Risk Management Lessons from the Gulf Spill

The National Oil Spill Commission, president Barack Obama's panel investigating the causes of the BP Gulf oil spill, has released its preliminary findings which indicate they do not feel the spill was directly caused by BP, or any of the other companies involved, cutting costs at the expense of safety. This finding runs counter to claims made by some environmental groups which make the case that the spill was caused by cost cutting measures. It is difficult to determine whether BP, or Halliburton, or Transocean, made a conscious decision not to implement safety measures because they would be too costly. The only things we know for certain are that all the players are in the business to make money and that mistakes were made that led to the massive oil spill.

One additional piece of information that has come to light in the course of this investigation is that the blowout preventer which is at the center of the controversy missed an inspection which this equipment is supposed to undergo every 5 years. These inspections are part of a federally regulated certification process. A spokesperson for owner of the equipment, Transocean, stated that the rig was not re-certified because it was being constantly maintained. Inspection of the rig would require that it be brought to the surface and dismantled. Inspection could take up to 3 months, during which time the equipment would not be earning Transocean rentals. Inspection would also mean that any drilling operation the preventer was employed in would be interrupted while the preventer was replaced. It is not clear whether the de-commissioning of this equipment for inspections is a common occurrence elsewhere in drilling industry.

BP could be excused if they assumed that the equipment they were renting was properly certified because it was deployed in February of 2010 and it would make sense that if the equipment were approaching the end of the 5 year window (regulations provide a 3 - 5 year window during which re-certification inspections should take place), either it would be re-inspected before being deployed to the BP well, or another blowout preventer, properly inspected and certified/re-certified deployed. This did not happen at the Deepwater Horizons well. BP should not be let off the hook entirely because, according to a representative of Transocean, modifications were made to the equipment at BP's request. Whether those modifications played any part in the disaster won't be known until the equipment is brought to the surface and inspected. Certainly one would think that any modifications to inspected and certified equipment, beyond normal repairs, would have to be approved by the regulatory body.

There is a further wrinkle complicating this story. The blowout preventer belongs to Transocean but was manufactured by Cameron. Why is this relevant? Because according to Cameron, they did not authorize the repairs that were made to the equipment by Transocean.

The commission is conducting a Lessons Learned session rather than a fact finding/fault finding session, so are not so much concerned about the reasons for the mistakes that were made. Other entities investigating the disaster seem to be more focused on who was at fault. Any finding of fault with BP would seem to be redundant at this point. BP has already agreed to assume full financial responsibility for the disaster and cleanup. No matter how much money (and they've already committed $20Bn USD to the cause) is thrown at the problem, there will still be permanent damage to the gulf coast environment so preventing a similar accident in the future seems a very worthwhile cause.

The commission has also identified the government's role in the disaster. The government being responsible for regulatory oversight. Regulations were in place which may have prevented the disaster, we won't know whether an inspection of the preventer would have identified a fault until it is brought to the surface and inspected, but those regulations were not enforced. The well was using a blowout preventer which was not technically certified because it had missed a required inspection.

One of the recommendations the panel is considering is to model regulations in the drilling industry on the Institute of Nuclear Power Operations regulations. These regulations are partially the result of Lessons Learned from the Three Mile Island disaster. For those who don't remember that event, the nuclear reactor in Three Mile Island suffered a partial core melt down. The results of the accident were not nearly as grave as the Chernobyl disaster that happened in Russia 7 years later, but there were radiation leaks and the incident caused enough concern that safety regulations underwent a major overhaul. The resulting regulations have been effective in preventing similar accidents thus far.

So what does this mean for risk management? No-one has accused BP of violating any regulations thus far, but BP is still bearing the brunt of the impact of this risk event. We are prone to rely on government regulations to set standards when the government provides oversight for an activity. Regulations in the oil and gas industry are one example, building codes are another. It is up to those managing the project to determine if adherence to government regulations will mitigate risks to an acceptable level. There will inevitably be a conversation with the project sponsor about the cost of a fool proof mitigation strategy. Would the cost of a regulatory inspection of the blowout preventer be justified by reduction in risk of a blowout? It's difficult to imagine the inspection cost being greater than the $20Bn to BP of the accident. Project managers shouldn't hesitate to work from a "worst case" scenario when making the business case for a mitigation strategy. Project managers should also not make the assumption that the government is perfect and that their regulations will be effective in mitigating the possibility of a risk event to zero probability. Treat those regulations like any other mitigation strategy and analyze their effect on the risk. If the residual risk is still too great, don't hesitate to propose another, more effective mitigation strategy.

There is a very good chance that the modifications made to the blowout preventer contributed to the accident. This seems to be borne out by testimony from workers who tried to activate the preventer after the explosion at the well. Updated drawings for the well were not immediately available, delaying recovery efforts, and when they were available they were not always accurate. It is up to the project manager to ensure that none of the activities of the project introduce new, unmitigated risks. First of all, the plan should be analyzed for any risks and then the project manager must ensure that the team follows the plan exactly. Your change management process should engage your risk management process. Changes should be examined for their effect on project risk. Would implementing the change introduce new risks? If it would introduce a new risk, how would that risk be mitigated? How much would mitigation cost? What is the business case for mitigation (cost of mitigation strategy vs. cost of risk event)?

Finally a risk management policy is useless if that policy is not carried out by the vendors engaged for the project. There were a lot of players involved in the Deepwater Horizons project - it was a big project. Communicating policies to the vendor should include making adherence to the policy part of the bid solicitation process. The ability to adhere to the policy should also be part of the vendor selection criteria. The project manager is then responsible for ensuring that the vendors plan includes all the mitigation strategies identified for mitigating risks that the vendor's work poses to the project. Risk mitigation should be a joint effort between the buyer and vendor, with the buyer's project manager taking ultimate responsibility for the vendor's risk management activities.

Carpenters used to using power tools will tell you that they started out with a healthy respect for the damage that a chop saw, table saw, or radial arm saw could do to their fingers but over the years they lost that respect and paid for it, in some cases, with their fingers. The accident with the table saw is another example of a risk event. Just because we've gone through umpteen projects without seeing the event doesn't mean it has disappeared. We need to maintain our healthy respect for the risk events our projects are prone to, no matter how remote the probability, and mitigate them accordingly. Using Lessons Learned to avoid disasters is an expensive way to plan projects and once we've lost 10 fingers no amount of Lessons Learned will help.