by Gary Alterson
I’m reading the Chief Counsel’s Report issued by the National Commission on the BP Deepwater Horizon Oil Spill released on February 17th. I’m not finished with the report, but even in the 10 or so pages I’ve read, there’s a treasure trove of “lessons learned” for risk management and GRC professionals.
In addition to detailing the technical decision making errors leading up to the spill, the report highlights several “Overarching Failures of Management” including the following 7 themes:
- Ineffective leadership at critical times
- Ineffective communication and siloed information
- Failure to provide timely procedures
- Poor training and supervision of employees
- Ineffective management and oversight of contractors
- Ineffective use of technology
- Failure to appropriately analyze and appreciate risk
The management failures were essentially risk management failures, or poor risk oversight that resulted in a large tail end event – the oil spill. Some of the key elements identified are symptomatic of issues I’ve observed in the implementation of governance, risk and compliance programs in many organization. These include:
Often times there is an assumed or explicit shared accountability for both the acceptance of risks and decisions made about risk rather than assignment to specific individuals and roles. In the case of the Deepwater Horizon incident, the Chief Council found confusion over who is accountable for critical decisions, information silos between operations and engineering, resulting in a state where there wasn’t a shared view as to who was accountable for important practices associated with safety and a diffusion of personal responsibility. There was no explicit accountability assigned for the completion and quality of risk assessments and no one took full management ownership before the blowout.
Lack of clearly defined communication channels
In many cases, it’s assumed communication will happen or the appropriate relationships will just be built as necessary rather than explicitly defining relationships and processes that facilitate communication. In this case, risks were not clearly communicated by the onshore team to the offshore team performing the drilling. There was inadequate guidance on when additional expertise or escalation was necessary, and lessons learned from near misses were not actively applied to new or similar situations or even proactively promoted to key decision makers.
Gaps in controls and risk oversight
One of the key benefits of a clear risk and compliance governance program is the provision of management oversight and transparency on to the execution of controls and the risk based decision making of the organization. In the case of Deepwater Horizon, the report found “significant gaps” in supervision and oversight. In some cases a single person made critical decisions and performed critical activities without checks – either by supervisors or other companies.
There are lots of lessons to take away from large disasters such as the Deepwater Horizon Oil Spill. Some of the key ones to apply to your GRC program are:
- Clearly and explicitly assign accountability to individuals or individual roles within your organization
- Define clear communication paths and facilitate communication through clear process and procedures
- Build a robust system oversight onto the decisions being made within your organization organization