Rethinking Risk in an Era of Shifting Assumptions
Mark Carney, Prime Minister of Canada, recently delivered a speech at Davos that included a line worth examining: "The rules-based international order is being replaced by a deals-based one." For those working in digital infrastructure and data governance, this wasn't political commentary; it was a description of a planning environment that has fundamentally changed.
Traditional risk frameworks serve us well when assessing discrete events. Equipment fails at predictable rates. Natural disasters have historical patterns. Even cyber attacks follow probability distributions we can work with. But what happens when the risk isn't an event, but a shift in fundamental assumptions about relationships and trust?
The question facing organizations today isn't calculating the likelihood of a disruption. It's recognizing when the ground beneath our planning models has already shifted.
The Limitation of Traditional Risk Assessment
The classic formula—Risk = Likelihood × Impact—works remarkably well for many scenarios. It helps organizations allocate resources, prioritize investments, and make rational trade-offs between cost and protection. Financial institutions use it to evaluate credit risk. Manufacturers apply it to supply chain decisions. Technology companies deploy it to assess cybersecurity investments.
The framework assumes we're operating within a stable system where historical patterns inform future probabilities. It's less effective when assessing what complexity theorists call "threshold crossings"—moments when a system reorganizes into a fundamentally different state, with no return path to the previous configuration.
Consider a European organization in 2019 evaluating its dependence on US-based cloud providers. A traditional risk assessment might have calculated a low probability of data transfer framework disruption, applied an estimated remediation cost, and concluded the risk was acceptable.
The Privacy Shield invalidation by the European Court of Justice the following year revealed something more complex: not a discrete event to be remediated, but entry into a period of ongoing regulatory uncertainty. Organizations didn't face a one-time compliance adjustment but a fundamental reordering of how data governance functions across the Atlantic.
The risk wasn't a one-time cost. It was a reordering of baseline assumptions about how data governance works across the Atlantic.
What Strategic Autonomy Actually Means
Strategic autonomy has become something of a buzzword, often invoked in geopolitical contexts. But stripped of its rhetorical weight, it's asking a straightforward question: what capabilities do we need to maintain regardless of how relationships with partners evolve?
This isn't about isolation or self-sufficiency in all things. It's about understanding dependencies and making conscious decisions about which ones are acceptable and which introduce vulnerabilities that need addressing.
Organizations have always balanced efficiency against resilience. Consolidating infrastructure with a single provider brings cost savings and operational simplicity. Diversifying across multiple providers adds complexity but reduces concentration risk. The strategic autonomy question asks: given what we're observing about how relationships are changing, where should that balance point sit?
A year ago, choosing between AWS, Azure, or Google Cloud was primarily a technical and commercial decision. Today, that same decision increasingly has a geopolitical dimension. Not because these are unreliable companies, but because they operate under jurisdictions whose relationships with other regions are being reconsidered.
The territorial discussions regarding Greenland that emerged recently serve as a useful indicator. Not as a crisis requiring immediate response, but as a signal that assumptions about the permanence of certain relationships may need revisiting. When you come home and find marks around your door lock, the sense of security doesn't return simply because nothing was taken. The relationship to that space has changed. Similarly, when foundational assumptions about partnerships shift, planning models built on those assumptions need reexamination.
The Middle Ground Problem
There's a particular challenge in the position many organizations and nations currently find themselves in: neither in a reliable partnership nor in a clear adversarial relationship, but somewhere in between, with high uncertainty about direction.
Military strategists call this an "ambiguous threat environment"—a condition where potential adversaries remain undefined and threat vectors unclear. You can't fully commit to collaborative postures that assume partnership stability, but moving to fully independent postures feels premature and costly. Resources get split, decisions get deferred, and the natural tendency is to wait for clarity.
The difficulty is that waiting for clarity means waiting until after the threshold has been crossed, at which point adaptation becomes reactive rather than deliberate. Organizations asking these questions now, while relationships remain functional but substantially changed, have more options than those who wait until the questions become urgent.
