In advance of the much anticipated full report due on January 11th from the National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling, a chapter was recently released outlining some key findings that are relevant not only to the oil industry but also every other enterprise.
Low + Low = High
“The well blew out because a number of separate risk factors, oversights, and outright mistakes combined to overwhelm the safeguards meant to prevent just such an event from happening.”
This was not a black swan. Every organization involved had a developed Risk Management Program for the sole purpose of preventing this exact, known event. Perhaps the likelihood was miscalculated, but the impact was surely known.
What adjustments can be made to be better prepared in the future? 1) Ensure layers of controls are implemented and tested for known risks. 2) Do not underestimate or ignore low-risk vulnerabilities; it does not take many of them in aggregate to result in catastrophe.
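To make "Low + Low = High" concrete, here is a small added example (not from the commission report or this post) that aggregates a constructed risk register of ten findings, each rated Low on its own, and contrasts that with a chain of independent safeguard layers. The register entries, the rating thresholds in `rate`, and the `common_cause` parameter are assumptions for illustration.

```python
from math import prod

# Constructed sample risk register (not from the report): each entry is
# (finding, annual likelihood of exploitation, impact in arbitrary cost units).
# Every one of these would be rated "Low" on its own.
REGISTER = [
    ("unpatched internal web app", 0.05, 40),
    ("shared service account", 0.05, 40),
    ("stale firewall rule", 0.05, 40),
    ("missing log review", 0.05, 40),
    ("weak password policy on jump host", 0.05, 40),
    ("unmonitored vendor VPN", 0.05, 40),
    ("untested backup restore", 0.05, 40),
    ("expired TLS cert on admin portal", 0.05, 40),
    ("no MFA on legacy system", 0.05, 40),
    ("alert fatigue in SOC", 0.05, 40),
]


def rate(likelihood):
    """Assumed rating thresholds on likelihood; real programs define their own."""
    if likelihood < 0.10:
        return "Low"
    if likelihood < 0.30:
        return "Medium"
    return "High"


def any_occurs(likelihoods):
    """P(at least one event happens), treating the events as independent."""
    return 1.0 - prod(1.0 - p for p in likelihoods)


def aggregate_rating(register):
    """Rate the register as a whole: ten 'Low' findings do not stay 'Low'."""
    return rate(any_occurs(p for _, p, _ in register))


def expected_loss(register):
    """Annualised expected loss: sum of likelihood x impact over the register."""
    return sum(p * impact for _, p, impact in register)


def all_layers_fail(layer_failure_probs, common_cause=0.0):
    """P(a chain of safeguards all fail).

    Independent layers multiply, so three layers that each fail 10% of the
    time fail together only 0.1% of the time. common_cause (assumed) is the
    probability that one shared cause, such as a decision to bypass controls,
    defeats every layer at once; it puts a floor under the combined number
    that adding more layers cannot remove.
    """
    independent = prod(layer_failure_probs)
    return common_cause + (1.0 - common_cause) * independent


if __name__ == "__main__":
    for name, p, _ in REGISTER:
        print(f"{name:40s} {p:.2f} {rate(p)}")
    print("aggregate likelihood:", round(any_occurs(p for _, p, _ in REGISTER), 3))
    print("aggregate rating:    ", aggregate_rating(REGISTER))
    print("expected loss:       ", expected_loss(REGISTER))
    print("3 independent layers:", all_layers_fail([0.1, 0.1, 0.1]))
    print("same, common cause 2%:", round(all_layers_fail([0.1, 0.1, 0.1], 0.02), 5))
```

Run as-is: the ten individually Low findings aggregate to roughly a 40% annual likelihood that at least one is exploited, which the assumed thresholds rate High. The layered-control figures show why point 1 above matters, and the `common_cause` floor shows why layers must be genuinely independent rather than all bypassable by the same management decision.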
Risk Management Starts with Objective Accountability
“… most of the mistakes and oversights at Macondo can be traced back to a single overarching failure—a failure of management.”
While the management of risks requires awareness and execution at all levels of your organization, it starts at the top with accountability. Until accountability has been assigned to an individual who is not also incentivized to bypass safeguards for the bottom line, unnecessary risk will exist. This is why every regulated industry, including Healthcare, Finance, Energy, Retail, etc., has standards (HIPAA, FFIEC, NERC CIP, PCI, etc.) requiring formal management responsibility for the organization’s Security Program. Who is accountable in your organization?
Regulatory Oversight and Technical Expertise
“… the Macondo blowout was the product of several individual missteps and oversights by BP, Halliburton, and Transocean, which government regulators lacked the authority, the necessary resources, and the technical expertise to prevent.”
There is a need for regulatory oversight. But the regulators are not leading technical innovation within your industry; they are just trying to keep up with it. Regulators are relying on companies within each industry to provide them with the capabilities and information to prevent another Gulf oil spill or healthcare data breach. What are you doing to help your regulators ensure you are in control of your risk?