Risk mitigation

One of today’s news stories is that several of the firms responsible for the colossal explosion at the Buncefield oil depot have been hit with fines totalling almost £10m. The judgement centred around ‘slackness’ in operational practices at the site, resulting in serious breaches of health and safety law.

It has taken a while for the penalties to be applied: the explosion happened early on Sunday 11th December 2005. On that day, I was on a flight from Heathrow to San Francisco. Buncefield (near St Albans, north of London) is a little way east of the long-haul flight path from Heathrow to North America, and the gigantic plume of smoke from Buncefield was clearly visible from the right hand side of the plane.

The reason for my trip was to take part in my first team meeting with the group I had recently joined, in Sun Microsystems’ Chief Technology Office. That new role also marked the beginning of my increasing interest in matters of online privacy, and the way in which privacy and identity technology have to interact with corporate and public policy.

I thought of that when I heard an oil industry specialist being interviewed today about the lessons learned from the Buncefield disaster. He said that companies needed to be asking themselves three very simple questions (as opposed to the traditional “one question… do you feel lucky…?”):

  1. Do we understand clearly what can happen when something goes wrong?
  2. Do we have systems in place to prevent and/or manage such failures?
  3. Do we have metrics which tell us whether we are getting it right?

I come back, once again, to Michelle Dennedy’s key principle: organisations which process personal data should treat it as if it were toxic waste. Exactly the same principles should apply:

  1. Does the organisation’s strategy or business plan take into account what can happen when personal data is mishandled, when there is a containment breach, or an explosion of negative publicity?
  2. Are there systems in place to constrain the collection of personal data, manage its retention and prevent inappropriate disclosure?
  3. Do the organisation’s staff and managers get the information which would tell them whether or not personal data is being well managed?

Here’s what I suspect:

  • Some organisations have a reasonable handle on (2)… but a lot more probably have far less of a grasp than they like to believe.
  • Fewer organisations actually weave ‘personal data and privacy risk management’ into their strategy at a corporate, executive level.
  • Still fewer actively seek external evidence of data breaches and reflect that in a ‘data management dashboard’ to inform and guide day-to-day operations.

Of course, if you know otherwise, I’d be delighted to be proved wrong… who knows, I might even end up writing an analyst report on cases of good practice. If you’ve got a good story to tell, you know where to find me…