Another BCM blogger took issue with my Risk Management vs. Risk Management piece, noting that "It certainly seems that they (the State of Florida) are looking for industry-specific risk training. Is that such a bad thing?
"Given that regulatory requirements are probably very specific in health I could see that would be a sensible approach."
The remarks were prompted by my comment that the State of Florida, in its wisdom, certifies risk management people who want to work for medical facilities; the certification requires a very narrow focus (vs. an "enterprise" approach.)
If "industry-specific risk training" is a good thing, then anyone performing a risk analysis for an IT function would need to be an IT guru; a person doing the same for HR would need to be an HR expert, and a person doing risk management for a finance unit would need accountancy training, possibly a CPA.
There is nothing WRONG with having a background in a functional area providing that knowledge doesn't get in the way of the holistic "big picture."
Risk management, be it for a hospital or a transportation company or a - you name a business, including NGOs and non-profits/charities - is ESSENTIALLY the same for all:
- (a) identify the critical process(es)
(b) identify risks to the process(es)
(c) prioritize the risks (probability vs. impact)
(d) identify means to avoid/mitigate/transfer the risk
and then come up with ways to recover to "business as usual" if the risk occurs despite our best efforts.
I approach risk management as a generalist, and that certainly colors my opinions. I have a broad, and varied, background having come to risk management via journalism and technical documentation. I know a little about a lot of things; enough to ask intelligent questions that elicit answers that often lead me down paths I never anticipated - nor would I, perhaps, have traveled if I was an "expert' in the function.
Being a generalist means, to me, that I realize I lack guru status in any area except perhaps risk management where I am at least a "subject matter expert." (Just ask me.)
But back to what I perceive to be the dangers of "focused" risk management.
Based on 13-plus years in the business I am convinced that there are so many inter-dependencies in any organization - that the only effective risk management program is an enterprise, holistic program. While that does not preclude independent "functional unit" plans (which I promote), it does mean that, due to interdependencies any program less than enterprise-wide is bound to overlook risks that can quickly ripple through an organization.
My fellow practitioner and I agree to disagree.
Hopefully, our discussions provide value not only for ourselves but other practitioners as well.
John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
Seeking work in -- or from -- southeast Florida