The presidential commission stated that compliance, the focus of GRC efforts, was not a key cause of the Deepwater Horizon disaster. They concluded instead that it was BP’s lack of governance or an ERM approach to risk management that was the root cause of their failure.
The commission reported that, “BP did not have adequate controls in place to ensure that key decisions in the months leading up to the blow-out were safe or sound from an engineering perspective.”
This report confirms what we have been saying since 2006 in our blogs "BP Oil Pipeline Leak: A Cry for Enterprise Risk Management" and "Don't Let BP's Disaster Happen to You"; in those entries we showed that BP had failed to identify key vendor risks and depended too heavily on quantitative models to make decisions.
Following both incidents, written notifications from employees surfaced that identified critical risks which had not been addressed, and showed that BP lacked a risk management infrastructure capable of reaching front-line managers and prioritizing these unresolved issues.
An oil rig blowout that could cost billions in losses and clean-up is certainly a risk BP can manage; however, it is the gaps between silos (vendor management) and the consequences of those gaps that blindside them in their most critical core competency areas. As long as this blind spot exists, the accidents will continue to occur.
There are far too many controls to spend resources on all of them equally. If BP had been using an ERM approach, they would have identified which controls were managing the riskiest issues and concentrated their resources on those most impactful controls.
GRC solutions miss the point; more money allocated to safety regulations is not going to solve the problem. You can spend all you like on compliance, but it is a waste of time unless you use a risk-based approach to prioritize resources toward the issues that matter most and deliver actual business value.
Here are the top three things that BP should do now:
- Connect vendor risk to business processes based on the impact of their products and services
- Have front-line process owners assess their risks
- Use standards in risk assessment criteria to make priorities comparable across business silos