Enterprise risk management lessons from the BP Deepwater Horizon catastrophe

Every large organization can learn from the ongoing Deepwater Horizon disaster says Geary W. Sikich.

The BP Deepwater Horizon catastrophe casts a shadow reflecting on all oil company CEOs and senior executives, not just BP’s Tony Hayward. It also provides lessons that every large organization can learn. While CEO Tony Hayward and COO Doug Suttles will suffer the brunt of criticism and subsequent consequences, all enterprise board members should see this as a wake-up call.

Ability to identify and manage risk

Risk: business leaders know it exists. However, companies often aren't taking a holistic approach to assessing and managing their risk exposures. Disruption happens. Natural disasters, technology disasters and manmade disasters happen. Oil companies entered the deep waters of the gulf armed with technology that works and generally works well. How did technology fail them? The failure is not in the technology; it is in the unanticipated difficulties that are encountered when drilling at depths that are relatively unfamiliar to the industry.

Could a technology breakthrough have changed what occurred to the Deepwater Horizon? Will there be a shift in consumer demand or a rise, or fall, in the price of oil that affects critical markets? Any of these can rewrite the future of a company – or a whole industry. If you haven't faced this moment, you may soon. It's time that executives change the way they think about enterprise risk management, continuity of business operations and the way they run their businesses.

Because a splintered approach to enterprise risk management has been the norm, with silos of risk management within organizations, the result has been that risk is often poorly defined and buffering the organization from risk realization is, pardon the pun, risky at best. Taking enterprise risk management on with a truly integrated head-on approach is necessary.

Enterprise risk management (ERM) is defined by many different groups in a variety of ways. Each group has a vested interest in their view of what ERM constitutes. Risk and non-risk management professionals are so enmeshed in following risk management protocols promulgated by financial and non-financial regulatory and oversight entities that they cannot see risk for what it really is. They get caught in the ‘activity trap’.

Many view ‘mitigation’ as a panacea, thinking that, once mitigated, risk does not have to be worried about. This false premise creates a reaction time gap. Practitioners can only hope that they are buying their enterprises sufficient reaction time, when in fact, they should be asking, “How much reaction time are we losing because our ERM program is fragmented and fails to understand risk throughout the enterprise?”

The greatest failure of most enterprise risk management programs is that they cannot de-center. That is, they cannot see the risk from different perspectives internally or externally. Poor or no situation awareness generates a lack of expectancies, resulting in inadequate preparation for the future.

Corporate governance, enterprise risk management and compliance

Corporate governance has traditionally defined the ways that a firm safeguards the interests of its financiers (investors, lenders, and creditors). Governance provides a framework of rules and practices for a board of directors to ensure accountability, fairness and transparency in a firm's relationship with all stakeholders (financiers, customers, management, employees, government and the community).

The governance framework generally consists of three elements: first, explicit and implicit contracts between the firm and the stakeholders for distribution of responsibilities, rights and rewards; second, procedures for reconciling the sometimes conflicting interests of stakeholders in accordance with their duties, privileges, and roles; and third, procedures for proper supervision, control, and information flows to serve as a system of checks and balances.

The failure to identify and manage the risks present in the energy industry will have a cascade effect, creating reputational damage (either real and/or perceived). The oil industry is faced with several issues that are transparent to many. A heavy dependence on performing processes that become activity traps creates an inability to change and/or even recognize the need for change. In his book entitled, ‘Management and the Activity Trap,’ George Odiorne concludes that activity traps are created when:

  • Processes and procedures are developed to achieve an objective (usually in support of a strategic objective).
  • Over time goals and objectives change to reflect changes in the market and new opportunities. However, the processes and procedures continue on.
  • Eventually, procedures become a goal in themselves – doing an activity for the sake of the activity rather than what it accomplishes.

W. Edwards Deming created 14 principles for management. Deming recognized the folly in working for the sake of procedure rather than finding the goal and making every effort to achieve it. We know now what to measure, we know the current performance and we have discovered some problem areas. Now we have to understand why problems are generated, and what the causes for these problems are; however, as I stated in a speech given in 2003, “because we are asking the wrong questions precisely, we are getting the wrong answers precisely; and as a result we are creating false positives.”

