On July 16, 2009, Alan Orlob landed in Jakarta to conduct a security review of the Ritz-Carlton and JW Marriott hotels. The city’s security situation seemed to be improving.1 As Marriott International’s vice president for global safety and security, Orlob knew that Indonesia had long struggled with Islamist terrorism. But in recent years, Jemaah Islamiyah (JI), the country’s deadliest group, appeared to be weakening. Best known for the 2002 Bali nightclub bombings that killed more than two hundred, the terror group had not waged a significant attack in four years. New Indonesian security measures, enhanced counterterrorism efforts by American-trained Indonesian police, and the arrests or deaths of many top JI operatives led many analysts to believe that JI no longer had the capabilities to launch a major operation. A year earlier, the United States had lifted its travel warning on Indonesia.2 More recent political news was also promising. Indonesia had just celebrated a peaceful democratic presidential election. Orlob went to bed that night in the Ritz-Carlton “feeling confident that the authorities were dealing successfully with the terrorism threat in the country.”3
At 7:30 the next morning, Orlob was getting out of the shower when he heard an explosion. Out the window, he saw smoke billowing from the JW Marriott across the street. Having served more than twenty years in Army special forces, Orlob instinctively rushed toward the danger, not away from it. But before he could get outside, he felt another explosion—this one inside the Ritz.4 It was a double suicide bombing, carried out by terrorists masquerading as guests. Investigators would later discover that the bombers had worked with an insider, the hotels’ florist, to learn how to evade the hotels’ stringent security measures.5 The attack killed nine people and injured dozens.
Marriott activated its crisis response team to evacuate and account for all guests, support victims’ families, assist investigators, tend to employees, and assess ongoing threats. The company’s communications staff issued regular updates on Twitter, careful to avoid reporting developments until they could be verified. Within 150 minutes of the bombings, chairman and CEO Bill Marriott published a blog post expressing his condolences and providing details about what the company was doing to help victims and guests.6
The company’s response was quick, decisive, and compassionate. There was just one problem. The terrorist attacks had garnered global news coverage, and much of it featured scathing and erroneous criticism of Marriott’s security. “I was listening to the media reports. They were so inaccurate and it was really frustrating for me,” Orlob told us. “I knew what had happened. I had been there from the beginning. And I was listening to this wild speculation from the media.” Some senior executives did not want anyone from the company talking to the press. As a result, nobody was defending Marriott.
In truth, the Ritz-Carlton and JW Marriott were among the most secure hotels in the world. Marriott was widely recognized as an industry leader. The company considered security a significant competitive advantage in the business travel market, particularly in cities like Jakarta. Starting in the 1990s, as Marriott’s international footprint grew, its investment in security did, too. By 2009, the company was operating thousands of properties in seventy countries.7 Many destinations posed elevated risks of civil unrest, kidnapping, natural disasters, disease, and terrorism. Senior management recognized that security was important to the value of the Marriott brand. As Orlob put it, “They understood the damage that could ensue if terrorists decided to target Marriott because of its name and its reputation as an American company.”8 Robust security was a must-have for consumers and investors.9
At the time of the bombing, both the Ritz-Carlton and JW Marriott were operating under “condition red,” the company’s highest threat level.10 Security at these two hotels was arguably the best in the city. At the JW Marriott, for example, vehicles were inspected at a roadway checkpoint away from hotel buildings separated by a blast wall and guarded by an armed police officer. In addition, the company had installed explosive vapor detection devices, brought in a bomb-sniffing dog, placed security cameras throughout the facility, and added specially trained security officers to conduct countersurveillance. Anyone entering the hotel went through a metal detector monitored by security officers, and luggage was screened outside the building. These and other procedures were tested by an independent auditor on unannounced visits, so that implementation could be confirmed, failures reported, and employees penalized.11 This was no lax security environment. When tragedy struck on July 17, 2009, it was not because Marriott was asleep at the wheel.
Frustrated that none of this context was in the news, Orlob made a gutsy decision: When a friend from CNN called for an interview, he said yes. That interview began changing the narrative. “I used the interview to tell our story, to talk about the type of security we did have in the hotel,” Orlob recounted. “It gave us a chance to push our story out there rather than listening to all the negative media information that was coming out about our security procedures.” Senior leadership at Marriott liked what they saw and asked him to do more. In the next few days, Orlob gave nearly two dozen interviews. His message: Marriott security was robust, but the company was committed to conducting a complete review of this attack, and if additional security measures were necessary, they would be implemented.12
Marriott’s experience shows how to handle “Zulu time,” when events erupt and response cannot wait until tomorrow. Everyone knows that crisis response should be coordinated across time zones and corporate functions. But good crisis response starts long before any crisis appears. Effective communication in the heat of the moment is important. It is never enough. Companies need to lay the foundation, learning from near misses, rewarding employees for doing difficult and courageous things, leading with core values, and taking steps to ensure that crisis response capabilities are honed without being hidebound. These “back room” practices enable “front room” successes when political risks get real.
In this chapter, we take you through the three questions companies should ask so that they can perform at their best when crisis conditions are worst.
The best way to deal with crises is not to have them. All organizations want to learn from failures. Not enough try to learn from near misses, events that could have ended poorly but didn’t because luck saved the day. Individuals and organizations tend to take false comfort in near misses, seeing them as signs of success rather than warnings of potential failure. Even descriptors mislead. These events are often called “close calls” or “lucky breaks,” not “near disasters that could get us the next time.”
