Top enterprise risk management certifications to consider

Certifications are essential to many careers. Here are some useful enterprise risk management certifications for risk managers, IT professionals and other workers.

Enterprise risk management helps organizations identify, analyze and manage circumstances that can create business risk. In companies, risk comes in many different forms and could lead to disruptions that affect business operations. Some of the common risks that ERM programs must address include financial, operational, legal, compliance and strategic ones.

ERM is also concerned with IT and cybersecurity risks that can hamper business activities. That includes cyberattacks and other security threats, as well as inadequate IT systems, a lack of technical skills and technology failures caused by natural disasters, power outages or other issues.

A successful risk management initiative provides an ERM framework that enables an organization to be aware of the various risks it faces and better prepared to deal with them. But ERM expertise is also required. One good way for IT, security and risk management professionals to obtain it is by earning enterprise risk management certifications.

What is the value of an ERM certification?

In general, certifications enable job seekers to stand out from the crowd of applicants. Also, with the right type of certification, an existing employee can earn higher pay and potentially a promotion. ERM certifications, in particular, provide third-party validation of an individual's knowledge of the risk management process. Requiring specific certifications for open positions can help risk leaders and others involved in the hiring process attract job candidates with the desired expertise.

An ERM certification is especially useful for members of a risk management team. But risk management expertise is often a requirement for other workers, too. For example, ERM skills are valuable for the CFO and employees in finance and accounting roles to help manage financial risk. ERM certifications are also useful for IT operations and security management professionals, as well as for workers responsible for regulatory compliance, project management and other functions.

Risk management requires being able to both plan for unknown incidents and react quickly to limit potential harm when they occur. While those capabilities are rarely gained via certification alone, an ERM certification is a baseline indicator of a person's know-how, which can then be expanded further through on-the-job experience.

16 ERM certifications to know about

There are a variety of ERM certifications for individuals and organizations to consider. Often, the key difference surrounding them is their focus and area of concentration. Some certifications are truly enterprise in nature and cover all aspects of risk management, while others are more specifically aligned with financial, IT, cybersecurity, business continuity or project risks.

The following list is organized along those lines, beginning with broadly focused certifications, followed by ones that are narrower in nature. The list is unranked, and the entries in the different sets of certifications are listed alphabetically.

1. Certified Risk and Compliance Management Professional (CRCMP)

Issuing organization: International Association of Risk and Compliance Professionals (IARCP).

Who should get this certification: The target audience is IT managers and professionals who want to document their ability to lead or support regulatory compliance and ERM initiatives.

Certification details: The CRCMP program includes a six-part course of study that starts with an introduction to risk management and governance, risk and compliance (GRC) concepts. Other modules cover the Sarbanes-Oxley Act and its international derivatives; the Basel I, II and III standards on GRC practices; the COSO ERM and internal control frameworks; implementing risk management and compliance programs; and AI issues in risk management. The IARCP provides presentations with a total of more than 2,000 slides as a self-directed study guide. The exam includes 35 multiple-choice questions that must be completed within 90 minutes. It's an open-book exam: The IARCP says the goal of the program is for participants to "acquire knowledge and skills, not commit something to memory."

Website: https://www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

2. COSO Enterprise Risk Management Certificate

Issuing organization: Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Who should get this certification: Risk management professionals, ERM consultants and board members who oversee risk management programs are the target audience. Participants should have at least two to six years of ERM experience and some exposure to COSO's updated ERM framework, which was published in 2017.

Certification details: Participants are trained on the concepts and principles of the COSO ERM framework through a course that includes seven self-study modules and a hands-on workshop component. After passing an online exam, they also receive 13.5 hours of continuing professional education (CPE) credits. COSO oversees the certification, which is available through four of its five sponsoring organizations: the American Institute of Certified Public Accountants; Financial Executives International; the Institute of Internal Auditors; and the Institute of Management Accountants.

