Risk Maturity Certification – OCRM®

Independent Verification under the OCRM® Risk Maturity Framework

OCRM® Risk Maturity Certification provides organisations with an independently reviewed maturity classification under the OCRM® Risk Maturity Framework.

Certification is an optional outcome of the OCRM® Risk Maturity Assessment process for organisations seeking external verification of demonstrated risk management maturity.

Certification reflects assessed maturity at the time of evaluation, based on structured scoring, documented evidence, sampled review and defined governance safeguards. It is not regulatory approval, statutory audit, financial assurance, legal assurance or a guarantee of future performance.

Certification Assurance

Independent review
Evidence-based classification
Defined assessment scope
Governance safeguards
Time-bound status

Designed for organisations seeking credible external verification of demonstrated risk management maturity.

What Certification Represents

OCRM® Risk Maturity Certification confirms an independently assessed maturity classification within the stated assessment scope.

Certification confirms

Demonstrated risk management maturity at the date of assessment
Evidence reviewed within the agreed scope
Structured scoring under the OCRM® Risk Maturity Framework
Application of defined maturity safeguards
Review under OCRM® governance and professional standards requirements

Certification does not confirm

!That all risks are controlled
!That the organisation is compliant with all legal or regulatory requirements
!That risk management will remain effective after the assessment date
!Regulatory approval, statutory audit, financial assurance or legal assurance
!A guarantee of future performance

Certification is based on information provided by the organisation, evidence made available for review and sampled evidence reviewed during the verification process.

Verified and Certified Classifications

Following independent review, organisations may receive one of the following classifications, subject to evidence, scoring outcomes, stated assessment scope and applicable OCRM® criteria.

LEVEL 1

Reactive

Not eligible

Not eligible for verification or certification.

LEVEL 2

OCRM® Verified

Developing Risk Maturity

Basic risk management structures exist but require further embedding, consistency and evidence of operation.

LEVEL 3

OCRM® Verified

Structured Risk Management

Defined risk management processes operate across relevant areas of the organisation, with evidence of structured application.

LEVEL 4

OCRM® Certified

Integrated Risk Maturity

Risk management is embedded, consistently applied and supports governance, oversight and decision-making.

LEVEL 5

OCRM® Certified

Advanced Risk Maturity

Risk management is proactive, data-informed and subject to structured monitoring, review and continuous improvement.

Use of the term Certified applies only to Level 4 and Level 5 classifications. Level 2 and Level 3 outcomes are described as Verified classifications.

Level 1 is not eligible for verification or certification.

Independent Verification Process

Risk Maturity Certification involves a structured independent review conducted under OCRM® governance. The depth of verification increases according to the maturity level claimed, organisational complexity and assessment scope.

01

Submit assessment materials

Completed assessment materials are submitted in the format required by OCRM®.

02

Review documentation and evidence

Supporting documentation, risk governance materials and selected evidence are reviewed within the agreed scope.

03

Risk-based sampling

Selected indicators are sampled to review consistency, operation and embedding.

04

Leadership and stakeholder discussions

Structured interviews or discussions may be held with relevant leadership, governance, risk, assurance or operational representatives, where agreed.

05

Scoring safeguards and moderation

Scoring safeguards, domain-level thresholds and moderation review are applied where required.

Evidence expectations increase with maturity: Higher maturity classifications require stronger evidence of consistency, embedding and sustained operation across relevant domains.

Independent review is based on evidence reviewed within scope and applicable OCRM® criteria.

Scoring Integrity & Safeguards

OCRM® Risk Maturity Certification incorporates defined safeguards designed to support balanced, credible and consistent maturity outcomes. These measures help ensure that certification reflects demonstrated practice within the stated scope.

01.

Defined maturity indicators

Assessment is anchored to defined maturity indicators under the OCRM® Risk Maturity Framework.

02.

Domain-level thresholds

Minimum thresholds help support balanced outcomes across relevant maturity domains.

03.

Evidence expectations

Higher maturity levels require stronger evidence of consistency, embedding and operation.

04.

Anchor requirements

Core governance and risk assessment areas must meet defined anchor expectations.

05.

Limits on exclusions

Non-applicable exclusions are controlled to avoid distortion of results.

06.

Cross-domain consistency checks

Outcomes are reviewed for consistency across governance, process and practice areas.

07.

Moderation review

Advanced maturity classifications may be subject to moderation or additional review where required.

Certification outcomes are based on demonstrated practice, not future plans, policy statements alone or isolated examples of good practice.

Safeguards are designed to prevent isolated strengths from masking structural weaknesses and to support consistent application across organisations.

Validity, Oversight & Assessment Relationship

Risk Maturity Certification is time-bound and subject to ongoing governance. Organisations maintain verified or certified status through transparency, re-verification and compliance with OCRM® requirements.

