About Us
Site Map
PMP® Certification
PM Tips & Tricks
PM Tools & Techniques
Contact Us



This page is devoted to news, tips, and any other information the Project Management community may find useful or interesting.

Monitoring Risks

Monitoring Risk

I don't like to pick on BP, but when a disaster as large as the Gulf Oil Spill happens we should learn all we can from it. The latest news in this saga comes from a report released late Tuesday, November 16, 2010 that questions the risk management efforts put forth by BP and their sub-contractors. BP and their sub-contractors were not the only organization to be criticized. The report also criticized the U.S. Minerals Management Service and other regulatory agencies. The report was released by National Academy of Engineering and National Research Council and in it the independent panel cites a failure to learn from several near misses as evidence of a lack of risk management. It should be noted that this is only an interim report and a full report will be released by the council when they have concluded their investigation.

The report is critical of BP and its sub-contractors for making bad decisions which could have been better informed if the probability of certain risk events had been properly estimated. They were critical of the oversight agencies for not questioning the decisions. One example was the decision to continue abandonment operations despite several tests that indicated the cement used to plug the well,  put in place after the installation of a long-string production casing, was not an effective barrier to prevent gases from entering the well. The test results were accepted by the folks on sight as satisfactory but subsequent examination of the results by experts working on the investigation show that the results were not satisfactory and did not support the decision to proceed. There were also more general criticisms of the players such as the lack of a systems approach to integrate the multiple factors impacting well safety, to monitor the overall margins of safety, and to assess various decisions from a well integrity and safety perspective. The council called several other decisions about the cementing process into question, including attempting to cement across multiple hydrocarbon and brine zones in the deepest part of the well in a single operational step. The council felt that this approach made a hydraulic fracture in a low-pressure zone more likely.

BP lost drilling materials deep in the hole about a month prior to the disaster but did not use this as an opportunity to recalibrate their risk information, or identify new mitigation strategies. The risk event that should have been avoided was the failure of the blowout preventer which was designed to prevent leakage from the capped well, as the name would suggest. There could be any number of root causes for the blowout, including the type of cement chosen for the plug and the amount of time allowed for the cement to cure. The loss of the oil rig, blowout preventer, witnesses (11 of the crew died in the accident), and much documentation deny the investigation information that would help them identify causes so it is unlikely that the root cause will be found with any degree of accuracy. Failing that, the investigation seems to be focusing on failures in BP's risk management.

It will be impossible to determine whether the desire to maximize profits played any role in BP's decisions, and how much they influenced them, if they did. Rather than make assumptions, let's look at the lessons it can teach risk managers. The first lesson I'd like to point out is that risk management is a cyclical activity. You can't just identify and analyze risks at the outset of the project, or project phase, and then put your risk register away. Risk management activities have to be performed repeatedly throughout the lifecycle of the project if your goal is to avoid derailment of the project due to a missed or unmitigated risk event. There are some obvious points that call for a review of the risk register, such as at the end or beginning of each phase. There are less obvious ones such as when a change is introduced to the project plans, even a minor change. Your risk management and change management processes should be tightly integrated such that no change is introduced to the project which has not been thoroughly analyzed for new risks, or impact on existing ones.

Another less obvious point is when a corrective or preventive action is necessary. These actions should be treated as changes to the project plan, after all they are just that, even if they are introduced by the project manager. Analyze your action for the introduction of new risks or an impact on existing ones. Only when you are satisfied that risks have been properly dealt with should you take the proposed action. The occurrence of a risk event is another point for review. Was the risk event identified? If it was identified and mitigated, what went wrong with the mitigation strategy? Does the failure of this particular strategy indicate that there are other strategies which may fail? In BP's case there were a number of strategies that failed without causing a review of their risk management plan.

The simple passage of time is another cause for review. As time passes, work is completed and as work is completed, more is learned about that work and similar work. The information accumulated could bring about improved mitigation strategies for work to be done in the future. Even without the additional information, the passage of time affects risk. Think of a risk event that would prevent you from taking a flight you have booked. 3 months before the flight, the impact of this risk event is slight. Canceling the flight will usually not incur any penalties. If that exact same risk event were to occur the night before the flight, the damages could be significant, up to the forfeit of the price of your ticket. That's why they sell flight insurance. Check the risks in your register for the impact of the proximity of the milestone they apply to and adjust your mitigation strategy if the proximity elevates the impact to an unacceptable level.

Lastly, analyze your most significant risks for quantitative impact. This analysis usually quantifies the risk event in terms of money. If the risk event were to happen, the cost would be $X. The value of this exercise is its effectiveness at putting the risk into perspective against the goals and objectives of the project. I guarantee that if BP had done this analysis on the risks around that well, they would have taken a different approach to managing the risks.

Effective risk management is all about residual risk. Residual risk is the amount of risk remaining after a mitigation strategy has been implemented. All the risks in the project should be managed so that risk is below the organization's risk appetite. Acceptable risks should score less than that threshold with mitigation. Mitigated risks should be re-evaluated after the mitigation strategy has been implemented. The new score should be less than the threshold.

Login or Sign up to post comments.