As a risk practitioner, have you ever tried to describe what you do for a living to a family member or a friend? If so, you’ve likely experienced their acquiescent and politely confused reaction as you articulate concepts like risk assessments, controls, tests, tolerance, appetite, key risk indicators, governance and a host of other tactics that are commonly executed as part of a practitioner’s day-to-day responsibilities. At the conclusion of your pride-filled intellectual description, you feel like you did a great job explaining what you do, when your conversational partner replies with, “Wow, that sounds awesome! So, what do you actually do?” Uncertain about how to respond, you begin to retrace your words only to realize that internally, you are asking yourself that very same question, combined now with an unclear perspective about your professional identity. You ponder, “What DO I do, and, who am I as a professional?”
Over the past 20 years, I’ve observed a plight all too common among risk practitioners wherein there is an enthusiastic rigor to schedule tasks, complete action plans, provide reporting/updates and declare that risks have been mitigated, when the most certain of questions is to follow: “So, what risk did we eliminate/reduce and how does that add value to our organization?” The enduring effort to complete tasks and assignments by the risk practitioner propagates and reinforces an illusion of risk management, because work, in the form of tasks and actions, was completed.
Reality strikes! In absence of utilizing an industry framework with principles, common taxonomy and structured objectives to clearly articulate how issues, losses and events are being prevented or reduced, the risk practitioner’s reputation, brand, self-esteem and identity progressively deteriorates. I’ve equipped hundreds of professionals with the training and tools provided by the CRISC certification and the outcome is nearly always the same, where CRISC training/certification served as a catalytic fuel energizing the risk practitioner’s identity while at the same time accelerating organizational maturity in the direction of a value-driven, risk intelligent culture. Here is how:
Individuals Identify Themselves as Competent and Confident Practitioners
- A Strong Foundation: They learn the basics, they speak a common language and they use a proven methodological approach
- A Community of the Like-Minded: They are part of a formally recognized community of professionals
- A Distinction: They have made it through the studies and requirements necessary to obtain the CRISC distinction
- Unlocking Strategic, Big-Picture Thinking: Their competencies become habits, freeing up their mind to think more broadly with intriguing inquisition
- Clearly Articulating Value: Labeling/linking value and purpose effectively with executives, second/third line and examiners
Organizations Evolve to a Risk Intelligent, Value-Driven Ecosystem, Fueled by Trained Practitioners
- Organic Neural Networking Within the Company: Team members formed their own think/brain tanks resulting in multiple innovations/enhancements within the first few months after CRISC training
- Advancing and Benchmarking Industry Expertise: Team members developed external relationships within and across ISACA chapters to anticipate opportunities, prevent issues/events, and design better controls
- Organic Employee Development Ripple Effect: Coaching took on a natural form, where CRISC candidates willingly encouraged, coached and mentored others
When you were asked about what you do for a living, it would have been so much easier to reply with something like: “I prevent bad things from happening to our customers/company. When I do my job well, my customers are safe and secure, and my company’s brand becomes stronger.”
With CRISC as an enabler, your employees will grow, develop and identify as professionals, and your organization will become enmeshed in a risk culture that is strong, resilient and organically intelligent.
Editor’s note: To find out more about the custom training program opportunities offered through ISACA, visit ISACA’s enterprise training page.