 14, 2017, and has been updated.
Read an analysis of features to evaluate when choosing an ERM solution.
SVP, Investor Relations and Corporate Development
As senior vice president of corporate development and investor relations, Mike Rost is a key contributor to the organization's growth with a focus on corporate development initiatives, emerging business areas, and developing relationships with investors and key stakeholders. Since joining Workiva in 2015, he has served in various leadership roles helping to drive the organization's growth, including the scaling of Workiva’s marketing and partner & alliance functions.
With more than 25 years of experience assisting organizations to optimize business processes, Mike has an extensive background in finance, accounting, enterprise performance management and Governance, Risk and Compliance (GRC) technology. Prior to Workiva, Mike served as vice president of marketing at Metricstream and vice president of strategic marketing at Thomson Reuters. Prior to that, he spent more than a decade in product management and marketing positions for SaaS companies and held finance positions at Pillsbury and Rollerblade, Inc.
Mike has been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). He was also a founding member of XBRL International (eXtensible Business Reporting Language), the global not for profit consortium for open international standards for digital business reporting. He has also been a frequent speaker at industry conferences on subjects such as finance transformation, data and reporting, and risk and compliance technology. He received his Bachelor of Science in Economics and his MBA from the University of Minnesota.
You May Also Like
How KBR Makes Informed, Transparent Risk-Based Business Decisions
With hundreds of active projects and multiple business units, KBR was looking for a solution to replace paper processes and empower leaders. Learn why they chose Workiva’s flexible GRC platform.
Workiva Amplify ‘22 Recap: Betting Big on Tomorrow
Accounting for war: the impacts of ukraine, grabbing risk by its horns | best practices for sox, audit, risk, and compliance, tips for laying your corporate governance foundation, online registration is currently unavailable..
Please email [email protected] to register for this event.
Our forms are currently down.
Please contact us at [email protected]
9 Strategic Risk Examples and How to Successfully Tackle Them
What is meant by strategic risk? Strategic risk examples encompass many different risks ' and depending on the nature of your business, you may face any or all of them. Understanding the types of strategic risk you face is fundamental to your ability to tackle them as part of your broader governance, risk and compliance (GRC) strategy.
Whether you are a chief risk officer and strategic risk falls firmly within your orbit, or whether as CFO, CEO or general counsel, you take more holistic responsibility for your organization's risk strategy. Understanding and mitigating risk at a strategic level will be a priority.
In today's hyper-connected world, the risk evolves faster than businesses can devise strategies to tackle it. Being familiar with different strategic risk examples can help you get ahead of the curve, helping you identify the types of strategic risk your organization faces and the tactics you can put in place to respond.
Understanding the Different Types of Strategic Risk
'Strategic risk' is a term that's often bandied about. But what does the phrase mean in practice? What types of risk are defined as 'strategic?' How do you identify strategic risks? What are the examples of strategic risks you might face in your organization? What are the types of strategic risk you should prioritize in your risk mitigation strategy?
Strategic risk is a category of risk; alongside operational, financial, regulatory and other business risks, it forms part of the umbrella of risks your organization faces.
When we look at strategic risk examples, they are generally defined as those that threaten a business's ability to set and implement its chosen strategy.
They may be external; events like the Covid-19 pandemic are the perfect example here.
They may be 'self-inflicted,' brought about via an organization's own strategy and decision-making. An example of this would be the accelerating digital transformation of businesses, which has delivered many positives but has also exposed new types of risk.
Exploring Strategic Risk Examples
Regulatory and legislative drivers relating to governance, risk and compliance strategies more generally are also prompting businesses to focus on strategic risk. At the same time, a spotlight has been thrown on strategic risk via growing awareness of the close ties between risk, compliance and business value .
This evolution of risk has led organizations to try and bring some structure to their mitigation strategies by categorizing and prioritizing the risks they face. Let's look at some of the examples of strategic risks you might face.
Some sources distill strategic risks into five types, sometimes called the 'five sources of strategic risk.' However, these aren't always consistent, however, look up several different sources, and you will find a variety of risks listed among the 'five types.'
Our list of strategic risk examples below therefore includes more than five.
What Are the 9 Examples of Strategic Risk?
Among the types of strategic risk you should have on your radar are:
- Competitive risk. The risk is that you fall behind your competitors as they innovate and improve their offerings faster than you.
- Change risk. The digital transformation risk we cited above is a prime example of this ' the inherent risks of introducing any change program.
- Disrupt your business
- Create new responsibilities
- Demand new technologies (and therefore linking back to change risk)
- Distract your business leaders from their operations as their time is abstracted to put in place new governance processes and control measures
- Reputational risk . The risk that your corporate standing is threatened. The potential causes of this are legion, from regulatory compliance breaches to shareholder activism or poor performance in public ratings, such as those used to measure ESG performance .
- Political risk. The potential for political change, or the political landscape overall, to disrupt your business. For example, through volatility in a country within your supply chain .
- Governance risk. The risk brought about by poor governance, risk and compliance processes within your organization.
- Financial risk. Risks relating to the financial health of the organization. This differs from...
- Economic risk. This refers to the broader economic landscape and its potential to affect the success of your business strategy.
- Operational risk. The risk is that your operations and business processes are not up to standard.
Many of these examples of strategic risk are inter-connected. For instance, if you face operational risks around the efficacy and rigor of your processes, this is likely to expose you to financial or regulatory risk. Similarly, if you fail to tackle governance risks, you may well encounter reputational risk.
The intertwined nature of the types of strategic risk emphasizes how important it is to take an integrated approach to address them.
How to Tackle the Different Types of Strategic Risk
Amongst all these strategic risk examples, there are positives. The linkages that cause one risk to increase the chances of another can also work to your advantage. Take a coordinated, integrated stance on one aspect of strategic risk, and your performance in others should also improve. As companies refine their approaches to risk mitigation, they become better able to recognize these connections. As a result, they can approach risk strategically, capitalizing on synergies for a more robust result.
Below we also set out some specific tips that can help you tackle the different strategic risk examples:
- Competitive risk. Remaining competitive means understanding your competition; data is key here, and technology can be your friend in enabling you to provide your board with the competitive intelligence they need .
- Change risk. Here, good governance is the secret. Put governance at the heart of your change programs and reduce the risks they bring while enhancing their benefits.
- Regulatory risk. Keeping on top of the latest developments in the fast-moving regulatory landscape is vital here ' you can't meet expectations if you're not aware of them. Ensure you keep abreast of the news and trends in risk and compliance .
- Reputational risk. Bolster your GRC processes , and you have a better chance of swerving the risks that can derail your brand.
- Political risk. There is less you can do here, although ensuring you build sustainable supply chains rooted in countries where political volatility is less of a threat can help make your operations more resilient.
- Governance risk. As with change risk, robust governance processes and controls are essential to reducing risk here.
- Financial risk. While some financial risks come from external factors, improving your ability to measure, monitor and respond to the business risks you face, if done successfully, should minimize the financial threats that fall within your wheelhouse.
- Economic risk. Sustainable supply chains can help here, reducing the threat from economic instability in countries you source from. And, again, keeping pace with external events that can affect your risk profile is vital.
- Operational risk. One of the areas you have the most control over, introducing agility , rigor and structure to your operations can significantly reduce your risk across all areas of your organization.
Understand and Respond to All Types of Strategic Risk
Hopefully, this article has given you a deeper understanding of the types of strategic risk you face, some examples of strategic risk that bring this to life. It has also provided insights into how you can tackle different strategic risks.
Remaining on the front foot in terms of upcoming legislation, economic trends and governance best practice can really make the difference ' amplifying your ability to be proactive in the face of changing risks.
Diligent's regular GRC Newsletter summarizes the latest insights, exploring strategic risk examples and mitigation strategies in-depth and, as a result, enabling organizations to develop successful enterprise governance risk and compliance programs. You can sign up to receive the newsletter here .
The Rising Tide of ESG – Navigating the Road Ahead
The Board's Role in Leading and Enabling GRC
Board and Executive Collaboration: Components of a Secure Platform for the Evolving Workplace
- SUGGESTED TOPICS
- The Magazine
- Managing Yourself
- Managing Teams
- Work-life Balance
- The Big Idea
- Data & Visuals
- Reading Lists
- Case Selections
- HBR Learning
- Topic Feeds
- Account Settings
- Email Preferences
Managing Risks: A New Framework
- Robert S. Kaplan
- Anette Mikes
Risk management is too-often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.
In this article, Robert S. Kaplan and Anette Mikes present a categorization of risk that allows executives to understand the qualitative distinctions between the types of risks that organizations face. Preventable risks, arising from within the organization, are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, unethical, or inappropriate actions and the risks from breakdowns in routine operational processes. Strategy risks are those a company voluntarily assumes in order to generate superior returns from its strategy. External risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. Risk events from any category can be fatal to a company’s strategy and even to its survival.
Companies should tailor their risk management processes to these different risk categories. A rules-based approach is effective for managing preventable risks, whereas strategy risks require a fundamentally different approach based on open and explicit risk discussions. To anticipate and mitigate the impact of major external risks, companies can call on tools such as war-gaming and scenario analysis.
Smart companies match their approach to the nature of the threats they face.
Editors’ note: Since this issue of HBR went to press, JP Morgan, whose risk management practices are highlighted in this article, revealed significant trading losses at one of its units. The authors provide their commentary on this turn of events in their contribution to HBR’s Insight Center on Managing Risky Behavior.
When Tony Hayward became CEO of BP, in 2007, he vowed to make safety his top priority. Among the new rules he instituted were the requirements that all employees use lids on coffee cups while walking and refrain from texting while driving. Three years later, on Hayward’s watch, the Deepwater Horizon oil rig exploded in the Gulf of Mexico, causing one of the worst man-made disasters in history. A U.S. investigation commission attributed the disaster to management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.” Hayward’s story reflects a common problem. Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.
In this article, we present a new categorization of risk that allows executives to tell which risks can be managed through a rules-based model and which require alternative approaches. We examine the individual and organizational challenges inherent in generating open, constructive discussions about managing the risks related to strategic choices and argue that companies need to anchor these discussions in their strategy formulation and implementation processes . We conclude by looking at how organizations can identify and prepare for nonpreventable risks that arise externally to their strategy and operations.
Managing Risk: Rules or Dialogue?
The first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face. Our field research shows that risks fall into one of three categories. Risk events from any category can be fatal to a company’s strategy and even to its survival.
Category I: Preventable risks.
These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes. To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. But in general, companies should seek to eliminate these risks since they get no strategic benefits from taking them on. A rogue trader or an employee bribing a local official may produce some short-term profits for the firm, but over time such actions will diminish the company’s value.
Identifying and Managing Preventable Risks
Companies cannot anticipate every circumstance or conflict of interest that an employee might encounter. Thus, the first line of defense against preventable risk events is to provide guidelines clarifying the company’s goals and values.
A well-crafted mission statement articulates the organization’s fundamental purpose, serving as a “true north” for all employees to follow. The first sentence of Johnson & Johnson’s renowned credo, for instance, states, “We believe our first responsibility is to the doctors, nurses and patients, to mothers and fathers, and all others who use our products and services,” making clear to all employees whose interests should take precedence in any situation. Mission statements should be communicated to and understood by all employees.
Companies should articulate the values that guide employee behavior toward principal stakeholders, including customers, suppliers, fellow employees, communities, and shareholders. Clear value statements help employees avoid violating the company’s standards and putting its reputation and assets at risk.
A strong corporate culture clarifies what is not allowed. An explicit definition of boundaries is an effective way to control actions. Consider that nine of the Ten Commandments and nine of the first 10 amendments to the U.S. Constitution (commonly known as the Bill of Rights) are written in negative terms. Companies need corporate codes of business conduct that prescribe behaviors relating to conflicts of interest, antitrust issues, trade secrets and confidential information, bribery, discrimination, and harassment.
Of course, clearly articulated statements of mission, values, and boundaries don’t in themselves ensure good behavior. To counter the day-to-day pressures of organizational life, top managers must serve as role models and demonstrate that they mean what they say. Companies must institute strong internal control systems, such as the segregation of duties and an active whistle-blowing program, to reduce not only misbehavior but also temptation. A capable and independent internal audit department tasked with continually checking employees’ compliance with internal controls and standard operating processes also will deter employees from violating company procedures and policies and can detect violations when they do occur.
See also Robert Simons’s article on managing preventable risks, “ How Risky Is Your Company? ” (HBR May 1999), and his book Levers of Control (Harvard Business School Press, 1995).
This risk category is best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms. Since considerable literature already exists on the rules-based compliance approach, we refer interested readers to the sidebar “Identifying and Managing Preventable Risks” in lieu of a full discussion of best practices here.
Category II: Strategy risks.
A company voluntarily accepts some risk in order to generate superior returns from its strategy. A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development activities.
Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains. BP accepted the high risks of drilling several miles below the surface of the Gulf of Mexico because of the high value of the oil and gas it hoped to extract.
Strategy risks cannot be managed through a rules-based control model. Instead, you need a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.
Category III: External risks.
Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts . External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.
Understanding the Three Categories of Risk
The risks that companies face fall into three categories, each of which requires a different risk-management approach. Preventable risks, arising from within an organization, are monitored and controlled through rules, values, and standard compliance tools. In contrast, strategy risks and external risks require distinct processes that encourage managers to openly discuss risks and find cost-effective ways to reduce the likelihood of risk events or mitigate their consequences.
Companies should tailor their risk-management processes to these different categories. While a compliance-based approach is effective for managing preventable risks, it is wholly inadequate for strategy risks or external risks, which require a fundamentally different approach based on open and explicit risk discussions. That, however, is easier said than done; extensive behavioral and organizational research has shown that individuals have strong cognitive biases that discourage them from thinking about and discussing risk until it’s too late.
Why Risk Is Hard to Talk About
Multiple studies have found that people overestimate their ability to influence events that, in fact, are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.
We also anchor our estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future. We often compound this problem with a confirmation bias, which drives us to favor information that supports our positions (typically successes) and suppress information that contradicts them (typically failures). When events depart from our expectations, we tend to escalate commitment, irrationally directing even more resources to our failed course of action—throwing good money after bad.
Organizational biases also inhibit our ability to discuss risk and failure. In particular, teams facing uncertain conditions often engage in groupthink : Once a course of action has gathered support within a group, those not yet on board tend to suppress their objections—however valid—and fall in line. Groupthink is especially likely if the team is led by an overbearing or overconfident manager who wants to minimize conflict, delay, and challenges to his or her authority.
Collectively, these individual and organizational biases explain why so many companies overlook or misread ambiguous threats. Rather than mitigating risk, firms actually incubate risk through the normalization of deviance, as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger.
Effective risk-management processes must counteract those biases. “Risk mitigation is painful, not a natural act for humans to perform,” says Gentry Lee, the chief systems engineer at Jet Propulsion Laboratory (JPL), a division of the U.S. National Aeronautics and Space Administration. The rocket scientists on JPL project teams are top graduates from elite universities, many of whom have never experienced failure at school or work. Lee’s biggest challenge in establishing a new risk culture at JPL was to get project teams to feel comfortable thinking and talking about what could go wrong with their excellent designs.
Rules about what to do and what not to do won’t help here. In fact, they usually have the opposite effect, encouraging a checklist mentality that inhibits challenge and discussion. Managing strategy risks and external risks requires very different approaches. We start by examining how to identify and mitigate strategy risks.
Managing Strategy Risks
Over the past 10 years of study, we’ve come across three distinct approaches to managing strategy risks. Which model is appropriate for a given firm depends largely on the context in which an organization operates. Each approach requires quite different structures and roles for a risk-management function, but all three encourage employees to challenge existing assumptions and debate risk information. Our finding that “one size does not fit all” runs counter to the efforts of regulatory authorities and professional associations to standardize the function.
Some organizations—particularly those like JPL that push the envelope of technological innovation—face high intrinsic risk as they pursue long, complex, and expensive product-development projects. But since much of the risk arises from coping with known laws of nature, the risk changes slowly over time. For these organizations, risk management can be handled at the project level.
JPL, for example, has established a risk review board made up of independent technical experts whose role is to challenge project engineers’ design, risk-assessment, and risk-mitigation decisions. The experts ensure that evaluations of risk take place periodically throughout the product-development cycle. Because the risks are relatively unchanging, the review board needs to meet only once or twice a year, with the project leader and the head of the review board meeting quarterly.
The risk review board meetings are intense, creating what Gentry Lee calls “a culture of intellectual confrontation.” As board member Chris Lewicki says, “We tear each other apart, throwing stones and giving very critical commentary about everything that’s going on.” In the process, project engineers see their work from another perspective. “It lifts their noses away from the grindstone,” Lewicki adds.
The meetings, both constructive and confrontational, are not intended to inhibit the project team from pursuing highly ambitious missions and designs. But they force engineers to think in advance about how they will describe and defend their design decisions and whether they have sufficiently considered likely failures and defects. The board members, acting as devil’s advocates, counterbalance the engineers’ natural overconfidence, helping to avoid escalation of commitment to projects with unacceptable levels of risk.
Risk management is painful—not a natural act for humans to perform.
At JPL, the risk review board not only promotes vigorous debate about project risks but also has authority over budgets. The board establishes cost and time reserves to be set aside for each project component according to its degree of innovativeness. A simple extension from a prior mission would require a 10% to 20% financial reserve, for instance, whereas an entirely new component that had yet to work on Earth—much less on an unexplored planet—could require a 50% to 75% contingency. The reserves ensure that when problems inevitably arise, the project team has access to the money and time needed to resolve them without jeopardizing the launch date. JPL takes the estimates seriously; projects have been deferred or canceled if funds were insufficient to cover recommended reserves.
Many organizations, such as traditional energy and water utilities, operate in stable technological and market environments, with relatively predictable customer demand. In these situations risks stem largely from seemingly unrelated operational choices across a complex organization that accumulate gradually and can remain hidden for a long time.
Since no single staff group has the knowledge to perform operational-level risk management across diverse functions, firms may deploy a relatively small central risk-management group that collects information from operating managers. This increases managers’ awareness of the risks that have been taken on across the organization and provides decision makers with a full picture of the company’s risk profile.
Read more about
When Every Employee Is a Risk Manager
We observed this model in action at Hydro One, the Canadian electricity company. Chief risk officer John Fraser, with the explicit backing of the CEO, runs dozens of workshops each year at which employees from all levels and functions identify and rank the principal risks they see to the company’s strategic objectives. Employees use an anonymous voting technology to rate each risk, on a scale of 1 to 5, in terms of its impact, the likelihood of occurrence, and the strength of existing controls. The rankings are discussed in the workshops, and employees are empowered to voice and debate their risk perceptions. The group ultimately develops a consensus view that gets recorded on a visual risk map, recommends action plans, and designates an “owner” for each major risk.
Hydro One strengthens accountability by linking capital allocation and budgeting decisions to identified risks. The corporate-level capital-planning process allocates hundreds of millions of dollars, principally to projects that reduce risk effectively and efficiently. The risk group draws upon technical experts to challenge line engineers’ investment plans and risk assessments and to provide independent expert oversight to the resource allocation process. At the annual capital allocation meeting, line managers have to defend their proposals in front of their peers and top executives. Managers want their projects to attract funding in the risk-based capital planning process, so they learn to overcome their bias to hide or minimize the risks in their areas of accountability.
The financial services industry poses a unique challenge because of the volatile dynamics of asset markets and the potential impact of decisions made by decentralized traders and investment managers. An investment bank’s risk profile can change dramatically with a single deal or major market movement. For such companies, risk management requires embedded experts within the organization to continuously monitor and influence the business’s risk profile, working side by side with the line managers whose activities are generating new ideas, innovation, and risks—and, if all goes well, profits.
The danger from embedding risk managers within the line organization is that they “go native”—becoming deal makers rather than deal questioners.
JP Morgan Private Bank adopted this model in 2007, at the onset of the global financial crisis. Risk managers, embedded within the line organization, report to both line executives and a centralized, independent risk-management function. The face-to-face contact with line managers enables the market-savvy risk managers to continually ask “what if” questions, challenging the assumptions of portfolio managers and forcing them to look at different scenarios. Risk managers assess how proposed trades affect the risk of the entire investment portfolio, not only under normal circumstances but also under times of extreme stress, when the correlations of returns across different asset classes escalate. “Portfolio managers come to me with three trades, and the [risk] model may say that all three are adding to the same type of risk,” explains Gregoriy Zhikarev, a risk manager at JP Morgan. “Nine times out of 10 a manager will say, ‘No, that’s not what I want to do.’ Then we can sit down and redesign the trades.”
The chief danger from embedding risk managers within the line organization is that they “go native,” aligning themselves with the inner circle of the business unit’s leadership team—becoming deal makers rather than deal questioners. Preventing this is the responsibility of the company’s senior risk officer and—ultimately—the CEO, who sets the tone for a company’s risk culture.
Avoiding the Function Trap
Even if managers have a system that promotes rich discussions about risk, a second cognitive-behavioral trap awaits them. Because many strategy risks (and some external risks) are quite predictable—even familiar—companies tend to label and compartmentalize them, especially along business function lines. Banks often manage what they label “credit risk,” “market risk,” and “operational risk” in separate groups. Other companies compartmentalize the management of “brand risk,” “reputation risk,” “supply chain risk,” “human resources risk,” “IT risk,” and “financial risk.”
Such organizational silos disperse both information and responsibility for effective risk management. They inhibit discussion of how different risks interact. Good risk discussions must be not only confrontational but also integrative. Businesses can be derailed by a combination of small events that reinforce one another in unanticipated ways.
Managers can develop a companywide risk perspective by anchoring their discussions in strategic planning, the one integrative process that most well-run companies already have. For example, Infosys, the Indian IT services company, generates risk discussions from the Balanced Scorecard, its management tool for strategy measurement and communication. “As we asked ourselves about what risks we should be looking at,” says M.D. Ranganath, the chief risk officer, “we gradually zeroed in on risks to business objectives specified in our corporate scorecard.”
In building its Balanced Scorecard, Infosys had identified “growing client relationships” as a key objective and selected metrics for measuring progress, such as the number of global clients with annual billings in excess of $50 million and the annual percentage increases in revenues from large clients. In looking at the goal and the performance metrics together, management realized that its strategy had introduced a new risk factor: client default. When Infosys’s business was based on numerous small clients, a single client default would not jeopardize the company’s strategy. But a default by a $50 million client would present a major setback. Infosys began to monitor the credit default swap rate of every large client as a leading indicator of the likelihood of default. When a client’s rate increased, Infosys would accelerate collection of receivables or request progress payments to reduce the likelihood or impact of default.
To take another example, consider Volkswagen do Brasil (subsequently abbreviated as VW), the Brazilian subsidiary of the German carmaker. VW’s risk-management unit uses the company’s strategy map as a starting point for its dialogues about risk. For each objective on the map, the group identifies the risk events that could cause VW to fall short of that objective. The team then generates a Risk Event Card for each risk on the map, listing the practical effects of the event on operations, the probability of occurrence, leading indicators, and potential actions for mitigation. It also identifies who has primary accountability for managing the risk.
