24 April 2016

Is Risk Management a Profession?

So once again I have been invited to attend the ISO 31000 training programme. And at the end of the 3 days I will, of course, pass my certification exam, and will be able to call myself a C31000 Professional. Wow am I excited, or not.

When I look at a range of "professions" I see a few things in common; years of experience and study, a professional body or association (or bodies) that determine a set of standards for professionals, certification, and a set of disciplines. I also see regulatory bodies (even if self-regulating within the profession) that protect the name of the profession, and strike off those that fail to uphold the standards of the profession. I also see the profession seeking to protect itself from charlatans who do damage to the profession, and by pointing out clearly the standards required by the profession, to protect companies that employ such professionals.

So how does "The Google" define a Professional Association?
Somewhat limited I think, but for our purposes we can use this. What seems to be missing is protecting the integrity of the profession and professionals, but that might be included in furthering "the interests of individuals engaged in that profession" through protecting the name of the profession from charlatans.

Would the ACCA, ICAEW, IMA, AICPA, or the CICA stand by quietly as an organization or individual offered to create certified accountants in less than a week? The Medical Council would not allow someone to practice medicine without proper training and certification. Yet that is exactly what the Risk Management professional bodies do when someone offers three-day courses with a "professional" certification at the end. Where are the IRM, RIMS, GARP, PRMIA in protecting the reputation of the Risk Management profession and professionals?

So is Risk Management a profession? I'm sure that others have their definitions and expectation of what makes a profession and a professional. For me, as someone engaged in the profession, I like the definition from Google:

Considering this definition, I consider myself to be a Risk Management Professional. I have been advising companies on Risk Management, developed an ERM application from the concept to implementation, and I am a Risk Manager in a business. I am a member of a professional body, and have contributed to thought leadership published by that body, ranging from Risk Appetite and Tolerance, to Cyber Threats, and Risk in the Extended Enterprise.

Which apparently means that I should be "certified". Or at least, someone thinks that this will make me a professional.

So let us look at this kind invitation from Alex Dali again, the one that will, in three days, make me a Certified ISO 31000 Risk Management Professional.

The message from Alex Dali says:

I am pleased to inform you about the next training and certification session in London next month in May for you to become a Certified ISO 31000 Risk Management Professional with the official label C31000 certification.

It then gives the details of the course in London, for a very reasonable £1900, which includes the fee for the exam and certification.

It goes on to say:

Given your profile, I am sure that you will benefit a great deal from being a “Certified ISO 31000 Risk Management Professional” with in depth knowledge on the international ISO 31000 risk management standard. This session is also dedicated to those interested to become Certified ISO 31000 Lead Trainer.

Nice to see that my LinkedIn profile indicates that I would benefit from being such a certified professional. Or not.

So where am I going with this?

I expect my professional body to protect "the interests of individuals engaged in that profession" through protecting the name of the profession from charlatans. And that includes calling out examples like this, where people can claim to be a Risk Manager simply by paying for a three-day course.

To be very clear, any programme that offers a professional certification after a three-day course and an exam (I wonder what the failure rate is, after paying £1900) is a joke. To be completely honest, I would have a difficult time taking someone seriously if they actually put C31000 or any other notification that they have received this certification on their profile. I would then question every other certification that they claim, and I would wonder if that MBA or any other degree was from a mail-order "Institute" or "Institution" or just a postbox.

We as a Profession should be calling out specific examples like this, where someone sells certifications. We should be making it clear that we, individually and as professionals, will not accept bogus credentials.

For my part let me be very clear:

If you send me a CV with the C31000 certification on it, or if you have the C31000 certification on your LinkedIn profile, I will NOT be engaging with you. You are not a Risk Management Professional. You are the second definition of a Profession above: "an open but often false claim".

Just so there is no mistaking what I've just said:

To the professional bodies I ask, why are the Risk Management professional bodies and associations such as the IRM, GARP, PRMIA, RIMS and others not calling out the charlatans? Why are the professional bodies not protecting the interests of their members?

If my professional body will not openly state that this type of certification is a sham, then I need to do so, if for no other reason than to state categorically that I want my Profession to stand for something. When I say that I am a Risk Manager, I want it to be clear that this means I have years of experience, that I can back that up with evidence. That I am a professional.

07 April 2016

Panama Papers: Proceeds of Crime?

Drug dealer has a pile of cash. Drug dealer buys mother a house. Mother is pretty certain that the money is not clean, but it was from her son. Sweet boy. Time goes by. Drug dealer is caught. Assets are confiscated. Mother loses house. Proceeds of crime, after all.

