Skip to content
Pacific Resilience Institute
Practitioner credential

Certified
Resilience Officer.

CRO is a professional credential, awarded on demonstrated capability. There is no taught course component and no examination that, on its own, confers the credential. To earn CRO, a candidate must verify at least three years of practitioner experience, submit a seven-item portfolio of workplace evidence (one item per competency domain — artefacts or essays where commercial sensitivity prevents sharing), and complete a competency-based assessment against the PRI seven-domain framework at design and leadership level. The PRI Operational Resilience Course is available as preparation for practitioners refreshing or upskilling, but is a separate offering and not a route to certification.

CERTIFIEDRESILIENCEOFFICER
How this credential is awarded

On demonstrated capability — not attendance or examination alone.

PRI credentials are professional designations. They are awarded on evidence of capability, experience and professional judgement, assessed against the PRI competency framework. Completing a PRI programme, or sitting a PRI examination, prepares a candidate for this assessment but does not, on its own, confer the credential.

Competency framework

Assessed across seven domains.

CRO assessment focuses on design and leadership: applying the seven domains across important services and accountable to senior stakeholders.

Domain 01
Risk & impact

Identifying important services, modelling impact and quantifying tolerance for disruption.

Domain 02
Service mapping

Mapping people, processes, technology and third parties supporting each important service.

Domain 03
Resilience design

Designing controls, redundancy and recovery to operate within tolerance under stress.

Domain 04
Incident response

Detecting, triaging and managing live disruption with disciplined logging and communications.

Domain 05
Governance

Operating resilience inside a board-accountable governance model with clear escalation.

Domain 06
Leadership

Leading teams through ambiguity, regulatory engagement and post-incident learning.

Domain 07
APAC environment

Operating across the regulatory, cross-border and infrastructure realities of Asia-Pacific.

Assessment model

How the credential is assessed.

01

Scenario-based assessment

A multi-part competency assessment conducted live by PRI assessors, structured around a severe-but-plausible regional disruption. Candidates demonstrate the design and leadership-level capabilities required of a mid-career practitioner — setting impact tolerances, mapping dependencies, designing escalation, and engaging regulators.

02

Evidence submission

A portfolio of seven items — one per competency domain — drawn from the candidate's own work. Where commercial sensitivity prevents sharing an artefact (for example a service map, an impact-tolerance paper or a board submission), candidates submit a structured essay of roughly 1,200–1,800 words in its place, with anonymised examples and the reasoning shown.

03

Assessor review

Independent PRI assessors review the live assessment and the seven-item portfolio against the seven competency domains, with a moderation step before the credential is awarded.

Tier
Practitioner
Route
Competency assessment + evidence + experience
CPD
20 hrs / year
How you earn it

Awarded on demonstrated capability — not attendance, not examination alone.

CRO is not awarded for attendance and not awarded on examination alone. The credential is awarded on the strength of a competency assessment, a seven-item portfolio of workplace evidence, verified practitioner experience, senior references and assessor review — all measured against the PRI seven-domain framework at design and leadership level. Practitioners refreshing or upskilling sometimes complete the PRI Operational Resilience Course first; it is preparation, not a substitute.

ARO foundation

Hold the ARO credential in good standing, or be assessed against the ARO execution-level capabilities alongside CRO during the same assessment cycle.

Three years of practice

Documented practitioner experience in operational resilience or a closely related risk function.

Two senior referees

References from senior people who can speak to the scope of your work and how you handled it.

Seven-item evidence portfolio

One submission per competency domain — workplace artefacts (e.g. service map, tolerance paper) or structured essays where commercial sensitivity prevents sharing the artefact.

Code of practice

A signed commitment to PRI's published code of practice and continuing professional standards.

What a CRO holder can do

Seven demonstrated capabilities.

One capability per competency domain. Every CRO is assessed against all seven at design and leadership level before the credential is awarded.

  • Domain 01 · Risk & impact

    Set quantitative tolerances

    Set customer-focused thresholds based on transaction volumes, financial value caps and data-loss limits — calibrated to your regulator(s), or to recognised standards where no specific regime applies.

  • Domain 02 · Service mapping

    Build deep dependency maps

    Follow a critical service through to its fourth-party and nth-party suppliers, surfacing shared concentration nodes.

