It started when a tourist flew home to Chicago from China. He was 52 and in decent health, but deep in his body a virus was quietly killing his respiratory system. Within days of his arrival in the U.S., this unknown illness was spreading among people he’d encountered. In just weeks, hospitals around the country were being overrun with patients experiencing chills, fevers, coughs—and dying.
But the worst was yet to come. The nation’s medical supply chain failed. Lacking key protective gear, doctors and nurses contracted the still-unknown virus. Badly structured federal response systems and poor communication from Washington squandered any opportunity to track and contain the pandemic before it overwhelmed the country.
Just a few months later, this new virus had infected more than 100 million Americans and killed nearly 600,000 of them—far more than all the U.S. soldiers, sailors, Marines and airmen who died in combat during World War II.
If you think you recall these events, you’re wrong, writes Gen. Stanley McChrystal in the opening to his fascinating and useful new book Risk: A User’s Guide. This isn’t Covid-19. It’s actually the outcome of a Department of Health and Human Services exercise called Crimson Contagion. Played out in 2019 to test the ability of the United States to react to the early stages of a serious pandemic, “its results were as alarming as they were conclusive,” writes McChrystal. “Our nation was woefully underprepared.”
For anyone who has lived through the last two horrible Covid years, the idea that the country had studied the potential for a viral pandemic and not heeded the warnings of what might happen is frustrating, and disappointing. For McChrystal, the retired four-star general who, most famously, ran all operations during the “surge” in Afghanistan after spending most of his professional career enmeshed in some of the riskiest situations imaginable, the outcome may be both of those—but it shouldn’t be surprising.
It simply illustrates what happens when an organization—in this case, a nation—fails to strengthen the key systems, processes and structures required to remain resilient in the face of an increasingly unsettled world—and lacks the leadership required to maintain those systems. In the face of threats like Covid, or a million other potential risks to our businesses or our country, “we can blame outside threats all we want, but there is much we can do to prepare for them—often far more than we care to admit,” says McChrystal.
That’s the key idea in his new book. Rather than try to create foolproof plans for every imaginable scenario you might face, McChrystal lays out the case for building a hearty “Risk Immune System” comprised of 10 operational elements that, when maintained and improved, will make your organization more resilient than a dozen underground bunkers filled with dusty contingency binders. There’s also a good chance it will make your business run faster, smoother and with far greater esprit de corps than ever before.
“This is a really good measure of how you can look at an organization,” says McChrystal, who has served on the boards of JetBlue, Navistar and Deutsche Bank NA. “I think the board should be able to get enough information from management so they get a sense of the 10 Risk Control Factors. Are we healthy in these 10? If something really goes badly, I am 99 percent of the time sure you’re going to go back and find one or more of these badly lagging.”
THE RISK IMMUNE SYSTEM
The key metaphor of the Risk Immune System came to McChrystal while studying HIV/AIDS with Dr. Kristina Talbert-Slagle, a Yale immunologist who saw parallels between the human immune system and counterinsurgency operations in the military. While most of us might recall this decades-long scourge as a deadly disease that killed tens of thousands, the reality is that people don’t die of HIV/AIDS. They die of other illnesses that attack once HIV has destroyed their body’s ability to fight infection.
Organizations have the same issue, McChrystal realized. Problems—whether societal in scope or simply the unexpected loss of your single best customer or some other nightmare scenario—are as inevitable and mundane as germs on your sink. What makes them dangerous—deadly even—is your inability to react effectively to the threat. Why? Problems with what he calls your Risk Control Factors, the 10 operational areas that comprise the Risk Immune System: Communication, Narrative, Structure, Technology, Diversity, Bias, Action, Timing, Adaptability and, at the heart of it all, Leadership.
“About 80 percent of what you do in a crisis is the same, whether it’s a natural disaster, a cyber attack or a financial crisis,” says McChrystal. “You have to communicate clearly. You have to have a solid narrative and align your organization on it. You have to overcome inertia and act. You need to act at the right time. You need to avoid blind spots with diversity and overcome your biases. You have to tie all that together with leadership. So, about 80 percent of what you do are basics, and then you add in those things that are unique to that particular threat, whether you’re dealing with a flood or a cyber attack.”
So, what are the elements, and how do they work together? We asked McChrystal to help us understand the essentials of a healthy—or compromised—Risk Immune System.
Central to everything is the ability to communicate—which requires four things: working physical infrastructure, a willingness to pass along information or engage in communication, a high-quality message that is accurate and not misleading and a respondent who is willing or able to listen and digest the message.
