Insights from the world’s most AI mature companies
IMD’s AI Maturity Index demonstrates how to align leadership, people, and technology for measurable business benefits and revenue growth, with examples from 10 industries....
Artificial Intelligence
The dual challenge of AI: Innovating and building while preparing to defend
AI poses dual threats that demand balancing innovation portfolios and scanning for external disruption. Here’s how to manage both effectively.
Uncertainty has become the defining characteristic of the modern business environment, and artificial intelligence represents perhaps the most significant amplifier of that uncertainty today.
Unlike previous technological shifts that unfolded over decades, AI’s capacity to transform entire value chains can render established business models obsolete in a matter of years. At the same time, the failure of an AI initiative can wipe hundreds of millions off the value of a company.
Defensive restructuring in the face of this uncertainty is already underway at many Fortune 500 companies, often framed in terms of efficiency initiatives. Organizations now face a dual imperative that traditional risk frameworks were never designed to address: they must harness AI’s potential through their own initiatives while simultaneously defending against AI-driven disruption from both established competitors and new entrants.
The organizations that harness AI effectively will define the next era of business, while those that mismanage its risks may not survive it. In this piece, drawing on research from our recent book Transcend, we explore a critical distinction that every leader must understand to manage AI risk effectively: the difference between project risks (the challenges arising from your own AI initiatives) and enterprise risks (the threats to the enterprise from the broader evolution of AI). After sketching this distinction, we go on to provide practical guidance for managing both types of AI risk effectively.
What’s the difference between project risk and enterprise risk?
Understanding the distinction between project risk and enterprise risk is fundamental to effective AI risk management. Project risk refers to the negative consequences that can arise from an organization’s own AI initiatives. These are risks the organization creates through its own implementation of AI, such as technical failures, integration challenges, user rejection, or ROI shortfalls.
Enterprise risk, on the other hand, refers to the threats posed to the business as a whole by the broader evolution and deployment of AI across industries and societies. Enterprise risks are those that emerge from what others are doing with AI, such as the development of new AI models, competitor breakthroughs, industry disruptions, regulatory shifts, or fundamental changes in how value is created and captured in your sector.
Could Wendy’s internal AI focus be threatened by Mangal’s fully autonomous model?
Consider the implementation of AI assistants to take drive-thru orders by the American fast-food chain Wendy’s. This kind of project comes with a host of risks for the company implementing it. For example, the Wendy’s assistant might have accuracy issues, leading to incorrect orders and frustrated customers; the system might break during peak hours, creating operational chaos; or customers might reject the assistant, and the associated brand, because they desire more human interaction.
These are all important risks and must be identified and managed as part of Wendy’s AI innovation program. But in addition to managing the risks arising from its new drive-thru AI, Wendy’s must also identify and respond to AI risks coming from external sources.
Germany’s Mangal kebab chain, for instance, plans to launch fully autonomous restaurants in which robotic arms will prepare and plate food without the intervention of human workers. If this model succeeds and spreads, Wendy’s incremental automation of order-taking may begin to look like the company is rearranging deck chairs on the Titanic.
If Mangal’s fully autonomous model achieves dramatically lower operating costs, Wendy’s entire pricing structure and business model could become uncompetitive overnight, forcing them to either attempt a rushed, expensive pivot to full automation or risk being priced out of the market entirely. Even before this point, a Mangal-style full automation could reset customer expectations for speed and consistency across the whole fast-food sector, making Wendy’s hybrid human-AI model appear outdated and inefficient – no matter how well their drive-thru AI works.
“Taking a holistic approach to AI innovation makes it possible to deliberately calibrate the organization’s overall risk exposure while maintaining the innovation velocity necessary to compete in an AI-driven economy.”
So, how can leaders manage these two different kinds of AI risks effectively and in parallel?