See more HBR charts in Data & Visuals
The risk team then presents a high-level summary of results to senior management.
Beyond introducing a systematic process for identifying and mitigating strategy risks, companies also need a risk oversight structure. Infosys uses a dual structure: a central risk team that identifies general strategy risks and establishes central policy, and specialized functional teams that design and monitor policies and controls in consultation with local business teams. The decentralized teams have the authority and expertise to help the business lines respond to threats and changes in their risk profiles, escalating only the exceptions to the central risk team for review. For example, if a client relationship manager wants to give a longer credit period to a company whose credit risk parameters are high, the functional risk manager can send the case to the central team for review.
These examples show that the size and scope of the risk function are not dictated by the size of the organization. Hydro One, a large company, has a relatively small risk group to generate risk awareness and communication throughout the firm and to advise the executive team on risk-based resource allocations. By contrast, relatively small companies or units, such as JPL or JP Morgan Private Bank, need multiple project-level review boards or teams of embedded risk managers to apply domain expertise to assess the risk of business decisions. And Infosys, a large company with broad operational and strategic scope, requires a strong centralized risk-management function as well as dispersed risk managers who support local business decisions and facilitate the exchange of information with the centralized risk group.
Managing the Uncontrollable
External risks, the third category of risk, cannot typically be reduced or avoided through the approaches used for managing preventable and strategy risks. External risks lie largely outside the company’s control; companies should focus on identifying them, assessing their potential impact, and figuring out how best to mitigate their effects should they occur.
Some external risk events are sufficiently imminent that managers can manage them as they do their strategy risks. For example, during the economic slowdown after the global financial crisis, Infosys identified a new risk related to its objective of developing a global workforce: an upsurge in protectionism, which could lead to tight restrictions on work visas and permits for foreign nationals in several OECD countries where Infosys had large client engagements. Although protectionist legislation is technically an external risk since it’s beyond the company’s control, Infosys treated it as a strategy risk and created a Risk Event Card for it, which included a new risk indicator: the number and percentage of its employees with dual citizenships or existing work permits outside India. If this number were to fall owing to staff turnover, Infosys’s global strategy might be jeopardized. Infosys therefore put in place recruiting and retention policies that mitigate the consequences of this external risk event.
Most external risk events, however, require a different analytic approach either because their probability of occurrence is very low or because managers find it difficult to envision them during their normal strategy processes. We have identified several different sources of external risks:
- Natural and economic disasters with immediate impact. These risks are predictable in a general way, although their timing is usually not (a large earthquake will hit someday in California, but there is no telling exactly where or when). They may be anticipated only by relatively weak signals. Examples include natural disasters such as the 2010 Icelandic volcano eruption that closed European airspace for a week and economic disasters such as the bursting of a major asset price bubble. When these risks occur, their effects are typically drastic and immediate, as we saw in the disruption from the Japanese earthquake and tsunami in 2011.
- Geopolitical and environmental changes with long-term impact. These include political shifts such as major policy changes, coups, revolutions, and wars; long-term environmental changes such as global warming; and depletion of critical natural resources such as fresh water.
- Competitive risks with medium-term impact. These include the emergence of disruptive technologies (such as the internet, smartphones, and bar codes) and radical strategic moves by industry players (such as the entry of Amazon into book retailing and Apple into the mobile phone and consumer electronics industries).
Companies use different analytic approaches for each of the sources of external risk.
Tail-risk stress tests.
Stress-testing helps companies assess major changes in one or two specific variables whose effects would be major and immediate, although the exact timing is not forecastable. Financial services firms use stress tests to assess, for example, how an event such as the tripling of oil prices, a large swing in exchange or interest rates, or the default of a major institution or sovereign country would affect trading positions and investments.
The benefits from stress-testing, however, depend critically on the assumptions—which may themselves be biased—about how much the variable in question will change. The tail-risk stress tests of many banks in 2007–2008, for example, assumed a worst-case scenario in which U.S. housing prices leveled off and remained flat for several periods. Very few companies thought to test what would happen if prices began to decline—an excellent example of the tendency to anchor estimates in recent and readily available data. Most companies extrapolated from recent U.S. housing prices, which had gone several decades without a general decline, to develop overly optimistic market assessments.
This tool is suited for long-range analysis, typically five to 10 years out. Originally developed at Shell Oil in the 1960s, scenario analysis is a systematic process for defining the plausible boundaries of future states of the world. Participants examine political, economic, technological, social, regulatory, and environmental forces and select some number of drivers—typically four—that would have the biggest impact on the company. Some companies explicitly draw on the expertise in their advisory boards to inform them about significant trends, outside the company’s and industry’s day-to-day focus, that should be considered in their scenarios.
For each of the selected drivers, participants estimate maximum and minimum anticipated values over five to 10 years. Combining the extreme values for each of four drivers leads to 16 scenarios. About half tend to be implausible and are discarded; participants then assess how their firm’s strategy would perform in the remaining scenarios. If managers see that their strategy is contingent on a generally optimistic view, they can modify it to accommodate pessimistic scenarios or develop plans for how they would change their strategy should early indicators show an increasing likelihood of events turning against it.
War-gaming assesses a firm’s vulnerability to disruptive technologies or changes in competitors’ strategies. In a war-game, the company assigns three or four teams the task of devising plausible near-term strategies or actions that existing or potential competitors might adopt during the next one or two years—a shorter time horizon than that of scenario analysis. The teams then meet to examine how clever competitors could attack the company’s strategy. The process helps to overcome the bias of leaders to ignore evidence that runs counter to their current beliefs, including the possibility of actions that competitors might take to disrupt their strategy.
A firm’s ability to weather storms depends on how seriously executives take risk management when the sun is shining and no clouds are on the horizon.
Companies have no influence over the likelihood of risk events identified through methods such as tail-risk testing, scenario planning, and war-gaming. But managers can take specific actions to mitigate their impact. Since moral hazard does not arise for nonpreventable events, companies can use insurance or hedging to mitigate some risks, as an airline does when it protects itself against sharp increases in fuel prices by using financial derivatives. Another option is for firms to make investments now to avoid much higher costs later. For instance, a manufacturer with facilities in earthquake-prone areas can increase its construction costs to protect critical facilities against severe quakes. Also, companies exposed to different but comparable risks can cooperate to mitigate them. For example, the IT data centers of a university in North Carolina would be vulnerable to hurricane risk while those of a comparable university on the San Andreas Fault in California would be vulnerable to earthquakes. The likelihood that both disasters would happen on the same day is small enough that the two universities might choose to mitigate their risks by backing up each other’s systems every night.
The Leadership Challenge
Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the “can do” culture most leadership teams try to foster when implementing strategy. And many leaders have a tendency to discount the future; they’re reluctant to spend time and money now to avoid an uncertain future problem that might occur down the road, on someone else’s watch. Moreover, mitigating risk typically involves dispersing resources and diversifying investments, just the opposite of the intense focus of a successful strategy. Managers may find it antithetical to their culture to champion processes that identify the risks to the strategies they helped to formulate.
For those reasons, most companies need a separate function to handle strategy- and external-risk management. The risk function’s size will vary from company to company, but the group must report directly to the top team. Indeed, nurturing a close relationship with senior leadership will arguably be its most critical task; a company’s ability to weather storms depends very much on how seriously executives take their risk-management function when the sun is shining and no clouds are on the horizon.
That was what separated the banks that failed in the financial crisis from those that survived. The failed companies had relegated risk management to a compliance function; their risk managers had limited access to senior management and their boards of directors. Further, executives routinely ignored risk managers’ warnings about highly leveraged and concentrated positions. By contrast, Goldman Sachs and JPMorgan Chase, two firms that weathered the financial crisis well, had strong internal risk-management functions and leadership teams that understood and managed the companies’ multiple risk exposures. Barry Zubrow, chief risk officer at JP Morgan Chase, told us, “I may have the title, but [CEO] Jamie Dimon is the chief risk officer of the company.”
Risk management is nonintuitive; it runs counter to many individual and organizational biases. Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.
- Robert S. Kaplan is a senior fellow and the Marvin Bower Professor of Leadership Development emeritus at Harvard Business School. He coauthored the McKinsey Award–winning HBR article “ Accounting for Climate Change ” (November–December 2021).
- Anette Mikes is a fellow at Hertford College, Oxford University, and an associate professor at Oxford’s Saïd Business School.
- Assessment Management
- Compliance Audits
- Enterprise Risk Management
- Fraud Risk Management
- IT Risk Management
- Operational Audits
- Operational Risk Management
- Security Compliance Management
- SOX Compliance
- SOX Readiness
- Vendor Risk Management
- Business Services
- Education, Government, and Non-Profit
- Energy, Materials, and Utilities
- Financial Services
- Media and Telecom
- Real Estate and Construction
- Travel and Transportation
- Technology & Security
- Resource Library
- AuditBoard TV
- Events & Webinars
- On-Demand Webinars
10 Types of Risk Management Strategies to Follow in 2021
Having a strong approach to risk management is more important now than ever in today’s dynamic risk environment. Following these ten types of risk management strategies can better prepare your business for a volatile risk landscape.
McKinsey found that when banks shut branches and corporate offices, it altered how customers interact with them, forcing changes to long-held risk management practices in order to monitor existing risks and guard against new ones.
Regardless of industry, how quickly and effectively risks can be identified and managed will determine how well companies and institutions will recover and rebuild — and this requires rethinking risk management strategies. As organizations increase their focus on identifying, mitigating, and monitoring risks in response to an ever more volatile risk environment, you may have questions about who is responsible for developing a risk management strategy and what are the different risk management strategies? Here’s everything that you need to know to better address today’s top risk areas .
What Is a Risk Management Strategy?
A risk management strategy is a structured approach to addressing risks, and can be used in companies of all sizes and across any industry. Risk management is best understood not as a series of steps, but as a cyclical process in which new and ongoing risks are continually identified, assessed, managed, and monitored. This provides a way to update and review assessments as new developments occur and then to take steps to protect the organization, people, and assets.
Risk identification can result from passively stumbling across vulnerabilities or through implemented tools and control processes that raise red flags when there are potential identified risks. Being more proactive rather than reactive is always the best approach to reducing risk points.
Once potential risks have been identified, each risk should be assessed to determine the likelihood of it becoming a concern, its level of severity, and the probable impact — this helps audit teams prioritize each risk. Whether your audit team is conducting a risk assessment for Sarbanes Oxley (SOX) or focusing on other types of risks, your assessments should be systematic, documented, and, depending on your business, reviewed at least annually. How often risk assessments are completed will differ, depending on the size and complexity of each business.
Responding to Risks
After assessing risks, the next part of the process involves developing and implementing treatments and controls, enabling the organization to address risks appropriately and effectively deal with each risk in a timely manner.
Risk monitoring is the ongoing process of managing risk by tracking risk management execution, and continuing to identify and manage new risks. Monitoring risks enables prompt action if the likelihood, severity or, potential impact of a risk exceeds acceptable levels.
Why Is Having a Risk Management Strategy Important?
Project and operational risks are not uncommon to most businesses, but having risk management processes and strategies are essential in identifying your company’s strengths, weaknesses, opportunities, and threats (SWOT) — also known as conducting a SWOT analysis. There are many other benefits to effectively managing risks .
1. Operational Effectiveness and Business Continuity
No matter how well prepared your business is, operational risks can surface at any time — and from sources that you may not have been aware of in the past. Risks can take the form of a new cybersecurity threat, a supplier or service provider that’s no longer able to service your company, or an equipment failure. With all the moving parts both in a company and outside of it that have an impact, having an established risk management process and a strategy in place that allows you to ensure internal controls to prevent fraud are in place — or to deal with other types of risk as they arise.
2. Protection of Your Company’s Assets
Whether it’s physical equipment, supplies, or information, protecting your company’s assets is imperative. A recent report by IBM shows that over 8.5 billion records were compromised in data breaches between April 2019 and 2020 — with the average cost of a mega-sized data breach being $3.86 million US. In the one-year period ending April 2020, 80 percent of thefts were customer-related personally identifiable information (PII). This makes establishing a solid and actionable risk management strategy imperative from a business insurance perspective.
3. Customer Satisfaction and Loyalty
Your company’s logo, brand, digital presence, and reputation is also an asset — and your customers take comfort in seeing and interacting with them daily. When your business has a well-thought-out and developed risk management plan and acts on it, your customers can maintain a sense of security and confidence about your reputation and brand. Your risk strategies and processes help you protect your brand and reputation by safeguarding these assets. It also ensures that customers can maintain faith in your ability to be there and deliver the products and services to which you’ve committed. The result is a higher degree of customer satisfaction and loyalty.
4. Realizing Benefits and Achieving Goals
A significant part of finishing projects on time and achieving the intended goals relies on how effectively risks are managed. Risk management identification, assessment, and management practices expose vulnerabilities faster — and allow your company to remove projects and activities that simply don’t produce a return on investment. This increases the chance of achieving your expected project portfolio and wider business performance and reaping the anticipated benefits.
5. Increased Profitability
The bottom line for most businesses is remaining profitable. Often when something like a breach occurs, there is a substantial financial impact — and it usually involves tedious hours working with legal and insurance teams to conduct lengthy investigations. Managing market, credit, operational, reputational, and other risks is vital to keeping your company’s bottom line healthy.
What Are 4 Examples of Common Risk Responses?
Managing risks can involve applying different risk responses to deal with varying types of risk. Not every risk will warrant the same response. You’ve likely heard the adage, “Avoidance is not a strategy.” Well, believe it or not, when it comes to risk management strategies, avoidance is a common risk response — along with reducing, accepting, and transferring. Here’s what you need to know about each risk response and when they might work best.
1. Avoiding Risk
Avoidance is an option that works to remove the chance of a risk becoming a reality or posing a threat altogether. If a product isn’t working well but doesn’t present any potential risk to the health or safety of employees or the company then avoiding the risk may be the best option. One example may be avoiding the use of a piece of faulty equipment — but only if it isn’t needed and it doesn’t impact performance, productivity, or safety. Avoidance shouldn’t necessarily be used with frequency or for longer-term threats. Eventually, this response should be re-evaluated to find other sustainable risk responses that address underlying issues.
2. Accepting Risks
Sometimes avoidance isn’t an appropriate response, and acceptance may be the better practice. When a risk is unlikely to occur or if the impact is minimal, then accepting the risk might be the best response. Timing also plays a role — it could be that a risk doesn’t pose any imminent concern, or it won’t impact your company’s strategic outlook. One example might be a change to vendor pricing or delivery down the road. It’s important to keep re-evaluating these types of risks periodically: their impact on your company and its projects could change.
3. Mitigating Risks
Mitigating risks is the most commonly discussed risk response — however, it isn’t always practical or possible. It may be the best option if a risk poses a real threat or problem, and avoidance or acceptance won’t suffice. If a risk creates a negative impact and one that could be costly to your company, employees, vendors, or customers, then that risk should be mitigated. This means identifying the risk, assessing all possible solutions, devising a plan, taking action, and monitoring the results.
4. Transferring Risks
There will be times when challenges or issues arise and you or your team may not be able to avoid, accept, or mitigate them. One example may be a lack of expertise or training required to address the risks. In this case, it may be a good idea to outsource or transfer the risk to another party — sometimes in-house, while other times it might warrant help from an external third or fourth party.
Who is Responsible for Developing a Risk Management Strategy?
Determining who will be the best person or function to identify, assess, and develop a risk management strategy won’t necessarily be the same each time — it will depend on the scope, nature, company structure, complexity, resource availability, and team capabilities. So who is responsible for developing a risk management strategy? It might be the responsibility of a risk management committee member, an audit team member, a project manager, a risk specialist, or someone else – like an external consultant. When deciding which direction to go, other things to consider include:
- The drivers and benefits behind developing a risk management strategy.
- The end-to-end process, from initiation to completion.
- Other parties who can bring additional insight and value.
- How and where to document the risk management strategy.
- Risk management software and tools that can simplify and streamline work.
- Conducting a formal review of the findings.
- Timing for presenting the findings.
What are the 10 Types of Risk Management Strategies to Follow?
It’s important to know that there are many different risk management strategies, each with its own benefits and uses. Here are ten types to follow.
Type 1: Business Experiments
This risk management strategy is useful in running ‘what-if’ scenarios to gauge different outcomes to potential threats. From IT to marketing teams, many functional groups are well versed in conducting business experiments. Financial teams also run experiments to gauge return on investments or assess other financial metrics.
Type 2: Theory Validation
Theory validation strategies are conducted using questionnaires and surveys of groups to gain feedback based on experience. If a new product or service has been developed or there are enhancements, it makes sense to get direct, timely, and relevant feedback from end users to assist with managing potential challenges and design flaws, and thus better manage risks.
Type 3: Minimum Viable Product Development
Developing complex systems that offer nice-to-have features isn’t always the best route. A good risk management strategy considers building software using core modules and features that will be relevant and useful for the bulk of their customers — this is called a Minimum Viable Product (MVP). It helps to keep projects within scope, minimizes the financial burden, and helps companies get to market faster.
Type 4: Isolating Identified Risks
Information technology teams are used to engaging with internal or external help to isolate security gaps or flawed processes that might leave room for vulnerabilities. In doing so, they become proactive in identifying security risks ahead of an event rather than waiting for a malicious and costly breach to occur.
Type 5: Building in Buffers
Whether it’s a technology or audit project, project managers recognize the need to build in a buffer. Buffers reduce risks by ensuring initiatives stay within the intended scope. Depending on the project, buffers may be financial, resource or time-based. The goal here is making sure that there are no surprises posing unforeseen risks.
Type 6: Data Analysis
Data gathering and analysis are key elements in assessing and managing various risks. For instance, qualitative risk analysis can help identify potential project risks. Conducting a thorough qualitative risk analysis helps to isolate and prioritize risks, and to develop strategies to address, monitor, and re-evaluate them.
Type 7: Risk-Reward Analysis
Conducting an analysis of risks versus rewards is a risk strategy that helps companies and project teams unearth the benefits and drawbacks of an initiative before investing resources, time, or money. It’s not only about the risks and rewards of investing funds to take on opportunities — it’s also about providing insight into the cost of lost opportunities.
Type 8: Lessons Learned
With every initiative or project that your company does or doesn’t complete, there will inevitably be lessons that can be learned. These lessons are a valuable tool that can significantly reduce risks in future projects or undertakings — but lessons are only useful if teams take the time to document them, discuss them, and develop an action plan for improvement based on what’s been learned.
Type 9: Contingency Planning
Things seldom go as planned, and while having a plan is great, it’s seldom enough. Companies need to plan to have multiple plans or options based on various scenarios. Contingency planning is all about anticipating that things will go wrong and planning alternate solutions for the type of risks that may surface and foil your original plan.
Type 10: Leveraging Best Practices
There’s a reason best practices are mentioned under risk management strategies. Best practices are usually tried and tested ways of doing things — and while they may differ from industry to industry and project to project, best practices ensure companies don’t have to recreate the wheel. Ultimately this reduces risks.
Effectively managing risk has always been critical for success in any company and industry — but never more so than today. Being able to identify and properly assess risks reduces missteps and saves money, time, and valuable resources. It also clarifies decision-makers and their teams and helps leaders recognize opportunities and the actions they need to take. An important part of your risk strategy should also involve managing your company’s risks by using integrated risk management software that facilitates collaboration and visibility into risk to increase the effectiveness of your risk management programs. Get started with RiskOversight today!
Ready to Get Started?
- Thought Leadership
What is a risk management strategy?
Having an appropriate risk management strategy is critical to dealing with the many types of risk that your organisation could face. But what is a risk management strategy? And what risk management strategies can you use?
A strategy for risk management is a dedicated plan which details how organisations are going deal with risk, both pre-emptively and as incidents occur. It provides a detailed outlook for stakeholders across t he business so they can make informed decisions. Read on for a more detailed definition where we break down the four common approaches to building a management strategy for risk and how to choose wh ich one is suitable for your needs.
How to approach building a risk management strategy
A risk management strategy is a key part of the risk management lifecycle . After identifying risks and assessing the likelihood of them happening, as well as the impact they could have, you will need to decide how to treat them. The approach you decide to take is your risk management strategy. This is also sometimes referred to as risk treatment.
There are four main risk management strategies, or risk treatment options:
Risk transference, risk avoidance, risk reduction.
Choosing the right one will mean the difference between managing each potential risk effectively or facing serious consequences that could damage your business. Let’s take a closer look at what these four approaches involve and some examples of when you could use them.
Types of risk management strategy
'A risk is accepted with no action taken to mitigate it' is the definition of risk acceptance.
This approach will not reduce the impact of a risk or even prevent it from happening, but that’s not necessarily a bad thing. Sometimes the cost of mitigating risks can exceed the cost of the risk itself, in which case it makes more sense to simply accept the risk. After all, why spend £200,000 to prevent a £20,000 risk?
However, this approach does come with a gamble. You will need to be sure that, if the risk does occur in the future, then you will be able to deal with it when the time comes. Because of this, it is best to accept risks only when the risk has a low chance of occurring or will have minimal impact if it does occur.
Risk transference is defined as: 'A risk transferred via a contract to an external party who will assume the risk on an organisation’s behalf.'
Choosing to transfer a risk does not entirely eradicate it. The risk still exists, only the responsibility for it shifts from your organisation to another.
An example of this would be travel insurance. You don’t accept the risk of a lost suitcase or an accident abroad and the costs that this would bring – you pay a travel insurance company to bear the financial consequences for you.
The same goes for the workplace. You may outsource work – and the risks that come with it - to a contractor. In finance, you may adopt a hedging strategy to protect your assets or investments.
How to choose the best risk management solution
Is it time to improve how your organisation manages risk? Our handy e-book guides you through choosing a risk management solution that can help you face complex challenges head on.
'A risk is eliminated by not taking any action that would mean the risk could occur' – this is risk avoidance.
If you choose this approach, you are aiming to completely eliminate the possibility of the risk occurring. One example of risk avoidance would be with investment. If, after analysing the risks associated with that investment, you deem it too risky, then you simply do not make the investment.
Treating risks by avoiding them should be reserved for risks that would have a major impact on your organisation if they were to occur. However, if you avoid every risk you come up against, you may miss out on positive opportunities. You never know, that investment you decided not to make could have paid off. That is why it’s important to thoroughly analyse risks and make the most informed judgement you can.
Risk reduction is when a risk becomes less severe through actions taken to prevent or minimis e its impact.
Risk reduction is a common strategy when it comes to risk treatment. It is sometimes known as lowering risk. By choosing this approach, you will need to work out the measures or actions you can take that will make risks more manageable.
