.png)
When Reasonable Decisions Compound into Strategic Risk
- Julien Haye
- 4 hours ago
- 16 min read
Introduction – Seeing Strategic Risk Upstream
Strategic risk defines how well an organisation makes decisions under uncertainty. It determines whether ambition, governance, and delivery capacity remain aligned as conditions change. Most strategic failures are not caused by unforeseen events. They emerge from how choices are framed, assumptions are treated, and commitments are made long before outcomes are visible.
Traditional approaches to strategic risk tend to focus on identification and monitoring. Risks are catalogued, scenarios are reviewed, and indicators are tracked. These activities create visibility after decisions are taken, but they do little to shape exposure at the point where it is created. As a result, it is often discussed once delivery pressure appears, not when options are still open.
In practice, strategic risk accumulates quietly. Incremental trade-offs are accepted to maintain momentum. Assumptions that once held begin to weaken as conditions evolve. Early signals are visible, though they are frequently discounted because performance remains within tolerance. By the time escalation occurs, strategic flexibility has already narrowed.
Boards and executives increasingly recognise this pattern. The challenge is not a lack of information or frameworks. It is the absence of consistent discipline in how strategic decisions are governed. Strategic risk is shaped upstream, through decision rights, escalation discipline, risk appetite, and the behavioural conditions that determine whether challenge arrives early or late.
This article examines strategic risk through that lens. It explains how it is created through choice, why it accumulates over time, and how governance design influences whether exposure is surfaced while decisions are still reversible. The aim is not to provide another risk taxonomy, but to clarify how leaders can govern strategic risk where it actually forms.
TABLE OF CONTENTS
Strategic Risk Starts with Choice
Strategic risk is created at the moment an organisation commits to a course of action. It arises from the short term or long term decisions leaders make, the assumptions they accept, and the obligations they take on in pursuit of their business objectives.
Strategic risk can be defined as the exposure generated by strategic choices, including where to compete, how to allocate resources, and which assumptions are relied upon to deliver intended outcomes.
Strategic risk is a type of business risk created by strategic planning choices, not by day-to-day operational activity.
It exists before execution begins and before any control is designed. Once a decision is taken, exposure is already embedded.
This is why strategic risk cannot be understood as an outcome of delivery failure. Operational breakdowns, missed milestones, or control weaknesses may reveal this risk, yet they do not create it. The exposure was present at the point of commitment, shaped by ambition, timing, scale, and dependency.
Because strategic risk is formed upstream, it cannot be delegated to frameworks, policies, or risk registers. These mechanisms play an important role in governance and oversight, although they operate after exposure has already been accepted. They manage consequences rather than determine whether the risk was taken knowingly, deliberately, and within the organisation’s capacity.
Strategic risk therefore sits squarely with leadership as part of strategic planning and definition of the business strategy. It is a function of how decisions are framed under uncertainty, how trade-offs are assessed, and how assumptions are tested before commitments become difficult to reverse. Treating this risk as a technical artefact obscures this reality. Treating it as a leadership responsibility makes exposure visible when it still matters.
Distinguishing Strategic Risk from Risk Strategy
Strategic risk describes the exposure created by strategic choice. Risk strategy describes how an organisation governs and manages risk in pursuit of its objectives.
The two are related, although they are not interchangeable.
This type of risk arises because leaders decide where to compete, how to allocate capital, which capabilities to build, and which assumptions to rely on. Exposure is created through these choices, whether or not it is formally articulated. This risk is therefore an outcome of decision-making.
Risk strategy is a deliberate design response. It defines how exposure is framed, challenged, and governed across the organisation, including risk appetite, decision rights, escalation discipline, and the capabilities used to inform judgement. Risk strategy does not create exposure. It shapes whether exposure is taken consciously.
A clear distinction restores discipline. Strategy creates exposure. Risk strategy governs how that exposure is surfaced, debated, and constrained. When the boundary is understood, strategic accountability remains with leadership and risk retains its independence as a source of challenge.
Discover the Aevitium Integrated Risk Management Framework™
Unify strategy, governance, and culture with our 9-step advisory approach. Learn how boards and executives can strengthen resilience and embed risk into decision-making.
Why the Distinction Breaks Down in Practice
In practice, the distinction between strategic risk and risk strategy erodes under delivery pressure.
Risk strategy is often developed after strategic commitments have already been made. By the time appetite statements are approved or governance frameworks are refreshed, exposure has been accepted and options have narrowed. Risk then operates downstream of choice, managing consequences rather than informing judgement.
