Strategic risk handling, as oppposed to traditional risk management, which is concerned with operation-level risks, is about ensuring the achievement of major objectives on shifting ground with moving targets. The following article discusses the intellectual foundation for the working method.
Thinking in inverse: Modelling strategy as risk
by Mikal Rian
2020
Wind extinguishes a candle and energizes fire. Likewise with randomness, uncertainty, chaos; you want to use them, not to hide from them.
— Nassim Nicholas Taleb
Introduction
Risk management and strategy are normally two different areas, handled by different people, in different departments, and by different types of thinking. But, as I will claim in this paper, on some level of abstraction they can be treated exactly the same. Thus, the questions are provoked: What if we approached strategy as and applied to it the thinking and methods—both conceptually and quite specifically—of the risk management toolbox? Further, I suggest that strategy is a complex system. This has implications for how we can treat it in a novel way and, also, makes even more sense of the risk-mindset perspective.
In the present text, I will present the strategy of OilMan Ltd, an actor wishing to buy fuel from a producer out of Venezuela. I will look at the strategy, model and visualise it, and analyse it from a risk management perspective. The level of detail will be different than in a typical (operational) risk analysis. Strategy, like risk, can be looked at on a macro scale or in miniscule detail. In my instance, the variables will be few and the behavioural rules will be simple. All the involved companies—nodes in the system—will be looked on as agents, and I will not be concerned with how they are set up and function internally. Culture is an integral part of strategy, as we will see shortly.
The variables are derived from a very real case, but the countries, names, and strategic contents have been changed in all, part, or full to protect the people, businesses, and strategies involved.
The structure of the paper is as follows. First, I will briefly present the conceptual framework. This section is longer than it should for a short assignment, but as short as I could make it for the ideas to make sense. Second, in the Risk analysis and evaluation section I will make a system description and perform a risk analysis. Then I will comment briefly on what a risk database could do. Lastly, I will make some concluding remarks on risk management.
Conceptual framework
I have two simple, working definitions. Culture is a system of behaviour. Strategy is a pattern of behaviour. Strategy is also a complex system. Let me elaborate.
What is strategy?
Strategy to most people means plan. To others it is a more flexible scheme — one with contingencies alternate pathways, like in the armed forces. To others still it is more like an organism — a specific setup of competencies, strengths, and weaknesses (from trade-offs). Conceptions of strategy of this type are often referred to as the positioning school and come from Porter (1980; 1996). Yet another take is that of Mintzberg, who discusses learning (1998) and emergent (2007) strategy.
To Porter (1996), strategic positions come not from setting oneself up to deliver something unique, but from uniquely setting oneself up deliver something. The most important characteristics of the positioning strategy are trade-offs (choosing what not to do) and fit. Fitness is interesting, because we could interpret (with some artistic liberty) Porter’s portrayal of “fit” as fitness (I’ll come back to this). Thus, “[Strategy] involves a whole system of activities, not a collection of parts” (Porter, 1996, p70). Now, the Porterian view is not related to the idea of complexity as we know it from the science of complex systems. Porterian strategic fit comes from building a constellation of activities that, as a whole, produce something in a different way than others do. The picture I’ve created below illustrates.
Figure 1: Jaguar and lion
A jaguar and a lion may both be feline, but they are each “set up” to extract resources and survive in different ways. Those different setups allow and disallow behaviours in such a manner that the jaguar is the king of the jungle (the Latin American rainforest) and the lion the king of the savannah. How and what they hunt is a function of the whole constellation of parts.
As a metaphor, strategy then is a pattern of behaviour — or a repertoire of behaviours. You can do what’s on the menu and cannot do what’s not on the menu. This allows some flexibility, within limits.
Now we can think of fitness as the degree to which an organism is suited to operate in one environment and not the other. Our friends from Statoil and Telenor can confirm this hard fact of life with their (mis-) adventures in the U.S.A. and Russia and India, respectively. The “organism” could be an agent, a company, or it could be an abstraction of what is actually a strategy. In other words, we can conceive of the strategy as an organism — something that does something, in a specific environment under specific contingencies.
What is culture?