Managing AI project risk: portfolio management principles
Managing AI project risk effectively requires a fundamental shift in how many organizations approach AI innovation. Treating AI initiatives in isolation often leads to their risks being conceptualized as a series of disconnected ‘go/no-go’ decisions. This approach can stifle innovation because it separates the innovation process into a series of disconnected projects. By adopting portfolio management principles that approach AI investments as a unified innovation pipeline, leaders can instead balance risk and reward profiles across the entire portfolio. This approach recognizes that some AI projects should be high-risk moonshots that could transform the business, while others should be reliable workhorses that deliver steady added value with tightly circumscribed risk levels.
Taking a holistic approach to AI innovation makes it possible to deliberately calibrate the organization’s overall risk exposure while maintaining the innovation velocity necessary to compete in an AI-driven economy. The portfolio lens transforms risk from a constraint to be minimized into a strategic variable to be optimized, enabling leaders to adopt organization-wide risk profiles that are appropriate for their specific enterprise. A startup, for instance, might aim for 70% high-risk, high-reward projects to maximize breakthrough potential. An established enterprise, on the other hand, might include fewer high-impact projects and a much greater proportion of low-risk implementations of proven solutions.
A portfolio approach can also help to set and manage risk levels across functions within a business, creating nuanced risk profiles that are both industry– specific and reflect the company’s unique position. For instance, a pharmaceutical business could ring-fence its product development and testing process to ensure that regulatory compliance acts as a go/no go gate for moving an initiative from planning to prototyping. Such a business might also decide that it has an ethical duty not to concentrate resources on initiatives that may increase the risk of product failures, even if the initiative passes regulatory muster. Yet at the same time, its leaders may decide that, once these conditions are met, the company is in a robust enough position to pursue a moderate-to-high risk strategy overall, concentrating that risk in areas such as IT Ops, fundamental research, or staff management and strategy tools. By contrast, a fast fashion company could allow initiatives to pass through the portfolio without highly rigorous regulatory gate checks while also opting for an extremely low overall risk profile to insulate its low– margin product lines from the failure of new AI systems.
The key is that a portfolio management approach allows these decisions to become conscious, strategic choices rather than accidental outcomes.
Define your desired mix of risk levels across the portfolio.
Key principles for implementing portfolio management:
- Set explicit portfolio targets based on strategic context. Define your desired mix of risk levels across the portfolio. This mix should reflect your competitive position, industry dynamics, and organizational risk appetite.
- Evaluate projects based on portfolio contribution, not just individual merit. When reviewing AI initiatives, assess not only whether the project is worth pursuing based on an internal risk/reward calculation, but also how it affects your overall portfolio risk profile.
- Create integrated governance systems that manage risk and innovation together. Replace separate risk and innovation review processes with unified portfolio reviews that consider both dimensions simultaneously.
Navigating enterprise risk in the AI era
While you are carefully managing your AI innovation portfolio, other companies may be building new AI capabilities that have the potential to render your entire business model obsolete. The speed of AI-driven disruption means the next existential threat to your organization could come from a traditional competitor that suddenly leapfrogs you with AI-powered innovation, or from an AI-native challenger three industries away that discovers how to serve your customers better, faster, and cheaper. This is enterprise risk in the AI era: not gradual erosion of market share, but the danger of sudden strategic irrelevance akin to falling off a cliff. Organizations that fail to scan for and respond to these external AI threats will not get a second chance.
Managing AI enterprise risk effectively requires systematic environmental scanning that goes beyond tracking immediate competitors and extends instead to monitoring AI developments both in adjacent industries and across multiple dimensions. This includes paying attention to technological breakthroughs that might enable new business models, regulatory changes that could reshape competitive dynamics, shifts in consumer expectations driven by AI experiences in other industries, and the emergence of AI-native startups that bypass traditional industry barriers and disrupt the entire market.
Identifying enterprise risk early is a critical first step, but it is not enough to just spot potential dangers in advance. Businesses must also develop the tools needed to respond effectively to emerging threats.