“A near miss can be evidence of two things,” says Georgetown professor Cathy Tinsley. “It can be evidence of a system’s resiliency, or it can be evidence of that system’s vulnerability.”13 Too often, people conclude the system worked well when in reality it just got lucky. Why? Because we all like to think we are good at our jobs and because giving luck that much power is scary.14 Tinsley and her colleagues have studied near misses in companies, government agencies, and lab experiments. They repeatedly find that people either disregard or misinterpret them: “When people observe a successful outcome, their natural tendency is to assume that the process that led to it was fundamentally sound, even when it demonstrably wasn’t.”15
“When people observe a successful outcome, their natural tendency is to assume that the process that led to it was fundamentally sound, even when it demonstrably wasn’t.”
—Catherine Tinsley, Robin Dillon, and Peter Madsen, Harvard Business Review, 2011
Apple, for example, had an unusually troubled product launch of its iPhone 4 in 2010 because the company dismissed earlier consumer complaints as reassuring signs of loyalty rather than warning signs of technical deficiencies.16 Customers had been complaining for years that signal strength declined when they touched the phone’s external antenna, but they still lined up to buy iPhones. Instead of addressing these concerns, Apple ignored them. When the iPhone 4 came out, Apple was barraged with complaints that simply holding the device resulted in dropped calls. Steve Jobs and other executives blamed customers for holding the phone incorrectly and labeled the problem a “non-issue.” As Tinsley and her colleagues write, “If Apple had recognized consumers’ forbearance as an ongoing near miss and proactively fixed the phones’ technical problems, it could have avoided the crisis.”17 Instead, Consumer Reports did not recommend the iPhone for the first time in product history.
The Challenger shuttle tragedy is a classic example of a disaster that could have been avoided if only managers had paid attention to near misses. On January 28, 1986, Challenger exploded shortly after liftoff when unusually cold weather caused O-ring seals in one of the solid rocket boosters to fail.18 O-ring problems had been a common occurrence on previous shuttle flights, and although they had not failed before, they had come close. Just a year earlier, Challenger launched from Florida when the temperature had dropped to 51.8 degrees Fahrenheit, the lowest for a shuttle launch to date.19 After the mission, engineers discovered that O-rings in both rocket boosters had experienced significant damage.20 Engineers at O-ring manufacturer Morton Thiokol concluded that cold weather was the culprit and recommended against future shuttle launches if temperatures dipped below 53 degrees.21 This was a major near miss, but NASA didn’t see it. Instead, when a cold front sent temperatures in Florida plummeting to 36 degrees, NASA okayed the Challenger launch anyway. Thiokol engineers’ worst fears came true: All seven astronauts, including Christa McAuliffe, the first teacher in space, were killed.
The Rogers Commission that investigated the Challenger disaster concluded that NASA accepted escalating risk because they “got away with it last time.” They mistook near misses as signs of resilience, not vulnerability. Commissioner and physicist Richard Feynman likened the process to Russian roulette, noting that whenever the shuttle flew with O-ring erosion and nothing happened, “it… suggested, therefore, that the risk is no longer so high for the next flights.”22
In these cases, Apple and NASA did not take near misses seriously enough. But in the case of aircraft carrier operations, the U.S. Navy does. In the summer of 2016, Amy spent some time aboard the USS Carl Vinson during flight training exercises at sea. There’s a reason carriers are described as “the most dangerous 4.5 acres in the world.”23 The Vinson is just 1,090 feet long, with each runway or catapult only 350 feet in length.24 (Runways at London’s Heathrow Airport are ten times longer.)25 Fighter jets are catapulted from the flight deck, accelerating from zero to 165 miles per hour in two seconds. Aircraft launch and land less than a minute apart, sometimes simultaneously. Rather than slowing down to land, pilots touch down at full throttle so they can take off again if the plane’s tailhook fails to snag one of the arresting wires stretched across the flight deck. It is a chaotic work environment. The noise is deafening, with sailors communicating mostly by hand signals. Weather can be a huge factor. At night, visibility is poor and landing becomes exponentially more difficult. The movement of planes, people, fuel lines, parts, and pilots is constant, with a razor-thin margin of error. Safety hazards are everywhere: Any loose object—a wrench, a penny, a dropped binder clip—can be sucked into a jet engine, causing severe damage.
On the Vinson, every landing is considered a near miss. Because it is. Each is watched, graded, recorded, and debriefed, no matter what the conditions or time of day or night. A landing safety officer from each squadron both assists and assesses the pilots as they make all the corrections in the final thirty seconds before making the controlled crash. Landing on a carrier requires the confidence and precision of a surgeon and the humility of a clergyman. The pilot can, at best, achieve a grade of “okay” for successfully catching the three wire, a two-foot-by-two-foot space on the deck. The Navy knows that learning from near misses is the best way to prevent big failures.
Only a handful of nations in the world have aircraft carriers.26 It is not because these ships are too difficult to build. It is because flight operations are that difficult to execute. Conducting flight operations is the ultimate exercise of learning from near misses.
The USS Vinson highlights three tips for any organization seeking to learn from near misses:
Organizations that learn from near misses are fundamentally pessimistic. They assume that failure is always just around the corner and invest in developing structures, processes, incentives, cultures, and technical tools to prevent it. They never assume that good outcomes today will continue tomorrow. In carrier aviation, landings are scrutinized no matter who sits in the cockpit, how many times they have flown, or what the circumstances are.
