ATU| Qualifi Certified Professional in Operational Risk Management

ATU| Qualifi Certified Professional in Operational Risk Management

(ATU| QCP-ORM) Assessed Certificate

Qualifi Endorsed Course for Arab Trainers Union

Document purpose

Foundational specification for programme design, approval, delivery, assessment, and quality assurance.

Programme status

Qualifi Endorsed course specification.

Primary market

Banking, fintech, insurance, payments, regulated services, large enterprises, and professionals responsible for operational risk, control, resilience, and assurance.

Recommended duration

80 guided learning hours plus 80 independent/applied learning hours over 612 weeks standard delivery, or 46 weeks intensive.

Version

Version ATU-1.0 | launch specification | June 2026

Important positioning note

This programme is designed as a Qualifi Endorsed Course offered by Arab Trainers Union and The Association of Banks in Jordan (ABJ).

The course should be marketed and certificated as an endorsed professional certificate, not as a regulated qualification on the Regulated Qualifications Framework.

No QAN, RQF credit value, or formal regulated level claim should be used.

Purpose of this specification

This specification defines the design architecture, learner standard, delivery model, assessment framework, quality assurance controls, and launch requirements for the Qualifi Certified Professional in Operational Risk Management (ATU| QCP-ORM) Certificate. It is intended to serve as the controlling document for programme development, trainer approval, learner onboarding, assessment design, internal quality assurance, and continuous review.

The specification adapts the discipline, structure, and quality expectations seen in formal risk-management programmes while remaining suitable for an endorsed-course environment. It therefore combines the clarity of a qualification-style handbook with the flexibility expected of a professional certification programme.

Programme rationale and market need

Operational risk has expanded far beyond traditional process-failure and loss-event management. Current practice expects risk professionals to understand governance, risk appetite, controls, key risk indicators, event data, scenario analysis, operational resilience, ICT and cyber risk, third-party dependency risk, incident response, business continuity, and assurance interactions across the three lines.

§  Financial-sector standards now explicitly connect operational risk management with change management, ICT, business continuity, and resilience testing.

§  Contemporary operating models require stronger control over outsourcing, critical ICT providers, data integrity, cyber disruption, and cross-functional incident management.

§  Benchmark certificate programmes in the market emphasize practical frameworks, measurement methodologies, and scenario-based application rather than theory alone.

§  Employers increasingly expect professionals to translate policy into evidence: dashboards, risk registers, RCSA outputs, KRIs, loss-event reporting, action tracking, and assurance-ready documentation.

 

ATU| QCP-ORM is therefore designed as an applied professional certificate that validates a learner’s ability to interpret operational risk standards and use them in realistic workplace situations.

Programme status and award statement

The ATU| QCP-ORM Certificate is an endorsed professional course. It is not intended to replicate a regulated qualification and should not be described as an Ofqual-regulated award. Qualifi endorsement confirms confidence in the centre’s ability to develop and deliver a quality course within its area of expertise; it does not in itself place the programme on the Regulated Qualifications Framework.

Award title

Qualifi Certified Professional in Operational Risk Management (ATU| QCP-ORM) Certificate

Award category

Professional certification / endorsed course

Awarding/endorsement route

Qualifi Endorsed Courses for Arab Trainers Union, lead delivery centre for Qualifi purposes and delivered by Arab Trainers Union & The Association of Banks in Jordan (ABJ)

Regulatory status

Non-regulated. Quality Assured

Credit claim

No formal RQF credit claim to be used in marketing or certification

Certification condition

Successful completion of all required learning and assessment components

Target learner profile

The programme is intended for:

§  Operational risk officers, analysts, and coordinators

§  Risk and control self-assessment (RCSA) owners and facilitators

§  Internal control, compliance, conduct-risk, and governance staff

§  Business continuity, resilience, incident management, and crisis-response professionals

§  Operations, technology, information-security, outsourcing, and third-party risk managers

§  Internal audit staff transitioning into second-line or integrated risk roles

§  Supervisory, regulatory, or assurance professionals needing operational-risk literacy

Entry requirements

Recommended entry requirements are intentionally professional rather than academic:

1.      Either a degree level education or equivalent professional experience.

2.      At least two years of relevant experience in risk, audit, compliance, operations, technology, resilience, finance, or internal control; exceptionally, lecturers and high-potential learners may be admitted via diagnostic interview and manager endorsement.

3.      Sufficient language proficiency for the delivery medium. For Arabic-medium cohorts, learners should be able to produce professional written reports in Arabic; English reading ability is desirable because many reference frameworks are published in English.

