The IT Law Wiki


A strategic risk is a

- [r]isk that would prevent an area from accomplishing its objectives (meeting the mission).[1]
- risk that affects an entity's vital interests or execution of chosen strategy, whether imposed by external threats or arising from flawed or poorly implemented strategy.[2]


"Managing strategic risk is associated with the ability to recognize future trends, challenges, and threats and match these with appropriate operational concepts, capabilities, competencies, and capacity."

"Strategic risk can arise from three basic sources. First, strategic risk can arise from the actions of adversaries, from natural hazards or from non-adversarial human actions, such as accidents. These can be thought of as imposed risks. Second, strategic risk can be created by the unintended consequences of the strategies we adopt in response to imposed risks. These can be thought of as self-imposed risks. Finally, strategic risk can arise from obstacles to successful implementation of an adopted strategy. These obstacles can be either imposed (e.g., the actions of an adaptive adversary to counter a security measure or to exploit an unintended vulnerability created by a security measure) or self-imposed (e.g., failure to adequately resource, or to prematurely abandon, a strategy or course of action that would otherwise be beneficial)."[3]