If any one of these areas is deficient in your organization, due to anything from broken technology to office politics, then you’ll have a tough time in the face of any unexpected challenge. Because, McChrystal argues, whether you’re in combat or business, everything is dependent on the ability to communicate effectively.
“There’s no problem in communication that gets fixed and stays fixed,” he says. “So the first thing you have to do is understand that there are all these bad communication habits and pitfalls. You’ve got to establish communications, you’ve got to put test communications through it, you have to exercise it, you’ve got to determine that it’s working.”
While running the U.S. Army’s elite Ranger Regiment as a colonel, for example, McChrystal would test how well communication was functioning by putting out policies and then asking privates in the regiment to explain them.
“They’d go, ‘Sir, why do we have to wear our underwear on our heads?’ And I’d go, ‘What are you talking about?’ And they’d go, ‘We were told.’ You find out that by the time it got to them that it was just absurdly incorrect, and yet, they go, ‘Okay. The boss said X.’ So you have to constantly check that.”
He suggests every leader find ways to analyze how well their organization is faring when it comes to the four key points of communication failure. “You have to have feedback loops that do that. You have to force people to understand that they are responsible for the flow of information, that if you have information, you are responsible to make sure other people get it. It’s not their responsibility to ask for information that they don’t know exists.”
An often-overlooked part of building resilient teams is the story your organization tells about itself. “The narrative is extraordinarily powerful because it drives what we try to do, what we try to be, how we self-identify,” says McChrystal. “It’s got to do with inspiration and cohesion. If we have a narrative that we believe we are a band of brothers doing something honorable and bravely, we just perform differently.”
A great example, says McChrystal, is the Marine Corps motto, Semper Fidelis—always faithful—an idea drummed into each Marine from the day they join up, giving them a shorthand for what’s expected in that culture. Google had an equally potent motto—Don’t Be Evil—at the core of its culture for years, but, says McChrystal, they ran into trouble when many in the organization felt the company’s dealings with the Pentagon betrayed this ideal.
“It was perceived to be at odds with Google’s stated values, and, therefore, people became cynical,” says McChrystal. “They said, ‘You said don’t be evil, but you don’t really believe that.’ How many times do we see a gap between our narrative and then what we actually do?”
McChrystal counsels working deliberately and continually on honing the story you tell about yourselves to yourselves—and keeping an eye out for signs it is failing, such as cynicism, the “say-do gap” that hurt Google, muddled priorities and tensions that can undermine confidence. While the right narrative can create a potent ethos to tackle challenges, “when our narrative is misaligned to our purpose, values or strategy,” McChrystal writes, “We invite risk into our organization.”
“Structure gives us predictability,” says McChrystal. “It gives us a sense of stability. If you’ve got structure in an organization, when something is happening in crisis, you know where to go because the structure is clear…so you can focus on the emerging problem at hand. Structure really helps with that.”
That means everyone has clarity about the key elements that help us understand our place and role in the organization: What’s my job? Where do I go? Who’s my boss? What are their expectations? How is success measured? What are the procedures we follow?
“One of the principles of counterterrorism is always go after key individuals in the enemy’s network and take them out to try to disrupt their structure,” says McChrystal. “We’re vulnerable the same way.”
Of course, the wrong structure can slow decision-making, create rigidity and thwart cooperation. And if it changes too quickly—watch out for restructuring for restructuring’s sake—it can be “very destabilizing,” says McChrystal.
Signs that your structure isn’t working? Unclear roles and responsibilities, duplicated efforts, slow communication and very long chains of approval, i.e., “your boss’s boss’s boss” must sign off on things, as the book puts it. Ask yourself this key question all the time: Does our structure make sense for what we’re trying to do and for the environment in which we’re operating?
Like many of the other Risk Control Factors, technology is a double-edged sword. McChrystal is a self-admitted early adopter, buying his own $4,800 Radio Shack computer back in 1982 to help him better organize and run a platoon. But he’s come to realize that every upside associated with technology in our organizations also creates a substantial chance to increase—rather than decrease—risk.
“For every advantage or strength it provides, it provides a corresponding weakness,” he says. “If you have something that provides a perfect service to do this function, now you’ve got a weakness, because you probably no longer maintain the ability to do it without that technology. If that technology breaks or is attacked, then suddenly, you’ve got a vulnerability—that function is at risk.”