Culture, to Baum (2017), “is learned behavior that is shared by members of a group. It consists of operant behavior […] acquired as a result of group membership.” Skinner (1974) defines culture as a set of contingencies of reinforcement maintained by a group. He adds that people learn strategies from the contingencies to which they are exposed, and on top of that learn successful strategies from the experience pool of others. Put differently, culture is a system of behaviour.
If culture is a system, then that system—for any of the agents/entities operating within it—is also an environment. Taking a broader view (parting from the strict, behaviourist definition), we could regard the informal and formal institutions as part of the cultural environment. They set and shape contingencies among the population and the population set and shape the contingencies of the institutions.
Culture is to strategy (or a business or a policy or a romantic endeavour) what the physical and climactic environment is to an organism. Just like the savannah and the jungle provide opportunities and constraints to their respective big cats, Norway and Nigeria or Germany and Guyana represent different contingencies for human behaviours.
The same strategy in two different environments may have completely distinct outcomes. One may have the right fitness for its environment to survive; the other may perish. Stated differently, in one culture there are some things you can and cannot do, and in another culture there are others. This places restrictions on the behavioural repertoire.
Strategy / risk as a complex system
One way to define risk is to state that risk equals p(event) x cost(consequence) and another way is to state that risk is the “uncertain achievement of multiple goals” (Wright, 2019, p2). Merna and Al-Thani (2008) define risk as what is between loss and gain. Renn, Klinke, and van Asselt (2011) underscore the difference between simple risks that are easily identifiable, recordable, and calculable and risks that are complex in nature. I’d add that, from a complex systems perspective, risk may be an emergent property. Anyhow, a complex system is a set of interacting agents (or variables) that may evolve unexpectedly and contains inherent nonlinearities. That is, a small change in one place or region of the system may induce disproportional (nonlinear) consequences in another region or for the entire system.
Figure 2: Constellation of activities
Strategy is also a complex system! If we add Mintzberg (emergent strategy) to Porter (constellation of activities), the result is strategy as a system of interacting parts which can be set up and changed (by the strategist) as time goes by. In one way, the apex predators metaphor falls short (though the idea of a behavioural repertoire remains intact), because the setup of “parts” seems somewhat fixed. Yet, a company cannot cheaply and easily change its setup, and a strategy takes time to build. There’s a limit to how much emergence (in Mintzberg’s learning-as-you-go sense) and how many changes one can permit without costs.
Then a simple representation of a strategy (a set of activities) could look like Figure 2. At the same time, “If there were only one ideal position, there would be no need for strategy” (Porter, 1996, p68), so there is indeed a good reason to constantly being able to perform changes. So, we should think of it as the strategy system. Changes may be done to the system without the system failing to perform.
Risk analysis and evaluation
System description
OilMan is a company interested in buying fuel (MDO) from a Venezuelan company. The reason is OilMan’s larger presence in the region. Hence, OilMan seeks to attain strategic resource flows for an extended time horizon. The other variables are PortStor (fuel storage in Maracaibo), Refinery, FuelMan (owner of Refinery; buyer of oil from Horizon), Horizon (oil extractor/producer), Transportania, PDVSA (Venezuela’s State petroleum firm). Horizon is has foreign owners, with corporate headquarters in a country far away and a local operational HQ. FuelMan, PortStor, Refinery (FuelMan-controlled), and Transportania are locally owned.
Figure 3: A complex system
On the right side of the figure above you can see the maximum amount of possible connections—or edges—in the system (21 edges). Seven variables seem not much, but they can in theory produce 21 possible different relationships (or 42 directions) which all can influence one another. Adding just one node would increase the complexity to 28; twice as many total nodes (14) would theoretically produce 91 potential relationships (or 182 directions). Setting up probabilities, calculating expected values, incorporating feedback and other dynamics, and foreseeing any emergent properties or, even, simple changes in one node’s values caused by change in another node’s values would quickly be a daunting task. Indeed, the simpler the model, the better.
The left side depicts the strategy as it is before risk analysis. Lines are direct interactions. Dotted lines mean there is knowledge of the other agent, but only indirect interaction (through others in the system) or none. PDVSA oversees all, decides the rules for all (and the exceptions). Horizon, a private actor, produces oil and sells it to FuelMan. FuelMan refines, then stores. Then OilMan’s vessel comes to port for bunkering.
