Vulnerability Management for Enterprises

Vulnerability Management for Enterprises: The Impact of Ethical Orientation of Enterprises on their Ability to Manage Crisis

by

Ian I. Mitroff, Ph.D.
The Harold Quinton Distinguished Professor of Business Policy, The Marshall School of Business
Professor of Journalism, The Annenberg School for Communication
University of Southern California
Los Angeles, California, 90089-0808
Office: (213) 740-0154 Home: (310) 372-3418

and

Murat C. Alpaslan, Ph.D.
Lecturer, Marshall School of Business
University of Southern California
Los Angeles, CA 90089-0808
Office: (213) 740-0762 Home: (310) 445-9438

The authors would like to acknowledge the support of the Department of Homeland Security, Directorate of Information Analysis and Infrastructure Protection. They would also like to thank Charles Meister and Morley Winograd for comments on earlier versions of this paper as well as the reviewers from CSC on earlier versions.

April 14, 2004


TABLE OF CONTENTS

EXECUTIVE SUMMARY
1. INTRODUCTION
   1.1 BACKGROUND
2. TWO CONTRASTING STYLES OF CRISIS MANAGEMENT
   2.1. ORGANIZATIONAL ETHICAL VALUES
3. TWO BASIC THEORIES OF ETHICS
   3.1. THE TRADITIONAL VIEW OF THE FIRM
   3.2. THE DEONTOLOGICAL VIEW OF THE FIRM
   3.3. BOUNDED MORALITY
4. BEFORE AND AFTER 9/11
5. CRISIS MANAGEMENT PERFORMANCE
6. METHODS
   6.1. FIRST QUESTIONNAIRE
   6.2. SECOND QUESTIONNAIRE
   6.3. RESPONSE RATE
   6.4. INTERVIEWS
7. MEASUREMENT
   7.1. ETHICAL ORIENTATION AND ORGANIZATIONAL VALUES
   7.2. CONTROL VARIABLES
8. RESULTS
   8.1. INTERVIEWS
   8.2. QUESTIONNAIRES
9. DISCUSSION
10. CONCLUDING REMARKS
APPENDIX A
APPENDIX B
REFERENCES


EXECUTIVE SUMMARY:

There is a strong relationship between an organization's ethical orientation and its preparation for crises, including those caused by terrorist attacks. This relationship was investigated by studying the crisis management behavior of Fortune 1000 companies before and just after 9/11. The study also included a one-year and two-year follow-up questionnaire.

Corporations with an ethical orientation that is grounded in the notion of “doing no harm to a single person,” or what is known in the ethics literature as a deontological or duty-based approach, valued a proactive approach to crisis management. For proactive organizations, “doing no harm to a single person” means “doing what is ‘right’ irrespective of how much it costs.” The direct implication of this orientation is that proactive organizations prepare for crises before they experience them. Their level of cyber-security preparedness is therefore likely to be higher than that of organizations with a radically different philosophical approach.

In contrast, reactive organizations prepare for crises, if at all, only after they have already experienced them. Reactive organizations have an ethical orientation that is grounded in a utilitarian or cost-benefit philosophy. That is, reactive organizations prepare for crises if and only if their preparations are cost effective and lead to greater profits. Even with strong corporate governance policies with regard to information infrastructure protection and an active CISO/CIO, they are less likely to be prepared for dealing with cyber attacks.

The crisis management performance of proactive (deontological) corporations is superior to that of reactive organizations; for example, proactive organizations experienced 44% fewer crises than reactive organizations.[1] In addition, proactive companies substantially outperformed reactive companies financially, thus demonstrating that “doing the right thing or things” is also good business!

In spite of the superior financial performance of proactive organizations, it is extremely difficult to get reactive companies to switch their orientation. While they espouse a deep concern for profits, reactive companies are guided by an underlying ideology that is very difficult to change. Even though it can be demonstrated empirically that a different ethical and philosophical orientation is actually more profitable, this is not sufficient to change their behavior. To construct an effective plan for protecting the nation’s information infrastructure that is in the hands of the private sector, strategies that go beyond the current debate between incentives and mandates must therefore be developed.

[1] Survey data revealed that, during the last three years, proactive and reactive organizations experienced 9 and 16 crises, respectively. This corresponds to a 44% difference: (16-9)/16 = 44%.


In this regard, the events after 9/11 provide an instructive example of how innovative the strategies must be to change these strong cultural biases. Reactive corporations increased their planning and training for terrorist attacks, but only if they believed that the probability of their being attacked was significantly higher than before 9/11. In contrast, proactive corporations did not change their preparation substantially for terrorist attacks because they were already doing a great deal.

In sum, an organization's "ethical orientation" is a strong determinant of its crisis management behavior and performance. However, we also note the strong limitations of the current data from which these conclusions derive. Further studies are absolutely essential to establish the generality of the conclusions presented in this paper. Of vital importance is the question as to whether reactive organizations can be induced to become more proactive and to what degree the current understanding of this phenomenon holds for the special case of information infrastructure protection.


1. INTRODUCTION

1.1 Background

In 1982, Tylenol capsules laced with cyanide killed five people. Johnson & Johnson executives responded quickly and effectively. J&J quickly became a model for crisis management. Although J&J executives did not know in the very beginning if the poisonings were due to internal or external causes, they ordered all Tylenol products off the shelf at the very first hint of a crisis. In addition, they shared the complete details of the situation with the media and the public. In sharp contrast to organizations as diverse as Enron and the Catholic Church, they neither lied nor withheld information. They were completely open and honest. They wanted to do the right thing no matter how much the consequences of their decisions and behavior might have affected them. In other words, they were willing to accept the costs of a huge product recall. For J&J executives, doing no harm to a single individual was more important than making profits. Although the recall of capsules was costly and the initial stock market impact was negative (Marcus & Goodman, 1991), J&J not only survived the Tylenol crisis, but it also reinforced its reputation for integrity and trustworthiness (Fink, 1986; Mitroff & Anagnos, 2001; Wood, 1994). J&J’s decisions were based on organizational values that emphasized moral principles and doing the right thing (Mitroff & Anagnos, 2001). In the end, their decisions led to better consequences for everyone involved.

During the 1970s, Ford Pintos were prone to catch fire as a result of rear-end collisions. At the time, federal standards on fuel tank integrity required that cars should be able to withstand a 30-mile per hour rear collision. The Ford Pinto did not meet federal standards. Although Ford executives knew that the car had a defective design and was unsafe, they continued production (Dardis & Zent, 1982). Gioia identified two principles on which Ford executives based their decisions (Gioia, 1992: 383): First, they believed that “safety doesn’t sell.” Second, Ford had a corporate norm that required managers to adhere to the production “limits of 2000” that aimed to keep the cost and the weight of the car below $2000 and 2000 pounds. According to an internal memo, the estimated cost to solve the fuel tank problem was $11 per car and the estimated value of a human life was $200,000 (Dowie, 1977). In short, Ford executives chose to wait until they were sued because settling a few lawsuits filed by burn victims or their families was more cost-effective than modifying the initial design (Velasquez, 1982). Ford’s decisions were based on organizational values that emphasized conformity and cost-effectiveness (Gioia, 1992). In the end, their decisions led to worse consequences for everyone.


These cases illustrate two very different approaches to crisis management. As a result, their outcomes are very different as well. What are these different approaches? And why are they different? Researchers have studied the antecedents of crises and what constitutes effective crisis management from multiple perspectives including: technical, organizational, structural, social, psychological, and cultural (Turner, 1978; Perrow, 1984; Mitroff and Pauchant, 1990; Kovoor, 1991; Pauchant and Mitroff, 1992; Pearson and Clair, 1998; Mitroff & Anagnos, 2001; Weick and Sutcliffe, 2001). Pearson and Clair (1998) proposed a link between how managers perceive crises and the crisis management practices they adopt. Other researchers have also suggested that top managers’ perceptions about risk and risk taking influence their crisis preparedness (Kets de Vries, 1984; Kets de Vries & Miller, 1986; Mitroff et al., 1996). Although the perceptions of managers about crisis and what crisis management practices they prefer are affected by many factors, we believe that three are paramount: (a) bounded emotionality (Mitroff & Pauchant, 1990), (b) bounded rationality (Simon, 1972), and (c) bounded morality. The literature has paid a great deal of attention to the first two factors. But the third factor, "bounded morality," has not received the attention it deserves.


Mitroff and Pauchant (1990) argued that major crises occur and are not managed effectively because people and institutions are bounded emotionally. Mitroff and Pauchant employed the concept of "bounded emotionality" to describe managers who cannot acknowledge and cope with feelings triggered by crises: fear, anxiety, guilt, anger, depression, and hopelessness. Weick (1993) argued that crises induce a heightened sense of vulnerability, and thereby impair victimized managers’ sense making and rationality. At the organizational level, Staw, Sandelands, & Dutton (1981) found that events perceived to have negative implications lead organizations to stick with well understood, previously implemented activities with which organizations are comfortable.

Kovoor (1991) studied managers’ beliefs about their organizations’ level of preparedness for crises. She also audited their actual level of preparation for crises. She found that the managers of less prepared organizations believed that their organizations were better prepared than they actually were. They even believed that they were invulnerable to crises. On the other hand, the managers of better-prepared organizations believed that their organizations were more vulnerable to crises. In other words, "prepared" managers acted as if they were "unprepared" and vice versa. In short, emotionally bounded managers deny their vulnerabilities, and as a result, make their organizations even more vulnerable to crises.

“Bounded emotionality” is not the only cause of ineffective crisis management. Mitroff and Pauchant (1990: xiii) noted that major crises occur and are not managed effectively because of "bounded rationality" (Simon, 1972): "People and institutions are limited in the amounts and the variety of information and alternatives that they can consider and process." In other words, the constraints on our mental processes limit our understanding and our control of complex systems. According to Perrow (1984), "interactive complexity" and the "tight coupling" of a system’s characteristics make accidents virtually inevitable. Starbuck & Milliken (1988) argued that "fine-tuning" makes socio-technical systems cheaper, less redundant, more efficient, more profitable, and more versatile. However, fine-tuning can also cause problems. It can violate system limitations, often unknown, by improving the performance of a part at the expense of the whole. This may not be known until an error results. Thus, fine-tuning can have effects other than those intended. In short, the elimination of systemic failures that cause crises has been difficult because complex technologies and organizations have made it virtually impossible for rationally bounded managers to anticipate and to consider all of the possible interactions that can occur within large systems. This is especially true for today’s complex information infrastructures.


While “bounded emotionality” and “bounded rationality” have been examined in the literature, the relationship between an organization’s ethical orientation and its approach to crisis management has not. We have found no empirical studies of the relationship except for Seeger and Ulmer (2001). Seeger and Ulmer examined two cases of ethical response to crisis and concluded that highly virtuous responses, such as immediacy of response, supportiveness of victims, and rebuilding and renewal, proved effective in managing crises. The lack of interest in the relationship between ethics and crisis management is surprising because virtually all crises raise serious moral questions. Enron’s collapse, the Ford Pinto’s exploding gas tank, and the Ford-Firestone tire crisis are just a few examples where the moral values held by top executives were questioned as a result of the crises. The crisis in the Catholic Church is the most recent example of the link between an organization’s values and its response to a major crisis of confidence. Whether the government knew or should have known about 9/11 has also been questioned not just on technical grounds, e.g., intelligence, but on ethical and moral grounds as well.

In this paper, we report recent data that show how the ethical orientations of the Fortune 1000 corporations affect their crisis management behavior. We argue that an organization's "ethical orientation" is a strong determinant of its crisis management behavior and performance. First, we identify two styles of crisis management and briefly review the literature on ethics. Second, we draw parallels between the two styles of crisis management and two schools of ethics. We then argue that one of these crisis management approaches leads to a better organizational crisis management performance, providing a potential new strategy for protecting the nation’s information infrastructure.

2. TWO CONTRASTING STYLES OF CRISIS MANAGEMENT

A review of the literature on crisis management suggests that there are two different approaches to crisis management: proactive and reactive (Fink, 1986; Mitroff, Shrivastava & Udwadia, 1987; Wildavsky, 1988; Kovoor, 1991; Pauchant & Mitroff, 1992; Pearson & Mitroff, 1993; Pearson & Clair, 1998; Mitroff & Anagnos, 2001; Weick and Sutcliffe, 2001).

The dictionary defines proactive as, “Acting in advance to deal with an expected difficulty; anticipatory.” Wildavsky (1988) defined anticipation as, “A mode of control by a central mind; efforts are made to predict and prevent potential dangers before damage is done.” Aragon-Correa (1998) identified proactivity as a firm's tendency to initiate changes in its strategic policies rather than to react to events. Campbell (2000) pointed out that, at the individual level, a proactive employee has a well-developed sense of responsibility. He also suggested that proactivity is about showing initiative and going well beyond customary job requirements. O’Reilly and Chatman (1986) stressed that proactive employees put forth extra effort and actions to prevent organizations from unexpected danger. Kelley (1988) argued that proactive employees have a willingness to take action based on principle and therefore to bring perceived inconsistencies to attention. In short, proactivity is: (a) anticipating problems, (b) initiating action, and (c) going the extra mile, i.e., exceeding expected job requirements.

Research on crisis management suggests that proactive crisis management (PCM) has the following elements, all desirable traits for protecting an enterprise’s information infrastructure (Pearson & Mitroff, 1993; Pearson & Clair, 1998; Mitroff & Anagnos, 2001):

(a) Anticipating and being prepared for a wide variety of crises;
(b) Picking up and amplifying the early warning signals that accompany virtually all crises;
(c) Instituting damage containment mechanisms in advance of the occurrence of crises to limit their spread;
(d) Forming and training crisis management teams;
(e) Auditing one's corporate culture for values which promote denial, and hence, hinder effective crisis management; and,
(f) Anticipating and including diverse stakeholders into one's crisis plans and procedures.

Reactive crisis management (RCM), on the other hand, reacts to “known” crises primarily after they have occurred and/or prepares for “normal” (Perrow, 1984) crises. It uses the tools of risk assessment. RCM predominantly identifies crises, or risks, by computing the severity of their consequences and the probabilities of their occurrence. The expected cost of a certain crisis is the product of its quantifiable consequences and its probability of occurrence. This is a particularly troubling approach in the area of cyber-security since it leads those who follow it to demand concrete ROI formulas and calculations before making any investments in information infrastructure protection. March and Shapira (1987) pointed out that risk refers to the expected value of an outcome rather than its variability. Therefore, a risk is considered important if its cost times its probability is above a certain threshold. This threshold is not arbitrary. It is the level above which being unprepared hurts profits. In effect, RCM classifies and prioritizes crises. The most important crises are those with the highest expected costs and those that are "normal" to one's industry, clearly not a prioritization that would place cyber attacks high on the list in many of the nation’s critical infrastructure sectors.


March and Shapira (1987: 1411) stressed that the combination of low probability and high consequence presents a dilemma of “preparing for a world that is certain not to be realized.” RCM, thus, focuses on known crises that have happened in the past and it ignores certain crises caused by sabotage, tampering, and terrorist attacks because they have not yet happened and/or have a small probability of occurring in the future (Perrow, 1984; Pauchant & Mitroff, 1992). As a result, organizations that value RCM do not waste their valuable time and resources worrying about "abnormal" crises. They tend to invest less in the early warning systems, damage containment mechanisms, and crisis management training programs that are necessary to prevent and to manage extremely low probability crises. Instead, they focus on high probability crises or "normal" crises, such as financial crises, major lawsuits, and product recalls—not attacks on their information infrastructure.

Pauchant and Mitroff (1992) found that crises cluster in certain types or families. Within a particular family, specific crises share strong similarities, while there are sharp differences between families. An example is information crises such as tampering with databases or stealing proprietary information and trademarks. Another is a psychopathic crisis such as terrorism, kidnapping, product tampering, and workplace violence. Organizations that value PCM do not use traditional probability theory to determine the set of crises for which they prepare. Proactive organizations prepare for at least one crisis in each family no matter what its probability of occurrence (Pauchant & Mitroff, 1992; Pearson & Mitroff, 1993). Proactive organizations also realize that any particular type of crisis can cause or be caused by any other crisis. As a result, they do not plan for individual crises in isolation but consider complex, interactive crisis scenarios such as attacks on physical infrastructure exacerbated by simultaneous attacks on their information infrastructure. They create a diverse and thereby robust crisis portfolio to spread and cover their risks (Pauchant & Mitroff, 1992; Pearson & Mitroff, 1993). In short, they take a systemic view of crises.

It is impossible to prevent all crises. Nonetheless, it is possible to limit their damage and to shorten recovery times dramatically. PCM emphasizes the importance of telling the truth and keeping the public informed before or at the first hint of a crisis (e.g., J&J’s Tylenol crisis). RCM, on the other hand, calculates the expected costs and the benefits of hiding the truth from the public. For example, in the 1970s, Ford Pintos were prone to catch fire as a result of rear-end collisions. At the time, federal standards on fuel tank integrity required that cars should be able to withstand a 30-mile per hour rear collision. The Ford Pinto did not conform to federal standards. Although Ford executives knew that the car had a defective design and was unsafe, they continued production (Dardis & Zent, 1982). They chose to wait until they were sued because settling a few lawsuits filed by burn victims or their families was more cost-effective than modifying the initial design (Velasquez, 1982).

The different crisis management approaches taken by J&J, Ford, and Firestone can be partially explained by the “bounded rationality” and the “bounded emotionality” of their managers. However, in this paper, we also suggest that ethical orientation, or “bounded morality,” is another determinant of effective crisis management.

2.1. Organizational Ethical Values

Values are strong determinants of human behavior (Rokeach, 1973). Researchers have argued that there is a match between the dominant values and cultures of organizations and their managers’ mindset (Kanter, 1977; Bennis & Nanus, 1985; Kets de Vries & Miller, 1986; Martin, 1992), and that managers’ values influence organizational decision-making (Hambrick & Mason, 1984). Schein (1985) theorized that executives’ values and decisions create or reinforce organizational values. Enz (1988, p. 287) defined organizational values as "the beliefs held by an individual or group regarding means and ends organizations ought to or should identify in the running of the enterprise, in choosing what business actions or objectives are preferable to alternative actions, or in establishing organizational objectives."

Although organizational values are large and varied, we focus on an organization's moral and ethical values. Organizational ethical values can be shown to affect organizational outcomes, such as performance and satisfaction (Victor & Cullen, 1988). In this paper, we argue that moral and ethical values partly explain why some organizations prefer a proactive approach to crisis management, while others prefer a reactive crisis management or risk management approach. This is important because if an organization’s crisis management behavior is dependent on its underlying ethical values, then getting a firm to change its crisis management behavior cannot be accomplished simply by passing laws, issuing mandates, or even providing increasingly generous financial incentives.

First, we introduce two fundamental theories of ethics. Then, we argue that these two different ethical orientations lead to, or at the very least are associated with, two different styles, or strategies, of crisis management.

3. TWO BASIC THEORIES OF ETHICS

The philosophical and management literatures abound with various theories of ethics. We focus on two of the most fundamental: consequentialist and nonconsequentialist. Consequentialist theories of ethics judge behavior to be ethical or not in terms of its consequences. According to this perspective, moral judgments are rendered a posteriori, or after-the-fact, and moral principles are derived inductively. Nonconsequentialist theories of ethics judge behavior to be ethical in terms of the rightness or soundness of basic principles. According to this perspective, moral judgments are rendered a priori, or before the fact, and moral principles are derived deductively from first principles or prior assumptions.

Two important consequentialist theories of ethics are utilitarianism and ethical egoism. According to utilitarianism, individuals ought to behave so that the consequences of their behavior have the greatest utility (benefits) for the greatest number of people (Mill, 1957). According to ethical egoism, individuals ought to behave so that the consequences of their behavior have the greatest utility (benefits) for themselves.

Utilitarianism presupposes that what is good for all is good for one (Hinman, 1994). "One" in this case can be an individual or a subgroup of society. In either case, "one" is a means to the larger ends of society. Utilitarians see human individuals as inputs to the utility function of society. For example, every society benefits from a healthy economy and a healthy economy requires energy resources. Therefore, operating a nuclear power plant, although it may cause cancer in employees or residents of the area, is morally acceptable because it benefits the larger society as a whole.

Ethical egoism presupposes that "what is good for me and me alone is good for all" (Hinman, 1994). It demands that each individual treat him or herself as an end and everybody else as means because this is the only way to achieve the greatest good of society. Ethical egoists see everyone else as an input to their own utility function. Ayn Rand (1943), a staunch proponent of ethical egoism, maintained that if people acted selfishly and took care of themselves, the overall effect would be to make the world a better place for everyone. According to Rand, helping others creates nothing but harm because it fosters dependency.

The most influential nonconsequentialist theory of ethics is Kant's deontological, or duty-based, theory. According to Kant, principles that guide behavior must not be derived from consequences of behavior but they must be good in themselves (Kant, 1964). Deontological ethics presupposes that what is fair for one is fair for all (Hinman, 1994). It respects an individual and his or her free will. Human beings have an intrinsic dignity merely by being human. According to Kant, human beings are ends-in-themselves. Therefore, they should never be treated as means, but always as ends.

An everyday example of a deontological principle is, "Killing is never justified; therefore, do not kill." The principle is not, "Do not kill if the consequences of doing so harm you or the majority," because this principle justifies killing if the societal "benefits" of killing are greater than "costs." The principle “Do not kill” is often violated in war because war offers a conflicting principle, "Killing is justified if it is undertaken or supported by the State." Even though the State often justifies killing, a strict deontologist would consistently uphold the principle that killing is not justified under any circumstances. Therefore, “Do not kill” is a “greater” and a more fundamental ethical principle.

Deontological arguments try to arrive at fundamental principles that apply universally to all people at all times and in all places. The fact that deontologists often fail to arrive at universally applicable principles is not enough to deter them from their position because they are committed to it irrespective of the consequences of being a deontologist! In a similar fashion, consequentialists are committed to their position because they believe in consequentialism as a fundamental principle, i.e., deontologically! More contradictions, imperfections, or difficulties inherent in a position are not enough to shift one out of that position when one is committed to it in principle. Instead the firm’s underlying ethical paradigm will need to shift before a new approach to preparing for an attack will be considered.


Since both perspectives approach the subject matter of ethics very differently, they apply ethics in the context of business differently. We examine these differences.

3.1. The Traditional View of the Firm

In the context of business, consequentialists judge a business decision to be ethical if its consequences result in the most efficient utilization of society's resources. The traditional view of the firm (Friedman, 1980 with R. Friedman) supports a consequentialist ethical orientation. It argues that society's resources are utilized in the most efficient and effective way only when self-interested parties try to maximize their profit. Therefore, the only job of a manager is to make profit. Fritzsche and Becker (1984) found that due to the strong role economics plays in managerial decision-making, most managers have a strongly utilitarian orientation.

Goldman (1980) has argued that the traditional view of the firm assumes a purely competitive market. In a purely competitive market, corporations that fail to put profit first will be at a disadvantage. They will spend time and resources that will increase the price of their products, and customers will purchase products of competing companies that charge less (Goldman, 1980). As a result, companies that fail to put profit first will suffer financial losses. The traditional view also assumes that consumers have perfect knowledge of products and services and the way in which corporations conduct their business (Goldman, 1980). Thus, the public and the market will immediately punish those corporations that have engaged in unethical conduct. Punishment by the market and the resulting decline in reputation and profits will force managers to satisfy all ethical and legal constraints in their pursuit of profit. As a result, putting profit first will not only ensure that society’s resources are utilized more efficiently but also create a moral and law-abiding society (Goldman, 1980).

Neither abiding by the law nor a perfectly competitive market, however, always protects consumers' rights. For instance, Ford and Firestone managers did not inform NHTSA (the National Highway Traffic Safety Administration) or the government about problems with tires that were sold overseas because they were not legally required to do so (Eisenberg & Zagorin, 2000). The proponents of the profit first perspective argue that it is not up to the corporations to protect consumers' rights (Goldman, 1980). In fact, they believe that it must be the responsibility of the political system to do so. This is called the “hand of government” argument (Goodpaster and Matthews, 1982; Barry, 1986).

Consequentialists approach their ideal of the effective use of society’s resources through the "invisible hand of the market" or the "visible hand of the government" or both. For the former, the locus of moral force is the market; for the latter, it is the government (Goodpaster and Matthews, 1982). Both agree, however, that better consequences for self and society will only be approached if all parties, including the government, work hard to achieve their purposes. The proponents of the traditional view argue that it will hurt stockholders, organizations, employees, and eventually the whole society if managers waste money and resources by not putting profits first. According to them, it is unethical not to put profits first.

3.2. The Deontological View of the Firm

To deontologists, ethics is universal in both its scope and application. It does not change from context to context. It guides action in every sphere of life. If lying, cheating, and stealing are wrong for managers, then they are wrong for everyone. Consumers' rights have to be respected and protected not because they are consumers but because they are humans, and humans are the proper subject of ethics. Therefore, deontologists do not subscribe to a specific view of the firm.

According to deontologists, a decision or an act can be morally right even if it does not promote the greatest possible balance of good over evil. Therefore, they do not consider profit or the greater good of society as a relevant starting point in their moral decisions. Furthermore, they argue that corporations should act for the sake of duty, i.e., act out of reverence for a universal moral law (Kant, 1964), rather than always avoid potential harm to their profit. From a deontological point of view, putting ethics first is the right thing to do regardless of the costs and the benefits associated with it. Deontological ethics, in fact, demands sacrifice of profit, efficiency, self-interest, and at times, even the greater good of society.

According to Kant, moral behavior must be consistent with the principle he formulated, known as the categorical imperative: "Act only on that maxim [principle] through which you can at the same time will that it should become a universal law." For Kant, the categorical imperative functions as a “test” to judge the validity of a proposed ethical principle. A principle “passes” the test if and only if it can be generalized to all persons in all contexts. Kant's second formulation of the categorical imperative is: "Act in such a way that you always treat humanity, whether in your own person or in the person of any other, never simply as a means, but always at the same time as an end." Therefore, corporations should treat humanity as an end in itself.

3.3. Bounded Morality

We use “bounded morality” to describe executives and organizations that do not, or cannot, acknowledge or accept responsibility for the complete range of the consequences of their actions and decisions. Furthermore, they reduce all moral issues to a cost-benefit analysis of measurable consequences for themselves or for society. Two different factors contribute to “bounded morality”: (a) the focus of moral analysis; and (b) the level of moral development (Kohlberg, 1981).

The first factor that contributes to “bounded morality” is an exclusive focus on consequences as the only arbiter of morality. In fact, utilitarianism focuses on only one consequence: happiness, which means pleasure or the absence of pain. In the context of business, utilitarianism focuses solely on consequences and reduces all values and motives to economic values. Costs are to pain as benefits are to pleasure. Therefore, it is not a coincidence that the traditional view of the firm focuses on profit, or happiness, as the only measure of what is good for one’s self and for society. As a result, managers who believe in this view consider the financial consequences of a business decision or conduct as the only inputs to their moral reasoning. These managers are morally bounded because they ignore non-economic principles and motives behind actions and decisions. For deontologists, the right consequences alone do not make a behavior moral. The intentions must be right too.

Kohlberg (1981) suggested three general levels of moral development: pre-conventional, conventional, and post-conventional. At the pre-conventional level, consequentialists are ethical egoists who believe that moral behavior is that which has the right consequences for one’s self and one’s self alone. At the conventional level, consequentialists are utilitarians who believe that moral behavior is that which has the right consequences for the group to which one belongs and only for that group. At the post-conventional level, consequentialists have developed empathy and a sincere interest in the well-being of others, including future generations and the natural environment. Therefore, they believe that moral behavior is that which has the right consequences for all stakeholders. Kantian deontologists belong to the post-conventional level because their principles apply to all people and in all contexts.

The traditional view of the firm originates at the pre-conventional and the conventional levels of moral development. Thus, it inevitably focuses on the short-term and acknowledges only a limited subset of stakeholders. For instance, if Ford executives were pursuing their self-interest over the "long-run," or if they cared about victims injured by the Pinto, then they would have fixed the Pinto. Managers who subscribe to the traditional view of the firm are morally bounded because they do not, or cannot, recognize the full range of the consequences of their actions and decisions for themselves and for other stakeholders. For Kant, someone who tries to ground morality in consequences and in self-interest has not understood the nature of morality.


Morally bounded organizations believe that it is ethical to sacrifice a few people in the name of the greater good for themselves or for greater numbers of people. They treat human beings as inputs to a societal utility function. In the context of business, they value profits above everything else because doing so serves greater numbers of people. They perform cost-benefit analyses. They prepare only for "normal" crises or for those that have higher expected cost. Thus, they inevitably put a price on human life. In case of a crisis, they respond so as to maximize personal and organizational benefits and to minimize personal and organizational costs.

Deontologist organizations believe that it is completely immoral to harm even a single individual, even in the name of the greater good of society. They treat human beings as ends in themselves; thus, they refuse to put a price on human life. They value the safety of their customers, products, and employees, even their information, above everything else. Since they want to maximize safety, they put in the extra effort and resources to prepare for a wide variety of crises. When a crisis occurs, they respond quickly and honestly because they respect a person's rights to life, safety, and information. Based on these considerations, we can form the following hypothesis:

Hypothesis 1. Organizations with a stronger deontological ethical orientation will exhibit a greater tendency to value a proactive crisis management approach; organizations with a stronger consequentialist ethical orientation will exhibit a greater tendency to value a reactive crisis management approach.

For the sake of convenience, organizations that value a deontological ethical orientation and a proactive crisis management approach will be referred to as DE organizations. Organizations that value a consequentialist ethical orientation and a reactive crisis management approach will be referred to as CE organizations.

4. BEFORE AND AFTER 9/11

Two questionnaires on crisis management were sent to the Fortune 1000 corporations before and following 9/11. The first questionnaire was sent out in February 2001 and personal follow-ups were conducted with those who agreed to be interviewed. Hypothesis 1 was developed before the first questionnaire was sent out. After 9/11, we hypothesized that DE and CE organizations would respond differently. Therefore, the same executives were interviewed a second time. They were asked how their organizations responded to the threat of terrorist attacks. The second round of interviews indicated that DE and CE organizations responded differently to 9/11. Thus, the same questionnaire, with extra questions, was sent out a second time in November 2001. The extra questions were also sent to the executives who responded to the first questionnaire but did not want to be interviewed. The next set of hypotheses in this study were developed both inductively, i.e., from the data and the interviews, and deductively from prior findings.

The media, the public, and many of the executives we interviewed believed that the events of 9/11 hit the transportation industry and the businesses in and around New York City the hardest. Several executives in CE organizations mentioned their industries, their locations, and even the height of their buildings as possible protection from a terrorist attack. There was a widespread belief that terrorists chose to attack New York because it is the financial capital of the U.S. and the symbol of American capitalism. The attack on New York was seen as an attack on the U.S. economy. Therefore, a second or a third attack on New York was not even a remote possibility. The transportation, gas, communications, and energy industries were likely targets, too, because their destruction could hurt the economy and could affect many people. For example, airline passengers could be used to spread disease. Larger organizations were more fearful of being attacked because they have a greater number of locations and affect greater numbers of lives. In short, the probability of being hit by a terrorist attack was perceived to be higher for those organizations that were: (a) located in and around New York; (b) in the transportation, gas, communications, and energy industries; and (c) larger in size.


Most DE organizations were already prepared for terrorist attacks before 9/11, even though terrorism belongs to a family of low probability crises in the United States. DE organizations’ responses to 9/11 did not depend on their size, location, and industry. Most CE organizations, however, were not prepared for terrorist attacks before 9/11. After 9/11, CE organizations increased their preparation for terrorism but not to the same level of preparation DE organizations had before 9/11. Because CE organizations base their decisions on whether the probability of getting hit by a particular crisis is above a certain threshold, their response to 9/11 was a function of their size, industry, and geographical proximity. Thus, the following hypotheses were generated to test whether these presumptions were more generally valid:

Hypothesis 2. The effects of 9/11 on DE organizations are independent of the probability of their being attacked; the effects of 9/11 on CE organizations are dependent on the probability of their being attacked.

Hypothesis 2a. The response of CE organizations to 9/11 is a function of their distance from New York City: CE organizations that are closer to New York City will prepare for terrorist attacks directed against them because the closer they are to New York City, the higher the probability of being hit.

Hypothesis 2b. The response of CE organizations to 9/11 is a function of their industry: CE organizations in the transportation, gas, communications, and energy industries will prepare for terrorist attacks directed against them because they are more likely to be targeted.

Hypothesis 2c. The response of CE organizations to 9/11 is a function of their size: Larger CE organizations will prepare for terrorist attacks directed against them because they are more likely to be targeted.

Hypothesis 2 tests the relationship between an organization’s ethical orientation and its level of preparation for terrorist attacks directed against them. Hypothesis 3 tests the relationship between an organization’s ethical orientation and its preparation level for low probability crises, in general.

Hypothesis 3. DE organizations will be more prepared for low probability crises than CE organizations.

5. CRISIS MANAGEMENT PERFORMANCE

With appropriate advanced planning and preparation, organizations can limit the number and the duration of crises, and the damage they experience (Pauchant and Mitroff, 1992; Mitroff & Anagnos, 2001). DE organizations are prepared for a wide variety of crises. They conduct crisis simulations and crisis-preparedness audits. They form cross-functional crisis management teams. They perform stakeholder analyses to increase their awareness as to how different groups and institutions will respond in the event of a major crisis. They critically and continuously question taken-for-granted assumptions. They develop signal detection mechanisms (Clair, 1993) that catch and amplify even the weakest signals of potential crises, and deceptive defenses, such as honeypots (SANS 2003), that act as decoys, allowing them to learn from intruders’ actions and prevent attacks on the “real” system. For example, they maintain open information channels and they don’t punish the messengers of bad news. Since no single crisis occurs in isolation but sets off a chain reaction of other crises, proactive organizations attempt to prepare to handle multiple crises (Pearson & Mitroff, 1993; Mitroff & Anagnos, 2001). They install damage containment mechanisms to stop the spread of crises, e.g. firewalls and virus detection mechanisms. They deal with crises proactively not only before but also after they happen. Therefore, they tell the truth before a crisis gets out of hand. In short, DE organizations manage crises proactively. As a result, they experience fewer crises, incur lower costs as a result, and enjoy a stronger financial and corporate reputation.

Hypothesis 4a. DE organizations will experience fewer numbers of crises.

Hypothesis 4b. DE organizations will enjoy a better corporate reputation.

It is possible to argue that DE organizations are more profitable and enjoy better financial reputation since their businesses are less likely to be disrupted. By the same token, CE organizations are less profitable since their businesses are more likely to be disrupted. Given the huge costs incurred as a result of crises, this explanation sounds plausible. The mechanism that explains why DE organizations are more profitable and enjoy better financial reputation than CE organizations may be more complex, however. The differences between DE and CE organizations are not limited to the way they manage crises. In fact, because these differences are grounded in DE and CE organizations’ very fundamental values and taken-for-granted assumptions, many aspects of their organizational cultures, structures, and processes may be different as well.

Agency theory (Jensen & Meckling, 1976) and transaction cost economics (Williamson, 1985) are two theories of the firm that are grounded in economics. Agency theory (AT) and transaction cost economics (TCE) assume that people are opportunists and seek self-interest “with guile” (Williamson, 1975). In other words, people will intentionally “mislead, distort, disagree, obfuscate, or otherwise confuse” (Williamson, 1985: 47) to benefit themselves at the expense of others. AT and TCE claim to be "normative" theories as well, by arguing that only by focusing on the contracts between two entities that are out to “mislead, distort, disagree, obfuscate, or otherwise confuse” each other can we increase the efficiency of organizations or any social system.

Many researchers (Perrow, 1986; Noreen, 1988; Quinn and Jones, 1995; Ghoshal and Moran, 1996), however, argue against this belief. These researchers believe that AT and TCE are, in fact, more costly and less efficient. For example, Noreen (1988) argued that “because of the lack of mutual trust, some mutually beneficial interchanges do not take place, and even when they do, there are dead-weight losses because of monitoring costs and inefficient risk sharing.” Noreen stressed that everyone may be better off if they don’t behave opportunistically, thereby economizing on the cost of contracting and monitoring agreements.

Ghoshal and Moran (1996) argued that decision-makers that are shaped by the logic of Williamson's theory will prefer rational controls (such as monitoring) to alternative social controls (such as trust). The increased use of rational controls, however, will shift voluntary and extra-role behaviors, which are primarily a result of intrinsic motivation, to externally enforced compulsory behavior. In other words, the rational controls used by management to reduce opportunistic behavior will, in fact, increase opportunistic behavior. (See Ann Majchrzak’s White Paper on “Human Issues in Secure Cross-Enterprise Collaborative Knowledge-Sharing: A Conceptual Framework for Understanding the Issues and Identifying Critical Research”) Of course, as a result of this self-fulfilling prophecy, principals will increasingly believe that agents are indeed opportunistic. This vicious cycle will increase costs, and make these firms uncompetitive.

As noted above, contracts give rise to agency and transaction costs, and firms that are able to decrease these costs will be more profitable than those that do not. Jones (1995: pp) argued, “Firms that contract (through their managers) with their stakeholders on the basis of mutual trust and cooperation will have a competitive advantage over firms that do not.” These firms will incur lower search, bonding, warranty, and monitoring costs. As a result, they will be more profitable and enjoy better financial reputation.

AT and TCE are grounded in the consequentialist (or the ethically egoist) view of ethics and morality (Quinn and Jones, 1995), which demands that each individual treat him or herself as an end and everybody else as means. Therefore, CE organizations will exhibit a greater tendency to adopt AT and TCE in the conduct of their businesses. DE organizations, however, will reject AT and TCE, and exhibit a greater tendency to adopt norms of mutual trust and cooperation in their business conduct.

Hypothesis 4c. DE organizations will enjoy a better financial reputation.

Hypothesis 4d. DE organizations will be more profitable.


6. METHODS

Both questionnaires were administered anonymously and treated in strict confidence. They were mailed to the highest-ranking public relations managers, safety directors, risk managers, and corporate counsels.

6.1. First Questionnaire

Forty-two questionnaires were completed and returned. One hundred random phone calls were made to follow up with executives who did not respond. This resulted in the completion of 6 additional questionnaires. The total number of respondents was 48 and corresponded to a little less than 5% response rate. The total number of companies was 47 because two of the respondents were from the same company.

6.2. Second Questionnaire

The total number of respondents for the second questionnaire was 61. The total number of companies was 59. Fourteen corporations that participated in the first questionnaire also participated in the second one.


6.3. Response Rate

A low response rate is expected in business ethics research (Randall & Gibson, 1990). Trevino (1986) suggested that managers did not want to be measured or observed to see how ethical they were. Response rates in crisis management research are also low for various reasons (Pearson & Clair, 1998). First, crisis management is at least as sensitive a research area as business ethics. Second, organizations are reluctant to give sensitive information to researchers with whom they have not developed long-term relationships. They also do not want to open past wounds. Since this study examined the relationship between crisis management and ethics, our expectations with regard to response rates were even lower. Nonetheless, even with a small sample size, the results provide sufficient information to conclude that ethical orientation, and crisis management behavior and performance are closely related. It is vital, however, that this study be replicated with a larger sample to see if the results generalize.

Two different checks were implemented to assess the representativeness of the samples: (a) whether the samples came from a particular distribution; and (b) whether non-respondents were significantly different from the respondents. A Chi-square test was performed to see whether the two samples, both separately and combined, came from the distribution of the Fortune 1000 corporations with respect to 1-digit SIC code. Both samples were representative at the 1-digit SIC code level. As a second check, t-tests were performed to compare respondents and non-respondents in terms of various criteria such as age, size, sales, net income, profitability measures, corporate reputation, and financial credibility. There were no statistically significant differences between them.

Two checks were implemented to assess the effects of having the same 14 companies in both samples: (a) whether these 14 companies that responded to both questionnaires differed from those that responded to only one; (b) whether the responses of the 14 companies changed significantly after 9/11. In both checks, t-tests were performed to compare groups in terms of their responses to the questionnaire and their age, size, profitability, corporate reputation, and financial credibility. There were no statistically significant differences between companies that responded to both questionnaires and those that responded to only one. The responses of the 14 companies did not change significantly after 9/11. This may be due to the small sample size of 14: a sample this small may not have enough statistical power to detect effects.

6.4. Interviews

Twelve (25%) executives who responded to the first questionnaire and twelve (20%) executives who responded to the second questionnaire agreed to be interviewed. Eighteen executives were interviewed on the phone; two were interviewed in person. They were assured that their responses would be held in strict confidence. As Huber and Power (1985) suggested, no tape recordings of the interviews were used in order to encourage candid response. The interviews lasted approximately 30-40 minutes. The interviewer (Alpaslan) provided the interviewees with a copy of the questionnaire that they had completed prior to the interview. The interviewees were then asked to verbalize their feelings, thoughts, and emotions with regard to the questions and the scales in the questionnaire. This proved extremely useful in understanding how different people interpreted the questions and the scales.

Six 7-point semantic differential scales, by which the interviewees described their organization, were included in the questionnaire: autocratic-democratic, rigid-flexible, ethical-unethical, consistent-inconsistent, profitable-unprofitable, people first–profit first, and accepts responsibility–blames others. Interviewees were also asked a series of questions about their organization and its crisis management practices: whether they had a crisis management team, who was on the team, whether they did crisis simulations, what was the “most unthinkable” crisis that could happen to them, why they were prepared for certain crises but not for others, how 9/11 affected their organization. Interviewees were not directly questioned on sensitive issues. Rather, they were asked to describe their organization’s values, culture, and behavior. This approach protected the interviewees’ identity and allowed them to answer more openly. There is support in the literature that this technique reveals more frank information about sensitive issues (Burstin, Doughtie, and Raphaeli, 1980). With the exception of the fact that executives were asked how their organizations responded to 9/11, the procedure used during the second round of interviews was identical to that used in the original interviews.

7. MEASUREMENT

7.1. Ethical Orientation and Organizational Values

According to Badaracco (1997), human beings expose or reveal their moral and ethical values when they are deciding between various paths each of which is "right." For example, executives may have to pick between installing an extra safety measure to protect their information infrastructure and gaining higher returns for shareholders. To reveal the ethical values of their organizations, we wanted them to make tradeoffs between two equally compelling and valued "rights." That is, both ends of the scale were designed to be equally desirable.

In order to force executives to make tradeoffs, we used an analytic hierarchy process (AHP) to assess ethical orientation (Saaty, 1980). AHP is a well-known decision making tool that ranks alternatives by assigning to each a weight of its importance. In AHP, participants do not rate or rank alternatives. Instead, they make pairwise comparisons. The AHP algorithm takes pairwise comparison scores as inputs and transforms them into scores. Our AHP model works at two hierarchical levels: intentional and behavioral.

The moral intention scale constitutes the first level and assesses an organization’s motives or intentions: “Which moral principle would your organization follow if it had to make a tradeoff between the following: (a) doing the greatest good for the largest number of people; or (b) doing no harm to a single person.” The former principle implies cost-benefit analysis; the latter principle is categorical. Thus, we expect organizations with a consequentialist intention to follow the former principle and organizations with a deontological intention the latter. A Likert-10 scale with an even number of responses and no middle neutral or undecided choice forced respondents to make a tradeoff between these two moral principles.

Six pairwise comparisons of four potential problems that an organization can experience constitute the second, or the behavioral, level. These four problems were declining profits, increasing number of customer complaints, increasing number of quality defects, and increasing number of safety issues (see Appendix A). For each pair of problems, executives indicated which one is more important to their organization. For instance, if “Declining profits” was more important than “Increasing number of product safety issues,” then they would circle numbers 1, 2, 3, or 4 depending on how much more important “Declining profits” was than “Increasing number of product safety issues.”

As an example, Organization X’s pairwise comparisons were: 8 on profits-safety tradeoff scale, 5 on quality-customer satisfaction tradeoff scale, 8 on customer satisfaction-safety tradeoff scale, 8 on profits-quality tradeoff scale, 5 on quality-safety tradeoff scale, and 8 on profits-customer satisfaction tradeoff scale. The AHP derived scores for Organization X are: 1. Declining profits (4.23%), 2. Increasing number of customer complaints (20.21%), 3. Increasing number of quality defects (29.58%), and 4. Increasing number of safety issues (45.99%). This means that safety is relatively more important to Organization X than profits.

We expected that organizations with a stronger duty-based, or deontological, ethical orientation would rank safety issues as being more important than declining profits. Similarly, organizations with a stronger utilitarian, or consequentialist, ethical orientation would rank declining profits as being more important than safety issues. The correlations between the moral intention scale and the AHP scores on safety and profits were significant. There was a positive correlation (0.399, p
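The step in which AHP turns six pairwise comparisons of the four problems into importance weights can be sketched as follows. This is an added example, not code from the paper or its authors. It assumes each comparison is already expressed as a Saaty-style ratio, because the mapping from the questionnaire's circled numbers is in Appendix A, which is not reproduced here. Both judgment sets are constructed, so the output is not expected to match the percentages reported for Organization X.

```python
from itertools import combinations

# The four problems compared at the paper's behavioral level.
ITEMS = ("profits", "complaints", "quality", "safety")

# Saaty's random consistency index, used to normalise the consistency index.
RANDOM_INDEX = {3: 0.58, 4: 0.90}

# Constructed judgments (not survey data): each ratio says how many times
# more important the first item is than the second.
CONSISTENT = {
    ("complaints", "profits"): 2, ("quality", "profits"): 4,
    ("safety", "profits"): 8, ("quality", "complaints"): 2,
    ("safety", "complaints"): 4, ("safety", "quality"): 2,
}
# Constructed intransitive answers: profits > complaints > quality > profits.
CYCLIC = {
    ("profits", "complaints"): 5, ("complaints", "quality"): 5,
    ("quality", "profits"): 5, ("safety", "profits"): 1,
    ("safety", "complaints"): 1, ("safety", "quality"): 1,
}


def build_matrix(judgments, items=ITEMS):
    """Build the reciprocal comparison matrix; every pair must be judged."""
    n = len(items)
    idx = {name: i for i, name in enumerate(items)}
    matrix = [[1.0] * n for _ in range(n)]
    for a, b in combinations(items, 2):
        if (a, b) in judgments:
            raw, inverted = judgments[(a, b)], False
        elif (b, a) in judgments:
            raw, inverted = judgments[(b, a)], True
        else:
            raise ValueError(f"missing comparison: {a} vs {b}")
        if raw <= 0:
            raise ValueError(f"ratio must be positive: {a} vs {b}")
        ratio = 1.0 / raw if inverted else float(raw)
        matrix[idx[a]][idx[b]] = ratio
        matrix[idx[b]][idx[a]] = 1.0 / ratio
    return matrix


def priority_weights(matrix, tol=1e-12, max_iter=1000):
    """Principal eigenvector by power iteration, normalised to sum to 1."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(nxt)
        nxt = [x / total for x in nxt]
        converged = max(abs(a - b) for a, b in zip(nxt, w)) < tol
        w = nxt
        if converged:
            break
    # Estimate the principal eigenvalue from A.w = lambda_max * w.
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lambda_max


def consistency_ratio(lambda_max, n):
    """Saaty's CR: 0 for perfectly transitive judgments, larger when not."""
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]


def analyse(judgments, items=ITEMS):
    """Return weights per item, the CR, and whether CR meets the 0.10 rule."""
    matrix = build_matrix(judgments, items)
    w, lambda_max = priority_weights(matrix)
    cr = consistency_ratio(lambda_max, len(items))
    return {"weights": dict(zip(items, w)), "cr": cr, "acceptable": cr <= 0.10}


if __name__ == "__main__":
    for label, judgments in (("consistent", CONSISTENT), ("cyclic", CYCLIC)):
        result = analyse(judgments)
        shares = {k: f"{v:.2%}" for k, v in result["weights"].items()}
        print(label, shares, f"CR={result['cr']:.3f}", result["acceptable"])
```

The second judgment set shows why a respondent's weights should be read together with the consistency ratio: intransitive answers still yield a ranking, but the ratio flags that the ranking is not trustworthy.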