He’s not talking just about cybercrime. As a director at JetBlue, McChrystal learned how computer-driven scheduling could go haywire, with system-wide failures cascading through the company after an unexpected snowstorm pushed crews and aircraft out of position. More recently, the failure of many manufacturers’ supply chains over the past year came as a result of their deep reliance on just-in-time delivery. “We are the most connected society in history, and, therefore, we are now the most vulnerable,” says McChrystal.
Do you fully understand where and how your organization incorporates technology? To what extent do you rely on automated processes? Who oversees them? Where is your technology vulnerable to malfunction, interruption or outside manipulation? And, increasingly, how do humans interact with all this—where have you substituted algorithms for human judgment?
“You have to do an assessment of every part of your organization where functions occur,” he says. “How do we pay people? How do we account for people? And you’ve got to figure out, therefore, what’s our weakness in that? Where can that go badly?” Doing so will not only help you understand your weaknesses and thus potentially mitigate risk, but it will also help you get a much deeper understanding of how your company actually functions—and how it might be improved.
In Risk, McChrystal makes a powerful—and pragmatic—case for building diversity into all levels of your organization. He absolutely subscribes to the idea that bringing in a more robust mix of race and gender is the morally right thing to do in our society, but there’s a more practical reason for doing so: Mitigating the deadly risk of groupthink.
“Diversity is different experiences and perspectives and getting people who actually see the problem in a different way so that you cover the waterfront as effectively as you can,” says McChrystal, “which means that first you’ve got to assemble those different perspectives, and then you’ve got to give voice to them. You can’t just assemble them all in the room and if you’ve got too-big personalities, you do all the talk, and then the other people that are in the room don’t feel empowered to say anything. You’re not going to get diversity out of it. The key is you’re trying to eliminate blind spots, you’re trying to make sure that you don’t get surprised where you don’t need to be.”
Building the kind of culture where lots of people feel accepted and empowered to speak up can be tricky. McChrystal learned a tip years ago from his boss at the Army’s storied 82nd Airborne Division. He told McChrystal to disagree with him publicly—even if he didn’t actually disagree with him. “He goes, ‘I want you to do that because that’s going to make it okay for other people to do that,’” recalls McChrystal. “And he was very intentional about that.”
Diversity also helps us see the filters through which we, and our organizations, see the world—many of which, psychologists will tell you, may simply be inescapable facets of human behavior. Bias is a hall of mirrors where we often see what we want to see, and, as McChrystal says, “buy what we want to buy.”
“In Afghanistan, when I commanded, I requested additional forces from President Obama, got them, and we went forward,” remembers McChrystal. “But part of that was based upon an assessment that we could do certain things. One of those was improve the performance of the Government of Afghanistan. Now, we could improve security. We knew we could, and we did. We could do some economic things. But improving the performance, decreasing the corruption of the Government of Afghanistan was more of a Hail Mary.
“I thought we could do it. When I look back now, I say, ‘If I had been harder on myself, if people had been harder doubting that, it certainly was in question.’ It’s one of those things where I would have been hard put to convince people that it was 85 percent probability of going through it.”
His takeaway from the experience: It’s unlikely you’ll be able to eliminate your—or your company’s—biases. But you can and should be able to identify some of them before you act. Activities such as doing an “assumptions check” and “Red Teaming” can help (see sidebar, p. 35). But building more diversity and inviting a culture where speaking up is prized are essential tools for combating bias and the risk it poses.
You’d think this would be an easy one for most CEOs—after all, who doesn’t see themselves as a can-do, move-the-needle leader? McChrystal’s experience in both the army and private industry has shown the opposite to be true. “Every CEO says they’re an action person, and it’s absolutely foolishness,” he says. “The average one does not want to act at all, because there’s personal risk in acting. If an organizational leader takes the organization in an uncharted direction and it goes badly, they’re screwed.”
This feeds into every organization’s natural inclination toward maintaining the status quo. “There are always constituencies for the inertia,” he says, which makes us vulnerable to all kinds of risks. “It makes us vulnerable for rationalizing that we are doing something, that we are addressing vulnerabilities or even addressing an emerging threat, when we, in fact, are not doing that.”
Symptoms of inaction include slow reaction time to trends, missed chances, contradictory efforts among teams, falling behind competitors and analysis paralysis. Watch out for all of these, says McChrystal—but especially your own bias for inaction.
