8
The Nuclear Triad, the Empty Plane, and Other Ways to Mitigate Risks
Each night, an Airbus A300 flies from Denver to Memphis. It carries no passengers and often no cargo. Flight 1311 costs about $30,000 a night and runs 365 nights a year.1
This nightly flight is part of the secret sauce behind FedEx Corporation, the world’s largest express transportation company, which delivers four million packages to 220 countries and territories each day with 650 planes, 48,000 vehicles, and 165,000 employees.2
Flight 1311 is just one component of the company’s risk mitigation efforts. FedEx’s success depends on delivering packages on time in a world full of surprises—an erupting Icelandic volcano, missile launches in Syria, trucker strikes in France,3 protests in Venezuela, typhoons in Asia, cyber threats, or a sudden spike in Apple iPad orders. The plane’s role: recovering unanticipated cargo. “It’s our flying spare, attempting to sweep up anything that our other aircraft don’t pick up,” explains Marcus Martinez, managing director of FedEx’s global operations control.4
Martinez’s Global Operations Control Center (GOCC) is FedEx’s risk mitigation nerve center, employing 220 people and located at the company’s “SuperHub” in Memphis. The SuperHub is a city unto itself, stretching across more than 800 acres, with 150 airplanes and nearly 80 miles of conveyer belts that process more than a million packages a day.5 It has its own hospital, fire, and police departments, 20 backup electric power generators, and branch offices of the Department of Homeland Security and other U.S. federal agencies.6 At peak times, planes are landing every 40 seconds.7 That’s about as fast as combat flight operations on an aircraft carrier.8
Daniel Acker/Bloomberg via Getty Images
The GOCC has hundreds of computer screens displaying real-time conditions and locations of FedEx flights worldwide. The place is wired with the latest technology and hums with activity twenty-four hours a day. The team includes fifteen full-time meteorologists; dispatchers and logistics experts coordinating with control centers in Asia and Europe; industrial engineers; scenario and contingency planners; customs compliance experts; crew scheduling specialists who make sure flight crews are where they need to be and that they are complying with regulations about flight hours and mandatory rest; and many more. The center “is kind of like Wikipedia for the FedEx pilot,” says captain Steve Zeigler. “Wherever we are in the world, they have the ability to get the answers, which makes our job much easier.”9
At FedEx, risk mitigation is about people and process, not just technology. Paul Tronsor, who started out as a package handler, ran GOCC for a decade and currently serves as vice president of global operations control and service quality assurance, notes, “One of the things that makes FedEx such a strong and people-oriented company is that many of us in leadership roles started out as handlers or couriers. It makes us understand two things: one, the value of the customer, and two, the value of the team members working at FedEx.”10 That teamwork is personal. Every FedEx airplane is named for an employee’s child. (The tradition started when a Falcon aircraft was named Wendy, after the daughter of Fred Smith, FedEx’s founder, chairman, and CEO.)11 When it comes to hiring, FedEx looks for people who are team players, are adept at evaluating large quantities of information, can make fast decisions, and can stay calm under pressure. “We have a saying around here: ‘When in control, be in control,’” notes Tronsor.12
The GOCC also has well-developed processes. The center conducts regular training to ensure cool, focused action under pressure. Authority is delegated downward so that managers can change flight paths whenever necessary rather than wading through layers of bureaucratic approvals each time. Crisis decision cycles extend over three to four days to limit confusion and improve coordination. “When you’re in a situation that’s spinning fast, it’s tempting to change gears daily. This leads to chaos by pulling your people and systems in different directions,” notes Tronsor.13 Each major crisis ends with a team debrief to share lessons learned.
In addition, the center invests in anticipation. GOCC leaders know the earlier they catch a potential disruption, the more options they have to work around it. Meteorologists forecast weather days in advance. Contingency planning is continuous so there is always a Plan B on the shelf. Routines are designed to facilitate flexibility, not impede it. Each morning begins with a “war room” conference call among FedEx managers to review the previous day’s operations and plan for the current day.
FedEx is a model of effective risk mitigation. While most companies do not need a bevy of meteorologists working around the clock or operations running as fast as aircraft carriers in combat, everyone can learn from FedEx’s underlying approach. FedEx assumes that political risks can never be eliminated, no matter how hard you work or how good you are at identifying and analyzing them. “The GOCC may not be able to foresee what will cause the next European truck drivers’ strike, but they know ground delays will happen at some point, and when it happens, the backup plans are ready to go,” the company once said.14
In the last two chapters, we discussed how to understand and analyze political risks. This chapter offers a guide for tackling residual risks that inevitably remain. Success requires a multilayered approach that uses three interlocking strategies: developing mitigation strategies in advance, creating warning systems that enable fast action when you need it, and building resilience so the entire organization can bend without breaking when bad things happen.
1. How can we reduce exposure to the risks we have identified?
Organizations can reduce exposure to political risks in many ways, but every strategy should begin by understanding what most needs protecting. No company, nonprofit, or government agency can afford to protect everything from every contingency. Risk mitigation requires trade-offs, and trade-offs require understanding what assets are most valuable and most vulnerable.
Understanding Where Asset Value and Vulnerability Converge
At FedEx, asset value and vulnerability are clear: On-time delivery is the company’s holy grail. It is the most important part of FedEx’s value proposition and also the most vulnerable to man-made and natural events. FedEx has been innovating ways to reduce the risk of delivery delays for nearly half a century. “Since FedEx Express started, there’s not been a minute of any day in our 40-year history that the ops control group has not been here overseeing the operation,” notes Tronsor.15 FedEx invests in the GOCC because it must. “You have to put your money where your mouth is,” says FedEx chief Fred Smith.16 “At the end of the day we’re essentially selling trust. People give us some of the most important things that they own. There’s medical equipment that’s going to a surgery this morning or a part that’s going to determine whether the new 787 flies.”17 Everyone at FedEx knows that “if we don’t get it there, we don’t get paid,” says Smith.18 Smith doesn’t even think of risk management as risk management. “I wouldn’t call this risk management,” he told us, “but instead it’s our commitment to our customers. It’s the purple promise: We will make every FedEx experience outstanding.”