What could go wrong?
The project’s timeline is long — several years. We imagine to be in the start phase. Let’s call OilMan’s man in Caracas the Strategist. Functionally, for this paper’s intents and purposes, OilMan and the Strategist can be regarded as one and the same. Strategist has been implementing his strategy for 18 months. During that time, research of firms was conducted and relationships built. Finding the right people and companies to work with takes time in Latin America, even more so for foreign firms with strict anti-corruption and compliance rules. The project is underway, but as for now no fuel has yet been stored or delivered, no transactions made. Ideally, things should be functioning before 24 months, but 36 is acceptable. We took one day to brainstorm what can still go wrong and what can mitigate those risks. Since no other people but Strategist and I were involved, a table of all participants is unnecessary.
In the system depicted on the left in Figure 3 there are 11 edges between the nodes and 20 possible directions of interaction. Here’s a risk list of some general things that can go wrong:
1. Relationship goes sour
2. Indirect relationship goes sour
3. Failed delivery, technical reasons
4. Failed delivery, accident
5. Failed delivery, force majeure
6. Failure/discontinuation of business from financial reasons
7. Non-compliance occurs
8. Internal intrigues (“politics”/plots/corruption)
9. External intrigues (“politics”/plots/corruption)
There is overlap in this list. For example, due to internal intrigues or plain corruption (7) a relationship may go sour (1). Horizon’s employees may dislike FuelMan’s CEO or PDVSA may dislike FuelMan’s CEO. Horizon’s employees may engage in corrupt practices towards FuelMan, disrupting either FuelMan directly, affecting OilMan’s interest in being involved, affecting FuelMan (through OilMan’s lost interest), or all of the above. PDVSA, controlling who gets to extract on a whim, may for internal ploys (7) exercise influence (8) over two agent’s relationship (1). Operationally, FuelMan, Horizon, Transportania, and Refinery may have accidents or technical hick-ups. Though fewer things may happen to PortStor or OilMan, they are in a similar situation. Various actors can have different types of operational risks. Financials can play a role too, for example if an agent requires a minimum quantity and another agent cannot live up the costs incurred from delayed payment. Relationships can break down in any shape or form. Several things can happen at once too, operationally and relationship-wise. There is considerable overlap and potential for multicausality.
A mountain of complexity arises from multiplying all these risks with seven variables or up to 20 connections! The simple list from above needs further simplification and some modification. Basically, we have two break-down types—node failure and relationship failure—and two consequence types, namely, non-delivery and delayed delivery. A node is an agent (a business in this case). Why a relationship breaks down is somehow irrelevant (though not entirely from a probability view). It is enough to consider that it can happen and what it entails. Then we have five types of reasons a node can fail: Operative; plot/ploys internal; plot/ploys external; force majeure (e.g., earthquake, pandemic); emergent properties; and extra-system dynamics. Simplifying:
Table 1: Risk scenarios,
barriers, and consequences
|
ID |
Unwanted event |
Barriers |
Consequences |
Comments |
|
Node failure from self (logistical,
technical, accidental) |
Substitute agent (identified
and/or ready before event or identified after) |
Non-delivery |
Prior due diligence should mean
the likelihood of failure—p(non-delivery)—is low. |
|
|
1b |
Node failure from self
(logistical, technical, accidental) |
Substitute; |
Delayed delivery |
Prior due diligence → |
|
1c |
Node failure from self (plot/ploy
internal) |
Substitute agent; |
Non-delivery |
Prior due diligence → |
|
1d |
Node failure from self (plot/ploy internal) |
Substitute agent; |
Delayed delivery |
Same as above. |
|
1e |
Node failure by link to another node (log/tech/acc) |
Substitute; |
Non-delivery |
Prior due diligence entails vetting all agents in the system. |
|
1f |
Node failure by link to another node (log/tech/acc) |
Substitute; |
Delayed delivery |
Same as above. |
|
1g |
Node failure by link to another node (plot/ploy external) |
Substitute |
Non-delivery |
Prior environmental research and due diligence should mean
p(non-delivery) = low. |
|
1h |
Node failure by link to another node (plot/ploy external) |
Substitute |
Delayed delivery |
Same as above. |
|
These can affect all or some of the above with
varying severity: |
||||
|
1i |
Force majeure |
Substitute |
Either |
A pandemic could cause substitution of several agents! |
|
1j |
Emergence |
? |
Either |
p(either) = incalculable. |
|
1k |
Extra-system |
Don’t
do business in the country. |
Either |
Venezuela is a known corrupt environment,
plus oligopolistic networks abound. |
Ideally, 1a through 1h should represent a probability value for each of the six agents (OilMan not counting). 1k can be considered similar to 1g and 1h event, but with the difference that the agent(s) exerting influence exist outside the system (that is, the strategy and its agents).
