The BP oil spill disaster exposed serious shortcomings in both technology and regulation, but the biggest culprit is a catastrophic failure of enterprise risk management.
The job of a risk manager is to hope for the best, but be prepared for the worst. That means putting emergency response systems in place to cope with a worst-case scenario.
It's hard to imagine a scenario any worse than this. An offshore oil rig explodes, killing 11 workers. The rig collapses. Oil keeps gushing from a deep-sea well, threatening the Gulf Coast, Florida Keys and perhaps even the Eastern Seaboard.
One makeshift solution after another is attempted, with BP officials offering no guarantees–essentially keeping their fingers crossed. The situation remains out of control and the damage substantial–environmental, economic and political.
Where was the risk management department in this mess? Where were the fail-safe systems? Why does it feel as if BP is making up its response as it goes along?
Most important, how can we make sure something like this never happens again? And what can risk managers in other organizations learn from BP's mistakes?
BP officials defended the company's risk management preparation in a May 10 Wall Street Journal article (http://bit.ly/9c1OCC).
"You have here an unprecedented event. Never before have you seen a blowout at such depth and never before has a blowout preventer failed in this way," according to a company spokesman, Andrew Gowers. "The unthinkable has become thinkable, and the whole industry will be asking searching questions of itself."
The Journal went on to report that "BP's plan, as submitted to the Mineral Management Service, placed exceedingly low probabilities on oil reaching land in the event of a major spill. Even in the case of the worst spill, BP said, there was only a 3 percent chance that oil would come ashore after a month in any part of the Gulf other than Plaquemines, La…."
Did BP shy away from expensive loss control measures because a worst-case scenario was so unlikely? Was this considered an acceptable risk?
I am not ready to throw the BP risk manager under the bus…at least not yet. It's quite possible a more reliable loss prevention system was suggested, but rejected after a cost-benefit analysis. Uncle Sam will no doubt be probing this point.
In the meantime, if we insist on sticking straws into the Earth deep under the ocean to suck out more oil, we need to be better prepared to react if something–especially the worst possible thing–goes wrong.
To start, there needs to be more vigilant, arm's-length regulation to make sure oil companies are better prepared for the worst-case scenario, because so much is at stake, and damage could be irreversible.
That means more accountable risk management, of the enterprise-wide variety.
When I blogged on May 24 about this debacle (at www.NUSamSoapbox.com), most readers raced to defend the risk management department–which, after all, has only as much authority (and budget) as corporate bosses give it.
No matter what the BP risk manager did or didn't do to prepare for this exposure, the buck stops in the C-Suite–the CEO, COO and CFO. That's why ERM is so critical–when implemented correctly, the top dogs can't claim they were unaware of risks within their operations.
In any case, if we're going to play with fire, we had better be prepared to put out the flames before they consume us all.