Nassim Taleb, author of the best seller, ‘The Black Swan: The Impact of the Highly Improbable,’ has stated that “we lack knowledge when it comes to rare events with serious consequences. The effect of a single observation, event or element plays a disproportionate role in decision-making creating estimation errors when projecting the severity of the consequences of the event. The depth of consequence and the breadth of consequence are underestimated resulting in surprise at the impact of the event.”

While BP is an easy target for those who see risk as something that can be eliminated, it is far from clear that BP’s risk management framework, to the extent it is evidenced in public documents, is any different from other oil companies; and from many other large organizations across the globe.

The oil industry is faced with risk issues that go well beyond fraudulent financial reporting. Greater recognition that operational risks can be the root cause of corporate failure is now becoming apparent. BP is not alone in its failure in the gulf. Toyota, Ford, Firestone, PDVSA (Venezuela’s State Oil Company), all have given us horrible examples of operational failure. While these have been less tragic than the gulf spill, more are certain to come.

The oil and gas business is inherently risky. Tony Hayward’s recent statement in BP’s annual report (2009) reflects the recognition of risk:

“Risk remains a key issue for every business, but at BP it is fundamental to what we do. We operate at the frontiers of the energy industry, in an environment where attitude to risk is key. The countries we work in, the technical and physical challenges we take on and the investments we make – these all demand a sharp focus on how we manage risk.”

In spite of all its efforts to manage risk, BP has more than its share of operational incidents from the explosion at its Texas City refinery to the temporary shut-down of Prudhoe Bay production. Is BP just unlucky? Or has the oil industry become susceptible to the activity trap by relying on generally accepted risk management practices that may not work in today’s environment? What seems abundantly clear is that there is a large and ever growing gap in the ability of large global corporations to identify, alter and manage operational risks.

While the boards of directors of most companies correctly place reliance on assurance providers and executives, it is increasingly clear that it may not be possible to audit our way to better operational risk. A new model of enterprise risk management is essential. And, while risk management technology may be available, dependence on its output should never become the cornerstone of enterprise risk management.

Some final thoughts:

  • If your organization is content with reacting to events it may not fare well;
  • Innovative, aggressive thinking is one key to surviving;
  • Recognition that theory is limited in usefulness is a key driving force;
  • Strategically nimble organizations will benefit;
  • Constantly question assumptions about what is ‘normal’.

Lord John Browne, former Group Chief Executive of BP, sums it up well:

“Giving up the illusion that you can predict the future is a very liberating moment. All you can do is give yourself the capacity to respond to the only certainty in life - which is uncertainty. The creation of that capability is the purpose of strategy.”

In a crisis you get one chance – your first and last. Being lucky does not mean that you are good. You may manage threats for a while. However, luck runs out eventually and panic, chaos and confusion set in, eventually leading to collapse.

How you decide to respond is what separates the leaders from the left behind. Today's smartest executives know that disruption is constant and inevitable. They've learned to absorb the shockwaves that change brings and can use that energy to transform their companies and their careers.

About the author

Geary Sikich is a Principal with Logical Management Systems, Corp., a consulting and executive education firm with a focus on enterprise risk management and issues analysis; the firm's web site is www.logicalmanagement.com. Geary is also engaged in the development and financing of private placement offerings in the alternative energy sector (biofuels, etc.), multi-media entertainment and advertising technology, and food products. Geary developed LMSCARVER, the ‘Active Analysis’ framework, which directly links key value drivers to operating processes and activities. LMSCARVER provides a framework that enables a progressive approach to business planning, scenario planning, performance assessment and goal setting.

Geary is an Adjunct Professor at Norwich University, where he teaches enterprise risk management (ERM) and contingency planning electives in the MSBC program. He is presently active in executive education, where he has developed and delivered courses in enterprise risk management, contingency planning, performance management and analytics. Geary is a frequent speaker on business continuity issues and business performance management. He is the author of over 195 published articles and four books, his latest being ‘Protecting Your Business in Pandemic,’ published in June 2008 (available on Amazon.com).

Geary is a frequent speaker on high profile continuity issues, having developed and validated over 1,800 plans and conducted over 250 seminars and workshops worldwide for over 100 clients. Geary consults on a regular basis with companies worldwide on business-continuity and crisis management issues.


• Date: 17th June 2010 • Region: US/World • Type: Article • Topic: Operational risk
Copyright 2010 Portal Publishing Ltd