Marriott and FedEx also plan for failure. When Alan Orlob arrived in Jakarta, he had many reasons to be hopeful about Indonesia’s security environment. But he was also wary, which was why the JW Marriott and Ritz-Carlton had such tight security measures in place even though there had not been a major JI terrorist attack in four years. FedEx relentlessly plans for contingencies because, as Fred Smith told us, “We brush up against” risks “so often.” Soon after the company built a large hub in Guangzhou, China, for example, Smith took the board to meet with Chinese leader Jiang Zemin. But as tensions began rising in Sino-American relations, FedEx began building other regional hubs in Osaka, Anchorage, and Singapore. Smith was not about to wait for a crisis to start developing a Plan B. “While we’re not sure how U.S.-China relations will play out,” said Smith, “we’ve been trying to take steps to protect ourselves.”
Organizations that adopt a “planning for failure” mentality are more likely to see near misses, take them seriously, and learn from them.
As Karl E. Weick and Kathleen M. Sutcliffe note, organizations that learn from near misses also look for weak signals that things may not be working as intended. They know that the earlier they identify a potential problem, the more time and options they have to prevent disaster. Performance indicators for people, processes, and parts are critical. Anything that does not perform as expected could be an early indicator of a serious problem. Of course, not every weak signal is. That’s why it is important to look deeper, at possible systemic deficiencies, whenever weak signals are found. And then take strong action.
Remember General Electric’s botched Honeywell deal? It was the first time that European regulators had ever rejected a major American merger. But just barely. Four years earlier, the European Commission made headlines for opposing the proposed merger of two American civilian aircraft giants, Boeing and McDonnell Douglas.29 For months, it looked like that deal was doomed. The commission recommended blocking the merger, and competition experts from all fifteen EU member nations unanimously agreed. The merger went through only after Boeing agreed to several major eleventh-hour concessions. Boeing’s 1997 deal was a signal that European regulators would no longer rubber-stamp American corporate mergers.30
In the Deepwater Horizon disaster, British Petroleum (BP) and its offshore drilling rig owner/operator, Transocean, responded poorly to a series of not-so-weak signals.31 On April 20, 2010, a cement seal on the Macondo well in the Gulf of Mexico failed, creating an explosion that took the lives of eleven crew and caused one of the nation’s worst environmental catastrophes.32 Millions of barrels of oil flowed into the Gulf over the next eighty-seven days, contaminating ecosystems and damaging economies from Texas to Florida. Five years later, BP reached a $20.8 billion settlement with the U.S. government. It was the largest American pollution penalty ever paid.33
Investigations concluded that the Deepwater Horizon disaster stemmed from complex causes—and that failing to notice warning signs was a big one.34 Internal BP documents showed that as early as 2009, BP engineers were expressing concerns about using certain casings for the well because they violated the company’s safety and design guidelines. The casings were used anyway.35 A month before the disaster, the oil rig was hit with a burst, or “kick,” of explosive methane gas. According to the Coast Guard’s joint investigation, kicks are considered “critical indicators” of potential safety hazards, but BP and Transocean employees dismissed the incident.36
Around the same time, the well’s blowout preventer, which served as a last line of defense, was discovered leaking fluids at least three times.37 Problems at the well were so common, Deepwater Horizon personnel referred to Macondo as the “well from hell.”38 In April, employees at Halliburton, BP’s cementing contractor, warned that BP’s well design violated Halliburton’s best practices, and that a “severe” gas flow problem could result.39 BP drilling engineer Brett Cocales responded in an internal email, “Who cares, it’s done, end of story, will probably be fine…”40
Perhaps most important, BP’s own investigation found that its site leaders and the Transocean rig crew discounted a negative-pressure test indicating that the cement barrier around the well casing might not be secure. These are critical tests, designed to assess the integrity of the well after it has been cemented. The first test showed pressure buildup in the drill pipe, a dangerous indication that gas had invaded the well. The finding, however, was “explained away” as an acceptable anomaly.41 Although there were no industry standards to interpret or approve negative-pressure test results, BP’s review concluded that any pressure in the drill pipe should have been considered unacceptable. “The negative-pressure test was an opportunity to recognize that the well did not have integrity and to take appropriate action to evaluate the well further,” the report noted.42 Other expert investigations came to the same conclusion. A National Academy of Engineering report called the negative-pressure test “an irrefutable sign” that the cement did not establish an effective seal.43 James Dykes, cochair of the Coast Guard’s Joint Investigation Team into the disaster, testified before Congress that “the crew’s collective misinterpretation of the negative tests was a critical mistake that would escalate into the blowout, fire and eventual sinking of the Deepwater Horizon.”44 Missed signals compounded risks and contributed to disaster. By the time anyone on board Deepwater Horizon noticed that hydrocarbons were leaking from the well and into the rig, it was too late.
By contrast, Marriott is constantly searching for weak signals and reacting strongly to them. Marriott’s Alan Orlob ensures that the thousands of hotels he oversees around the world are audited at unanticipated times to make sure they are following security procedures fully. If they aren’t, individuals face disciplinary action. Partially meeting requirements is not an option. Threat condition blue, the company’s lowest level of enhanced security, requires nearly forty different procedures.45
Weick and Sutcliffe discovered that one East Coast power company uses bees as weak signals. That’s right. Bees. When the rate of bee stings for linemen in the field goes up, managers know that workers probably are not looking as carefully as they should before reaching for a power line. They don’t assume operations “will probably be fine.” Rising bee sting rates trigger greater attention to addressing safety risks within the company before something bad happens.46
Third and finally, organizations that learn from near misses develop cultures that reward courageous acts. Learning from near misses often requires someone to say, “Hold on a minute. Why are we moving full speed ahead when we may have a problem here?” The pressure to stay on schedule and on budget can be immense. Calling a time out to examine a weak signal is an act of courage. Recognizing those moments can make a difference.