4.      Basic digital literacy, including spreadsheets, document preparation, and virtual-learning participation.

Recognition of prior learning and advanced standing

Recognition of prior learning (RPL) may be used for entry, but not for automatic full certification. Learners may use prior experience or prior study to demonstrate readiness for the programme, yet all summative assessment requirements of ATU| QCP-ORM must still be completed.

Programme aims

  • Develop a deep and practical understanding of operational risk management concepts, terminology, and governance;
  • Enable learners to design and operate an operational risk management framework aligned with risk appetite and organisational objectives;
  • Build competence in risk identification, control evaluation, RCSA design, scenario analysis, event management, and key risk indicator reporting;
  • Strengthen applied capability in operational resilience, business continuity, incident response, ICT/cyber risk interaction, and third-party dependency management;
  • Improve the learner’s ability to communicate operational-risk information to management, boards, and assurance functions;
  • Support the ethical and professional conduct expected in high-trust and regulated environments.

Learning Outcomes and Assessment Criteria

Learning Outcomes

Assessment Criteria

Learning Outcome 1

Understand the nature, drivers, and context of operational risk.

1.1 Define operational risk in an organisational context.
1.2 Explain the main drivers, sources, and categories of operational risk.
1.3 Distinguish operational risk from enterprise risk, compliance risk, and conduct risk.
1.4 Analyse the relationship between operational risk and organisational resilience.
1.5 Classify examples of operational risk exposures using an appropriate risk taxonomy.

Learning Outcome 2

Understand operational risk governance and the design of an operational risk management framework.

2.1 Interpret the responsibilities of boards and senior management in operational risk governance.
2.2 Explain the roles of first-line management, second-line risk functions, and third-line assurance in managing operational risk.
2.3 Analyse the purpose of policy, risk appetite, risk tolerance, and control environment within an operational risk management framework.
2.4 Evaluate the importance of escalation and reporting arrangements in supporting risk oversight and decision-making.
2.5 Design the core elements of an operational risk management framework for an organisation or case-study context.

Learning Outcome 3

Be able to identify, assess, analyse, and report operational risk using structured methods.

3.1 Conduct operational risk identification using process analysis or activity review.
3.2 Carry out a structured risk and control self-assessment (RCSA) for a business area, process, or case scenario.
3.3 Apply scenario analysis, control evaluation, and event review to assess operational risk exposures.
3.4 Produce and interpret operational risk information using key risk indicators, threshold triggers, loss-event data, issue logs, and action plans.
3.5 Prepare a concise operational risk report or dashboard for management purposes.

Learning Outcome 4

Be able to evaluate operational-risk exposures and prepare evidence-based recommendations that support resilience and professional practice.

4.1 Evaluate operational-risk implications arising from technology dependency, cyber events, data issues, model use, outsourcing, and critical third-party relationships.

4.2 Assess the role of business continuity, incident response, disruption testing, and dependency mapping in operational resilience.

4.3 Analyse lessons learned from incidents, near misses, or case material to identify improvement priorities.

4.4 Prepare a coherent operational risk recommendation, dashboard, or action plan based on case material or workplace evidence.

4.5 Demonstrate ethical judgment, confidentiality awareness, and professional communication in presenting operational risk findings and recommendations.

Assessment Approach

For an endorsed professional certificate, this Program could be assessed through a combination of:

  • written assignment
  • case-study analysis
  • practical RCSA or risk-reporting task
  • short professional presentation
  • workplace-based evidence, where available
  • Knowledge test

Programme size, duration, and delivery model

Measure

Standard route

Intensive route

Notes

Guided learning hours

80

80

Tutor-led classes, workshops, supervised labs, webinars, feedback clinics

Independent/applied learning

80

80

Pre-reading, workplace application, case preparation, assignments, revision

Total notional learning hours

160

160

Used for planning only; not an RQF credit claim

Duration

612 weeks

46 weeks

Final schedule may vary by cohort and contact pattern

Class pattern

1–2 sessions per week

2–3 sessions per week

May be delivered evenings or weekends

Assessment window

Throughout course + final assessment period

Condensed, scheduled milestones

No compensation between components

Delivery modes are face-to-face, live online, or blended. Fully asynchronous delivery is not recommended for the main certified version because coached discussion, applied workshops, and supervised assessment are important to the standard of the award.

Programme structure

The programme is organised into four mandatory modules, each aligned to one of the overall programme learning outcomes. The modular design reflects current operational-risk practice and professional certification expectations, while maintaining a clear applied focus on governance, framework design, risk assessment, resilience, and professional recommendations.

