RIMS-CRMP Stories
Heather Moldowan: Bridging Operational Knowledge with Strategic Insight

Heather Moldowan is a strategy and risk management consultant at Optiv, a cybersecurity firm headquartered in Denver, Colorado. Based in Calgary, Canada, Heather took her risk knowledge to the next level by passing the RIMS-CRMP exam in 2023. She discussed why other enterprise risk management (ERM) and cyberrisk professionals should pursue the certification to build on their experience.
RIMS: What inspired you to pursue the RIMS-CRMP?
Moldowan: I have a unique background, starting in sales, moving into IT/cybersecurity talent acquisition, talent management and resource management, and then eventually crossing over into cyber risk management consulting.
My passion for risk management began at that point, but I wanted to expand my knowledge beyond cyberrisk. Cyberrisk is an enterprise risk that all organizations must contend with, but all too often cyber and IT teams exist in silos and don't speak the language of the business—the two groups don't always communicate well. I wanted to help bridge this gap in the industry by approaching it from both sides. The RIMS-CRMP offered me the exact type of education I sought—strategic, business-focused, enterprise risk management.
RIMS: You have deep experience in ERM and cyber. How were those two areas addressed in the exam?
Moldowan: The exam emphasizes the strategic role of ERM by focusing on aligning risk with organizational objectives. What stood out to me was how the scenarios required thinking beyond technical controls, encouraging a holistic understanding of risk, governance, and resilience. It reflected the way risk professionals today must bridge operational knowledge with strategic insight, especially in evolving areas like cyber. The exam reinforced the importance of risk-informed decision-making at all levels of the organization, which is critical in both ERM and cybersecurity contexts.
RIMS: How does the RIMS-CRMP coincide with your other certifications?
Moldowan: My RIMS-CRMP and Certified Information Systems Security Professional (CISSP) certifications are a powerful combination. The CISSP grounds my work in cybersecurity with a strong understanding of controls, governance, and threat management, while the RIMS-CRMP adds a broader enterprise risk perspective—connecting cybersecurity risks to organizational strategy, performance, and resilience. This alignment helps me bridge the gap between cybersecurity and executive-level risk conversations, ensuring that cybersecurity is integrated into overall enterprise risk management and decision-making processes.
RIMS: Can you share an example of a time when your RIMS-CRMP training helped you communicate risk insights more effectively to senior leadership?
Moldowan: One example that stands out is when I facilitated a risk appetite workshop for senior leadership as part of a broader enterprise risk management refresh. Drawing on the principles from my RIMS-CRMP learning, I structured the session to move beyond abstract risk concepts and focused on how risk appetite directly supports strategic decision-making.
RIMS: How did you study for the exam?
Moldowan: I really like the structure of the RIMS-CRMP certification—it's about truly understanding concepts, rather than memorizing a textbook. I set a goal to study for six weeks, 15-20 hours of study per week. I relied on the examination study guide, focusing on the domains and learning objectives that I needed to further my understanding. I utilized a broad array of resources: I think I consumed almost every resource on the RIMS website, read various frameworks (ISO 31000, COSO ERM), listened to podcasts (including the RIMS podcast), watched YouTube videos, read whitepapers, attended webinars, and read a couple of great books.
RIMS: What does professional growth look like to you now, and how has the RIMS-CRMP credential played a role in shaping your career trajectory and goals?
Moldowan: My risk management career started in cyber, moved into ERM, and I now find myself back in cyber, but with an entirely different perspective. I am a more business-focused, strategic-thinking cyberrisk management consultant, and the RIMS-CRMP gave me the foundation to do that. I'm excited to continue helping organizations build strategic cyber risk programs that fit with their business. Currently, I'm expanding my knowledge in the areas of cyber resilience and business continuity management—helping companies plan for cyber risk events, as it's truly not a matter of "if" an attack happens, but rather "when."
RIMS: Have you found that holding the RIMS-CRMP credential has opened doors to new opportunities or leadership roles that might not have been available otherwise?
Moldowan: The biggest opportunities I see are to speak on cyber risk with leaders and boards, in a language that resonates. This has helped my clients succeed in getting the buy-in from leadership they need to do the important work of cyber risk management.
RIMS: How do you plan to recertify?
Moldowan: I have just recently recertified. I accrued credits by attending RISKWORLD 2025 in Chicago, building risk management programs, and of course am always reading, learning, and listening to RIMScast to keep up with the latest risk trends.
Interview by Justin Smulison, RIMS Business Content Manager