The breakdown is reinforced when risk appetite is treated as descriptive rather than directive. Appetite statements articulate tolerance in principle, yet they do not shape capital allocation, sequencing, or prioritisation decisions. When appetite does not influence commitment, it becomes a reporting artefact rather than a strategic constraint.
The boundary also weakens when risk functions are drawn into defending outcomes. As execution challenges surface, risk is asked to provide assurance that decisions were reasonable rather than to challenge whether they were framed appropriately. This shifts risk from an independent source of scrutiny to a participant in justification.
These dynamics produce the appearance of strong governance. Committees meet, frameworks are referenced, and risk language is visible. Insight, however, is diluted. Strategic risk is discussed once delivery issues arise, not when exposure is being created. Assurance increases while foresight declines.
The result is not a failure of intent. It is a structural consequence of allowing risk strategy to substitute for strategic judgement. Where the distinction is blurred, governance activity expands and strategic risk discipline weakens.
Strategic Risk as a Design Outcome
Strategic risk is an output of organisational design.
Operating models, funding structures, and governance arrangements determine where exposure concentrates and how sensitive the organisation becomes to change.
Design choices shape risk long before performance is tested. Decisions about centralisation, sourcing, investment horizons, and control span define how tightly activities are coupled and how easily the organisation can adapt.
Sequencing and scale matter. Commitments made early constrain options later, while interdependencies create pathways through which stress travels quickly across the system. Strategic design choices determine how exposed the organisation becomes to economic risk and external events such as regulatory change, market shifts, or geopolitical disruption.
This is why this risk often concentrates invisibly. Exposure accumulates through ordinary design decisions that appear efficient in isolation. Over time, concentration replaces optionality. Flexibility gives way to dependency. By the time pressure is felt, the design has already narrowed the organisation’s ability to respond.
Emerging risk is most useful at this point, not as a forecast, but as a diagnostic. It reveals whether strategic design has sufficient adaptability. Concentration increases sensitivity to regulatory or geopolitical shifts. Rigid cost structures amplify demand or funding volatility. Legacy technology heightens exposure to cyber and data disruption. These signals do not create risk. They expose how design choices magnify uncertainty.
Within this framing, what are often labelled as sub-risks are better understood as expressions of strategic choice. These are the risks that affect the organisation most materially because they shape cumulative exposure and potential impact across strategy, capital, and delivery.
Market positioning reflects where the organisation has chosen to compete.
Business model risk reflects how value is generated and sustained.
Capital allocation risk reflects how resources are committed and recovered.
Dependency and concentration risk reflect design trade-offs made in pursuit of efficiency.
Timing and sequencing risk reflect when commitments are locked in.
Capability and capacity risk reflect the limits of what the organisation can absorb.
These are not standalone threats to be catalogued. They are symptoms of how strategy has been designed and implemented. Treating them as independent risks obscures their common source. Viewing them through a design lens makes strategic risk visible while decisions are still reversible.
In this sense, emerging risk performs a critical function. It tests the resilience of strategic design rather than predicting specific outcomes. Where signals consistently expose the same points of fragility, the issue is rarely awareness. It is the structure within which choices have been made.
The Role of Governance in Strategic Risk
Strategic risk is governed through decisions, not reports.
Governance determines who has authority to commit the organisation, how challenge is enabled, and whether exposure is surfaced early enough to influence outcomes.
Board and executive ownership of strategic risk is therefore fundamental.
It cannot sit neatly within a single committee or function because it emerges at the intersection of strategy, capital allocation, and delivery. When accountability is fragmented, exposure becomes diffused and challenge weakens. Governance design either concentrates responsibility or obscures it.
Decision rights and escalation discipline are central to effective strategic risk governance. It becomes visible when the assumptions that underpin a decision are surfaced and tested before commitments are approved. These assumptions relate not only to market conditions, but also to delivery capacity, behavioural responses, dependency stability, and the organisation’s ability to absorb change over time.
Where governance requires explicit articulation of these assumptions, decision quality improves. Challenge is focused on what must hold true for the strategy to remain viable, rather than on defending the proposal itself. Escalation in this context is not a response to failure. It is a mechanism for questioning whether the conditions that justified the original commitment still apply.
By contrast, where assumptions remain implicit, escalation is delayed. Governance attention shifts to execution once strain becomes visible. At that point, the strategic decision is no longer being examined. It is being defended. The discussion moves from viability to delivery, and exposure that was embedded at the point of commitment remains largely unchallenged.