Meeting these dual challenges requires governance structures that are designed specifically for the severity of the enterprise threats that AI may pose. For example, many organizations would benefit from establishing dedicated AI risk committees that report directly to the board, ensuring enterprise risks receive appropriate senior attention. These committees should have the authority to trigger strategic reviews when emerging threats are identified. To work effectively, they need clear escalation protocols that can rapidly mobilize resources when a potential threat moves from possibility to probability.
Finally, organizations must develop what we might call strategic optionality – keeping open multiple paths forward to support rapid pivots if severe enterprise threats materialize. This could mean experimenting with AI-enabled business models even while your traditional model remains profitable. It might involve building partnerships with potential disruptors rather than ignoring them, or developing internal AI capabilities that could become the foundation for business model transformation if needed. The goal here is not to predict exactly which enterprise risks will materialize, but rather to develop the organizational agility and capability needed to respond to an uncertain future.
Experiment with AI-enabled business models, partner with potential disruptors, and build internal AI capabilities that could enable rapid pivots when needed.
Key actions for managing enterprise risk:
- Implement systematic environmental scanning beyond your industry. Establish quarterly PESTLE reviews (assessing Political, Economic, Social, Technological, Legal, and Environmental risks) calibrated for AI and monitor adjacent industries for spillover threats – AI advances that seem irrelevant to your sector today could reshape it tomorrow.
- Create board-level AI risk governance with rapid response capabilities. Establish a dedicated AI risk committee reporting directly to the board, with clear authority to trigger strategic reviews and mobilize resources when threats escalate from possibility to probability.
- Build strategic optionality through parallel experimentation. Develop multiple paths forward. Experiment with AI-enabled business models, partner with potential disruptors, and build internal AI capabilities that could enable rapid pivots when needed.
The window for developing these capabilities is narrowing rapidly, and the cost of inaction grows steeper with each passing quarter.
Conclusion
The distinction between project risk and enterprise risk in AI is not merely an academic exercise in categorization – it represents a fundamental shift in how organizations must approach strategic risk management. Companies that focus solely on managing their internal AI initiatives while ignoring the broader transformation of their competitive landscape will find themselves perfecting their execution of an obsolete strategy. Conversely, those that become paralyzed by external threats while failing to build their own AI capabilities will lack the organizational competence to respond when disruption arrives.
The path forward requires the simultaneous pursuit of disciplined portfolio management for internal initiatives and the development of robust structures for not only identifying, but also rapidly and decisively responding to external threats. This dual capability will increasingly separate organizations that thrive in the AI era from those that become its casualties. The window for developing these capabilities is narrowing rapidly, and the cost of inaction grows steeper with each passing quarter.
Authors
Related
Artificial confidence: How LLMs undermine executive thinking
Professor Amar Bhidé challenges AI hype, arguing that LLMs flatter rather than enlighten and that executives must distinguish calculable risk from true uncertainty....
Generative Engine Optimization (GEO): The $80 billion shift that every executive should understand
As AI-driven Large Language Models reshape digital visibility, Generative Engine Optimization (GEO) emerges as a critical frontier threatening to upend the $80 billion SEO industry and demanding urgent attention from senior executives....
What’s really at stake when we choose an AI vendor
AI has moved from the purely technical realm into the geopolitical one, with nations and regions striving for AI sovereignty. What are the strategic implications for leaders? ...
Learn Brain Circuits
Join us for daily exercises focusing on issues from team building to developing an actionable sustainability plan to personal development. Go on - they only take five minutes.
Explore Leadership
What makes a great leader? Do you need charisma? How do you inspire your team? Our experts offer actionable insights through first-person narratives, behind-the-scenes interviews and The Help Desk.
Join Membership
Log in here to join in the conversation with the I by IMD community. Your subscription grants you access to the quarterly magazine plus daily articles, videos, podcasts and learning exercises.