Website: https://www.coso.org/erm-certificate

3. Enterprise Risk Management Certified Professional (ERMCP)

Issuing organization: Enterprise Risk Management Academy (ERMA).

Who should get this certification: The ERMCP target audience is experienced risk managers and risk analysts who have more than four years of relevant experience and are looking to boost their ERM expertise and career progression.

Certification details: The ERMCP involves an exam that assesses an individual's knowledge of ERM practices based on the ISO 31000 risk management framework developed by the International Organization for Standardization, commonly known as ISO. The exam consists of 140 multiple-choice questions designed to test technical competency and 10 that focus on professional behavior. Registrants get access to study materials and an exam simulation in ERMA's exam portal. The certification is valid for two years; to maintain it, holders are required to obtain 40 professional development units -- akin to CPE credits -- through ERMA's Continuous Professional Development program.

Website: https://www.erm-academy.org/risk-management-certification/ermcp

4. GRC Professional (GRCP) Certification

Issuing organization: Open Compliance and Ethics Group (OCEG).

Who should get this certification: GRCP is primarily designed for professionals who work in GRC positions or various related roles. But no specific work experience or educational degrees are required.

Certification details: Based on the OCEG's GRC Capability Model, the GRCP certification involves an open-book exam with 100 scored and up to 15 unscored questions to be completed within a two-hour time limit. All the questions are multiple choice; the unscored ones, which aren't labeled, are used to test new questions for future exam updates. An upfront course isn't mandated, but the OCEG provides an online self-study one and offers in-person courses through training partners. The certification is valid for one year and is then maintained by earning eight CPE credits annually, which the OCEG includes at no extra cost. Recipients must also retake and pass the exam every five years to retain the certification.

Website: https://www.oceg.org/certifications/grc-professional-certification/

5. International Certificate in Enterprise Risk Management

Issuing organization: Institute of Risk Management (IRM).

Who should get this certification: The IRM's certificate is geared toward risk management and business professionals across all sectors globally.

Certification details: Obtaining the certificate involves completing two modules, which typically takes six to nine months through a self-directed online learning course. The first module focuses on risk management principles and has a 60-question exam and one essay assignment, while the second is about ERM practices and includes two essay assignments but no exam. Participants can pay extra to attend a series of four virtual workshops that offer more interactive learning. The course can also be taken as the first part of a more advanced International Diploma in Risk Management program.

Website: https://www.theirm.org/qualifications/international-certificate-in-enterprise-risk-management/

6. Professional Risk Manager (PRM) Designation

Issuing organization: Professional Risk Managers' International Association (PRMIA).

Who should get this certification: The PRM program is designed for risk management specialists, particularly in the financial services industry, who are looking to obtain a graduate-level risk credential.

Certification details: The program consists of two certification exams that candidates must pass within a two-year period. The full enrollment period is three years to provide upfront study time. Applicants must be a PRMIA sustaining member or a member of the associated Risk Management Initiative in Microfinance, known as RIM for short. They must also hold a graduate degree or be a chartered financial analyst (CFA) charterholder through the CFA Institute, an association for investment management professionals. Individuals with a bachelor's degree only are eligible if they have two years of full-time work experience in financial services or a risk management department in any industry. PRMIA also offers a less-advanced Associate PRM Certificate focused on risk management fundamentals.

Website: https://www.prmia.org/Public/Public/PRM/Becoming_a_Certified_PRM.aspx

7. RIMS-Certified Risk Management Professional (RIMS-CRMP)

Issuing organization: Risk and Insurance Management Society (RIMS).

Who should get this certification: RIMS-CRMP is suitable for current and aspiring risk management professionals looking to validate their knowledge of key risk-related competencies.

