ERM-BC-COOP: Perspective

Another BCM blogger took issue with my Risk Management vs. Risk Management piece, noting that "It certainly seems that they (the State of Florida) are looking for industry-specific risk training. Is that such a bad thing?

"Given that regulatory requirements are probably very specific in health, I could see that would be a sensible approach."

The remarks were prompted by my comment that the State of Florida, in its wisdom, certifies risk management people who want to work for medical facilities; the certification requires a very narrow focus (vs. an "enterprise" approach).

If "industry-specific risk training" is a good thing, then anyone performing a risk analysis for an IT function would need to be an IT guru; a person doing the same for HR would need to be an HR expert, and a person doing risk management for a finance unit would need accountancy training, possibly a CPA.

There is nothing WRONG with having a background in a functional area, provided that knowledge doesn't get in the way of the holistic "big picture."

Risk management, be it for a hospital, a transportation company, or any other business you care to name - including NGOs and non-profits/charities - is ESSENTIALLY the same for all:

    (a) identify the critical process(es)

    (b) identify risks to the process(es)

    (c) prioritize the risks (probability vs. impact)

    (d) identify means to avoid/mitigate/transfer the risk

and then come up with ways to recover to "business as usual" if the risk occurs despite our best efforts.

I approach risk management as a generalist, and that certainly colors my opinions. I have a broad and varied background, having come to risk management via journalism and technical documentation. I know a little about a lot of things; enough to ask intelligent questions that elicit answers that often lead me down paths I never anticipated - nor would I, perhaps, have traveled if I were an "expert" in the function.

Being a generalist means, to me, that I realize I lack guru status in any area except perhaps risk management where I am at least a "subject matter expert." (Just ask me.)

But back to what I perceive to be the dangers of "focused" risk management.

Based on 13-plus years in the business, I am convinced that there are so many interdependencies in any organization that the only effective risk management program is an enterprise, holistic program. While that does not preclude independent "functional unit" plans (which I promote), it does mean that, due to those interdependencies, any program less than enterprise-wide is bound to overlook risks that can quickly ripple through an organization.

My fellow practitioner and I agree to disagree.

Hopefully, our discussions provide value not only for ourselves but other practitioners as well.

1 comment:

kensimpson said...

John, I shall continue the discussion as nobody else has jumped in yet.

I disagree that IT and HR as support functions have the same status as Health as an Industry. If you want to do risk management of IT in Health you should know something about Health regulations.

I get the impression that your state Health authority is expecting the wider focus on risk management - certainly the curricula of the various courses you note in the earlier piece would indicate that.

Just by way of interest I searched for the term "Enterprise Risk Management" in ISO 31000 - the international standard for risk management. It does not occur at all.

Isn't your state just asking for standard risk management certification and training?