The night before the Challenger launch, five engineers at Morton Thiokol recommended postponing the flight because they were concerned that predicted cold temperatures could cause a catastrophic O-ring failure.47 NASA manager Lawrence Mulloy, the head of NASA’s booster rocket program, infamously exclaimed, “For God’s sake, Thiokol, when do you expect me to launch? Next April?”48 Soon after, Thiokol managers overruled their own engineers, okaying the launch.49 The Rogers Commission found that launch schedule pressures were very much on the minds of NASA managers. As a result, the courageous dissent of Thiokol engineers was not heeded or rewarded. “I fought like hell to stop that launch,” said one of the engineers on the twentieth anniversary of the disaster. “I’m so torn up inside I can hardly talk about it even now.”50
Compare the experience of Morton Thiokol engineers to a crew member working on the flight deck of the USS Carl Vinson. Twenty years before Amy landed on the carrier, professors Martin Landau and Donald Chisholm wrote about how a seaman serving on the Vinson lost a tool during flight operations. The seaman was concerned that the lost tool could be sucked into a jet engine and cause an engine failure. The Navy repeatedly warns carrier crews about the dangers of “foreign object debris.” So when the seaman could not find his tool, he told the air boss. It was a big deal. About a dozen planes in the air had to be diverted to airfields on land. The flight deck had to be shut down. Hundreds of people had to stop what they were doing to “walk the deck,” searching inch by inch until they found the missing tool. The next day, a formal ceremony was held. Instead of being punished, the seaman got an award. That’s what we call rewarding courageous acts. It is one thing to tell the crew they should always report any foreign object debris. It’s another to show that you mean it.51
Employees often have ideas about how to avoid failure or improve performance that they never tell the boss. A 2009 survey by the Cornell University Survey Research Institute found that 53 percent of respondents admitted they never spoke up about an idea or problem. When asked why, many said they thought it would be a waste of time or could hurt their careers.52 After failure, postmortems reveal all sorts of information that could have been shared beforehand but wasn’t. Rewarding courageous acts fosters a premortem culture—encouraging people in the organization to volunteer information about what could go wrong before it does go wrong.53
Learning from near misses is never easy. Organizations that do it well plan for failure, look for weak signals and respond strongly to them, and reward courageous acts that empower everyone to avert disaster.
No matter how hard an organization works to do everything right—understanding and communicating the risk appetite, integrating political risk analysis into the business, collecting good information, using analytic tools to reduce cognitive bias and groupthink, mitigating risks, and learning from near misses—big surprises can still occur. Your organization’s response determines whether that crisis fades or festers. As Warren Buffett once said, “It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”54
Johnson & Johnson’s handling of the Tylenol tampering deaths is still considered the gold standard of crisis response. When seven people were poisoned by laced Tylenol capsules in 1982, Tylenol was the best-selling nonprescription pain medication in the United States, with 35 percent market share.55 It was also Johnson & Johnson’s top-selling product.56 Johnson & Johnson (J&J) public relations executives learned of the deaths from the press. It was the worst possible way for a crisis to unfold. News quickly spread. According to one news service, it was the biggest media event since President Kennedy’s assassination.57
The company responded decisively. J&J pulled all Tylenol capsules from store shelves nationwide, offered to replace them with tablets free of charge, promised a reward for information leading to the arrest of anyone involved in the murders, issued warnings against using Tylenol, set up a toll-free hotline for consumers, and communicated directly with the public through news shows and paid advertising.58 Within ten weeks, the company launched new tamper-resistant packaging for Tylenol products that became the industry standard.59 The recall cost more than $100 million, with the total cost of the crisis estimated between $500 million and $1 billion.60 Many thought Johnson & Johnson would never recover. Yet within two months, its stock had returned to its fifty-two-week high,61 and within a year Tylenol had resumed its place as the leading pain relief medication.62
Although the Tylenol crisis occurred more than thirty years ago, Johnson & Johnson’s approach can be distilled into five steps for any company confronting a crisis.
The first step in crisis management is to get a better handle on what is happening. Early moments of a crisis are swirling with uncertainty. What is the problem? How serious is it? Is the crisis over or just beginning? How do you know? Don’t jump to conclusions. Assess the situation.
Assessing the situation takes discipline and time. Yet modern communications technologies are straining discipline and compressing time. Twitter, YouTube, Facebook, and “citizen-journalist” Internet reporting are ever-present and fast-moving. Crisis management isn’t what it used to be.
We see these pressures every time we teach our cyber crisis simulation. The simulation involves a hypothetical technology company called Frizzle, which offers Internet-related services and products, including search, email, cloud computing, mobile payments, and drone delivery services. Founded by an East German immigrant, Frizzle is headquartered in California but operates globally, with 75 percent of revenues generated outside the United States. Like many Silicon Valley companies, Frizzle believes deeply in protecting the privacy of its users. Its mission statement declares, “Doing What’s Right lies at the core of who we are and how we operate. At Frizzle, Doing What’s Right means having the courage to protect our users, their information, and their trust in us.”
The crisis starts when executives learn that Frizzle’s email system has been breached in an attack targeting the accounts of Chechen activists. Frizzle’s security team believes the attack originated from Eastern Europe. The U.S. Department of Defense has publicly acknowledged that the Russian government appears to be behind an escalating number of attacks ostensibly perpetrated by individuals and other proxy groups against American companies and government agencies. Still, at this early stage, the Frizzle security team is unable to determine the person or organizations behind the attack, although they believe they have identified the computer used. Company data may still reside on it. Executives must decide how to respond, including whether and how to work with the U.S. government; whether to “hack back” against the perpetrators; how to communicate the breach to customers, partners, and the public; and what, if any, longer-term steps should be taken to improve Frizzle’s cyber security and political risk management.