One example of risk reduction would be within manufacturing and the risk of products being produced to incorrect specifications. Using a quality management system can lower the chance of this happening, so this would be a method of risk reduction. In the finance industry, you may face risks associated with new regulations. Implementing a digital solution to help you manage regulatory requirements can mitigate the risks of non-compliance and would therefore also be an example of risk reduction.
So which management strategy should you choose to handle risk?
As you can probably guess, that depends on the risk. You will need to fully understand each risk your organisation faces so that you can choose the appropriate strategy to treat them – whether that’s through acceptance, transference, avoidance or reduction.
Taking a detailed look at how risk is currently managed in your organisation is a good place to start. Are there areas for improvement? Where do you want to be as opposed to where you are now performance wise? These are some useful starting points to putting in place a suitable risk management strategy that’s going to work for your organisation .
Ensure effective risk management
With our powerful risk solutions, you can shield your organisation against potential threats, safeguard your reputation through seamless risk management processes and remain adaptable to ever-changing industry regulations.
As Digital Content Executive at Ideagen, Abbie is responsible for writing engaging and educational content for Ideagen’s digital channels. With a background in writing and social media, Abbie is committed to understanding the needs of our customers and providing insightful and valuable content that helps them to achieve their objectives.
- Search Search Please fill out this field.
What Is Risk Management?
Understanding risk management, good, bad, and necessary risk, risk management example, risk management and psychology, beta and passive risk management, alpha and active risk management, the cost of risk.
What Is Risk Management in Finance, and Why Is It Important?
Amanda Bellucco-Chatham is an editor, writer, and fact-checker with years of experience researching personal finance topics. Specialties include general financial planning, career development, lending, retirement, tax preparation, and credit.
Investopedia / Joules Garcia
In the financial world, risk management is the process of identification, analysis , and acceptance or mitigation of uncertainty in investment decisions. Essentially, risk management occurs when an investor or fund manager analyzes and attempts to quantify the potential for losses in an investment, such as a moral hazard , and then takes the appropriate action (or inaction) given the fund's investment objectives and risk tolerance .
Risk is inseparable from return. Every investment involves some degree of risk, which is considered close to zero in the case of a U.S. T-bill or very high for something such as emerging-market equities or real estate in highly inflationary markets. Risk is quantifiable both in absolute and in relative terms. A solid understanding of risk in its different forms can help investors to better understand the opportunities, trade-offs, and costs involved with different investment approaches .
- Risk management is the process of identification, analysis, and acceptance or mitigation of uncertainty in investment decisions.
- Risk is inseparable from return in the investment world.
- A variety of tactics exist to ascertain risk; one of the most common is standard deviation, a statistical measure of dispersion around a central tendency.
- Beta, also known as market risk, is a measure of the volatility, or systematic risk, of an individual stock in comparison to the entire market.
- Alpha is a measure of excess return; money managers who employ active strategies to beat the market are subject to alpha risk.
What is Risk Management?
Risk management occurs everywhere in the realm of finance. It occurs when an investor buys U.S. Treasury bonds over corporate bonds, when a fund manager hedges his currency exposure with currency derivatives , and when a bank performs a credit check on an individual before issuing a personal line of credit. Stockbrokers use financial instruments like options and futures , and money managers use strategies like portfolio diversification, asset allocation and position sizing to mitigate or effectively manage risk.
Inadequate risk management can result in severe consequences for companies, individuals, and the economy. For example, the subprime mortgage meltdown in 2007 that helped trigger the Great Recession stemmed from bad risk-management decisions, such as lenders who extended mortgages to individuals with poor credit; investment firms who bought, packaged, and resold these mortgages; and funds that invested excessively in the repackaged, but still risky, mortgage-backed securities (MBSs).
We tend to think of "risk" in predominantly negative terms. However, in the investment world, risk is necessary and inseparable from desirable performance.
A common definition of investment risk is a deviation from an expected outcome . We can express this deviation in absolute terms or relative to something else, like a market benchmark .
While that deviation may be positive or negative, investment professionals generally accept the idea that such deviation implies some degree of the intended outcome for your investments. Thus to achieve higher returns one expects to accept the greater risk. It is also a generally accepted idea that increased risk comes in the form of increased volatility. While investment professionals constantly seek—and occasionally find—ways to reduce such volatility, there is no clear agreement among them on how it's best done.
How much volatility an investor should accept depends entirely on the individual investor's tolerance for risk, or in the case of an investment professional, how much tolerance their investment objectives allow. One of the most commonly used absolute risk metrics is standard deviation , a statistical measure of dispersion around a central tendency. You look at the average return of an investment and then find its average standard deviation over the same time period. Normal distributions (the familiar bell-shaped curve) dictate that the expected return of the investment is likely to be one standard deviation from the average 67% of the time and two standard deviations from the average deviation 95% of the time. This helps investors evaluate risk numerically. If they believe that they can tolerate the risk, financially and emotionally, they invest.
For example, during a 15-year period from Aug. 1, 1992, to July 31, 2007, the average annualized total return of the S&P 500 was 10.7%. This number reveals what happened for the whole period, but it does not say what happened along the way. The average standard deviation of the S&P 500 for that same period was 13.5%. This is the difference between the average return and the real return at most given points throughout the 15-year period.
When applying the bell curve model, any given outcome should fall within one standard deviation of the mean about 67% of the time and within two standard deviations about 95% of the time. Thus, an S&P 500 investor could expect the return, at any given point during this period, to be 10.7% plus or minus the standard deviation of 13.5% about 67% of the time; he may also assume a 27% (two standard deviations) increase or decrease 95% of the time. If he can afford the loss, he invests.
While that information may be helpful, it does not fully address an investor's risk concerns. The field of behavioral finance has contributed an important element to the risk equation, demonstrating asymmetry between how people view gains and losses. In the language of prospect theory, an area of behavioral finance introduced by Amos Tversky and Daniel Kahneman in 1979, investors exhibit loss aversion. Tversky and Kahneman documented that investors put roughly twice the weight on the pain associated with a loss than the good feeling associated with a profit.
Often, what investors really want to know is not just how much an asset deviates from its expected outcome, but how bad things look way down on the left-hand tail of the distribution curve. Value at risk (VAR) attempts to provide an answer to this question. The idea behind VAR is to quantify how large a loss on investment could be with a given level of confidence over a defined period. For example, the following statement would be an example of VAR: "With about a 95% level of confidence, the most you stand to lose on this $1,000 investment over a two-year time horizon is $200." The confidence level is a probability statement based on the statistical characteristics of the investment and the shape of its distribution curve.
Of course, even a measure like VAR doesn't guarantee that 5% of the time will be much worse. Spectacular debacles like the one that hit the hedge fund Long-Term Capital Management in 1998 remind us that so-called "outlier events" may occur. In the case of LTCM, the outlier event was the Russian government's default on its outstanding sovereign debt obligations, an event that threatened to bankrupt the hedge fund, which had highly leveraged positions worth over $1 trillion; if it had gone under, it could have collapsed the global financial system. The U.S. government created a $3.65-billion loan fund to cover LTCM's losses, which enabled the firm to survive the market volatility and liquidate in an orderly manner in early 2000.
Another risk measure oriented to behavioral tendencies is a drawdown , which refers to any period during which an asset's return is negative relative to a previous high mark. In measuring drawdown, we attempt to address three things:
- The magnitude of each negative period (how bad)
- The duration of each (how long)
- The frequency (how often)
For example, in addition to wanting to know whether a mutual fund beat the S&P 500, we also want to know how comparatively risky it was. One measure for this is beta (known as "market risk"), based on the statistical property of covariance . A beta greater than 1 indicates more risk than the market and vice versa.
Beta helps us to understand the concepts of passive and active risk . The graph below shows a time series of returns (each data point labeled "+") for a particular portfolio R(p) versus the market return R(m). The returns are cash-adjusted, so the point at which the x and y-axes intersect is the cash-equivalent return. Drawing a line of best fit through the data points allows us to quantify the passive risk (beta) and the active risk (alpha).
The gradient of the line is its beta. For example, a gradient of 1.0 indicates that for every unit increase of market return, the portfolio return also increases by one unit. A money manager employing a passive management strategy can attempt to increase the portfolio return by taking on more market risk (i.e., a beta greater than 1) or alternatively decrease portfolio risk (and return) by reducing the portfolio beta below one.
If the level of market or systematic risk were the only influencing factor, then a portfolio's return would always be equal to the beta-adjusted market return. Of course, this is not the case: Returns vary because of a number of factors unrelated to market risk. Investment managers who follow an active strategy take on other risks to achieve excess returns over the market's performance. Active strategies include tactics that leverage stock, sector or country selection, fundamental analysis, position sizing, and technical analysis.
Active managers are on the hunt for an alpha, the measure of excess return. In our diagram example above, alpha is the amount of portfolio return not explained by beta, represented as the distance between the intersection of the x and y-axes and the y-axis intercept, which can be positive or negative. In their quest for excess returns, active managers expose investors to alpha risk , the risk that the result of their bets will prove negative rather than positive. For example, a fund manager may think that the energy sector will outperform the S&P 500 and increase her portfolio's weighting in this sector. If unexpected economic developments cause energy stocks to sharply decline, the manager will likely underperform the benchmark, an example of alpha risk.
In general, the more an active fund and its managers shows themselves able to generate alpha, the higher the fees they will tend to charge investors for exposure to those higher-alpha strategies. For a purely passive vehicle like an index fund or an exchange-traded fund (ETF), you're likely to pay one to 10 basis points (bps) in annual management fees, while for a high-octane hedge fund employing complex trading strategies involving high capital commitments and transaction costs, an investor would need to pay 200 basis points in annual fees, plus give back 20% of the profits to the manager.
The difference in pricing between passive and active strategies (or beta risk and alpha risk respectively) encourages many investors to try and separate these risks (e.g. to pay lower fees for the beta risk assumed and concentrate their more expensive exposures to specifically defined alpha opportunities). This is popularly known as portable alpha , the idea that the alpha component of a total return is separate from the beta component.
For example, a fund manager may claim to have an active sector rotation strategy for beating the S&P 500 and show, as evidence, a track record of beating the index by 1.5% on an average annualized basis. To the investor, that 1.5% of excess return is the manager's value, the alpha, and the investor is willing to pay higher fees to obtain it. The rest of the total return, what the S&P 500 itself earned, arguably has nothing to do with the manager's unique ability. Portable alpha strategies use derivatives and other tools to refine how they obtain and pay for the alpha and beta components of their exposure .
Guide to Mutual Funds
- Terms of Service
- Editorial Policy
- Do Not Sell My Personal Information
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.
- Learning Center
What is moscow prioritization.
MoSCoW prioritization, also known as the MoSCoW method or MoSCoW analysis, is a popular prioritization technique for managing requirements.
The acronym MoSCoW represents four categories of initiatives: must-have, should-have, could-have, and won’t-have, or will not have right now. Some companies also use the “W” in MoSCoW to mean “wish.”
What is the History of the MoSCoW Method?
Software development expert Dai Clegg created the MoSCoW method while working at Oracle. He designed the framework to help his team prioritize tasks during development work on product releases.
You can find a detailed account of using MoSCoW prioritization in the Dynamic System Development Method (DSDM) handbook . But because MoSCoW can prioritize tasks within any time-boxed project, teams have adapted the method for a broad range of uses.
How Does MoSCoW Prioritization Work?
Before running a MoSCoW analysis, a few things need to happen. First, key stakeholders and the product team need to get aligned on objectives and prioritization factors. Then, all participants must agree on which initiatives to prioritize.
At this point, your team should also discuss how they will settle any disagreements in prioritization. If you can establish how to resolve disputes before they come up, you can help prevent those disagreements from holding up progress.
Finally, you’ll also want to reach a consensus on what percentage of resources you’d like to allocate to each category.
With the groundwork complete, you may begin determining which category is most appropriate for each initiative. But, first, let’s further break down each category in the MoSCoW method.
Start prioritizing your roadmap
Moscow prioritization categories.
1. Must-have initiatives
As the name suggests, this category consists of initiatives that are “musts” for your team. They represent non-negotiable needs for the project, product, or release in question. For example, if you’re releasing a healthcare application, a must-have initiative may be security functionalities that help maintain compliance.
The “must-have” category requires the team to complete a mandatory task. If you’re unsure about whether something belongs in this category, ask yourself the following.
If the product won’t work without an initiative, or the release becomes useless without it, the initiative is most likely a “must-have.”
2. Should-have initiatives
Should-have initiatives are just a step below must-haves. They are essential to the product, project, or release, but they are not vital. If left out, the product or project still functions. However, the initiatives may add significant value.
“Should-have” initiatives are different from “must-have” initiatives in that they can get scheduled for a future release without impacting the current one. For example, performance improvements, minor bug fixes, or new functionality may be “should-have” initiatives. Without them, the product still works.
3. Could-have initiatives
Another way of describing “could-have” initiatives is nice-to-haves. “Could-have” initiatives are not necessary to the core function of the product. However, compared with “should-have” initiatives, they have a much smaller impact on the outcome if left out.
So, initiatives placed in the “could-have” category are often the first to be deprioritized if a project in the “should-have” or “must-have” category ends up larger than expected.
4. Will not have (this time)
One benefit of the MoSCoW method is that it places several initiatives in the “will-not-have” category. The category can manage expectations about what the team will not include in a specific release (or another timeframe you’re prioritizing).
Placing initiatives in the “will-not-have” category is one way to help prevent scope creep . If initiatives are in this category, the team knows they are not a priority for this specific time frame.
Some initiatives in the “will-not-have” group will be prioritized in the future, while others are not likely to happen. Some teams decide to differentiate between those by creating a subcategory within this group.
How Can Development Teams Use MoSCoW?
Although Dai Clegg developed the approach to help prioritize tasks around his team’s limited time, the MoSCoW method also works when a development team faces limitations other than time. For example:
Prioritize based on budgetary constraints.
What if a development team’s limiting factor is not a deadline but a tight budget imposed by the company? Working with the product managers, the team can use MoSCoW first to decide on the initiatives that represent must-haves and the should-haves. Then, using the development department’s budget as the guide, the team can figure out which items they can complete.
Prioritize based on the team’s skillsets.
A cross-functional product team might also find itself constrained by the experience and expertise of its developers. If the product roadmap calls for functionality the team does not have the skills to build, this limiting factor will play into scoring those items in their MoSCoW analysis.
Prioritize based on competing needs at the company.
Cross-functional teams can also find themselves constrained by other company priorities. The team wants to make progress on a new product release, but the executive staff has created tight deadlines for further releases in the same timeframe. In this case, the team can use MoSCoW to determine which aspects of their desired release represent must-haves and temporarily backlog everything else.
What Are the Drawbacks of MoSCoW Prioritization?
Although many product and development teams have prioritized MoSCoW, the approach has potential pitfalls. Here are a few examples.
1. An inconsistent scoring process can lead to tasks placed in the wrong categories.
One common criticism against MoSCoW is that it does not include an objective methodology for ranking initiatives against each other. Your team will need to bring this methodology to your analysis. The MoSCoW approach works only to ensure that your team applies a consistent scoring system for all initiatives.
Pro tip: One proven method is weighted scoring, where your team measures each initiative on your backlog against a standard set of cost and benefit criteria. You can use the weighted scoring approach in ProductPlan’s roadmap app .
2. Not including all relevant stakeholders can lead to items placed in the wrong categories.
To know which of your team’s initiatives represent must-haves for your product and which are merely should-haves, you will need as much context as possible.
For example, you might need someone from your sales team to let you know how important (or unimportant) prospective buyers view a proposed new feature.
One pitfall of the MoSCoW method is that you could make poor decisions about where to slot each initiative unless your team receives input from all relevant stakeholders.
3. Team bias for (or against) initiatives can undermine MoSCoW’s effectiveness.
Because MoSCoW does not include an objective scoring method, your team members can fall victim to their own opinions about certain initiatives.
One risk of using MoSCoW prioritization is that a team can mistakenly think MoSCoW itself represents an objective way of measuring the items on their list. They discuss an initiative, agree that it is a “should have,” and move on to the next.
But your team will also need an objective and consistent framework for ranking all initiatives. That is the only way to minimize your team’s biases in favor of items or against them.
When Do You Use the MoSCoW Method for Prioritization?
MoSCoW prioritization is effective for teams that want to include representatives from the whole organization in their process. You can capture a broader perspective by involving participants from various functional departments.
Another reason you may want to use MoSCoW prioritization is it allows your team to determine how much effort goes into each category. Therefore, you can ensure you’re delivering a good variety of initiatives in each release.
What Are Best Practices for Using MoSCoW Prioritization?
If you’re considering giving MoSCoW prioritization a try, here are a few steps to keep in mind. Incorporating these into your process will help your team gain more value from the MoSCoW method.
1. Choose an objective ranking or scoring system.
Remember, MoSCoW helps your team group items into the appropriate buckets—from must-have items down to your longer-term wish list. But MoSCoW itself doesn’t help you determine which item belongs in which category.
You will need a separate ranking methodology. You can choose from many, such as:
- Weighted scoring
- Value vs. complexity
- Opportunity scoring
For help finding the best scoring methodology for your team, check out ProductPlan’s article: 7 strategies to choose the best features for your product .
2. Seek input from all key stakeholders.
To make sure you’re placing each initiative into the right bucket—must-have, should-have, could-have, or won’t-have—your team needs context.
At the beginning of your MoSCoW method, your team should consider which stakeholders can provide valuable context and insights. Sales? Customer success? The executive staff? Product managers in another area of your business? Include them in your initiative scoring process if you think they can help you see opportunities or threats your team might miss.
3. Share your MoSCoW process across your organization.
MoSCoW gives your team a tangible way to show your organization prioritizing initiatives for your products or projects.
The method can help you build company-wide consensus for your work, or at least help you show stakeholders why you made the decisions you did.
Communicating your team’s prioritization strategy also helps you set expectations across the business. When they see your methodology for choosing one initiative over another, stakeholders in other departments will understand that your team has thought through and weighed all decisions you’ve made.
If any stakeholders have an issue with one of your decisions, they will understand that they can’t simply complain—they’ll need to present you with evidence to alter your course of action.
2×2 prioritization matrix / Eisenhower matrix / DACI decision-making framework / ICE scoring model / RICE scoring model
Prioritizing your roadmap using our guide
Try productplan free for 14 days.
Value and resilience through better risk management
Today’s corporate leaders navigate a complex environment that is changing at an ever-accelerating pace. Digital technology underlies much of the change. Business models are being transformed by new waves of automation, based on robotics and artificial intelligence. Producers and consumers are making faster decisions, with preferences shifting under the influence of social media and trending news. New types of digital companies are exploiting the changes, disrupting traditional market leaders and business models. And as companies digitize more parts of their organization, the danger of cyberattacks and breaches of all kinds grows.
Stay current on your favorite topics
Beyond cyberspace, the risk environment is equally challenging. Regulation enjoys broad popular support in many sectors and regions; where it is tightening, it is putting stresses on profitability. Climate change is affecting operations and consumers and regulators are also making demands for better business conduct in relation to the natural environment. Geopolitical uncertainties alter business conditions and challenge the footprints of multinationals. Corporate reputations are vulnerable to single events, as risks once thought to have a limited probability of occurrence are actually materializing.
The role of the board and senior executives
Risk management at nonfinancial companies has not kept pace with this evolution. For many nonfinancial corporates, risk management remains an underdeveloped and siloed capability in the organization, receiving limited attention from the most senior leaders. From over 1,100 respondents to McKinsey’s Global Board Survey for 2017 , we discovered that risk management remains a relatively low-priority topic at board meetings (exhibit).
A long way to go
Boards spend only 9 percent of their time on risk—slightly less than they did in 2015. Other questions in the survey revealed that only 6 percent of respondents believe that they are effective in managing risk (again, less than in 2015). Some individual risk areas are relatively neglected, and even cybersecurity, a core risk area with increasing importance, is addressed by only 36 percent of boards. While many senior executives stay focused on strategy and performance management, they often fail to challenge capabilities or strategic decisions from a risk perspective (see sidebar, “A long way to go”). A reactive approach to risks remains too common, with action taken only after things go wrong. The result is that boards and senior executives needlessly put their companies at risk, while personally taking on higher legal and reputational liabilities.
Boards have a critical role to play in developing risk-management capabilities at the companies they oversee. First, boards need to ensure that a robust risk-management operating model is in place. Such a model allows companies to understand and prioritize risks, set their risk appetite, and measure their performance against these risks. The model should enable the board and senior executives to work with businesses to eliminate exposures outside the company’s appetite statement, reducing the risk profile where warranted, through such means as quality controls and other operational processes. On strategic opportunities and risk trade-offs, boards should foster explicit discussions and decision making among top management and the businesses. This will enable the efficient deployment of scarce risk resources and the active, coordinated management of risks across the organization. Companies will then be prepared to address and manage emerging crises when risks do materialize.
A sectoral view of risks
Most companies operate in a complex, industry-specific risk environment. They must navigate macroeconomic and geopolitical uncertainties and face risks arising in the areas of strategy, finance, products, operations, and compliance and conduct. In some sectors, companies have developed advanced approaches to managing risks that are specific to their business models. These approaches can sustain significant value. At the same time companies are challenged by emerging types of risks for which they need to develop effective mitigation plans; in their absence, the losses from serious risk events can be crippling.
- Automotive companies are controlling supply-chain risks with sophisticated monitoring models that allow OEMs to identify potential risks upfront across the supply chain. At the same time, auto companies must address the strategic challenge of shifting toward electric-powered and autonomous vehicles.
- Pharma companies seek to manage the downside risk of large investments in their product portfolio and pipeline, while addressing product quality and patient safety to comply with relevant regulatory requirements.
- Oil and gas, steel, and energy companies apply advanced approaches to manage the negative effects of financial markets and commodity-price volatility. As social and political demands for cleaner energy are increasing, these companies are actively pursuing growth opportunities to shift their portfolios in anticipation of an energy transition and a low-carbon future.
- Consumer-goods companies protect their reputation and brand value through sound practices to manage product quality as well as labor conditions in their production facilities. Yet they are constantly challenged to meet consumers’ ever-changing tastes and needs, as well as consumer-protection regulations.
Toward proactive risk management
An approach based on adherence to minimum regulatory standards and avoidance of financial loss creates risk in itself. In a passive stance, companies cannot shape an optimal risk profile according to their business models nor adequately manage a fast-moving crisis. Eschewing a risk approach comprised of short-term performance initiatives focused on revenue and costs, top performers deem risk management as a strategic asset, which can sustain significant value over the long term. Inherent in the proactive approach are several essential components.
