Selecting a candidate to protect the organization
The perennial question is once again causing clutter in the ether. The question:
Must a practitioner be an IT expert?
In a word: No.
Perhaps the practitioner should be an MBA to handle the business side? Is a degree even necessary?
Maybe an SPHR to understand the human relations concerns?
How about a CompTIA Security+ certification for security issues?
Is a PMI or Six Sigma black belt necessary to manage the project or program?
Same answer. No, No, No, and No again.
So what qualifications should a practitioner possess?
Ability to “think outside the box,” to ask seemingly “off-the-wall” questions.
Did I mention curiosity?
I practiced enterprise risk management for roughly 15 years.
I am not an IT guru, but I know people who are.
I am not an HR expert, but I know people who are.
I am not a security maven, but I know people who are.
As a former reporter, PR flack, and technical writer, I am a good interviewer and I am a very good writer. In order to be a good reporter, a person MUST be curious.
I also am pretty good at playing the “What if” game – what if this happens or what if that fails to happen.
Although I never stopped to get a degree or even a project manager certification, I am a reasonably decent manager; at one point I managed 47 sites across 17 U.S. states staffed by people I only knew over the phone and via the Internet.
People who write job requirements that are heavy on IT or business or, frankly, any single area of expertise don’t understand risk management.
I don’t expect agencies such as BCManagement to push back to their clients with that statement, even though the folks there know it’s in the client’s best interest. It is not in BCManagement’s best financial interest to try to educate the client. I understand that.
A risk management practitioner must, first and foremost, know how to work with everyone: from very senior management to the newest intern in the mailroom. The practitioner must know how to relate on the other person’s level without being condescending or putting on airs.
The practitioner needs to be a Subject Matter Expert (SME) in one – and only one – discipline: Enterprise Risk Management or, one step down, Business Continuity.
The practitioner must be able to work with managers and SMEs from all functional units, and the practitioner needs to realize that SMEs don’t always carry a label proclaiming them to be SMEs. That includes people outside of the organization.
Over the years I learned a little about a lot of things, and that little often led me to ask the right questions of the right people at the right time. That skill has nothing to do with a degree or a specialty certificate; it has everything to do with creating successful plans and programs.
If I wrote it, you may quote it