Tylenol Redux — Institutional Amnesia
in 1982 a crazy person put cyanide laced capsules in several bottles of Tylenol painkiller and put them back on the shelves of drugstores for sale. Several people died or became ill as a result. I’ve often talked about this case primarily to highlight the wisdom of dealing with crises proactively to minimize the potential damage. In 1982, we had not yet had a case where toxic chemicals were placed into over-the-counter bottles with such dramatic effect. There was no precedent; no one knew what to do. But the McNeil company, makers of Tylenol (now subsidiary of Johnson & Johnson) didn’t let that stop them from mounting what in retrospect still appears to be one of the most adroit crisis response efforts ever mounted by a company in response to a crisis that threatened its very existence.
Yesterday, we learned that that same company has experienced a growing rate of incidence of quality problems in its Tylenol production but over a period of several months has not managed to either bring about a convincing response or explain itself to the public. The United States Food and Drug Administration has apparently referred the matter to the authorities for potential criminal prosecution. What a difference 28 years makes in the evolution of corporate culture. Apparently Johnson & Johnson and McNeil have a serious problem with corporate amnesia. Of course, the executives and managers who responded in 1982 are probably all retired by now. One might assume that the 1982 problems with Tylenol would be required reading for people at McNeil and even at Johnson & Johnson. Or, maybe some genius MBA told McNeil management “look at the mortgage meltdown: ethics don’t matter anymore.” Whatever the cause, McNeil has obviously lost all touch with the wisdom and in a common sense that guided it 28 years ago.
What probably happened at McNeil was plain old garden variety CYA and inertia. Same as happened in the hours leading up to the Challenger disaster in 1986. Management was committed to launch. Engineers had really good gut instincts and a little bit of data to support their gut. But the engineers lacked a convincing argument connecting their instincts to their data and, as a result, management made the wrong decision. The real question here is: is there a systemic problem in McNeil’s production processes? If we think there’s a systemic problem isn’t it good for business to confront that problem publicly and deal with it decisively? Even if we are sure that there is no systemic problem, could the public perception that a systemic problem exists develop and still hurt our business? Don’t we have an obligation to stop that from happening? What’s the best way to stop it? Apparently, this line of reasoning did not emerge at the McNeil. Or, if it did emerge, management was not convinced.
It’s too soon to tell whether the recent problems with McNeil quality in Tylenol production will have the same effect on Johnson & Johnson stock price and Tylenol market share as the cyanide incident had in 1982. But we can safely assume that McNeil will discover (re-discover?) that when it comes to consumer confidence, perception is reality. Toyota discovered this. In 1982 McNeil discovered this. So perhaps the real wisdom in the latest Tylenol scare is that preserving institutional knowledge is hard work whether it is the recipe for a popular soft drink or the chemical process for fabricating a market-leading product. In the case of Tylenol, we’ve learned that it is possible for an organization to completely forget principles that were almost universally recognized to contribute directly to the company’s success. It is a rather stunning lapse.
What does all this have to do with information security? In the real world, bad things happen. Well implemented processes contain controls commensurate with the risk posed to the firm from potential process failure. Lapses in product quality are just like data breaches in this regard. Our information handling processes must take into account the risks of potential process failure to the organization. Information security is primarily concerned with this issue. Do you have breaches in your past? Does your industry have breaches that everyone should learn from? Study those incidents and cases and take as much learning from them to help form your own business decisions. Don’t be like McNeil and forget the guiding principles of crisis management that stood you in such good stead only a relatively short time ago.