At A Glance
Industrial and operational tech companies face a uniquely demanding risk environment – Products embedded in critical workflows, slow-moving buyers, and a fundamental business model transition from hardware to software mean the stakes for getting strategic risk wrong are unusually high.
Risk is routinely oversimplified – Most leadership teams treat risk as a gut feeling rather than a structured discipline, which leads to bad bets being approved and smart ones being blocked.
Probability and magnitude are different questions – How likely something is to go wrong is not the same as how damaging it would be. Both dimensions need to be evaluated — on the upside as well as the downside.
Reversibility changes the calculus – Decisions that can be undone warrant a lower bar for action. Decisions that can’t require greater rigor, not because failure is likely, but because the cost of being wrong is harder to recover from.
Inaction carries its own risk – Near-term risks feel concrete and get attention. Longer-term risks — displacement, commoditization, missing a market shift — feel remote but can be existential. Caution compounds quietly.
Execution risk and strategic risk are not the same thing – Execution risk asks whether you can deliver. Strategic risk asks whether it will matter. The second question is often more important than the first.
Unknown risks require a different posture – When probability and magnitude can’t be estimated in advance, the goal is to structure initiatives so the organization learns quickly and converts uncertainty into clarity over time.
Mitigation has two levers, not one – Most organizations focus on making failure less likely. Equally important is limiting how damaging failure will be — through staged investments, preserved optionality, and early warning indicators.
Portfolio balance is a risk management tool – Over-concentration magnifies the magnitude of being wrong. A deliberate mix of core, adjacent, and exploratory bets limits exposure while preserving the probability of meaningful returns.
The Unique Risks for Industrial and Operational Technology Companies
Companies that build and sell industrial and operational technology face a distinctive risk environment. Their products are often deeply embedded in customers’ critical workflows such as facility operations, fleet management, industrial process control, or transaction processing, which means that both the cost of failure and the value of trust are unusually high. They operate across long sales cycles, complex channel relationships, and demanding validation requirements, often selling to buyers who are slow to adopt and slow to switch. Many are navigating a fundamental business model transition, from hardware and perpetual licenses toward software, subscriptions, and outcome-based offerings, that requires them to take deliberate strategic risks at the same time as they manage the day-to-day risks of running an engineering-intensive business in a world being transformed by AI. That’s why at VDC Strategy we think carefully about how industrial and operational technology vendors should approach strategic risk, and why we think a more rigorous risk assessment framework is critical.
Most industrial and operational tech leadership teams say they consider “risk” when prioritizing strategic initiatives. But if you sit in enough of those conversations, you start to notice something: risk is often used as a vague, catch-all objection. It becomes shorthand for discomfort rather than a structured way of thinking. The problem isn’t that companies ignore risk, it’s that they oversimplify it.
If you want better strategic decisions, you have to unpack risk into its component parts. Because not all risks are created equal, and more importantly, not all risks should be treated the same way.
The limits of intuition and of simplistic evaluations
In most organizations, risk discussions are driven largely by gut feel. Leaders react to what feels risky rather than working from a shared, structured definition. Even in organizations that try to be more disciplined about it, the conversation rarely gets much further than a rough sense of “how likely is this to go wrong?” a question that is itself shaped more by recent experience, individual bias, and organizational politics than by any rigorous analysis. We’ve seen this repeatedly with industrial technology vendors, where executives psychologically anchor on vivid recent failures and allow those memories to drive their instincts about the next initiative. The result is a kind of irrational fear or unwarranted confidence: a shared sense in the room that something is or isn’t risky, without a clear or consistent basis for that judgment.
At VDC Strategy, we recommend a different approach. We view risk as multi-dimensional, and as something that needs to be considered through several distinct lenses, each revealing a different aspect of an initiative’s true profile.
Risk is often used as a vague, catch-all objection in strategic conversations. It becomes shorthand for discomfort rather than a structured way of thinking — and the problem isn’t that companies ignore risk, it’s that they oversimplify it.
Probability and magnitude, upside and downside
Before getting into the full framework, it’s worth pausing on a distinction that underlies all discussions about risk, that sounds simple but is routinely missed in practice: the difference between probability and magnitude on both the upside and downside.
Probability asks: how likely is this outcome? Magnitude asks: how significant would it be if it occurred? These are fundamentally different questions, and both need to be evaluated separately, not just on the downside, but on the upside as well. Most risk conversations focus almost entirely on downside probability. “What’s the chance this goes wrong?” But that’s only one of four dimensions worth considering, and leaves out important thinking about the damage of it going wrong, along with the benefit and probability of it going right.