“Wait,” though not a barrier, means doing nothing while agents fixes own problem. “Intervene” means changing contracts/agreements, quality of product, contents of service, or otherwise helping.
The reader may be wondering what plot/ploys are. This is where cultural behaviour comes in. In, say, Norway and Canada business relationships are clinical and clean. (With some stretch of imagination, business-policymaker relationships are also clean.) In many parts of the world, doing business is not simply an organisation-organisation transaction; it is a bi-level transaction — on the B2B and person to person levels. This means node failure can stem from internal, personal interests. Additionally, there may be background vested interests like elite group networks hindering via oligopolistic structures, favouritism, or by lobbyism. These extra-system dynamics affect the system (the strategy), but are not part of it. Telenor in India experienced such an effect.
With so many ways something can go wrong, this is a very fragile system. Any of 1a to 1h can disrupt the rest of the system (the strategy). Even delayed deliveries can produce non-deliveries in other places, creating nonlinear outcomes.
Likelihood of unwanted events, consequence of events
Here follow a table for frequency scale and a modified consequence severity table.
Table 2: Frequency scale
Uniting risk management with complex systems science, it would make great sense to perform Monte Carlo simulations on the strategy, with different probabilities assigned to the components (agents) of the system for each of 1a to 1h, possibly also 1i-1k. Even with fantasy or near-fantasy probabilities, such simulations could give an idea of various risk—including chain reactions—and break-down scenarios. Yet, that is outside the bounds of this short paper.
An overview based on similar projects and/or similar environments can help to indicate what to expect, but it is important to realise that no two strategies, histories, or environments are alike. Such data would be rare (do databases exist for failed relationships in hard-to-operate environments?).
For simplicity’s sake, we’ll exclude 1i, 1j, and 1k from the model.
Plot/ploys can be considered more constant (frequent) than failures of the logistical, technical, or accident-caused kind. Here is some free imagination:
Table 4: Overview of unwanted events
Note: This table does not integrate with Table 3. Bear with me for a moment.
Here is a problem. Neither of these risks would enter the red or yellow zones in the matrix below. But that is a false assurance. These risks should not be treated as separate; they should be stacked. By stacking probability values—by single, joint (“AND”), “OR”, or “EITHER/OR” calculations—the probability increases (Morin, 2016). That quickly displaces us towards the right in the matrix: I’ve displayed stacked risks as “[2 stacked]” and “[3 stacked]” and so on. (I’ve skipped the standard risk accept criteria table, suffice it to say that red cells represent high risk and yellow cells middle risk to strategic failure.)
Table 5: Risk matrix before mitigation
Substituting agents is costly and time-consuming and intervention may be both hard and time-consuming. This table shows clearly that even low-probability events can shake the strategy.
Risk mitigation
How can, mid project, Strategist start moving the pieces around of his strategy? Let’s make some assumptions: One, due diligence and research was done at the onset of the strategy building and the most fitting agents were chosen. Two, other agents (nodes in the strategy) were looked at, in different degrees of depth/superficiality, while the selection process went on. Three, not all agents may have a viable substitute. Four, substituting agents comes with considerable costs of time and resources. Five, building relationships takes time (and a great relationship with an average agent may be better than an average relationship with a good agent). Six, the longer the relationship, the greater the probability of high flexibility in cooperative problem-solving.
The first (and unimaginative) measure coming to mind is this: have substitutes ready. But since this is costly, maybe a good idea would be ensuring backups for the one or two most crucial agents in the system. But which are they? Would those be the biggest players? Another solution would be to find backups for the two agents most likely to fail and cause disruption to other agents in the strategy system. We go for the latter.
