CORM Syllabus

Certificate in Operational Risk Management

An ATHE Level 4 Qualification

Qualification overview

Qualification Credit Framework (QCF) Level 4
Credit Value 15
Total Qualification Time (i.e. hours of self-study and preparation for examination) 152
Unit Grading Structure Pass/ Fail
Assessment Guidance Students will be assessed by an examination containing multiple choice questions.

The Certificate is recognised by Ofqual, a regulator of qualifications, exams and tests in England and Wales, and is assessed as QCF Level 4, equivalent to EQF Level 5 (European Qualification Framework).


The aim of the material is to provide students with an introduction to operational risk management, the tools used in the process, and how operational risk management fits into the wider risk management of the firm. The qualification is designed for students who have completed secondary education. Relevant work experience would be useful, but is not essential.

On completion of this course, the learner will be able to:

  1. Explain the role of operational risk management.
  2. Understand operational risk governance arrangements.
  3. Understand and know how to use the key operational risk tools.
  4. Describe the impact of regulation on operational risk


Course structure

The Course Workbook consists of 9 chapters and covers the learning outcomes and assessment criteria outlined below.

Learning Outcomes

The student will:

Assessment Criteria

The student can:

1.      Understand the fundamentals of operational risk management. 1.1       Examine the definition of operational risk.

1.2       Identify the common risk types.

1.3       Explain the relationship between operational risk and other risk types.

1.4       Explain the different manifestations of operational risk within a firm.

1.5       Explain the relationship between cause, event and impact.

1.6       Examine the key components of the operational risk framework and governance structures.

2.      Understand the nature and role of governance in the management of operational risk. 2.1       Explain how the components of a risk governance framework interact.

2.2       Describe the roles and responsibilities of the operational risk function.

2.3       Describe the accountabilities, roles and responsibilities in the management of operational risk.

2.4       Explain the needs and expectations of external stakeholders in relation to operational risk.

3.      Understand the nature and application of operational risk appetite. 3.1       Examine the nature of risk appetite.

3.2       Describe the elements of an effective operational risk appetite framework.

3.3       Identify the purpose and content of an operational risk appetite statement.

3.4       Examine the nature and uses of qualitative and quantitative expressions of operational risk appetite.

3.5       Differentiate between risk appetite, risk tolerance and risk capacity in relation to operational risk appetite.

3.6       Describe the process for setting operational risk appetite.

3.7       Describe the process for monitoring and reporting operational risk in relation to appetite.

3.8       Explain the role of operational risk appetite in risk culture.

4.      Understand the nature and use of data categorisation in the management of operational risk. 4.1       Define the objectives of data categorisation and use of data categorisation in the management of operational risk.

4.2       Describe the different data types that need categorisation.

4.3       Distinguish between different approaches to creating and applying categorisation structures.

4.4       Explain the various challenges in creating and applying categorisation structures.

5.      Understand the nature and role of risk and control self-assessments in the assessment and management of operational risk. 5.1       Examine the nature of risk and control self-assessments in the management of operational risk.

5.2       Describe the benefits of risk and control self-assessments.

5.3       Explain the role of risk and control self-assessments in identifying operational risk.

5.4       Consider the advantages and disadvantage of different methods for undertaking risk and control self-assessments.

5.5       Explain the concepts of likelihood and impact in assessing operational risk and controls.

5.6       Examine the nature and role of controls.

5.7       Explain the roles and relationships between risk owners and control owners.

5.8       Describe common methods of reporting risk and control self-assessments.

6.      Understand the fundamentals of the use of operational risk indicators as applied to operational risk management. 6.1       Explain the role and purpose of different forms of operational risk indicators.

6.2       Examine the nature and use of operational risk indicators.

6.3       Describe the challenges surrounding operational risk indicators.

7.      Understand the role of events and losses in the management of operational risk. 7.1       Differentiate between the types of events.

7.2       Describe the attributes of event data and their use.

7.3       Explain the importance of root cause analysis.

7.4       Describe the role and implication of thresholds in relation to reporting event data.

7.5       Describe issues, roles and responsibilities in relation to reporting event data.

7.6       Explain the uses and limitations of internal event data.

7.7       Describe the benefits and limitations of sources of external loss event data.

7.8       Explain the uses of external loss event data.

8.      Understand the nature and role of scenario analysis in the management of operational risk. 8.1       Examine the nature of scenarios.

8.2       Describe the benefits of scenario analysis.

8.3       Explain the internal and external factors which may affect the scenario analysis process.

8.4       Describe the approaches to analysing scenarios.

8.5       Examine the challenges associated with the different approaches to analysing scenarios.

8.6       Describe the elements involved in constructing scenarios.

8.7       Describe the forms of bias which may affect scenario analysis.

8.8       Explain the methods of validating scenario analysis results.

8.9       Explain the relationship between scenarios and other operational risk tools and techniques.

9.      Understand the role of regulation in the development and management of operational risk. 9.1       Define the key regulatory influences on operational risk.

9.2       Describe evolving approaches to regulation and supervision.

9.3       Describe regulatory interest in specific operational risk categories.

9.4       Explain the capital adequacy implications of operational risk management.



  • Students need to successfully complete a 50 multiple-choice question exam online, based solely on the content of the Workbook chapters, to attain the Certificate in Operational Risk Management. Students have 75 minutes to answer all of the questions and will be advised, on a provisional basis, whether they have passed or failed the examination upon its completion. If successful, they will receive the Certificate. Further details may be found in the Student Handbook on the IOR Education web portal.
  • The exam is available in English only.
  • Students should refer to the IOR website for the latest information on changes to law and practice and when they will be examined.


Examination specification

Each examination paper is constructed from a specification that determines the weightings that will be given to each unit. The specification is given below. It is important to note that the numbers quoted may vary slightly from examination to examination as there is some flexibility to ensure that each examination has a consistent level of difficulty. However, the number of questions tested in each element should not change by more than plus or minus 1.

Examination specification

  • 50 multiple choice questions.
Element Number Element Questions
1.     Fundamentals of Operational Risk 5
2.     Management of Operational Risk 6
3.     Operational Risk Appetite 5
4.     Operational Risk Tools – Categorisation 3
5.     Operational Risk Tools – Risk and Control Self-Assessment 7
6.     Operational Risk Tools – Operational Risk Indicators 7
7.     Operational Risk Tools – Events and Losses 7
8.     Operational Risk Tools – Scenario Analysis 7
9.     The Regulatory Treatment of Operational Risk 3
Total 50

Changes to Syllabus for 2017
Version Change Author
V1.0 Issued for CORM Soft Launch in May 2017. The Syllabus was written by the Institute of Operational Risk in collaboration with ATHE (Awards for Training and Higher Education), an awarding organisation regulated by Ofqual.

The content of this document is the property of IOR Enterprises Limited. It is made available on the understanding that no part of it shall be modified, copied, stored in a retrieval system, or transmitted in any form, by any means or supplied to a third party without prior written consent of IOR Enterprises Limited.

The content of this document does not constitute a contractual agreement with IOR Enterprises Limited. IOR Enterprises Limited accepts no obligations associated with this document except as expressly agreed in writing. The information contained in this document is subject to change. All rights reserved.

© IOR Enterprises Limited 2017

You may download the syllabus as a PDF here: 

©2017 The Institute of Operational Risk. All Rights reserved Site designed and powered by Eko UK Limited

Log in with your credentials

Forgot your details?