In many organisations, this dynamic is reinforced by the design of governance forums. Decision papers are structured to secure endorsement rather than invite interrogation. Approval replaces challenge, and momentum substitutes for judgement. Assumptions are treated as background context rather than as active points of scrutiny. Strategic risk therefore remains hidden until delivery pressure forces it into view.
It is at this point that emerging risk becomes relevant.
Not as a separate category of risk, but as a means of testing whether the assumptions that underpin current decisions remain valid as conditions evolve.
Emerging risk has a specific governance role in this context. It should inform strategic discussion rather than sit in horizon-scanning reports or trend libraries. Its value lies in testing assumptions that underpin current choices, not in predicting discrete events. When emerging signals are treated as speculative or premature, they are discounted. By the time they are taken seriously, optionality has already narrowed.
The most effective governance conversations therefore shift the focus. The question is not, what emerging risks do we face. It is, which assumptions would no longer hold if this signal materialised. This reframing turns uncertainty into a source of strategic insight rather than deferred concern.
Where governance enables this discipline, strategic risk is addressed while decisions are still malleable. Where it does not, oversight activity increases and exposure continues to accumulate. The difference is not intent or effort. It is the way governance channels attention.
Risk Appetite as the Bridge Between Strategy and Risk Strategy
Risk appetite defines the boundaries within which strategic choices are made.When it functions effectively, it connects ambition to risk capacity and translates intent into constraint.
In this role, risk appetite operates upstream of controls and metrics. It shapes which opportunities are pursued, how capital is allocated, and how much strain the organisation is willing to absorb in pursuit of its objectives. Risk appetite is therefore not a statement of tolerance after the fact. It is a discipline applied before commitment.
Organisations manage strategic risk most effectively when appetite constrains decisions before commitments are made, rather than reacting after exposure has materialised.
Failures occur when appetite is treated as descriptive rather than directive. Statements articulate acceptable risk levels in principle, yet they do not influence sequencing, prioritisation, or investment decisions. When appetite is disconnected from how resources are committed, it becomes a reporting artefact rather than a strategic control.
In related polling, more than half of respondents indicated that risk appetite does not materially influence strategic decisions such as sequencing, prioritisation, or capital allocation.
Effective appetite framing links exposure to delivery capacity and resilience. It considers not only what risks are acceptable, but also how much complexity, dependency, and change the organisation can absorb at a given point in time. Without this link, strategic decisions accumulate strain even when individual initiatives appear to sit within tolerance.
Risk appetite also plays a critical role in preserving the distinction between strategy and risk strategy. Strategy determines what the organisation seeks to achieve. Risk appetite constrains how far it is prepared to stretch in doing so. Risk strategy then governs how these boundaries are applied, challenged, and monitored across decision forums.
When appetite is used in this way, it reinforces strategic discipline without slowing execution. It makes trade-offs explicit while choices are still reversible. Where it is not, ambition advances unchecked and risk governance becomes retrospective.
How Strategic Risk Accumulates Over Time
Strategic risk rarely materialises in a single moment.
It accumulates through a series of incremental decisions that each appear reasonable in isolation.
As strategies move from intent to execution, trade-offs are made under pressure. Timelines are compressed. Scope is adjusted. Dependencies are accepted to maintain momentum. Each decision marginally alters the risk profile, often without revisiting the assumptions on which the original commitment was based. Over time, exposure compounds.
This process is reinforced by execution drift. Assumptions that were valid at the point of decision gradually weaken as conditions change, capabilities are stretched, or priorities shift. Because drift occurs incrementally, it is seldom challenged explicitly. Performance remains within tolerance, although strategic alignment erodes.
Emerging risk plays a specific role in this dynamic. It acts as an early signal that underlying assumptions are decaying. It stress-tests whether strategic commitments remain robust under changing conditions. It accelerates exposure that already exists rather than creating it.
Weak signals are often visible during this phase. They appear as minor delays, increased reliance on workarounds, growing exceptions, or repeated appeals for additional capacity. These signals are frequently discounted because they do not yet threaten outcomes. When resilience is already stretched, emerging risks matter more. They reduce margins for error and narrow options.
Delayed recognition has a predictable effect. Uncertainty is allowed to persist until commitments become difficult to unwind. Optionality is lost. At that point, escalation feels abrupt even though the trajectory was gradual. Strategic risk is then experienced as surprise, not because it was unforeseeable, but because accumulation was normalised.
