Business Strategy Assignment Analyzing Strategic Issues of Microsoft
Students are required to produce a business strategy assignment on one international organization of their choosing and address the following issues:
Brief introduction to the organization and sector it operates in, including a summary of the past 3 years’ revenue, operating profits and general overview of the business’s operational activities.
An outline of one strategic business issue they are, or have recently, faced; contextualized within the organizational setting, including an overview of relevant strategic decisions that led to their current position.
Critical analysis of why the issue has strategic implications and its impact on its stakeholders
Task 1- Introduction
Microsoft is one of the known international company operating in the information technology market with the mission to empower everyone and organizations to achieve more by creating opportunity for growth. The company indulge in the development of new technologies and products that helps in driving activities in small business such as productivity, competitiveness and efficiency. Microsoft has been responsible in impacting number of sectors such as startups, education, health and others. The company is founded in 1975 and their major operational activities since then lies in the development of software, services, devices and solutions to the customers (Microsoft 2020). Microsoft is known to offer large array of services including cloud-based solutions. The products that Microsoft sell to the customers includes operating systems, cross-device productivity, server applications, business solution applications, desktop and server management tools, software development tools and video games. They are responsible for designing, manufacturing and selling devices. The three major operating segments of the business are productivity and business processes, intelligent cloud and personal computing (Microsoft 2020). Microsoft is slowly transforming to new digital transformation and unlocking new opportunity in the field of intelligent cloud and intelligent edge.
In relation to financial performance, it is seen that the company has earned a revenue of $125,843 millions in 2019 and the company has been growing continuously since years. The revenue of the company was $93,580 million in 2015 and has increased to $125,843 million in 2019. This shows the growth in the revenue that Microsoft has achieved over time. in addition to this, it is also seen that the company has experienced an increase in operating income as well from $18,161 million in 2015 to $42,959 million in 2019. The net profit of the company in the first quarter of 2019 was $10.6 billion and the net profit in the whole year 2019 was $36.8 billion. This means that there was an increase in net profit by 22% over the past year (Microsoft 2020). This shows that the company has performed significantly over the years and has built a strong market base in the information communication sector. In the year 2019 the company was able to return more than $30 billion to shareholders. The success of Microsoft in every fiscal year is because of its deep partnerships that it has with leading companies in different sector. However, the company has been facing various management challenges along with opportunities that is creating huge issue for the company. The issues are faced in relation to information, insufficient integration, human bottlenecks, credential trust and soft targets and some of these challenges has huge impact on the overall performance of the company (Microsoft 2020).
0The purpose of the report is to analyze the strategic issue faced by Microsoft in its business environment and the strategic decisions that has led to such challenging situation. Further, the report critically evaluates the implication the issue has on the stakeholders.
Task 2- Strategic Business Issue
2.1 Strategic Business Issue
Strategic issue is referred to as an issue that arise from the strategic decisions taken by the company over time that needs further decisions or clarification in future. Moreover, such kind of issues has major impact on the future direction of the business. There are various kinds of strategic issues faced by the businesses over time related to business strategy, marketing, recruitment, management and resource limitations. According to Laamanen et al. (2017), it is stated that every firm make use of different ways by which issues emerging from strategic processes can be managed. Issues arises from a business practice because the practices tend to be unstructured, highly dependent, unorganized and unplanned. However, the issues arising from a strategy can be categorized as either an opportunity or threat. This depends on the characteristics of the issue and the importance it holds in its business processes. This makes it important to analyze the strategic issue in a business and learn the reason or decisions in the past that led to such issues to prevent it from future occurrence.