Strategic decision making
More rigorous, debiased strategic decision making can enhance the longer-term resilience of a company’s business model, particularly in volatile markets or externally challenged industries. Research shows that the active, regular reevaluation of resource allocation, based on sound assessments of risk and return trade-offs (such as entering markets where the business model is superior to the competition), creates more value and better shareholder returns. 1 See, for example, Yuval Atsmon, “ How nimble resource allocation can double your company’s value ,” August 2016; William N. Thorndike, Jr., The Outsiders: Eight Unconventional CEOs and Their Radically Rational Blueprint for Success , Boston, MA: Harvard Business Review Press, 2012; Rebecca Darr and Tim Koller, “ How to build an alliance against corporate short-termism ,” January 2017. Flexibility is empowering in a dynamic marketplace. Many companies use hedging strategies to insure against market uncertainties. Airlines, for example, have been known to hedge future exposures to fuel-price fluctuations, a move that can help maintain profitability when prices climb. Likewise, strategic investing, based on a longer-term perspective and a deep understanding of a company’s core proposition, generates more value than opportunistic moves aiming at a short-term bump in the share price.
Debiasing and stress-testing
Approaches that include debiasing and stress-testing help senior executives consider previously overlooked sources of uncertainty to judge whether the company’s risk-bearing capacity can absorb their potential impact. A utility in Germany, for example, improved decision making by taking action to mitigate behavioral biases. As a result, it separated its renewables business from its conventional power-generation operations. In the aftermath of the Fukushima disaster, which sharply raised interest in environmentally friendly power generation, the utility’s move led to a significant positive effect on its share price (15 percent above the industry index).
Higher-quality products and safety standards
Investments in product quality and safety standards can bring significant returns. One form this takes in the energy sector is reduced damage and maintenance costs. At one international energy company, improved safety standards led to a 30 percent reduction in the frequency of hazardous incidents. Auto companies with reputations built on safety can command higher prices for their vehicles, while the better reputation created by higher quality standards in pharma creates obvious advantages. As well as the boost in demand that comes from a reputation for quality, companies can significantly reduce their remediation costs—McKinsey research suggests that pharma companies suffering from quality issues lose annual revenue equal to 4 to 5 percent of cost of goods sold.
Comprehensive operative controls
These can lead to more efficient and effective processes that are less prone to disruption when risks materialize. In the auto sector, companies can ensure stable production and sales by mitigating the risk of supply-chain disruption. Following the 2011 earthquake and tsunami, a leading automaker probed potential supply bottlenecks and took appropriate action. After an earthquake in 2016, the company quickly redirected production of affected parts to other locations, avoiding costly disruptions. In high-tech, companies applying superior supply-chain risk management can achieve lasting cost savings and higher margins. One global computer company addressed these risks with a dedicated program that saved $500 million during its first six years. The program used risk-informed contracts, enabling suppliers to lower the costs and risks of doing business with the company. The measures achieved supply assurance for key components, particularly during market shortages, improved cost predictability for components that have volatile costs, and optimized inventory levels internally and at suppliers.
Stronger ethical and societal standards
To achieve standing among customers, employees, business partners, and the public, companies can apply ethical controls on corporate practices end to end. If appropriately publicized and linked to corporate social responsibility, a program of better ethical standards can achieve significant returns in the form of heightened reputation and brand recognition. Customers, for example, are increasingly willing to pay a premium for products of companies that adhere to tighter standards. Employees too appreciate being associated with more ethical companies, offering a better working environment and contributing to society.
The three dimensions of effective risk management
Ideally, risk management and compliance are addressed as strategic priorities by corporate leadership and day-to-day management. More often the reality is that these areas are delegated to a few people at the corporate center working in isolation from the rest of the business. By contrast, revenue growth or cost savings are deeply embedded in corporate culture, linked explicitly to profit-and-loss (P&L) performance at the company level. Somewhere in the middle are specific control capabilities regarding, for example, product safety, secure IT development and deployment, or financial auditing.
Would you like to learn more about our Risk Practice ?
To change this picture, leadership must commit to building robust, effective risk management. The project is three-dimensional: 1) the risk operating model, consisting of the main risk management processes; 2) a governance and accountability structure around these processes, leading from the business up to the board level; and 3) best-practice crisis preparedness, including a well-articulated response playbook if the worst case materializes.
1. Developing an effective risk operating model
The operating model consists of two layers, an enterprise risk management (ERM) framework and individual frameworks for each type of risk. The ERM framework is used to identify risks across the organization, define the overall risk appetite, and implement the appropriate controls to ensure that the risk appetite is respected. Finally, the overarching framework puts in place a system of timely reporting and corresponding actions on risk to the board and senior management. The risk-specific frameworks address all risks that are being managed. These can be grouped in categories, such as financial, nonfinancial, and strategic. Financial risks, such as liquidity, market, and credit risks, are managed by adhering to appropriate limit structures; nonfinancial risks, by implementing adequate process controls; strategic risks, by challenging key decisions with formalized approaches such as debiasing, scenario analyses, and stress testing. While financial and strategic risks are typically managed according to the risk-return trade-off, for nonfinancial risks, the potential downside is often the key consideration.
Finding the right level of risk appetite
Companies need to find the right level of risk appetite, which helps ensure long-term resilience and performance. Risk appetite that is too relaxed or too restrictive can have severe consequences on company financials, as the following two examples indicate:
Too relaxed. One nuclear energy company set its standards for steel equipment in the 1980s and did not review them even when the regulations changed. When the new higher standards were applied to the manufacture of equipment for nuclear power plants, the company fell short of compliance. An earlier adaptation of its risk appetite and tolerance levels would have been significantly less costly.
Too restrictive. A pharma company set quality tolerances to produce a drug to a significantly stricter level than what was required by regulation. At the beginning of production, tolerance intervals could be fulfilled, but over time, quality could no longer be assured at the initial level. The company was unable to lower standards, as these had been communicated to the regulators. Ultimately, production processes had to be upgraded at a significant cost to maintain the original tolerances.
As well as assessing risk based on likelihood and impact, companies must also assess their ability to respond to emerging risks. Capabilities and capacities needed to manage these risks should be evaluated and gaps filled accordingly. Of particular importance in crisis management is the timeliness of an effective response when things go awry. The highly likely, high-impact risk events on which risk management focuses most of its attention often emerge with disarming velocity, taking many companies unawares. To be effective, the enterprise risk management framework must ensure that the two layers are seamlessly integrated. It does this by providing clarity on risk definitions and appetite as well as controls and reporting.
- Taxonomy. A company-wide risk taxonomy should clearly and comprehensively define risks; the taxonomy should be strictly respected in the definition of risk appetite, in the development of risk policy and strategy, and in risk reporting. Taxonomies are usually industry-specific, covering strategic, regulatory, and product risks relevant to the industry. They are also determined by company characteristics, including the business model and geographical footprint (to incorporate specific country and legal risks). Proven risk-assessment tools need to be adopted and enhanced continuously with new techniques, so that newer risks (such as cyberrisk) are addressed as well as more familiar risks.
- Risk appetite. A clear definition of risk appetite will translate risk-return trade-offs into explicit thresholds and limits for financial and strategic risks, such as economic capital, cash-flow at risk, or stressed metrics. In the case of nonfinancial risks like operational and compliance risks, the risk appetite will be based on overall loss limits, categorized into inherent and residual risks (see sidebar, “Finding the right level of risk appetite”).
- Risk control processes. Effective risk control processes ensure that risk thresholds for the specified risk appetite are upheld at all levels of the organization. Leading companies are increasingly building their control processes around big data and advanced analytics. These powerful new capabilities can greatly increase the effectiveness and efficiency of risk monitoring processes. Machine-learning tools, for example, can be very effective in monitoring fraud and prioritizing investigations; automated natural language processing within complaints management can be used to monitor conduct risk.
- Risk reporting. Decision making should be informed with risk reporting. Companies can regularly provide boards and senior executives with insights on risk, identifying the most relevant strategic risks. The objective is to ensure that an independent risk view, encompassing all levels of the organization, is embedded into the planning process. In this way, the risk profile can be upheld in the management of business initiatives and decisions affecting the quality of processes and products. Techniques like debiasing and the use of scenarios can help overcome biases toward fulfilment of short-term goals. A North American oil producer developed a strategic hypothesis given uncertainties in global and regional oil markets. The company used risk modelling to test assumptions about cash flow under different scenarios and embedded these analyses into the reports reviewed by senior management and the board. Weak points in the strategy were thereby identified and mitigating actions taken.
2. Toward robust risk governance, organization, and culture
The risk operating model must be managed through an effective governance structure and organization with clear accountabilities. The governance model maintains a risk culture that strongly reinforces better risk and compliance management across the three lines of defense—business and operations, the compliance and risk functions, and audit. The approach recognizes the inherent contradiction in the first line between performance (revenue and costs) and risk (losses). The role of the second line is to review and challenge the first line on the effectiveness of its risk processes and controls, while the third line, audit, ensures that the lines one and two are functioning as intended.
- Three lines of defense. Effective implementation of the three lines involves the sharp definition of lines one and two at all levels, from the group level through the lines of business, to the regional and legal entity levels. Accountabilities regarding risk and control management must be clear. Risk governance may differ by risk type: financial risks are usually managed centrally, while operational risks are deeply embedded into company processes. The operational risk of any line of business is managed by the business owning the product-development, production, and sales processes. This usually translates into forms of quality control, but the business must also balance the broader impact of risk and P&L. In the development of new diesel engines, automakers lost sight of the balance between compliance risk and the additional cost to meet emission standards, with disastrous results. Risk or compliance functions can only complement these activities by independently reviewing the adequacy of operational risk management, such as through technical standards and controls.
- Reviewing the risk appetite and risk profile. Of central importance within the governance structure are the committees that define the risk appetite, including the parameters for doing business. These committees also make specific decisions on top risks and review the control environment for enhancements as the company’s risk profile changes. Good governance in this case means that risk decisions are considered within the existing divisional, regional, and senior-management governance structure of a company, supported by risk, compliance, and audit committees.
- Integrated risk and compliance governance setup. A robust and adequately staffed risk and compliance organization supports all risk processes. The integrated risk and compliance organization provides for single ownership of the group-wide ERM framework and standards, appropriate clustering of second-line functions, a clear matrix between divisions and control functions, and centralized or local control as needed. A clear trend is observable whereby the ERM layer responsible for group-wide standards, risk processes, and reporting becomes consolidated, whereas the expert teams setting and monitoring specific control standards for the business (including standards for commercial, technical compliance, IT or cyberrisks) become specialized teams covering both regulatory compliance as well as risk aspects.
- Resources. Appropriate resources are a critical factor in successful risk governance. The size of the compliance, risk, audit, and legal functions of nonfinancial companies (0.5 for every 100 employees, on average), are usually much smaller than those of banks (6.9 for every 100 employees). The disparity is partly a natural outcome of financial regulation, but some part of it reflects a capability gap in nonfinancial corporates. These companies usually devote most of their risk and control resources in sector-specific areas, such as health and safety for airlines and nuclear power companies or quality assurance for pharmaceutical companies. The same companies can, however, neglect to provide sufficient resources to monitor highly significant risks, such as cyberrisk or large investments.
- Risk culture. An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models. Especially important are capability-building programs on risk as well as formal mechanisms to assess and reinforce sound risk management practices.
An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models.
3. Crisis preparedness and response
A high-performing, effective risk operating model and governance structure, with a well-developed risk culture minimize the probability of corporate crises , without, of course, completely eliminating them. When unexpected crises strike at high velocity, multinational companies can lose billions in value in the first days and soon find themselves struggling to keep their market position. A best-in-class risk management environment provides the ideal conditions for preparation and response.
- Ensure board leadership. The most important action companies can take to prepare for crises is to ensure that the effort is led by the board and senior management. Top leadership must define the main expected threats, the worst-case scenarios, and the actions and communications that will be accordingly rolled out. For each threat, hypothetical scenarios should be developed for how a crisis will unfold, based on previous crises within and beyond the company’s industry and region.
- Strengthen resilience. By mapping patterns that arose in previous crises, companies can test their own resilience, challenging key areas across the organization for potential weaknesses. Targeted countermeasures can then be developed in advance to strengthen resilience. This crucial aspect of crisis preparedness can involve reviewing and revising the terms and conditions for key suppliers, shoring up financials to ensure short-term availability of cash, or investing in advanced cybersecurity measures to protect essential data and software in the event of failures and breaches.
- Develop action plans and communications. Once these assessments are complete and resilience-building countermeasures are in place, the company can then develop action plans for each threat. The plans must be well articulated, founded on past crises, and address operational and technical planning, financial planning, third-party management, and legal planning. Care should be taken to develop an optimally responsive communications strategy as well. The correct strategy will enable frontline responders to keep pace with or stay ahead of unfolding crises. Communications failures can turn manageable crises into irredeemable catastrophes. Companies need to have appropriate scripts and process logic in place detailing the response to crisis situations, communicated to all levels of the organization and well anchored there. Airlines provide an example of the well-articulated response, in their preparedness for an accident or crash. Not only are detailed scripts in place, but regular simulations are held to train employees at all levels of the company.
- Train managers at all levels. The company should train key managers at multiple levels on what to expect and enable them to feel the pressures and emotions in a simulated environment. Doing this repeatedly and in a richer way each time will significantly improve the company’s response capabilities in a real crisis situation, even though the crisis may not be precisely the one for which managers have been trained. They will also be valuable learning exercises in their own right.
- Put in place a detailed crisis-response playbook. While each crisis can unfold in unique and unpredictable ways, companies can follow a few fundamental principles of crisis response in all situations. First, establish control immediately after the crisis hits, by closely determining the level of exposure to the threat and identifying a crisis-response leader, not necessarily the CEO, who will direct appropriate actions accordingly. Second, involved parties—such as customers, employees, shareholders, suppliers, government agencies, the media, and the wider public—must be effectively engaged with a dynamic communications strategy. Third, an operational and technical “war room” should be set up, to stabilize primary threats and determine which activities to sustain and which to suspend (identifying and reaching out to critical suppliers). Finally, a deliberate effort must be made to address and neutralize the root cause of the crisis and so bring it to an end as soon as possible.
In a digitized, networked world, with globalized supply chains and complex financial interdependencies, the risk environment has grown more perilous and costly. A holistic approach to risk management, based on the lessons, good and bad, of leading companies and financial institutions, can derive value from that environment. The path to risk resilience that is emerging is an effort, led by the board and senior management, to establish the right risk profile and appetite. Success depends on the support of a thriving risk culture and state-of-the-art crisis preparedness and response. Far from minimal regulatory adherence and loss avoidance, the optimal approach to risk management consists of fundamentally strategic capabilities, deeply embedded across the organization.
Daniela Gius is a senior expert in McKinsey’s Hamburg office, Jean-Christophe Mieszala is a senior partner in the Paris office, Ernestos Panayiotou is a partner in the Athens office, and Thomas Poppensieker is a senior partner in the Munich office.
Explore a career with us
The business logic in debiasing
Are you prepared for a corporate crisis?
Nonfinancial risk today: Getting risk and the business aligned
Buy Print Magazine
A Crisis of Diverging Perspectives: U.S.-Russian Relations and the Security Dilemma
Charles E. Ziegler PDF Download -->
Aspects of the relationship between Russia and the United States can be conceptualized as a security dilemma. Each side perceives a serious threat from the other and takes countermeasures that further provoke insecurity for the adversary. Bilateral ties have deteriorated as Russia and the United States engage in political and military competition. For Russia, the major threats are America’s advantage in conventional weaponry, NATO expansion, and the threat of regime change in the form of democracy promotion. For the United States, the primary security threats are Russia’s emphasis on nuclear weapons modernization, its attacks on the American system of democratic government, its willingness to violate the sovereignty of neighboring states, its support for rogue actors, and the developing Russian partnership with China. The potential for conflict is greater than at any time in the past three decades, but assuming both states are acting as defensive realists, cooperation remains a possibility.
U.S.-Russian relations after the Cold War showed great promise. Russia had abandoned its empire in Eastern Europe, the country was transitioning toward a market-oriented, democratic system, and Moscow no longer presented a military threat to American security. But over the past 30 years, each period of optimism has been followed by a significant worsening of relations. The warm personal relationship between U.S. President Bill Clinton and Russian President Boris Yeltsin foundered on NATO expansion and the U.S. military intervention in the Balkans. President Vladimir Putin’s initial support for the American campaign against terrorism in 2001 waned after the Bush administration invaded Iraq in 2003. Relations reached a new low with Putin’s 2007 Munich Security Conference speech where he condemned American unilateralism and the hyper-use of force. The Obama administration’s “reset” in U.S.-Russian relations was severely tested by the U.S. intervention in Libya, while Secretary of State Hillary Clinton’s open support for the White Revolution in Russia from 2011 to 2012, Ukraine’s Euromaidan uprising in 2014 and Russia’s subsequent annexation of Crimea, and the U.S. imposition of sanctions all contributed to a downward spiral in relations. By 2016 a social media campaign by Russian trolls to undermine Hillary Clinton’s bid for the White House stoked divisions in the American electorate and may have helped elect Donald Trump president. Regardless of how effective Russian interference was in tipping the race to Trump, Russian officials were obviously elated about Clinton’s defeat — U.S. intelligence intercepts captured audio of Russian celebrations when Trump’s victory was announced. 1
However, Trump’s victory in the election has not led to better relations. If anything, ties between Russia and the United States have worsened, to the point that many observers are referring to a new Cold War. 2 What explains the mutual hostility and suspicion that have characterized U.S.-Russian relations over the past two decades?
Experts have advanced various explanations for the deterioration in U.S.-Russian relations, which may be divided into two broad categories. The first argues that Russia, historically aggressive and imperialistic, has returned to a pattern of confrontation under Putin. The second explanation focuses much of the blame on the United States, citing Washington’s unilateral exercise of unrestrained power following the Cold War and its cavalier disregard of Russian national interests.
While each side bears some responsibility for the poor state of relations, I argue that much of the U.S.-Russian relationship constitutes a security dilemma, in which defensive actions undertaken by one side increase the other’s insecurity. Russia and the United States are arguably defensive realist powers, yet few studies have analyzed the relationship as a security dilemma. The erosion of American hegemony, decline of international institutions, rejection of arms control agreements, and return of great-power rivalry all contribute to heightened uncertainties and increased potential for conflict. In short, the strategic spiral model would seem appropriate to this confrontational dynamic. Each side is fearful of the other’s intentions, neither understands the security imperatives of their rival, and both engage in behavior that undermines the security of the other. Domestic political vulnerabilities contribute to international tensions, while contrasting geopolitical perspectives are a critical contextual factor shaping the security dilemma. These internal vulnerabilities and differing perspectives serve to heighten insecurity, which is then manifested in exaggerated reactions to alliance expansion, a renewed nuclear arms race to overcome missile defenses, and efforts to interfere in the other’s domestic politics. While the Russian Federation is significantly different from the Soviet Union, determinants of great-power interaction remain relevant for understanding the dynamic between the two countries. War is a real possibility, but the two sides may find opportunities for cooperation and manage to avoid military conflict.
I first briefly sketch out the main arguments of the rival explanations for the deterioration in U.S.-Russian relations, then present the case for a security dilemma approach that develops the role of geography, conflicting norms, and insecurity. The next section outlines Russian reactions to U.S. security initiatives, followed by U.S. reactions to Russia’s security initiatives. The subsequent two sections examine how asymmetric geographic positions and alliance politics contribute to the security dilemma. The conclusion evaluates the utility of the security dilemma approach and briefly considers the prospects for improving U.S.-Russian relations.
Assessing Rival Explanations
Blaming Russia for the breakdown in U.S.-Russian relations has been popular among American politicians across the political spectrum — including, the late John McCain, Hillary Clinton, and John Bolton, among others. A number of foreign policy and Russia specialists have also focused on Russian actions as responsible for the downturn. They cite Putin’s confrontational Munich speech of 2007, the Russo-Georgian War of 2008, the Kremlin’s annexation of Crimea and destabilizing involvement in southeastern Ukraine, the Sergei Skripal poisoning, murders of Russian journalists, informational warfare, and interference in the 2016 presidential elections as evidence that Russia is fundamentally revisionist, hostile, and aggressive toward the United States.
Some observers suggest Russian military action in Georgia and Ukraine provide proof that Putin is attempting to reestablish the czarist or Soviet empire. 3 Putin’s 2005 statement that the collapse of the Soviet Union was “a major geopolitical disaster of the century” is taken as an indication that his goal is to reconstitute a Russian empire, or at least restore hegemony over neighboring states. Agnia Grigas argues that Russian foreign policy has increasingly sought to restore influence over the former Soviet space, especially those territories that are home to large numbers of Russian compatriots, in a form of “reimperialization.” 4 Ingmar Oldberg agrees that Russia’s aggressive actions in the Commonwealth of Independent States region, its hostile information offensive against Europe, its domestic militarism, and its ambitions in the Middle East and Arctic are evidence that Russia is a revisionist, not a status quo, power. 5
Other critics are more measured. Michael McFaul, for example, acknowledges the Russian claim that after the Cold War the United States took advantage of Russia’s weakness to expand NATO, bomb Serbia, invade Iraq, and provide assistance to Georgia and Ukraine. But he asserts “it is revisionism to argue that [the United States] did not embrace Moscow’s new leaders.” 6 The United States and its NATO allies, according to this interpretation, provided well-intentioned support for Russia’s transition away from communism, but Putin rejected a Western-dominated liberal order in favor of nationalist authoritarianism at home and revisionist adventurism abroad. Stephen Sestanovich assesses NATO’s expansion as a means to improve stability and advance American influence but dismisses Russian charges that Washington sought to militarize the continent. Dramatic reductions in U.S. and NATO forces deployed in Europe and the significant reductions in defense expenditures, he suggests, refute Moscow’s claims of Western aggressive intentions. 7
If Russia is indeed defensive and simply reacting to perceived threats from the United States and its allies, then we should expect Moscow to react only to U.S. provocations in its perceived sphere of interests and to develop only sufficient military capabilities to deter the United States and its allies. However, this expectation is only partially supported.
If Russia is indeed aggressive and expansionist, then we should expect Moscow to take advantage of most, if not all, opportunities to reestablish Russian hegemony in the former Soviet space and to build up military capabilities in excess of what is necessary to deter the United States and its NATO allies. But as we shall see, Russia has only partially followed this scenario. In policy terms, the United States would in turn respond with a show of military force and work with its allies to impose painful sanctions and condemn Russia in various international forums. This, in essence, is the approach that Washington has been following since 2014.