In addition to Stanford MBAs, we have run this simulation for national reporters and senior congressional staff.63 Each time, most of our Frizzle “executives”—who come from all over the world and all different industries and backgrounds—want to get in front of the story as fast as they possibly can. This instinct is natural. Yet moving too fast runs some hidden risks. The biggest one is that the engineering team does not yet know what it is dealing with. Is the worst over or yet to come? Typically, a few hours into an attack, it is impossible to know. As one real-world chief information security officer of a major tech company told us, “The first twenty-four to forty-eight hours of a major breach are usually crazy. We have to let the engineers do their thing to stop the bleeding. It’s all very foggy. It takes discipline to stay calm.” Staying calm is especially important in cyber crises because if adversaries are tipped off too soon, they can change their methods and inflict even more damage before the company can bolster its defenses. The company also has to contend with breach reporting and remediation requirements that vary by state and country and could turn company offices into a crime scene, making it harder to stop the attack. Going public as fast as possible may seem like a good idea but may make life worse for the customers and the company. While responding quickly is important, executives today need to resist the urge to respond so fast that they provide inaccurate information, worsen the damage, or make promises about fixes that they cannot deliver.
Target could have used this advice when it was hit with a cyber attack during the 2013 Christmas shopping season. The breach was a watershed event, one of the largest thefts of consumer information. An estimated forty million payment cards and personal records of seventy million Target shoppers were stolen.64 The breach and resulting negative publicity came at a terrible time for the retail giant, and Target’s response made it worse. Eager to get in front of the story, Target sent frequent updates. But they contained conflicting information, giving the impression that executives did not understand what they were facing. Customers flooded Target with complaints and questions, jamming phone lines and causing the company’s credit card website to crash.65 Efforts to provide information backfired and efforts to reassure customers ended up annoying them. The stock price tumbled, and within six months, CEO Gregg Steinhafel resigned.
Communications experts often highlight the importance of issuing statements immediately: Studies find that 20 percent of online news stories about a subject appear within just eight hours of its occurrence.66 Research also finds that the longer executives wait to take action, the less moral they seem, even if they ultimately make a decision judged to be moral.67 But Target shows that speedier is not always better. As we discuss below, the best way to navigate this terrain is for executives to communicate values immediately, explaining what they stand for and what steps they intend to take.
The upshot is this: Do not say what you know. You could end up being wrong. Instead, say what values you believe in and what actions you will take to get to the bottom of the crisis while you figure out what is going on.
In 1982, Johnson & Johnson did not have a crisis response team, so CEO James Burke formed one as soon as the news broke.68 J&J’s experience is exemplary, but twenty-first-century crises demand more. Today, no company should be designating a crisis response team or formulating a plan after a crisis breaks. Companies should already have a system in place for reporting crises, a plan for gathering and sharing relevant information, and well-defined roles that are updated and practiced. Not everything can be anticipated, but having these basic capabilities in place provides a head start.
Marriott’s Alan Orlob likens corporate crisis response to military training. As he puts it, “The military spends a lot of time training soldiers so that when confronted by the enemy, they don’t need to think. They react to the training they received.”69 Marriott regularly conducts tabletop exercises simulating various scenarios to hone processes, define roles, and learn new lessons. When the Jakarta JW Marriott was attacked by terrorists in 2003, it took just thirty minutes to assemble Marriott International’s crisis team on a conference call in the middle of the night. The roles and tasks were already clear.
Reputation expert Daniel Diermeier finds that when crises erupt, managers too often get sidetracked figuring out who is to blame.70 That is not what customers and other stakeholders want to hear. They want to hear what your company stands for and why. They want to know what you will do to earn back their trust. They want to know that you care, that you are committed, and that you are contrite.
J&J CEO James Burke knew what his company stood for. Johnson & Johnson’s credo, crafted in 1943 by founding family member Robert Wood Johnson, states, “We believe our first responsibility is to the doctors, nurses, and patients, to mothers and fathers and all others who use our products and services.” Burke took it seriously. To him, the credo meant that J&J had to safeguard the well-being of its customers even though the Tylenol deaths did not result from any corporate wrongdoing. The most important priority was protecting public health, not shareholder value. “The credo is all about the consumer,” Burke later said. When the deaths occurred, “the credo made it very clear at that point exactly what we were all about. It gave me the ammunition I needed to persuade shareholders and others to spend the $100 million on the recall. The credo helped sell it.”71 It was Burke who pushed for a nationwide recall against the wishes and advice of the FBI and the Food and Drug Administration, who thought a recall might embolden the perpetrator and stoke public anxiety.72
Burke’s second goal was saving the Tylenol brand. This would only be possible, he believed, by meeting the crisis head-on, undertaking enormous costs to pull the product, addressing public fears fast and fully, and then relaunching a better tamper-resistant Tylenol product as fast as possible. At the time, Burke’s approach defied conventional marketing wisdom, which counseled keeping a low profile and circling the wagons until the crisis passed. “Before 1982, nobody ever recalled anything,” said Albert Tortorella, a managing director at Burson-Marsteller, the public relations firm that advised Johnson & Johnson. “Companies often fiddle while Rome burns.”73
Johnson & Johnson was a victim of a crime. Most companies facing political crises are not. For them, the lesson from J&J is the power of accepting responsibility. Assuming full responsibility for a crisis, even one not of your making, and demonstrating that your organization truly cares about rebuilding trust can go a long way. In the medical field, for example, research finds that honest disclosure of mistakes reduces malpractice lawsuits dramatically.74 Conversely, dodging responsibility for a crisis or issuing halfhearted expressions of concern is likely to backfire and spark greater furor.75
That’s what United Airlines CEO Oscar Munoz learned in April 2017 when he issued a lackluster apology for having to, in his words, “re-accommodate these customers” after video surfaced showing police forcibly removing a sixty-nine-year-old passenger from an overbooked United flight to make room for United employees. The passenger, Dr. David Dao, was seated on the last flight of the day. “I won’t go, I’m a physician, have to work tomorrow, eight o’clock…,” Dao explained. Police then proceeded to drag him off the plane in front of horrified passengers. Dao sustained a concussion, a broken nose, and broken teeth. “Oh my God! Look at what you did to him!” screamed one passenger in the video.
