Enterprise risk management helps organizations identify, analyze and manage circumstances that can create business risk. In companies, risk comes in many different forms and could lead to disruptions that negatively affect business or IT operations. Some of the most common risks that ERM programs must address include financial, operational, legal, compliance and strategic ones.
ERM is also concerned with IT and cybersecurity risks that can hamper business activities. That includes cyber attacks and other security threats, as well as inadequate IT systems, a lack of technical skills and technology failures caused by security incidents, natural disasters, power outages or other issues.
A successful risk management initiative provides an ERM framework that enables an organization to be aware of the various risks it faces and better prepared to deal with them. But ERM expertise is also required, and one way for IT, security and risk management professionals to obtain it is by earning enterprise risk management certifications.
What is the value of an ERM certification?
In general, certifications enable job seekers to stand out from the crowd of applicants. Also, with the right type of certification, an existing employee can earn higher pay and potentially a promotion. ERM certifications in particular provide third-party validation of an individual's knowledge of the risk management process.
An ERM certification is especially useful for members of a risk management team in an organization. But risk management expertise is often a requirement for other workers too. For example, ERM skills are valuable for the CFO and employees in finance and accounting roles to help manage financial risk. ERM certifications are also useful for IT operations and security management professionals and for workers who are responsible for regulatory compliance, project management and other functions.
Risk management requires being able to both plan for unknown incidents and react quickly to limit potential harm when they occur. While those capabilities are rarely gained via certification alone, an ERM certification is a baseline indicator of a person's know-how, which can then be expanded further through on-the-job experience.
16 ERM certifications to know about
There are a variety of ERM certifications for individuals and organizations to consider. Often, the key difference between them is their focus and area of concentration. Some certifications are truly enterprise in nature and cover all aspects of risk management, while others are more specifically aligned with financial, IT, cybersecurity, business continuity or project risks.
The following list of 16 certifications is organized along those lines -- it starts with broadly focused ones followed by ones that are narrower in nature.
1. Certified Risk and Compliance Management Professional (CRCMP)
Issuing organization: International Association of Risk and Compliance Professionals (IARCP).
Who should get this certification: The target audience is IT managers and professionals who want to document their ability to lead or support regulatory compliance and ERM initiatives.
Certification details: The CRCMP program includes a six-part course of study that starts with an introduction to risk management and governance, risk and compliance (GRC) concepts. Other modules cover the Sarbanes-Oxley Act and its international derivatives; the Basel II and III standards on GRC practices; the COSO ERM and internal control frameworks; implementing risk management and compliance programs; and AI issues in risk management. The IARCP provides presentations with a total of 1,935 slides as a self-directed study guide. The exam includes 35 multiple-choice questions that must be completed within 90 minutes. It's an open-book exam -- the IARCP says the goal of the program for participants is to "acquire knowledge and skills, not commit something to memory."
2. COSO Enterprise Risk Management Certificate
Issuing organization: Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Who should get this certification: Risk management professionals, ERM consultants and board members who oversee risk management programs. Participants should have at least two to six years of ERM experience and some exposure to COSO's updated ERM framework, which was published in 2017.
Certification details: Participants are trained on the concepts and principles of the COSO ERM framework through a course that includes seven self-study modules and a hands-on workshop component. After passing an online exam, they also receive 13.5 hours of continuing professional education (CPE) credits. COSO oversees the certification, which is available through four of its five sponsoring organizations: the American Institute of Certified Public Accountants; Financial Executives International; the Institute of Internal Auditors; and the Institute of Management Accountants.
3. Enterprise Risk Management Certified Professional (ERMCP)
Issuing organization: Enterprise Risk Management Academy (ERMA).
Who should get this certification: The ERMCP target audience is experienced risk management professionals who have at least three to six years of experience and are looking to boost their ERM expertise and career progression.
Certification details: The ERMCP involves an exam that assesses an individual's knowledge of ERM practices based on the ISO 31000 risk management framework developed by the International Organization for Standardization, commonly known as ISO. The exam consists of 140 multiple-choice questions designed to test technical competency and 10 that focus on professional behavior. Registrants get access to study materials and an exam simulation in ERMA's exam portal. The certification is valid for two years; to maintain it, holders are required to obtain 40 professional development units -- akin to CPE credits -- through ERMA's Continuous Professional Development program.
4. GRC Professional (GRCP) Certification
Issuing organization: Open Compliance and Ethics Group (OCEG).
Who should get this certification: GRCP is primarily designed for professionals who work in GRC positions or various related roles. But no specific work experience or educational degrees are required.
