What Is Risk Management?
Identifying, analyzing, assessing, controlling, avoiding, minimizing, or eliminating unacceptable hazards is what risk management is all about. Where do risks come from? Causes include Acts of God (natural causes and disasters), unpredictable or unknowable events, and deliberate attacks from adversaries, such as agents of terrorism. There are also legal liabilities, credit risks, financial market uncertainties, accidents, or threats of project failures.
Legal Regulations and Risk Management Standards
Most people associate risk management with legal compliance around financial risk, such as the enactment of the Sarbanes-Oxley Act (SOX) in the wake of the Enron scandal and the passing of the Dodd-Frank Act after the financial chaos following the stock market crash of 2008. But there are numerous other laws pertaining to risk management, including those designed to protect citizens’ health records, like the Health Insurance Portability and Accountability Act (HIPAA); consumer protection laws, like the Federal Food, Drug, and Cosmetic Act (FD&C); and regulations to protect employees in the workplace, like those of the Occupational Safety and Health Administration (OSHA).
There are also business risks that you cannot legally regulate, but that still require risk management. These may involve strategies around competition, operational strategies to limit the effect of the loss or breakdown of equipment, or commercial risks, like the failure of key suppliers or customers. You can learn more about vendor risk management in this article: Definitive Guide to Vendor Risk Management.
Who Creates Risk Management Standards?
Worldwide standards have been developed to establish accepted frameworks, practices, and processes to protect people, property, businesses, and money. Generally set by recognized industry groups or international standards bodies, these standards reflect the varied motivations and technical concerns of their developers. Unlike laws, standards are usually not obligatory, although a contract or regulator may stipulate compliance nonetheless. To keep up with the pace of change, standards must be amended and updated regularly. That’s one of the reasons many risk management certifications require or encourage ongoing education — so that you can retain formal recognition and stay informed of updates made.
Risk management standards have been established by the National Institute of Standards and Technology (NIST), actuarial societies, the Project Management Institute (PMI), and the International Organization for Standardization (ISO), among many others. These standards differ according to industry — you can obtain risk management certifications for contractors, engineers, industrial concerns, finance, actuarial assessments, project management, public health and safety, and security.
Risk management is a subject of great depth and breadth. To help explain the significance of this discipline, as well as risk management certifications, two professionals share their expertise:
What’s the Value of Risk Management Certification?
Government bodies and industries have expanded regulatory compliance rules that examine companies' risk management policies since the early 2000s. As a result, an ever-growing number of industries require boards of directors to review and report on the effectiveness of enterprise risk management processes. This focus on risk management has made it one of the major components of overall business strategy.
Universities now offer undergraduate and advanced degrees in risk management in various fields. Many organizations employ regulatory compliance officers to ensure that they conform to legal standards.
Risk management certifications in every business help practitioners establish metrics, understand how to work with risk, and avoid behavior and decision-making errors. Certifications support frameworks to make good decisions under pressure, use innovation principles to generate alternatives, and gain buy-in from stakeholders for effective implementation.
Risk management certifications help professionals learn the organizational skills to assess and prioritize real and potential risks, and they often use matrices in the risk assessment process. You can find more information and tools about creating a risk assessment matrix within this article: All the Risk Assessment Matrix Templates You Need.
The Benefits of Risk Management Certification for Individuals and Organizations
The value of risk management certifications for individuals keeps growing, according to Berman. “Certifications are important tools for individuals to demonstrate knowledge, increase professional marketability, and attain higher salaries, as well as affirm professional expertise,” he notes. “The more companies and industries value professional certifications, the more opportunities for career progression a certified individual will have.”
For organizations, there are multiple benefits. “Not only does certification add prestige to both the company and its employees,” says Berman, “it also provides independent verification that certified employees and the organization they work for are knowledgeable of industry standards. The industry standard bearers ensure these standards by conducting rigorous tests. Organizations with certified employees also benefit from their continuous professional development, increased skill set, and ever-growing expertise from interacting with a network of certified colleagues.”