2.2 Strategic Issue Faced by Microsoft
One of the most evident strategic issue that Microsoft has been facing is human bottlenecks that limits the activities of the business. Microsoft has been facing huge challenges in its incident response process due to bottlenecks from the humans. Each incident that is caused in any of the software products and other services of the company highly damages its reputation and its customers. Incident response process is the process that an organization takes to effectively respond to the extent of incident or attacks that business faces in its operations and activities. According to Shedden et al. (2010), it is stated that effective response to incident is one of the critical functions of a modern organization. This is because there is a direct relationship between successful organization and effective response to the incident. An incident that the business fails to solve or handle turn it into a catastrophe such as damage to reputation, productivity, legal and regulatory penalties and cause direct financial loss. The customers of the business lose trust on the organization and the security it offers from the products. Incident is one of the major risks faced by an information technology because of continuous attack from hackers. The attacker of the IT systems like the one provided by Microsoft get the access and administrative control over the business processes and critical business data that can be used negatively. Microsoft being the largest information technology company face number of incidents in its products and services, especially from cybersecurity attacks.
For example, there has been major cybersecurity incidents in Microsoft that lacked efficient management and control. The security failure incident in the company hampered the confidentiality, integrity and availability of information of the organization. Along with breaching the sensitive information, the incident also causes operational destruction. In 2019, the company has blocked 13 billion malicious mails on their network and among them 1 billion were URLs. Further, the first two quarter of 2020 there was 35% increase in the total attacks volume and IOT threats and this is continuously expanding and evolving. Controlling such attack is important because such incidents have caused legal proceedings to Microsoft for breaching the confidentiality law (Gaus 2020). Such incident has been a major challenge for Microsoft when the organization is not equipped and trained well to deal with such crisis in the operation processes. In addition to cybersecurity incident, it is also seen that Microsoft customers faces ransomware attack and such attack on the information technology infrastructure is difficult to control and often irreversible. This incident has also caused high cost to the customers as they have to pay for the ransom with the hope that they receive the decryption key and restrict the attackers from attacking the software. However, paying for the ransomware to obtain the decryption key is not a good option because there is no guarantee that after the payment the encrypted data will be restored. This makes it difficult for the human resource of the company to make decisions regarding guiding the customers to either pay for the ransom or not. Such attacks and difficulties have been the major cause behind the rising incidents in Microsoft and the difficulties faced by employees to manage such incidents has made the situation worse.
2.3 Strategic Decisions that Caused the Issue
Human bottlenecks in incident response process has been the major issue in Microsoft in the past years because the time the incident management team is formed and the response manual is consulted, the incident takes several folds and impact the business negatively. The processes for handling the incident caused is long because Microsoft follow a lengthy process for handling such incident. The major reason behind the bottlenecks that is caused in the incident management system is due to poor strategic decisions. Strategic decisions are referred to as decisions that are made to manage a process with the help of short term or long-term strategy. It is the decision that is concerned with the whole environment in which a firm operates. The major features of a strategic decisions are that it is concerned with major resource propositions for an organization, helps in harmonizing resource capabilities, help in dealing with organizational activities, manage changes effectively and are complex in nature. Samba et al. (2018) has pointed out that poor quality strategic decisions lead to bad relationships and communication failures and this in turn creates weak performance of the organization. This makes it important to have an effective and planned structure for forming strategy. This has been the case in Microsoft as well where unplanned strategic decisions have led to difficulties in their incident response processes.
Management of Microsoft has planned and implemented a four incident response functions that included technology, operations, legal and communication. This strategy was taken by the management with the aim of responding to security and ransomware issue in a way that can significantly reduce the risk to business from such attacks. The preparation of responding to the incident in Microsoft is done through two steps such as identifying the high value assets and confirm the reliability of software development. Further, the response team also prepares for investigation with the help of several detection tools such as event correlation and analysis, integrated threat intelligence, machine learning analytics and others (Gaus 2020). The detection step is then followed by tracking and analyzing the response costs. This is followed by recovery step through technical documentations and automation. This shows that the incident management process of the company is lengthy and this has been the major cause behind the failure of incident response processes.
According to Ahmad et al. (2012), the employees of Microsoft are of the view that the company has indulged in huge planning and communication to develop intricate response plans to such incidents. However, the plans have not been implemented effectively and this has increased the time of response to such incidents. This makes it important for the business to turn the plans into workflows. However, the present workflows include detection and validation of events before solving the incident. This makes the process long and the customer data is hampered. This makes it necessary to have a response system that is short and reduce damages instantly after identifying the incident. Moreover, the incident response processes in Microsoft are highly dependent on human resources more than computers and this creates high chances of mistake. This is because even with effective response team and practice, human tends to make mistakes whenever they are in pressure.
