If there is one thing I’ve learnt since being in contact with UK BIMers, it’s that you love a BIM pun!

However, behind a poorly conceived title is a serious concern over the methods employed to ensure data integrity.

A main risk area for our tech clients is Information Security, driven partly by the damage an organisation’s reputation can suffer, but mainly by the looming threat of a £500,000 Information Commissioner’s Office (ICO) fine for breaches under the Data Protection Act or the Electronic Communications Regulations [1].

I think we would all agree, the construction industry has more to worry about than half-million-pound fines. Lives can be lost through simple data errors being missed, overlooked or wrongly accepted as correct.

Information Exchange

Due to the nature of BIM, exchange of information is fundamentally important, but wherever data is passed from one party to another there is risk. Take, for example, a BIM project where one party captures data by laser scan and a second party creates a 3D model using some industry-leading software.

However, the laser scan data has a 5mm tolerance, and when the point cloud is modelled using the software, that step also has a 5mm tolerance.

We’re not talking about the same 5mm. Imagine the compounded effect of tolerance every time data is processed by a different party.

Technology Failure

Of course BIM is not just 3D modelling and you can’t rely on conditional formatting and clash detection as the sole methods of identifying data integrity issues.

The body of processes, forms and documentation that surround BIM projects has started to be formalised (see PAS 1192-2), and this is set to increase. Some of these things still need a human brain to verify them.

Even the simplest of data processing tasks can result in corrupt output, as a recent issue with particular Xerox copiers demonstrates. According to a BBC News report [2], a computer scientist discovered that numerical digits (numbers) on copied documents were being changed; for example, a 6 would become an 8 and vice versa.

The report goes on to say the error ‘has been blamed on faults with compression software used in a setting offered by the models’.

If you can’t trust a copier, what can you trust? Let’s not get paranoid.

Managing Risk

A first step to managing risk is to measure it. ISO 27001, the international standard for information security [3], outlines a methodology for this, and a late-2013 revision should make it even easier.

Risk assessment in construction conjures images of PPE, fluorescents and signage, but what we are interested in here are the threats to Confidentiality, Integrity and Availability of the data.

A register of project-information-assets could be a good starting point, taking into account intangible data-sets, plans and processes, but also physical assets such as measuring equipment and people.

Then by assessing, as a minimum, the threat, vulnerability and likelihood of each risk, some priority areas start to appear.

And while the overall risk of miscopied documents on the photocopier might remain quite low, the risk of tolerance shift in the supply chain is likely to remain high. By choosing appropriate controls, the risk can be managed to an acceptable level.

Good People Making Bad Choices

The photocopier story is a great example of an issue that was unexpected and unnoticed for a period of time, but human error is another unpredictable occurrence – and a particularly interesting concept is that of ‘GroupThink’.

Identified by the psychologist Irving Janis in 1972, GroupThink describes how things sometimes go wrong because the members of a group give up or put aside their own individual thought processes and evaluating skills in order to fit into the group.

Groups can sometimes become isolated from reality, even to the extent that normal moral and social values can be ignored by holding to the view that what they are trying to achieve is morally correct. Alternative views and actions fail to be explored, and risks that would be obvious to someone new coming into the group are missed, underestimated or ignored.

You can see how the contractor/subcontractor hierarchies and the highly collaborative nature of BIM might foster GroupThink more than in other industries.

Independent Assurance Programmes

An assurance programme provides one method to evaluate the effectiveness of controls implemented, and verify that data and processes are performing as expected.

An independent person or body has numerous advantages, including the ability to remain objective, avoid pressures from the project and take a wider view, sharing experiences of best practice from other projects.

As with most audit programmes, it should be process based and the frequency of checks should be appropriate to the identified risk.

Of course, things go wrong and discrepancies are found, but this should be seen as a positive.

As has become the culture in health & safety, lessons should be learnt from mistakes and experiences shared throughout the industry without judgment.


[1] ICO Enforcement Fines, ICO Website, downloaded 04/09/13:

[2] Confused Xerox copiers rewrite scanned documents, BBC News Website, downloaded 04/09/13:

[3] ISO 27001 Information Security Management System, Assent Risk Management Website, downloaded 04/09/13:

Robert is a director at risk management consultancy Assent, heading the Tech practice for Information Security & Business Continuity.

Robert works with standards in a variety of industries including construction, chemical, manufacturing software and print.

This article was first published by Assent Risk Management Director Robert Clements on BIMCrunch 15th October 2013.