Munoz’s uncaring apology fueled outrage online and in the press, prompting calls for new legislation to change airline overbooking practices and protect consumers. Hours later, Munoz exacerbated the crisis by issuing a letter to United employees (which leaked immediately) blaming Dao for being “disruptive and belligerent.”76 Munoz eventually reversed course, saying, “No one should ever be mistreated this way,” and promising a review of United policies, but the public relations damage was severe.77 It was a textbook case of how not to handle a crisis. “The back-against-the-wall, through-gritted-teeth apology isn’t generally a winning strategy,” noted Jeremy Robinson-Leon, a public relations partner at Group Gordon.78
The moral of the story is that genuine contrition matters. Corporate crises are ultimately about trust. The best way to restore trust is to own the problem, know your company’s core values, and manage to them. That is particularly true today, when polls show that trust in business executives is not much higher than it is in used-car salesmen.79 As J&J CEO James Burke reflected before his death in 2012, “Trust has been an operative word in my life. [It] embodies almost everything you can strive for that will help you to succeed. You tell me any human relationship that works without trust, whether it is a marriage or a friendship or a social interaction; in the long run, the same thing is true about business.”80
As we discuss above, companies need to be careful about letting their desire to say something fast cause them to say something wrong that could erode stakeholder trust. But taking time to gather facts does not mean that companies should stay silent. They need to tell their story rather than hiding from the press and difficult conversations. As FedEx’s Fred Smith told us, “We live in an unprecedented real-time diffuse communications environment and you’re generally not in control of the narrative that somebody wants to advance and you have to be equally adept in that milieu to be able to deal with it.”
Smith is no stranger to these real-time communications challenges. On Thursday, January 26, 2017, a FedEx delivery driver tried to stop some protesters from burning American flags outside a shopping mall in Iowa. A video circulated online showing the driver, Matt Uhrin, using a fire extinguisher to put out the fire, pushing back the protesters, and taking one of the flags away. It went viral. Then erroneous reports surfaced that FedEx had decided to discipline or fire Uhrin and an uproar ensued. Online petitions gathered thousands of signatures. “Let’s make sure Matt Uhrin keeps his job at FedEx,” noted one petition movement. “He was standing up for our American flag and should be commended, not punished.”81
FedEx’s crisis team jumped into action. As Smith told us, the company made a decision to support the driver and communicated it quickly. On Friday, FedEx communications adviser Jim Masilak sent an initial statement to the Daily Caller News Foundation saying that the company had “reviewed the facts of the incident and interviewed our courier to better understand what took place. As with all personnel issues, we are handling the matter internally.”82 By 7:30 on Saturday morning, FedEx issued a press release and sent it out on Twitter, stating, “We have reviewed the matter in Iowa City involving driver Matt Uhrin. He remains a FedEx employee & we have no plans to change his status.” The crisis quickly subsided.
FedEx is in many ways a best-practice crisis response company because it has to respond to crises nearly all the time, from driver interactions caught on video to lost packages. “We’re primed to respond in this way perhaps more so than other companies because we operate in real time with all kinds of major equipment (such as airplanes),” Smith reflected. “We also try to actively respond to complaints on social media. Given our state-of-the-art tracking system, we’re usually able within a few seconds to tell customers where their packages are.”
How can companies in other industries—where the business model does not demand real-time response to customer concerns—handle sudden crises effectively? How can they react quickly without falling into the Target trap? The answer is by carefully distinguishing between facts and values. Facts take time to unfold. Values can be communicated immediately.
When the 2009 Jakarta terrorist attacks struck two Marriott-operated properties, some senior executives wanted the company to stay as far away from the press as possible. That’s a common and natural response. Alan Orlob, though, sensed that there could be benefits to surfing the media wave and talking directly about how seriously Marriott took security when the eyes of the world were on them. As he told us, “There’s a huge advantage to being able to get your word out when there’s an event like that.” Orlob was careful to avoid speculating or commenting about what could have gone wrong; instead, he focused on communicating his determination to find out and fix it. He told Marriott’s story.
