Independent Verification under the OCRM® Risk Maturity Framework
OCRM® Risk Maturity Certification provides organisations with an independently reviewed maturity classification under the OCRM® Risk Maturity Framework.
Certification is an optional outcome of the OCRM® Risk Maturity Assessment process for organisations seeking external verification of demonstrated risk management maturity.
Certification reflects assessed maturity at the time of evaluation, based on structured scoring, documented evidence, sampled review and defined governance safeguards. It is not regulatory approval, statutory audit, financial assurance, legal assurance or a guarantee of future performance.
Certification Assurance
Designed for organisations seeking credible external verification of demonstrated risk management maturity.
What Certification Represents
OCRM® Risk Maturity Certification confirms an independently assessed maturity classification within the stated assessment scope.
Certification confirms
Certification does not confirm
Certification is based on information provided by the organisation, evidence made available for review and sampled evidence reviewed during the verification process.
Verified and Certified Classifications
Following independent review, organisations may receive one of the following classifications, subject to evidence, scoring outcomes, stated assessment scope and applicable OCRM® criteria.
Reactive
Not eligibleNot eligible for verification or certification.
OCRM® Verified
Developing Risk MaturityBasic risk management structures exist but require further embedding, consistency and evidence of operation.
OCRM® Verified
Structured Risk ManagementDefined risk management processes operate across relevant areas of the organisation, with evidence of structured application.
OCRM® Certified
Integrated Risk MaturityRisk management is embedded, consistently applied and supports governance, oversight and decision-making.
OCRM® Certified
Advanced Risk MaturityRisk management is proactive, data-informed and subject to structured monitoring, review and continuous improvement.
Use of the term Certified applies only to Level 4 and Level 5 classifications. Level 2 and Level 3 outcomes are described as Verified classifications.
Level 1 is not eligible for verification or certification.
Independent Verification Process
Risk Maturity Certification involves a structured independent review conducted under OCRM® governance. The depth of verification increases according to the maturity level claimed, organisational complexity and assessment scope.
Submit assessment materials
Completed assessment materials are submitted in the format required by OCRM®.
Review documentation and evidence
Supporting documentation, risk governance materials and selected evidence are reviewed within the agreed scope.
Risk-based sampling
Selected indicators are sampled to review consistency, operation and embedding.
Leadership and stakeholder discussions
Structured interviews or discussions may be held with relevant leadership, governance, risk, assurance or operational representatives, where agreed.
Scoring safeguards and moderation
Scoring safeguards, domain-level thresholds and moderation review are applied where required.
Evidence expectations increase with maturity: Higher maturity classifications require stronger evidence of consistency, embedding and sustained operation across relevant domains.
Independent review is based on evidence reviewed within scope and applicable OCRM® criteria.
Scoring Integrity & Safeguards
OCRM® Risk Maturity Certification incorporates defined safeguards designed to support balanced, credible and consistent maturity outcomes. These measures help ensure that certification reflects demonstrated practice within the stated scope.
Defined maturity indicators
Assessment is anchored to defined maturity indicators under the OCRM® Risk Maturity Framework.
Domain-level thresholds
Minimum thresholds help support balanced outcomes across relevant maturity domains.
Evidence expectations
Higher maturity levels require stronger evidence of consistency, embedding and operation.
Anchor requirements
Core governance and risk assessment areas must meet defined anchor expectations.
Limits on exclusions
Non-applicable exclusions are controlled to avoid distortion of results.
Cross-domain consistency checks
Outcomes are reviewed for consistency across governance, process and practice areas.
Moderation review
Advanced maturity classifications may be subject to moderation or additional review where required.
Certification outcomes are based on demonstrated practice, not future plans, policy statements alone or isolated examples of good practice.
Safeguards are designed to prevent isolated strengths from masking structural weaknesses and to support consistent application across organisations.
Validity, Oversight & Assessment Relationship
Risk Maturity Certification is time-bound and subject to ongoing governance. Organisations maintain verified or certified status through transparency, re-verification and compliance with OCRM® requirements.
Verified Classifications
Level 2 and Level 3Typically valid for up to 2 years subject to the stated scope and applicable terms.
Certified Classifications
Level 4 and Level 5Typically valid for up to 3 years subject to the stated scope and applicable terms.