Certification details: Applicants must have a college degree in risk management and one year of related work experience; another type of degree and three years of risk management work; or six years of experience in risk management with no degree. Students in the final year of a risk management degree program can also apply. Eligible applicants qualify for a two-hour exam, which consists of 120 multiple-choice questions and can be taken remotely or in person at Pearson VUE testing sites. RIMS provides a study guide, an online self-study overview course and exam prep workshops. RIMS-CRMP requires recertification every two years, which can be achieved by earning 50 recertification points, 35 of which must come from continuing education.

Website: https://www.rims.org/certification

8. Certified Enterprise Risk Manager (CERM)

Issuing organization: American Association for Investment and Financial Management (AAIFM).

Who should get this certification: It's primarily intended for professionals in the investment and financial management industry who want to demonstrate their compliance and risk management knowledge as well as relevant skills.

Certification details: Applicants must have a bachelor's degree in any field or at least two years of risk-related work experience. Twenty-five hours of approved training on compliance and risk management is also required. The CERM exam is three hours long and includes a combination of case study and essay questions with a heavy focus on risks related to environmental, social and governance programs. The AAIFM provides an exam handbook and training sessions on exam questions, but participants can also get more comprehensive training through authorized partners or Prometric test centers. CERM holders are required to recertify every four years by documenting 25 hours of further educational activities.

Website: https://www.aaifm.org/view_Article.aspx?type=2&ID=1069&certification=1

9. Certified Enterprise Risk Manager (CERM)

Issuing organization: Institute of Financial Consultants (IFC).

Who should get this certification: The IFC's certification validates the expertise of practitioners who are working in risk management, strategic planning, corporate governance, project management and related disciplines, as well as business consulting.

Certification details: Although this has the same name as the certification offered by the AAIFM, it's a separate one. The IFC's CERM program is offered through a partnership with Bristol Opus Leadership College (BOLC), a U.K.-based online learning provider. BOLC's course includes 13 modules that offer a risk management overview and cover specific ERM functions such as risk identification, risk evaluation and management of different types of business risks. The final module outlines the process of developing a risk management plan. There are no eligibility requirements, but 500 study hours are recommended before taking the exam. Successful participants receive a diploma from BOLC and can get the CERM designation after paying an additional fee to the IFC.

Website: https://www.ifconsultants.org/cerm.html

10. Certified Enterprise Risk Professional (CERP)

Issuing organization: American Bankers Association (ABA).

Who should get this certification: It's designed for risk management professionals who work in the banking industry.

Certification details: The CERP examination is composed of 200 multiple-choice questions spanning risk governance and risk management topics, to be completed within four hours. Applicants must have a bachelor's degree and five years of financial-industry experience, including three years in risk management or a closely related role; without a degree, the work experience requirements are seven and five years, respectively. The ABA offers an interactive online course to prepare for the exam, as well as risk management training courses and more in-depth "risk management schools." CERP certification holders need to earn 60 continuing education credits every three years to maintain their status.

Website: https://www.aba.com/training-events/certifications/certified-enterprise-risk-professional

11. Chartered Enterprise Risk Analyst (CERA)

Issuing organization: CERA Global Association.

Who should get this certification: Actuaries who work in financial services are the intended candidates.

Certification details: The CERA certification is available from more than 25 actuarial associations around the world that follow a common syllabus but use different education and testing approaches. The syllabus covers seven areas, including ERM concepts, the risk management process, risk modeling, risk metrics and risk management tools and techniques. In the U.S., the certification is primarily offered by the Society of Actuaries (SOA). The SOA's program includes an ERM e-learning module that will be revised by the end of 2025 and an exam that will also be replaced by a new one in the fall. CERA candidates also must pass a risk modeling statistics exam, as well as ones on probability, financial mathematics and actuarial mathematics, in addition to providing validation of several non-SOA educational courses.

Website: https://ceraglobal.org/cera-credential/what-is-cera/

12. Certified in Risk and Information Systems Control (CRISC)

Issuing organization: Information Systems Audit and Control Association (ISACA).

Who should get this certification: This is a good option for mid-career IT audit, risk and security professionals looking to grow in a cyber-risk role.

