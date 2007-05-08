When corporate executives are faced with a crisis -- be it a product recall or an executive scandal -- the typical knee-jerk reaction is to send up the white flag. But that strategy doesn't stand up well when managers are trying to fend off bloodthirsty competitors or a panic-stricken public, claims Eric Dezenhall, a crisis management expert. In an interview with Computerworld, the co-author of a new book, Damage Control: Why Everything You Know About Crisis Management Is Wrong, talked about how IT managers and corporate executives can best handle such situations.

What's wrong with contemporary thinking on crisis management? It's all Mother Goose aphorisms. Always apologize, always show concern, always immediately recall your product. It's not that this thinking is de facto wrong, but it's singularly uncreative. In this modern age, creative thinking and tactics are called for. Inherent in contemporary crisis management thinking is that the company is always wrong and should surrender. The approach of our book is that making nice is not the answer.

What are some recent examples? British Petroleum took out ads for years under the banner of Beyond Petroleum, [believing] that if they showed public concern about global warming, it would inoculate them against attacks. And it didn't. Don Imus apologized and lost his job. Michael Richards of Seinfeld apologized, and it's back to oblivion for him. Then look at Martha Stewart and Lance Armstrong. They didn't apologize, they said, "Go pound sand," and it worked out well for them.

Say a bank's computer systems get hacked and financial data on thousands of customers is exposed. What would be an effective way for the bank to address this publicly? First thing, remember the name of the game is damage control, not damage disappearance. You don't reverse them, you lessen their impact. We have had situations like that, and you have to quantify the problem. It has to be made clear quickly what the extent of the damage is. People want to know, "Am I going to be OK?" and "What are you doing about it?" Those are the twin goals with something like that. Some organizations go on to explain process, and that is absolutely worthless to the public.

Is that done predominantly to soothe shareholders and calm investors? I think people in crises don't necessarily do what's right, they do what they know. Explaining process is what people with technical backgrounds know. It's not comforting to explain process. It's comforting to explain actions and that there's a plan to prevent this from happening again. It's like psychotherapy: Talking about the problem doesn't solve it, but it can make you feel better.

Should this be handled any differently if, say, a hacker gained access to a health care organization's customer medical records? I think the same principle applies. Financial information and health information is about as personal as it gets, with the exception of sexual information. You're dealing with people who are so furious that they're not interested in being dealt with logically; they want to be reassured that the situation is under control and that it won't happen again. Explaining how something got breached is like the plumber who comes to your house and explains how the sink was clogged when you just want to get it to work.

One situation I'm finding that's increasingly causing crises in IT is how many things are retained in e-mail. This is epidemic. I had a client in financial services who had a small drug ring with a handful of employees that was being run internally and handled through e-mail -- "I'll meet you by the elevator with the stuff." The only people who understand not to save these kinds of e-mails are people who are either too old that they don't use e-mail or others who have spent hundreds of thousands of dollars in litigation because of this.

What are some organizations that have handled damage control well? What characteristics or actions make them stand out? I think a lot of it comes down to very strong leadership. Given the choice between a great crisis management plan and great leadership, always go with great leadership. I think the JetBlue example was very good.

Another good example of crisis management is that it isn't necessarily cinematic, that you do a flashy stunt and it goes away. Bausch & Lomb recently had several problems with their optical products. They were recalled and replaced without a lot of fanfare. They didn't feel a need to call a lot of news conferences with little girls holding daisies. They just did it. The cell phone industry has been very effective on the issue of cell phones causing brain cancer. People like using these products and they want to keep using them. They formed their own independent user panels and they hit back and challenged you on the facts, and I think it was effective.

What did JetBlue's CEO, David Neeleman, do right? He did something tangible. He didn't just apologize; there was some sort of reimbursement program. They formed a passenger bill of rights. It was a very specific portfolio of actions. Next, he wasn't just visible; he was strong. What we want to see in a leader is someone who is competent in a situation. I don't think a groveling CEO is necessarily what you want to see. When the whole spying scandal came up at HP, it wasn't that [CEO] Mark Hurd was just apologetic; he was strong. He said, "This is a very strong company; we're going to pull out of it," and they did just that.

Several companies, such as Hershey, Whirlpool and Nike, have suffered high-profile operational disruptions from problematic ERP systems. Can you share some insights on how these situations might have been handled better? We did have one situation in that category, and the answer is kind of corny. A lot of it came down to charm offensive. A lot of it was interpersonal. A lot of times when you're dealing with operational infrastructure problems, the remedy is interpersonal -- a real offensive with offended parties, showing them what's been done to correct the problem and conveying a personal commitment to making sure it doesn't happen again. I wish I could tell you there was a more clever answer, but that's what it comes down to. You mobilize your team on a personal basis to assuage offended parties.

What are some other overlooked or underserved aspects of crisis management? Conventional crisis management tends to view crises as organic, and what we believe is that most conflicts are communications issues. The way that you deal with the problem is different than the way you'd deal with the problem with a motivated party that's trying to exploit your weakness. People need to think about the nature of adversarial behavior more than they do.