Figure 4: Interlocked relationships (simple)
In the figure, interlocked agents are the ones with an arrow going towards them. Dashed lines indicate we can assume the agent will perform free of plots/ploys. This leaves FuelMan dependant on Horizon and Horizon (and FuelMan indirectly) dependant on PDVSA. We assume Transportania can be substituted at low cost, while Horizon may be so at high cost. The same goes for FuelMan. On its face, the model indicates FuelMan and Horizon are equally vital to the system. But we know from earlier that FuelMan is something of an outsider. Should we go for the smart choice and favour Horizon or the cool choice and favour FuelMan and thereby disrupting the prejudices of the elite network Horizon belongs to? Remember, FuelMan’s owner and CEO was also the one Strategist had the best relationship with. However, Horizon is among the very few that can deliver the quantities and qualities we need. Yet FuelMan owns the refinery. We must find substitutes for both. Pioneer can deliver in case Horizon fails and FuelWoman can deliver in case FuelMan fails. Time and costs are tied to researching and engaging with new agents (there’s a limit to how much “maybe we’ll do business together”-relationships can be built). These are now ready-to-fire backups. Inserting them into place does not count as substitution, and we can remove two variables from the stacks. That means the new max is [3 stacked]. Let’s see the new matrix.
Table 6: Risk matrix after mitigation (event IDs are in lower case, because they are situational; not agent-specific, and not directly mitigated)
Optionally, where substitutes cannot be found easily, it could be viable to make the best and most flexible kinds of relationships, with great bonds of trust and good intentions. This means deadlines can be stretched and unforeseen events better handled with the agents in the system. In other words, the intervention and problem-solving repertoire would be expanded, reducing the need for substitution. This would either shrink the max stack or decrease the frequency of unwanted events (displacing the stacks in downwards in the risk matrix).
There is one, much less obvious way to reduce risk: Buy oil from outside Venezuela! As crazy as this sounds, moving crude by land from the Orinoco oil belt and to the coast costs a lot of money. Plus, oil producers are not always rightly priced: It is customary to negotiate a comisión per barrel, making some players far from competitive. Horizon’s owners sit far away from local HQ in Venezuela. The local guys do not care if Horizon performs well; no extra commission often means disinterest in a business relationship. They tried numerous times to get an above-market price paid per barrel. Mitigating this type of risk would be most easily done by avoiding it altogether. Further, local firms are low tech compared Western firms. For a price sensitive actor as OilMan, these factors add up. Hence, OilMan can buy from a U.S. or Canadian producer, have the crude shipped to PortStor, and then FuelMan will treat it at Refinery in Maracaibo, Venezuela. By doing that, four agents leave the strategy system and one new comes in. That reduces complexity and risk dramatically.
Risk register
A risk register makes less sense for strategy (which may be highly unique and also flexible) than for events that repeat in similar ways on the same location, so I’ll be brief and not suggest a detailed risk report format. Yet a database could still make sense. For example, a database for our case (or similar cases) could contain records of what agents were deemed unfit from the start, what agents changed behaviour (seeking rents or other benefits or becoming increasingly uncooperative), under what contingencies such change took place, and some describing characteristics of those agents so that they may be compared with other agents. For a large corporation with strategies in many countries such a register could provide valuable insight over time, not just for risk management, but for various data analyses.
Risk magamenet
A good strategy should have some degree of fitness (between its setup and the environment in which it is intended to survive) and some degree of flexibility to cope with changes. A humble strategist with experience may know how to build good relationships and avoid overconfidence. Having been successful in the past may create the illusion of being good at what one does and that one made the right choices before. I dare to call this the outcome fallacy. A different side to that coin is suggested by Wright (2018): When someone has being going on for a long time in a situation involving risks, but without unwanted events having happened, are subject to hazard adaptation. This mistaken sense of no or low risk is caused by good luck; not good choices.
A problem many leaders and strategists face is that our world tends to be outcome oriented. “Results matter!” sounds sensible, but, really, it is the process that should matter. Winning at uncertain gambling is not a good process; well calculated and handled risk is a good process. Taleb (2005) reminds us that a successful trajectory—a successful strategy—is just one sample path out of many possible that didn’t take place. To handle these biases and fallacies, it is vital to focus on the process itself and not be too focussed on past events that did take place and past unwanted events that did not take place.