Certification details: The CRISC certification validates an individual's ability to identify and manage enterprise IT risk with appropriate technology and controls. Topics covered include organizational governance and risk management; IT risk assessment; risk response and risk reporting; and IT and information security. The exam includes 150 questions, and ISACA offers an online study course, review manuals and a database of exam questions, answers and explanations. Both the exam and the preparation materials are due to be updated in November 2025. Group training sessions and access to ISACA's member community for exam guidance from peers are also available. To maintain the certification, holders must earn at least 20 CPE credits annually and a total of 120 over three years.

Website: https://www.isaca.org/credentialing/crisc

13. Certified Information Systems Risk and Compliance Professional (CISRCP)

Issuing organization: International Association of Risk and Compliance Professionals.

Who should get this certification: It's suited to IT managers and staffers looking to validate their knowledge of obligations and best practices in IT risk management, regulatory compliance, information security and data privacy protections.

Certification details: Another certification offered by the IARCP, this program covers cybersecurity-related executive orders and directives from the U.S. government, plus GDPR and other EU regulations on data security and data privacy. It's designed to help participants understand legal and regulatory requirements for organizations on the covered topics. The CISRCP study guide includes presentations with more than 1,100 slides. As with the CRCMP certification, CISRCP candidates must pass an open-book exam with 35 multiple-choice questions and a 90-minute time limit.

Website: https://www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm

14. Certified Information Systems Security Professional (CISSP)

Issuing organization: ISC2 (formerly the International Information System Security Certification Consortium).

Who should get this certification: This is for chief information security officers and other security managers or practitioners who want to demonstrate a broad understanding of cybersecurity concerns, including IT security risks.

Certification details: To qualify for the certification, candidates must have at least five cumulative years of work experience in two or more of the eight security-related areas covered in the CISSP Common Body of Knowledge. Others who pass the CISSP exam get an Associate of ISC2 badge, then have six years to attain the required experience and earn the certification. The exam uses a computerized adaptive testing approach that includes 100 to 150 questions with a three-hour time limit; it's available in English, Chinese, German, Japanese and Spanish. ISC2 offers self-paced or instructor-led online training courses and a classroom training option, plus textbooks, study guides and practice tests.

Website: https://www.isc2.org/Certifications/CISSP

15. Certified Risk Management Professional (CRMP)

Issuing organization: Disaster Recovery Institute International.

Who should get this certification: The CRMP certification is for experienced risk management workers who want to validate their foundational knowledge and experience, with a focus on business continuity.

Certification details: Applicants need two or more years of related professional experience, including in at least two of the four areas of risk management practices covered by the CRMP exam. Two references per subject matter area are also required. DRI International, as the organization is commonly known, also mandates a two- or four-day course on risk management for business continuity as a further prerequisite. In addition to passing the exam, participants must write a series of four essays focused on their risk management duties and accomplishments. To maintain the certification, CRMP holders must earn 80 continuing education activity points annually.

Website: https://drii.org/certification/crmp

16. PMI Risk Management Professional (PMI-RMP)

Issuing organization: Project Management Institute (PMI).

Who should get this certification: The target audience is experienced project, risk or functional managers and C-suite executives looking to showcase their expertise in managing project-related risks.

Certification details: The PMI-RMP certification covers five risk management domains: strategy and planning, risk identification, risk analysis, risk response, and risk monitoring. Applicants must have a bachelor's degree and at least 24 months of project risk management experience within the last five years, or a secondary degree and 36 months of experience in the field. The exam includes 115 multiple-choice questions to be completed in 150 minutes, and the PMI offers two study guides, an e-learning prep course and another online learning tool with practice questions, lessons and "gamified activities." Ongoing education is also required: PMI-RMP certification holders must earn 30 professional development units every three years.

Website: https://www.pmi.org/certifications/risk-management-rmp

Editor's note: This article was updated in July 2025 for timeliness and to add new information.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
