Thursday, July 16, 2009

Identity Crisis


It's a conundrum.

Unfortunately, it's definition 2b rather than 1 or 2a according to Merriam-Webster OnLine ( Definition 2b tells me that a conundrum is "an intricate and difficult problem."

My quandary (for which there only is one definition) is this: What am I?

I know who and where, but ...

I know who I am and where I am (Hollywood/Fort Lauderdale FL), but WHAT am I?

I am certified by The BCI as a Business Continuity practitioner sans any prefixes.

Problem is, "Business Continuity" means too many different things to too many different people.

To many who live behind data center doors, "business continuity" is really little more - if at all - than disaster recovery with some casual input from one or two of the user base.

To some others, "business continuity" is a profit center function and while it may look at more threats to the process than just InfoTech, it pretty much stops right there. Yes, it is "business" continuity, but it is at best ineffectual business continuity.

Do what we do

When we, as * practitioners - at this point let's use the asterisk in lieu of a name; consider it a "wildcard" for want of a better identifier - start Phase 2 of a business continuity process (Phase 1 being SOW and Project Plan development and approval) we work with the Subject Matter Experts (SMEs) at ground level to identify critical processes.

I suggest that we, as * practitioners, do the same thing with what we do.

True, we are concerned with the continuity of the business, even if the business isn't in the common sense a "business." What do I mean, a business that's not a business? Most of us don't consider a charity a business. Likewise a non-profit. Ditto government. But these are businesses. They all produce or provide "something." They all are concerned with Profit and Loss (P&L) and Return On Investment (ROI). They all have a payroll and clients to satisfy.

But what are the concerns?

The basic questions are:

What can happen to interrupt "business as usual"?

What could be the impact be if whatever could happen did happen.

Yes, Virginia, I know I'm "weasel wording" ; it will become clear shortly.

What do we call these potential interruptions?

Most often we, collectively as * practitioners, refer to them as "risks."

What do we manage?


Then what we are doing, with all our avoidance and mitigation work and response planning and exercises, is managing risks.

That would make us "risk managers."

To my Winnie-the-Pooh mind, that also opens up the realm of possible risks well beyond the traditional. What's "traditional?" For most its environment, human nature, and technology.

In some circles, it also includes vendor management; since 2007, money vendors (lenders) have been included in my risk list (see Responsibilities Outside Planner's 'Area of Authority', DRJ Winter 2007). Wasn't that before the financial melt down became headlines?

So be it. We are risk managers.

But wait ...

But wait, as the infomercials always add, there's a problem.

If you visit the Major Job Boards (and some that aren't so "major") and search for "risk management" you get hits for medical professionals, insurance claims people, and more.

I don't know about you, but while I have a distant medical background, I'm neither doctor nor nurse, and while I worked for an insurance giant, I'm hardly qualified to rate risks according to statistical evidence, be it for human coverage or property.

Doctors, nurses, and insurance people are some of the SMEs to whom I turn.

While I deal with risks, calling myself - as I did - an "Enterprise Risk Management" practitioner still isn't clear to the boards and, if not to the boards, then also not to people who would engage my services.

So, good bye Enterprise Risk Management (ERM) practitioner. Besides, I suspect "ERM" can mean too many other things.

Since I have been working in the defense industry the last several years and since the "pandemic du jour" is headlined as a threat, and we all know about Homeland Security's national Threat Level, perhaps "Enterprise Threat Management" - ETM - is suitable.

The Free Dictionary only lists 37 entries for "ETM" compared to 42 for "ERM." Do we have a winner? Not really; abbreviations are not really my "thing."

But I think that when someone asks me what I do, I'll tell them I am an "Enterprise Threat Manager."

That is, after all, what I do.

Here's the rub

The title doesn't agree with my certification as a Member of The Business Continuity Institute. No "threat" in either the title or the credentialing organization's name.

Just for kicks, I ran a job search for "Threat Management."

Indeed ( returned 17 hits, many of which linked back to InfoTech. There was one really interesting hit, TASO-2408: Threat Environment and Scenario Developer. Hardly business continuity, the job called for the selected candidate to "be responsible for developing the threat environment and various scenarios to be used within an Analysis of Alternatives (AoA) for an existing Mobile Nuclear Air Sampling (MNAS) capability."


As I was at the top of this piece, I know WHO I am and WHERE I am, but I'm no closer to WHAT I am then when I started this exercise.


M-W's other definitions for conundrum are:

1: a riddle whose answer is or involves a pun
2 a: a question or problem having only a conjectural answer


John Glenn, MBCI, has been helping organizations of all types avoid or mitigate risks to their operations since 1994. Comments about this article, or others at may be sent to Planner @ JohnGlennMBCI. com.

© 2009, John Glenn MBCI    

No comments: