Module 01
Multi-hub compliance
Cross-mapping APRA CPS 230, DORA, MAS, and HKMA rules into a single data model. Translating one operational data set for multiple regulators.
What you produce
A unified cross-border compliance governance dashboard.
Level 2 · Practitioner tier
Certified
Resilience Officer.
A three-day advanced live virtual course followed by a 150-minute case-study exam delivered live over Microsoft Teams and proctored by PRI faculty. Candidates verify at least three years of practitioner experience. The eight-module curriculum is built around what mid-career practitioners are actually asked to do — multi-regulator compliance, hard tolerance numbers, deep dependency mapping, and scenario design. Join the waiting list — course dates are released when numbers allow. All sessions run Australian Eastern Standard Time (AEST).
Tier
Practitioner
Format
3 days virtual (AEST)
Exam
150 min case study
CPD
20 hrs / year
How you earn it
One standard. One examination.
CRO is not awarded for attendance. Every candidate sits the same 150-minute, case-study driven paper — delivered live over Microsoft Teams and proctored by PRI faculty — and meets the verified experience threshold. Teaching is delivered as a three-day advanced live virtual cohort. The credential carries the same letters wherever in APAC it is sat.
Live case-study exam
A 150-minute, scenario-based written paper sat live over Microsoft Teams under PRI faculty proctoring.
Three years of practice
Documented practitioner experience in operational resilience or a closely related risk function.
Two senior referees
References from senior people who can speak to the scope of your work and how you handled it.
Code of practice
A signed commitment to PRI's published code of practice and continuing professional standards.
What a Certified Resilience Officer can do
Three capabilities, defended on the page.
- Outcome 01
Build dependency maps that follow a critical service all the way through to its fourth-party and nth-party suppliers.
- Outcome 02
Set quantitative tolerance metrics that work across more than one regulator at the same time.
- Outcome 03
Manage material vendor risk — including for the non-traditional providers that don't fit standard outsourcing models.
The eight modules.
Three live virtual days, eight modules, each paired with a deliverable that goes into your candidate portfolio.
Module 02
Quantitative tolerances
Setting customer-focused thresholds based on transaction volumes, financial value caps, and data loss limits — not red/amber/green.
What you produce
Defensible impact tolerance metrics for an enterprise service.
Module 03
Nth-party concentration
Graphing downstream supply chains past primary vendors to map the shared cloud and hosting nodes that quietly link unrelated services.
What you produce
A relational asset dependency graph mapping fourth-party nodes.
Module 04
ICT hardening
Managing technology infrastructure resilience, data availability, and tracking weaknesses across API networks.
What you produce
An ICT infrastructure resilience profile for core systems.
Module 05
High-velocity escalation
Bypassing manual approval bottlenecks with automated triggers — designed to meet tight 4-hour and 24-hour regulator notice windows.
What you produce
Automated incident escalation playbooks tied to threshold breaches.
Module 06
Severe scenario design
Simulating compounding failures — for example, a GCC corridor outage paired with a digital liquidity run.
What you produce
A multi-border, multi-inject simulation testing playbook.
Module 07
Secure information sharing
Sharing threat data and vulnerabilities safely under regional privacy and compliance laws.
What you produce
A privacy-compliant industry information-sharing protocol.
Module 08
Actionable remediation
Calculating cost-benefit data for resilience investments and building the case that gets capital expenditure approved.
What you produce
A formal business case for infrastructure upgrades based on test gaps.
Continuing professional development
20 CPD hours a year, weighted to systems and leadership.
CRO holders log 20 hours of CPD a year. The split is deliberately tilted toward strategic work: at most 5 hours of standard practice, and at least 15 hours of advanced systems, testing, and leadership.
Standard practice · max 5 hrs
- ·Routine BIA refresh oversight.
- ·Standard policy review and sign-off cycles.
Advanced systems & leadership · min 15 hrs
- ·Designing and executing complex cross-border scenario simulations.
- ·Performing structural fourth-party concentration assessments.
- ·Architecting unified compliance frameworks (DORA / CPS 230 conversions).
- ·Publishing peer-reviewed research through PRI.
Annual recertification fee from $175 AUD (Tier 3) to $350 AUD (Tier 1).
What to expect, end to end.
- Delivery
- Advanced live virtual cohort over 3 consecutive days, 09:00–17:00 AEST, with pre-reading issued 4 weeks before. Join the waiting list — dates are released when course numbers allow.
- Cohort size
- Capped at 18 candidates to keep the case-study work intensive and the regulator-facing discussion candid.
- Intakes
- Join the waiting list. Cohort dates are released once sufficient numbers allow us to confirm a course. All sessions run Australian Eastern Standard Time (AEST).
- Prerequisites
- Three years of verified practitioner experience in resilience, operational risk, or a closely adjacent function. ARO not required but recommended.
- References
- Two senior referees — line manager or equivalent, plus an independent practitioner — submitted before the exam sitting.
- Language
- Delivered and examined in English. Case-study material includes APAC regulator excerpts in original wording.
- Exam
- 150 minutes, delivered live over Microsoft Teams and proctored by PRI faculty. Two long-form case studies, marked anonymously by a panel of two examiners; pass mark 65%.
- Resits
- One resit at 40% of the regional exam fee within 6 months; full re-examination thereafter.
- Accommodations
- Extra time and quiet-room scheduling available on documented request to the registrar before the exam window opens.
- Refunds
- Full refund up to 28 days before the cohort starts; 50% up to 10 days; transfer to a later cohort otherwise.
Using the designation
Post-nominal letters you can use.
On award, you are entitled to append CRO after your name on business cards, LinkedIn, professional correspondence, and any internal or external publication while your certification remains in good standing.
Example signature
Marcus Tan, CRO
Usage rules · CRO
- Use the letters CRO after your name in professional contexts while your certification is current and CPD obligations are met.
- The CRO digital badge may be used on LinkedIn, professional bios, conference speaker materials, and your organisation's profile of you.
- CRO holders may identify themselves as an examined resilience practitioner; do not use the title to imply chartered or regulator-conferred status.
- Where you publish research or commentary under the credential, identify yourself as an individual — PRI does not endorse views.
- If your CPD lapses or your certification is suspended, remove the post-nominal until you are restored to good standing.
Frequently asked questions.
No. ARO is the most direct route, but candidates can enter CRO with three years of verified practitioner experience and senior references. Most direct-entry candidates come from operational risk, internal audit, or technology resilience leadership roles.