ATU| Qualifi Certified Professional in Operational Risk Management
(ATU| QCP-ORM) Assessed Certificate
Qualifi Endorsed Course for Arab Trainers Union
|
Document purpose |
Foundational specification for programme design, approval, delivery, assessment, and quality assurance. |
|
Programme status |
Qualifi Endorsed course specification. |
|
Primary market |
Banking, fintech, insurance, payments, regulated services, large enterprises, and professionals responsible for operational risk, control, resilience, and assurance. |
|
Recommended duration |
80 guided learning hours plus 80 independent/applied learning hours over 6–12 weeks standard delivery, or 4–6 weeks intensive. |
|
Version |
Version ATU-1.0 | launch specification | June 2026 |
Important positioning note
• This programme is designed as a Qualifi Endorsed Course offered by Arab Trainers Union and The Association of Banks in Jordan (ABJ).
• The course should be marketed and certificated as an endorsed professional certificate, not as a regulated qualification on the Regulated Qualifications Framework.
• No QAN, RQF credit value, or formal regulated level claim should be used.
Purpose of this specification
This specification defines the design architecture, learner standard, delivery model, assessment framework, quality assurance controls, and launch requirements for the Qualifi Certified Professional in Operational Risk Management (ATU| QCP-ORM) Certificate. It is intended to serve as the controlling document for programme development, trainer approval, learner onboarding, assessment design, internal quality assurance, and continuous review.
The specification adapts the discipline, structure, and quality expectations seen in formal risk-management programmes while remaining suitable for an endorsed-course environment. It therefore combines the clarity of a qualification-style handbook with the flexibility expected of a professional certification programme.
Programme rationale and market need
Operational risk has expanded far beyond traditional process-failure and loss-event management. Current practice expects risk professionals to understand governance, risk appetite, controls, key risk indicators, event data, scenario analysis, operational resilience, ICT and cyber risk, third-party dependency risk, incident response, business continuity, and assurance interactions across the three lines.
§ Financial-sector standards now explicitly connect operational risk management with change management, ICT, business continuity, and resilience testing.
§ Contemporary operating models require stronger control over outsourcing, critical ICT providers, data integrity, cyber disruption, and cross-functional incident management.
§ Benchmark certificate programmes in the market emphasize practical frameworks, measurement methodologies, and scenario-based application rather than theory alone.
§ Employers increasingly expect professionals to translate policy into evidence: dashboards, risk registers, RCSA outputs, KRIs, loss-event reporting, action tracking, and assurance-ready documentation.
ATU| QCP-ORM is therefore designed as an applied professional certificate that validates a learner’s ability to interpret operational risk standards and use them in realistic workplace situations.
Programme status and award statement
The ATU| QCP-ORM Certificate is an endorsed professional course. It is not intended to replicate a regulated qualification and should not be described as an Ofqual-regulated award. Qualifi endorsement confirms confidence in the centre’s ability to develop and deliver a quality course within its area of expertise; it does not in itself place the programme on the Regulated Qualifications Framework.
|
Award title |
Qualifi Certified Professional in Operational Risk Management (ATU| QCP-ORM) Certificate |
|
Award category |
Professional certification / endorsed course |
|
Awarding/endorsement route |
Qualifi Endorsed Courses for Arab Trainers Union, lead delivery centre for Qualifi purposes and delivered by Arab Trainers Union & The Association of Banks in Jordan (ABJ) |
|
Regulatory status |
Non-regulated. Quality Assured |
|
Credit claim |
No formal RQF credit claim to be used in marketing or certification |
|
Certification condition |
Successful completion of all required learning and assessment components |
Target learner profile
The programme is intended for:
§ Operational risk officers, analysts, and coordinators
§ Risk and control self-assessment (RCSA) owners and facilitators
§ Internal control, compliance, conduct-risk, and governance staff
§ Business continuity, resilience, incident management, and crisis-response professionals
§ Operations, technology, information-security, outsourcing, and third-party risk managers
§ Internal audit staff transitioning into second-line or integrated risk roles
§ Supervisory, regulatory, or assurance professionals needing operational-risk literacy
Entry requirements
Recommended entry requirements are intentionally professional rather than academic:
1. Either a degree level education or equivalent professional experience.
2. At least two years of relevant experience in risk, audit, compliance, operations, technology, resilience, finance, or internal control; exceptionally, lecturers and high-potential learners may be admitted via diagnostic interview and manager endorsement.
