Tag Archives: risk management

Will Sony’s Capitulation Have Far-Reaching Consequences?


In the November 1995 issue of Harvard Business Review, Norman R. Augustine, who was President of Lockheed Martin Corporation at that time, observed that “the essence of crisis mismanagement is the propensity to take a bad situation and make it worse.” In its response to a serous hacking incident, likely directed by North Korea’s government, Sony Pictures may have provided business schools with a new case study on crisis mismanagement. The fallout from its crisis mismanagement could be far-reaching. Worse, those consequences could also be of an enduring nature.

In my BBA 407 Strategic Management course, one of the things we discuss is risk management, ranging from strategic risk mitigation to contingency planning for corporate crises. Risk management is a necessary component of any credible strategic planning exercise. Among other things, effective risk management requires companies to maintain a focus on understanding the sources of their sustainable competitive advantages, identifying risks that could erode those advantages, developing robust approaches for mitigating harm to those assets, and maintaining a focus on the big picture and the long term.

In the wake of a serious hacking incident, it increasingly appears that Sony Pictures had no coherent and organized plan for dealing with such an incident, even as cyberattacks ranging from sophisticated infiltration of Target’s customer payments system to several South Korean banks have made headlines. Instead, a chaotic decision making process culminating in Sony Pictures’ dramatic decision to pull the release of The Interview, a fictional film concerning the assassination of North Korea’s President, ensued.

That decision has potentially profound consequences. Those consequences extend far beyond Sony Pictures or Hollywood.

First, Sony’s decision has all but eliminated the possibility that the U.S. could have taken countermeasures that would have had deterrence value. In his The Necessity for Choice (Harper & Brothers, 1961), Henry Kissinger warned:

Deterrence is either effective or it is not. There is no margin for error. Mistakes are likely to be irremediable. If the gains of aggression appear to outweigh the penalties even once, deterrence will fail.

Had Sony released the film on schedule, the hackers’ demands would have yielded no material gains. Their end goal—and likely North Korea’s, too—would have gone unfulfilled. Then, even if the U.S. only publicly blamed North Korea for a role in the hacking incident, North Korea’s government would have incurred a measure of costs. Had the U.S. taken a less likely course and used some of its cyber capabilities against North Korea’s limited information infrastructure, those costs would have been even higher. Instead, either approach will now be weighed against the benefits achieved from Sony’s pulling the film. Hence, the costs of any countermeasures will, in relative terms, wind up much lower and almost certainly not prohibitive. As a result, there will be no deterrence value. Other state, non-state, and criminal actors will likely take notice.

Second, Sony Pictures’ success depends, in large part, on its ability to leverage the talent of Hollywood’s creative community. In abandoning the film, Sony Pictures’ decision, at a minimum, created the perception that it will not effectively stand behind that community when confronted by adversity. This actual or perceived lack of reliability has undercut the credibility of its commitment to creative expression.

Not surprisingly, a number of Hollywood celebrities swiftly condemned Sony’s decision. Rob Lowe declared that “the hackers won” and labeled the outcome “an utter and complete victory for them.” Mia Farrow termed Sony’s decision “a disgrace.” As a result, the company is now in the midst of a fully avoidable public relations crisis on account of that backlash. More importantly, should a meaningful share of Hollywood’s creative community lose confidence in Sony Pictures to the extent that they demand higher payments to compensate them for their added intellectual risk taking, Sony’s competitive and financial position will be weakened. The public nature of the crisis could also erode Sony’s overall brand reputation, a development that would impact the company beyond its entertainment division.

Looking into the future, Sony’s precedent may embolden would-be cyber attackers to target the nation’s knowledge enterprises, including but not limited to colleges and universities. Activities ranging from research to course content could become the objects of such attacks. Academic freedom related to research, inquiry, and the dissemination of knowledge is the lifeblood of colleges and universities. Without such freedom, colleges and universities cannot impart on their students the intellectual capacities that are critical to their post-graduate success, much less expand the frontiers of knowledge.

In a world in which innovation and knowledge are increasingly vital to economic and social progress, such an outcome might represent perhaps the highest cost stemming from Sony’s mismanagement of its crisis. Moreover, the compounding nature of a slowdown in innovation could result in those costs far exceeding Sony Corporation’s recent nearly $25 billion market capitalization.

Therefore, in the longer-run, the U.S. will need to develop an effective approach to deter state-sponsored cyberattacks (by state and non-state actors), much as it can deter military attacks given its overall power. Establishing deterrence in cyberspace is a complicated and difficult process, but a necessary one. If state or non-state actors, such as terrorist groups, conclude that they can utilize cyberspace with impunity, among two broad scenarios are plausible in the longer-term:

1. Such attacks will wreak increasing harm, particularly in critical economic and societal sectors (government, finance, energy, air control, defense, etc.).

2. The United States (and other countries) will limit their use of technology, even as the benefits of advancing technology are enormous. Such a retreat will undermine innovation, scientific progress, long-term economic growth, consumer welfare, etc.

Toward the conclusion of his article, Augustine wrote, “Crises tend to be highly formative experiences—watershed experiences, sometimes even life-threatening experiences—for a business… But once you’re in one, accept it, manage it, and try to keep your vision focused on the long term.” In capitulation, Sony Pictures lost sight of the “long term.” Its consequential choice has risked transforming a short-term crisis into a long-term strategic disaster with implications far beyond Sony Pictures.