For our case, managing strategy risk wisely means reducing the number of events than can stack up simultaneously while increasing strategic flexibility as much as possible. Since flexibility comes from good relationships (and with the right-minded people/organisations), such relationships are desirable. If flexibility is high, the cost of intervention may be low. In this example case, Strategist will on occasion have time available while waiting for some agents to respond or do their work. That time can be employed in identifying substitutes or further constructing relationships. Cultural insight is a key ingredient to doing the job well. If good relationships and cultural insight are combined with a willingness to learn, then new and more fit strategy systems may emerge over time.
Figure 5: Complex and simple strategy
A counterintuitive way to reduce risk is actually by increasing the number of variables in the strategy system. Theoretically, a network with more nodes and connections provides more paths to a destination. Thus, the strategy (as a complex system) could be a subsystem of a larger system. With simple agents this could work, but if the features of agents are highly unique (as in oil and gas), then there may not be a large number of similar agents through which resources can be channelled, which again brings us to a similar problem to that of substitution: alternate paths may be few. Still, some agents are simpler than others. For example, Transportania could be one of many similar agents to provide partial or total transport.
A good strategy system should be dynamic. Being able to enjoy flexibility and perform changes is equivalent to enhancing the behavioural repertoire of an organism. Having a mandate to operate with a good degree of freedom is one requisite. Industry knowledge is another. And cultural insight can hardly be understated. Two more factors augment the chance of original thinking: (1) having (on a personal or team level) a broad interest field and not only being knowledgeable about one’s profession; (2) operating “on the ground.” It is unlikely to think laterally when ignorant of the wide world outside the box. Similarly, it is unlikely to discover agents and insights by chance from a head office 10.000 miles away. Operating on location, on the ground—at least for long stretches of time—increases these chance occurrences. Further, it is vital for building personal relations—a prerequisite for doing business in Latin America.
Thus, the dynamism of a strategy is derived from these five factors (mandate, industry knowledge, cultural insight, diversity of interests, and time on location). To reduce things that can wrong, the number of parts should be reduced from the strategy system. But when parts cannot, or should not, be removed, increasing the parts could be a good solution. If doing so, the extra parts must be cheap to include and simple to handle, as illustrated with the Transportania example above. Finally, to reduce things that can go wrong, the ability to intervene (and to provide alternate solutions to agents) must increase. Low complexity in some parts and “good” complexity in other parts may ensure an evolving, emergent, and adaptive strategy.
References
Granovetter, M. (1978). Threshold models of collective behavior. The American Journal of Sociology, 83(6), 1420–1443.
Merna, T., & Al-Thani, F. F. (2008). Corporate risk management (2nd ed). Wiley.
Mintzberg, H. (Ed.). (2007). Tracking strategies: Toward a general theory. Oxford Press.
Mintzberg, H., Ahlstrand, B. W., & Lampel, J. (1998). Strategy safari: A guided tour through the wilds of strategic management. Free Press.
Morin, D. J. (2016). Probability: For the enthusiastic beginner. Createspace Independent Publishing Platform.
Porter, M. E. (1996). What is strategy. Harvard Business Review, 74(6), 61–78.
Porter, M. E. (1998). Competitive strategy: Techniques for analyzing industries and competitors (1st Free Press ed). Free Press.
Renn, O., Klinke, A., & van Asselt, M. (2011). Coping with complexity, uncertainty and ambiguity in risk governance: A synthesis. AMBIO, 40(2), 231–246. https://doi.org/10.1007/s13280-010-0134-0
Taleb, N. N. (2005). Fooled by randomness: The hidden role of chance in life and in the markets (2nd ed). Thomson/Texere.
Watts, D. J. (2011). Everything is obvious: once you know the answer (1st ed). Crown Business.
Wright, J. F. (2018). Risk management: A behavioural perspective. Journal of Risk Research, 21(6), 710–724. https://doi.org/10.1080/13669877.2016.1235605
Wright, J. F. (2019). Decision-making in risk management. In A. G. Hessami (Ed.), Perspectives on risk, assessment and management paradigms. IntechOpen. https://doi.org/10.5772/intechopen.80439