  • Domain 03 · Resilience design

    Design severe-but-plausible scenarios

    Build scenarios with compounding failures that match real risk patterns in your operating footprint — cross-jurisdictional where you work regionally, or deep within your own jurisdiction where you do not.

  • Domain 04 · Incident response

    Run high-velocity escalation

    Design and operate automated escalation triggered by threshold breach, sized for 4-hour and 24-hour regulator notice windows.

  • Domain 05 · Governance

    Operate the governance routines

    Draft and shepherd board, ExCo or steering-committee papers — risk appetite, policy refresh, investment options, remediation status — so leadership can make resilience decisions on the evidence in front of them.

  • Domain 06 · Leadership

    Manage material vendor risk

    Run material-vendor and non-traditional-provider assessments that hold up in internal audit, due-diligence and — where relevant — regulator engagement.

  • Domain 07 · APAC landscape

    Read the APAC landscape at leadership level

    Demonstrate executive-level understanding of the Asia-Pacific operating environment — the regulatory landscape (own jurisdiction(s) and the wider region), the threat picture, and the cultural and organisational dynamics that shape resilience decisions — submitted as a required ~1,500-word thought-leadership piece. Multi-jurisdiction practitioners show how they run a unified posture (e.g. APRA CPS 230, MAS TRM, HKMA OR-2, DORA) without duplicating effort; single-jurisdiction practitioners show depth in their own; practitioners in contexts without a specific resilience regime anchor to recognised standards (ISO 22301, BCI GPG).

Evidence portfolio

What candidates submit.

One item per competency domain — seven in total. Each item is drawn from the candidate's own work and aligned directly to the capability assessed for that domain at design and leadership level.

For domains 1–6, where commercial sensitivity prevents sharing a workplace artefact (for example a service map, an impact-tolerance paper or a board submission), the candidate may submit a structured essay of roughly 1,200–1,800 words in its place — describing how they have applied that domain in practice, with anonymised examples and the reasoning shown. Submissions are corroborated with senior referees. Domain 7 (APAC landscape) is always a required ~1,500-word thought-leadership piece — there is no artefact alternative for that domain.

Domain 01 · Risk & impact

Artefact example: An impact-tolerance paper you authored — customer-focused thresholds with transaction volumes, financial value caps and data-loss limits.

Essay alternative accepted where the artefact cannot be shared.

Domain 02 · Service mapping

Artefact example: A deep dependency map for an important service, taken through to fourth- and nth-party suppliers and shared concentration nodes.

Essay alternative accepted where the artefact cannot be shared.

Domain 03 · Resilience design

Artefact example: A severe-but-plausible scenario design you built, with compounding failures sized to your operating footprint — across jurisdictions if you work regionally, or deep within your own jurisdiction if you do not.

Essay alternative accepted where the artefact cannot be shared.

Domain 04 · Incident response

Artefact example: An escalation playbook or live-incident debrief you designed or led, sized for 4-hour and 24-hour regulator notice windows.

Essay alternative accepted where the artefact cannot be shared.

Domain 05 · Governance

Artefact example: A board, ExCo or steering-committee paper you drafted or substantially contributed to that informed a resilience decision — investment, policy, risk appetite or remediation.

Essay alternative accepted where the artefact cannot be shared.

Domain 06 · Leadership

Artefact example: A material-vendor or non-traditional-provider assessment you led that held up in an internal audit, due-diligence review or — where relevant — a regulator engagement.

Essay alternative accepted where the artefact cannot be shared.

Domain 07 · APAC landscape

Artefact example: A ~1,500-word thought-leadership piece on the Asia-Pacific operating environment for resilience at design and leadership level — the regulatory landscape (own jurisdiction(s) and the wider region), the threat picture, and the cultural and organisational dynamics that shape executive resilience decisions. Required of every candidate. There is no artefact alternative for this domain.

Required submission. No artefact alternative — every candidate writes this piece.

Continuing professional development

20 CPD hours a year, weighted to systems and leadership.

CRO holders log 20 hours of CPD a year. The split is deliberately tilted toward strategic work: at most 5 hours of standard practice, and at least 15 hours of advanced systems, testing, and leadership.

