News concerning BP’s oil spill has made the daily headlines for the last several months. Fortunately, the leaking well has now been successfully sealed, yet experts tell us that the lingering effects of the spread of crude oil over so much land and sea are likely to affect our environment for years. What should concern the US public even more, however, is the possibility that another catastrophic event of the size of the recent one may occur sometime in the not-too-distant future because of the risk management approach that BP’s executive management has by all appearances adopted.

The recent Gulf of Mexico catastrophe is only one of a number of related incidents involving BP’s failure to mitigate operational and safety risks. You may, for instance, have read about the explosion at a BP refinery in Texas in 2005 that resulted in the deaths of 15 workers and injuries to another 170. In 2005 the Occupational Safety and Health Administration (OSHA) ordered BP to pay a fine of $21 million for numerous safety infractions at the refinery. This fine was increased to $50.6 million last year because of BP’s failure to implement safety measures mutually agreed upon by BP and OSHA, and at the same time BP was ordered to set aside at least $500 million more to implement safety and other measures that OSHA has determined are still missing. Labor Secretary Hilda Solis went so far as to say that the amount of these fines parallels “BP’s disregard for workplace safety and shows that we will enforce the law so workers can return home safe at the end of their day.” OSHA has in fact over the years cited BP for many hundreds of safety infractions in Texas and at other locations; recently BP had to pay another $5.9 million for the most recent round of these infractions. Remember, too, the BP oil spill in Prudhoe Bay, Alaska in 2006, which involved over 210,000 US gallons of crude oil. In late 2007, BP Exploration-Alaska pled guilty to negligent discharge of oil in violation of the US Clean Water Act and was ordered to pay a fine of $20 million.

With hate talk about BP being very popular nowadays, you might think that I am just following suit, but I really am not. My focus is instead on enterprise governance within BP (or the apparent lack thereof). BP’s executive management must have an incredibly high level of risk tolerance. BP’s goal ostensibly is to bring in the money, lots of it, without adequately dealing with a variety of serious operational and safety-related risks. When catastrophic events occur, BP then uses legal maneuvers, blames its contractors and affiliates to reduce the PR damage, and deploys other tricks in an attempt to reduce legal and regulatory liability and other negative consequences. For all practical purposes BP was caught completely off guard when the Gulf well blew up; apparently BP’s executive management felt that the probability of this or any other well blowing up in the fashion that it did was so small that it did not justify the cost involved in meeting safety standards and in creating and testing a disaster recovery plan. When forced to appear before a Congressional committee investigating the oil spill, the then president of BP attempted to put the blame on the contractor who supplied the drilling rig equipment. Hmmm, the BP risk management modus operandi should by now be very apparent.

Is BP’s executive management stupid? Although there may be ethical issues within this team, on the surface it appears to be anything but stupid. So far BP has had to pay a total of less than $600 million in fines over the years, but in the first quarter of this year this company was making $93 million each day. The cost of mitigating a risk should never exceed the expected loss from that risk, that is, its likelihood multiplied by its impact. Face the facts: BP’s executive management has ostensibly weighed the costs against the risks and has decided that risk mitigation is too costly. So BP operations continue without adequate concern for the safety of its workers or for the welfare of those who are unfortunate enough to live close enough to BP oil rigs and refineries to be affected by each catastrophic incident.

BUT: BP’s executive management may have failed to consider a very pertinent and serious risk, stock price devaluation. The price of BP stock has plummeted since the Gulf oil spill. Perhaps it is thus time for BP’s executive management team to rethink its risk management strategy.

So what does all this have to do with information security? As I have said before, if an organization has little or no enterprise governance, it is nearly impossible for an information security program to achieve high levels of governance. If BP’s executive management tolerates the amount of risk that it does, and if safety and the welfare of the public are of little or no consideration within executive ranks, then whoever the CISO of BP is must not be getting far in managing information security-related risk. Support from executive management is critical in obtaining the authority and resources needed to manage security-related risk to a truly acceptable level. I wish the BP CISO lots of luck, but it might be a good time for this person to update his or her résumé.