A surprising number of firms lack FedEx’s visibility into the convergence of asset value and vulnerability. A 2013 survey found that 74 percent of companies had encountered significant supply chain disruptions in the previous two years requiring C-suite attention but still had not developed an effective continuity plan to deal with them. The risk was there but the mitigation game plan wasn’t.19 In a 2015 cyber threat survey, two-thirds of risk management professionals said they did not know the value of the company’s critical assets being hacked. Nearly 40 percent said they did not have a clear understanding of what their data assets even were.20
SeaWorld and Sony Pictures illustrate why it is so important to know asset value/vulnerability convergence. SeaWorld had long recognized that putting humans in orca tanks was dangerous and that animal rights groups opposed the company’s treatment of animals in captivity. What company executives did not realize was just how dependent their brand and core business were on Shamu. When Blackfish was released, nearly half of all parks owned by SeaWorld’s parent company were SeaWorld theme parks or extensions of the SeaWorld brand. Every SeaWorld park featured its famed “Shamu shows” in “Shamu stadiums.” Shamu was the company’s logo, its star attraction, and its marketing cornerstone—the image everyone associated with the brand. That’s why it did not take much to destroy half of the company’s shareholder value.
After SeaWorld’s stock price plummeted, management began reaching out to animal rights groups, moving more aggressively into new business lines such as television programming, and creating more ride-based attractions as it phased out orca shows.21 These steps could have been taken before Blackfish if only executives had considered where asset value and vulnerability converged.
Like SeaWorld, Sony Pictures executives did not see the convergence of asset value and vulnerability until it was too late. North Korea’s cyber attack over a Seth Rogen comedy was certainly bizarre and hard to imagine. But studio executives should have known that yet-to-be-released movie scripts and contracts with Hollywood stars were among its most valued assets, and that Sony’s weak cyber defenses left it exceptionally vulnerable to anyone who wanted them.22 Sony’s parent company had been the victim of more than twenty cyber breaches in the previous three years, including a 2011 attack on its PlayStation network that cost $170 million. Yet efforts to improve cyber security floundered. A new cyber chief abruptly quit in 2014 amid speculation that he was frustrated by insufficient authority and resources. Meanwhile, at Sony Pictures, IT administrator user names and passwords were stored in unprotected files, including one named “Password.”23 The studio’s email system did not employ basic protections such as two-factor authentication (where logging in requires two forms of identification, usually a regular password and a randomly generated code sent to a mobile phone). And just weeks before the North Korean breach, a cyber security firm visited the Sony Pictures offices to sell its services. After checking in with security, they walked right into the studio’s unlocked information security offices. Nobody was inside. The computers were sitting there, connected and unprotected. “If we were bad guys, we could have done something horrible,” said entertainment attorney Mickey Shapiro, who was there.24 As cyber expert James Lewis noted, Sony “[left] the doors wide open and put out the welcome mat.”25
Sketching value and vulnerability along a 2-by-2 matrix helps illuminate risk mitigation priorities. Start by asking:
• What assets are most valuable to my organization?
• What assets are most vulnerable to political risk?
• Where do high value and high vulnerability cluster?
In the example matrix below, Sony scripts and contracts and SeaWorld’s Shamu brand are in the “High/High” quadrant, making them top-priority assets for risk mitigation. Medium priorities include assets that are of lower value but highly vulnerable to political risks, and assets that are valuable but not so vulnerable. Coca-Cola’s Angola bottling plant is an example of a lower-value/higher-vulnerability asset. When Coke decided to build the plant in 2000, Angola was still experiencing civil unrest, with shooting between rebel and government forces not far from the plant. But the value of this site for the company’s global operations was relatively low—a $33 million investment in a $20-billion-revenue business. Coke made the value even lower by sharing the investment with partners.26
Occidental Petroleum’s West Texas drilling operation is an example of a higher-value/lower-vulnerability asset. West Texas oil production accounts for 39 percent of the company’s global total, and the capital investment required is substantial. But the risk of expropriation or sudden, severe regulatory change in Texas is extremely low.27
Two Common Mitigation Strategies: Market Avoidance and Timing
Once you have visibility into what needs protecting, you can pursue a number of mitigation strategies. Market avoidance and timing are the most frequently used. It should come as little surprise that investors and companies often make judgments based on general rules of thumb about country conditions. As Silicon Valley entrepreneur and investor Vinod Khosla told us, “We’re dealing mostly with small companies, so… we end up worrying mostly about do we even want to be in a country or not… There are places where we don’t do business.” Other investors told us the same thing. As Marc Andreessen explained, early stage investment is a case where market avoidance can work well. “One of the reasons the U.S. does so well in tech,” he told us, “is because we’re blessed with such a large and vibrant early adopter market here, so these companies can get to their $100–$200 million in sales by just selling in the U.S.”
Timing is another common strategy. Blackstone’s Tom Hill includes timing in his definition of risk. “In investing, risk is the probability and magnitude of capital loss over a defined time period,” he told us. “Your investment time frame and duration of committed capital truly matters. In private equity, we have capital commitments from our investors which run ten years, with automatic extensions built into LP agreements. In the 2008 financial crisis, as long as we capitalized our investments well, as long as we bought them at the right price and had no financing coming due, we could hold through the crisis, so that we are able to achieve our desired return when markets recovered. Staying power is really important.” As we noted in chapter 6, Khosla advised one of his companies to enter a foreign market knowing that its intellectual property would likely be compromised. But because the company was estimated to have a ten-year profit window in that market before that occurred, the entry made sense. Timing helped mitigate the risk.
Beyond these usual suspects, three mitigation strategies can be useful: dispersing critical assets, creating flexible surge capacity, and aligning with others. Or as we like to put it: Build your nuclear triad, fly the empty plane, and band together.
Build Your Nuclear Triad: Dispersing Critical Assets28
The strategy of dispersing critical assets has been central to nuclear deterrence. During the Cold War, nuclear planners worried that if a single massive Soviet strike could eliminate all American nuclear forces, the Soviets would be more likely to attack. So they arranged American nuclear forces into a “triad” of hardened intercontinental ballistic missile sites, distributed bombers, and roving, hard-to-find submarines to ensure that no enemy first strike could ever eliminate America’s entire arsenal. Dispersing our most powerful nuclear weapons in three different platforms ensured that no matter what happened, the United States could retaliate. Paradoxically, the credible threat of nuclear retaliation lowered the risk of nuclear war. Survivable second-strike forces kept both sides from stepping into the nuclear abyss.
