Security and Resilience in Organizations and their Supply Chains

Annex A


A. Guidance on the Use of the Standard

NOTE: The additional text given in this annex is strictly informative and is provided to assist in understanding and implementing the requirements contained in this Standard. While this information addresses and is consistent with the requirements of this Standard, it is not intended to add to, subtract from, or in any way modify those requirements.

A.1 Introduction

Organizations need to manage the uncertainties they face in achieving their strategic, operational, tactical, and reputational objectives, both to identify and pursue opportunities and to minimize the likelihood and consequences of natural, intentional, and unintentional events. Natural disasters, environmental accidents, technology mishaps, and man-made crises have historically demonstrated that undesirable and disruptive events can happen, affecting the public and private sectors alike. The challenge goes beyond merely reacting to adversity; it lies in identifying and modifying risk factors before they manifest themselves. Organizations need to engage in a comprehensive and systematic process of anticipation, avoidance, prevention, preparedness, readiness, mitigation, response, continuity, and recovery. Managing risks requires the creation of an ongoing, dynamic, and interactive process that supports proactive risk management and assures the continuation of an organization's core activities and functions before, during, and after an undesirable or disruptive event.

This Standard provides organizations of all sizes and types with the elements needed to achieve and demonstrate proactive risk management and enhanced organizational resilience performance related to their physical facilities, services, activities, products, supply chains, and operations. Organizations do so within the context of:

  • Increasing risks and threats in a dynamic global risk environment;

  • Increased dependencies and interdependencies, including supply chain volatility;

  • Increased threats that do not recognize physical or jurisdictional boundaries (e.g. cyber threats);

  • More stringent legislation and regulation;

  • More competitive business realities;

  • Increasing interdependencies in society due to a global economy (on an organizational, functional, or jurisdictional level);

  • Heightened awareness of the need for adequate security, safety, environmental, emergency response and remediation planning;

  • Concerns of interested and affected parties; and

  • The need to assure continuity and resilience of operations and supply chains.

An undesirable event that is not properly managed can rapidly escalate into a disruptive incident (an emergency, a crisis, or even a disaster). Preparing for a risk event before it occurs can identify opportunities and/or minimize its impact. An unmanaged event can taint an organization's image, reputation, or brand, in addition to resulting in significant physical or environmental damage, injury, or loss of life. This Standard provides a framework to aid organizations in successfully managing risks by developing a strategy and action plan to safeguard their interests and those of their stakeholders.

Proactive planning and preparation for potential risk events can leverage an opportunity, avoid an undesirable event, mitigate event impacts, and minimize the length of a disruption. The holistic, integrated, discipline-neutral approach to risk management, adopting adaptive, proactive, and reactive risk treatment measures, can help avoid a disruption and minimize the suspension of critical services and operations, thereby allowing a return to normal services and operations as rapidly as possible.

This Standard provides guidance or recommendations for any organization in the private, not-for-profit, and public sectors to identify and develop best practices to assist and foster action in:

  • Reducing risks throughout the organization and its supply chain;

  • Providing top management driven vision and leadership for strategies to protect human, tangible and intangible assets and assure the resilience of the organization;

  • Identifying, evaluating and managing risks critical to its short- and long-term success;

  • Minimizing the likelihood and consequences of a wide variety of hazards and threats;

  • Mitigating the impact of a wide variety of hazards and threats, including natural disasters, technological and environmental accidents, and man-made disasters (terrorism and crime);

  • Understanding the roles and responsibilities needed to protect assets and further the mission and achievement of objectives;

  • Managing incident response measures and resources;

  • Developing strategic alliances and mutual aid agreements;

  • Developing, testing and maintaining incident prevention and response plans, and associated operational procedures;

  • Developing and conducting training and exercises to support and evaluate incident/emergency preparedness, response plans, and operational procedures;

  • Developing and conducting training and exercises to support and evaluate prevention, protection, preparedness, mitigation, response, recovery and operational procedures;

  • Ensuring that relevant employees, supply chain partners, customers, suppliers, and other stakeholders are aware of the risk management arrangements and have confidence in their application;

  • Developing internal and external communications procedures, including response to requests for information from the media or the public;

  • Establishing metrics for measuring and demonstrating success;

  • Documenting the key resources, infrastructure, tasks, and responsibilities required to support critical operational functions; and

  • Establishing processes that ensure the information remains current and relevant to the changing risk and operational environments.

