ENDS Report 428, p. 54, September 2010.

BP’s analysis of what caused the oil spill in the Gulf of Mexico sounds uncomfortable echoes of the US military’s reaction to events at Abu Ghraib prison during the Iraq war. Corporate and military approaches to risk have much in common.

Unpicking the complex causal geology of BP’s nightmare in the Gulf of Mexico will require the imagination of a Wegener, and then some. It probably won’t take as long as the 50 years it took for plate tectonics to be accepted, but it may well feel like that. The oil industry seems slow to learn. It is 22 years since Piper Alpha and 15 since Brent Spar, but you could be forgiven for thinking that neither the operational nor reputational lessons have yet been learned.

Last month BP published its own investigation into the massive oil spill. It presented a highly detailed – if somewhat self-serving – analysis of what went wrong with the hardware. BP highlighted six critical factors resulting in the breach of eight engineered barriers that should have prevented oil from escaping into the sea. This investigation offered 25 recommendations – all of which BP proudly announced it had accepted.

As I read BP’s account of the events and reflections on what this meant for the oil industry, a rather uncomfortable thought crossed my mind. This was rather like reading the accounts of what happened in Abu Ghraib during the Iraq war. Somehow this was an operational rather than a cultural problem. A responsible and well-intentioned leadership had been let down by lower-ranking employees, and by its contractors. There were problems. They had been recognised. Now they will be fixed.

I found BP’s account no more convincing than that of Donald Rumsfeld. The unforgivable behaviour of junior ranks in the prison in Iraq reflected a culture endorsed and promoted from the president down. Results were what mattered. And quickly. No explicit permission was ever given to break the rules of war. But no permission was needed. Even the lowliest GI knew it was OK to do whatever it took.

Corporate risk cultures have much in common with military risk cultures. They take their lead from the top and they take considerable time and effort to build. It was Tony Hayward’s bad luck to have begun a process of safety culture change within BP when it was too late to avoid Deepwater Horizon.

There is a wider lesson here. It is no accident that BP’s fraught history in recent years has been in the US, and after its take¬¬overs of Amoco, Arco and Burmah. Mergers of giant corporations generate an immediate and intense process of integration to capture the purported efficiencies that justified the merger. Its primary purpose is to lose jobs and align management systems. Far less, if any, effort goes into aligning corporate cultures or retaining corporate memory, which 0ften evaporates as key staff are lost in the lottery of redundancy.

There is an abyss of difference between the regulatory philosophy underpinning the management of health, safety and environment in the US and that applied in the EU and much of the rest of the world. This results in the construction of fundamentally different corporate cultures. In the US, technical compliance with elaborately detailed rules is prized. Elsewhere, there is a much greater focus on achieving desired outcomes. As I saw for myself when I worked at BP during the takeover years, the scope for miscommunication is much increased as leadership messages navigate the resulting cultures differently.

Deepwater Horizon cost BP at least $20bn in hard cash and wiped about $90bn off its value. Even with the well itself plugged, BP’s shares are still worth only two thirds of their value before the spill. We have had one hard lesson in the cost of mismanaging risk from the world’s bankers. BP has delivered another. All this contributes to an increasingly sharp focus on corporate risk.

Corporate risks can be seen as falling broadly into two categories. There are endogenous risks, those driven primarily by factors within the business envelope. These are usually well understood by successful firms, which have built the competences and structures necessary to managing them. They include the financial, market and operational risks that firms are able to manage every day.

There are also exogenous risks, those driven mainly by factors outside the business envelope. These include the risks entailed in the impact of a company’s activities or products on human rights, indigenous peoples, corruption, health, communities and the environment. These are not well understood by the corporate world, which manages them largely by ad hoc arrangements.

In its efforts to discipline corporate behaviour, the NGO sector is increasingly looking to how corporations manage their exogenous risks. CERES, the Boston-based ethical investment campaign, is currently pressing the Securities and Exchange Commission in the USA to require listed firms to define and value their climate risk.

In the UK, Fairpensions recently secured important support for a shareholder resolution that requires BP to publish a report on the exposure of their investment in tar sands to climate change. The coalition government in the UK has announced its intention to reintroduce the requirement for firms to publish an operating and financial review detailing their non-business risks and their measures to manage them.

Labour peer Lord Boyd recently proposed at a UK Environmental Law Association seminar that firms be required by statute to appoint a risk officer to advise boards on these risks in the way financial institutions have a nominated risk officer. His point was that the non-executive directors, who are there to protect the interests of shareholders, need more information about what is happening in the company to do their job properly.

This idea clearly captures a growing public mood. It fits well with the developing interest among NGOs in using company law to enforce high corporate standards of environmental and social behaviour. We should – and will – hear more of it.