Verified Classifications

Level 2 and Level 3

Typically valid for up to 2 years subject to the stated scope and applicable terms.

Certified Classifications

Level 4 and Level 5

Typically valid for up to 3 years subject to the stated scope and applicable terms.

Organisations are expected to disclose material changes in governance, risk management arrangements, ownership, scope or organisational structure that may affect the basis of verification or certification during the validity period.

Re-verification is required upon expiry to maintain verified or certified status.

OCRM® may amend, suspend or withdraw verified or certified status where evidence indicates material misrepresentation, breach of applicable terms or significant change affecting the basis of the original determination.

Relationship to Risk Maturity Assessment

Risk Maturity Certification is an optional output of the OCRM® Risk Maturity Assessment process.

1. Use Assessment for Internal Insight

Organisations may complete an assessment to understand their current maturity, strengths and improvement opportunities without seeking external verification.

2. Proceed to Independent Verification

Organisations may choose to pursue independent verification to obtain an OCRM® Verified or OCRM® Certified classification within the stated assessment scope.

3. Reassess Over Time

Organisations are encouraged to reassess periodically to demonstrate improvement, respond to change and maintain the currency of their certification status.

Certification is a governed maturity classification, not a one-time badge. It reflects the organisation's maturity at the time of assessment, within the stated scope, under OCRM® governance and professional standards requirements.

Who Should Consider Certification & Public Representation

Certification helps organisations demonstrate credible risk management maturity and communicate it responsibly to stakeholders.

Who Should Consider Certification

  • Board & Executive Confidence

    Provides assurance to the board and executive that risk management maturity has been independently verified.

  • Stakeholder Demonstration

    Helps demonstrate credible risk management maturity to regulators, investors, partners and other stakeholders.

  • Governance Transparency & Accountability

    Supports transparency and accountability for governance, risk oversight and organisational resilience.

  • Validation of Internal Assessment

    Independently validates the outcomes of the organisation's risk maturity assessment.

  • Maturity Baseline & Improvement Direction

    Establishes a credible maturity baseline and supports prioritisation of improvement activities.

  • Evidence of Progression Over Time

    Provides evidence of maturity improvement across the organisation over time.

  • Informed Governance, Assurance & Stakeholder Discussions

    Supports more informed discussions with assurance providers, regulators and other key stakeholders.

Public Representation Rules

When publicly representing your certification status, you must:

  • State the Classification

    Clearly state your OCRM® Verified or OCRM® Certified classification and maturity level (Level 2–5).

  • State the Scope

    Clearly state the scope of the assessment to which the certification applies.

  • State the Validity Period

    Clearly state the validity period and the date of issue.

  • Follow OCRM® Usage Rules

    Use the certification mark and related wording only in accordance with OCRM® usage requirements.

  • Avoid Overstatement

    Public statements must be accurate, balanced and must not overstate the meaning or value of certification.

OCRM® certifications are maturity classifications based on independent verification. They are not endorsements, approvals or guarantees of future performance.

Governance, Timeline & Next Steps

Certification is governed by robust standards, clear timelines and a transparent process. We're here to support you at every step.

Certification Governance

Risk Maturity Certification is delivered under the OCRM® Governance & Professional Standards Framework.

  • Defined Assessment Criteria

    Clear maturity indicators, thresholds and evidence requirements.

  • Evidence Review & Sampling

    Independent review with risk-based sampling for assurance.

  • Conflicts of Interest

    Strict independence and conflict management protocols.

  • Quality Assurance

    Ongoing quality oversight and consistency assurance.

  • Moderation & Oversight

    Moderation for higher maturity levels and complex assessments.

  • Renewal, Suspension & Withdrawal

    Time-bound certifications, with rights to suspend or withdraw where required.

Typical Timeline

Timelines vary based on scope, complexity and evidence readiness.

1. Self-Assessment Preparation

4 - 8 weeks

Organisations complete the OCRM® Risk Maturity Assessment and prepare supporting evidence.

2. Independent Verification Process

4 - 8 weeks

Independent review, sampling, interviews and final determination of verified or certified status.

Timelines are indicative and will be confirmed after the initial scoping discussion.

Begin the Certification Process

We'll help you determine readiness, clarify scope and plan the right path forward.

Information Required

  • Organisation name and primary contact details
  • Brief description of your organisation and operating environment
  • Intended assessment scope
  • Preferred timeline for assessment and certification
  • Any specific considerations or questions

Certification reflects assessed maturity at the time of evaluation, within the stated scope. It is not regulatory approval, statutory audit, legal or financial assurance, ISO/COSO certification or a guarantee of future performance.