It is simply good business for an organization to protect its physical, virtual, and human assets. The success of the management system depends on the commitment of all levels and functions in the organization, especially the organization's top management. Decision makers must be prepared to budget for and secure the necessary resources to make this happen. An appropriate administrative structure must be put in place to deal effectively with prevention, mitigation, and management. This will ensure that all concerned understand who makes decisions, how the decisions are implemented, and what the roles and responsibilities of all persons working on behalf of the organization are. The Standard drives a risk management culture within the organization at all levels. Personnel used for incident management should be assigned these roles as part of their job description and should not be expected to perform them on a voluntary basis. Regardless of the type of organization (for profit, not for profit, faith-based, non-governmental), its leadership has a duty to stakeholders to plan for its survival.

Adaptive and preemptive planning and preparation for potential undesirable and disruptive events will help reduce the likelihood and consequences of an event. The holistic management process can help avoid or minimize the interruption or suspension of mission critical services and operations.

A.2 General Requirements

The implementation of an ORMS specified by this Standard is intended to result in enhanced agility and resilience, including improved security, preparedness, response, continuity, and recovery performance. Therefore, this Standard is based on the premise that the organization will periodically review and evaluate its ORMS to identify opportunities for improvement and implement them. The rate, extent, and timescale of this continual improvement process are determined by the organization in light of its risk profile, economic objectives, and other circumstances. Improvements in its ORMS are intended to support the integration of risk and business management, thereby supporting improved resilience. This Standard requires an organization to:

  • Establish an appropriate ORMS policy;

  • Identify the sources of risk (hazards and threats) related to the organization's past, existing, or planned activities, functions, products, and services to determine the level of risk and the necessary control measures;

  • Identify applicable legal, regulatory and contractual requirements and voluntary commitments to which the organization subscribes;

  • Identify priorities and set appropriate ORMS objectives and targets;

  • Establish a structure and programs to implement the policy and achieve objectives and meet targets;

  • Facilitate planning, control, monitoring, preventive and corrective action, and auditing and review activities to ensure both that the policy is complied with and that the ORMS remains appropriate; and

  • Be capable of adapting to changing circumstances.

Consideration should be given to normal and abnormal operations and functions within the organization, its relationships with relevant stakeholders, and to potential undesirable and disruptive conditions. Tools and methods for undertaking a review might include checklists, conducting interviews, direct inspection and measurement, or results of previous audits or other reviews, depending on the nature of the activities.

An organization has the freedom and flexibility to define its boundaries, and may choose to implement this Standard with respect to the entire organization or to specific operating units of the organization. The organization should define and document the scope of its ORMS.

Scoping is intended to clarify the boundaries of the organization to which the ORMS will apply, especially if the organization is part of a larger organization at a given location. Once the scope is defined, all activities, products, and services of the organization within that scope need to be included in the ORMS. In setting the scope, the credibility of the ORMS will depend upon the choice of organizational boundaries. Where a part of an organization is excluded from the scope of its ORMS, the organization should be able to explain and document the exclusion.

If this Standard is implemented for a specific operating unit, policies and procedures developed by other parts of the organization can be used to meet the requirements of this Standard, provided that they are applicable to the specific operating unit that will be subject to it.

Risk management involves issues and actions before, during, and after a disruptive incident. Therefore, this Standard encompasses avoidance, prevention, deterrence, readiness, mitigation, response, continuity, and recovery. The risk environment, as well as business/operational realities, focuses different strategic weights on each of these components; however, no component should be weighted zero. The Statement of Applicability should explain the strategic weighting of security management, preparedness, emergency management, disaster management, crisis management, and business continuity management in developing the management system, based on the risk assessment and context.

