Friday, May 13, 2011

ERM-BC-COOP: There ought'a be an award for . . .



Enterprise Risk Management Practitioner & Curmudgeon

Most enterprise risk management (business continuity) practitioners participate on, or at least "lurk" on, one or more professional lists.

There are many.

DRJ has its Forum and a separate presence on LinkedIn.

There are numerous business continuity groups on LinkedIn, including the BC-COOP group.

There are Yahoo groups for business continuity and emergency management.

And of course there are sundry groups focused on Information Technology issues of concern to a practitioner. Most of the time, the discussions are professional.

  • A tyro asking how to approach something.

  • A pro telling how he or she managed to overcome an obstacle.

But occasionally, alas all too frequently, we read a post asking experienced practitioners to give away the farm.

Most practitioners are delighted to mentor the juniors and newbies. We once were in their shoes.

But most experienced practitioners are, to be polite, miffed when asked to do the work for a person claiming to have experience, especially when that person claims expertise in the area in which they are seeking basic help.

My refrain, one I share with a number of my peers, is "We're becoming a Jacob Cohen profession" due to people claiming expertise they sorely lack.

It became abundantly obvious when one person, appealing for help from a group, admitted via post-appeal correspondence, that his employer of many years insisted he appeal to a wider audience, despite the person's claim to expertise in the area in which he sought assistance.

It's no wonder, then, as Jacob Cohen continually whined, we "don't get no respect."

Our profession, with tyros masquerading as experts, causes us to "get no respect."

Because of people such as the tyro-pretending-to-expertise, I suggested to some of my peers that we need an award for such folk.

No Respect Award

The first "award" that comes to mind is the "We Don't Get No Respect" award.

The poster boy for this award would be the late Jacob Cohen's alter ego, Rodney Dangerfield.

Mr. Dangerfield made a career of five words: "I don't get no respect."

For us, the profession "don't get no respect" when it's populated by tyros flying professional colors. When a novice with a manufactured resume is turned loose on a client, old timers hope that these mountebanks are hoisted by their own petards.

That some organizations are cognizant that the practitioner lacks expertise is obvious when one such practitioner admitted that his employer instructed him to ask the on-line groups for help.

Microscope Award

This award could have a microscope rampant on a field of personal, macro, mini, and mainframe computers ranging from the Berkeley Enterprises' Simon introduced in 1950 - yes, 1950, that's not a typo - to today's smallest and largest machines.

I like the microscope since the focus of this award winner is strictly Information Technology. Ignored is the fact that Information Technology rarely is a profit center; its role most often is as a critical profit center's resource.

Winners of this award are convinced that if InfoTech can be recovered following an event, all is right with the world. Never mind the profit centers that fund Information Technology and never mind avoidance or mitigation efforts.

Head In the Sand Award

The "Head in the Sand" award also could be known as the Ostrich Award; this award would feature an ostrich with its head in the sand.

This award goes to organizational management that either

    a.   fails to engage qualified practitioners, or

    b.   fails to implement the qualified practitioners' recommendations.

In the first instance, one has to wonder why a practitioner was engaged in the first place. The most probable reason is because the organization is trying to get business from a potential client that demands its vendors have risk management or because the organization has a government or industry mandate to have risk management.

We all understand that not all recommendations will be implemented, and certainly not necessarily in the order we think appropriate. That's why management always retains the right to prioritize implementation of the practitioner's suggestions.

Smart management may challenge a practitioner's priorities and perhaps the practitioner's reasoning why Option A would be better for the organization than Option B, but in the end, some option will be put into practice.

Ice Floe Award

Picture a polar bear adrift on a chunk of ice, far away from any solid surface.

The "Ice Floe" award is presented to the practitioner - or perhaps the client manager - who thinks a risk management project can be successfully put together with zero input from anyone.

No successful plan can be created in a vacuum; input must come from all sources, from newest intern to most senior executive.

Managers who refuse to share information about the organization's direction or who prevent the practitioner from having access to all personnel whom the practitioner - not the manager - deems to have critical information almost guarantee that should an event occur, the plan will fail.

Spilled Ink Award

Does anyone still fill real ink pens from an ink bottle?

Probably not, but a tipped over bottle of ink remains a suitable graphic symbol to award a practitioner who can't spell "practitioner."

Documentation plays a large part in every risk management program and every project within the program.

From a Statement of Work - or maybe even a proposal - to the final deliverable, the practitioner is called upon to be a wordsmith with a better-than-average command of the local language.

Indeed, the practitioner may need to communicate his or her thoughts, concerns, and reasoning to several different audiences, each with its own interests.

The practitioner who is honored with this award can claim a high level of self-confidence, sufficient that he or she forgoes spell check before submitting a document.

Know Everything Award

This award would have Alex Trebek's likeness on it and would be awarded to managers who believe a risk management practitioner needs to know everything about the organization, preferably before the practitioner's credentials are reviewed.

It's fairly common that organizations expect the risk management practitioner to be an expert in data security, but often there is a requirement that the practitioner have experience in a specific industry.

Granted, there are regulated industries and a practitioner who already knows which regulations apply has a head start, but the bottom lines are that

    a.   99 percent of all regulations are available either on-line or in the client's library, and

    b.   the core processes of all plans are the same:

    • Identify key processes

    • Identify risks to the processes

    • Identify ways to manage the risks via avoidance, mitigation, or transfer

    • Prioritize the risks

    • Make recommendations to management on how to manage the risks (ergo "risk management").

In truth, the only subject in which the practitioner need be expert is risk management, a/k/a business continuity or resiliency or COOP or whatever the term du jour.

Flying Funds Award

The "Flying Funds" award, which also can be labeled "My bucket's got a hole in it," goes to management that pays to have a plan created and then ignores it. This award is related to the "Head in the Sand Award" and often is presented to the same person or management team.

This wastes the organization's finances - as well as the practitioner's and plan contributors' time - since a plan neither exercised nor maintained quickly loses its value.

Ignored plans, if ever implemented, usually fail and, as most practitioners know all too well, all fingers point to the practitioner, even if the practitioner is long gone from the job.

And finally

An Honorable Mention for pounding round pegs into a template's square holes.

This certificate is presented to managers and practitioners who believe that filling in a form or template pulled from the Web or a book will give the organization a plan that will assure its survival "in the event of."

There ARE good programs that, in the hands of an experienced practitioner, are useful tools, tools that are adapted to meet specific requirements. Unfortunately, most templates and programs in the hands of a novice only lead an organization to a false sense of security.