And that is the way it is supposed to work. While mother is a nice woman and loves her son, she did knowingly accept assets that were the direct result of criminal activity. Apparently this standard does not apply to journalists. Journalists get Pulitzer prizes instead.

The "Panama Papers", while shining a bright light on the world of offshore companies and diversion management of assets, more importantly highlights the very grey line between the ethical hacker and the crooks, including the users of the information that was stolen. We still do not know how the information was released, although Mossack Fonseca is stating that the documents were stolen in an external hack of their systems.

Basically there are two options; an insider copied the documents and made them available to the Süddeutsche Zeitung, or an external individual or group of individuals hacked Mossack Fonseca's systems and copied the files, providing them to Süddeutsche Zeitung. We are told that the person (singular) who provided the documents has not asked for money, only protection of identity. It is worth noting of course that an internal party could have been the hacker, to help obscure the source of the information.

As there was too much information for one news agency to fully explore, the data was distributed to a number of news agencies and papers, using the ICIJ (International Consortium of Investigative Journalists) as the network for distribution.

What is disturbing is the wide dissemination of the information for a long period of time, and the ability of the journalists brought in to keep their silence. Almost mafia-like. While journalists as individuals have, in liberal western countries, a theoretical legal protection for use of sources (and in some cases protection from releasing their sources), the information used in this case was sourced illegally. Once sourced, however:

A network of about 400 journalists in 80 countries put together by the consortium spent months researching the documents. The media partners included the Guardian and BBC in the U.K., El Confidencial in Spain, Le Monde in France, Falter and ORF in Austria, Sonntagszeitung in Switzerland, and L’Espresso in Italy.

We are also told that newspapers and journalists have had access to the documents for many months, with the various reports saying anything from six months to a year. It is interesting that in that six months to a year, the story was kept secret from all, until Sunday April 3rd, when the bombshell exploded onto newspapers (online of course) and the TV news.

And what an explosion. 12 heads of state, 120 senior politicians or close associates of politicians, family members, etc. The first scalp has been taken, with the Prime Minister of Iceland stepping down. Score one for the "Revenge of the Sith Bankers". Personally I would not be surprised to find that the IMF, Troika, and individual banks that lost big in Iceland, are rubbing their hands in spiteful glee, but I digress.

In total, something like 214,000 companies were established by MF, with these companies spread around the world. Strangely, there are few American companies or individuals reported thus far - the current number seems to be 3072, with a total of 441 clients, but we're told to expect more. 3072 out of 214,000? Really?

Putin is just missed, but some around him are having their affairs aired in public. All, according to the Kremlin, part of a campaign of Putinphobia. Who's to know, but the Panama Papers are highlighting goings on that seem a little unsavory. In fact, a lot unsavory, by a huge range of people, from football stars to royalty, to criminals and (not criminal) individuals and companies.

And yet, all the information is not being released, raising questions about the political motives of those that released the information. Wikileaks climbed into the fray by stating categorically that one of the organisations involved in the dissemination of the information is effectively a front for Soros and his anti-Russia pro-democracy agenda.

And it is to that background that the relatively low number of Americans identified raises questions. If there is a dearth of Americans, is this because the information has been massaged? Is the number so low because the United States already has significant tax havens in Arizona and Delaware, and therefore there is less "need" for Americans to create international vehicles? Really?

At the core of my concerns then, is the question of whether the release of information, stolen information, was a crime, and not a "whistle blowing" action. And if it was a criminal activity (which hacking resulting in the theft of company information clearly is) then while there may be an argument that the thief was a whistle-blower, it does not absolve organisations from their use of the information for gain.

In this case, Süddeutsche Zeitung, the Guardian and other news organisations, instead of being legitimate news gathering and reporting organisations, are in fact the recipients and exploiters of illegally gained assets (the data). The drug data dealer has given them a home, and they know it came from criminal activity.

This makes their activities effectively the exploitation of the proceeds of crime.

I would expect that the vast majority of the companies formed will have been for perfectly valid business or personal reasons, legally using mechanisms to manage business activities and assets while also managing tax exposure - legally. None of that matters of course. Panama and anyone who does business with a Panama legal firm is now assumed to be a crook, while the real criminals, the Hacker(s) and the news outlets that have used the proceeds of that crime, will wear a mantle of purity of spirit.

If anything, I wonder if there will not be legal actions taken against the organisations that used and reported the data. Proceeds of crime indeed.