A second explanation places more of the blame on the United States. Stephen F. Cohen has argued that the media and much of the Washington establishment have demonized Putin and exaggerated the authoritarian aspects of Russia’s political system. 8 Similarly, Dimitri Simes notes that the United States humiliated Russia after the Cold War by treating it as a defeated state, slighting Russia’s national interests while ignoring the context and historical background behind Russian actions. 9 Daniel Deudney and G. John Ikenberry place much of the blame for U.S.-Russian antagonism on ill-considered American policies that rejected the restraint exercised during the late Cold War in favor of a foreign policy that ignored Russian interests. The expansion of NATO, the U.S. withdrawal from the Anti-Ballistic Missile (ABM) Treaty together with the decision to deploy anti-missile systems, and disputes over pipeline routes from the Caspian region all violated the spirit of the Cold War settlement. 10
Arguments that NATO’s eastward expansion and the 1999 intervention in Kosovo threatened Russian security and were responsible for much of the downturn in bilateral relations echo official Russian statements. 11 John Mearsheimer, a leading realist scholar of international relations, suggests the Ukraine crisis is the West’s fault: Any great power, faced with the expansion of a military bloc toward its borders, would react as Russia did. 12 As early as the mid-1990s, Michael Brown warned that admitting Eastern European nations to the alliance would be counterproductive, boosting radical nationalists and opportunists in Russia who would undermine chances for democracy and push the country toward more aggressive policies. 13 George Kennan, the father of containment, described NATO expansion as a “tragic mistake” and the “beginning of a new cold war.” 14
Drawing on newly released archival materials, recent scholarship finds that NATO enlargement in the Clinton administration, while facilitated by Russian “missteps” (including extensive corruption and the first Chechen War), resulted more from pressure by the Central and Eastern European states and “above all” from the 1994 Republican midterm electoral victory than any military imperative. 15 Joshua Shifrinson demonstrates that during the German reunification negotiations the United States repeatedly offered Russia informal assurances NATO would not expand into Eastern Europe and then exploited Russian weakness to do just that. 16
If Russia is indeed defensive and simply reacting to perceived threats from the United States and its allies, then we should expect Moscow to react only to U.S. provocations in its perceived sphere of interests and to develop only sufficient military capabilities to deter the United States and its allies. However, this expectation is only partially supported. The logical implications of this perspective are that a more nuanced approach acknowledging Russia as a great power with valid security concerns, especially in the former Soviet space, would ease tensions. Russian pride and honor make Kremlin leaders acutely sensitive to American actions that constrain its international status, while Washington’s anti-Russia lobby promotes fear of Russia far out of proportion to any objective threat. 17
The Security Dilemma Argument
Realism holds uncertainty to be a fundamental condition of the international system, a condition that, contrary to the expectations of global optimists, was not resolved with the end of the Cold War. This uncertainty and attempts by states to alleviate threats through various measures lead to the security dilemma. 18 Decision-makers can never fully understand the plans and intentions of the other side (the “other minds” problem), nor can they predict how weapons might be used against them, since few weapons systems are purely offensive or defensive. Each state, in enhancing its power, increases the insecurity of its rival. 19 A security dilemma interpretation of Russian-American relations is not solely an argument for a “blame-free” analysis, and it does not enlighten every facet of the relationship, but it does direct our attention toward distinct perceptual variables that shape policy. As Robert Jervis observed, psychological factors play a major role in the security dilemma, with perceptions and misperceptions contributing to a spiral of mutual hostility potentially leading to war. 20 States may develop hostile images of each other, which was clearly evident throughout the Cold War and has been the case over the past decade or more of Russian-American relations. 21 Under these conditions, a power imbalance on one side fuels insecurity on the other. Arms buildups and modernization programs are interpreted as aggressive rather than defensive behavior, while similar behavior on the part of the self is held to be benign. 22
The complexity of Russian-American ties leads both sides to misread each other’s intentions and overreact to potential threats. Relations have been described as a “wicked problem” — that is, an extremely complex situation comparable to the period before World War I that could easily spiral into conflict. 23 Russian and American leaders, and publics, have powerful perceptions and beliefs that are fundamentally different. Russian political elites believe that “the purpose of U.S. policy is to cause damage to Russia,” and that Washington pursues this policy through NATO expansion, promoting color revolutions, conducting information campaigns, deploying troops in Eastern Europe, and imposing economic sanctions. 24 As Andrej Krickovic has argued, Russia’s internal vulnerabilities — weak institutional legitimacy, national identity issues, and contested borders — constitute a domestic dimension of the security dilemma. Authoritarian leaders fear destabilization by hostile democratic powers and affiliated nongovernmental organizations promoting change. These domestic insecurities lead to aggressive behaviors that generate fears in Washington about Russian intentions, which then lead to countermeasures. 25
American officials, for their part, tend to discount or simply do not recognize the threat that democracy promotion and human rights advocacy pose to authoritarian elites. Russia can justify destabilization measures against Ukraine, the Baltic states, and other post-Soviet states, together with cyber attacks and the development of new weapons systems, as defensive measures in response to U.S. policies, but in Washington they are perceived as offensive actions threatening American interests. Leaders in Congress and the executive branch point to Russian meddling in elections, Moscow’s nuclear modernization programs, the annexation of Crimea and stoking civil war in Ukraine, support for rogue regimes in Syria and Venezuela, alignment with China, and the poisoning of Kremlin opponents in the West. Washington’s response is to attempt to change Russian behavior largely through economic sanctions, which allow the regime to blame the West for Russia’s economic troubles and stoke nationalism. Sanctions increase distrust of the United States and support Putin’s anti-Western narrative but ultimately have failed to alter Russian behavior. 26
Shiping Tang’s analysis of the security dilemma provides a useful framework for analyzing the U.S.-Russian relationship. Of the eight “aspects” he identifies, three are central: “anarchy (which leads to uncertainty, fear, and the need for self-help for survival or security), a lack of malign intentions on both sides, and some accumulation of power (including offensive capabilities).” 27 Tang argues that a security dilemma exists only within the framework of defensive realism, based on the assumption that neither side has malign intentions, but that each is merely seeking to enhance security through various means. From this position, states have conflicts of interest that may be reconcilable or irreconcilable and may be objective or subjective. Tang singles out seven material regulators of the security dilemma: “geography, polarity, military technology (that is, the objective offense-defense balance) … the distinguishability of offensive and defensive weapons … asymmetric power, external actors (allies), and concentration or mixing of ethnic groups.” 28
While it may be debatable that neither the United States nor Russia has malign intentions (a necessity for the security dilemma to operate), it is certainly the case that each side reads hostile intent into the other’s actions.
Historically, Russia’s geographic vulnerability has made establishing buffer zones critical to national security. Erosion of the buffer, as in NATO expansion eastward, is viewed by the Kremlin as a threat to vital security interests and may result in attempts to reestablish a more secure perimeter (as in Ukraine). Regarding the second regulator — polarity — Moscow has criticized the unipolar post-Cold War order as destabilizing and a threat to Russian interests. Russia’s “drifting authoritarianism” and domestic problems, however, prevent reaching a bargain with its adversaries on a new, more favorable international order. 29 Third, Russia is counting on recent advances in military technology to offset perceived American superiority in conventional and offensive weaponry.
Fourth, the two sides are fundamentally at odds over whether the European ballistic missile system is defensive (the U.S. and NATO position) or offensive (the Russian claim). Russian insecurity derives from American and NATO superiority in conventional weaponry, which has led Moscow to stress its nuclear and retaliatory capabilities, thereby fueling Western insecurity. Fifth, the United States wields asymmetrical advantage through the NATO alliance. Russia has attempted to compensate for its relatively isolated position with the Collective Security Treaty Organization and the Eurasian Economic Union, but neither of these constitutes a security alliance comparable to NATO. Finally, the ethnic dimension has factored into Russian aggression against Ukraine and the frozen conflicts in Moldova and Georgia. Defense of Russian compatriots could be used against NATO member states Estonia and Latvia, heightening insecurity among Washington’s NATO allies.
While all seven regulators of the security dilemma are relevant to U.S.-Russian relations, geography and fundamentally contrasting geopolitical perceptions are critical and influence each nation’s security beliefs and commitments. 30 Historically, Russian security has been shaped by its vulnerability to invasion, resulting in centuries of expansion and the creation of buffer zones to slow or deter aggressors. 31 Geographically, the United States has a defensive advantage comparable to that of an island nation, though treaty commitments to NATO and defense of liberal international norms have created an American perception of pervasive threats beyond the North American continent.
Russian and American leaders each believe the other side holds malign intentions and has acted aggressively (that is, attempting to change the status quo). But is that really the case? Ascertaining malign intent is no easy task. The most visible evidence comes from states’ military doctrines and capabilities, though it is almost always debatable whether weapons are primarily offensive or defensive. Perceptions of necessity are predicated on the worst-case scenario, to ensure against potentially catastrophic threats. Other indications of offensive intent may be the forcible acquisition of territory, forming coalitions, or arms buildups. 32 In the context of anarchy and mutual mistrust, perception is more salient than objective reality.
The security dilemma does not come into play when one or both states act offensively and seek to change the status quo, but as Jervis has observed, “Few states are completely satisfied with the status quo.” 33 To treat satisfaction or dissatisfaction with the status quo as a dichotomous variable obscures a range of motives. Hitler’s revisionism in attempting to conquer Europe was quite different from Putin’s revisionism to regain control of Crimea and destabilize Ukraine. Moves perceived by one side as offensive, such as controlling buffer territories or engaging in provocative actions, may be viewed by the other actor as defensive. Jervis notes that Soviet forces were arrayed in an offensive posture in Europe, but the motive was to enhance security rather than initiate a war. He concludes that while the East-West conflict was essentially a clash of social systems, it did contain elements of the security dilemma.
After the Cold War ended, both Russia and the United States, following an initial period of uncertainty and confusion, sought to revise the European security order. 34 In this context, though, it would have been difficult for either actor to favor the status quo. The entire continent was in flux, and the long-term outcome of this transformation was in doubt. Deep ideological divisions no longer existed between the United States and Russia, however, and national interests moved to the fore in official calculations. Revisionism for a hegemonic United States meant expanding and consolidating liberal democratic and market economy gains resulting from the collapse of communism, a goal that encouraged NATO expansion. Revisionism for a severely weakened Moscow consisted of reestablishing spheres of interest befitting a great power along Russia’s periphery and securing recognition as Washington’s coequal in European affairs. Neither side may have been acting from offensive motives, but responses by each to this new and uncertain security environment in some instances led to a security dilemma spiral of mistrust.
There is some evidence that Russia is motivated by revisionist, even imperialist, goals and seeks to expand territorially beyond the gains already made in Ukraine and Georgia. There is also considerable evidence that Moscow is acting defensively and has simply exploited a limited number of opportunities to strengthen its position along the periphery. Russian history may be employed to support the claim for imperial expansion, or it may be used to justify Moscow’s preoccupation with threats from Europe and the need for buffer zones. 35
If the security dilemma approach has explanatory value, then we should observe frequent tit-for-tat responses on both sides to perceived threatening moves by the other. Russia and the United States have objective conflicts of interest, but mutual hostility in recent years has expanded the number of both real and perceived (that is, subjective) disputes and has minimized the number of shared interests. If subjective conflicts of interest are perceived as irreconcilable, the potential for conflict is likely, albeit avoidable. 36 While it may be debatable that neither the United States nor Russia has malign intentions (a necessity for the security dilemma to operate), it is certainly the case that each side reads hostile intent into the other’s actions. The following sections attempt to sort out the central perceptions on both sides shaping the security dilemma, recognizing that it is extremely difficult to assess intentions accurately.
U.S. Security Initiatives and Russian Reactions
Since the end of the Cold War, the United States has engaged in a number of actions that, from Moscow’s perspective, could be considered militarily offensive and not benign. These include NATO expansion, installing ballistic missile defenses in Europe, invading Iraq, supporting color revolutions, and abrogating the ABM Treaty. According to Russian Chief of General Staff Valerii Gerasimov, aggressive U.S. foreign policy strategies combine global military operations and the concept of “multi-sphere battle,” including democracy-promotion programs, American soft power, and Defense Department support for grassroots movements, using the “protest potential” of “fifth columns” to destabilize unfriendly states. 37 U.S. ballistic missile defenses in Europe have proved particularly contentious.
Congressional opposition to the ABM Treaty emerged late in the 1990s, as Republicans pressured the Clinton administration to develop national missile defense systems to counter the threat from rogue states, specifically North Korea and Iraq. Clinton attempted to negotiate an agreement acceptable to the Kremlin, which was adamantly opposed to an American national missile defense system, but Republican senators dismissed the president’s efforts to reassure Russia as jeopardizing U.S. security. 38 Congress overwhelmingly passed, and the president signed, a National Missile Defense Act in July 1999. George W. Bush entered office determined to evade the constraints of the ABM Treaty in order to defend against rogue states and terrorists and in December 2001 gave Moscow formal notice of his intention to withdraw from the treaty. 39 At that time, Putin asserted the decision to dissolve the treaty was a “mistake” but not one that threatened Russia’s national security. In response, however, the Russian government pulled out of the Strategic Arms Reduction Treaty (START II) one day after the United States formally withdrew from the ABM Treaty. 40
Since the end of the Cold War, the United States has engaged in a number of actions that, from Moscow’s perspective, could be considered militarily offensive and not benign. These include NATO expansion, installing ballistic missile defenses in Europe, invading Iraq, supporting color revolutions, and abrogating the ABM Treaty.
The Bush administration’s unilateral withdrawal from the ABM Treaty in 2002 and American plans to deploy ground-based missile defense systems in Alaska, California, and Eastern Europe to counter Iranian missiles coincided with demonstrations of American conventional superiority in Afghanistan and Iraq and increased tensions with Russia. However, U.S. efforts at developing missile defense systems and modernization of nuclear weapons systems proceeded slowly. The Obama administration replaced the Bush plan with a more flexible version of this system — the European Phased Adaptive Approach — which is now some four years behind schedule. Although the new system likely would be ineffective against either Russian intercontinental ballistic missiles or cruise missiles on submarine platforms, Putin has asserted the sites could be used for NATO cruise missile attacks against Russia. 41
American withdrawal from the ABM Treaty was perceived as destabilizing by Moscow because it put Russia’s nuclear deterrent at risk. In his memoirs, Robert Gates recounts that U.S.-Russian relations during the George W. Bush administration were dominated by the missile defense question, along with Washington’s efforts to secure NATO membership for Ukraine and Georgia and the Russo-Georgian War. The American goal was primarily to address the evolving threat of Iranian short- and medium-range missiles. The Eastern European allies, most notably Poland, focused on the threat from Russia and sought U.S. security guarantees. Although the European Phased Adaptive Approach generated a storm of controversy among conservative opponents of the Obama administration, it did little to allay Russian concerns. 42
Russia’s early efforts to develop maneuverable reentry vehicles to counteract anti-ballistic missile systems date to 1997 and 1998, with the first test conducted in 2004. 43 These Russian programs were possibly a response to the intensifying debate in Washington on developing an anti-ballistic missile system, and, if so, reflect a security dilemma logic. Putin referred to America’s development of an anti-ballistic missile complex as “the most important defense issue” in his March 2018 speech to the Russian Federal Assembly. Earlier, Putin had called U.S. withdrawal from the ABM Treaty simply a mistake. Now he claimed the United States was intent on taking advantage of Russian military weakness after the breakup of the Soviet Union. Putin also stated that Russian strategists were “greatly concerned” about the revised U.S. Nuclear Posture Review , specifically the provisions for lowering the threshold for use of nuclear weapons against a conventional or cyber attack. 44
The threat to Russia from American missile defense systems and nuclear modernization programs is the potential for strategic instability. Russian officials and military analysts assert that the European anti-ballistic missile systems will not be limited and will not be utilized solely against Iran as claimed. Taken together with the systems in South Korea and the western United States, Russia’s retaliatory capability would be impacted, forcing Moscow to respond by enhancing its capability to overwhelm U.S. defensive systems. 45 Russian conventional capabilities have improved in recent years, but the provisions in Russian military doctrine suggesting a nuclear response could be employed if the very existence of the state is at risk illustrates Russia’s continuing conventional weakness. 46 However, while Russian leaders vehemently reject the possibility that their nuclear posture might constitute an offensive threat, this “defensive” nuclear posture is perceived by U.S. and NATO security officials as “destabilizing and dangerous.” 47
Putin, Foreign Minister Sergey Lavrov, and other Russian officials have frequently cited NATO expansion as another major threat to the country’s security. However, as Kimberly Marten has pointed out, Foreign Minister Yevgeny Primakov signed the NATO-Russia Founding Act the same year the Visegrad states were admitted to NATO (1997). 48 Russian policy toward the vulnerable enclave of Kaliningrad also suggests that Moscow was more concerned with the Baltic states’ accession to the European Union rather than NATO enlargement. Cooperative rhetoric (Kaliningrad as a “bridge”) only shifted toward more confrontational discourse (Kaliningrad as a “fortress”) between 2002 and 2004, coincident with the color revolutions and U.S. invasion of Iraq. 49 Reinforcing this timeline, attitudinal research conducted in 2001 found that while 53 percent of Russian elites held NATO expansion eastward to be a threat to national security, only 36 percent thought it was important for Russia to prevent NATO enlargement. 50
By the mid-2000s the discourse had shifted to NATO as an enemy, not a partner. In his 2007 speech to the NATO security conference, Putin asserted that NATO expansion was “a serious provocation that reduces the level of mutual trust.” He condemned NATO members’ refusal to ratify the Adapted Treaty on Conventional Armed Forces in Europe and the positioning of American frontline forces on Russian borders. 51 Russia’s 2010 and 2014 military doctrines identified NATO’s military buildup and the expansion of the alliance toward Russian borders as the main external military threat to the Russian Federation. 52
The enlargement of NATO, together with the European Union’s absorption of most Eastern European countries, weakened Moscow’s position in Europe by promoting stronger, democratic states allied with the West. Weak and dysfunctional states along Russia’s periphery — those mired in territorial disputes or frozen conflicts — provide opportunities for Russia to exert influence. The dramatic decrease in U.S. troops stationed in Europe and the deterioration of European defense capabilities in the two decades after the end of the Cold War contradict Putin’s claims of an arms race directed against Russia. Nonetheless, U.S. leaders failed to appreciate how NATO expansion was perceived in the Kremlin as a genuine security threat that required a more assertive posture along Russian borders. 53
In place of the Obama administration’s emphasis on international institutions and alliance structures, the Trump administration adopted a strategy of dramatically increasing military expenditures and pressuring allies to assume more of the burden for their own defense. The 2017 National Security Strategy claims engagement policies pursued over the past two decades — policies that sought to enmesh great-power rivals in a web of political institutions and commercial arrangements — failed to advance U.S. goals. The strategy identifies a return to great-power politics as the major security challenge for the United States. 54 Russia, China, rogue states Iran and North Korea, and terrorism are identified as key threats to American power, interests, and influence globally:
China and Russia challenge American power, influence, and interests, attempting to erode American security and prosperity. They are determined to make economies less free and less fair, to grow their militaries, and to control information and data to repress their societies and expand their influence. 55
Russia’s Ministry of Foreign Affairs described the 2017 U.S. security strategy as confrontational, noting the “anti-Russia proclamations scattered throughout the text” and a vision of international relations as adversarial rather than cooperative. The strategy’s goals included preserving American dominance and preventing Russia (and China) from becoming major powers and was not that different from previous policies. 56 In his response to the strategy document’s publication, presidential spokesman Dmitry Peskov denied Russia was a threat to U.S. security and cited prospects for cooperation on terrorism. Head of the Duma international affairs committee Leonid Slutsky condemned the document as demonizing Russia and essentially continuing Barack Obama’s efforts at preserving a unipolar world order. 57
The 2018 National Defense Strategy , another key document released by the Trump administration, identifies long-term strategic competition with Russia and China as “principal priorities” for the Department of Defense:
Russia seeks veto authority over nations on its periphery in terms of their governmental, economic, and diplomatic decisions, to shatter the North Atlantic Treaty Organization and change European and Middle East security and economic structures to its favor. … China and Russia are now undermining the international order from within the system by exploiting its benefits while simultaneously undercutting its principles and “rules of the road.” 58
In acknowledging that all domains (land, sea, air, space, and cyberspace) are now contested, Washington echoes Moscow’s view that the world is increasingly multipolar and confirms Russian claims that American primacy is slipping. By identifying Russia as a key threat to the United States and a major player in world politics, while abandoning the discourse of global liberalism, the strategy document accords well with Moscow’s perception of 21st-century international politics. 59
To cope with a perceived Russian threat, the United States under the Trump administration is continuing and expanding the Obama administration’s European Deterrence Initiative, rotating forces through Poland and the Baltic states, completing the European ballistic missile defense system, ramping up NATO military exercises, and modernizing the U.S. nuclear arsenal. Though ostensibly defensive in nature, these actions have been portrayed as threatening to Russia by Kremlin leaders. 60 Trust and communication between the two sides are at their lowest level since the end of the Cold War, compounding the problem. Russia claims the United States has demonstrated its aggressive intentions by abrogating key treaties, expanding NATO eastward in violation of its promises, and adopting confrontational (that is, offensive) security postures. The United States responds that its actions are benign and pose no real threat to Russia.
Russian Security Initiatives and U.S. Reactions
Russia’s nuclear and conventional modernization programs and aggressive informational warfare against the West, combined with Putin’s belligerent rhetoric, have generated unease in the United States and Europe. The Russian military is undertaking an extensive modernization of all three legs of the strategic triad: land-based missiles, strategic submarines, and long-distance bombers. However, the argument that this portends a new, threatening form of Russian aggression or is the outcome of bureaucratic politics is not persuasive. Nuclear modernization is designed to ensure Russia’s second-strike nuclear capability, compensate for conventional weakness, and counter the potential for a U.S. missile defense system to undermine Russia’s nuclear deterrent. 61 Rather than change Russian behavior, U.S. reactions have worsened the conditions of the security dilemma.
In his 2018 state of the nation address, Putin asserted that the ABM and New START treaties reduced the likelihood of resorting to nuclear weapons by preserving mutual vulnerability and providing a foundation for trust in the international system. Putin noted that Russia tried to reengage the United States and Europe in discussions about constraining anti-ballistic missile systems and halting NATO’s advance eastward, but without much success: “Nobody wanted to listen to us.” After detailing the modernization of Russia’s conventional and nuclear forces, Putin explained how Russia was expanding and upgrading its forces to counter American anti-ballistic missile systems deployed in Alaska, California, Eastern Europe, South Korea, and Japan, as well as on five cruisers and 30 destroyers close to Russian borders. 62
Russia’s nuclear and conventional modernization programs and aggressive informational warfare against the West, combined with Putin’s belligerent rhetoric, have generated unease in the United States and Europe.