In Aevitium LinkedIn polling across risk and governance leaders, around two-thirds of respondents reported that escalation typically occurs only once delivery strain becomes visible, rather than when underlying assumptions begin to weaken.
This is why emerging risk rarely causes failure on its own. It amplifies exposure created by earlier choices. Where accumulation is understood and challenged, signals inform course correction. Where it is not, governance reacts after strategic flexibility has already diminished.
Case study: Boeing – 737 MAX programme
A widely cited illustration of this dynamic is Boeing’s 737 MAX programme. The strategic intent was commercially rational: protect market position, accelerate time to market, and minimise disruption to airline customers. Early assumptions centred on continuity, limited pilot retraining, and incremental design change rather than platform redesign.
As development progressed, trade-offs were accepted to preserve momentum. Design complexity increased, software compensations were introduced, and reliance on certification assumptions deepened. Each adjustment appeared reasonable in isolation and remained consistent with the original strategic direction. Performance targets were still met and delivery continued.
Over time, however, the assumptions underpinning safety, training, and system interaction weakened. Early signals existed, yet escalation occurred only once outcomes deteriorated. The resulting failures were experienced as sudden, although the exposure had accumulated through a series of decisions made under pressure. The strategic risk was not created by execution alone. It was embedded through the way choices were framed and defended as conditions evolved.
Culture, Behaviour, and Strategic Signal Loss
Strategic risk is filtered through behaviour before it reaches governance forums. What leaders hear is shaped by what feels safe to say.
As pressure increases, informal cues matter more than formal processes. Leadership reactions to challenge, tolerance for uncertainty, and responses to early escalation shape whether signals are surfaced or suppressed. When questioning direction is perceived as disloyal or unhelpful, silence replaces scrutiny. Alignment appears strong while exposure continues to build.
This dynamic creates strategic signal loss. Information is not absent. It is diluted as it moves upward. Concerns are reframed as delivery issues. Assumptions are treated as settled facts. Emerging signals are softened to maintain momentum. Each step reduces the organisation’s ability to recognise misalignment while choices remain reversible.
Psychological safety is therefore not a cultural aspiration. It is a governance requirement because it determines whether assumptions are questioned before commitments harden. Without it, strategic risk discussions focus on whether delivery is on track rather than whether the strategy still makes sense under current conditions. Challenge arrives late, once options have narrowed, and is experienced as disruption rather than insight.
Behavioural patterns also explain why escalation often follows outcomes rather than precedes them. Individuals adapt to prevailing expectations. When early concerns are consistently deprioritised, people stop raising them. The organisation learns to manage around exposure instead of questioning it.
Strategic risk capability depends on reversing this dynamic. Leaders who invite challenge, tolerate ambiguity, and treat uncertainty as a legitimate input preserve signal quality. Where behaviour supports candour, this risk remains visible. Where it does not, governance activity increases and insight declines.
The Risk Within provides a roadmap for embedding psychological safety into risk management. It identifies critical touch points across the risk lifecycle and offers clear actions to align leadership, culture, and governance. It is designed to help risk functions integrate more deeply into the business and strengthen decision-making at every level.
Strategic Risk in Transformation and Change
Strategic risk concentrates during periods of change.
Transformation programmes, acquisitions, digital initiatives, and cost restructuring increase the number of simultaneous commitments while reducing organisational slack.
In these conditions, exposure is shaped less by individual initiatives than by their interaction. Multiple strategic bets draw on the same leadership attention, capabilities, and delivery capacity. Dependencies deepen. Sequencing becomes compressed. Assumptions that may have been reasonable in isolation are no longer valid in combination.
Transformation also accelerates strategic risk accumulation. Delivery pressure normalises exception-taking and workaround behaviour. Trade-offs are accepted to maintain momentum. As resilience is consumed, emerging risks have a greater impact. Signals that might once have prompted adjustment are now absorbed as part of the change narrative.
Operational resilience and third-party reliance are particularly affected. Outsourcing, technology modernisation, and ecosystem expansion increase dependency at the same time as internal buffers are reduced. Strategic intent may remain sound, yet exposure rises as design choices interact under stress.
Governance often struggles in this environment. Oversight focuses on milestones, benefits, and integration plans. Less attention is paid to whether the combined strain remains within appetite and capacity. Strategic risk is discussed in fragments rather than as a cumulative condition.