Businesses need to build their equivalent of the nuclear triad to reduce the impact of any single political event on the bottom line. No organization should have its most valuable resources exposed to the same risk at the same time. To be sure, dispersing critical assets is more easily done in some industries than in others—and sometimes may be impossible. For example, in the oil business, refining standards (which vary by state in the United States) make it impossible to easily move production from one refinery to another should a disruption occur. But there are areas—such as data management capabilities—where creating redundancies is a good mitigation tool for any company.
FedEx’s equivalent of the nuclear triad is its network of global hubs. The Memphis SuperHub is the company’s largest, but it is one of a dozen FedEx hubs around the world, all designed to enable regional flex. Multiple hubs ensure that a bad day in Memphis does not become a bad day everywhere.
The bond and equity trading firm Cantor Fitzgerald is the most searing and incredible example of how dispersing assets can make a difference. On September 11, 2001, terrorists killed 2,977 people in New York, Washington, D.C., and Pennsylvania. Not since the War of 1812, when British troops burned the White House, had an enemy attacked the continental United States so destructively. No company suffered more loss of life that day than Cantor Fitzgerald, whose offices were located on the 101st to 105th floors of the World Trade Center’s North Tower. The firm lost 658 employees, nearly two-thirds of its U.S. workforce. And because hiring friends and family was part of the Cantor culture, many lost multiple family members. Cantor CEO Howard W. Lutnick, whose younger brother died in the attack, lived only because he was taking his five-year-old son, Kyle, to his first day of kindergarten and was not yet in the office.
Few thought Cantor could possibly survive. Yet when Treasury markets reopened two days later, Cantor was back in business. In the years since, the firm has not only survived but thrived. How did it manage to hang on in those dark early days? In part because of the extraordinary dedication of Cantor’s surviving employees. In part because of Lutnick’s determined leadership. In part because other firms, even competitors, came to Cantor’s aid. In part because of what Lutnick calls a series of “miracles” like a golf outing and a fishing trip that kept several key executives out of the office that morning.29
“No one ever builds a disaster recovery plan that allows for the destruction of everybody in the office at 8:45 a.m. That is never in any plan.”
—Howard W. Lutnick, CEO, Cantor Fitzgerald
But a large, unheralded part of the story is that before 9/11, Cantor Fitzgerald had dispersed many of its critical assets. After the 1993 World Trade Center terrorist attack, the company decided to set up a backup disaster recovery site in Rochelle Park, New Jersey, just in case.30 Cantor’s eSpeed online trading subsidiary, which was the backbone of the firm’s real-time electronic trading in Treasury markets, had three data centers, so when the main New York data center went down on 9/11, eSpeed did not.31 When markets opened at 8:00 a.m. on September 13, eSpeed was ready at 7:00.32 With nearly all of the firm’s voice brokers killed, the firm shifted even more to eSpeed to keep trading. Finally, though New York was Cantor’s headquarters and largest office, the firm had a seven-hundred-person office in London that worked furiously to perform all the jobs of their lost New York colleagues to keep the company afloat.33 “No one ever builds a disaster recovery plan that allows for the destruction of everybody in the office at 8:45 a.m. That is never in any plan,” Lutnick told listeners in an emotional conference call a month after 9/11.34 But Cantor had built its nuclear triad. Without a risk mitigation plan that included dispersing key assets, Cantor Fitzgerald probably would not have survived.
Fly the Empty Plane: Creating Flexible Surge Capacity
Dispersing key assets is closely related to a second mitigation strategy: creating excess capacity, whether it’s flying FedEx’s empty plane, keeping warehouses partly empty, or employing personnel who aren’t 100 percent busy 100 percent of the time. In recent years, slack has become synonymous with “waste.” Many companies have been trimming margins by reducing slack, moving to just-in-time inventory management. But slack has benefits. Without it, unforeseen events—from terrorist attacks to cyber threats to civil unrest or a surprise referendum result—can take a heavy toll. Earlier we mentioned Boeing’s 787 Dreamliner, which suffered unprecedented production delays in part because nobody foresaw that the 9/11 terrorist attacks would lead to a decline in air travel, a contraction in the fastener industry, and a shortage six years later of the nuts and bolts that hold jets together. These special fasteners constituted just 3 percent of the cost of an aircraft, but they became one of the reasons Boeing experienced a three-year production delay.35
Though better risk assessment certainly could have helped, it wasn’t the only solution to Boeing’s Dreamliner nightmare. The company did not need a crystal ball to protect itself from the fastener shortage. It needed more slack. Even if Boeing executives had missed the ripple effects of 9/11, the company could have lessened or prevented the disruption of its fastener supply chain with an inventory policy that required keeping parts on hand for a minimum number of months.36 Instead, the shortage came as a surprise, without any slack in the system to keep production lines moving. This dramatically delayed six hundred airplane orders. It didn’t have to.
Other firms create flexible surge capacity through standardization or last-minute customization. The Intel Corporation, for example, designs all of its semiconductor fabrication plants to be identical so that if one plant cannot function at full capacity, another can quickly step in, decreasing both response time and cost in a crisis.37
Band Together: Aligning with Others in Your Industry
Aligning with others in your industry takes two forms: sharing information about risks, and pursuing voluntary collective action to preempt more damaging legal or regulatory changes to the industry.
Alan Orlob’s experience at Marriott International highlights the benefits of banding together. Since 9/11, terrorist groups have taken greater aim at luxury hotel chains. As governments have moved to harden parliaments, offices, and military facilities, hotels have become “softer” targets. Western hotel chains are particularly vulnerable because they are seen as symbols of Western values and have a continual stream of people—including guests, third-party vendors, and employees—that make security challenging. Hotels have to strike a careful balance between taking measures to protect guests (like security guards and metal detectors) and creating a warm and inviting atmosphere. Terrorist attacks against hotels included the 2003 and 2004 car bombings of the JW Marriott in Jakarta and the Taba Hilton in the Sinai Peninsula; the 2005 triple suicide bombings of the Grand Hyatt, Radisson SAS, and Days Inn in Amman, Jordan; the storming assaults on the Taj and Oberoi hotels in Mumbai, which killed one hundred in 2008; the double bombing of the JW Marriott and Ritz-Carlton hotels in Jakarta in 2009; and the 2011 Intercontinental hotel attack in Kabul.