This isn't about paranoia or worst-case planning. It's recognizing that the cost of building in resilience is lower when done proactively than reactively.
Alternative Frameworks Worth Considering
If traditional risk assessment has limitations in this context, what might supplement it? Several frameworks from other domains offer useful perspectives.
Resilience Engineering, developed for managing high-reliability organizations like nuclear facilities and aviation systems, focuses less on preventing failure and more on maintaining critical functions under stress. The discipline emerged from studying how complex systems continue operating when individual components fail or conditions deviate from normal parameters. The key questions shift from "how do we prevent bad things" to "how do we maintain essential operations when assumptions break?" Applied to infrastructure decisions, this might mean accepting 20-30% higher costs in normal times to ensure multiple pathways exist if any single provider or jurisdiction becomes untenable. The additional cost functions as insurance, not inefficiency.
Portfolio Theory from finance reminds us that diversification only reduces risk if the assets aren't correlated. Using AWS, Azure, and Google Cloud might look like diversification, but if all three are subject to the same jurisdictional pressures, they effectively fail together under the scenarios that matter most. True diversification requires infrastructure across genuinely different legal and geopolitical frameworks—combinations that won't all simultaneously become unavailable under the same triggering conditions.
Scenario Planning from military contexts plans for capabilities rather than intentions, recognizing that intentions can change far more quickly than capabilities. Military planners assess what adversaries can do, not what they currently intend, because intentions prove difficult to predict and can shift rapidly with changes in leadership or circumstances. The question isn't "will the US restrict data flows?" but "what's our response if it becomes necessary?" This shifts planning from probability assessment—which requires predicting intentions and timing—to preparedness assessment, which focuses on whether the organization possesses needed capabilities. The distinction matters because preparedness can be built regardless of whether specific scenarios materialize.
What these frameworks share is recognition that in environments with high uncertainty and potential for structural breaks, optimizing solely for normal-state efficiency creates brittleness. Systems optimized for a single set of conditions perform poorly when those conditions change. The goal becomes maintaining options and building in flexibility, even at some cost premium, to preserve the ability to adapt.
Prime Minister Carney's observation about the shift from rules-based to deals-based order captures this well. In a rules-based system, you can plan for compliance with known frameworks. In a deals-based system, frameworks themselves become negotiable, and adaptability becomes more valuable than optimization. Organizations and nations making infrastructure decisions today need to consider which environment they're actually operating in.
Practical Implications
What does this mean for organizations making decisions about infrastructure, data architecture, and operational dependencies?
A useful starting point is what might be called a "strategic autonomy assessment"—not as a formal methodology requiring consultants and months of analysis, but as a framework for asking better questions about existing dependencies. Do our backup options genuinely provide independence, or do they fail under the same conditions? If access were restricted, what's the path to maintaining operations? These questions need honest answers, not reassuring responses that often emerge from organizational review processes designed more for compliance than genuine examination.
This isn't about wholesale replacement of existing infrastructure. For many organizations, US-based cloud providers offer capabilities that would be expensive and time-consuming to replicate. The question is whether the current concentration of dependencies is a conscious strategic choice—made with full awareness of implications and trade-offs—or an artifact of decisions made when the risk landscape looked different and geopolitical considerations carried minimal weight.
Some organizations are beginning to implement "tiered data architectures"—differentiating between data that must remain under sovereign control, data that can reside in jurisdictions with strong legal protections, and data where efficiency matters more than sovereignty. This isn't compliance theater, where organizations make superficial gestures toward regulatory requirements without substantive change to their risk profile. It's architectural design that reflects a more nuanced understanding of geopolitical risk, translating abstract concerns into concrete technical decisions about where workloads run and where data resides.
The cost of building in this kind of resilience is real and shouldn't be dismissed. Distributed architectures are more complex. Multi-cloud environments require additional tooling and expertise. Regional data centers mean less economy of scale. The strategic question is whether those costs are justified by the optionality they preserve.
