Artefact example: An impact-tolerance paper you authored — customer-focused thresholds with transaction volumes, financial value caps and data-loss limits.
Essay alternative accepted where the artefact cannot be shared.
CRO is a professional credential, awarded on demonstrated capability. There is no taught course component and no examination that, on its own, confers the credential. To earn CRO, a candidate must verify at least three years of practitioner experience, submit a seven-item portfolio of workplace evidence (one item per competency domain — artefacts or essays where commercial sensitivity prevents sharing), and complete a competency-based assessment against the PRI seven-domain framework at design and leadership level. The PRI Operational Resilience Course is available as preparation for practitioners refreshing or upskilling, but is a separate offering and not a route to certification.
PRI credentials are professional designations. They are awarded on evidence of capability, experience and professional judgement, assessed against the PRI competency framework. Completing a PRI programme, or sitting a PRI examination, prepares a candidate for this assessment but does not, on its own, confer the credential.
CRO assessment focuses on design and leadership: applying the seven domains across important services and accountable to senior stakeholders.
Identifying important services, modelling impact and quantifying tolerance for disruption.
Mapping people, processes, technology and third parties supporting each important service.
Designing controls, redundancy and recovery to operate within tolerance under stress.
Detecting, triaging and managing live disruption with disciplined logging and communications.
Operating resilience inside a board-accountable governance model with clear escalation.
Leading teams through ambiguity, regulatory engagement and post-incident learning.
Operating across the regulatory, cross-border and infrastructure realities of Asia-Pacific.
A multi-part competency assessment conducted live by PRI assessors, structured around a severe-but-plausible regional disruption. Candidates demonstrate the design and leadership-level capabilities required of a mid-career practitioner — setting impact tolerances, mapping dependencies, designing escalation, and engaging regulators.
A portfolio of seven items — one per competency domain — drawn from the candidate's own work. Where commercial sensitivity prevents sharing an artefact (for example a service map, an impact-tolerance paper or a board submission), candidates submit a structured essay of roughly 1,200–1,800 words in its place, with anonymised examples and the reasoning shown.
Independent PRI assessors review the live assessment and the seven-item portfolio against the seven competency domains, with a moderation step before the credential is awarded.
CRO is not awarded for attendance and not awarded on examination alone. The credential is awarded on the strength of a competency assessment, a seven-item portfolio of workplace evidence, verified practitioner experience, senior references and assessor review — all measured against the PRI seven-domain framework at design and leadership level. Practitioners refreshing or upskilling sometimes complete the PRI Operational Resilience Course first; it is preparation, not a substitute.
Hold the ARO credential in good standing, or be assessed against the ARO execution-level capabilities alongside CRO during the same assessment cycle.
Documented practitioner experience in operational resilience or a closely related risk function.
References from senior people who can speak to the scope of your work and how you handled it.
One submission per competency domain — workplace artefacts (e.g. service map, tolerance paper) or structured essays where commercial sensitivity prevents sharing the artefact.
A signed commitment to PRI's published code of practice and continuing professional standards.
One capability per competency domain. Every CRO is assessed against all seven at design and leadership level before the credential is awarded.
Set customer-focused thresholds based on transaction volumes, financial value caps and data-loss limits — calibrated to your regulator(s), or to recognised standards where no specific regime applies.
Follow a critical service through to its fourth-party and nth-party suppliers, surfacing shared concentration nodes.
Build scenarios with compounding failures that match real risk patterns in your operating footprint — cross-jurisdictional where you work regionally, or deep within your own jurisdiction where you do not.
Design and operate automated escalation triggered by threshold breach, sized for 4-hour and 24-hour regulator notice windows.
Draft and shepherd board, ExCo or steering-committee papers — risk appetite, policy refresh, investment options, remediation status — so leadership can make resilience decisions on the evidence in front of them.
Run material-vendor and non-traditional-provider assessments that hold up in internal audit, due-diligence and — where relevant — regulator engagement.
Demonstrate executive-level understanding of the Asia-Pacific operating environment — the regulatory landscape (own jurisdiction(s) and the wider region), the threat picture, and the cultural and organisational dynamics that shape resilience decisions — submitted as a required ~1,500-word thought-leadership piece. Multi-jurisdiction practitioners show how they run a unified posture (e.g. APRA CPS 230, MAS TRM, HKMA OR-2, DORA) without duplicating effort; single-jurisdiction practitioners show depth in their own; practitioners in contexts without a specific resilience regime anchor to recognised standards (ISO 22301, BCI GPG).
One item per competency domain — seven in total. Each item is drawn from the candidate's own work and aligned directly to the capability assessed for that domain at design and leadership level.
For domains 1–6, where commercial sensitivity prevents sharing a workplace artefact (for example a service map, an impact-tolerance paper or a board submission), the candidate may submit a structured essay of roughly 1,200–1,800 words in its place — describing how they have applied that domain in practice, with anonymised examples and the reasoning shown. Submissions are corroborated with senior referees. Domain 7 (APAC landscape) is always a required ~1,500-word thought-leadership piece — there is no artefact alternative for that domain.
Artefact example: An impact-tolerance paper you authored — customer-focused thresholds with transaction volumes, financial value caps and data-loss limits.
Essay alternative accepted where the artefact cannot be shared.
Artefact example: A deep dependency map for an important service, taken through to fourth- and nth-party suppliers and shared concentration nodes.
Essay alternative accepted where the artefact cannot be shared.
Artefact example: A severe-but-plausible scenario design you built, with compounding failures sized to your operating footprint — across jurisdictions if you work regionally, or deep within your own jurisdiction if you do not.
Essay alternative accepted where the artefact cannot be shared.
Artefact example: An escalation playbook or live-incident debrief you designed or led, sized for 4-hour and 24-hour regulator notice windows.
Essay alternative accepted where the artefact cannot be shared.
Artefact example: A board, ExCo or steering-committee paper you drafted or substantially contributed to that informed a resilience decision — investment, policy, risk appetite or remediation.
Essay alternative accepted where the artefact cannot be shared.
Artefact example: A material-vendor or non-traditional-provider assessment you led that held up in an internal audit, due-diligence review or — where relevant — a regulator engagement.
Essay alternative accepted where the artefact cannot be shared.
Artefact example: A ~1,500-word thought-leadership piece on the Asia-Pacific operating environment for resilience at design and leadership level — the regulatory landscape (own jurisdiction(s) and the wider region), the threat picture, and the cultural and organisational dynamics that shape executive resilience decisions. Required of every candidate. There is no artefact alternative for this domain.
Required submission. No artefact alternative — every candidate writes this piece.
CRO holders log 20 hours of CPD a year. The split is deliberately tilted toward strategic work: at most 5 hours of standard practice, and at least 15 hours of advanced systems, testing, and leadership.
Annual recertification fee from $89 AUD (Tier 3) to $179 AUD (Tier 1).
One standard, three regional pricing bands. Set in AUD by country of residence.
| Fee | Tier 1 | Tier 2 −30% | Tier 3 −50% |
|---|---|---|---|
| CRO credential assessment (one-off) | $1,999 | $1,399 | $999 |
| CRO recertification (annual) | $179 | $125 | $89 |
| Operational Resilience Course (optional preparation) | $999 | $699 | $499 |
AU · NZ · SG · JP · HK · KR · TW
MY · TH · CN · FJ
IN · PH · ID · VN
No payment is taken at application. The assessment fee is invoiced when the candidate submits the completed evidence portfolio.
On award, you are entitled to append CRO after your name on business cards, LinkedIn, professional correspondence, and any internal or external publication while your certification remains in good standing.