When Royal Caribbean International got hit with a wave of bad publicity after the 2010 earthquake in Haiti, Adam Goldstein was also quick to communicate what mattered to him and why. His message: Cruise ships were not docking in Labadee to party, they were docking there to help—bringing relief supplies as well as badly needed revenues from tourists to help the stricken nation recover. Goldstein delivered the message himself, through traditional media and his blog. He put a human face on the corporation’s response and explained how Royal Caribbean International was helping Haiti. Reporters cut and pasted from the blog as though they were quoting him directly. It was the first time Goldstein used his blog to communicate during a crisis. Now it is standard practice for him. Goldstein was ahead of his time. A 2014 study found that two-thirds of Fortune 500 CEOs still had no social media presence.83
Third parties, such as NGOs, foreign government officials, and academic experts, can also play an important role in telling your story by lending credibility in times of crisis. This kind of support helped Royal Caribbean International. Because communications in Haiti were in disarray after the earthquake, the cruise line could not get an immediate statement from the Haitian government. But a Haitian official named Leslie Voltaire was visiting New York at the time, so Goldstein asked if he would issue a brief statement explaining that the government wanted Royal Caribbean International ships to keep coming. Voltaire did. “That was very helpful,” Goldstein told us. “It was not just about us anymore.”
Orlob found the same thing. After a Marriott property in Islamabad was struck by terrorists, a terrorism expert in Singapore named Dr. Rohan Gunaratna wrote an article posted on the well-respected SITE Intelligence Group blog about the increasing threat to hotels and the security measures that Marriott was taking. Professor Gunaratna called the Marriott in Islamabad “the world’s most protected hotel.”84 Immediately after the attack, many American companies and officials said they no longer wanted to stay in the Islamabad Marriott. Orlob could use Dr. Gunaratna’s article to show them what type of security Marriott actually had to confront the rising terrorist threat there. “It wasn’t just me telling the story. It was an outside expert telling the story,” Orlob told us. It made a difference.
Finally, organizations need to be aware that they are always speaking to multiple audiences. Each can fan the flames, creating new risks and worsening the crisis. Media reports. Statements by local and state leaders. Grassroots boycotts. Congressional hearings and legislative proposals. Federal investigations and regulations. Actions by international governments and customers. Each of these actions and audiences can affect the others. As Daniel Diermeier notes, “Once the company is portrayed as a villain, many public officials will vie for the role of hero.”85
That’s exactly what happened to British Petroleum after the Deepwater Horizon oil spill. As oil slicks washed ashore and live underwater video showed the broken well spewing oil continuously into the Gulf, BP CEO Tony Hayward declared that the explosion was not BP’s fault, that the environmental impact was likely to be “very, very modest,”86 and that everything was under control.87 The attempt at reassurance backfired horribly, casting the quiet geologist as a callous corporate villain who was more concerned about blaming others than accepting responsibility or showing compassion. So Hayward went to Louisiana to apologize in person and put a human face on BP’s response. But his comments there got him in more trouble. “There’s no one who wants this thing over more than I do. I’d like my life back,” he said to a crowd of reporters, on camera.88 Public anger boiled over. “These are the most idiotic statements I’ve ever heard,” declared irate Louisiana governor Bobby Jindal. “If I was on that board, I would wonder about trusting a multibillion-dollar company to somebody who’s making those kind of statements.”89 Hayward ended up having to apologize for his apology tour.
BP’s expensive national advertising campaign also struck the wrong chord, suggesting the company had the spill under control when it didn’t. “We will get this done, we will make this right,” Hayward declared in one television spot. Crisis management consultant Glenn Selig likened it to a doctor in an emergency room full of dying people telling family members that everything will be fine.90
Tony Hayward became the most vilified man in America. Daily headlines covered his gaffes. Everyone piled on. Presidential spokesman Robert Gibbs took aim at him from the White House press room. Congressional leaders of both parties pummeled BP and its chief executive. Hayward’s appearance at a June 17 House hearing was described as “a public execution.”91 The next day, Hayward was removed from day-to-day control over the company’s oil spill response. In July, he announced his resignation. At a gathering of board members, he said handling the Deepwater Horizon crisis was like “stepping out from the pavement and being hit by a bus.”92
Multiple audiences also became a challenge for United Airlines, causing its crisis to escalate. Within forty-eight hours, the passenger dragging incident moved from social media to mainstream media; triggered calls for congressional hearings and a federal investigation; sparked outrage in China, one of United’s most important foreign markets (where more than one hundred million Chinese viewed the video); and caused a $255 million loss in shareholder value. We capture the forty-eight-hour escalation in the chart below.
Venture capitalist Marc Andreessen described the predicaments of BP and United Airlines well. He told us, “Things happen in the world, right? Some of those things then become big deals in the press. And then there’s a feedback loop. Something that becomes a big deal in the press, that’s going to cause governments to come after you. Or vice versa. Governments coming after you can cause things to happen in the press… That’s a dynamic that results in your company becoming a political punching bag in a way that’s kind of hard to recover from.”
Responding well to a crisis in the moment is part of the battle. Developing mechanisms to remember the right lessons from that crisis is another.
Here, too, NASA provides a tragic tale of a learning failure. Seventeen years after the Challenger tragedy, the space shuttle Columbia exploded, killing all seven astronauts on board. This time the fatal cause was foam shedding from the shuttle’s external fuel tank, which damaged a thermal shield on the wing during liftoff and caused it to fail on reentry. Like O-ring weaknesses, foam shedding was not a surprise. It had occurred during sixty-five of seventy-nine previous shuttle launches.93 At first, the shedding was considered dangerous. But the more it happened, the less dangerous it seemed. NASA managers fell into the exact same cognitive trap that led to the first shuttle disaster, seeing sixty-five near misses as sixty-five successes. NASA did not just fail to learn from near misses. It failed to learn from tragedy.