Orlob told us that when he first started his job, he thought that security could be Marriott’s competitive advantage. “My early philosophy, and I used to espouse it frequently, is that in any city we operated a hotel, we would have more security than any other hotel,” he told us. “By doing this we knew it would dissuade terrorist organizations from attacking us because we became in that city the hard target if they were looking for a hotel.” Operating hundreds of hotels around the world, including in high-threat cities like Islamabad and Jakarta, Marriott took security seriously. Orlob developed a process for assessing and hardening the hotels according to a risk level that was continuously reviewed and adjusted. He created an in-house intelligence analysis unit to track global events 24/7. And he developed one of the industry’s first comprehensive crisis management plans. But after the 2005 Amman attack, when suicide bombers simultaneously hit the Hyatt, Radisson, and Days Inn, killing fifty-seven people, Orlob realized that Marriott’s security measures weren’t enough: The industry needed to work together. The realization came when he learned that Jordanian police had picked up an Iraqi woman suicide bomber whose vest failed to detonate in that triple bombing. She told investigators that her terror cell had looked at the Amman Marriott but found the security there too robust, which was why they targeted other hotels instead. Even though Marriott was not struck in the attack, its business was. After the bombings, Orlob said, “nobody wanted to come to Amman, Jordan, and stay in a Western-branded hotel.” From a business perspective, an attack on one Western hotel was an attack on them all.
Orlob thought, “Rather than competing in this space, we should be collaborating in this space.” So he established a hotel security working group to share information and best practices among security directors from the ten biggest hotel companies and got the State Department’s Overseas Security Advisory Council to sponsor it.
Cruise lines, which also confront rising terrorist threats, have embraced “aligning with others” as a risk mitigation strategy, too. Royal Caribbean’s Adam Goldstein told us, “In marketing or sales we fight with our competitors like cats and dogs. But when it comes to safety, the environment, and security, we all pitch in because it’s in the interests of our customers and the industry to do that.”
Aligning with others is not just about improving defenses against suicide bombers. Sometimes industry action can protect companies from reputational risks in tough political situations and preempt regulatory or legal changes. In the 1970s, for example, Reverend Leon Sullivan, an African-American minister and member of General Motors’ board of directors, proposed a code of conduct for all American-owned companies operating in apartheid South Africa. At the time, General Motors was the largest employer of blacks in the country. Sullivan’s principles included ending segregation of races in the workplace; equal and fair employment practices; equal pay; training programs for nonwhite employees; increasing the number of nonwhites in management and supervisory roles; improving the quality of life for nonwhites outside the work environment; and working to eliminate laws and customs that impeded social, economic, and political justice. Although initially a response to apartheid, the principles eventually gained popularity among companies not operating in South Africa.
The Sullivan Principles were an early version of what has become increasingly commonplace: voluntary corporate social responsibility standards embraced by an industry. American movie studios adopted their own rating standards in 1930 to fend off government regulation.38 Seventy years later, as international opposition to “conflict diamonds” grew, the diamond industry adopted a set of standards called the Kimberley Process to prevent conflict diamonds from entering the market. After the Rana Plaza factory collapse in Bangladesh killed more than a thousand employees in 2013, more than 150 major clothing companies signed an accord to inspect, fix, and publicly disclose safety violations in Bangladesh’s notoriously unsafe factories. Banding together in these cases is a kind of preemptive self-regulation. The goal is to reduce the probability of more serious regulatory and legal changes and to reduce activist and consumer backlash on salient social issues.
2. Do we have a good system in place for timely warning and action?
Reducing exposure to political risks through dispersal, flexible surge capacity, and banding together provides the first layer of risk mitigation. The next is developing a warning system to spot residual risks in time to take action. In the last chapter, we suggested tools like scenario planning and devil’s advocates to analyze risks over the horizon. Warning systems, by contrast, are designed to deal with risks knocking on the door.
In the national security world, this is the difference between strategic and tactical intelligence analysis. Strategic intelligence analysis examines over-the-horizon questions, like “What are the prospects for Egyptian democracy in the next ten years?” Tactical intelligence analysis examines questions about the here and now, like “How many improvised explosive devices has ISIS laid in the Sinai this week?” Translated to the business context, strategic political risk assessment involves peering into the future to better see broad trends. Tactical political risk assessment involves penetrating the present to see imminent challenges. Warning systems are all about tactical analysis, conveying real-time information to prevent bad events from occurring or limit the impact if prevention is impossible. Effective warning systems do two things well: provide situational awareness and set tripwires and protocols so that certain steps are triggered automatically when conditions warrant.
Situational Awareness
Situational awareness is a dynamic understanding of political risks knocking on the door. In our hypothetical Burma case, for example, Kiku Telecom receives word that a peaceful labor protest by its Muslim workers has triggered a violent ethnic crackdown by the Burmese military, which also happens to be Kiku’s joint venture partner. Initial reports are that the Burmese government has shut down all telecom service in the region, several Muslim Kiku workers have been injured, and others have been arrested, prompting outcries from human rights groups.
But first reports are almost always incomplete. Getting an accurate understanding of a crisis as it unfolds is essential, difficult, and requires robust information sources and coordination. President John F. Kennedy realized that he lacked situational awareness within his own government during the Bay of Pigs invasion. That’s why he created the Situation Room in the White House to serve as a communications and coordination center, which it still does.
In the Burma case, our MBA students like to jump into problem-solving mode even though it’s unclear what the problem is. We usually have to slow them down with some basic questions:
• Has the situation at the company’s work site stabilized or is there an ongoing risk of protest, violence, and government action?
• Was this a deliberate attack by the military or was it an effort to restore order?
• Has telecom service actually been shut down to the region? If so, by what authority? Who has the power to reverse the decision? What are the implications for Kiku’s operations in Burma if the government is arrogating to itself the right to impose a communications blackout during times of civil unrest?
• What is the reaction to the unfolding incident among key stakeholders such as parliament, the military, Burmese political opposition groups, human rights groups, and the press?
• How is the situation likely to unfold in the next several days?
• How does this event change our assessment of the political risks in Burma, and what additional steps, if any, should we take?
Our student executives struggle to answer these questions because the fictitious company never developed a robust situational awareness capability in the first place. We use the case to show the importance of thinking ahead. The lesson is not to let exciting business opportunities blind you. Companies need to be able to track developments as they unfold with diverse information sources in a coordinated manner. If that capability is not in place before crises hit, you’ll regret it.
