But, as there are "universities" and "universities," there are, in the risk management (a/k/a business continuity and COOP) discipline "certifying organizations" and "certifying organizations."
For risk management (as I define it, anyway) there are several "name" certifying organizations. These are, alphabetically:
- Business Continuity Institute, the BCI, which awards *BCI certifications
- Disaster Recovery Institute International, the DRII, which awards *BCP certifications
- Richmond University's Certified Recovery Planner Program which awards *RP certifications
Truth in blogging: I am certified by the BCI (MBCI) and Richmond (SRP).
There are others, but the above are the "Big Three" and have been around the longest.
Each has a vetting process in an attempt to assure the people awarded the certifications have at least a basic understanding of the business to the level at which they are certified; that is, an "A" certificate - typically an "Associate" - is a tyro in the field who can at least spell "BC"; an intermediate certificate - MBCI, CBCP, CRP as examples - are practitioners with at least a couple of years' experience; while higher-level certificates such as FBCI, MBCP, and MRP are awarded to practitioners who have been around the block a bit longer and, frankly, who are willing to pay a premium for the honor.
Most certifications are awarded following successful completion of a multiple question test. Mid- and upper-level certifications require some indication of experience.
Does that mean the person knows what they are doing?
Not necessarily. Some people simply are good at short-term knowledge retention and test taking; we all know people in that category. Certifications for these people only indicates that they know how to read (to their credit) and pass tests.
I know some certified planners who I would not trust to plan a safe way to cross a deserted road. I also know some planners who, albeit lacking certification, are excellent planners.
Still, a certification from a legitimate organization (such as, but not necessarily limited to, the "Big Three" - caveat emptor) provides some level of confidence to the person engaging the planner).
Who needs it?
An InfoTech associate called certification "eye candy," and it may be that - especially if the consultant depends solely on the paper rather than curiosity and common sense - but in the consulting world, people are expecting paper. At one time, a high school diploma could get a person through the door, then the entry was via the bachelor's degree; now, anything less than a master's makes getting some jobs a challenge. (Security clearance is another "prestige" issue: "confidential" won't open any doors; "secret" barely gets someone inside; "top secret," or "TS," is the current base requirement.)
Unfortunately, my discipline (profession, trade: check one) lacks an apprenticeship or mentoring program, so the degree (certification) must be suspect until it can be supported by real-world experience.
If that sounds like a "Catch 22," it is, but one which a planner's employer can overcome with minimal cost and less effort.
More on that next.
Considerations before engaging a risk management practitioner.
- Besides reviewing a practitioner's resume and making an independent reference check - would anyone offer bad references? - make an effort to test the practitioner's interviewing skills.
- Does the practitioner ask open questions or questions designed to elicit a specific, desired answer?
- Does the practitioner listen to the responder? Does the practitioner follow a tangent suggested by a responder, and then return to the main line of questions when the thread's end is reached?
John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @ JohnGlennMBCI.com