“An expert is someone who has made all the mistakes in a field that can possibly be made.” - Niels Bohr
There is an entire industry built around the idea of risk management consulting. The industry is perhaps more than just an idea, but arguably it is not yet a mature profession. It can be challenging to find people who are genuinely subject matter experts, not just in risk but also in developing real-world solutions to business risks.
So how do you find a subject matter expert (SME) to help you with your risk management? Sometimes you'll be fortunate enough to have one or more in your organization or to have a panel of consultants pre-selected for you. Even then, nobody is an expert in everything, and you'll need to find, among that group of people, someone who can help with your specific challenge.
The first step is to define the scope of what you want to achieve. Succinctly but tightly, with as little ambiguity as possible. What are the boundaries, and equally important, what exactly are the outcomes or deliverables? Do you want to build a risk management framework, design training programs, or conduct a risk assessment?
Each of these roles involves different specific skill sets. Below is a checklist to help you answer those questions.
Identify the scope and define Terms of Reference (ToR). What are the geographical, divisional, or financial boundaries of the project? Which risks will be addressed: safety, finance, engineering, security, or enterprise risks? Spend as much time as possible on this exercise and ensure that key stakeholders agree on the ToR.
At the end of the project, what objectives will you have achieved? Imagineering is the process of defining the ideal outcomes or what your organization will look like at the end of the project.
Make a list of the core competencies you would need. e.g., Training design, risk management experience (at what sort of levels: strategic, operational, tactical?), domains of knowledge required (if security, is it information security, physical security, personnel security, security management, etc.), audit experience, industry experience (banking, mining, commerce, etc.).
Take the above list and define the most essential and what levels of experience your ideal SME would have.
Do a web search and see if any professional qualifications or certifications will help. Professional certifications are perhaps the best way to identify an individual's skills at first glance. Is there a Certified Safety Practitioner or Certified Practicing Risk Manager accreditation that would help you define the particular skillsets you need and identify the individuals who have those skills? Have a detailed look at the actual competencies for a few of the certifications and see how closely they align with what you need as defined in terms of Reference. Are there professional associations that can guide the sort of SME's that you might need? Do you have colleagues in comparable organizations who can advise you on where to look for SMEs and which ones to avoid?
Draft a project plan. What will we achieve by hiring this expert? How long will it take to implement all this? How many people will I need? Do I have budget and management support for it? How much will it cost?
Look around close at hand for assistance. Is there anyone in your organization or network with the expertise? Or refer you to someone who does?
If you'll need to procure outside assistance, find out what the process is? Can you call someone in, or do you need to release a formal request for a quotation or perhaps go to tender?
Narrow down the list to a few people who appear to have the skills, then interview them. Ask them what their approach would be. Ask them if they have the skills as defined in your ToR and ask them for evidence of their experience in the form of examples, referees, etc. People will often be keen to say that they can do things to get the job, so you must check with referees. They may have done a similar task, but to what quality standards and how did they resolve issues came up?
Review, adjust, and agree the scope and deliverables with your chosen SME(s). Then commence the project.
There you have it, my 'top ten' list for finding a consultant in risk management (or anything else for that matter).