Today, companies on the front lines of managing global political risk have developed in-house threat assessment units staffed with former intelligence and law enforcement professionals to provide situational awareness about political developments around the world in real time. Royal Caribbean’s team is led by a twenty-five-year veteran of the FBI. Disney’s senior vice president for global security, Ron Iden, served as the director of the California Office of Homeland Security and spent twenty-five years at the FBI, including leading the Bureau’s Los Angeles field office, where he oversaw investigations of terrorism, counterintelligence, and corruption. Marriott’s Alan Orlob worked in the U.S. Army special forces for twenty-four years and has been a consultant for the U.S. State Department’s Anti-Terrorism Assistance Program. Chevron’s eight-person team of global analysts and risk experts has a combined ninety-two years of experience in U.S. and other government security services.
The best in-house risk teams have four core competencies to develop situational awareness:
• An ability to sift through voluminous amounts of information quickly to determine relevant political risks
• A deep understanding of the business to identify quickly what matters most for their bosses
• A forward-leaning entrepreneurial approach to collect and share information that may not be obvious or readily available through standard products
• A healthy skepticism about how incentives might affect what information they receive and when they receive it
Above all, situational awareness needs to be proactive and timely to be useful. Companies that manage political risks well do not sit back waiting for government advisories or quarterly industry reports. They know that warning systems need to be fed continuously and creatively. As Chevron’s director of global security, Pat Donovan, told us, “You have to be informed about the world. You have to be reading five newspapers a day. If you want to stay on top of it, you have to be on top of it.” Some companies station risk analysts in different regions. Some hire analysts with particular geographic expertise. Some bring in consultants to help the in-house team surge on a particular issue. Many develop customized tools to identify, collect, and analyze information. McDonald’s, for example, uses a sophisticated model developed by Northwestern University to gather press reports and other information about groups that might launch boycotts or conduct activities that could disrupt company operations or tarnish the brand.39 All of the high-functioning political risk units we found are proactive about getting and vetting information from a variety of sources. Informal networks play a vital role. As Nenad Pacek and Daniel Thorniley write, “A manager who relies solely on desk research is like a ship’s captain who sees only the top of an iceberg; it is the large chunk below the surface that makes or breaks the business.”40
In chapter 6, we recounted the shooting down of Malaysia Airlines Flight 17 in July 2014 over Ukraine during conflict between Russian-backed separatists and Ukrainian forces. That same day, 160 other commercial airliners were flying through Ukrainian airspace, despite the fact that it was a war zone. Just two days earlier, two Ukrainian military planes were shot down while flying at commercial altitudes.41 Still, Ukrainian airspace remained open, and that was good enough for most airlines.
But not every airline was relying on the Ukrainian government to determine whether it was safe to fly. Months before the Malaysia Airlines shootdown, as hostilities on the ground escalated, Australia’s Qantas and Korean Air rerouted flights to avoid passing over Ukraine.42 These two airlines assessed the political risk of Ukrainian overflight differently than many of their competitors because they were not passive recipients of Ukrainian government decisions. Both airlines moved early to mitigate the risks they saw unfolding. Timing proved critical.
Setting Tripwires and Protocols
Situational awareness goes hand in hand with setting tripwires and protocols. Tripwires are systems that identify what information to look for in advance. Protocols make clear what steps should be taken by whom when the tripwire gets crossed. The idea is to reduce decision-making on the fly.
Tripwires and protocols are common in high-risk environments like emergency rooms and aircraft carriers. When a patient comes into a hospital with symptoms of a heart attack, doctors and nurses don’t sit around deciding what to do. A flatlined EKG crosses the tripwire, automatically prompting a team to fetch a crash cart and begin CPR. Roles are clear: One member prepares and administers a dose of epinephrine if needed. Another works through the “Hs and Ts,” a mnemonic used to identify possible causes of cardiac arrest. One keeps time and records the process on the patient’s chart. Everyone understands what data crosses the tripwire and who does what.
The same goes for aircraft carrier operations. Because so many hazards pose lethal risks to the fifty-two hundred sailors on board, tripwires and protocols must be clear, quick to activate, and universally understood. One of those tripwires is physical—it’s called the foul line. It’s a bright red line painted alongside the length of the flight deck. All personnel who are not on shift must stand behind the foul line during flight operations. There are no exceptions. Anyone crossing the line for any reason is physically moved by a designated safety officer out of harm’s way—tackled, if necessary. Crossing the foul line also triggers a host of other prearranged actions. Flight operations are immediately suspended. Red lights flash. There is a system in place for waving off approaching aircraft, rerouting other aircraft that are airborne farther away, and addressing any other safety concerns, like FOD (foreign object damage) or small pocket debris, which can get sucked into jet engines and cause engine failure, resulting in an unsafe or foul deck.
Like emergency rooms and aircraft carriers, companies can develop tripwires that identify specific political risk indicators to watch and protocols that identify specific actions to take when the indicators light up. To be sure, indicators of political risk are much murkier than indicators of a heart attack or a safety problem on a carrier flight deck. But the basic idea is the same: Organizations that identify warning indicators and reaction protocols are better able to mitigate risk than those that don’t.
How exactly can a company develop tripwire indicators? For starters, by asking one of Condi’s favorite questions: “How do you know it when you see it? What evidence would prove your hypothesis right or wrong?” In our class’s Triton cruise line simulation, students grapple with setting tripwires. As you may remember, our fictitious cruise line has to decide how to respond to reports of rising drug-related violence in Mexico that could result in “wrong-place/wrong-time” crimes against passengers.
One key issue we probe during our “board meeting” with Triton executives is Condi’s question: How do you know it when you see it? When does drug-related violence cross a threshold warranting a risk review and further action?
As in the real world, we provide the students with accurate but contradictory background information. Here’s a sampling:
• In February 2012, twenty-two Carnival Cruise Line passengers were robbed at gunpoint near Puerto Vallarta. In February 2013, masked gunmen attacked and raped a group of Spanish tourists vacationing in Acapulco. In 2014, unrest rocked Acapulco after the disappearance of forty-three student teachers in nearby Iguala.
• In May 2015, the U.S. State Department issued a travel warning for Puerto Vallarta in Jalisco, the twenty-first Mexican state under such a warning.
• Local tourism boards stress that much of the negative press about Mexico coming from the American media is overblown. The Mexican government has made the war on drugs a top priority and devoted significant resources, including forty-five thousand police and military personnel, to enhancing the safety of tourist areas.