In addition to this, it is seen that the strategic decision of Microsoft lacked the usage of machine learning in their incident response processes. This is also one of the major reasons behind the strategic business issue that the company was facing. Machine learning plays an important role in validating the incident indicators and select an appropriate response without much time and dependence on human resources. Microsoft has been missing out on this technology and automation of processes and highly depend on human resources for analyzing the incident. However, machine learning allows the businesses to respond to any new incident by training the system to respond to the next attack according to the detected indicators. This shows the strategic failure in the organization in relation to incident management system. This aligns with the findings of Gaus (2020) that states that technological interventions are necessary for controlling the dissemination of incident problem. Technological gap increases the incident and create greater risk to the business; however, implementation of technology is necessary for controlling such risks. Thus, it is necessary to have significant communication between the business and the technology for managing high severity incidents. Such notion is missing in Microsoft and this is creating the bottleneck in the incident response process. This is because it is highly challenging for the humans to detect the kinds of attacks that took place and the solution that is appropriate across different facets of network (Gaus 2020). The criminal groups are becoming highly skilled and evolving their techniques and keeping a gap in technology has been the major reason behind the bottlenecks in the incident response processes in Microsoft.
Task 3- Critical Analysis of the Issue and Impact on Stakeholders
3.1 Strategic Implication of Poor Incident Response Process
The incident management system of an organization has strategic implications on the organization because it has the capability to address the security attacks that takes place in confidential information. George et al. (2019) states that the senior management team has the willingness to investigate the risk of incidents that takes place in the organization because of the impact it has on the organization. There are number of the implication that a poor incident response system has on the organization such as reputation damage, financial penalties, reduction in sales and high threat to organizational data. Moreover, the poor incident response process means that the productive efficiency of the organization is damaged and reduction in end-user satisfaction. Microsoft failure to keep a sophisticated incident response process to protect the customers from cyberattack has negatively impacted customer satisfaction and their trust on using their services and products. This means that it is necessary for the organization to form a system that can detect such attacks and built a stronger preventative protection. Furnell et al. (2010) has further stated that an effective response management system to security in the organization is one of the most critical function of the modern organization. This is because an effective incident response process allows the organization to deal with changes effectively in the organizational environment and innovative strategies. The risk associated with the changes is effectively managed by incident response capabilities. Moreover, Shedden et al. (2010) has pointed out incident management teams in the organization also allow in adding multiple skills in the workplace environment such as technical skill, organizational skills and diplomatic skills. This is because the team is highly skilled in advising on areas like security, develop security policy, increase awareness and increasing knowledge development in the organization as a whole. This shows that the issue in incident response process has various strategic implication because it not only detects and eradicate information security incidents in a workplace, however, the response team also help in long term growth of the business by building technical skills and making the customers feel safe and satisfied from the service and product they form. The incident response team is one aspect of the organization that has not received adequate attention in current literature. However, the effective incident response is not a pure technical concern and is related to other procedures of the business and this shows that the issue in incident response team has strong strategic implications in various areas.
For example, in relation to Microsoft also it is seen that poor incident response team has caused strategic implication of reduction in customer satisfaction because the business failed to empower the customers to address the threat they face. This is because with lengthy and slow incident management processes has represented high risk in business environments and this has reduced the trust of the customers and impacted organizational reputation. The confidence of the community and the consumer is reduced that tarnish the reputation of the brand. This in turn has caused financial strains on Microsoft as the business is losing out on customers. For example, the issues in incident response process also has strategic implication on the operation of the business. The inability of Microsoft to handle the increased attackers in their server and lengthy incident management has caused hurdles in the operational aspects of the business. This is because with poor ways to handle incidents has caused increased destructive malware in the operations and slowing the normal speed of business operations. The poor incident response process also impacts the corporate valuations of the company negatively and provide the competitors with a competitive advantage. This is because with inability to manage risk incidents makes it easy for the competitors to attract potential customers and expand their market share.