Module

Module title

Linked learning outcome

GLH

Independent hours

Primary summative evidence

M1

Operational Risk Foundations, Drivers, Taxonomy, and Risk Context

LO1

20

10

Knowledge checks and analytical written task

M2

Operational Risk Governance and Framework Design

LO2

20

30

Governance critique, framework design task, or policy memo

M3

Operational Risk Identification, Assessment, Analysis, and Reporting

LO3

20

20

Applied RCSA, control review, and dashboard/reporting assignment

M4

Technology, Third-Party Risk, Operational Resilience, and Professional Recommendations

LO4

20

20

Integrated case study, resilience analysis, and action plan/presentation

Assessment strategy

Because ATU| QCP-ORM is a professional certification programme rather than an attendance course, assessment must validate applied competence as well as knowledge. The model therefore combines supervised knowledge testing with workplace-style written outputs and professional discussion.

Component

Type

Weight

Indicative size

Minimum component pass

Purpose

A1

Supervised knowledge examination

30%

90 minutes; MCQ + short scenarios

60%

Tests breadth of knowledge and decision logic

A2

Applied assignment: ORMF / RCSA / controls

25%

2,500–3,000 words or equivalent pack

60%

Tests framework design and risk assessment capability

A3

Risk information and escalation case

20%

1,800–2,500 words plus dashboard

60%

Tests reporting, metrics, and management communication

A4

Integrated resilience and third-party case study

15%

1,500–2,000 words

60%

Tests resilience, incident, ICT, and dependency judgment

A5

Professional discussion or presentation

10%

15–20 minutes

Pass/competent

Tests defensible reasoning and professional communication

Award rule: learners must achieve an overall minimum of 65% and pass every mandatory component. No compensation should be permitted between the examination and applied components.

Assessment principles and controls

§  Assessment briefs must be standardised across cohorts and version controlled.

§  Case studies should reflect real or realistic operating environments and include evidence sets, committee papers, event logs, or dashboard extracts where appropriate.

§  The supervised knowledge exam will invigilate on-site or supervised live online with robust identity checks and malpractice controls.

§  Assignments must include authenticity declarations and be screened for plagiarism, collusion, and inappropriate use of generative AI.

§  Assessors should annotate against published marking rubrics and clearly identify where the evidence meets the standard.

§  Learners will receive formative feedback before final submission, but this must not amount to coaching the answer.

 

§  Resubmission should be permitted once for referred components within a defined assessment cycle.

Grading and award rules

Rule

Standard

Award classification

Pass / Refer

Overall pass threshold

65% minimum overall

Component threshold

60% minimum on A1–A4 and competent pass on A5

Completion rule

All modules are mandatory and all summative components must be passed

Compensation

Not permitted

Resubmission

One further attempt per referred component within published reassessment rules

Certification decision

Issued only after internal verification and final centre approval

Delivery methodology

The pedagogy is practice-led. The course should not rely on lecture-only delivery. Each module should blend concept explanation with workshops, mini-cases, dashboards, policy excerpts, loss-event reviews, scenario exercises, and facilitator-led discussion.

  • Tutor-led briefings to introduce concepts and standards
  • Short applied workshops using operational-risk templates and case facts
  • Peer discussion on risk judgments and escalation choices
  • Template-based exercises such as risk registers, RCSA sheets, issue logs, and committee papers
  • Capstone integration exercises that combine governance, resilience, technology, and third-party issues

Equality, accessibility, malpractice, and data protection

The centre should operate fair-access, reasonable-adjustment, special-consideration, and anti-malpractice arrangements that are clear, documented, and auditable. All learner data, assessment scripts, identity records, and results information must be stored securely and processed according to applicable data-protection requirements.

Certification and transcript recommendation

The certificate should state:

  • Award title: Qualifi Certified Professional in Operational Risk Management (ATU| QCP-ORM) Certificate
  • Award route: Qualifi Endorsed Course
  • Delivery centre: The Association of Banks in Jordan (ABJ) and Arab Trainers Union
  • Issue date, certificate number, authorised signatures, and verification statement

This is an endorse profession program there will be no transcript or result letter issue. Marketing or certificates must avoid statements that imply the award is an Ofqual-regulated qualification.

Progression opportunities

  • Advanced responsibilities in operational risk, control, resilience, governance, or assurance roles;
  • Specialist development in business continuity, third-party risk, cyber risk, control testing, or compliance risk;
  • Progression to broader enterprise risk or regulated qualifications in risk, governance, business, or finance, where separately admitted;
  • Employer-recognised CPD pathways and internal talent-development tracks.