Insurance is all about risk, and risk certifications certainly make sense in that particular industry. Thompson comments that in the insurance profession, there are a wide variety of certifications that make sense for the practitioner and the clients. “Insurance professionals have an opportunity to obtain a myriad of designations to solidify their technical knowledge, including Chartered Property Casualty Underwriter (CPC), Chartered Life Underwriter (CLU), Chartered Financial Consultant (ChFC), Certified Insurance Service Representative (CISR), Certified Insurance Counselor (CIC), Chartered Advisor for Senior Living (CASL), Certified Patient Protection & Affordable Care Act Professional (PPACA), Associated Risk Manager (ARM), Professional Risk Manager (PRM), and others,” she says. “Both the long-standing, more general certifications and the more recent, niche ones are highly respected, and both are crucial to protecting clients and deepening professional authority.”
Risk Management in Action: A Case Study
DRI International, the nonprofit Berman helms, supports Business Continuity Management (BCM), which integrates the disciplines of emergency response, crisis management, disaster recovery (technology continuity), and business continuity (organizational/operational relocation) and provides internationally recognized risk management certifications.
Berman notes that risk management certification is important to society as a whole. “Since the majority of the nation’s infrastructure is owned by the private sector, certified professionals offer a significant service to society by protecting these valuable assets.” He provided the following case study to show how multiple actions taken simultaneously make sense in large-scale disaster situations:
TELUS is Canada’s fastest-growing national telecommunications company, with $12.8 billion in annual revenue and 12.7 million customer connections. It is also a major Canadian provider of mission-critical services and infrastructure for the community, businesses, and government, including areas affecting national security and public safety. The Corporate Business Continuity Office (CBCO) manages an extensive business continuity program that addresses response and recovery, risk mitigation, preparedness, business continuity, and team member protection. The CBCO also activates and facilitates the Emergency Management Operations Committee (EMOC) process.
They were ready when disaster struck. On May 3, 2016, wildfires swept through the Northern Alberta communities of Fort McMurray, Wood Buffalo, and the Athabasca Chipewyan First Nation, covering an estimated 590,000 hectares (nearly 1.5 million acres), destroying over 2,400 homes and buildings, and leading to the evacuation of approximately 88,000 citizens. At $3.58 billion, it is Canada’s costliest disaster.
TELUS’ focus over the coming days was to ensure the safety and well-being of its team members and customers, protect the telecommunications network, and support the communications needs of responders and community emergency operations. TELUS responded quickly and collaboratively with stakeholders to safeguard the continuity of its services and ensure the wellbeing of customers and team members within the community. Its community-first approach was central to an effective response and recovery in Fort McMurray and surrounding communities.
He concludes, “Communities rely on the private sector in times of crisis, and certified professionals are responsible for assuring continuity of operations, including the supply chain.” He went on to emphasize, “This is vital post-crisis when the public looks to businesses to provide water, food, building materials, and other basic necessities.”
Six Steps to Professional Risk Management Certification
Details regarding the number of classes, etc., may differ slightly from organization to organization, but, in general, there are six steps to certification:
- Decide Which Certification Is Right for Your Field: Risk management certifications are usually specific to your profession.
- Determine Your Eligibility and Skill Level: Many risk management certification programs offer different levels of certification.
- Register for Exam: You can usually register online.
- Complete Coursework if Necessary: Some certifications only require having experience in the field and passing an exam, while some require a series of courses before certification eligibility. For most certifications, you can take coursework in person or virtually.
- Take Exam: You can usually take exams online. Some certifications require taking one exam and then following up with another exam (see Global Association of Risk Professionals as an example) or may require periodic “refresher” exams to retain certification.
- Receive Certificate: Some certifications require continuing education and retesting to retain certification (see The National Alliance for Insurance Education & Research as an example).
Risk Management Coursework and Certification: Online or Face-to-Face?
Most institutions offer both online and in-person training, and for many busy professionals, it’s simply more convenient to take courses and complete exams on the web. “DRI certifications are a two-part process — verification of knowledge and confirmation of experience — and are offered in 13 different forms,” says Berman, “along six career tracks, at experienced and novice levels. While DRI offers in-person training across the globe, online study makes certification even more accessible, particularly for those isolated by location.”
When asked about web or face-to-face instruction, Thompson says, “Insurance professionals and risk managers have developed their technical experience through classroom training or on-the-job training. When first entering the insurance industry, you usually get on-the-job training, but many professionals seek to further their knowledge. The Risk Management Society, the National Association of Health Underwriters, and the Independent Insurance Agents & Brokers of America are great resources for continuing your education. You can obtain designations that are specific to your personal development and your business.”
