Playing To Win At The Game Of Risk

The recent escalation of information security incidents around the world, from the Equifax hack and the publishing of NSA-derived exploits and global ransomware attacks, to the barrage of hacking continuing to plunge the Ukraine into a constant state of unease, has highlighted the increased need for better risk assessment and management in all areas of business.

As a former information security professional turned exam sponsor, I view risk assessment and management as being innately imbedded into the management of our credentialing program. It is increasingly evident, however, that my path to the certification realm differs significantly from the path taken by most professionals who also end up there.

As technology continues to transform our industry rapidly, everyone needs to understand risk assessment and management basics to make informed decisions affecting the validity, integrity, and credibility of our assessment and credentialing programs.

In the credentialing world, the concept of “legal defensibility” is a consistent theme. We spend significant time, money, and effort ensuring our programs are legally defensible, and applying rigorous psychometric standards and processes. Yet this term rarely extends beyond supporting the basic validity of the assessment score interpretations. Exam security rarely extends beyond maintaining the confidentiality of the test items and delivery.

In the information security world, legal defensibility is enshrined in two specific concepts: due diligence and due care; bridging these two is the risk assessment process. A basic understanding of these concepts and the process will allow certification sponsors to make better decisions across their credentialing programs.

Due Diligence