3. Sufficient language proficiency for the delivery medium. For Arabic-medium cohorts, learners should be able to produce professional written reports in Arabic; English reading ability is desirable because many reference frameworks are published in English.
4. Basic digital literacy, including spreadsheets, document preparation, and virtual-learning participation.
Recognition of prior learning and advanced standing
Recognition of prior learning (RPL) may be used for entry, but not for automatic full certification. Learners may use prior experience or prior study to demonstrate readiness for the programme, yet all summative assessment requirements of ATU| QCP-ORM must still be completed.
Programme aims
- Develop a deep and practical understanding of operational risk management concepts, terminology, and governance;
- Enable learners to design and operate an operational risk management framework aligned with risk appetite and organisational objectives;
- Build competence in risk identification, control evaluation, RCSA design, scenario analysis, event management, and key risk indicator reporting;
- Strengthen applied capability in operational resilience, business continuity, incident response, ICT/cyber risk interaction, and third-party dependency management;
- Improve the learner’s ability to communicate operational-risk information to management, boards, and assurance functions;
- Support the ethical and professional conduct expected in high-trust and regulated environments.
Learning Outcomes and Assessment Criteria
|
Learning Outcomes |
Assessment Criteria |
|
Learning Outcome 1 Understand the nature, drivers, and context of operational risk. |
1.1 Define operational risk in an organisational context. |
|
Learning Outcome 2 Understand operational risk governance and the design of an operational risk management framework. |
2.1 Interpret the responsibilities of boards and senior management in operational risk governance. |
|
Learning Outcome 3 Be able to identify, assess, analyse, and report operational risk using structured methods. |
3.1 Conduct operational risk identification using process analysis or activity review. |
|
Learning Outcome 4 Be able to evaluate operational-risk exposures and prepare evidence-based recommendations that support resilience and professional practice. |
4.1 Evaluate operational-risk implications arising from technology dependency, cyber events, data issues, model use, outsourcing, and critical third-party relationships. 4.2 Assess the role of business continuity, incident response, disruption testing, and dependency mapping in operational resilience. 4.3 Analyse lessons learned from incidents, near misses, or case material to identify improvement priorities. 4.4 Prepare a coherent operational risk recommendation, dashboard, or action plan based on case material or workplace evidence. 4.5 Demonstrate ethical judgment, confidentiality awareness, and professional communication in presenting operational risk findings and recommendations. |
Assessment Approach
For an endorsed professional certificate, this Program could be assessed through a combination of:
- written assignment
- case-study analysis
- practical RCSA or risk-reporting task
- short professional presentation
- workplace-based evidence, where available
- Knowledge test
Programme size, duration, and delivery model
|
Measure |
Standard route |
Intensive route |
Notes |
|
Guided learning hours |
80 |
80 |
Tutor-led classes, workshops, supervised labs, webinars, feedback clinics |
|
Independent/applied learning |
80 |
80 |
Pre-reading, workplace application, case preparation, assignments, revision |
|
Total notional learning hours |
160 |
160 |
Used for planning only; not an RQF credit claim |
|
Duration |
6–12 weeks |
4–6 weeks |
Final schedule may vary by cohort and contact pattern |
|
Class pattern |
1–2 sessions per week |
2–3 sessions per week |
May be delivered evenings or weekends |
|
Assessment window |
Throughout course + final assessment period |
Condensed, scheduled milestones |
No compensation between components |
Delivery modes are face-to-face, live online, or blended. Fully asynchronous delivery is not recommended for the main certified version because coached discussion, applied workshops, and supervised assessment are important to the standard of the award.
Programme structure
The programme is organised into four mandatory modules, each aligned to one of the overall programme learning outcomes. The modular design reflects current operational-risk practice and professional certification expectations, while maintaining a clear applied focus on governance, framework design, risk assessment, resilience, and professional recommendations.
|
Module |
Module title |
Linked learning outcome |
GLH |
Independent hours |
Primary summative evidence |
|
M1 |
Operational Risk Foundations, Drivers, Taxonomy, and Risk Context |
LO1 |
20 |
10 |
Knowledge checks and analytical written task |
|
M2 |
Operational Risk Governance and Framework Design |
LO2 |
20 |
30 |
Governance critique, framework design task, or policy memo |
|
M3 |
Operational Risk Identification, Assessment, Analysis, and Reporting |
LO3 |
20 |
20 |
Applied RCSA, control review, and dashboard/reporting assignment |
|
M4 |
Technology, Third-Party Risk, Operational Resilience, and Professional Recommendations |
LO4 |
20 |
20 |
Integrated case study, resilience analysis, and action plan/presentation |
Assessment strategy
Because ATU| QCP-ORM is a professional certification programme rather than an attendance course, assessment must validate applied competence as well as knowledge. The model therefore combines supervised knowledge testing with workplace-style written outputs and professional discussion.