• Data show that Mexican tourist destinations are safer for many Americans than their home cities. The Department of State recorded eighty-one American deaths out of more than twenty million Americans who visited Mexico in 2013.43 That constitutes about 0.4 deaths per 100,000 American tourists, less than a tenth of the national U.S. homicide rate.44
• In 2013, Detroit, which registered as America’s most dangerous major city, suffered 45 homicides per 100,000 people, well over a hundred times the rate for Americans visiting Mexico that year. America’s ten most dangerous cities each had higher murder rates than Mexico’s national rate of 19 per 100,000.45
• Mexico was considered so safe that in April 2012 the first daughter, Malia Obama, took a spring break trip to Oaxaca.
How can analysts make sense of this information? The short answer is they can’t. The best they can do is make an educated guess. As we discussed earlier, educated guesses based on press reports often lead smart people to make cognitive mistakes—by, for example, giving more credence to vivid stories about tourist violence than broad trends about murder rates or by discounting evidence that conflicts with their underlying preferences without even realizing it.
A better approach is to develop tripwires in advance, identifying specific indicators about safety conditions in each of Triton’s destinations that are monitored continuously by the director of fleet security. Here’s an example:
Acapulco: Indicators of Improved Security Environment
• Cessation of reports of violence impacting civilians—including residents and standby tourists—in tourist zones, shore excursion areas, and primary commercial sites during the daytime
• Overall decrease in cartel-related violence
• Decrease in murder and violent crime rates
• Cessation of narco-motivated intimidation tactics in tourist zones and primary commercial areas
• Development of a sustainable security strategy, agreed upon by Mexican port authorities in collaboration with cruise line representatives
Acapulco: Indicators of Deteriorating Security Environment/Markers for Port-of-Call Review
• Increased violence in tourist areas, shore excursion zones, and primary commercial routes, particularly during daytime hours
• Narco-violence in tourist zones, particularly the propensity to escalate into high-probability collateral damage
• Narco-motivated intimidation tactics in tourist zones and shore excursion routes
• Deteriorating relationships with local port security officials
As this example suggests, tripwires do not have to be overly detailed. Even basic indicators can help. Identifying what to look for ahead of time helps guard against cognitive bias and makes data gathering and analysis more efficient.
To maximize effectiveness, tripwires should be tied to protocols that specify what actions come next—whether it’s conducting a security review of a Triton destination, taking additional security measures at a Marriott hotel, or rerouting more FedEx airplanes through Paris. Connecting tripwires to protocols reduces the time between warning and action. Military history is filled with examples where warnings were issued, but not in time to forestall disaster. General Douglas MacArthur testified that even if he had received three days’ warning that North Korea would invade the South on June 25, 1950, it would have made no difference. He needed three weeks, not three days, to mobilize troops from Japan to the Korean peninsula. After Japanese forces attacked Pearl Harbor on December 7, 1941, American air units in the Philippines went on full alert and were ordered to take immediate defensive measures. The attack on Clark Field came nine hours later. It was not enough time to move all the B-17s out of harm’s way. The attack on the Philippines was not a surprise, but it was devastating anyway, destroying twelve of the nineteen American B-17 bombers stationed there.46 Without sufficient time to take action, warning in both the Korean War and World War II was useless.
Businesses that are good at managing political risk link tripwires to protocols so they can reduce the lag time between warning and action. At Marriott, Alan Orlob’s in-house intelligence unit gathers information continuously. That information is fed into a five-tiered color-coded warning system that alerts all Marriott hotel managers about any changing threat conditions affecting them. Each tier includes an assigned list of mandatory tasks for managers to take. Hotels are regularly audited by a third party to test compliance. In the highest threat level, for example, called “threat condition red,” steps include installing walk-through metal detectors and X-rays at every entrance, limiting the access points to the hotel, enhancing explosive detection, and, in Orlob’s words, “procedures that are not so noticeable, like surveillance detection teams.” This is no small operation. When Marriott acquired Starwood Hotels in the fall of 2016, it became the world’s largest hotel company, with more than fifty-seven hundred properties, over a million rooms, and thirty brands worldwide.47 On a weekly basis, Marriott is moving hotels up or down the threat level.
Earlier, we mentioned McDonald’s Northwestern University model to collect information about possible sit-ins, protests, or other political risks to its restaurants. The model is coupled with crisis contingency plans that are ready to go if necessary. FedEx also understands the value of linking tripwires to protocols. The GOCC in Memphis can warn and act, rerouting planes when necessary. Marriott, McDonald’s, and FedEx all have warning systems for timely warning and action.
3. How can we limit the damage when something bad happens?
The final layer of risk mitigation is damage control. The headline here is to take action before you need to—specifically, by developing relationships and contingency plans. FedEx and other resilient organizations have an exceptional ability to bend without breaking when bad things happen. The key to their resilience is flexibility, and the key to flexibility is having the people and plans pre-positioned and ready to go.
Building Relationships: Drink the Cup of Coffee!
There’s a scene in the movie Erin Brockovich that Amy used in her UCLA public management course for many years. The movie chronicles the real-life story of how Brockovich brought a successful lawsuit against the Pacific Gas and Electric Company for contaminating drinking water in the small Southern California town of Hinkley. In the scene, the lawyer, named Ed Masry, goes with Erin, a down-on-her-luck high school dropout single mom scraping by as his assistant, to convince a family to start a class action lawsuit against the energy company. It’s a make-or-break moment. If they cannot get the support of Donna and Pete Jensen, their cause is lost. After a long and tense discussion, Erin convinces the Jensens to sign the suit. The tension lifts and Donna offers some homemade bundt cake and coffee. But Ed is all business. “No thanks,” he says curtly and heads for the door, eager to get back to work. Erin grabs him by the arm and whispers, “Ed, have a #$! cup of coffee.” Erin knew what her boss didn’t: Coffee was not a waste of time. It was a golden opportunity to deepen a personal connection.
Relationships are important in any endeavor. Building trust takes effort, time, and shared experiences. In the moment, drinking the cup of coffee feels inefficient. There are always too many meetings, too many priorities, too much to do, and too little time. Former secretary of state George Shultz has always said that he took the time to do what he called “gardening”—cultivating relationships with his counterparts—before he had to call and ask them to do something hard.