Reversibility: two-way doors vs. one-way doors
Closely related to magnitude is the idea of reversibility. Not all decisions lock you in. Some are easily undone; others are effectively permanent. We often describe this as the difference between two-way doors and one-way doors, and the distinction maps directly onto downside magnitude.
An automation or controls vendor launching a new product variant into an adjacent vertical, say, adapting an existing PLC or HMI platform for a new end market, through a limited, time-boxed pilot is walking through a two-way door. Even if the probability of needing to reverse course is significant, the magnitude of doing so is low: they can pull back with minimal damage. Committing to embed a third-party AI or analytics engine deep into your core industrial software platform, which requires re-architecting the product and retraining your entire sales and support organization, is a one-way door. Here, the magnitude of being wrong is high regardless of the probability of failure. When a decision is reversible, the threshold for action should be much lower. When it’s irreversible, greater rigor is required, not because the probability of failure is necessarily high, but because the magnitude of being wrong is harder to recover from.
Time horizon: the hidden cost of “playing it safe”
Time horizon introduces another dimension of the probability/magnitude problem. The near-term initiatives that often dominate most planning conversations, such as better cost controls, accelerating product launch schedules, building a channel alongside an established direct sales organization, tend to be high in probability of having an impact, but relatively modest in magnitude. They are visible, concrete, and feel urgent. The longer-term risks, like competitive displacement, product commoditization, being locked out of a market shift, are feel lower in probability due to their temporal distance, but are potentially catastrophic in magnitude.
We see this dynamic with industrial hardware and equipment vendors debating whether to move up the value stack into software, services, or outcome-based offerings. The near-term risks are high-probability and moderate-magnitude: real costs, real disruption, real execution challenges. The long-term risk, that a better-capitalized competitor or a software-native entrant captures the customer relationship while your hardware becomes a commoditized input, may feel less probable today, but its magnitude is existential. Because longer-term, high-magnitude risks feel remote, they tend to get systematically underweighted in terms of their probability, which leads to inaction. In practice, inaction is often the biggest risk. A strategy that feels “safe” today can create serious exposure over time.
Execution risk vs. strategic risk
The probability/magnitude lens also helps clarify the difference between execution risk and strategic risk, a distinction we consider one of the most important in strategic planning.
Execution risk is largely about probability: can we actually deliver this, and what are the chances something goes wrong along the way? Strategic risk is largely about magnitude: even if we deliver it perfectly, will it matter? Teams tend to focus on execution because probability feels more controllable and measurable. But magnitude, the significance of the problem you’re solving and the size of the opportunity you’re pursuing, is often the more consequential variable. Solving the wrong problem well is often more dangerous than struggling to execute the right one.
Companies naturally ask whether an initiative can be executed well. The more consequential question is whether it’s worth executing at all. Delivering flawlessly on the wrong objective is a strategic risk in itself.
Known risks vs. unknown risks
The probability/magnitude distinction also shapes how we think about known versus unknown risks. Known risks, those that can be identified, named, and planned for, are ones where you can form a reasonable view on both dimensions. You can estimate how likely something is and how bad it would be. Unknown risks are different: by definition, you can’t fully assess either their probability or their magnitude in advance.
This matters especially in more exploratory initiatives. An established vendor in supply chain or logistics technology extending into an adjacent product category faces mostly known risks, competitive response, channel conflict, development timelines, where both probability and magnitude can be reasonably estimated. A hardware-centric company attempting to build and monetize a software platform for the first time faces far more unknown risks, where the honest answer on both probability and magnitude is “we don’t yet know.” The goal in that case isn’t to force false precision onto uncertain estimates. It’s to structure the initiative so the team can learn quickly, progressively converting unknown risks into known ones, and building a clearer view of both likelihood and consequence over time.
Dependency risk and portfolio concentration
Dependency risk is fundamentally a probability problem. The more an initiative depends on external partners, ecosystem alignment, or market conditions outside your control, the higher the cumulative probability that something misaligns, even if each individual dependency seems manageable on its own. An operational technology vendor whose growth strategy requires a key distribution partner to behave a certain way, a regulatory shift to go a certain direction, and a customer segment to accelerate its adoption is stacking probabilities in a way that makes even a large-magnitude outcome exceptionally risky.