Certification details: Based on the OCEG's GRC Capability Model, the GRCP certification involves an exam with 100 scored and up to 15 unscored questions to be completed within a two-hour time limit. All the questions are multiple choice; the unscored ones, which aren't labeled, are used to test new questions for future exam updates. An upfront course isn't mandated, but the OCEG provides an online self-study one and offers in-person courses by training partners. The certification is valid for one year, then requires eight CPE credits annually, which are included at no extra cost. Recipients are required to pass the exam every five years to retain the certification.
5. International Certificate in Enterprise Risk Management
Issuing organization: Institute of Risk Management (IRM).
Who should get this certification: The IRM's certificate is geared toward risk management professionals across all sectors globally.
Certification details: Obtaining the certificate involves completing two modules, which typically takes six to nine months through a self-directed online learning course. The first module focuses on risk management principles and has an exam and one essay assignment, while the second is about ERM practices and includes two essay assignments but no exam. Participants can pay extra to attend a series of four virtual workshops that offer more interactive learning. The course can also be taken as the first part of a more advanced International Diploma in Risk Management program.
6. Professional Risk Manager (PRM) Designation
Issuing organization: Professional Risk Managers' International Association (PRMIA).
Who should get this certification: The PRM program is designed for risk management professionals, particularly ones in the financial services industry, who are looking to obtain a graduate-level credential.
Certification details: The program consists of two certification exams that candidates must pass within a two-year period. The full enrollment period is three years to provide upfront study time. Applicants must be a PRMIA sustaining member or a member of the associated Risk Management Initiative in Microfinance, known as RIM for short. They must also hold a graduate degree or be a chartered financial analyst (CFA) charterholder through the CFA Institute, an association for investment management professionals. Individuals with a bachelor's degree only are eligible too if they have two years of full-time work experience in financial services or a risk management department in any industry. The PRMIA also offers a less-advanced Associate PRM Certificate focused on risk management fundamentals.
7. RIMS-Certified Risk Management Professional (RIMS-CRMP)
Issuing organization: Risk and Insurance Management Society (RIMS).
Who should get this certification: RIMS-CRMP is suitable for current and aspiring risk management professionals looking to validate their knowledge of key risk-related competencies.
Certification details: Applicants must have a college degree in risk management and one year of related work experience; another type of degree and three years of risk management work; or six years of experience in risk management with no degree. Students in the final year of a risk management degree program can also apply. Eligible applicants qualify for a two-hour exam, which consists of 120 multiple-choice questions and can be taken remotely or in person at Pearson VUE testing sites. There's no formal course involved, but RIMS provides a study guide for the exam. RIMS-CRMP requires recertification every two years, which can be achieved by earning 50 continuing education points.
8. Certified Enterprise Risk Manager (CERM)
Issuing organization: American Association for Investment and Financial Management (AAIFM).
Who should get this certification: It's primarily intended for professionals in the investment and financial management industry who want to demonstrate their compliance and risk management knowledge as well as relevant skills.
Certification details: Applicants must have a bachelor's degree in any field or at least two years of risk-related work experience. Twenty-five hours of approved training on compliance and risk management is also required. The CERM exam is three hours long and includes a combination of case study and essay questions with a heavy focus on risks related to environmental, social and governance programs. The AAIFM provides an exam handbook and training sessions on exam questions; participants can also get more comprehensive training through authorized partners or Prometric test centers. CERM holders are required to recertify every four years by documenting 25 hours of further educational activities.
9. Certified Enterprise Risk Manager (CERM)
Issuing organization: Institute of Financial Consultants (IFC).
Who should get this certification: The IFC's certification validates the expertise of practitioners who are working in risk management, strategic planning, project management and related disciplines, as well as business consulting.
Certification details: Although this has the same name as the certification offered by the AAIFM, it's a separate one. The IFC's CERM program includes four main modules: an ERM overview followed by sections on ERM management, culture and control; risk management tools and techniques; and different types of business risks. Applicants must have a bachelor's degree and at least two years of relevant work experience, and they're also required to get 30 hours of CERM training from IFC-accredited providers before taking the one-hour exam.
10. Certified Enterprise Risk Professional (CERP)
Issuing organization: American Bankers Association (ABA).
Who should get this certification: It's designed for risk management professionals who work in the banking industry.
