Not that it matters. CRISC is proving itself irrelevant by failing to make anyone care. By way of comparison, I googled a few other certifications for the audit and security world, then threw in the Certified Public Accountant (CPA) for good measure.
Needless to say, CPA crushed the audit and security certs with ?30,700,000 Google hits. CISM & CISA had 15,400,000 and 15,000,000, respectively. The CISSP showed a not-disrespectable 9,390,000.
Then we got into what I will kindly call the “add-on” certs, even though they are frequently intended to be extensions or specialist certifications. I chose the ISSAP and ISSMP, the post-CISSP Architecture & Security Management certifications from ISC^2. ISSAP had 181,000 hits, ISSMP had only 69,000 hits, making it the only certification I checked that fared worse than CRISC.
Now that the data is out of they way, I can get to the real question.
Does no one care about CRISC because no one cares about yet-another-super-specialized-certification? And/Or does no one care about CRISC because no one cares about risk assessment?
Well, given that googling “Risk Assessment” (in quotes) got me 12,400,000 hits, I’m going to go with yes on the first question and no on the second.
Now, combining Alex’s CRISC-O post with something Nick Selby said in a conversation he and I had a while back, “You can’t manage a risk you don’t understand,” then all a Risk Assessment Certification can even potentially do is imply that the holder knows how to follow a process–which I would argue is the least intellectually challenging and valuable part of any knowledge work activity.
Personally, I care a great deal about Risk Assessment, both as an interesting intellectual problem and also as a tool for solving real-world problems, even if I generally lack the time to do it right. I certainly don’t have time to get certified as a Risk Assessor, nor do I feel the need. Given my opinion that certifications are just a signalling mechanism in the hiring process, that should come as a surprise to no one.