Standard practice · max 5 hrs
  • ·Routine BIA refresh oversight.
  • ·Standard policy review and sign-off cycles.
Advanced systems & leadership · min 15 hrs
  • ·Designing and executing complex scenario simulations — cross-border where the candidate operates regionally, or deep single-jurisdiction equivalents otherwise.
  • ·Performing structural fourth-party concentration assessments.
  • ·Architecting unified compliance frameworks across regimes you operate in (e.g. DORA, CPS 230, MAS TRM, HKMA OR-2), or anchoring a single-jurisdiction or unregulated context to ISO 22301 / BCI GPG.
  • ·Publishing peer-reviewed research through PRI.

Annual recertification fee from $89 AUD (Tier 3) to $179 AUD (Tier 1).

Regional fees · AUD

CRO fees by region.

One standard, three regional pricing bands. Set in AUD by country of residence.

Download fees & tiers (PDF)
FeeTier 1Tier 2 −30%Tier 3 −50%
CRO credential assessment (one-off)$1,999$1,399$999
CRO recertification (annual)$179$125$89
Operational Resilience Course (optional preparation)$999$699$499
Tier 1 · High income

AU · NZ · SG · JP · HK · KR · TW

Tier 2 · Upper-middle

MY · TH · CN · FJ

Tier 3 · Lower-middle

IN · PH · ID · VN

No payment is taken at application. The assessment fee is invoiced when the candidate submits the completed evidence portfolio.

Programme details

What to expect, end to end.

Route to credential
Competency-based assessment against the PRI seven-domain framework, plus a seven-item portfolio of workplace evidence and verified practitioner experience. No taught course component and no examination route.
Preparation
The PRI Operational Resilience Course is available as preparation for practitioners refreshing or upskilling. It is a separate offering and awards a Certificate of Course Completion only.
Assessment format
A multi-part scenario-based competency assessment delivered live over Microsoft Teams with PRI assessors, structured around a severe-but-plausible regional disruption.
Evidence portfolio
Seven items — one per competency domain. Each item is either a workplace artefact (e.g. service map, impact-tolerance paper, escalation playbook, ExCo paper, vendor assessment, framework conversion) or, where commercial sensitivity prevents sharing the artefact, a 1,200–1,800 word essay describing how the candidate has applied that domain.
Turnaround
From a complete application to written outcome is typically 10–14 weeks: intake, evidence review, scheduling and the live assessment, then independent assessor review and moderation. No fixed cohort dates — assessments are scheduled as evidence packs are ready.
Prerequisites
At least three years of verified practitioner experience in resilience, operational risk or a closely adjacent function. Candidates must either already hold the ARO credential in good standing, or demonstrate the seven ARO execution-level capabilities alongside the CRO design and leadership-level capabilities during assessment and within their evidence portfolio.
References
Two senior referees — line manager or equivalent, plus an independent practitioner — submitted before the assessment is scheduled. Referees corroborate both the artefacts and the essay submissions.
Language
Assessed in English. Assessment material includes APAC regulator excerpts in original wording.
Reassessment
Candidates who do not meet the standard receive written feedback and may strengthen and resubmit the specific items identified within 6 months.
Fees & payment
No payment is taken at application. The assessment fee is invoiced in AUD when the candidate submits the completed seven-item evidence portfolio (including the ~1,500-word APAC thought-leadership piece). The live competency assessment is scheduled on receipt of payment.
Using the designation

Post-nominal letters you can use.

On award, you are entitled to append CRO after your name on business cards, LinkedIn, professional correspondence, and any internal or external publication while your certification remains in good standing.

Example signature
Marcus Tan, CRO
Usage rules · CRO
  • Use the letters CRO after your name in professional contexts while your certification is current and CPD obligations are met.
  • The CRO digital badge may be used on LinkedIn, professional bios, conference speaker materials, and your organisation's profile of you.
  • CRO holders may identify themselves as a certified resilience practitioner; do not use the title to imply chartered or regulator-conferred status.
  • Where you publish research or commentary under the credential, identify yourself as an individual — PRI does not endorse views.
  • If your CPD lapses or your certification is suspended, remove the post-nominal until you are restored to good standing.
FAQ

Frequently asked questions.

You must either already hold ARO in good standing, or demonstrate the seven ARO execution-level capabilities alongside the CRO design and leadership-level capabilities during the same assessment cycle. CRO assumes the ARO foundation — it does not replace it. Candidates without ARO can sit a combined assessment; the registrar will outline scope and fees on application.

Apply for the CRO credential

Tell us about your role and your practitioner experience. The registrar will reply within 24 hours with the assessment intake schedule, the regional fee and the referee form.