Security and Resilience in Organizations and their Supply Chains

Annex A


A.5 Establishing the Framework

A.5.1 Understanding the Organization and its Context

The organization establishes the context of its ORMS by identifying and understanding the internal and external influences and the environment in which it operates. By establishing the context, an organization can define the scope of its ORMS and design a fit-for-purpose ORMS framework. This should help assure that the organization meets the objectives, needs, and concerns of internal and external stakeholders (e.g., clients, supply chain partners, subcontractors, local communities). The context determines the criteria for managing risk to the organization, its clients, and impacted communities, thereby providing a basis for setting the risk criteria and parameters used in the risk assessment and treatment processes.

External context includes:

  • Social, socio-economic, environmental, geographic, political, cultural, competitive, business, financial, supply chain, interdependencies, and community factors;
  • Key drivers and trends having impact on objectives;
  • Client and supply chain needs and requirements; and
  • Needs, interests, and perceptions of external stakeholders.

Internal context includes:

  • Policies, processes, and business mission;
  • Capabilities, resources and knowledge (people, processes, systems, technology, time, and capital);
  • Overall risk management strategy;
  • Information – systems, flows, and decision-making processes;
  • Nature of internal supply chains;
  • Internal stakeholders;
  • Objectives and strategies of the organization;
  • Perception, values, and culture;
  • Policies and processes; and
  • Governance, roles, and accountabilities.

During the process of establishing the internal and external context, the organization should identify the significant tangible and intangible assets of the organization. This includes identifying the relative importance of various types of assets to the viability and success of the organization.

A.5.2 Enterprise Value of Tangible and Intangible Assets and Services

In order to understand the organization, it is necessary to identify the people, assets, and services that provide the enterprise with tangible and intangible value. People involved in or affected by the organization include employees, customers, visitors, vendors, patients, guests, passengers, tenants, contract employees, and any other persons who are lawfully present on the property being assessed. Unauthorized persons (such as trespassers) also need to be considered in the risk assessment. Property includes real estate, land and buildings, and facilities; transport mechanisms; tangible property such as cash, precious metals, and stones; monitoring, control, data, and communication systems; support infrastructure and instruments; materials (e.g., raw materials, process materials, finished goods, and hazardous materials); high-theft items (e.g., drugs, securities, cash); and almost anything else that can provide value or be stolen, damaged, or otherwise affected.

Intangible assets include the brand, goodwill, or reputation of an enterprise that could be impacted. Another high-value intangible asset is information. Information includes intellectual property, export-controlled technology, and proprietary data (e.g., trade secrets, marketing plans, social media interaction, business expansion plans, plant closings, confidential personal information about employees, customer lists, and other data) that, if stolen, altered, or destroyed, could cause harm to the organization.

Services provided to internal and external stakeholders are important parts of the organization’s value chain and may be affected. For example, non-availability of IT or accounting services may have an impact on the organization, its operations, and its assets.

The enterprise value of assets and services should be considered within the context of:

  • Value relative to critical mission activities, services, and products;
  • Exclusive possession;
  • Utility;
  • Cost of creation or re-creation;
  • Criticality and competitive edge;
  • Critical human resources and knowledge;
  • Operational and business impact (including dependencies and interdependencies);
  • Cost of lost opportunity;
  • Shelf life of the asset;
  • Reputation and brand impact; and
  • Other considerations important to management or clients.

The value of an asset and service should be considered within the context of how the assets contribute to the organization’s achievement of its objectives. While organizations may have a myriad of assets, products and services, typically not all are mission critical. Therefore, in addition to considering the monetary value of assets, valuation should consider how the asset fits within the value chain of the organization and its relative value in achieving strategic, tactical, operational, and reputational objectives.

A.5.3 Supply Chain and Subcontractor Node Analysis

Supply chains and the use of subcontractors are typically integral parts of any organization’s operations. While there is significant interdependence within a supply chain, each individual node of a supply chain is unique in certain respects. This uniqueness may require unique approaches to managing the risks involved. Therefore, to manage the risks within a supply chain, the organization needs to identify:

  • The role of organizations and individuals at each tier or level of its upstream and downstream supply chain or network;
  • The interdependencies and supporting infrastructure critical to mission success;
  • How each node adds value, directly or indirectly, to the performance of other members of the chain;
  • How each node has the potential to contribute to the risk profile of the organization, both positively and negatively; and
  • How each node influences the success of the management system in minimizing risk.

When conducting node analysis, the organization should recognize that decisions taken at an individual node can have chain-wide implications. Therefore, the risk factors throughout the supply chain need to be understood and controlled for successful implementation of the ORMS.

A.5.4 Scope of ORMS System

An organization has the freedom to define the boundaries for implementing its ORMS. It may choose to implement the ORMS across the entire organization, specific operating units, discrete geographic locations, or clearly defined supply chain flows. These scoping boundaries reflect top management objectives for the ORMS, and the size, nature, and complexity of the organization and its activities. Once top management defines the ORMS scope, all assets, activities, products, and services within that scope become elements of concern within the ORMS.

The organization should justify all exclusions from the scope of the ORMS, basing the justification on the risk assessment. Exclusions may include services or operations that the organization is unable to control; however, exclusions do not negate the organization’s responsibility to value the sanctity of human life or its obligations to respect human rights, laws, and its voluntary commitments. The scope should ensure the integrity of the organization and its supply chain. The credibility of the ORMS depends on the choice of organizational boundaries defined in the scope.

Outsourced and subcontracted activities remain the organization’s responsibility and should be within the ORMS. If an outsourced or subcontracted product, service, activity, or part of the organization’s supply chain remains under the organization’s risk accountability and management control, then top management should place it within the scope of the ORMS. The organization should make appropriate agreements with, and take appropriate measures toward, its subcontractors and outsource partners to assure that effective ORMS arrangements are in place.

The level of detail and complexity of the ORMS, the extent of documentation required, and resources committed to the ORMS should guide the ORMS scope statement. When the organization implements the Standard for a specific operating unit, then the organization may use applicable policies, plans, and procedures developed by other parts of the organization to satisfy the requirements of this Standard.

A Statement of Applicability defines the strategic weighting of risk-related disciplines such as security management, preparedness, information security management, emergency management, disaster management, crisis management, and business continuity management in developing the management system, based on the risk assessment.