Kremlin leaders have dismissed U.S. assurances that American anti-ballistic missile systems are designed to counter rogue states, insisting their emplacement will devalue Russia’s nuclear deterrent potential. To overwhelm U.S. defenses, Russia is developing a new generation of missiles, including the heavy intercontinental ballistic missile Sarmat, which is more difficult to intercept than the Soviet Voevoda system it was designed to replace. Russia’s defense industry is also developing new types of global-range cruise missiles and unmanned underwater vehicles that do not use ballistic trajectories and so are less likely to be intercepted. In his presentation to the Federal Assembly, Putin showed a much-publicized video of the new Sarmat missile launching multiple nuclear warheads at Florida, to enthusiastic applause from the audience. Putin also identified the hypersonic missile systems Kinzhal and Avangard, new laser weapons, the Burevestnik nuclear-powered cruise missile, and glide wing aircraft as additions to Russia’s strategic inventory. 63
Russia insists these new weapons systems are only for deterrence. Hypersonic cruise missiles and glide vehicles are designed to evade anti-ballistic missile systems and theoretically should preserve the deterrent capability of Russian nuclear systems. However, hypersonic vehicles can be destabilizing since they dramatically reduce the response time after a launch is detected. 64 Moreover, hypersonic vehicles can be used in an offensive capacity and can be fitted either with conventional or nuclear warheads. Russia’s deterrence strategy is more expansive than that of the United States, containing both defensive and offensive elements and employing nuclear and non-nuclear weapons, together with other military and non-military instruments, in an integrated, broad-spectrum strategy. 65 Moscow’s nuclear programs are designed to counter American and NATO superiority in conventional weaponry and reflect a fear of U.S. technological capabilities. As noted earlier, Russia’s military doctrine reserves the right to utilize nuclear weapons in the event of conventional attack against Russia when the existence of the state is threatened. Similarly, in his remarks to the 2018 Valdai Club, Putin emphasized that Russian strategic nuclear doctrine did not call for a preemptive strike, but rather a “launch on warning” posture. Russia has advanced early warning systems, Putin averred, that would allow for an immediate counterattack in the event of aggression. 66
Putin has also averred that, should nuclear war break out, Russians would pursue it and would go to heaven as martyrs. The Western aggressors, by contrast, would simply perish. Putin’s introduction of a messianic element into a discussion of nuclear warfare reflects a perspective that two central elements of Russian statehood are nuclear weapons and Russian Orthodoxy, combining raw power and moral righteousness. 67 Rejecting Western social permissiveness and moral decay, Russia has become the new bastion of Christian conservatism, or in historical terms, the Third Rome. 68 By fomenting a Eurasian ideological messianism to counter America’s liberal messianism, Putin’s rhetoric heightens tensions and contributes to a greater likelihood of conflict.
These uncertainties have contributed to an American response in kind, a classic problem of the security dilemma. In response to Russia’s development of hypersonic vehicles, the Defense Advanced Research Projects Agency successfully lobbied for major increases in U.S. funding for hypersonic weapons. 69 The U.S. Air Force accelerated its hypersonic programs in mid-2018, awarding contracts to Lockheed Martin for the Air-Launched Rapid Response Weapon and the Hypersonic Conventional Strike Weapon. In addition, the Department of Defense is developing hypersonic boost glide technology. 70 Overall, the Defense Department requested $2.6 billion for all hypersonic-related research in fiscal year 2020, though the United States is not expected to field an operational system before 2022. 71
Shorter-range, “tactical” nuclear weapons are an integral part of Russia’s nuclear inventory and are critical to offsetting U.S. and NATO conventional superiority. The Department of Defense’s 2018 Nuclear Posture Review recognized that nuclear weapons served as a deterrent in Russian strategy, but asserted that
Russia may also rely on threats of limited nuclear first use, or actual first use, to coerce us, our allies, and partners into terminating a conflict on terms favorable to Russia. Moscow apparently believes that the United States is unwilling to respond to Russian employment of tactical nuclear weapons with strategic nuclear weapons. 72
Experts on Russian nuclear doctrine, however, are divided on whether Moscow has lowered its nuclear threshold (the supposed “escalate to deescalate” concept), though most acknowledge reliance on nuclear weaponry is likely to decline with conventional modernization. For example, Katarzyna Zysk argues that while Russia’s “defensive” doctrine provides for an increasing role for non-nuclear deterrence, non-strategic nuclear weapons could be used to deescalate tensions. 73 Michael Kofman agrees: “From the outset, Moscow is resolved to the prospect of employing non-strategic nuclear weapons should it find itself on the losing side of a war.” 74 Kristin Ven Bruusgaard, in contrast, finds no evidence for an escalate-to-deescalate concept in Russian nuclear doctrine. 75
While the United States has far fewer tactical nuclear weapons than does Russia, the Joint Chiefs of Staff in 2019 accidently released (and then rescinded) a nuclear operations document that asserted that “using nuclear weapons could create conditions for decisive results and the restoration of strategic stability” during ground operations. As the document noted, “A nuclear weapon could be brought into the campaign as a result of perceived failure in a conventional campaign, potential loss of control or regime, or to escalate the conflict to sue for peace on more-favorable terms.” 76 This position effectively mirrors the supposed escalate to deescalate doctrine frequently attributed to Russia. Renewed emphasis by both sides on the possible use of tactical nuclear weapons to fight and win a nuclear war erodes trust and contributes to the downward spiral. 77
Uncertainty generated by such actions heightens mistrust in the Kremlin and among Russian military strategists. The Trump administration’s Nuclear Posture Review has been described by Western experts as confusing, ambiguous, and blurring the line between nuclear and non-nuclear war, 78 so it is not surprising that Russian policymakers would regard U.S. intentions with suspicion and alarm. Russia’s reaction to the 2018 Nuclear Posture Review rejected the idea that Moscow was responsible for lowering the threshold for the use of nuclear weapons. Russian planners are “deeply concerned” about apparent U.S. willingness to use nuclear weapons in ambiguous situations, including use of low-yield nuclear warheads and American modernization of its strategic arsenal. The Foreign Ministry criticized the “anti-Russian” and confrontational aspects of the Nuclear Posture Review and asserted that Russia had honored all its international treaty obligations, including the Intermediate-Range Nuclear Forces (INF) Treaty, the Budapest Memorandum, and the Open Skies Treaty. 79
NATO had repeatedly raised concerns about Russia’s violation of the INF Treaty based on its development of the 9M729 cruise missile. 80 Trump and his advisers repeated the Obama administration’s claim that Russia was in violation of the treaty’s provisions and expressed concern that China’s intermediate-range ballistic missile deployments in the Western Pacific were not covered by the agreement. 81 In response, Kremlin spokesman Dmitry Peskov said U.S. withdrawal would make the world more dangerous and would necessitate counter-balancing on Russia’s part. 82 During his October 2018 visit to Moscow, national security adviser John Bolton denied allegations that the United States was attempting to blackmail Russia over intermediate-range missiles. After meeting with Bolton, Putin threatened to take countermeasures were the United States to leave the INF Treaty and stated that any European nations hosting intermediate-range ballistic missiles would be targeted for possible retaliatory attacks. 83
Russia has long been dissatisfied with the INF Treaty, seeing it as disadvantageous to Russia and benefiting NATO, since Russia was not allowed to field a ground-launched capability to counter weapons systems that neighboring states were developing. 84 Putin and then-Defense Minister Sergei Ivanov threatened in 2007 to withdraw from the INF Treaty unless other countries were brought into the agreement and reportedly began searching for ways out of the treaty as early as 2008. 85 Russia also developed its intermediate-range capabilities by deploying the Kalibr sea-launched land-attack cruise missile starting in 2015. The missile was used later that year against the opposition in Syria’s civil war, a likely signal to Washington, and in 2019 Russian news agency TASS reported that a land-based version of the missile might be deployed in response to the Trump administration’s withdrawal from the INF Treaty. 86
A number of Russia’s neighbors, including China, have deployed intermediate-range ballistic missiles that could threaten Russia, but Russia could not deploy land-based systems to counter these without being in violation of the treaty. Russia’s close strategic partnership with China makes it difficult for Moscow to cooperate with the United States to pressure Beijing into joining the INF Treaty, and Beijing has flatly refused to participate in negotiations over intermediate-range missiles. The Kremlin made no real effort to address NATO concerns about Russian treaty violations, and in August 2019 the United States and Russia formally withdrew from the treaty.
The United States finds evidence Russia is behaving offensively in violating the INF Treaty, developing destabilizing weapons systems, and advancing a risky nuclear doctrine, along with aggressive positions toward neighboring states and military support for the brutal Syrian regime. From Washington’s perspective, the United States is merely responding to Russia’s confrontational policies and bears little responsibility for Russian actions.
Geography and Vulnerability
Russia and the United States have distinct perspectives on security vulnerability arising from their fundamentally different geographic positions. The United States, through its history, has been isolated by water and borders on weak, largely friendly states. Russia is a continental power vulnerable to land attack and in the past has suffered tremendous devastation from large, powerful neighbors. Russia has indeed adopted aggressive policies toward many of the newly independent countries, but this confrontational posture may be partly defensive, based on a historical perception that spheres of influence and buffer zones are critical to defend the country’s extensive borders and partly motivated by great-power aspirations. 87 The expansion of NATO frustrated expectations that the Eastern European states would serve as a neutral zone between Russia and the United States and its allies.
From its great-power perspective, Russia views the former Soviet republics as its “sphere of privileged interests,” to use Dmitri Medvedev’s term. According to Dmitry Trenin, “the former imperial borderlands of Russia are deemed to be both elements of its power center and a cushion to protect Russia itself from undesirable encroachments by other great powers.” 88 Ukraine, Belarus, and the Baltic states are central to Russian security vis-à-vis Europe. Three are members of NATO, one is aligned with Moscow (albeit tentatively), while the last and most important, Ukraine, has been at the center of tensions with Europe and the United States. A neutral Ukraine serving as a buffer state might be acceptable to Moscow, but instead the West has used economic incentives, political support, and possible membership in NATO to encourage Kyiv to align with the United States and Europe. 89 Following security dilemma logic, Moscow moved quickly in 2014 to reverse the loss of Crimea, destabilize Ukraine, and preempt the possible consolidation of U.S. and E.U. influence in that key state.
Most policymakers in Washington fail to understand the seriousness with which Moscow views NATO enlargement, and specifically the possibility of Ukraine’s admission to the alliance, since the United States has never faced similar land-based challenges to its security.
Russia’s military actions in Ukraine, Georgia, and elsewhere along its borders may be interpreted as imperialist — seeking to recreate a version of the Soviet empire. More persuasive is the argument that Moscow has limited security goals focused on influencing states along its periphery. 90 The Kremlin has not taken advantage of every opportunity to restore influence in the former republics — when Kyrgyzstan’s government asked Russia to send peacekeeping troops to stabilize the Osh region during the 2010 ethnic riots, for example, Moscow demurred. 91 Presumably, the costs of becoming involved in a bitter domestic conflict where the lives of Russian compatriots were not at issue outweighed the benefits.
Most policymakers in Washington fail to understand the seriousness with which Moscow views NATO enlargement, and specifically the possibility of Ukraine’s admission to the alliance, since the United States has never faced similar land-based challenges to its security. 92 It is debatable how significant an American-influenced Ukraine would be as a security threat to Russia, but it is worth noting that the Kremlin pulled out all the stops to mobilize public opinion against the United States. As the Ukraine conflict developed between 2013 and 2014, the Russian government directed state-controlled television channels, from which Russians get the bulk of their news, to frame the situation as an American conspiracy against their country. 93
Modernizing Russia’s military capabilities in the European theater, efforts to expand Russian influence through the Eurasian Economic Union, creation of a Union State with Belarus, and support for breakaway provinces in Moldova and Georgia are typical great-power strategies to preserve security along vulnerable borders. 94 Abrogation of the INF Treaty and NATO’s rotational deployments in Poland and the Baltic states reassure Eastern Europeans that the allies will stand up to Russian aggression. For Moscow, however, these actions confirm that Washington’s goal is to deny Russia a reasonable buffer zone needed to preserve security along its western perimeter. 95
The threat of conventional or “hybrid” aggression against Eastern Europe has heightened fears of Russia, especially in Poland and the Baltic states. 96 The Obama administration supported its newer NATO allies through the European Reassurance Initiative, designed to enhance deterrence and improve the readiness of European forces through increased U.S. presence, exercises, training, pre-positioning, building partnership capacity, and improved infrastructure. In the last year of the Obama administration, the Defense Department requested $3.4 billion be allocated in fiscal year 2017 for the initiative. Under Trump, the Department of Defense increased budgetary requests for the renamed European Deterrence Initiative to $4.8 billion in fiscal year 2018 and $6.5 billion in fiscal year 2019, but then reduced funding in fiscal year 2020 to encourage European allies to pick up more of the cost. 97
While U.S. troops in the region are rotational, rather than being permanently based close to the Russian border, the enhanced NATO presence and military exercises in Eastern Europe have heightened tensions with Moscow. In May 2018, Poland requested that the United States consider permanently stationing troops in Poland, a move the Kremlin suggested would prompt countermeasures. 98 Tensions occasioned by Russia’s continued operations against Ukraine, and the NATO buildup on Russia’s western border, are heightened by joint military exercises conducted by both sides. NATO analysts have criticized Russian exercises as lacking transparency and claim they are not conducted in accordance with Organization for Security and Cooperation in Europe Vienna Document requirements on prior notifications, and therefore are destabilizing. 99 The scale of such exercises has expanded since Trump took office.
In September 2017, Russia conducted the Zapad (West) exercises in its Western Military District with Belarus, reporting numbers just below the 13,000-force threshold that would have required it to permit foreign observers. 100 NATO officials were well aware that Russia had conducted a large exercise (Kavkaz in 2008) just prior to the Georgian war and so were on high alert. 101 In turn, military exercises led by the United States have generated alarmism in Moscow. During the Saber Strike maneuvers in Poland and the Baltic states in June 2018, 18,000 troops practiced rapid response training to counter hypothetical aggression from the East. Russia condemned the operation as undermining stability on the continent and countered with a fake blog account and doctored photo claiming a child was killed during the exercises. 102 The Kremlin was even more incensed when, in October 2018, NATO conducted the largest military exercise since the Cold War, Trident Juncture, with 50,000 troops from 31 nations (including non-members Finland and Sweden) participating in maneuvers in Norway, the Baltic Sea, and the North Atlantic. Defense Minister Sergei Shoigu warned that NATO’s exercise was simulating offensive military action against Russia. 103
Other factors contribute to the sense of uncertainty. Given Trump’s frequent criticisms of NATO allies, the Russian leadership might suspect the U.S. president would not honor Article 5 of the treaty and respond militarily to a Russian incursion in the Baltic states. Putin may be willing to gamble on NATO’s unwillingness to counter Russian adventurism in the Baltic region and thereby risk precipitating a nuclear war. According to one Russian analyst, Moscow’s leaders are confident in their ability to win a nuclear conflict, so the question for the West is whether the costs in blood and treasure of defending these small, distant nations can really be justified. 104 More realistically, any Baltic conflict is likely to follow a version of the Ukraine scenario, with Moscow intervening indirectly (and defensively, from the Russian perspective) to protect threatened Russian compatriots.
Russia further complicates NATO calculations by employing cyber attacks and disinformation that present the alliance with a dilemma of either overreacting and risking war or doing nothing and demonstrating the organization’s impotence. Moscow’s asymmetric approach derives from its relatively weak conventional capabilities and the absence of useful allies in Europe to balance against NATO.
To summarize, Russia’s geographically vulnerable position makes political developments in Eastern Europe and the Caucasus far more salient to Russia’s security than to America’s. Efforts by the United States and Europe to promote democracy and, by extension, consolidate Western influence in Eastern Europe erode the buffer zone and (from Moscow’s perspective) threaten Russian security. Russia’s actions in the “near abroad” have been aggressive. Its goals, however, appear to fall short of reestablishing imperial control over former Soviet space. The U.S. and European response, consisting of military exercises, limited troop deployments, economic sanctions, and political support for Russia’s enemies, increases Russia’s sense of vulnerability and leads to responses in kind.
Alliance Politics and the Security Dilemma
Theoretically, states form alliances in a multipolar world to balance powerful adversaries and enhance their security. 105 But in a unipolar environment, states may have few options in forming alliances to balance a competitor. In a unipolar world, the rationale for alliances is much weaker, and the incentives among weaker members to free-ride and to draw the dominant power into situations where it has few or no vital interests (the moral hazard problem) are great. As the Soviet Union collapsed, NATO expanded from 16 alliance members in 1991 to the present 29, and the organization decided to go out-of-area. The security rationale became less focused but still was perceived in Moscow as a threat to Russian interests.
When the Warsaw Pact collapsed, the alliance decision to preserve NATO, expand its membership, and go out-of-area violated Moscow’s expectations that the United States would reciprocate Russia’s cooperative moves. In security dilemma terms, the United States defected, and the unipolar order excluded the possibility of Russia restoring a comparable alliance to balance NATO. At various points Mikhail Gorbachev, Yeltsin, and Putin all expressed interest in joining NATO within a revised European security framework, but that option was not seriously considered in Brussels or Washington.
With so few reliable allies in Europe, eroding NATO unity has become a key goal for enhancing Russian security. The deployment of additional NATO forces in northern Europe has led Russia to prioritize its foreign policy and defense relationship with Belarus, the last authoritarian state in Europe and a dubious ally at best. Belarus and Russia are joined in a Union State, and Belarus is a member of the Eurasian Economic Union and Collective Security Treaty Organization, but President Alexander Lukashenko maintains his country’s independence by balancing between Russia and the West. 106 Lukashenko refused Russia’s request for a Russian air base in 2013, conducted joint military exercises with the Chinese in 2015, and in 2019 sought to purchase U.S. crude oil in an attempt to reduce dependence on Russia. Considering the poor performance of the Eurasian Economic Union and Moscow’s obvious attempt to dominate the organization, Belarus has kept channels open to the European Union and the United States. Moscow has played down differences, however, with Foreign Minister Lavrov praising Belarus for its support in the U.N. General Assembly on issues relating to Crimea, Syria, and Georgia. 107 Putin has expressed support for the beleaguered dictator in the wake of widespread protests against manipulation of the 2020 presidential election. 108
Russia’s isolated position has also led the Kremlin to emphasize ties with “rogue regimes” including Syria, Iran, and Venezuela. These states are hostile to America and can be counted on to support Russian initiatives. These bilateral relationships are not alliances, but they do allow the Kremlin to exercise influence beyond Russia’s immediate borders. Moscow’s support for these regimes complicates American foreign policy and reinforces the perception of Russia as a spoiler in global politics.
To the east, Russia has discovered a far more important partner in China. Much of Russia’s pivot toward Asia can be explained by the hostile European environment, the Kremlin’s interest in constraining American power, and the need to legitimize Kremlin rule by affirming Russia’s great-power status. 109 On virtually all indicators, the United States remains the world’s most powerful country, but China ranks second on many measures. Russia is the equal of the United States (and China’s superior) only in nuclear weapons. On all other dimensions, especially economic and demographic, it operates from a position of weakness. Russia’s “strategic partnership” with China is clearly directed against the United States and presents significant challenges to Washington. Under the Trump administration, the Russo-Chinese partnership has strengthened, notwithstanding the president’s conciliatory rhetoric toward Moscow. 110
Russia’s isolated position has also led the Kremlin to emphasize ties with “rogue regimes” including Syria, Iran, and Venezuela. These states are hostile to America and can be counted on to support Russian initiatives.
The Chinese-Russian relationship is not a formal alliance, and while the two countries may engage in a form of balancing against the dominant power, they also hedge against each other in the Asia-Pacific. 111 However, policymakers in Washington remain nervous about close military cooperation between Moscow and Beijing. As relations between the United States and Russia, and those between the United States and China, have deteriorated, the Russian-Chinese defense relationship has become more openly directed against American military hegemony in Eastern Europe and the Western Pacific, respectively. Russian-Chinese military cooperation consists of arms sales, 112 joint military exercises, and anti-terrorism coordination through the Shanghai Cooperation Organization. Russia’s military modernization program has led to an expansion of offensive and defensive capabilities in the western and southern military districts, while China’s ballistic missile buildup, the development of attack submarines, and the island construction activities in the South China Sea constrain the U.S. Navy’s ability to maneuver in the Western Pacific. 113
As noted earlier, the United States faces joint opposition from Russia and China to U.S. deployment of anti-ballistic missile systems in Eastern Europe and East Asia. Russia and China see the potential for regionally based anti-ballistic missile systems, together with those located in the United States, as an “interlinked global defensive network” that would erode their strategic deterrents. 114 This is especially threatening given the Nuclear Posture Review ’s emphasis on technological development and blurring the distinction between nuclear and conventional weapons. 115 Since the American position threatens the strategic deterrents of both Russia and China, the administration’s nuclear posture is another factor pushing Russia and China closer together.
In addition to its vital partnership with China, Russia is hedging in Asia by developing ties with India, Japan, South Korea, Pakistan, and the Association of Southeast Asian Nations. Russian analysts assert that the global order is changing and the West is losing its five-century dominance of global affairs. Since the United States failed to subordinate Russia and China as junior partners within the liberal international order, it is now returning to a policy of containment, trying to force countries to take sides in a new bipolar order through the Trump administration’s Indo-Pacific strategy. 116 The United States considers Russia a “revitalized malign actor” in the Indo-Pacific, one that is using economic, diplomatic, and military instruments to reestablish presence and influence lost after the collapse of communism. In addition, Russia frequently collaborates with China to oppose the United States in the U.N. Security Council, promoting a multilateral world order that will weaken the United States and reduce its global influence. 117
Rhetoric notwithstanding, the United States remains dominant in global politics in large part through the hub-and-spoke system of alliances in the Indo-Pacific and through an enlarged NATO in Europe. Alliances are one means by which states augment their power, but the current alliance structure favors only the United States. Russia is severely disadvantaged on this dimension. The United States is in a far stronger position, despite tensions within NATO over burden sharing and uncertainty regarding U.S. willingness to defend small and distant members of the alliance. Moscow perceives NATO as a security threat, or at least claims to — and not without reason. Russia cannot balance NATO and the United States through a roughly equal alliance, as it did during the Cold War, and so must resort to asymmetric measures that are threatening to NATO’s small Eastern European members. Actions on both sides feed into the security dilemma.
If a broad security dilemma approach has value for explaining the downward spiral in Russian-American relations, we should expect tit-for-tat responses to initiatives in the political, military, and alliance realms. We can never be certain that any given action provokes a reaction, but the evidence presented here suggests that in certain cases the security dilemma was operating. In others, the utility of the approach is less apparent.
First, the evidence suggests that NATO expansion did not pose a direct military threat to Russia. U.S. and European troop deployments and military spending declined dramatically from 1990 through 2015. 118 Instead, enlargement symbolized Russian weakness, practically eliminated a historical buffer zone, demonstrated Russia’s inability to control events along its borders, and dismissed Russia’s interests as a great power. NATO’s involvement in the Balkans and U.S. efforts to secure alliance membership for Georgia and Ukraine were justified by the United States as attempts to enhance European security. For Moscow, these actions were offensive in nature, directed against vital Russian interests, resulting in the Kremlin’s use of military force against both countries.
