The other day a fellow seemed to be challenging my bona fides, so I thought to put together how I happen to be an enterprise risk management practitioner.
I was introduced to risk management at the tender age of a few days.
I didn't know it then, but my first encounter with risk management was in the form of preventive medicine.
As I got older I was taken annually for check-ups and shots - still painful, but I was rewarded with a stick of Wrigley's Juicy Fruit chewing gum.
When I was old enough, I joined the (U.S.) Air Force.
More shots and vaccinations.
Somewhere along the line I encountered veterinary preventive medicine; I must have been on a work detail before starting a specialty school - I was to become a corpsman.
The Air Force drummed into me the need for risk management.
Not just preventive medicine, but as a way of life.
It also convinced me of the value of training, training, and more training.
When the Air Force and I parted company, risk management pretty much was forgotten.
But lessons die hard.
Back in the day I used to carry in the trunk of my car
- 5 gallon can of gasoline
- 5 gallon can of water
- fire extinguisher
plus the standard jack and spare tire.
In the glove box I had a flashlight and fuses.
Back then, leaded regular was about 50 cents-a-gallon so I could afford to give 5 gallons away if I encountered a stranded motorist.
I didn't realize it then, but I was practicing a level of risk management.
For a number of years I worked as a reporter and then as an editor, happily knocking across the country.
Sometimes the newspaper paid for my relocation, sometimes not.
I used to staple a note to my tax forms explaining why I had - or did not have - high fuel deductions. Back in the day, relocation expenses and job-related expenses - i.e., gasoline for a reporter on the beat - were tax deductable with a lot less paperwork. The note was "risk management"; I was never invited to an audit of my returns.
I went overseas as a reporter/editor and came back as a tech writer. I also had done a brief stint as a PR flack.
While overseas, I was documenting mil-spec equipment and systems.
The military - at least the militaries what bought our products - expected to maintain the products, beginning with preventive maintenance.
Preventive maintenance. Preventive medicine. The connection.
Still, risk management was, at best, an after thought.
Working as a contract technical writer, I was engaged to document a disaster recovery program for a national data network. While I did the job, I also bothered the DR pros to find out what DR was all about.
Interestingly enough, about 6 months after the project was completed, the network failed, but because of "our" work, it was quickly restored.
A little later I went to work for a consulting house as a tech writer.
One of our clients monitored data networks. Our client had told its client that it had a business continuity plan. When our client's client asked to SEE the plan, our client asked us to develop a plan "yesterday."
Fortunately for all concerned, we knew the client's operation and we managed to put together a solid continuation of operations plan with not one but two alternate sites; all sites were at least 1200 miles from each other so we could avoid environmental risks.
We - the Business Unit Manager (BUM), the Technical Manager, and this scrivener put the plan together in a matter of a few days. There was no training, no maintenance procedure, no extended contact list, and indeed no response plan other than to "redirect the data to Alternate Site A if available or Alternate Site B if A is not available.
If the communications link failed - and that was THE concern - there were alternate links and the techs could track down the break almost at their leisure.
In retrospect, it wasn't much of a plan, but it WAS a plan . . . of sorts.
Somehow our man in the state capitol managed to sell a business continuity project to a state department.
The company brought down a DRII certified practitioner from Canada to be the technical lead and installed a Project Manager to keep the books. Our girl-from-Canada brought along a fat binder of someone's How to Do Business Continuity instructions and forms; we quickly discovered they were of little use other than as general guidance.
This gig is where I learned to appreciate "all hands" meetings where people can play off each other as they think about risks to their processes and the resources they use to perform the processes.
Both the BUM and I decided certification might be a good idea - this is early 1999 and everyone was thinking Y2K, so I researched the options. DRII was well known, but it was highly recommended that an expensive pre-test course be taken to learn DRII's buzz words and alphabet soup. Then the candidate had to wait until a test venue could be set - testing was at specific sites at specific dates.
The alternative was Norm Harris' Certified Recovery Planner (CRP) certification. His Harris Institute, besides offering a more economical way to certification, appealed to me because DRII accused Harris of "selling" certification . . . while it was selling courses and certification. Pots and kettles.
Anyway, I took four increasingly difficult tests that were reviewed by none other than Norm Harris, a founding father of the industry. On one test I wrote an answer with which the pro disagreed. He called me from Ohio - I was in Florida - to explain the error of my ways.
There were, however two problems with my CRP certification.
Problem One: Hardly anyone outside of the industry knew about the CRP designation.
Problem Two: Norm sold his business, including the certification end, sealing the fate of the CRPs.
Once again I was looking for a suitable certification, and remembering the hassle (then) to get DRII certification I found The BCI, often incorrectly referred to as the British Continuity Institute.
At the time certification was based on what you knew and could prove. I paid the fee, provided the evidence, and became a Member of the BUSINESS Continuity Institute.
Meanwhile, I am working contracts for some Fortune 50 companies, a couple that owned banks so I became familiar with FFIEC expectations. I also worked for a municipal government, an energy developer, a shipping company, and a former leader in the defense industry. There were some other "odds and ends" and some interesting Y2K work to round out the background.
As I learned more and more about business continuity, I began to realize business continuity is too limited for what organizations need.
Business continuity looks, correctly, at the profit center. Then it expands out to the obvious resources - vendors, utilities, in-house resources, including InfoTech.
But business continuity rarely considers (alphabetically)
- financial vendors
- government regulation
- policies and procedures
- succession plans
Today I fancy myself a mentor to tyros and someone with whom other practitioners compare notes.
Now, as Paul Harvey used to say, "you know the rest of the story."
Someday I may explain why the rabbit avatar.