The strategic implication of poor incident response system is also seen in relation to cost because with rising risks the cost of the security increases as the complexity of the environment rises. For example, the issues in incident response system in Microsoft has increased their total cost of ownership. This is because the company has to purchase operating system and technologies to form standardization in their incident response processes.
3.2 Impact on the Stakeholders
Stakeholders form an integral part of their business and are involved in every business decision making. This is because any issues in the business impacts the overall return to their stakeholders. There are two types of stakeholders that a business has such as internal and external stakeholders. The internal stakeholders are internal to the business process and take part in business decision making such as employees, managers, board of directors and others. On the other hand, external stakeholders are entities outside the business, however they are impacted by business performance such as consumers, regulators, investors and suppliers (Chapleo and Simms 2010). Furnell et al. (2010) has stated that risky incidents in the business exerts high pressure on the business by increasing stakeholder frustration. This is because the rising incidents cause financial strains on business and this is turn reduces the return to stakeholders and increased pressure. In relation to internal stakeholders, it is seen that the rising incidents put more pressure on the management and employees to handle the incident and reduce risks. This is because larger the risks from incident and inadequate response team would mean that more teams need to be involved and increased tension of reducing the risk on employees. For example, in Microsoft the issues in incident response process has increased pressure on the business to take up new technologies for managing security incidents and reliably validate incident indicators. Moreover, it has increased the workload on the employees and the management to develop intricate response plans for reducing the security risk incidents and make the customers empowered to address such threats. The rising threat from ransom has increased the fear for most of executive teams because cybercriminals are changing over time and evolving their techniques and detecting their abilities is becoming difficult (Gaus 2020). They face huge pressure from legal action and policy disruptions from malicious activity.
However, Shedden et al. (2010) has argued that challenges in incident management system has positive impact on the organization and its internal stakeholders. This is because with rising risk of incidents and inabilities to manage risks the management face better opportunities to take better business decisions and scope of being benefitted from new plan. For example, in case of Microsoft it is seen that difficulties and loopholes in incident response processes has helped the management to develop new plans to quickly identify and reduce damages. The increase time consumption from the present incident response processes has led Microsoft adopt new technologies to ensure consistency in response such as machine learning, artificial intelligence and others. Further, issues in incident response processes has helped in increasing the ability of the employees. In Microsoft the such issues in managing risky incidents has led to adoption of training processes so that they can better respond to upcoming cyber-attacks. This shows that the employees are benefited from such issues with the chance of improving their abilities. The rising issues in incident response process has also led Microsoft to continue to explore cloud computing and use it in core IT functions for better security.
In relation to external stakeholders, it is seen that such issues cause negative impact on the customers with rising risk of getting attack and misuse of information. For example, the cyberattack faced in various Microsoft products and services gives the attackers access to personal information of the customers and misuse of their personal data for inappropriate works. Thus, the issue reduces the confidence of the customers and out their information in higher risks. For a company like Microsoft, it is highly important for managing effective incident response process to ensure better security of customer information and increased trust of the customers. However, Awan et al. (2017) has argued that all incident in the organization do not have external focus and impacts customers. This can be seen from the fact that low impact incidents have more of an internal focus and do not impact the customers directly. However, this is not the case in Microsoft because the security incidents related to privacy and cyberattacks in the company has direct impact on the data of the customers that they protect. Privacy and cybersecurity are two pillars of Microsoft and forms a central challenge for every customer and leads to creation of “zero trust” environment.
The impact of issues in incident response processes is also seen on the investors of the business. This is because with security issues and reduction in trust of the customers the businesses face high financial loss and this in turn reduces the return to the investors. For example, Microsoft has always been an option for the investors to invest their money due to large and growing markets that the company is achieving. However, with rising security issues and inability to address customers problem, the investors lose their trusts on the company. This shows that such issues will have negative impact on the overall investment ability of the company and in turn creates further business challenges.
