The global skills and competency framework for the digital world

#1349 BURM – consider making risk management skills applicable across more domains. Change request accepted

Risk management is applicable in a number of business and technology domains. At first glance the name of the skill and some of the description may get in the way of wider adoption.

Risk management is a broad concept which has some universal principles as well as some specifics according to the context in which it is being applied.

Feedback suggests that for some users…

  • The prefix "Business" is a barrier to adoption – it may imply an unintended subset of risk management
  • The descriptors could be more generic to focus on the common elements of risk management needed across different domains
  • The examples given in the overall skill description are not representative of the breadth of risk management and could provide a barrier to adoption

In SFIA’s capability model the skill of “risk management” can be separated from the specific domain knowledge needed to implement risk management processes and tasks.

  • E.g. security, business continuity, energy supply, disposal of materials, hardware or data.

An alternative approach is creating additional, specialised risk management / risk assessment skills. This option should be considered.

Proposed change applies to Risk management

Current status of this request: accepted

What we changed

Skill renamed to Risk management. Skill descriptions and guidance notes updated to reflect broader applicability.

Ian Seward (General Manager)
Dec 31, 2020 10:05 PM

Supported: From discussions with many 'specialisms' and many SFIA users globally, risk management is a common skill and any necessary restriction (implied or otherwise) does not make sense.

Ian Seward (General Manager)
Jan 11, 2021 05:11 PM

Further comments:
The name of the skill should be changed to Risk Management
- People can interpret Business Risk Management to be too restrictive - while the essence of the skill is common across many risk areas

I'm sure the below can be improved, but here is a starting point?

Need to reword Skill Definition:
- Suggest:
"The planning, implementation and execution of organisation-wide processes and procedures for the management of risk within any business function or area, or in the context of the business as a whole. Such areas may include IT, operations, environmental, information security and safety."

Need to reword Skill Level Descriptors - as a start see below, needs to be cascaded throughout the levels:
- Add a new Level 3:
"Undertakes basic risk assessments in business functions or technical specialisms such as information security or safety. Provides administrative support to risk management activities - such as collating risk and mitigation reports."

- Edit Level 4 to be:
"Conducts complex risk assessments in business functions or technical specialisms such as information security or safety. Engages domain experts as necessary. Investigates and reports on potential risks and hazards and contributes to mitigation activities."

- Edit Level 5 to be:
"Carries out complex and substantial risk assessments in business functions or technical areas such as information security or safety. Uses consistent processes for identifying potential risks or hazards and quantifies and documents their probability and impact. Engages domain experts as necessary particularly where specialist knowledge is required (such as architecture, environmental, security and safety). Coordinates complex mitigation activities and strategies and develops contingency plans. Advises on the organisation's approach to risk management."

- Edit Level 6 to be:
"Plans and manages the implementation of organisation-wide processes and procedures, tools and techniques for the identification, assessment and management of risks. Considers risk and mitigation activities from all programmes within the context of the business as a whole."

- Edit Level 7 to be:
"Establishes organisational strategy for addressing risk. Defines and communicates the organisation's appetite for risk. Provides resources to implement the organisation's risk strategy. Delegates authority for detailed planning and execution of risk management activities across the organisation including such areas as operations, architecture, environmental, information security and safety."