---
id: "framework-playing-to-win"
type: "framework"
source_timestamps: ["¶19"]
tags: ["business-strategy", "decision-making"]
related: ["entity-playing-to-win-book", "entity-roger-martin", "entity-ag-lafley"]
speakers: ["Roger Martin", "A.G. Lafley"]
steps: ["What is our winning aspiration?", "Where will we play?", "How will we win?", "What capabilities must we have in place to win?", "What management systems are required to support our choices?"]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# Playing to Win Strategic Framework

A seminal strategic decision-making framework from [[entity-roger-martin|Roger Martin]] and [[entity-a-g-lafley|A.G. Lafley]], outlined in their book *[[entity-playing-to-win-book|Playing to Win]]*. The source references it at the close (¶19) — HBR offers a toolkit based on it — as the strategy layer into which cyber-risk decisions should nest.

**Five sequential, cascading strategic questions:**
1. What is our **winning aspiration**?
2. **Where will we play**?
3. **How will we win**?
4. What **capabilities** must we have in place to win?
5. What **management systems** are required to support our choices?

**Relevance to this vault:** the cybersecurity guidance in [[framework-dobrygowski-smb-cyber-defense]] is fundamentally a *strategic choice under constraint* — an SMB deciding where to play (which risks to accept), how to win (relative security, not absolute), and which capabilities/management systems (MFA, data architecture, security culture) to build. Playing to Win supplies the decision scaffolding for those choices.