You can do everything right but do it at the wrong time—and fail. Or you can do a lot of things wrong, but at exactly the right time—and win. That’s why, for McChrystal, it’s essential to build in systems that help you make decisions and move at a time scale that increases—not decreases—chances for success.
Jeff Bezos is a master at this, says McChrystal. As CEO of Amazon, he would spend tons of time doing due diligence and deliberating on decisions that would decide the future of the company. But other kinds of decisions? Not so much. He’d push people deep within the organization to make those decisions quickly, with very limited information—and zero input from the top. He was more afraid of standing still than getting minor things wrong.
“Bureaucratically, it’s easier for leaders to wait until the tsunami has hit because then you get this groundswell, ‘Hey, we gotta go do something,’” says McChrystal. “Well, of course we do. But how much cheaper would it have been if we’d done it before? And that’s what leadership is about.”
Simply put, writes McChrystal, adaptability determines “who survives and who doesn’t.” It leans on all the other Risk Control Factors and has similar flaws. “The problem with leaders here is that it is safer not to adapt, because you’re doing something you’re already doing and theoretically people have already approved that, or people before you have done this 1,000 times before. So, nobody’s going to get fired for doing what their boss did when they were in their job.”
Clues that your organization may be exacerbating risks by being inflexible include lagging behind competitors, being “frozen” by fears of failing, doubling down on approaches that have worked in the past even when circumstances change, an inability to innovate and a sense of surprise at what rivals bring to market.
Pay particular attention to any part of your systems that may restrict your ability to adapt to change, starting with an unceasing preoccupation with efficiency. “Maximum efficiency is usually very brittle,” McChrystal says. “Adaptability means you’ve got the ability to respond to things, which usually means you’ve got to have some flexibility in the system. You’ve got to have the opportunity to adapt.”
LEADERSHIP: THE ESSENTIAL INGREDIENT
In the early days of 2020, Boston Mayor Marty Walsh saw Covid arrive in America and, like most of us, was not too concerned. When an infected student arrived in Boston from Wuhan, China, he was quickly isolated. McChrystal, who helped the mayor’s response team and tells the story in the book, reports that Walsh was hopeful Covid might be contained there.
When the virus flared in early March, Walsh knew he’d misjudged the situation. The president of the Boston Fed warned him that Covid might mean shuttering schools and businesses soon, as well as cancelling key public events like the Boston Marathon and St. Patrick’s Day—political suicide in Boston. Others in the local scientific and medical community concurred.
Walsh and his team were as stunned as thousands of other public officials across the country, but what they did next was very different—and ultimately made a world of difference to the people of Boston and the surrounding area. The mayor listened, and then he acted—quickly.
“He put together this daily crisis response meeting,” says McChrystal. “It was really magic.”
On video screens run out of City Hall, Walsh and his chief of staff, Kathryn Burton, would bring together an eclectic gathering of stakeholders—not just the city government, but others, like bankers, hospital administrators and private school leaders.
Each day, they’d figure out what needed to be accomplished over the next day or few days, and by whom. They’d then start each meeting by going around and finding out the status of each assignment. Day after day after day, doing the nuts-and-bolts work of keeping a city of 600,000 people operating and safe through one of the most disastrous episodes in U.S. history.
“Marty was masterful at keeping everybody focused and inspired on this,” says McChrystal, who helped structure the setup. “So as a consequence, instead of a bunch of different organizations pulling in different directions, there was a sense that we’re all solving this problem together, and we’re all getting ground truth every day. It was really impressive. He was willing to make tough decisions, which people knew were politically dangerous. And so I give him extraordinarily high marks for it.”
So far, Boston has fared far better than many similar-size metro areas in the country. Walsh was named U.S. Secretary of Labor by President Biden soon after his election.
Walsh’s performance serves as a stark counterpoint to the lessons of Crimson Contagion—and also a reminder of how essential leaders and leadership are to making our organizations stronger and more resilient in the face of risk. It isn’t about charisma or scrambling or pep talks in the face of disaster. It’s about staying focused on the key processes that actually make organizations stronger. That’s the big takeaway from McChrystal’s work—as unsexy, perhaps, as it is vital.
“We tend to look for leaders to provide something few ever really could—salvation from the things that threaten us,” McChrystal writes in Risk. “But the more constructive analysis would be to acknowledge that the real requirement in the people who lead us is not that status, but actual leadership, or the ability to effectively oversee the multidimensional Risk Control Factors—to turn the dials, so to speak—to enable the Risk Immune System to operate successfully.” And help guide our people through whatever comes their way.