This is why many strategic failures are attributed to execution. In reality, the issue is the concentration of risk created by overlapping change. Where transformation is governed as a portfolio of interdependent commitments, strategic risk remains visible. Where it is not, exposure intensifies until adjustment becomes difficult.
Case study: Credit Suisse – Pre-2023 trajectory
The experience of Credit Suisse prior to its 2023 failure illustrates how strategic risk concentrates during prolonged transformation. Over several years, the firm pursued multiple strategic shifts simultaneously, including business model repositioning, cost reduction, risk reduction initiatives, and governance reform. Each programme was directionally sound when considered independently.
In combination, however, these commitments drew on the same leadership attention, control capacity, and organisational resilience. Dependencies deepened while buffers reduced. Assumptions about execution capacity and risk containment were not consistently revisited as conditions changed.
Governance oversight focused largely on progress within individual initiatives rather than on cumulative strain. Risk signals emerged across different parts of the organisation, yet they were treated as isolated issues rather than indicators of strategic concentration. When confidence eroded, escalation appeared abrupt, although exposure had been building across the portfolio of change.
These structural pressures were reinforced by behavioural dynamics. As multiple transformation efforts progressed simultaneously, challenge increasingly focused on delivery execution rather than on the viability of the overall change agenda. Signals that might once have prompted reconsideration were reframed as isolated issues, delaying escalation. Culture did not create the exposure, but it shaped how long accumulation went unchallenged.
This was not a failure of awareness or intent. It reflected how overlapping strategic commitments can amplify risk when governance does not treat transformation as a cumulative condition.
Directional Implications for Boards and Executives
Strategic risk discipline is revealed in how decisions are framed when certainty is unavailable.
Boards and executives shape this discipline through where they focus attention, how they invite challenge, and which trade-offs they are willing to surface before commitment.
The most consequential shift is upstream. Strategic risk deserves scrutiny at the point where assumptions are formed, capacity is stretched, and commitments become difficult to reverse. This requires governance forums that prioritise framing quality over approval velocity and challenge over reassurance.
Leadership attention also matters in how risk appetite is applied. Appetite that constrains choice, sequencing, and scale strengthens strategic coherence. Appetite that follows decisions weakens it. The difference lies not in documentation, but in whether boundaries influence real trade-offs.
Strategic risk capability is sustained through behaviour as much as structure. When leaders signal openness to uncertainty and dissent, signals remain intact. When momentum is rewarded more than judgement, exposure accumulates unnoticed. Governance activity may increase in both cases. Insight does not.
For boards and executives, the implication is clear. Strategic risk is not something to be identified once strategy is set. It is something to be governed continuously through decision design, challenge, and attention to accumulation. Where this posture is adopted, risk management becomes a source of strategic clarity. Where it is not, oversight expands and flexibility contracts.
Strengthen Strategic Risk Discipline: Aevitium LTD works with boards and executives to improve how this risk is governed before exposure hardens. Our complimentary consultation helps surface decision blind spots, test critical assumptions, and align ambition with capacity while options remain open.
Conclusion: Governing Strategic Risk Where It Is Created
Strategic risk is not something organisations discover late. It is something they create early. It is shaped by how decisions are framed, how assumptions are treated, and how trade-offs are made under uncertainty. By the time outcomes deteriorate, exposure has usually been embedded for some time.
The recurring pattern is not a failure to identify risks. It is a failure to govern the conditions under which strategic choices are made. When assumptions remain implicit, challenge is deferred. When governance prioritises progress over viability, accumulation is normalised. This risk is then experienced as surprise, even though the trajectory was gradual.
Effective strategic risk management therefore starts upstream. It requires governance that surfaces assumptions before commitments harden, applies appetite as a real constraint, and treats emerging signals as tests of viability rather than forecasts of events. It also depends on behavioural conditions that allow challenge to arrive early, when options still exist.
For boards and executives, the implication is clear. Strategic risk is governed through attention, discipline, and judgement at the point of decision. Where this capability is present, organisations preserve optionality and adapt deliberately. Where it is not, oversight expands while flexibility contracts. The difference lies not in intent or effort, but in how strategy itself is governed.
About the Author: Julien Haye
Managing Director of Aevitium LTD and former Chief Risk Officer with over 26 years of experience in global financial services and non-profit organisations. Known for his pragmatic, people-first approach, Julien specialises in transforming risk and compliance into strategic enablers. He is the author of The Risk Within: Cultivating Psychological Safety for Strategic Decision-Making and hosts the RiskMasters podcast, where he shares insights from risk leaders and change makers.