Security and Resilience in Organizations and their Supply Chains

Annex A

A.6 Leadership

A.6.1 Management Commitment

The top management of the organization (such as the managing director or chief executive) should demonstrate commitment and resolve to implement the ORMS in the organization. Without top management commitment, no management system can succeed. Top management should demonstrate to its internal and external stakeholders a visible commitment to managing risks and promoting a culture facilitating good business management and enhanced resilience. To initiate and sustain the ORMS effort, top management should communicate to all persons working on behalf of the organization the importance of:

  • Making organizational and individual competence inherent in everything the organization does;

  • Emphasizing that respect for laws, regulations and contractual obligations and voluntary commitments is an integral component of ORMS;

  • Integrating ORMS throughout the organization; and

  • Looking at problems as opportunities for improvement.

The top management should provide evidence of its commitment to the development and implementation of the ORMS and continually improve its effectiveness by:

  • Communicating to the organization the importance of meeting the requirements of this Standard;

  • Setting and communicating the policy and risk criteria;

  • Validating that the risk appetite and the outcomes of the risk assessment process are within the set levels of risk tolerance;

  • Ensuring that ORMS objectives are established at all levels and functions;

  • Appointing one or more individuals within the organization to be responsible for the management system;

  • Ensuring that the responsibilities and authorities for relevant management system roles are assigned and communicated within the organization;

  • Allocating appropriate resources for the management system;

  • Demonstrating commitment to the management system and risk minimization;

  • Promoting awareness of risk and ORMS requirements throughout the organization;

  • Leading by example; and

  • Participating in reviews and driving the continual improvement process.

It is essential that top management of the organization sponsors, provides the necessary resources for, and takes responsibility for creating, maintaining, testing, and implementing a comprehensive ORMS. This will ensure that management and staff at all levels within the organization understand that the ORMS is a critical top management priority and are empowered to support risk and business decision-making processes. It is equally essential that top management adopt a “top-down” approach to the ORMS so that management at all levels of the organization understand their accountability for maintaining the system as part of the overall governance priorities.

A.6.2 ORMS Policy

The ORMS policy is the driver for implementing and improving an organization’s ORMS. This policy should therefore reflect the commitment of top management to:

  • The sanctity of human life and safety as a top priority;

  • The pursuit of opportunities;

  • Avoiding, preventing, and reducing the likelihood and consequences of undesirable and disruptive events;

  • Complying with applicable legal, regulatory, contractual, and voluntary commitments and other requirements;

  • Respecting human rights (including commitments to social responsibility and minimizing the organization’s adverse impacts on stakeholders, the environment, and the community); and

  • Continual improvement.

The ORMS policy is the framework that forms the basis upon which the organization sets its objectives and targets. The ORMS policy should be sufficiently clear to be capable of being understood by internal and external stakeholders and should be periodically reviewed and revised to reflect changing conditions and information. Its area of application (i.e., scope) should be clearly identifiable and should reflect the unique nature, scale, and impacts of the risks of its activities, functions, products, and services.

The ORMS policy should be communicated to all persons who work for or on behalf of the organization, including its clients, customers, supply chain partners, subcontractors, and relevant members of the local community. Communication to subcontractors and other external parties can be in alternative forms to the policy statement itself, such as rules, directives, and procedures. The organization’s ORMS policy should be defined and documented by its top management within the context of the ORMS policy of any broader corporate body of which it is a part and with the endorsement of that body.

An ORMS planning team – including senior leaders from all major organizational functions and support groups – should be appointed to ensure widespread acceptance of the ORMS.

A.6.3 Resources, Roles, Responsibilities, and Authorities

The resources needed for the ORMS should be identified. These include human resources and specialized skills, equipment, internal infrastructure, technology, information, intelligence, and financial resources. Top management should ensure the availability of resources essential for the establishment, implementation, control, testing, and maintenance of the ORMS.

The management system is implemented by people within the organization. One or more qualified persons should be appointed and empowered to implement, test or exercise, and maintain the ORMS. Top management should conduct its own periodic reviews and audits of the overall ORMS. An ORMS planning team, including senior leaders from all major organizational functions and support groups, may be appointed to ensure widespread acceptance of the ORMS.