Task 4- Conclusion
From the above analysis it can be concluded that the rising issue in incident response processes will negatively impact the financial outcome of Microsoft. Microsoft has been operating effectively financially with rising customers base and market, however, such inability to manage risky incidents makes the company face huge problems and loss. This is because such security and privacy risks from cyberattacks makes Microsoft lose the trust of the customers and create a “zero trust” environment. This in turn reduces their demand towards products and services of Microsoft and in turn cause financial loss. Microsoft is seen to face huge pressure on its incident response processes due to various reasons such as lengthy and time-consuming process, inappropriate and insufficient use of technologies and inability of the employees to analyze risks. The rising risks from security incidents in Microsoft can be seen from the security issue data gathered. In 2019, the company has blocked 13 billion malicious mails on their network and among them 1 billion were URLs. Further, the first two quarter of 2020 there was 35% increase in the total attacks volume and IOT threats and this is continuously expanding and evolving. The issues in the incident response processes are caused because the time taken for the formation of incident management team and consultation to the response manual, the incident takes several folds and impact the business negatively Such rising risks are having strategic implications for the business such as reputation damage, financial penalties, reduction in sales and high threat to organizational data. In relation to Microsoft also it is seen that poor incident response team has caused strategic implication of reduction in customer satisfaction because the business failed to empower the customers to address the threat they face. In addition to this, the issues in incident response processes also has an impact on the stakeholders. The impact is both negative as well as positive because such issue not only reduces trust of the customers, increases pressure on the employees and the management, however, it also helps in improving the ability of the business to manage such security incidents by bringing improvements in the technical ability. In case of Microsoft, it is seen that with the formation of “zero trust” environment and inability of managing incidents has increased the need of the business to invest in better technologies such as cloud computing, artificial intelligence, machine learning and others to automate the process, increase reliability of validating incident indicators and to reduce response time. this shows that the strategic issue that Microsoft face has both positive and negative impact on the business by bringing improvement in various areas and perform with better reliability over and over. The success of Microsoft in every fiscal year will be hampered because of problems in partnerships that the company has over the years with leading companies in different sector.
Ahmad, A., Hadgkiss, J. and Ruighaver, A.B., 2012. Incident response teams–Challenges in supporting the organisational security function. Computers & Security, 31(5), pp.643-652.
Awan, U., Kraslawski, A. and Huiskonen, J., 2017. Understanding the relationship between stakeholder pressure and sustainability performance in manufacturing firms in Pakistan. Procedia Manufacturing, 11, pp.768-777.
Chapleo, C. and Simms, C., 2010. Stakeholder analysis in higher education: A case study of the University of Portsmouth. Perspectives, 14(1), pp.12-20.
Furnell, S.M., Clarke, N., Werlinger, R., Muldner, K., Hawkey, K. and Beznosov, K., 2010. Preparation, detection, and analysis: the diagnostic work of IT security incident response. Information Management & Computer Security.
Gaus, A., 2020. Microsoft's 3 Biggest Challenges for 2020. [online] The street. Available at: < https://www.thestreet.com/investing/microsoft-3-biggest-challenges-2020> [Accessed 27 December 2020].
George, B., Walker, R.M. and Monster, J., 2019. Does Strategic Planning Improve Organizational Performance? A Meta?Analysis. Public Administration Review, 79(6), pp.810-819.
Laamanen, T., Maula, M., Kajanto, M. and Kunnas, P., 2017. The role of cognitive load in effective strategic issue management. Long Range Planning, 30, p.1e15.
Microsoft., 2020a. 5 threat management challenges and opportunities. [online] Microsoft. Available at:
Microsoft., 2020. Annual Report 2019. [online] Microsoft. Available at: < https://www.microsoft.com/investor/reports/ar19/index.html> [Accessed 27 December 2020].
Samba, C., Van Knippenberg, D. and Miller, C.C., 2018. The impact of strategic dissent on organizational outcomes: A meta?analytic integration. Strategic Management Journal, 39(2), pp.379-402.
Shedden, P., Ahmad, A. and Ruighaver, A.B., 2010. Organisational learning and incident response: promoting effective learning through the incident response process.