Certified Operational Risk Professional


This certification has been designed for all staff in organisations who wish to develop their ability to manage operational risk in their functions.

For staff in the operational risk management function, this certificate would enable the individual to demonstrate a practical and professional understanding of the operational risk environment in the organisation. It would also help prepare the holders for higher responsibilities within the industry.

The certificate is also very important for senior managers with an operational risk oversight role. The certificate is based on ISO 31000:2009 Risk Management Principles/Guidelines, Basel Accords and the COSO framework.

The syllabus covers all aspects of the operational risk management process, modeling and stress testing. The examination is in two stages: Stage One [Fundamentals] and Stage 2 [Advanced].

Course Modules

Emerging risks, Conduct and Risk Culture

  • Risk identification tools and emerging risks
  • Tools and techniques for risk identification
  • Exposures and Vulnerabilities
  • The Risk Wheel
  • Value drivers and reverse stress testing
  • Risk register: a list
  • Risk connectivity: network of risks
  • World economic forum: risk map
  • Emerging risks

Implementing ORM: The Invisible Framework

  • Governance of Operational Risk
  • 1st line and 2nd line: The partnership model
  • Use and reuse: The Invisible Framework
  • Business value of ORM

Risk Reporting and Conduct Reporting

  • Modern issues on events and risk reporting: the regulator’s view
  • Analysing operational risk data: get insight, tell a story
  • Management information: the “reporting cake”
  • Aggregate and escalate risk information: your options
  • Conduct reporting: themes and details
  • Highlights of best practice, Group discussion and sharing of experience

Defining Risk Culture

  • Acting on behaviours: the Influencer
  • Necessary conditions: willingness and ability
  • Risk Culture: DESIRE steps: Define – Inspire – Support – Enable – Reinforce – Evaluate
  • Assessing the risk culture

Risk Appetite, Internal Controls and KRIs

Defining Risk Appetite statements and tolerance limits

  • Industry guidance on Risk Appetite
  • Risk appetite, tolerance, risk limits and controls
  • Templates and options for actionable Risk Appetite
  • Risk Appetite Statements: Features and Examples
  • Cascading Risk Appetite: RCSA & Indicators
  • KRI and risk limits
  • Slips and mistakes: Typology and causes of human errors
  • HRA: Human Reliability Analysis and other methods
  • Understand and treat the causes of human error
  • Effective or Illusory controls
  • Prevention by Design

Root causes analysis – the bow-tie

  • Root cause analysis: tool and method
  • Benefits of root cause analysis: tracking the common failures and systematic patterns
  • Treating causes over symptoms
  • Bow-tie: a most effective tool to define:
      • Preventive and corrective controls
      • Leading KRIs
      • Risk likelihood and expected impact

Features of leading KRIs

  • KRI, KPI, KCI: definitions and uses.
  • A typology of Key Risk Indicators
  • KRIs: metrics of risk drivers

Cyber Security, Scenario Analysis and Project Risks

Cyber threats and information security

  • Cyber threat landscape
  • An old emerging risk
  • Key controls in cyber security
  • Physical and behavioural measures
  • Priorities in prevention
  • Lessons learnt from some incidents

Scenario Analysis: Governance, Stress testing and Assessment methods

  • Four dimensions of stress-testing
  • Steps and governance of scenario analysis
  • Tackling behavioral biases in scenario assessment
  • Industry practices and lists of scenarios
  • Assessing probabilities of rare events
  • Acting on Scenario Analysis

Reorganisation risk and project management

  • Risk due to changes and re-organisations
  • The trap of cost-cutting
  • Invisible opportunity costs
  • Essentials of project risk management

Key Risk Indicators

What are Key Risk Indicators?

How are they different from Key Performance Indicators?

Relationship to KPIs

Common challenges

KRIs as leading indicators

Root cause events

Intermediate events

KRI Framework

Risk Appetite

Defining and maintaining a KRI framework

Selecting KRIs

Setting thresholds

Monitoring and reassessing KRIs

Identifying and Investing KRIs

Escalating Exceptions

Linking objectives and strategies to risks

Contribution of objectives, strategies and potential risks

KRIs as a strategic management tool

Proactively addressing emerging risks

Relationship to Enterprise Risk Management

Common Mistakes

Core Elements of Well-Designed KRIs

Common KRIs for financial firms

Communication and Reporting

Role of the board

Procedures and policies

Communicating the value proposition of KRIs

Preventive KRIs

Selecting and designing KRIs step by step

Metrics of risk drivers

A typology of KRIs: Exposure, stress, causal and failure

KRI design and reporting

Root cause analysis for KRI identification

Root cause analysis and lessons learnt from large incidents

Cause of the cause: the benefits

Bow tie tool: tracking common failures and systematic patterns

Root cause and risk prevention

Process mapping and control design

Process mapping: Highlights risk and controls at every step

KCIs: Assessing controls: Their existence, their effectiveness

Typology of controls

Typology of human error: the work of James Reason

Active and latent errors

Prevention by design

KRI for information security risks

Information security risk assessment method: case study

Key controls in information and cyber security

KRIs for information security: exposure, failures and stress indicators

Reporting & Governance on KRI 

Reassess your current indicators and select appropriately

KRIs for project risk management & validation

Project management and risk management involvement

KRI for projects

Reporting on projects and changes

Testing KRIs: assess the validity of your indicators

Governance around risk indicators

Indicators for conduct and risk culture

Conduct and Culture: metrics and behaviours



Risk & Control Self-Assessment


Revisiting risks and controls: what are we assessing?

The risk Bow Tie: Causes, Events and Impacts

A risk framework and where RCSA fits

Inherent, Residual, Expected and Targeted Risk

Treatment methods and control effectiveness

Understanding likelihood and impact drivers


Objectives of RCSA

What is RCSA?

The importance of linking RCSA to strategy and objectives

The various approaches to RCSA


Identifying business and process objectives

Identifying critical processes

Identifying risks

Identifying controls

Assessing risks: Inherent and residual

Assessing the effectiveness of controls

Creating escalations, follow-ups and action plans


Determining what to assess

Identifying risks

Risk descriptions: what are the rules?

Identifying treatment methods

Types of Control

Likelihood and impact scales

Setting likelihood scales: What measure?

Setting impact scales: How many types of impact?


Linking risks to objectives and critical processes

Linking risks to causes and impacts

Linking risks to controls

Assessing the size of risk

Is inherent risk useful and can it be determined?

Cumulative and aggregated control effectiveness

Determining treatment/control improvements


Deciding on participants

Background information

Carrying out an initial assessment

Carrying out periodic assessment updates

Towards continuous assessment


Types of report

Information to report

Including RCSA in an aggregated dashboard report

Interpreting reports


Escalations and notifications

As a risk monitoring and management tool

As a benchmarking tool

As a driver of behaviour


Linking RCSA to KRIs, Compliance, Incident Management, Issues and Action Tracking

Obtaining business engagement


Maximising the value from the RCSA process

The main pitfalls and how to overcome them

Who Can Sit for the Exam?

  • Managers and officers in operational risk management function
  • Process and business owners
  • Team Leaders
  • Holders of the CRMP certificate issued by RMA
  • Enterprise Risk Managers
  • Operational Risk Managers
  • Operations Managers
  • Internal Auditors
  • HR officers
  • Compliance officers
  • Consultants
  • Regulators
  • All staff in an organisation