The financial and reputational freefall that Eli Lilly experienced in the first few weeks of Musk’s tenure as Twitter chief illustrated an underappreciated factor in an organization’s level of vulnerability: validity. Companies need a risk model that includes the key elements of vulnerability — and that helps them take precautions, set up checkpoints and plan for contingencies.
A couple weeks ago, all was calm on the Twitter front. Big companies were spending millions both advertising on the platform and interacting with consumers there. All that changed overnight: A fake Twitter post drove both Eli Lilly’s and Lockheed Martin’s stock down by billions of dollars. What happened? How does this episode illustrate shortcomings in the way the vast majority of companies think about their vulnerability?
What happened is straightforward enough: New Twitter owner Elon Musk changed the way Twitter accounts were “verified.” Previously, the system required someone who said they were speaking for Eli Lilly to prove their bona fides. That done, their account displayed a blue verification checkmark, assuring others that the account could be trusted — that something appearing to be an announcement from Eli Lilly, for example, actually was.
Musk changed the system so that literally anyone could receive that blue checkmark, just by paying $8 a month. Suddenly, any clown, troll, competitor, ten-year-old, foreign actor or company malcontent with eight bucks in their pocket could speak for Eli Lilly — and be believed (unsurprisingly, Musk suspended the new policy just two days later). So, when somebody in one of those categories — with an account sporting a blue checkmark — said the company was about to give away a product (insulin) bringing in hundreds of millions annually, chaos ensued.
Lilly’s share price crashed, billions in market cap were vaporized, and the pharmaceutical giant was in a terrible public-relations position. It did not help matters that the verified-but-fake account later issued a brutally insensitive ‘apology’ to hoodwinked investors and insulin users on the company’s behalf.
What Lilly experienced was an example of one of the underappreciated elements that determine an organization’s level of vulnerability: validity. With Russian bots masquerading as American patriots, millions steeped in ‘facts’ that are really fiction, spammers and scammers purporting to be from banks or governments, and deniers casting doubt on climate science and using disinformation to increase opposition to clean energy projects, it should be clear that validity is a critical chunk of vulnerability in almost every arena.
And yet, a detailed framework for understanding vulnerability isn’t nearly widespread enough. Frameworks matter: They keep the essentials, however obscure, in the corporate frontal lobe. If validity, for example, is simply an intuitive concern, then something like Twitter’s verification policy change — an obvious red flag — will merely set off some individual alarm bells.
But if validity had been part of a clear, institutional vulnerability framework that was regularly examined and updated, Musk’s validity tinkering would have set off swift, coordinated actions: Perhaps Lilly’s communications department would have alerted its network to be on the lookout for fake news, and to only believe announcements from the real account. Maybe Lilly could have put out preemptive press releases, gotten its rapid response team into the starting blocks, warned Wall Street to be ready for “verified” account shenanigans or posted notices on all the company’s other social-media platforms.
Would this have averted Lilly’s stock crash? Possibly not, given how quickly it happened. But an awareness that validity issues might occur, and their potential impact, might have at least blunted the damage.
Major factors that can affect vulnerability are worth recognizing and planning for. To that end, Valutus uses such a framework — which we call the V Model — to help identify key forces that can affect a company’s vulnerability:
…and, of course
For example, the more variability there is in both external conditions and demand, the higher the vulnerability. Ditto for volume, as vulnerability rises along with the volume of resources you need. (For example, what happens when you need a lot of lithium and its price increases tenfold?)
Velocity is just that: The world moves fast, and you must also. You can’t outrun climate change or shifts in what people care about; but you might be able to outrun your competitors and win the race to adapt. Companies are also vulnerable to disruptions because of increased variety — the greater the variety of products made and inputs required, the greater the number of potential failure points.
Visibility is a kind of insurance against social, environmental and commercial risks that are growing in importance. Bringing to light your company’s values around caring for the world and those who live in it increases the visibility of these risks, thus improving your foresight. And vitality addresses one cause of the difference between theory and reality: awareness of right action, but failure to do it — the business version of someone knowing they should eat less and exercise more, but not doing that.
As for validity, we now know for certain what we knew intuitively before: Validity should be in all models of risk vulnerability. The V Model makes it clear that Musk’s incompetence at Twitter is not a one-off; the business world is now bristling with threats, even more than it was before. Organizations need a risk model that includes the key elements of vulnerability — and that helps them to take precautions, set up checkpoints and plan for contingencies.
This world is one of unimaginable complexity. Businesses need to understand the types of vulnerabilities they face, or they will be surprised by events and harmed by the consequences. In a world where sources of vulnerability are frequently hidden — and increasing every day — a better framework is an invaluable ally.
Adapted from Daniel Aronson’s forthcoming book, The Value of Values, available fall 2023 from MIT Press.