An organization with no existing ORMS should establish its current position with regard to risk management and its capabilities to manage potential risk scenarios by means of a gap analysis. A gap analysis will enable the organization to compare its actual performance with the potential performance needed to meet its objectives. The analysis should consider the organization’s risks (including potential impacts) as a basis for establishing the ORMS.

The gap analysis should cover five key areas:

  • Identification of risks, including those associated with operating conditions, emergency situations, accidents, and potential undesirable and disruptive events;

  • The capacity to identify and pursue opportunities;

  • Identification of applicable legal, regulatory, contractual and other requirements to which the organization subscribes;

  • Evaluation of existing risk management practices and procedures, including those associated with subcontracting activities; and

  • Evaluation of previous emergency situations, and accidents, as well as previous measures taken to prevent and respond to undesirable and disruptive events.

In all cases, consideration should be given to operations and functions within the organization, its relationships with its relevant stakeholders (e.g., clients, supply chain partners, subcontractors, and the local community), and to potentially undesirable, disruptive and emergency conditions. Tools and methods for undertaking a gap analysis may include checklists, conducting interviews, direct inspection and measurement, benchmarking against best practices, or results of previous audits or other reviews, depending on the nature of the activities.

A.3 Management System

A management system is a dynamic and multifaceted process, with each element interacting as a structured set of functional units. It provides a framework that is based on the premise that the component parts of a system can best be understood when viewed in the context of relationships with each other and with other systems, rather than in isolation. The only way to fully understand and implement the elements of a management system is to understand the parts in relation to the whole. Therefore, it should be noted that a management system is not a simple cycle, but rather a complex set of interrelated elements interacting with each other. This results in an iterative process where establishing the context and policy, risk assessment, implementation, operation, evaluation, and review are not a series of consecutive steps, but rather a network of interacting functions.

The management systems approach is characterized by:

  • Understanding the context and environment within which the system operates;
  • Identifying the core elements of the system, as well as the system boundary;
  • Understanding the role or function of each element in the system; and
  • Understanding the dynamic interaction between elements of the system.

The systems approach ensures that holistic strategies and policies are developed. It provides a sound analytical basis for developing strategies and policies that are to be implemented in the complex and changing environment in which the organization operates. Establishing a framework for assessing the risks and effectiveness of strategies and policies prior to and during implementation provides a feedback loop for decision-making throughout the process.

The implementation of the ORMS specified by this Standard is intended to result in:

  • Improved provision of goods, products and services;
  • Security and safety of internal and external stakeholders; and
  • A culture of risk management within the organization and its supply chain.

A.4 General Principles

Organizations should integrate all the principles described in Clause 4 of this Standard into the design of their management system for the ORMS to be successful. The goal is to achieve the organization's objectives and protect assets (human, tangible, and intangible) while enhancing the resilience of the organization and its supply chain. The success of the ORMS will depend on the effectiveness of integrating these principles into the management framework, which drives a risk management culture throughout all levels of the organization. Use of these principles should establish an environment where information is adequately reported and used as a basis for decision-making and accountability at all relevant organizational levels.

The ORMS framework provides key principles, a common language, and clear direction and guidance for decision making. Managing risks is not just the responsibility of management. For an ORMS program to be effective, it needs to be implemented by every person working on behalf of the organization. It is a top-down, bottom-up approach. Managing risk must become an integral part of the organization's culture. Therefore, all risk-makers and risk-takers should be the risk-managers.

All organizations face a certain amount of uncertainty and risk. In order to assure the sustainability of operations and maintain competitiveness and performance, organizations must have a system to manage their risks. The challenge is to assess, evaluate, and treat risk in order to manage risk and uncertainty cost-effectively while meeting the strategic and operational objectives of the organization and its stakeholders. Given the finite resources of organizations, it is imperative that they build a robust management system to address the array of risks they may face.