Second, conventional vulnerability, combined with American anti-ballistic missile complexes deployed and planned in Eastern Europe, led Russia to cheat on the INF Treaty and develop new strategic weapons more capable of negating American ballistic missile defenses. Two decades of military budget increases under Putin supported conventional and nuclear modernization. 119 These increases can be explained as defensive sufficiency (simply catching up after the massive declines of the 1990s), or as positioning Russia for offensive regional operations. The Trump administration, like its predecessor, has interpreted these Russian strategic advances as aggressive and has greatly accelerated America’s nuclear program while renouncing arms control agreements, continuing the cycle of strategic modernization and heightening mistrust. 120
Third, U.S. support for color revolutions, the Arab Spring uprisings, and Russia’s White Revolution would not generally be considered an offensive military threat and so would seem not to relate to the security dilemma. Russia’s concept of full-spectrum warfare, however, holds support for popular uprisings to be an existential threat to allies and to Putin’s authoritarian regime. Here, Russian responses to U.S. actions are clear — Moscow has taken a range of actions to contain political threats to Russia and its partners. For the United States, Russia’s interference in U.S. elections and attacks on the American system of democratic government, Moscow’s willingness to violate the sovereignty of neighboring states and its disinformation campaign are viewed as offensive threats — an attempt to destabilize Western societies and compensate for inferior kinetic capabilities. But these measures can also be viewed as defensive, as asserted by Russia’s Ministry of Defense, based on the perception that the West is using information technology (liberal democratic propaganda) as a component of its military strategy. 121
Finally, the two sides have occasionally found various avenues for cooperation. The downward spiral in relations has been interrupted at various points — after the 9/11 terrorist attacks, early in the Obama reset, and during the surge in Afghanistan. At times, Russia and the United States find they have common interests, but the level of distrust and hostility precludes cooperation in many areas.
U.S.-Russian relations exhibited remarkable continuity from the second half of Obama’s administration through Trump’s first term. The two sides reduced channels of communication, trust remained very low, and each side interpreted the other’s behavior as aggressive and threatening. Reflexive anti-Russian positions are evident on both sides of the American political spectrum, while Russian elites have become uniformly anti-American in the Putin era. 122 In short, the two countries appear to be engaged in a downward spiral arising from a security dilemma, where each side perceives a serious threat from the other and takes countermeasures that further provoke insecurity within the adversary.
The security dilemma argument is predicated on defensive realism, the assumption that states are seeking sufficiency in capabilities to deal with threats rather than the clear superiority argued by offensive realists. 123 If this approach is correct, and assuming neither side is acting as a greedy power, then tensions in U.S.-Russian relations can be lowered through measures designed to reduce uncertainty and build trust. 124 Russia’s behavior since the end of the Cold War suggests that it clearly perceives the West — specifically the United States — as a threat. The United States is far superior in conventional weapons, boasts considerably more (and more reliable) allies, and has frequently acted without restraint in its dealings with Russia and other countries. At the same time, Russian behavior under Putin has been highly aggressive, threatening to its neighbors, and is frequently outside the boundaries of international law.
In short, the two countries appear to be engaged in a downward spiral arising from a security dilemma, where each side perceives a serious threat from the other and takes countermeasures that further provoke insecurity within the adversary.
Historically, Russian grand strategy has alternated between imperialism and defensiveness, shaped by a combination of perceived vulnerability of the homeland and opportunities for expansion along the periphery. 125 Soviet foreign policy followed much the same pattern of expansion and coexistence, as one leading scholar described it. 126 U.S. policies since 1992 have been largely indifferent to, or ignorant of, the historical context — the destruction visited on Russia in the 20th century — and Russian leaders perceive the West as taking advantage of Russian weakness. Policymakers in Washington mistakenly assumed that the expansion of friendly democratic states along Russia’s periphery and their incorporation into NATO would enhance American security without threatening Russian interests. Moscow’s response, in the form of military intervention in the “near abroad,” informational warfare against the United States and its allies, and a program of weapons modernization, was viewed as the aggressive behavior typical of a revanchist authoritarian regime. Washington responded by deploying forces to Eastern Europe, imposing a wide range of sanctions, and ratcheting up its already formidable military machine.
How, then, can the two countries slow or reverse the escalatory logic of the security dilemma? One obvious first step would be to increase diplomatic and military-to-military communication and to have more frequent consultations within the NATO-Russia Council to improve trust and reduce the possibility of an accidental engagement. More transparency is needed — especially by Russia — during military exercises. Each side needs to reassure the other that its intentions are purely defensive, although given the level of mutual suspicion that may prove difficult to accomplish.
Second, reaching a settlement on Ukraine would be a major step forward. Ukrainian President Volodymyr Zelensky has indicated a willingness to talk with Moscow, and the Russian public appears to be increasingly weary of the conflict. One possibility would be to grant some form of autonomy to Donetsk and Luhansk in exchange for an end to hostilities and territorial and security guarantees for Kyiv, followed by the deployment of a multilateral peacekeeping force. The United States cannot and should not accept Russian sovereignty over Crimea. But restoring the peninsula to Ukrainian control is highly unlikely in the near future. Treating Ukraine as a de facto buffer zone between Russia and Europe may be controversial, but a solution along these lines could reassure Russia and lower tensions. 127 Such an arrangement would likely involve taking NATO membership off the table for Ukraine (and for Georgia), although NATO should at the same time reaffirm clear support for the security and territorial integrity of its current members.
Third, the two sides need to ratchet back their interference in each other’s internal affairs. Russian meddling in the 2016 and 2020 presidential elections and its use of information warfare against the United States and its allies has contributed to the high levels of distrust and suspicion. The United States could, and should, continue to voice support for democratic ideals and is justified in criticizing authoritarian governments, but Washington should curtail active attempts at regime change. In any event, Western support for color revolution-style popular uprisings has waned as the results have proved mixed at best.
Fourth, an arms race involving a new generation of weapons is highly destabilizing. The INF Treaty may be dead, but Russia and the United States should agree to extend the New START Treaty, which expires in February 2021. Equally important, they should begin negotiations on limiting the development and deployment of potentially destabilizing hypersonic and stealth weapons, and tactical nuclear systems, which could be incorporated under an expanded New START agreement. Since Russian and Chinese nuclear hypersonic programs are more advanced than those of the United States, Washington would benefit by limiting these systems. And negotiations, even in the absence of formal agreements, would generate information about the other side’s capabilities and intentions and would help reduce the suspicions that fuel the security dilemma. Shifting to a no-first-use policy on nuclear weapons would also reduce tensions, though neither side is likely to agree to such a proposal.
Addressing the security dilemma does not mean acquiescing to all of Russia’s demands, but it does suggest that treating Russia with the respect due a great power might lower tensions and lay the groundwork for more substantive agreements. The United States need not concede a sphere of influence to Moscow in the former Soviet space, but it should recognize that Russia has genuine security concerns regarding NATO expansion and democracy-promotion efforts in the former republics. The point is to reduce uncertainty and mistrust that could lead to an unintentional clash, which could rapidly escalate to large-scale conventional or nuclear conflict.
Charles E. Ziegler is professor of political science and university scholar at the University of Louisville. He is the author or editor of five books and over 100 scholarly articles on foreign policy and domestic politics in Russia and Eurasia and has held fellowships from the Council on Foreign Relations, Fulbright Program, IREX, and Hoover Institution. He is the faculty director for the Grawemeyer Award for Ideas Improving World Order and executive director of the Louisville Committee on Foreign Relations. He is currently working on a book on Russia in the Pacific region.
Acknowledgements: I would like to thank Gregory Brew, Michael Brown, Doyle Hodges, Van Jackson, and the anonymous reviewers of the Texas National Security Review for their helpful comments on earlier versions of the manuscript.
Image: Dmitry Ivanov , CC BY-SA 4.0
1 Adam Entous and Greg Miller, “U.S. Intercepts Capture Senior Russian Official Celebrating Trump Win,” Washington Post , Jan. 5, 2017, https://www.washingtonpost.com/world/national-security/us-intercepts-capture-senior-russian-officials-celebrating-trump-win/2017/01/05/d7099406-d355-11e6-9cb0-54ab630851e8_story.html .
2 Robert Legvold, Return to Cold War (Cambridge: Polity, 2016). For an argument against characterizing relations as a new Cold War, see, Andrei P. Tsygankov, Russia and America: The Asymmetric Rivalry (Cambridge: Polity, 2019).
3 Marvin Kalb, Imperial Gamble: Putin, Ukraine, and the New Cold War (Washington, DC: Brookings, 2015); David E. McNabb, Vladimir Putin and Russia’s Imperial Revival (New York: Routledge, 2016).
4 Agnia Grigas, Beyond Crimea: The New Russian Empire (New Haven, CT: Yale University Press, 2016).
5 Ingmar Oldberg, “Is Russia a Status Quo Power?” UlPaper , no. 1 (2016), published by the Swedish Institute of International Affairs, https://www.ui.se/globalassets/butiken/ui-paper/2016/is-russia-a-status-quo-power---io.pdf .
6 Michael McFaul, “Russia as It Is: A Grand Strategy for Confronting Putin,” Foreign Affairs 97, no. 4 (July/August 2018): 82–91, https://www.foreignaffairs.com/articles/russia-fsu/2018-06-14/russia-it .
7 Stephen Sestanovich, “Could It Have Been Otherwise?” The American Interest 10, no. 5 (May/June 2015): 6–15, https://www.the-american-interest.com/2015/04/14/could-it-have-been-otherwise/ .
8 Stephen F. Cohen, War with Russia? From Putin & Ukraine to Trump & Russiagate (New York: Skyhorse Publishing, 2019).
9 Dimitri K. Simes, “Delusions About Russia,” National Interest 163 (September/October 2019): 5–16, https://nationalinterest.org/feature/delusions-about-russia-72321 .
10 Daniel Deudney and G. John Ikenberry, “The Unravelling of the Cold War Settlement,” Survival 51, no. 6 (2009): 39–62, https://doi.org/10.1080/00396330903461666 .
11 Putin’s March 2014 address justifying the annexation of Crimea referenced Kosovo six times. “Address by President of the Russian Federation,” President of Russia, March 18, 2014, http://en.kremlin.ru/events/president/news/20603 ; Steve Gutterman, “Russia Uses 1999 NATO Bombing in Media War Over Crimea,” Reuters , March 24, 2014, https://www.reuters.com/article/us-ukraine-crisis-russia-kosovo/russia-uses-1999-nato-bombing-in-media-war-over-crimea-idUSBREA2N0SC20140324 .
12 John J. Mearsheimer, “Why the Ukraine Crisis Is the West’s Fault,” Foreign Affairs 93, no. 5 (September/October 2014): 77–89, https://www.foreignaffairs.com/articles/russia-fsu/2014-08-18/why-ukraine-crisis-west-s-fault .
13 Michael E. Brown, “The Flawed Logic of NATO Expansion,” Survival 37, no. 1 (1995): 34–52, https://doi.org/10.1080/00396339508442775 ; Michael E. Brown, “Minimalist NATO: A Wise Alliance Knows When to Retrench,” Foreign Affairs 78, no. 3 (May/June 1999): 204–18, https://www.jstor.org/stable/20049354 .
14 Thomas L. Friedman, “Foreign Affairs; Now a Word From X,” New York Times , May 2, 1998, https://www.nytimes.com/1998/05/02/opinion/foreign-affairs-now-a-word-from-x.html .
15 M.E. Sarotte, “How to Enlarge NATO: The Debate Inside the Clinton Administration, 1993–95,” International Security 44, no. 1 (Summer 2019): 7–41, https://doi.org/10.1162/isec_a_00353 .
16 Joshua R. Itzkowitz Shifrinson, “Deal or No Deal? The End of the Cold War and the U.S. Offer to Limit NATO Expansion,” International Security 40, no. 4 (Spring 2016): 7–44, https://doi.org/10.1162/ISEC_a_00236 .
17 Andrei P. Tsygankov, Russophobia: Anti-Russian Lobby and American Foreign Policy (New York: Palgrave Macmillan, 2009); Andrei P. Tsygankov, Russia and the West from Alexander to Putin: Honor in International Relations (Cambridge: Cambridge University Press, 2012).
18 Robert Jervis, Perception and Misperception in International Politics (Princeton, NJ: Princeton University Press, 1976); Robert Jervis, “Cooperation Under the Security Dilemma,” World Politics 30, no. 2 (1978): 167–214, https://www.jstor.org/stable/2009958 ; Ken Booth and Nicholas J. Wheeler, The Security Dilemma: Fear, Cooperation and Trust in World Politics (New York: Palgrave Macmillan, 2008); Shiping Tang, “The Security Dilemma: A Conceptual Analysis,” Security Studies 18, no. 3 (2009): 587–623, https://doi.org/10.1080/09636410903133050 .
19 Booth and Wheeler, The Security Dilemma , 4.
20 Jervis, Perception and Misperception in International Politics .
21 Charles E. Ziegler, “Russian-American Relations: From Tsarism to Putin,” International Politics 51, no. 6 (2014): 671–92, https://www.doi.org/10.1057/ip.2014.32 .
22 Jervis, Perception and Misperception , 67–76. See also, Charles L. Glaser, “The Security Dilemma Revisited,” World Politics 50, no. 1 (1997): 171–201, https://www.jstor.org/stable/25054031 .
23 George S. Beebe, The Russia Trap: How Our Shadow War with Russia Could Spiral into Nuclear Catastrophe (New York: Thomas Dunne, 2019).
24 Andrei A. Sushentsov and Maxim A. Suchkov, “The Nature of the Modern Crisis in U.S.-Russia Relations,” Russia in Global Affairs , Jan. 17, 2019, https://eng.globalaffairs.ru/number/The-Nature-of-the-Modern-Crisis-in-US-Russia-Relations-19914 .
25 Andrej Krickovic, “Catalyzing Conflict: The Internal Dimension of the Security Dilemma,” Journal of Global Security Studies 1, no. 2 (2016): 111–26, https://doi.org/10.1093/jogss/ogw002 .
26 Emma Ashford, “Not-So-Smart Sanctions: The Failure of Western Restrictions Against Russia,” Foreign Affairs 95, no. 1 (January/February 2016): 114–23, https://www.foreignaffairs.com/articles/russian-federation/2015-12-14/not-so-smart-sanctions .
27 Tang, “The Security Dilemma,” 595.
28 Tang, “The Security Dilemma,” 599, 620–21.
29 Andrej Krickovic and Yuval Weber, “Commitment Issues: The Syrian and Ukraine Crises as Bargaining Failures of the Post-Cold War International Order,” Problems of Post-Communism 65, no. 6 (2018): 373–84, https://doi.org/10.1080/10758216.2017.1330660 .
30 Jervis, “Cooperation Under the Security Dilemma,” 183.
31 Stephen Kotkin, “Russia’s Perpetual Geopolitics: Putin Returns to the Historical Pattern,” Foreign Affairs 95, no. 3 (May/June 2016): 2–9, https://www.jstor.org/stable/43946851 .
32 Barry R. Posen, The Sources of Military Doctrine: France, Britain, and Germany Between the World Wars (Ithaca, NY: Cornell University Press, 1984), 15–18.
33 Robert Jervis, “Was the Cold War a Security Dilemma?” Journal of Cold War Studies 3, no. 1 (Winter 2001): 39, https://doi.org/10.1162/15203970151032146 .
34 See, Andrey A. Sushentsov and William C. Wohlforth, “The Tragedy of US-Russian Relations: NATO Centrality and the Revisionists’ Spiral,” International Politics 57 (2020): 427–50, https://doi.org/10.1057/s41311-020-00229-5 ; and Michael Kofman, “Drivers of Russian Grand Strategy,” Frivarld , April 2019, http://frivarld.se/wp-content/uploads/2019/04/Drivers-of-Russian-Grand-Strategy.pdf .
35 Alexander Lanoszka and Michael A. Hunzeker explore competing arguments for revisionist and defensive models of Russian behavior in Conventional Deterrence and Landpower in Northeastern Europe (Carlisle Barracks, PA: U.S. Army War College Press, March 2019), http://www.alexlanoszka.com/lanoszkahunzekerssi.pdf .
36 Tang, “The Security Dilemma,” 601.
37 “Valerii Gerasimov Speech to the Academy of Military Sciences,” Krasnaia zvezda , March 4, 2019, http://redstar.ru/vektory-razvitiya-voennoj-strategii/?attempt=1 .
38 Wade Boese, “Leaked Documents Detail U.S. ABM Strategy: GOP Says Limited NMD Plans Are Not Enough,” Arms Control Association , May 2000, https://www.armscontrol.org/act/2000-05/news/leaked-documents-detail-us-abm-strategy-gop-says-limited-nmd-plans-not-enough .
39 Greg Thielmann, “The National Missile Defense Act of 1999,” Arms Control Association , 2009, https://www.armscontrol.org/act/2009-07/national-missile-defense-act-1999 ; Elizabeth Becker and Eric Schmitt, “G.O.P. Senators Tell Clinton They Oppose Him on ABM Treaty and Defense System,” New York Times , April 22, 2000, https://www.nytimes.com/2000/04/22/world/gop-senators-tell-clinton-they-oppose-him-on-abm-treaty-and-defense-system.html .
40 “ABM Treaty: Putin Statement December 13, 2001,” Department of Defense, Office of Strategic Deterrence and Capabilities, https://www.acq.osd.mil/tc/abm/ABM-PutinDec13.htm . The Russian Duma delayed bringing up the treaty for ratification and then rejected it after the United States left the ABM Treaty. Russia was dissatisfied with the limitations in START II, and in any case, Putin and Bush signed the Strategic Offensive Reductions Treaty (SORT) in May 2002.
41 Ulrich Kühn and Anna Péczli, “Russia, NATO, and the INF Treaty,” Strategic Studies Quarterly 11, no. 1 (Spring 2017): 73, https://www.jstor.org/stable/26271591 . Bush administration plans to deploy anti-ballistic missile systems in Poland and the Czech Republic were abandoned when the Obama administration created the European Phased Adaptive Approach to defend against Iranian intermediate-range missiles. See, Ian Williams, “Achilles’ Heel: Adding Resilience to NATO’s Fragile Missile Shield,” CSIS Brief , Aug. 5, 2019, https://www.csis.org/analysis/achilles-heel-adding-resilience-natos-fragile-missile-shield .
42 Robert M. Gates, Duty: Memoirs of a Secretary at War (New York: Vintage Books, 2015), 159–60, 398–404.
43 From Nikolai Sokov, former Soviet nuclear negotiator and senior fellow at the Middlebury Institute. In, Dave Majumdar, “Why Russia Fears America’s Missile Defenses,” National Interest , Sept. 29, 2017, https://nationalinterest.org/blog/the-buzz/why-russia-fears-americas-missile-defenses-22533 .
44 Vladimir Putin, “Presidential Address to the Federal Assembly,” President of Russia, March 1, 2018, http://en.kremlin.ru/events/president/transcripts/statements/56957 ; Nuclear Posture Review , U.S. Department of Defense, February 2018, https://media.defense.gov/2018/Feb/02/2001872886/-1/-1/1/2018-NUCLEAR-POSTURE-REVIEW-FINAL-REPORT.PDF .
45 Keir Giles with Andrew Monaghan, European Missile Defense and Russia (Carlisle Barracks, PA: U.S. Army War College Press, 2014), 12–18, http://www.dtic.mil/dtic/tr/fulltext/u2/a607174.pdf .
46 The Embassy of the Russian Federation to the United Kingdom of Great Britain and Northern Ireland, “The Military Doctrine of the Russian Federation,” Dec. 25, 2014, 27, https://rusemb.org.uk/press/2029 ; Bettina Renz, Russia’s Military Renewal (Cambridge: Polity Press, 2018), 172.
47 Alexey Arbatov, “Understanding the US-Russia Nuclear Schism,” Survival 59, no. 2 (2017): 34, 55–56, https://doi.org/10.1080/00396338.2017.1302189 .
48 Kimberly Marten, “NATO Enlargement: Evaluating its Consequences in Russia,” International Politics 57 (2020): 401–26, https://doi.org/10.1057/s41311-020-00233-9 .
49 Sergey Sukhankin, “From ‘Bridge of Cooperation’ to A2AD ‘Bubble’: The Dangerous Transformation of Kaliningrad Oblast,” Journal of Slavic Military Studies 31, no. 1 (2018): 15–36, https://doi.org/10.1080/13518046.2018.1416732 .
50 Leonid Kosals, “Russia’s Elite Attitudes to the NATO Enlargement: Sociological Analysis,” NATO-EAPC Research Fellowship Final Report (Moscow: 2001), https://www.nato.int/acad/fellow/99-01/kosals.pdf . NATO ranked fourth in perceived threats behind terrorism, low competitiveness in the global economy, and backwardness in science and technology.
51 Vladimir Putin, “Speech and the Following Discussion at the Munich Conference on Security Policy,” President of Russia, Feb. 10, 2007, http://en.kremlin.ru/events/president/transcripts/24034 .
52 “The Military Doctrine of the Russian Federation,” Feb. 5, 2010, https://carnegieendowment.org/files/2010russia_military_doctrine.pdf ; “The Military Doctrine of the Russian Federation,” 2014, 12.
53 Andrei P. Tsygankov, “The Sources of Russia’s Fear of NATO,” Communist and Post-Communist Studies 51, no. 2 (2018): 101–11, https://doi.org/10.1016/j.postcomstud.2018.04.002 . Also see, Jim Goldgeier, “Promises Made, Promises Broken? What Yeltsin Was Told About NATO in 1993 and Why It Matters,” War on the Rocks , Nov. 22, 2019, https://warontherocks.com/2019/11/promises-made-promises-broken-what-yeltsin-was-told-about-nato-in-1993-and-why-it-matters-2/ .
54 National Security Strategy of the United States , The White House, December 2017, 3 https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf .
55 National Security Strategy , 2.
56 “Kommentarii Departmenta informatsii i pechati MID Rossii v sviazi c novoi Strategiei natsional’noi bezopastnosti SSHA [Comments from the Russian Foreign Ministry’s Department of Information and Press on the New US National Security Strategy],” Ministry of Foreign Affairs of the Russian Federation, Dec. 19, 2017, http://www.mid.ru/ru/foreign_policy/news/-/asset_publisher/cKNonkJE02Bw/content/id/2996962 .
57 Tom Balmforth, “What a Difference a Year Makes: Russian Lawmakers Pan Trump’s Security Doctrine, Kremlin Sees Silver Lining,” Radio Free Europe/Radio Liberty , Dec. 19, 2017, https://www.rferl.org/a/russia-reaction-us-security-doctrine-trump-putin/28927351.html .
58 Summary of the 2018 National Defense Strategy of The United States of America: Sharpening the American Military’s Competitive Edge , U.S. Department of Defense, 2018, 2, https://dod.defense.gov/Portals/1/Documents/pubs/2018-National-Defense-Strategy-Summary.pdf .
59 Fyodor Lukyanov, “Trump’s Defense Strategy is Perfect for Russia,” Washington Post , Jan. 23, 2018, https://www.washingtonpost.com/news/theworldpost/wp/2018/01/23/national-defense-strategy/ .