The Question of Timing
One of the most difficult aspects of planning for threshold crossings is that they often appear inevitable in retrospect but remain uncertain in real-time. We look back at the 2008 financial crisis, the 2011 Japanese tsunami's supply chain impacts, or the COVID-19 pandemic's sudden shifts, and the warning signs seem obvious. Living through the buildup, uncertainty dominates. Organizations that invested heavily in diversification may look prescient if relationships deteriorate, or may have incurred unnecessary costs if conditions stabilize.
There's no perfect answer to this timing question, but two observations may be useful. First, the cost of building in resilience follows a curve. Making architectural decisions that preserve options during normal planning cycles costs relatively little, perhaps 20-30% premiums on infrastructure, spread over time as systems refresh. Building the same resilience during a crisis costs substantially more, both in direct expenses and in operational disruption. Organizations paying these premiums proactively treat them as insurance. Those paying reactively experience them as crisis management.
Second, the value isn't only realized if the worst case occurs. The optionality itself has value in negotiations and strategic planning. An organization that can credibly walk away from a negotiation has leverage that a dependent one lacks. The ability to migrate workloads means vendors must compete on merit rather than relying on switching costs. Geographic flexibility enables serving customers regardless of how regulatory frameworks evolve. These benefits accrue continuously, not just in crisis scenarios.
Perhaps the more useful framing isn't "when will things get bad enough to justify this investment?" but rather "what's the opportunity cost of maintaining our current dependencies versus building in more flexibility?" When viewed through that lens, the question becomes less about prediction—forecasting when and whether specific scenarios materialize—and more about portfolio management.
Organizations don't need to make all-or-nothing decisions. Gradual diversification, conscious architecture decisions, and scenario planning can all proceed while maintaining operational continuity. The key is recognizing that decisions being made today about infrastructure and dependencies have longer-term implications worth considering explicitly.
A Shift in Ground
Risk frameworks evolve as the world changes. The traditional likelihood-and-impact model served well in an era of relative stability and predictability. When relationships between nations followed established patterns, when regulatory frameworks evolved gradually through known processes, and when technical infrastructure decisions carried primarily operational rather than geopolitical implications, the model's assumptions held.
In an environment where fundamental assumptions about relationships and frameworks have already shifted, those tools need supplementing with approaches that account for structural breaks rather than just discrete events. The change isn't coming—it has occurred. The question now is how organizations adapt their planning and decision-making to reflect this new reality.
Strategic autonomy isn't about isolation or self-sufficiency—goals that would be both impractical and counterproductive for most organizations. It's about conscious decisions regarding dependencies and resilience. Where should critical capabilities reside? Which dependencies are acceptable and which introduce unacceptable concentration risk? How much premium is justified to preserve operational flexibility? These questions don't have universal answers but require deliberate consideration in each organizational context.
The organizations and nations thinking through these questions now, while relationships remain functional but substantially changed, will have more options than those who wait for additional clarity that may come only after adaptation becomes urgent. They can make measured adjustments, test alternatives while maintaining existing operations, and build capabilities before pressure mounts. Those who wait will adapt under duress, typically at higher cost and with fewer choices.
The ground has shifted. The question is whether our planning frameworks have shifted with it.
Common Questions
What is strategic autonomy in infrastructure?
Strategic autonomy means maintaining critical capabilities regardless of how relationships with partners evolve—through conscious decisions about dependencies rather than default reliance on single providers or jurisdictions.
How does this differ from traditional risk assessment?
Traditional risk models (Likelihood × Impact) assume stable systems. Strategic autonomy planning accounts for threshold crossings—fundamental shifts in relationships and frameworks where historical patterns no longer predict future conditions.
Is this about abandoning US cloud providers?
No. It's about conscious decisions regarding concentration risk. For many organizations, US-based providers offer valuable capabilities. The question is whether dependency levels represent deliberate strategic choices made with full awareness of geopolitical dimensions.