Risk Management Certification Institutions
There are quite a number of institutions that provide risk management certifications, as well as ongoing training. Ongoing training is mandatory in some cases, particularly in the insurance industry.
About insurance, Thompson says, “Some designations offer practical knowledge, while others are theory driven, but all are geared to making professionals better and more knowledgeable about their jobs. Most states require continuing education as part of maintaining your insurance license, and there are various courses available which include specific topics that fulfil those education requirements.” She stresses that “Certifications are a good way to comply with that obligation and simultaneously further your professional career.”
We’re covering some of the more notable risk management certification organizations in the overview below, because as risk management becomes more prevalent, more certifiers are entering the arena. With very few exceptions, certification is a fee-based service of non-profit organizations. However, there’s one organization, the International Organization for Standardization (ISO), that stands apart from the others in several ways. The ISO drives certifications by many different entities and sets standards of all kinds, although it doesn’t provide certifications itself. It has developed and published 21,561 international standards, which can be viewed and purchased from the ISO Store. ISO 31000, ISO 31000:2009, and IEC 31010:2009 relate specifically to risk management, but the non-profit organization provides benefits to almost every business and government sector with standards that ensure quality and underlie the technology we depend on.
Below is an alphabetical list and description of the most prominent certifying bodies:
- The American Hospital Association (AHA®): The AHA, along with other government and non-government agencies, seeks to improve the ability of its members to deliver quality healthcare by influencing federal legislation and regulation. The AHA Certification Center partners with The American Society for Healthcare Risk Management (ASHRM) to administer the Certified Professional in Healthcare Risk Management (CPHRM) exam.
- DRI International (DRI): DRI provides a wide range of certification and acts in an advisory capacity to organizations and government institutions worldwide to help foster and create professional standards and promote greater security, resilience, and safety for society. DRI works hand-in-hand with many of the world’s disaster relief and reduction organizations, like the United Nations Office for Disaster Risk Reduction (UNISDR) and the Private Sector Alliance for Disaster Resilient Societies (ARISE).
- Enterprise Risk Management Academy (ERMA): With members in over 100 countries, ERMA is helping enterprises efficiently manage risk with appropriate methods and processes. (This task has become a major challenge for many corporations.) ERMA provides a comprehensive set of ERM courses and certifications and is facilitating collaborative efforts with professionals the world over.
- Financial Industry Regulatory Authority (FINRA): FINRA exists to provide investor protection and market integrity by effectively and efficiently regulating broker-dealers. A non-government, non-profit agency authorized by Congress, FINRA provides education and certification for the financial sector.
- Global Association of Risk Professionals (GARP): GARP educates and informs the risk community at all levels, from professionals just starting their careers to those risk program leaders at the world’s largest financial institutions to their governing regulators. The organization helps professionals make better-informed risk decisions by “creating a culture of risk awareness®.”
- Information Systems Audit and Control Association (ISACA®): An independent, worldwide IT association, ISACA aims to develop, adopt, and use globally accepted, industry-leading practices and knowledge for information systems.
- Information Technology Infrastructure Library (ITIL/Axelos®): Focused on aligning IT services with business needs, ITIL is a set of best practices for IT service management (ITSM). The ITIL Certification Management Board (ICMB) manages ITIL certification and includes representatives worldwide. The recognized user group is the IT Service Management Forum (itSMF).
- Institute of Certified Construction Industry Financial Professionals (ICCIFP): Affiliated with the Construction Financial Management Association (CFMA), ICCIFP is an independent entity. The CCIFP credential recognizes financial managers with a deep understanding of the construction business and its risks, and is endorsed by multiple industry organizations. In an ever-changing field, construction accounting certification holders can maintain their knowledge with continuing education.
- The Institute of Internal Auditors (IIA): The Institute of Internal Auditors (IIA) is an international, professional association that provides education, information, and networking opportunities to auditors in the financial services industry, business, and government. Recognized as the authority, chief advocate, and principal education resource, IIA has 185,000 members worldwide. Members work in the fields of security, governance, internal control and auditing, risk management, information technology audit, and education.