Companies that effectively manage political risks develop relationships with stakeholders early and often. Many work closely with community groups, NGOs, and local officials to win approval for projects and reduce the risk of being labeled a bad neighbor later. That’s exactly what Alcoa did in Brazil before opening a bauxite mine there in 2009. Although the rural Brazilian region of Juruti contained the world’s largest high-quality deposits of bauxite—the chief ore from which aluminum is produced—Alcoa executives were concerned about political risks there. They had watched competitors in Brazil struggle against fierce local opposition, political action, and physical security breaches that included railroad blockades, temporary mine closures, and even an armed takeover using bows, arrows, and clubs. They were determined to avoid the same fate by winning the support of stakeholders early on.
Alcoa drank the cup of coffee in a big way. Two years before the bauxite mine opened, the company launched a major public outreach and communications campaign to build relationships with residents, organized civil society groups, and government officials. Partnering with the Getúlio Vargas Foundation and the Brazilian Biodiversity Fund, Alcoa conducted a series of surveys and discussions to better understand local needs and views. The company held three public meetings to educate local residents and solicit their input. More than eight thousand people attended. Alcoa also held seventy meetings with community members. By 2008, an independent survey found that 89 percent of the local population supported the mine.48
But Alcoa didn’t stop there. Executives believed that an effective community partnership in Juruti needed to be genuine and sustained. The company created a multi-stakeholder council to serve as an open channel between it, the government, and civil society. It developed sustainability metrics to track progress. And it established a $35 million development fund for sustainable initiatives proposed by the community. Initiatives included building a hospital, adding classrooms to local schools, creating a clean water system, and establishing a local job training program. These outreach efforts did not eliminate opposition to the mine, but they made a big difference.49
Walmart took drinking the cup of coffee even further.50 Starting in the 1990s, Walmart came under attack from a number of activists and groups concerned about many issues, including the company’s environmental record. By 2004, Walmart was ranked number one on the Fortune 500 list. But it was also facing a growing chorus of concern as it moved into urban markets in search of higher growth.51 “When growth was easier, this idea of critics being ignored was O.K.,” Walmart CEO Lee Scott said.52 But with growth slowing, Walmart could not ignore it anymore. So Scott launched a strategy to respond to critics directly in the media while building better relationships with stakeholders.53 He took a trip to the New Hampshire wilderness with Fred Krupp, president of the Environmental Defense Fund and one of Walmart’s toughest critics. They talked about climate change, and Scott came back convinced that Walmart should do more.54 The company promised to reduce greenhouse gas emissions in its stores by 20 percent in seven years and improve other environmental standards. With the help of environmental groups and scholars, the company started using an electronic product sustainability rating system for its products.55 Scott also saw profit potential in going green: Walmart started selling energy-saving lightbulbs and cutting energy costs in its own operations.56 And then coffee drinking got serious: Walmart created staff positions for Environmental Defense Fund representatives at its Bentonville, Arkansas, center.57 Fred Krupp, who began as a fierce opponent, became one of Scott’s staunchest supporters. He later reflected, “I almost think of Lee Scott as a Gorbachev leading Glasnost, because Lee was this figure that opened Walmart’s walls up to the outside and changed how they did business.”58
Relationship building is also a core part of Royal Caribbean International’s risk mitigation efforts. The company takes a “destination stewardship approach” to its business, working with a range of local community groups, residents, government officials, and nonprofits to maintain the cultural, economic, environmental, and social integrity of places like Labadee, Haiti. Another way that Royal Caribbean International develops relationships with stakeholders is by arranging regular ship visits in port. “One of the very best things we can do for political risk is to take [local] people on the ship in port so they see our supply chain, they see our operations. There’s no substitute for seeing it,” said president and COO Adam Goldstein. “By trying as hard as we can to get people to see the ships, when something does happen they have a point of reference.” Goldstein believes this human touchpoint is essential. “Maybe because in the world today technology is so dominant, it’s so easy to communicate by text and email and video conference and telephone, I believe that people value personal visitation much more,” he told us. “There’s a real value in longevity… People come to believe that they can count on you, that if times are difficult, that there’s a foundation upon which the dialogue rests that is at some level tried and trusted. It’s very, very helpful to work your way through situations.”
“You make relationships when you want to, not when you need to—because when you need to, it’s too late already.”
—Adam Goldstein, president and COO, Royal Caribbean Cruises, Ltd.
Here, too, timing matters. Relationships need to be developed before a crisis hits. For Royal Caribbean International, the advocacy of Haitian government officials, ethics experts, and NGOs helped the company weather the media storm following the 2010 earthquake. Adam Goldstein did not begin cold-calling people once negative news stories started breaking. He turned to old friends for help. As he put it, “You make relationships when you want to, not when you need to—because when you need to, it’s too late already.”
Contingency Planning
Helmuth von Moltke, the nineteenth-century Prussian army commander, famously said that no battle plan survives contact with the enemy. Plans are often useless. It’s the planning process that is valuable. Plans will almost never match the conditions of the future, but planning builds capacity to succeed anyway by developing what we call the three Rs: roles, repertoires of action, and routines of coordination. Roles clarify who does what. Repertoires provide broad options for what can be done. Routines of coordination determine how it can be done well.
Rule 1: Roles should be clear. By definition, contingency plans are used when normal processes are not enough and conditions are not ideal. In these circumstances, there is too much pressure, too many moving parts, and not enough time to be debating who should be doing what. The more that roles are delineated, the faster and better your organization can execute its contingency plan.
Rule 2: The more repertoires of action, the better. By repertoires of action, we do not mean an exhaustive list of rigid plans for every conceivable circumstance. Reality is too complex, and flexibility is too important. Rigid plans of action are likely to be ill-suited. Instead, repertoires of action develop fundamental skills for the totally unexpected and provide options that can be used in different combinations and ways.
Condi is a lifelong pianist and thinks about repertoires of action as a musician does. For her, a repertoire is a go-to repository of songs that can be easily recalled and deployed in different combinations for different circumstances. Her repertoire usually consists of about five pieces. Some, like the Schumann Piano Quintet, she plays all the time, while others, like the Brahms Piano Quintet, require much more practice before she’s willing to play them outside of her living room. Her repertoire is the foundation on which she can build a performance. But it’s just the starting point. Some concerts consist entirely of songs she has known and played for years. Most include a combination of old and new songs. With an occasional curveball…
In 2010, Condi played a concert with the Philadelphia Philharmonic. They performed a movement of a Mozart piano concerto that Condi had worked on for months. The other part of the program featured Condi playing with the Queen of Soul, Aretha Franklin. They rehearsed the day before and agreed on the repertoire. At intermission, just before they were to go onstage, Aretha’s producer told Condi that Ms. Franklin wanted to sing something else—a song they had not rehearsed. Fortunately, the music wasn’t difficult, and all those years of learning to sight-read pieces, all those years of practicing scales, and considerable concert experience led Condi to just say, “Fine.” And the performance came off without a hitch.