60 See the remarks by Minister of Defense Sergei Shoigu, “Shoigu: deistviia NATO vynuzhdaiut Rossiiu prinimat’ otvetnye mery dlia bezopastnosti [Shoigu: NATO’s Actions Force Russia to Retaliate for the Country’s Security],” TASS , Feb. 27, 2019, https://tass.ru/armiya-i-opk/6164133 .
61 Elias Götz, “Strategic Imperatives, Status Aspirations, or Domestic Interests? Explaining Russia’s Nuclear Weapons Policy,” International Politics 56 (2019): 810–27, https://doi.org/10.1057/s41311-018-0168-7 .
62 Putin, “Presidential Address to the Federal Assembly.”
63 See, Matthew Gault, “Russia’s New Nuclear Missiles Squeeze Response Time,” Scientific American , March 27, 2019, https://www.scientificamerican.com/article/russias-new-nuclear-missiles-squeeze-response-time/ . In August 2019, a test of the Burevestnik cruise missile at the Nenoksa site in northern Russia resulted in the explosion of a small nuclear reactor, demonstrating the risks of nuclear-powered cruise missiles.
64 Richard H. Speier, George Nacouzi, Carrie A. Lee, and Richard M. Moore, Hypersonic Missile Nonproliferation: Hindering the Spread of a New Class of Weapons (Santa Monica, CA: RAND, 2017); Gault, “Russia’s New Nuclear Missiles Squeeze Response Time.”
65 Kristin Ven Bruusgaard, “Russian Strategic Deterrence,” Survival 58, no. 4 (2016): 7–26, https://doi.org/10.1080/00396338.2016.1207945 .
66 Vladimir Putin, “Meeting of the Valdai International Discussion Club,” President of Russia, Oct. 18, 2018, http://en.kremlin.ru/events/president/news/58848 .
67 On the role of the Russian Orthodox Church in the country’s national security policy and nuclear weapons, see, Dmitry (Dima) Adamsky, “Russian Orthodox Church and Nuclear Command and Control: A Hypothesis,” Security Studies 28, no. 5 (2019): 1010–39, https://doi.org/10.1080/09636412.2019.1662483 .
68 Vadim Shtepa, “Privedet li padenie Tret’ego Rima k Tret’ei mirovoi voine? [Will the Fall of Third Rome Lead to World War III?],” RKK ICDS , Oct. 23, 2018, https://icds.ee/ru/privedet-li-padenie-tretego-rima-k-tr/ .
69 The agency’s funding for Fiscal Year 2019 was projected to more than double to $256.7 million. Matt Stroud, “Inside the Race for Hypersonic Weapons,” The Verge , March 6, 2018, https://www.theverge.com/2018/3/6/17081590/hypersonic-missiles-long-range-arms-race-putin-speech .
70 Dave Majumdar, “The U.S. Military Is Going All In on Hypersonic Weapons,” National Interest , Aug. 14, 2018, https://nationalinterest.org/blog/buzz/us-military-going-all-hypersonic-weapons-28767 .
71 Kelley M. Sayler, “Hypersonic Weapons: Background and Issues for Congress,” Congressional Research Service, July 11, 2019, https://fas.org/sgp/crs/weapons/R45811.pdf .
72 Nuclear Posture Review , U.S. Department of Defense, Feb. 2, 2018, https://media.defense.gov/2018/Feb/02/2001872886/-1/-1/1/2018-NUCLEAR-POSTURE-REVIEW-FINAL-REPORT.PDF .
73 Katarzyna Zysk, “Escalation and Nuclear Weapons in Russia’s Military Strategy,” The RUSI Journal 163, no. 2 (2018): 4–15, https://doi.org/10.1080/03071847.2018.1469267 .
74 Kofman, “Drivers of Russian Grand Strategy.”
75 Kristin Ven Bruusgaard, “The Russian Rogue in the New Nuclear Posture Review,” Policy Roundtable: The Trump Administration’s Nuclear Posture Review, Texas National Security Review , Feb. 13, 2018, https://tnsr.org/roundtable/policy-roundtable-trump-administrations-nuclear-posture-review/ .
76 Joint Chiefs of Staff, Nuclear Operations , June 11, 2019, III-3, V-3, https://fas.org/irp/doddir/dod/jp3_72.pdf .
77 Hans M. Kristensen and Matt Korda, “Tactical Nuclear Weapons, 2019,” Bulletin of the Atomic Scientists 75, no. 5 (2019): 252–61, https://doi.org/10.1080/00963402.2019.1654273 .
78 Seyom Brown, “The Trump Administration’s Nuclear Posture Review (NPR): In Historical Perspective,” Journal for Peace and Nuclear Disarmament 1, no. 2 (2018): 268–80, https://doi.org/10.1080/25751654.2018.1494092 . For an excellent extended discussion of the Nuclear Posture Review by six leading experts, see, “Policy Roundtable: The Trump Administration’s Nuclear Posture Review,” Texas National Security Review , Feb. 13, 2018, https://tnsr.org/roundtable/policy-roundtable-trump-administrations-nuclear-posture-review/ .
79 “Comment by the Information and Press Department on the New US Nuclear Posture Review,” Ministry of Foreign Affairs of the Russian Federation, Feb. 3, 2018, http://www.mid.ru/en/foreign_policy/news/-/asset_publisher/cKNonkJE02Bw/content/id/3054726 .
80 “NATO and the INF Treaty,” NATO, Aug. 2, 2019, https://www.nato.int/cps/en/natohq/topics_166100.htm .
81 David E. Sanger and William J. Broad, “U.S. to Tell Russia It Is Leaving Landmark I.N.F. Treaty,” New York Times , Oct. 19, 2018, https://www.nytimes.com/2018/10/19/us/politics/russia-nuclear-arms-treaty-trump-administration.html .
82 “Kremlin Not Welcoming Termination of INF Treaty when no Hints at New One Exist,” TASS , Oct. 23, 2018, http://tass.com/politics/1027327 .
83 “Bolton Says U.S. not Blackmailing Russia with INF Pullout Pledge,” Radio Free Europe/Radio Liberty , Oct. 22, 2018, https://www.rferl.org/a/us-russia-bolton-meeting-moscow-lavrov-putin-trump-inf-nuclear-gorbachev/29556555.html ; “Putin: Russia Will Target Nations Hosting U.S. Missiles,” Radio Free Europe/Radio Liberty , Oct. 24, 2018, https://www.rferl.org/a/putin-russia-target-nations-hosting-u-s-missiles/29562100.html .
84 Vladimir Putin, “Speech and the Following Discussion at the Munich Conference on Security Policy,” President of Russia, Feb. 10, 2007, http://en.kremlin.ru/events/president/transcripts/24034 .
85 Vladimir Frolov, “Russia’s Superpower Status Teeters with INF Treaty,” Moscow Times , Oct. 24, 2018, https://themoscowtimes.com/articles/russias-superpower-status-teeters-with-inf-treaty-op-ed-63293 .
86 “Russia May Develop Land-based Kalibr Cruise Missile by End of Year — Source,” TASS , Feb. 7, 2019, https://tass.com/defense/1043620 .
87 See, Yury E. Federov, “Continuity and Change in Russia’s Policy Toward Central and Eastern Europe,” Communist and Post-Communist Studies 46, no. 3 (2013): 315–26, https://doi.org/10.1016/j.postcomstud.2013.06.003 .
88 Dmitri Trenin, “Russia’s Spheres of Interest, not Influence,” Washington Quarterly 32, no. 4 (2009): 4, https://doi.org/10.1080/01636600903231089 . Medvedev’s remarks were carried on several Russian TV channels on Aug. 31, 2008, shortly after the war with Georgia.
89 See, Rajan Menon and Jack Snyder, “Buffer Zones: Anachronism, Power Vacuum, or Confidence Builder?” Review of International Studies 43, no. 5 (2017): 962–86, https://doi.org/10.1017/S0260210517000122 . Their analysis suggests that the conditions for Ukraine to serve as an effective buffer state are absent.
90 Elias Götz, “Putin, the State, and War: The Causes of Russia’s Near Abroad Assertion Revisited,” International Studies Review 19, no. 2 (2017): 228–53, https://doi.org/10.1093/isr/viw009 .
91 Michael Schwirtz, “Kyrgyzstan Seeks Russian Help to Quell Unrest,” New York Times , June 12, 2010, https://www.nytimes.com/2010/06/13/world/asia/13kyrgyz.html .
92 For a range of Western perspectives on the motivations behind Russian actions in Ukraine, see the special issue of Contemporary Politics : “Russia, the West, and the Ukraine Crisis,” 22, no. 3 (2016), https://www.tandfonline.com/toc/ccpo20/22/3 .
93 Denis Volkov, “Anti-American Sentiment in Post-Soviet Russia: Dynamics and Contemporary Characteristics,” Russian Politics and Law 56, nos. 1–2 (2018): 119–20, https://doi.org/10.1080/10611940.2018.1686923 .
94 Mearsheimer, “Why the Ukraine Crisis Is the West’s Fault.”
95 See, Federov, “Continuity and Change in Russia’s policy Toward Central and Eastern Europe”; Tsygankov, “The Sources of Russia’s Fear of NATO.”
96 For a critique of the “hybrid warfare” concept, see, Bettina Renz, “Russia and ‘Hybrid Warfare,’” Contemporary Politics 22, no. 3 (2016): 283–300, https://doi.org/10.1080/13569775.2016.1201316 . The Russian perspective, ironically, is derived from its interpretation of Western strategy.
97 Jen Judson, “Funding to Deter Russia Reaches $6.5B in FY19 Defense Budget Request,” Defense News , Feb. 12, 2018, https://www.defensenews.com/land/2018/02/12/funding-to-deter-russia-reaches-65b-in-fy19-defense-budget-request/ ; Paul D. Shinkman, “Trump Proposes Cutting Key Fund to Deter Russian Aggression,” U.S. News & World Report , March 12, 2019, https://www.usnews.com/news/politics/articles/2019-03-12/trump-proposes-cutting-key-fund-to-deter-russian-aggression .
98 “Kremlin Says U.S. Military Presence in Poland Would Undermine European Stability,” Radio Free Europe/Radio Liberty , May 30, 2018, https://www.rferl.org/a/kremlin-says-us-military-presence-poland-undermine-european-stability/29258405.html .
99 Dave Johnson, “ZAPAD 2017 and Euro-Atlantic Security,” NATO Review , Dec. 14, 2017, https://www.nato.int/docu/review/2017/also-in-2017/zapad-2017-and-euro-atlantic-security-military-exercise-strategic-russia/EN/index.htm .
100 Johnson cites Western estimates of 60,000–70,000 troops participating in the Zapad exercise. Keir Giles suggests the media, NATO officials, and some military analysts greatly exaggerated the number of Russian forces involved in Zapad-2017. Keir Giles, “Russia Hit Multiple Targets with Zapad-2017,” Carnegie Endowment for International Peace , Jan. 25, 2018, https://carnegieendowment.org/2018/01/25/russia-hit-multiple-targets-with-zapad-2017-pub-75278 .
101 Johnson, “ZAPAD 2017.” Giles assessed the exercises as defensive, not offensive: “Zapad-2017 practiced countermeasures for two of Russia’s perceived greatest vulnerabilities: protection of its border regions and prevention of hostile actors exploiting fissures in Russian society or in the alliance with Belarus.” See, Giles, “Russia Hit Multiple Targets with Zapad-2017.”
102 Eric Schmitt, “In Eastern Europe, U.S. Military Girds Against Russian Might and Manipulation,” New York Times , June 27, 2018, https://www.nytimes.com/2018/06/27/us/politics/american-allies-russia-baltics-poland-hybrid-warfare.html .
103 David Brennan, “Russia Furious as NATO Launches 31-Nation Military Exercise in Largest Drill Since Cold War,” Newsweek , Oct. 25, 2018, https://www.newsweek.com/russia-furious-nato-launches-31-nation-military-exercise-largest-drill-cold-1186904 .
104 Andrei Piontkovskii, “Khotiat li Russkie iadernoi voiny? [Do the Russians Want Nuclear War?],” Kasparov.ru , Nov. 16, 2018, http://www.kasparov.ru/material.php?id=5BEF2845504AC .
105 Glenn H. Snyder, “The Security Dilemma in Alliance Politics,” World Politics 36, no. 4 (1984): 461–95, https://www.jstor.org/stable/2010183 .
106 See, Ryhor Astapenia and Dzmitry Balkunets, Belarus-Russia Relations After the Ukraine Conflict (Minsk/London: Ostrogorski Centre, 2016), https://belarusdigest.com/papers/belarus-russia-relations.pdf ; Todd Prince, “Belarus’s Lukashenka, Weary of Russia Union, Seeks to Buy U.S. Crude,” Radio Free Europe/Radio Liberty , Aug. 23, 2019, https://www.rferl.org/a/belarus-lukashenka-us-oil-purchase-russia-reliance/30124113.html .
107 “Lavrov: NATO’s Military Build-up Near Russia’s Borders Requires Special Attention,” TASS , June 19, 2018, http://tass.com/politics/1010185 .
108 Andrew Higgins, “Embattled Belarus Strongman Travels to Russia to Seek Help from Putin,” New York Times , Sept. 14, 2020, https://www.nytimes.com/2020/09/14/world/europe/belarus-russia-lukashenko-putin.html .
109 On this, see, Jeanne L. Wilson, “Russia’s Relationship with China: the Role of Domestic and Ideational Factors,” International Politics 56 (2019): 778–94, https://doi.org/10.1057/s41311-018-0167-8 .
110 See, Richard J. Ellings and Robert Sutter, eds., Axis of Authoritarians: Implications of China-Russia Cooperation (Seattle, WA: National Bureau of Asian Research, 2018).
111 See, Alexander Korolev, “Systemic Balancing and Regional Hedging: China-Russia Relations,” Chinese Journal of International Politics 9, no. 4 (2016): 375–97, https://doi.org/10.1093/cjip/pow013 .
112 From 2000 to 2019, Russia supplied more weapons to China (just over $30 billion worth) than any other country except India (just under $35 billion). Stockholm International Peace Research Institute, Importer/Exporter TIV Tables, http://armstrade.sipri.org/armstrade/page/values.php .
113 Charles Dick, Russian Ground Forces Posture Towards the West (London: Chatham House, 2019), https://www.chathamhouse.org/publication/russian-ground-forces-posture-towards-west ; Richard Weitz, “Growing China-Russia Military Relations: Implications and Opportunities for U.S. Policy,” in Axis of Authoritarians , ed. Richard J. Ellings and Robert Sutter (Seattle, WA: National Bureau of Asian Research, 2018).
114 Weitz, “Growing China-Russia Military Relations,” 85–86.
115 Beebe, The Russia Trap , 110–13.
116 Sergei Karaganov and Dmitry Suslov, “A New World Order: A View from Russia,” Russia in Global Affairs , Oct. 4, 2018, https://eng.globalaffairs.ru/pubcol/A-new-world-order-A-view-from-Russia--19782 .
117 Indo-Pacific Strategy Report , U.S. Department of Defense, June 1, 2019, https://media.defense.gov/2019/Jul/01/2002152311/-1/-1/1/DEPARTMENT-OF-DEFENSE-INDO-PACIFIC-STRATEGY-REPORT-2019.PDF , 11–12.
118 See, Marten, “NATO Enlargement: Evaluating its Consequences in Russia.”
119 Russia’s military budget increased from $48 billion in 2008 to $82.6 billion in 2016, and then declined to $66.5 billion in 2017 and $61.4 billion in 2018. Spending in 2019 increased to $65.1 billion (in constant 2018 U.S. dollars). Stockholm International Peace Research Institute Military Expenditure Database, https://www.sipri.org/commentary/topical-backgrounder/2020/russias-military-spending-frequently-asked-questions . Michael Kofman and Richard Connolly argue that Russia’s actual expenditures are much higher — in the range of $150 billion to $180 billion annually from 2014 to 2018 when calculated in purchasing power parity. Michael Kofman and Richard Connolly, “Why Russian Military Expenditure Is much Higher than Commonly Understood (as Is China’s),” War on the Rocks , Dec. 16, 2019, https://warontherocks.com/2019/12/why-russian-military-expenditure-is-much-higher-than-commonly-understood-as-is-chinas/ . Even the higher estimate puts Russian spending at about one-fourth that of the United States.
120 Dmitri Trenin, “Russian Views of US Nuclear Modernization,” Bulletin of the Atomic Scientists 75, no. 1 (2019): 14–18, https://doi.org/10.1080/00963402.2019.1555991 .
121 “Kontseptual’nye vzgliady na deiatel’nost’ vooruzhennykh sil Rossiiskoi Federatsii v informatsionnom prostranstve” [Conceptual Views on the Activities of the Russian Federation Armed Forces in Information Space], Russian Federation Ministry of Defense, 2011, http://www.pircenter.org/media/content/files/9/13480921870.pdf .
122 Emma Ashford, “How Reflexive Hostility to Russia Harms U.S. Interests,” Foreign Affairs , April 20, 2018, https://www.foreignaffairs.com/articles/russian-federation/2018-04-20/how-reflexive-hostility-russia-harms-us-interests ; Sharon Werning Rivera and James D. Bryan, “Understanding the Sources of Anti-Americanism in the Russian Elite,” Post-Soviet Affairs 35, nos. 5–6 (2019): 376–92, https://doi.org/10.1080/1060586X.2019.1662194 .
123 Jervis, “Cooperation Under the Security Dilemma.”
124 See, Charles L. Glaser, “Political Consequences of Military Strategy: Expanding and Refining the Spiral and Deterrence Models,” World Politics 44, no. 4 (1992): 497–538, https://www.jstor.org/stable/2010486 .
125 On the history of Russia’s grand strategy, see, William C. Fuller Jr., Strategy and Power in Russia 1600-1914 (New York: Free Press, 1992); John P. LeDonne, The Grand Strategy of the Russian Empire, 1650-1831 (New York: Oxford University Press, 2004).
126 Adam B. Ulam, Expansion and Coexistence: Soviet Foreign Policy, 1917-1973 , 2nd ed. (New York: Praeger, 1974).
127 See, Thomas Graham, Rajan Menon, and Jack Snyder, “Ukraine Between Russia and the West: Buffer or Flashpoint?” World Policy Journal 34, no. 1 (2017): 107–18, https://doi.org/10.1215/07402775-3903592 .
Charles E. Ziegler
Related articles, why did the united states invade iraq the debate at 20 years.
Twenty years after the Iraq War began, scholarship on its causes can be usefully divided into the security school and the hegemony school. Security school scholars argue that the main reason the Bush administration decided to invade Iraq was to safeguard the…
Thinking About Post-War Ukraine
As the war in Ukraine continues, it is not too early to consider the significant financial assistance that will be required to help Ukraine recover, once the war comes to an end. Henrik Larsen lays out a road map for how to ensure that post-war Ukraine can…
Marine Force Design: Changes Overdue Despite Critics’ Claims
The Marine Corps’ Force Design 2030, written under the direction of the 38th commandant of the Marine Corps, Gen. David Berger, has been the target of much criticism since its release in 2020. In this article, former Undersecretary of the Navy and Deputy…
Strategic Risk Management: A Complete Overview (With Examples) Execute strategy like Porsche, AstraZeneca & UNICEF. Try Cascade, the #1 Strategy Execution platform. Get started for free Article by Cascade Team — Published December 22, 2022 What is strategic risk? Strategic risk is the probability of the organization's strategy failing.
6 Steps to Building a Strategic Risk Plan: Define your business's objectives and strategy. As above, some of your risks will stem from your strategic decisions; others may impact them. Identifying your strategy and aims is an essential first step. Determine the measures you will use to monitor performance.
Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.
"Strategic risk management" then can be defined as "the process of identifying, assessing and managing the risk in the organization's business strategy—including taking swift action when risk is actually realized."
Strategy risks, or strategic risks, are events or decisions that can affect different areas of the business. These are often decisions that companies take that can be dangerous, but the potential outcome can outweigh the risk.
Last updated: Aug 4, 2022 • 5 min read Strategic risk is the risk of potential failures in strategic planning, which may lead to a company not achieving its core objectives. Learn more about strategic risk and how it can impact your business's decision-making. Learn From the Best Arts & Entertainment Music Business Sports & Gaming Writing
Strategic risk management is the process by which the strategy of an organisation (or a strategic programme) is formally accessed for any risks that might affect them. You can deliver a project or programme on time, to budget and meet all your declared programme objectives; likewise, all your business operations could be functioning as expected.
Strategic risk management is the process of identifying, quantifying, and mitigating any risk that affects or is inherent in a company's business strategy, strategic objectives, and strategy execution. Types of strategic risks may include: Shifts in consumer demand and preferences Legal and regulatory change Competitive pressure Merger integration
Strategic risk is a category of risk; alongside operational, financial, regulatory and other business risks, it forms part of the umbrella of risks your organization faces. When we look at strategic risk examples, they are generally defined as those that threaten a business's ability to set and implement its chosen strategy.
Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings. These risks stem from a variety of sources, including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters.
Risk management encompasses the identification, analysis, and response to risk factors that form part of the life of a business. Effective risk management means attempting to control, as much as possible, future outcomes by acting proactively rather than reactively.
A U.S. investigation commission attributed the disaster to management failures that crippled "the ability of individuals involved to identify the risks they faced and to properly evaluate,...
A risk management strategy is a structured approach to addressing risks, and can be used in companies of all sizes and across any industry. Risk management is best understood not as a series of steps, but as a cyclical process in which new and ongoing risks are continually identified, assessed, managed, and monitored.
What is a risk management strategy? Having a risk management strategy is critical to dealing with the many risks that your organisation could face. Learn what this means and how to do it. Solutions SOLUTIONS Audit and risk
Risk Management: In the financial world, risk management is the process of identification, analysis and acceptance or mitigation of uncertainty in investment decisions. Essentially, risk ...
MoSCoW prioritization, also known as the MoSCoW method or MoSCoW analysis, is a popular prioritization technique for managing requirements. The acronym MoSCoW represents four categories of initiatives: must-have, should-have, could-have, and won't-have, or will not have right now. Some companies also use the "W" in MoSCoW to mean "wish.".
On strategic opportunities and risk trade-offs, boards should foster explicit discussions and decision making among top management and the businesses. This will enable the efficient deployment of scarce risk resources and the active, coordinated management of risks across the organization.
Aspects of the relationship between Russia and the United States can be conceptualized as a security dilemma. Each side perceives a serious threat from the other and takes countermeasures that further provoke insecurity for the adversary. Bilateral ties have deteriorated as Russia and the United States engage in political and military competition. For Russia, the major threats are America's ...
I am a person you can rely on for honesty and quality. Well-versed in leading strategic roles, I enjoy engineering customised solutions for business needs and piloting new ways of work. | معرفة المزيد حول تجربة عمل Olga Zhuk وتعليمه وزملائه والمزيد من خلال زيارة ملفه الشخصي على LinkedIn
4) Designed a strategic session for the top management of an international energy company and helped the team to adopt sustainability and climate strategy with more ambitious goals than market ...