- Institute of Risk Management (IRM): IRM provides globally recognized qualifications and training, publishes research and guidance, and sets professional standards in risk management. The organization’s members work in every industry and in every role, across private, public, and nonprofit sectors around the planet.
- The National Alliance for Insurance Education & Research (NAIER): The organization develops and delivers continuing education programs and certification for all individuals in the insurance and risk management industry, from the newest entries to the most seasoned professionals in the field.
- Open Compliance and Ethics Group (OCEG®): A non-profit think-tank, OCEG provides certification and helps organizations enhance their culture and improve performance as they boost internal controls, lower risk, and improve compliance management and corporate governance with practical resources.
- The Risk Management Society (RIMS™): An advocate and educational resource for the global risk community, RIMS represents over 3,000 industrial, corporate, service, non-profit, charitable, and government entities internationally. RIMS provides risk management content, networking, professional development, and certification opportunities. It has a membership of over 11,000 risk practitioners in more than 60 countries.
- The Professional Risk Managers' International Association (PRMIA): The non-profit PRMIA institute delivers thought leadership, peer-vetted research, certification, and stewardship of the risk management profession worldwide.
- Project Management Institute (PMI®): PMI supports 2.9 million project management professionals working in nearly every country in the world. The institute advances careers and enhances organizational success through globally recognized standards, academic research and publications, certifications, tools, resources, professional development courses, and networking opportunities.
Types of Risk Management Certifications
“How do risk certifications help your career?” asks Thompson. “It endows the professional with true confidence and reflects commitment to the industry. Individuals with designations are likely to receive higher compensation than those without.” She adds that in her industry, “Clients have an increased perceived value of your knowledge. Still, regardless of classroom training, designations, and on-the-job experience, the professional advisor must be committed to seeking current information in our ever-changing industry.”
Here are two dozen risk management certifications, along with information about where and how to obtain them:
- Associated Risk Management Professional (ARMP) Certified by DRI: For those in any field with under two years of risk management experience, ARMP certification supports proficiency at the entry level with knowledge in risk management. Designed for individuals who have not yet gained advanced experience, the certification shows that they have acquired knowledge. Certification is linked to higher salaries and marketability.
- Certified Business Continuity Professional (CBCP) Certified by DRI: Applicants for CBCP are professionals who have been working as industry leaders in disaster recovery and/or business continuity and want the recognition and marketability that comes with certification. It is the most widely recognized business continuity certification in the world.
- Certified Construction Industry Financial Professional (CCIFP®) Certified by ICCIFP: The only certification for construction financial professionals, the CCIFP designation is accredited by the American National Standards Institute (ANSI). The CCIFP provides verification by a third party of ethical financial management, an essential asset in today’s complex construction environment.
- Certified in the Governance of Enterprise IT (CGEIT®) Certified by ISACA: Considered a prerequisite by many companies and government agencies for employees involved with enterprise IT governance, this certification is for IT professionals who already have deep knowledge of principles and practices. Certificants align IT with business strategies and goals and enhance the value of their organizations through governance and risk-optimization measures.
- Certified Information Systems Auditor (CISA®) Certified by ISACA: A recognized certification for information systems audit control throughout the world, the CISA is for experienced security and assurance professionals. Being CISA-certified demonstrates knowledge, skills, and the ability to assess risk, report on compliance, and institute controls within the organization.
- Certified Information Security Manager (CISM®) Certified by ISACA: As the need for information security management professionals escalates, the globally-accepted CISM certification is a standard sought by enterprise and government agencies. They increasingly expect IT and information systems professionals to hold CISM certification and favor it because it assures a holistic view of information systems security management and its relationship to the success of the entire enterprise.
- Certified Professional in Healthcare Risk Management (CPHRM) Certified by AHA and ASHRM: The CPHRM is offered to healthcare risk managers by the American Hospital Association with certification services provided by ASHRM. It proves that healthcare risk managers have the deep, healthcare-specific knowledge and practical skills needed to excel in an increasingly competitive healthcare marketplace.
- Certified Regulatory and Compliance Professional (CRCP™) Certified by FINRA Institute at Wharton: Developed by FINRA, the largest independent regulator for all securities firms doing business in the United States, the CRCP program is the premier executive program designed specifically for compliance and securities industry regulatory professionals. The CRCP program provides a unique learning experience for participants. It’s intended for compliance professionals, regulatory, legal, and compliance staff, business-line professionals with increasing compliance responsibilities, and state, federal, and international regulators.