Importantly, mastering and maintaining a repertoire takes practice. But sometimes it is mastering the fundamentals so that you can deal with a curveball—a sudden change in plans—that matters.
Repertoires of action play this role in many domains. Research on chess grandmasters finds that what distinguishes them from weaker chess players isn’t native intelligence or more time spent playing chess. It’s pattern recognition. Chess grandmasters have exceptional repertoires of action. When they see a new move, they compare it to the patterns stored in their heads to determine a path forward. The process is done in seconds, with remarkable accuracy, even when grandmasters are playing multiple games simultaneously.59 Most of us grapple with something new by comparing it to something known, relying on experience as a guide through the unfamiliar. The more developed these repertoires are, the better we can handle new situations. The same is true for organizations. Good contingency planning develops broad options as well as fundamental skills that can be deployed to help the entire organization adapt to unforeseen circumstances.
Rule 3: Coordination routines are essential. Assigning roles is a start. Developing repertoires of action comes next. Coordination is where roles and repertoires come together. Coordination routines establish trust and patterns of interaction that smooth the functioning of groups under stress. The best way to develop coordination routines is practice.
In the defense world, coordination failures have deadly consequences. Perhaps the best-known example is Operation Eagle Claw, the failed operation to rescue fifty-three American hostages in Iran. Launched on April 24, 1980, the mission had to be aborted—but not before eight service members died when a helicopter collided with a transport plane in the desert.60 The botched operation was one of the Carter presidency’s darkest moments. Thirty-five years later, when asked what he would have done differently in office, President Carter immediately answered that he would have fixed Operation Eagle Claw.61
Two postmortems conducted at the time—one by the Senate and one by a special commission—concluded that coordination problems were the root cause of failure. The Army, Navy, Air Force, and Marines all insisted on having a piece of the rescue plan. Yet they never conducted any joint training. Instead, each service practiced its own part in isolation. When the rescue day arrived, many of the team members had never met before. Service commanders did not even have arrangements in place to be able to communicate with one another. Nobody in the Pentagon had paid enough attention to coordination.62 The failure of Operation Eagle Claw led in 1987 to the creation of the U.S. Special Operations Command, a new integrated command led by a four-star general whose mission is to conduct special operations across the military services. Today, coordination across the services for special operations is vastly improved.
U.S. Special Operations Command offers a valuable lesson for business: Coordination should never be assumed, even when the stakes are high, the mission is clear, and the will to succeed is shared by all. Coordination does not just emerge organically. It has to be ingrained through practice and supported by leaders at the top. The natural state of all organizations, whether military units or corporate departments, is to work in silos or specialized functions. Silos are important. But they can also be counterproductive when unity of effort is required. Working across silos is an unnatural act. And managing political risk is an exercise in silo-crossing. Political risks do not just involve the finance department, the legal team, government relations, or the IT folks. Political risks cut across every part of a company, from strategy to operations to marketing. Planning for political risk contingencies means practicing coordination.
FedEx follows all three rules—assigning clear roles, developing repertoires of action, and establishing coordination routines. At FedEx, contingency planning is everyday life. “We believe in predictable surprises,” notes former GOCC managing director Paul Tronsor.63 At the Global Operations Control Center in Memphis, there’s always a Plan B. But as Tronsor notes, executing any Plan B, even a routine one, “is a tremendous undertaking.” Flying out of an alternate airport requires getting the right crews to the right places at the right times, with enough rest to remain in compliance. It requires making sure there’s enough fuel where you need it, securing airport space and landing rights. Freight can be unloaded only if it is cleared by customs, and it can be put on trucks only if the trucks are positioned where the planes are landing.64
Establishing roles, repertoires, and coordination routines is essential. At FedEx, roles are clear. The flight dispatcher, known as the “Captain on the Ground,” is responsible for assessing air routes and conditions. The freight movement center team focuses on constantly evaluating where freight is in transit. A service recovery specialist manages the development and implementation of the overall action plan for “movement solutions.” A crew scheduling specialist is responsible for getting aircrews to the right places at the right times in compliance with applicable regulations. Contingency plans—or repertoires of action—are continually developed based on most likely scenarios. If the Paris airport hub goes down, for example, the default contingency plan is to reroute cargo to Frankfurt, Germany. If Frankfurt goes down, too—which happened in April 2010 when an Icelandic volcano erupted and spread a giant ash cloud over Western Europe—FedEx moves to a different contingency plan, making up a new one if necessary. And routines of coordination are established and reinforced at FedEx’s GOCC. Success each day requires a complex, coordinated effort between flight dispatchers, freight movement center teams, crew scheduling, and global trade services to make sure international freight is in compliance with all laws and customs requirements.65 Each day begins with a war room conference call among managers. Each major disruption ends with a team debrief of lessons learned.
That’s not to say FedEx has a cookie-cutter approach to diverting aircraft. It doesn’t, because it can’t. When the Icelandic volcano erupted, conditions were changing so fast, European airports were closing, opening, and closing again within minutes. The usual Plan B, shifting to Frankfurt, was no good. So the GOCC developed a different Plan B that assumed Paris would remain closed and positioned flights and crews in Toulouse and Barcelona. But then Charles de Gaulle Airport in Paris reopened, so they shifted again, to what they called Plan A. FedEx had planned for that, too. “Since we had accounted for this possibility,” Tronsor noted, “we were ready to go.” FedEx restored service and then moved to clear the backlog, shipping 7.7 million pounds of cargo in two days.66 Like Condi improvising during her concert with Aretha Franklin, FedEx succeeded by drawing on its existing repertoire and skills practiced every day.
KEY TAKEAWAYS: MITIGATING POLITICAL RISKS
Prepare for the unexpected.
Know what assets are most valuable and vulnerable.
Reduce exposure by dispersing critical assets, flying the empty plane, and aligning with others in the industry.
Set tripwires and develop protocols so that you have a system for timely warning and action.
Remember to drink the cup of coffee! Limit the damage when something bad happens by building relationships with stakeholders before you need them.
Develop contingency planning processes built on the three Rs: roles, repertoires of action, and routines of coordination.