Organisations are expected to disclose material changes in governance, risk management arrangements, ownership, scope or organisational structure that may affect the basis of verification or certification during the validity period.
Re-verification is required upon expiry to maintain verified or certified status.
OCRM® may amend, suspend or withdraw verified or certified status where evidence indicates material misrepresentation, breach of applicable terms or significant change affecting the basis of the original determination.
Relationship to Risk Maturity Assessment
Risk Maturity Certification is an optional output of the OCRM® Risk Maturity Assessment process.
1. Use Assessment for Internal Insight
Organisations may complete an assessment to understand their current maturity, strengths and improvement opportunities without seeking external verification.
2. Proceed to Independent Verification
Organisations may choose to pursue independent verification to obtain an OCRM® Verified or OCRM® Certified classification within the stated assessment scope.
3. Reassess Over Time
Organisations are encouraged to reassess periodically to demonstrate improvement, respond to change and maintain the currency of their certification status.
Certification is a governed maturity classification, not a one-time badge. It reflects the organisation's maturity at the time of assessment, within the stated scope, under OCRM® governance and professional standards requirements.
Who Should Consider Certification & Public Representation
Certification helps organisations demonstrate credible risk management maturity and communicate it responsibly to stakeholders.
Who Should Consider Certification
Board & Executive Confidence
Provides assurance to the board and executive that risk management maturity has been independently verified.
Stakeholder Demonstration
Helps demonstrate credible risk management maturity to regulators, investors, partners and other stakeholders.
Governance Transparency & Accountability
Supports transparency and accountability for governance, risk oversight and organisational resilience.
Validation of Internal Assessment
Independently validates the outcomes of the organisation's risk maturity assessment.
Maturity Baseline & Improvement Direction
Establishes a credible maturity baseline and supports prioritisation of improvement activities.
Evidence of Progression Over Time
Provides evidence of maturity improvement across the organisation over time.
Informed Governance, Assurance & Stakeholder Discussions
Supports more informed discussions with assurance providers, regulators and other key stakeholders.
Public Representation Rules
When publicly representing your certification status, you must:
State the Classification
Clearly state your OCRM® Verified or OCRM® Certified classification and maturity level (Level 2–5).
State the Scope
Clearly state the scope of the assessment to which the certification applies.
State the Validity Period
Clearly state the validity period and the date of issue.
Follow OCRM® Usage Rules
Use the certification mark and related wording only in accordance with OCRM® usage requirements.
Avoid Overstatement
Public statements must be accurate, balanced and must not overstate the meaning or value of certification.
OCRM® certifications are maturity classifications based on independent verification. They are not endorsements, approvals or guarantees of future performance.
Governance, Timeline & Next Steps
Certification is governed by robust standards, clear timelines and a transparent process. We're here to support you at every step.
Certification Governance
Risk Maturity Certification is delivered under the OCRM® Governance & Professional Standards Framework.
Defined Assessment Criteria
Clear maturity indicators, thresholds and evidence requirements.
Evidence Review & Sampling
Independent review with risk-based sampling for assurance.
Conflicts of Interest
Strict independence and conflict management protocols.
Quality Assurance
Ongoing quality oversight and consistency assurance.
Moderation & Oversight
Moderation for higher maturity levels and complex assessments.
Renewal, Suspension & Withdrawal
Time-bound certifications, with rights to suspend or withdraw where required.
Typical Timeline
Timelines vary based on scope, complexity and evidence readiness.
1. Self-Assessment Preparation
4 - 8 weeksOrganisations complete the OCRM® Risk Maturity Assessment and prepare supporting evidence.
2. Independent Verification Process
4 - 8 weeksIndependent review, sampling, interviews and final determination of verified or certified status.
Timelines are indicative and will be confirmed after the initial scoping discussion.
Begin the Certification Process
We'll help you determine readiness, clarify scope and plan the right path forward.
Information Required
- Organisation name and primary contact details
- Brief description of your organisation and operating environment
- Intended assessment scope
- Preferred timeline for assessment and certification
- Any specific considerations or questions
Certification reflects assessed maturity at the time of evaluation, within the stated scope. It is not regulatory approval, statutory audit, legal or financial assurance, ISO/COSO certification or a guarantee of future performance.