- Certified Risk Manager (CRM) Certified by the NAIER: CRM designation demonstrates that professionals are steeped in all areas of managing exposures, risks, and hazards. Individuals in risk management and the related fields of accounting, claims, human resources, finance, insurance, law, and loss-control benefit from the coursework and certification. It provides in-depth knowledge about identifying, analyzing, controlling, financing, and administering operational risks in every sector and circumstance.
- Certification in Risk Management Assurance (CRMA) Certified by CRMA: CRMA recognizes experienced individuals who are involved with risk management and assurance, quality assurance, governance, and control self-assessment. CRMAs are trusted advisors to members of audit committees and senior management in large organizations.
- Certified Risk Management Professional (CRMP) Certified by DRI: CRMP is for individuals who have a specific background in the practice of risk management and a minimum of two years in the field. It validates that the professional has the foundation of experience and knowledge needed to implement and manage a business risk management program.
- Certified in Risk and Information Systems Control (CRISC™) Certified by ISACA: This certification is for IT professionals who oversee the development, implementation, and maintenance of information systems controls designed to secure systems and manage risk. Increasingly sought after by enterprises, a CRISC holder understands business risk and has the technical skills and knowledge to implement appropriate information systems controls.
- Enterprise Risk Management Certified Professional (ERMCP™) Certified by ERMA: ERMCP certification is based on the ISO 31000 Risk Management International Standard and is intended for professionals with extensive risk management experience. Companies throughout the world are in search of practitioners who can apply international standards to comprehensively manage risks at technical, managerial, or strategic levels of the organization.
- Energy Risk Professional (ERP®) Certified by GARP: ERP is the only professional energy risk designation. ERPs work with consulting and technology firms with energy-related practices, energy enterprises, financial institutions with direct and indirect investments in energy, and government agencies. The certification process assesses a professional’s knowledge of the energy markets and ability to manage the financial and physical risks in the complex energy environment. Coursework provides a comprehensive view of all major energy markets, an understanding of how diverse energy commodities are structured and traded, and the methods to identify, measure, and manage both physical and financial risks.
- Financial Risk Manager (FRM®) Certified by GARP: As the financial industry becomes increasingly concerned about managing risk and more competitive, it is important to have knowledge that conforms to international, professional standards. FRM holders are leaders employed by leading financial institutions with titles such as head of operational risk, director of risk management, and chief risk officer.
- GRC Professional Certification (GRCP) Certified by OCEG: Governance, risk management, and compliance professionals, or GRCPs, help organizations function more effectively with their knowledge of corporate governance, enterprise risk management, and compliance with related laws and industry regulations. The GRCP credential covers a wide spectrum of industries and practices with a goal of understanding the big picture of GRC disciplines and how to apply technology to all of it.
- ITIL Expert (ITIL®) Certified by ITIL/Axelos: ITIL certifications are aligned with the ITIL framework, which describes best practices for designing, implementing, and managing IT service projects. Certifications are known as qualifications in the ITIL realm. An ITIL expert supports an organization by connecting service life-cycle stages and seeing the big picture as the total sum of its parts.
- Operational Risk Manager (ORM) Certified by PRMIA: ORMs have a deep understanding of financial institutions’ measurement methodologies and operational risk management frameworks. An ORM certification is relevant to all risk-related financial services roles. Knowledge of operational risk management techniques is increasingly important to sales and services staff from both a conduct and process perspective in their dealings with market counterparts and clients.
- PMI Risk Management Professional (PMI-RMP®) Certified by PMI: The PMI-RMP endorses a practitioner’s ability to identify and manage project risks, mitigate threats, and take advantage of opportunities. The certification is for those with advanced knowledge and experience in risk management. It’s also beneficial for project managers who need to focus on risk management for large projects, particularly in complex environments.
- Professional Risk Manager (PRM™) Certified by PRMIA: The PRM is valuable for professionals who need to have their competence in risk management techniques, theories, tools, and principles recognized. Endorsed by leading enterprises and universities, the certification is designed for risk managers of all types, financial analysts, and CEOs. Current PRM holders are employed by organizations that include major financial institutions, government agencies, and universities.