Concentration risk operates on the magnitude side of the ledger. Overcommitting resources to a single initiative doesn’t necessarily change the probability of any individual outcome, but it dramatically increases the magnitude of being wrong. A more balanced portfolio, mixing core product enhancements, adjacent market expansions, and higher-risk exploratory bets, limits the magnitude of any single failure while preserving the probability of meaningful learning and returns across multiple fronts.
Reputational risk and learning value
Reputational risk is a useful reminder that magnitude doesn’t reduce to financial impact alone. For companies selling into industrial and operational technology markets, where procurement decisions are rigorous, validation cycles are long, and products are deeply embedded in customers’ core workflows, a failed product launch or a reliability issue in the field can carry reputational consequences whose magnitude far exceeds the direct financial cost. The probability of such an event may be low, but the magnitude demands disproportionate scrutiny. These initiatives require a different level of rigor, not because failure is likely, but because the consequences extend well beyond what a standard risk assessment would capture.
Finally, we encourage clients to consider the learning value of risk, which is really an argument about upside magnitude. Not every initiative needs to succeed in the conventional sense to be worthwhile. Initiatives that reduce uncertainty, build new capabilities, or open paths for future growth carry a form of upside magnitude that isn’t always captured in a business case. An industrial or operational technology vendor that runs structured pilots across two or three different go-to-market approaches for a new software or services offering, knowing that one or two may not pan out, is generating strategic information whose magnitude may be higher than the cost of the experiments themselves. The probability of any single pilot succeeding may be modest. The magnitude of what the organization learns across all of them can be substantial.
Risk mitigation: probability and magnitude are different levers
Understanding risk clearly is only half the work. The other half is mitigation, and here too, the probability/magnitude distinction matters enormously. Most mitigation efforts focus on reducing the probability that something goes wrong: more rigorous planning, stronger project governance, additional validation steps, more conservative launch sequencing. These are valuable, but they address only one dimension. Equally important, and far less commonly addressed, is reducing the magnitude of impact if something does go wrong. These require different actions entirely. Limiting the scope of an initial commitment, structuring initiatives as staged investments with clear decision points, maintaining optionality in channel and partnership arrangements, building in early warning indicators that allow course correction before problems compound: none of these make failure less likely, but they make it far less damaging. For industrial and operational technology vendors, where a misaligned product investment or a failed go-to-market pivot can consume years of organizational bandwidth and erode hard-won customer relationships, this distinction is particularly consequential. The goal of mitigation isn’t simply to make bad outcomes less probable. It’s to ensure that when things don’t go as planned, and sometimes they won’t, the magnitude of the consequence is one the business can absorb, learn from, and move forward from.
In industrial and operational tech, good mitigation isn’t only about making failure less likely. It’s about ensuring that when things don’t go as planned, the consequences are ones the business can absorb and move forward from.
The right question and the right approach
When industrial and operational technology companies move beyond gut feel and start evaluating risk in a more structured way, better decisions follow. Specifically, they are able to:
- Stop missing out on smart bets because they feel risky, and start scrutinizing dangerous ones that look safe – By separating probability from magnitude, initiatives that appear comfortable but carry existential downside get the scrutiny they deserve, and asymmetric bets with bounded downside and
- Invest in reversible initiatives with greater confidence – Recognizing that two-way doors have a lower bar for action frees up organizations to move faster, learn more, and course-correct without the paralysis that comes from treating every decision as permanent.
- Give appropriate consideration to time horizons – Resisting the pull of near-term, high-probability, modest-magnitude initiatives in favor of also addressing longer-term, lower-probability, but potentially catastrophic risks that tend to get systematically underweighted.
- Build mitigation strategies that address both the likelihood and the consequence of failure – Not just asking “how do we make this less likely to go wrong?” but also “how do we make sure that if it does go wrong, we can absorb it and move forward?”
- Balance their portfolios more deliberately – Avoiding both over-concentration in a single transformational bet and the diffusion that comes from spreading resources too thin, and instead constructing a mix of initiatives that reflects a coherent view of risk and return.
- Treat risk as an important lens for deciding how and where to act – Rather than a reason not to act at all.
For companies navigating the transitions that define industrial and operational technology markets today, from hardware to software, from transactional to recurring revenue, from product vendor to platform, getting this right is not a minor improvement. It is a source of genuine competitive advantage. The companies that take strategic risk seriously, in a disciplined and structured way, are the ones that make better bets, learn faster, and build more durable businesses.
