
Security and Resilience in Organizations and their Supply Chains


Annex A


A.7 Planning

A.7.1 Legal and Other Requirements

The organization should identify and understand the legal, regulatory, and contractual requirements that affect the achievement of its objectives. Jurisdictional requirements may include international, national, state, and local legal and regulatory requirements. Identifying and understanding these requirements helps to ensure legal compliance, prevent litigation, minimize liability, and improve the organization’s image.

Examples of other requirements to which the organization may subscribe include, if applicable:

  • Business and other contractual obligations;
  • Agreements with public authorities, community groups, or non-governmental organizations;
  • Agreements with clients;
  • Non-regulatory guidelines;
  • Voluntary principles or codes of practice;
  • Product or service stewardship commitments (e.g., warranties);
  • Requirements of trade associations;
  • Public commitments of the organization or its parent organization;
  • Non-binding protocols;
  • Healthcare requirements;
  • Financial obligations;
  • Social responsibility and environmental commitments; and
  • Identity information and privacy requirements.

Specific legal obligations vary by jurisdiction; geographic location; the type and nature of operations; and the location, type, and nature of the organization’s customers. Therefore, it is important that the organization be aware of its obligations within the context of its operating environment.

The organization should identify all relevant statutory, regulatory, contractual, and other requirements and communicate this information to appropriate stakeholders. The organization should evaluate which requirements apply and where they apply, and identify who should receive this information. The organization should explicitly define, document, and keep current its approach to accessing and addressing these requirements. Similarly, the organization should define and document specific operational controls as well as individual responsibilities to meet these requirements.

A.7.2 Internal and External Risk Communication and Consultation

The organization should establish a formal communication and consultation process with appropriate stakeholders both for the collection of risk assessment input information and for the controlled dissemination of the outcomes. Sensitivity and integrity of the information should be considered in the risk communication and consultation processes.

A.7.3 Risk Assessment and Monitoring

Organizations typically operate in inherently dynamic risk environments. They must manage risk to internal and external stakeholders while also managing risk to the organization. The organization needs to achieve its strategic, operational, tactical, and reputational objectives within the context of protecting and creating value. Respecting laws and rights of individuals creates tangible and intangible value for the organization, and therefore is intrinsically a business objective requiring due diligence. The risk assessment provides a clear understanding of the risk environment in order for the organization to make informed decisions in prioritizing its risks and their treatment.

The risk assessment process provides an understanding of the risks that could affect the organization’s achievement of its strategic, operational, tactical, and reputational objectives. The risk assessment should consider both positive and negative outcomes. It is intended to create a systematic process for an organization to identify, analyze, and evaluate risks to determine those that are significant to the organization and its stakeholders. The risk assessment provides a basis for evaluating the adequacy and effectiveness of current controls in place, as well as decisions on the most appropriate approaches to be used in managing and treating risks. It identifies those risks that should be addressed as a priority by the organization’s ORMS. The risk assessment provides the foundation for setting objectives, targets and programs within the management system, as well as measuring the efficacy of the ORMS.

The organization should apply ANSI/ASIS/RIMS RA.1-2015: Risk Assessment.

Figure 2: Process for Managing Risk (based on ISO 31000)

The risk assessment process is conducted within the internal and external context of the organization. Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation:

  • Risk Identification: The process of identifying, grading and documenting risks by means of threat/opportunity analysis, criticality/impact analysis, vulnerability/capability analysis and supply chain analysis. The process considers the causes and sources of risks, as well as events, situations and circumstances that could impact the organization and its stakeholders.

    The identification should include all sources of risk that may present an opportunity to, and/or deter, the organization in achieving its strategic, operational, tactical, and reputational objectives, including the rights, security, and safety of internal and external stakeholders.

  • Risk Analysis: The process of developing an understanding of risk and level of risk. It provides the basis for determining which risks should be treated and the most appropriate method for treating them. It considers the sources of risk, their consequences, and the likelihood that the incident and associated consequences can occur.

    An organization should determine what the consequences of an event upon stakeholders will be if a threat materializes. The level of risk is a function of threat/opportunity analysis, criticality/impact analysis, vulnerability/capability analysis and supply chain analysis as well as the efficacy of existing controls. The level of risk determination considers the likelihood of an event, the likelihood of consequences, and the magnitude of the consequences. It provides the basis for prioritizing the risks that need to be treated;

  • Risk Evaluation: The process of comparing the estimated levels of risk with the risk criteria defined when the context was established. It determines the significance of the level and type of risk. The risk evaluation uses the understanding of the risk obtained in the risk analysis to make decisions about the strategies required for risk prioritization, control and treatment.

The risk assessment provides an understanding of risks, their causes, likelihood and consequences. Therefore, an organization should conduct a comprehensive risk assessment within the scope of its ORMS, taking into account the inputs and outputs (both intended and unintended) associated with:

  • Its activities, products, and services;
  • Interactions with the environment and community;
  • Relations with internal and external stakeholders (e.g., clients, subcontractors, local government); and
  • Infrastructure and interdependencies.

The risk assessment should include a detailed analysis and evaluation of the uncertainties associated with the successful achievement of the organization’s strategic, tactical, operational, and reputational objectives, for example (but not limited to):

  • Tactical risks related to the activities, functions and operations;

  • Risks related to the reputation of the organization and stakeholders;

  • Political and social implications of the organization’s activities;

  • Threats, vulnerabilities, and consequences affecting persons working on behalf of the organization;

  • Threats, vulnerabilities, and consequences affecting local communities and other stakeholders, and the potential impact of operations;

  • Risks related to business relationships, such as the use of subcontractors, outsource partners and interactions with other organizations; and

  • The interrelationships between tactical and operational risks and the need to respect human life and rights.

Many methodologies exist for risk assessments. The organization should establish, implement, and maintain a formal methodology that is documented and repeatable. Assumptions, scope, evaluation criteria, and results should be clearly defined and reviewed by top management.

Since an organization might have many risks, it should establish and document criteria and a methodology to determine those that it will consider significant. There is no single method for determining significant risks. The method used should provide consistent results and include the establishment and application of evaluation criteria, such as those related to exploiting opportunities, protection of life and human rights, the severity of adverse impacts, the organization’s leverage to prevent or mitigate adverse impacts, criticality of activities and functions, downtimes and time frames for recovery, legal issues, and the concerns of internal and external stakeholders. An organization should analyze the likelihood, severity, and consequences of undesirable and disruptive events to its operations and stakeholders, and identify critical operations that are given high priority when developing response and recovery times and objectives.

When assessing consequences, the organization should consider the following:

  • Human cost: Physical and psychological harm to clients, persons working on its behalf, suppliers, local communities, and other stakeholders;

  • Financial cost: Equipment and property replacement, downtime, overtime pay, stock devaluation, lost sales/business, lawsuits, regulatory fines/penalties, etc.;

  • Image cost: Reputation, standing in the community, negative press, loss of clients, etc.;

  • Human rights impacts: Actual and potential adverse human rights impacts on specific people and groups, in particular vulnerable or marginalized groups, within the specific context of operations;

  • Indirect impacts: On the regional economy and reduction in the regional net economy, etc.; and

  • Environmental impacts: Degradation to the quality of the environment or to endangered species.
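The following is an added worked example, not text or code from the standard, showing how the three steps above (identification, analysis, evaluation) and the consequence categories just listed can be expressed as a documented, repeatable scoring method. Every scale and threshold in it is a hypothetical assumption an organization would fix when it establishes its risk criteria: 1–5 ordinal scales for likelihood and consequence, existing-control efficacy as a 0.0–1.0 reduction factor, a residual-score appetite threshold, and a life-safety override that makes any risk with a serious human consequence significant regardless of score. The register entries are constructed for illustration.

```python
"""Worked risk-analysis and evaluation model (added illustration, not from the standard).

Assumed, hypothetical criteria: likelihood and consequence on 1..5 scales, control
efficacy as a 0.0..1.0 reduction factor, an appetite threshold on the residual score,
and a life-safety override. An organization sets its own values for all of these.
"""
from dataclasses import dataclass

# Consequence categories from the list above (human cost first).
CONSEQUENCE_CATEGORIES = (
    "human", "financial", "image", "human_rights", "indirect", "environmental",
)


@dataclass
class Risk:
    risk_id: str
    source: str                       # cause/source recorded during risk identification
    likelihood: int                   # 1 (rare) .. 5 (almost certain), assumed scale
    consequences: dict                # category -> magnitude 1..5, assumed scale
    control_efficacy: float = 0.0     # 0.0 (no effective control) .. 1.0 (fully effective)
    info_confidence: str = "high"     # "high" or "low": reliability of the information source


@dataclass
class RiskCriteria:
    """Criteria fixed when the context is established; evaluation compares against these."""
    appetite_threshold: int = 10      # residual score at or above this is significant
    human_override: int = 4           # any human-cost magnitude >= this is always significant
    low_confidence_uplift: int = 1    # low-confidence inputs are scored conservatively


def validate(risk: Risk) -> None:
    """Reject inputs outside the documented scales so results stay consistent."""
    if not 1 <= risk.likelihood <= 5:
        raise ValueError(f"{risk.risk_id}: likelihood out of range")
    if not risk.consequences:
        raise ValueError(f"{risk.risk_id}: at least one consequence is required")
    for cat, mag in risk.consequences.items():
        if cat not in CONSEQUENCE_CATEGORIES or not 1 <= mag <= 5:
            raise ValueError(f"{risk.risk_id}: bad consequence {cat}={mag}")
    if not 0.0 <= risk.control_efficacy <= 1.0:
        raise ValueError(f"{risk.risk_id}: control efficacy out of range")


def analyze(risk: Risk, criteria: RiskCriteria) -> dict:
    """Risk analysis: level of risk from likelihood, worst consequence and existing controls."""
    validate(risk)
    uplift = criteria.low_confidence_uplift if risk.info_confidence == "low" else 0
    likelihood = min(5, risk.likelihood + uplift)          # conservative on weak evidence
    worst_cat = max(risk.consequences, key=risk.consequences.get)
    inherent = likelihood * risk.consequences[worst_cat]   # before crediting controls
    residual = round(inherent * (1.0 - risk.control_efficacy))
    return {"inherent": inherent, "residual": residual, "worst_category": worst_cat,
            "human": risk.consequences.get("human", 0)}


def evaluate(risk: Risk, criteria: RiskCriteria) -> dict:
    """Risk evaluation: compare the analyzed level with the criteria and record why."""
    result = analyze(risk, criteria)
    if result["human"] >= criteria.human_override:
        return {**result, "significant": True, "reason": "life-safety override"}
    if result["residual"] >= criteria.appetite_threshold:
        return {**result, "significant": True, "reason": "residual above appetite"}
    return {**result, "significant": False, "reason": "within appetite"}


def prioritize(register: list, criteria: RiskCriteria) -> list:
    """Treatment order: significant risks first, then higher residual, then higher human cost."""
    scored = [(r.risk_id, evaluate(r, criteria)) for r in register]
    scored.sort(key=lambda t: (not t[1]["significant"], -t[1]["residual"], -t[1]["human"]))
    return [risk_id for risk_id, _ in scored]


# Constructed sample register (hypothetical entries, for illustration only).
SAMPLE_REGISTER = [
    Risk("R1", "sole-source supplier outage", 3, {"financial": 4, "indirect": 3}, 0.5),
    Risk("R2", "contractor injury on site", 2, {"human": 4, "image": 3}, 0.6),
    Risk("R3", "breach of client records", 4,
         {"financial": 4, "image": 5, "human_rights": 3}, 0.2, info_confidence="low"),
    Risk("R4", "loss of a key manager", 2, {"financial": 2}),
]

if __name__ == "__main__":
    crit = RiskCriteria()
    for r in SAMPLE_REGISTER:
        print(r.risk_id, evaluate(r, crit))
    print("treatment order:", prioritize(SAMPLE_REGISTER, crit))
```

Two design points worth noting. R2 scores well within appetite on the numeric scale once its controls are credited, yet it is still flagged as significant because the life-safety override reflects the standard’s requirement that protection of life take precedence over a score. R3 is scored with its likelihood raised one step because the information behind it was rated low-confidence, which is one concrete way to act on the requirement that the assessment consider the reliability of its sources rather than silently treating weak evidence as strong.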

The risk assessment is an inclusive process taking into account the input of internal and external stakeholders. The risk and impact identification, analysis, and evaluation processes are framed within the operating environment of the organization; therefore, they should take into account the internal and external context and legal and other requirements.

To achieve results that accurately reflect the risk profile of the organization, data for the risk assessment should be gathered by a competent and experienced team. The sampling techniques for the collection of administrative, financial, technical, and physical data should be selected to assure representative samples. The risk assessment is not an exact science; therefore, assumptions and reliability of information should be documented. All operational units of the organization within scope of the ORMS should be directly consulted during the data-gathering process. Results of the risk assessment should be reported and reviewed by top management in order to establish the ORMS objectives, targets, and strategies. The organization should define the scope of the risk assessment based on:

  • ORMS scope (products, services, and activities);
  • Client expectations and obligations;
  • Legal, regulatory, and contractual requirements;
  • Respect for human rights;
  • Impacted communities’ expectations;
  • Risk appetite;
  • Interdependencies and infrastructure requirements; and
  • Data/information requirements.

The risk assessment process should consider routine and atypical operating conditions, as well as reasonably foreseeable disruptive situations, in order to better understand and control undesirable and disruptive events. It should be kept in mind that it is not possible to foresee all undesirable and disruptive situations, so the organization should also consider the consequences of an event on critical assets, activities, and functions, as well as impacted communities, regardless of the nature of an event in order to preemptively manage its risks.

The risk assessment should:

  • Use a documented quantitative and/or qualitative methodology to estimate likelihood or probability of the identified potential risks and significance of their consequences if an event materializes;

  • Be based on reasonable and defined criteria;

  • Consider the reliability and confidence of information sources;

  • Give due consideration to all potential risks it recognizes to its operations;

  • Consider its dependencies on others and others’ dependencies on the organization, including client, community, and supply chain dependencies and obligations;

  • Evaluate the consequences of legal and other obligations which govern the organization’s activities;

  • Consider risks associated with stakeholders, contractors, suppliers, and other affected parties;

  • Analyze information on risks, and select those risks which may cause significant consequences and/or those risks whose significance is hard to determine;

  • Analyze and evaluate the costs, benefits, and resources needed to manage risks; and

  • Evaluate risks and impacts it can control and influence.

NOTE: It is the organization that determines the degree of control and its strategies for risk acceptance, avoidance, management, minimization, tolerance, transfer, and/or treatment.

In some locations, critical infrastructure, community assets, and cultural heritage may be an important element of the surroundings in which an organization operates, and therefore should be taken into account in the understanding of its risks and impact on surroundings.

When developing information relating to its significant risks, the organization should consider the need to retain the information for historical purposes, as well as how to use it in designing and implementing its ORMS.

The process of identification and evaluation of risks should take into account the location of activities, cost and time of undertaking the analysis, and the availability of reliable data. Information already developed for business planning, regulatory, or other purposes may be used in this process.

The organization should revisit its risk assessment to address changing operating conditions and processes, and after responding to events. Changes that may warrant a reassessment include changes in:

  • Risk landscape;
  • Leadership and partnerships;
  • Contractual and industry trends;
  • Regulatory requirements;
  • Political environment;
  • Conditions due to an event; and
  • Performance based test/exercise results.

This process of identifying and evaluating risks is not intended to change or increase an organization’s legal obligations.

A.7.4 Objectives and Plans to Achieve Them

Objectives and targets are established to meet the goals and commitments of the organization’s ORMS policy. By setting the security and resilience objectives and targets, the organization can translate the policy into action plans it describes in the risk treatment strategies. The objectives and targets should be specific and measurable in order to track progress and ascertain how the ORMS is performing in improving overall management of risk and organizational resilience.

ORMS “objectives” are overriding considerations such as minimizing accidents. ORMS “targets” are specific metrics for the reduction of accidents. Objectives and targets should be proportionate to the risk, cost effective, realistic, and informed by the risk assessment. The objectives and targets should reflect what the organization does, what it wants to achieve, and how effective the entity is in managing risk. Appropriate levels of management should define the objectives and targets. Objectives and targets should be periodically reviewed and revised.

When the objectives and targets are set, the organization should consider establishing measurable risk and business management performance indicators. These indicators can be used as the basis for performance evaluation system and can provide information on the ORMS and specific prevention, mitigation, response, and recovery strategies.

In establishing its objectives and targets the organization should consider:

  • Policy commitments;
  • Alignment with strategic objectives;
  • Outcomes of the risk assessment;
  • Risk appetite and tolerance;
  • Legal, regulatory, contractual, and other requirements;
  • Internal and external context;
  • Performance criteria;
  • Infrastructure requirements and interdependencies;
  • Interests of stakeholders (e.g., clients, communities, and supply chain partners);
  • Technology options;
  • Financial, operational, and other organizational considerations; and
  • Actions, resources, and timescales needed to achieve objectives.

When considering its technological options, an organization should consider the use of best available technologies where economically viable, cost-effective, and judged appropriate. Each technology option should be evaluated for the changes it makes to the risk profile and for any new risks it introduces.

The reference to the financial requirements of the organization is not intended to imply that organizations are obliged to use specific cost-accounting methodologies. The organization may choose to consider direct, indirect, and hidden costs.

A.7.5 Actions to Achieve Risk and Business Management Objectives

The risk management strategies and action plans are documented approaches to achieve the organization’s objectives and targets. Strategies should be coordinated or integrated with other organizational plans, strategies, and budgets. Action plans may be subdivided to address specific elements of the organization’s operations.

To ensure its success, the ORMS strategies and action plans should define:

  • Responsibilities for achieving goals (who will do it? where will it be done?);
  • Means and resources for achieving goals (how to do it?); and
  • Timeframe for achieving those goals (when will it be done?).

The strategies may be subdivided to address specific elements of the organization’s operations. The organization may use several action plans as long as the key responsibilities, tactical steps, resource needs, and schedules are adequately defined in each of the documented plans.

The strategies should include – where appropriate and practical – consideration of all stages of an organization’s activities related to planning, design, construction, commissioning, operation, retrofitting, production, marketing, outsourcing, and decommissioning. Strategy development may be undertaken for current activities and new activities, products, and/or services.

The organization should establish, implement, and maintain a formal and documented risk treatment and countermeasure selection process, which should consider:

  • Removing the risk source, where possible;
  • Removing or reducing the likelihood of an event and its consequences;
  • Removing or reducing harmful consequences;
  • Sharing or transferring the risk with other parties, including risk insurance;
  • Spreading the risk across assets and functions;
  • Retaining risk by informed decision; and
  • Avoiding the risk by temporarily halting activities that give rise to the risk.

The organization’s planning should take into account pursuing opportunities, the priority of activities, contractual obligations, internal and external stakeholder needs, and operational continuity.

Strategies should be dynamic and monitored and modified when:

  • Outcomes of the risk assessment change;
  • Objectives and targets are modified or added;
  • Relevant legal requirements are introduced or changed;
  • Substantial progress in achieving the objectives and targets has been made (or has not been made); or
  • Activities, products, services, processes, or facilities change or other issues arise.

Determining the risk management strategy enables the organization to evaluate a range of options. The organization may choose an appropriate approach for each activity, such that it can operate at an acceptable level. The most appropriate strategy or strategies should depend on a range of factors such as the:

  • Results of the organization’s risk assessment;
  • Costs of implementing a strategy or strategies; and
  • Consequences of inaction.

The organization should minimize the likelihood of implementing a solution that might be affected by the same event that causes a disruption, i.e., a treatment that shares a common point of failure with the risk it is meant to address.

Top management should approve documented strategies to confirm that the determination of risk treatment strategies has been properly undertaken, that they address the likely causes and effects of an undesirable or disruptive event, and that the chosen strategies are appropriate to meet the organization’s objectives within the organization’s risk appetite.

The strategies should also consider the organization’s relationships, interdependencies, and obligations with external stakeholders. These stakeholders include supply chain partners, clients, suppliers, and outsource partners – as well as public authorities and others in the community. The organization should establish and maintain strategies that first and foremost protect life and safety of stakeholders while respecting human rights and preserving the integrity of its delivery of products and services. In addition, interactions and coordination with public authorities and others in the community should be determined and included in strategy development. These strategic arrangements with external stakeholders should support the achievement of ORMS objectives and be clearly defined and documented.
