In considering the recent hacking incident involving Sony, I’ve been trying to put myself in the position of the decision-makers who had to react to the crisis. I’ve been asking myself, “What advice would I give my CEO in this situation?” It is easy to second-guess such decisions after the fact. It is also easy to spout platitudes such as, “no negotiations with terrorists” or “we must stand firm in the face of terrorism.” But when it is your loved one that is the focus of the negotiation or your local theater that is firebombed, the discussion takes on a more personal dimension.
CEOs receive advice from many during a crisis and the nature of that advice is, to a certain extent, predictable. Corporate counsel will inevitably recommend the most cautious approach that limits company liability, for example. But too cautious an approach carries a price as well, as we are seeing in the many voices criticizing Sony’s decision to capitulate. On the other hand, a decision to continue business as usual carries enormous liability in the event an incident actually occurs.
So how do we give the best possible advice to corporate decision-makers? Ultimately, we must fall back on the fundamental emergency management skill of assessing risk. In this case, we need to ask, “What is the capability of those making threats to actually carry them out?” Secondly, we must consider our own ability to block any attempts to harm the public. But this only takes us so far. We also need to consider the ramifications of any decision that we make.
Let me put this in a slightly different context. The Disney Corporation is seldom sued. The reason for this is that years ago Disney made a conscious decision not to settle frivolous lawsuits. There was clearly an initial cost in litigating frivolous lawsuits but, in the long run, this upfront cost was recouped 100 times over through the avoidance of future frivolous lawsuits. Lawsuits against Disney became an expensive proposition that yielded few rewards, and few attorneys were willing to take them on without a solid complaint.
Returning to the Sony incident, we need to consider not only the ramifications of this single incident but what it will mean in terms of future incidents. Can we allow anyone with an Internet connection to dictate how we lead our lives? Risk is an inherent part of life and I believe that if we make people aware of the risk and allow them to decide whether it is acceptable or not, they will support us. There are ample historical examples of this. In the end, we must take the long-term view and accept that nothing we do is truly risk-free.