Certification details: The CERP examination consists of 200 multiple-choice questions spanning risk governance and risk management topics, to be completed within four hours. Applicants must have a bachelor's degree and five years of financial-industry experience, including three years in risk management or a closely related role; without a degree, the work experience requirements are seven and five years, respectively. The ABA offers an interactive online course to prepare for the exam, as well as risk management training courses and more in-depth "risk management schools." CERP certification holders need to earn 60 continuing education credits every three years to maintain their status.
11. Chartered Enterprise Risk Analyst (CERA)
Issuing organization: Society of Actuaries (SOA).
Who should get this certification: Actuaries and other professionals who work in financial services are the intended candidates.
Certification details: Individuals need to complete a set of e-learning courses, five exams and a seminar on professionalism to earn the CERA certification. The courses include an ERM module that covers developing a risk management framework, identifying operational risks and other topics. There's an associated ERM exam and a risk modeling statistics one, as well as exams on probability, financial mathematics and actuarial mathematics. Candidates also must provide validation of non-SOA educational courses on mathematical statistics, economics, and accounting and finance.
12. Certified in Risk and Information Systems Control (CRISC)
Issuing organization: Information Systems Audit and Control Association (ISACA).
Who should get this certification: This is a good option for mid-career IT audit, risk and security professionals looking to grow in a cyber-risk role.
Certification details: The CRISC certification validates an individual's ability to identify and manage enterprise IT risk with appropriate technology and controls. Topics covered include organizational governance and risk management; IT risk assessment; risk response and risk reporting; and IT and information security. The exam includes 150 questions, and ISACA offers an online study course, review manuals and a database of exam questions, answers and explanations. Group training sessions and access to ISACA's member community for exam guidance from peers are also available. To maintain the certification, holders must earn at least 20 CPE credits annually and a total of 120 over three years.
13. Certified Information Systems Risk and Compliance Professional (CISRCP)
Issuing organization: International Association of Risk and Compliance Professionals.
Who should get this certification: It's suited to IT managers and staffers looking to validate their knowledge of IT risk management, regulatory compliance, information security and privacy obligations.
Certification details: Another certification offered by the IARCP, this program covers cybersecurity-related executive orders and directives from the U.S. government plus GDPR and other EU regulations and directives on data security and data privacy. It's designed to help participants understand legal and regulatory requirements for organizations on the covered topics. The CISRCP study guide includes presentations with 1,540 slides. As with the CRCMP certification, CISRCP candidates must pass an open-book exam with 35 multiple-choice questions and a 90-minute time limit.
14. Certified Information Systems Security Professional (CISSP)
Issuing organization: ISC2 (formerly the International Information System Security Certification Consortium).
Who should get this certification: This is a security-focused certification for IT professionals who want to demonstrate a broad understanding of cybersecurity concerns, including IT security risks.
Certification details: To qualify for the certification, candidates must have at least five cumulative years of work experience in two or more of the eight areas covered in the CISSP Common Body of Knowledge. Others who pass the CISSP exam get an Associate of ISC2 badge, then have six years to attain the required experience and earn the certification. The English-language CISSP exam uses a computerized adaptive testing approach that includes 125 to 175 questions with a four-hour time limit. In other languages, the exam is a fixed-form test with 250 questions that must be completed within six hours. ISC2 offers self-paced or instructor-led training courses plus textbooks, study guides and practice tests.
15. Certified Risk Management Professional (CRMP)
Issuing organization: Disaster Recovery Institute International.
Who should get this certification: The CRMP certification is for experienced risk management workers who want to validate their foundational knowledge and experience, with a focus on business continuity.
Certification details: Applicants need two or more years of related professional experience, including in at least two of the four areas of risk management practices covered by the CRMP exam. Two references per subject matter area are also required. DRI International, as the organization is commonly known, also mandates a two- or four-day course on risk management for business continuity as another prerequisite. In addition to passing the exam, participants must write a series of four essays focused on their risk management duties and accomplishments. To maintain the certification, CRMP holders must earn 80 continuing education activity points annually.
16. PMI Risk Management Professional (PMI-RMP)
Issuing organization: Project Management Institute (PMI).
Who should get this certification: The target audience is experienced project, risk or functional managers and C-suite executives looking to showcase their expertise in managing project-related risks.
Certification details: The PMI-RMP certification covers five risk management domains: strategy and planning, risk identification, risk analysis, risk response, and monitoring and reporting. Applicants must have a bachelor's degree and at least 24 months of project risk management experience within the last five years, or a secondary degree and 36 months of experience in the field. The exam includes 115 multiple-choice questions, and the PMI offers a study guide and prep courses conducted by authorized training partners. Ongoing education is also required: PMI-RMP certification holders must earn 30 professional development units every three years.