|
Component |
Type |
Weight |
Indicative size |
Minimum component pass |
Purpose |
|
A1 |
Supervised knowledge examination |
30% |
90 minutes; MCQ + short scenarios |
60% |
Tests breadth of knowledge and decision logic |
|
A2 |
Applied assignment: ORMF / RCSA / controls |
25% |
2,500–3,000 words or equivalent pack |
60% |
Tests framework design and risk assessment capability |
|
A3 |
Risk information and escalation case |
20% |
1,800–2,500 words plus dashboard |
60% |
Tests reporting, metrics, and management communication |
|
A4 |
Integrated resilience and third-party case study |
15% |
1,500–2,000 words |
60% |
Tests resilience, incident, ICT, and dependency judgment |
|
A5 |
Professional discussion or presentation |
10% |
15–20 minutes |
Pass/competent |
Tests defensible reasoning and professional communication |
Award rule: learners must achieve an overall minimum of 65% and pass every mandatory component. No compensation should be permitted between the examination and applied components.
Assessment principles and controls
§ Assessment briefs must be standardised across cohorts and version controlled.
§ Case studies should reflect real or realistic operating environments and include evidence sets, committee papers, event logs, or dashboard extracts where appropriate.
§ The supervised knowledge exam will invigilate on-site or supervised live online with robust identity checks and malpractice controls.
§ Assignments must include authenticity declarations and be screened for plagiarism, collusion, and inappropriate use of generative AI.
§ Assessors should annotate against published marking rubrics and clearly identify where the evidence meets the standard.
§ Learners will receive formative feedback before final submission, but this must not amount to coaching the answer.
§ Resubmission should be permitted once for referred components within a defined assessment cycle.
Grading and award rules
|
Rule |
Standard |
|
Award classification |
Pass / Refer |
|
Overall pass threshold |
65% minimum overall |
|
Component threshold |
60% minimum on A1–A4 and competent pass on A5 |
|
Completion rule |
All modules are mandatory and all summative components must be passed |
|
Compensation |
Not permitted |
|
Resubmission |
One further attempt per referred component within published reassessment rules |
|
Certification decision |
Issued only after internal verification and final centre approval |
Delivery methodology
The pedagogy is practice-led. The course should not rely on lecture-only delivery. Each module should blend concept explanation with workshops, mini-cases, dashboards, policy excerpts, loss-event reviews, scenario exercises, and facilitator-led discussion.
- Tutor-led briefings to introduce concepts and standards
- Short applied workshops using operational-risk templates and case facts
- Peer discussion on risk judgments and escalation choices
- Template-based exercises such as risk registers, RCSA sheets, issue logs, and committee papers
- Capstone integration exercises that combine governance, resilience, technology, and third-party issues
Equality, accessibility, malpractice, and data protection
The centre should operate fair-access, reasonable-adjustment, special-consideration, and anti-malpractice arrangements that are clear, documented, and auditable. All learner data, assessment scripts, identity records, and results information must be stored securely and processed according to applicable data-protection requirements.
Certification and transcript recommendation
The certificate should state:
- Award title: Qualifi Certified Professional in Operational Risk Management (ATU| QCP-ORM) Certificate
- Award route: Qualifi Endorsed Course
- Delivery centre: The Association of Banks in Jordan (ABJ) and Arab Trainers Union
- Issue date, certificate number, authorised signatures, and verification statement
This is an endorse profession program there will be no transcript or result letter issue. Marketing or certificates must avoid statements that imply the award is an Ofqual-regulated qualification.
Progression opportunities
- Advanced responsibilities in operational risk, control, resilience, governance, or assurance roles;
- Specialist development in business continuity, third-party risk, cyber risk, control testing, or compliance risk;
- Progression to broader enterprise risk or regulated qualifications in risk, governance, business, or finance, where separately admitted;
- Employer-recognised CPD pathways and internal talent-development tracks.



