Security and Resilience in Organizations and their Supply Chains

Annex A

A.8 Structural Requirements

A.8.1 Organizational Structure

A clearly defined management structure is necessary to establish the roles, responsibilities, and accountability for the contract. The organization entering into a contract should be a legal entity, and signatories for the organization should be clearly authorized to enter into contracts on the organization’s behalf.

A.8.2 Insurance

The organization should seek insurance coverage sufficient to meet any liability for damages to any person with respect to personal injury, death, or damage to property consistent with its risk assessment. The limit of such coverage should at least be at the minimum level as prescribed by the client or recognized as best industry practice. Insurance should include employer’s liability and public liability coverage. Personnel should be provided with health and life insurance policies appropriate to their wage structure and the level of risk of their service as required by law or regulations.

When seeking insurance coverage, the organization should consider:

  • The policies and limits to be held by the organization, which should be specified in the contract;
  • The jurisdiction of the policy, including the jurisdiction that applies in the event of a dispute;
  • The territorial limitations;
  • Limitations of indemnity;
  • Coverage of all activities, including use of weapons;
  • Medical coverage and treatment of persons working on behalf of the organization and impacted communities;
  • Activities of subcontractors; and
  • Contractual obligations.

Examples of the types of coverage to consider include (but are not limited to):

  • Liability;
  • Workers compensation;
  • Accident;
  • Property damage;
  • Kidnapping, ransom and/or captive;
  • Sensitive risk (e.g. evacuations); and
  • Key personnel.

A.8.3 Financial and Administrative Procedures

It is necessary that the organization put in place appropriate administrative and financial structures to effectively support the ORMS, before, during, and after an undesirable or disruptive event. Procedures should be established and documented to ensure transparency with regard to authorizations, consistent with generally accepted accounting procedures and industry good practices. Therefore, a management structure, authorities, and responsibility delegation for decision-making – including spending limitations, authorities, and responsibility for implementation – should be clearly defined.

A.8.4 Outsourcing and Subcontracting

A contract should provide the legal basis for the relationship between the contractor and subcontractor. The organization is responsible for all activities outsourced to another entity. The contract should specify the responsibilities, terms, and conditions under which the subcontractor is to perform, including a clearly defined:

  • Commitment to abide by the same obligations as held by the organization and described in the Standard;

  • Specification of the appropriate flow-down of conformance to applicable provisions of the Standard;

  • Confidentiality and conflict of interest requirements;

  • Process for reporting of risks, as well as the occurrence and response to undesirable and disruptive events;

  • Definition of the support relationship between the contractor and the subcontractor; and

  • Description of the service performed by subcontractor personnel.

For transparency, the organization should understand commitments to first, second and third parties, including how they relate to organizational priorities.

A.8.5 Documented Information

The level of detail of the documentation should be sufficient to describe the ORMS and how the parts work together. The documentation should also provide direction on where to obtain more detailed information on the operation of specific parts of the ORMS. This documentation may be integrated with documentation of other management systems implemented by the organization. It does not have to be in the form of a manual.

The extent of the ORMS documentation can differ from one organization to another due to the:

  • Size and type of organization and its activities, products, or services;
  • Complexity of processes and their interactions; and
  • Competence of personnel.

Examples of documents include:

  • Policy, objectives, and targets;
  • Statement of conformance;
  • Information on significant risks and impacts;
  • Procedures;
  • Process information;
  • Organizational charts;
  • Internal and external standards;
  • Incident response, mitigation, emergency, and crisis plans; and
  • Records.

Any decision to document procedures should be based on the:

  • Consequences, including those to tangible and intangible assets, of not doing so;
  • Need to demonstrate compliance with legal, regulatory, and contractual obligations as well as voluntary commitments;
  • Need to ensure that the activity is undertaken consistently; and
  • Requirements of this Standard.

The advantages of effective documentation include:

  • Easier implementation through communication and training;
  • Easier maintenance and revision;
  • Less risk of ambiguity and deviations; and
  • Demonstrability and visibility.

Documents originally created for purposes other than the ORMS may be used as part of this management system, and (if so used) should be referenced in the system.

A.8.5.1 Records

In addition to the records required by this Standard, records can include (among others):

  • Compliance records;
  • Roles, responsibilities, and authorities;
  • Accountability for serialized and sensitive equipment;
  • Reports for fuel, and training materials;
  • Authorization and tracking of controlled materials, vehicles, and hazardous materials;
  • Contract compliance audit reports;
  • Export/import compliance reports;
  • Audit trail documentation;
  • Licensing;
  • Exercise and testing results;
  • Access control records; and
  • Subcontractor documentation.

A.8.5.2 Control of Documented Information

The organization should create and maintain documents in a manner sufficient to implement the ORMS. The primary focus of the organization should be on the effective implementation of the ORMS and on ORMS performance and not on a complex document control system.

Proper account should be taken of confidential information. Procedures should be established, communicated, and maintained for the handling of classified information. This information should be clearly graded and labeled to protect the:

  • Sensitivity of the information;
  • Privacy, life, and safety of individuals; and
  • Image and reputation of the client.

The organization should ensure the integrity of records by rendering them tamperproof; securely backed up; accessible only to authorized personnel; and protected from damage, deterioration, or loss.

The organization should consult with the appropriate legal authority within the organization to determine the appropriate period of time for which documents should be retained, and should establish, implement, and maintain the processes to do so effectively. Records should be retained as required or limited by legal, regulatory, and/or contractual requirements.