Our Stanford colleague Jim March, one of the world’s most eminent sociologists, spent his career examining how organizations learn. He found that continuous learning involves two skills: “the exploration of new possibilities and the exploitation of old certainties.”94 Exploration is the search for new ways of doing things. Exploitation is the process of implementing them. Exploration and exploitation often compete and conflict. “The essence of exploration is experimentation with new alternatives,”95 March wrote. “The essence of exploitation is the refinement and extension of existing competences, technologies, and paradigms.” One process is creative, disruptive, and uncertain. The other is efficient, order-inducing, and predictable. Companies that excel at continuous learning keep exploration and exploitation in productive tension.96 This is hard to do.
Even Johnson & Johnson has struggled to balance exploration and exploitation. Back in 1982, CEO James Burke developed new ways to manage crises that flew in the face of conventional wisdom. He excelled at exploration. Exploitation has been more challenging. In 2012, a Wharton Business School article asked, “Has the Company Lost Its Way?”97 The article found that J&J wasn’t sustaining its own best practices. In the 2000s, under the leadership of CEO William Weldon, the company suffered a string of major product recalls, including household name brands like Benadryl and Children’s Tylenol as well as products ranging from contact lenses to Rolaids to artificial hips. J&J also faced heightened regulatory scrutiny, critical congressional hearings, and several state lawsuits over improper marketing of its antipsychotic medication Risperdal.98 In 2011, the Food and Drug Administration put three facilities under consent decree.99 Johnson & Johnson issued at least eleven major product recalls, nearly twice as many as health care product giant Pfizer or Procter & Gamble, the largest consumer products company in the world.100 Quality control problems cost an estimated $1 billion in lost sales.101
Many believe that one reason for J&J’s decline was the company’s drift from its core values as the number of its subsidiaries mushroomed, global business grew, and profit pressures increased. “I think the credo used to be quite real there,” says Erik Gordon, a professor at the University of Michigan’s Ross School of Business. “There was a time when people really believed in it and took great pride in it. But those days are long gone.”102 Fortune described the period as a “cascading reputational and quality-control crisis” that had “engulfed” the company’s consumer business.103
In February 2012, when CEO Weldon stepped down and Alex Gorsky took the helm, Gorsky’s first presentation to the board outlining his long-term vision centered on the company credo.104 Among his priorities: creating a unified company out of 250 different global subsidiaries, each operating relatively autonomously. Values were at the core. Today, across Johnson & Johnson there are “credo challenges” where business decisions are evaluated according to the credo. There are also biannual credo surveys that ask employees to assess how well the business is upholding the credo.105 J&J still has its share of crises, and it is still struggling to respond effectively to them, but the company is taking major steps to relearn the lessons of 1982.106
The best learning organizations we know may surprise you: top-notch football teams. We admit it, we both love football. Condi’s father was a collegiate athletic administrator who taught her the intricacies of the sport, among other ways, by insisting she play in his backyard holiday game called “The Rice Bowl.” Amy’s grandfather was a judge who spent his free time recruiting young men from nearby western Pennsylvania steel towns to play for his alma mater, the University of Michigan.
But it also happens to be true. Years ago, Martin Landau and Donald Chisholm seized on football as the ultimate learning organization. “American football may be a game of inches, but above all else, it is a game where success depends on the consistent and progressive reduction of error,” they wrote.107 In football, error is everywhere and success and failure are obvious. In every game, only one team wins. Losing coaches do not keep their jobs for long. The most successful coaches study wins as well as losses, subjecting “every aspect of their plans and executions to careful analysis.” Good coaches balance exploration and exploitation and engage in both processes continuously. Activities like watching game tape, devising plays to exploit opponents’ weaknesses and capitalize on your strengths, and adjusting the lineup for better matchups are exercises in exploration—they are innovations to gain advantage. Activities like practicing hurry-up offense and conducting drills to hone the capabilities of specialized positions, including backup players, so they are ready to substitute in at a moment’s notice are exercises in exploitation. Notably, Landau and Chisholm wrote that “many (if not most) of the coaching profession see their task as teaching.”108 Football teams really are learning organizations. Whether it’s the National Football League or the NCAA, the best teams may not have the best talent; what they often do have are the best learning processes.
Consider one of our favorite examples, the turnaround track record of former Stanford coach Jim Harbaugh, who took Stanford from a tough 1–11 season to become a BCS bowl qualifier and top-ranked team in just four seasons. Harbaugh did the same thing in the NFL. When he joined the San Francisco 49ers in 2011, the team had not had a winning season in eight years. In his first season as head coach, the 49ers, with very little turnover in the roster, won 13 games, the division title, and made it to the NFC Championship Game.109 Then in 2014 Harbaugh moved to the University of Michigan. Before he arrived, the Wolverines went 5–7.110 During Harbaugh’s first season, he took essentially the same players and finished with 10 wins, 3 losses, and a number 12 national ranking. Three teams, three turnarounds. What made the difference? Harbaugh’s intensity, his exceptional ability to motivate a team, and his relentless focus on learning and competition. Everything to him is competitive. Improvement is a mind-set. “You are getting better or you are getting worse. You never stay the same,” he likes to say.111 He’s not afraid to try something new or repeat what works. He takes exploration and exploitation seriously.
Harbaugh is a good reminder that continuous learning takes a heavy dose of leadership to work. Jim March is right that learning requires processes that enable both exploration and exploitation. But real life is not so sterile. Organizations in the real world are filled with people who respond to leaders and values that inspire. Creating mechanisms for continuous learning must involve both the head and the heart—a cold-nosed assessment of what to keep doing, what to stop doing, what to start doing, and an inspirational approach to get everyone to join the journey.