
Security and Resilience in Organizations and their Supply Chains


Annex A


A.9 Operation and Implementation

A.9.1 Operational Control

A.9.1.1 General
An organization should evaluate those of its operations that are associated with its identified significant risks, and ensure that they are conducted in a way that will enable the pursuit of opportunities, and control or reduce the likelihood and adverse consequences associated with them in order to fulfill the requirements of its ORMS policy and meet its objectives and targets. This should include all parts of its operations including subcontractor, supply chain, and maintenance activities.

As this part of the ORMS provides direction on how to take the system requirements into day-to-day operations, it requires the use of documented procedures to control situations where the absence of documented procedures could lead to deviations from the ORMS policy, objectives, and targets.

To minimize the likelihood of an undesirable or disruptive event, these procedures should include administrative, operational and technological controls. Where existing arrangements are revised or new arrangements introduced that could impact on operations and activities, the organization should consider the associated risks before their implementation.

A.9.1.2 Establishing Norms of Behavior and Codes of Ethical Conduct
The organization should establish, implement, and maintain a Code of Ethical Conduct for its employees, subcontractors, and outsource partners. The Code of Ethical Conduct should clearly communicate respect for the rights and dignity of people, as well as the prohibition of discriminatory practices, harassment, bribery, fraud, conflicts of interest, corruption, and other crimes. The Code of Ethical Conduct should ensure that all persons working on behalf of the organization understand their responsibilities to abide by legal, regulatory and contractual obligations as well as voluntary commitments.

The organization should clearly communicate and provide training on the Code of Ethical Conduct to all persons working on behalf of the organization. The organization should document and maintain records of communication, training, and sign-off acknowledgement.

A.9.2 Resources, Roles, Responsibility, and Authority

A.9.2.1 General
The successful implementation of an ORMS calls for a commitment and sense of shared purpose from all persons working for the organization or on its behalf. The roles, responsibilities, and authorities of individuals should be clearly defined to ensure implementation of the ORMS, prevent misunderstandings (particularly during an undesirable or disruptive event), and avoid missed tasks.

Top management should also ensure that appropriate resources are provided to ensure that the ORMS is established, implemented, and maintained. It is also important that the key ORMS roles and responsibilities are well-defined and communicated to all persons working for or on behalf of the organization.

Roles, responsibilities, and authorities should also be defined, documented, and communicated for coordination with external stakeholders. This should include interactions with subcontractors, supply chain, partners, suppliers, public authorities, and local communities. The organization should define and communicate the responsibilities and authorities of all persons engaged in ORMS regardless of their other roles in the organization. The resources provided by top management should enable the fulfillment of the roles and responsibilities assigned. The roles, responsibilities, and authorities should be reviewed when a change in the operational context of the organization occurs.

To demonstrate its commitment, top management should establish and communicate the organization’s ORMS policy and ensure the necessary resources for the implementation of the ORMS. Therefore, top management should designate a specific management representative with defined responsibilities and authority for implementing the ORMS, who:

  • Champions the ORMS;
  • Ensures that the ORMS is established and implemented;
  • Reports on ORMS performance over time; and
  • Works with others to modify the ORMS as needed.

A.9.2.2 Personnel
The organization should retain and train personnel with the skill, knowledge, and ability to meet its contractual obligations. All persons working on the organization’s behalf should be adequately compensated and provided sufficient insurance protection corresponding with their responsibilities. Personnel, competence, and training needs are an output of the context of the organization and its contractual requirements, as well as the risk assessment and definition of objectives.

Organizations should establish procedures for the welfare of persons working on their behalf, consistent with the protections provided by applicable labor and other laws including:

  • Providing personnel with a copy of any contract to which they are party, in a language they understand;

  • Providing personnel with adequate pay and remuneration arrangements commensurate to their responsibilities and working conditions;

  • Adopting operational safety and health policies;

  • Ensuring personnel have unrestricted access to their own travel documents; and

  • Preventing unlawful discrimination in employment.

The privacy and confidentiality of information about individuals should be protected. Background and operational information about individuals can be highly sensitive. It is essential that the organization establish and maintain procedures to appropriately and strictly secure the confidentiality of information both internally and externally. The organization should retain relevant documents in a secure manner for a period of time that complies with applicable laws and regulations, contractual requirements, and the organization’s records policies.

At a minimum, the following information should be documented for all personnel:

  • Name, address, and contact information;
  • Contact information for immediate family and persons to notify in event of injury or death;
  • Personal identification information; and
  • Information required by legal, regulatory, contractual and other requirements.

A.9.2.3 Response Structure
It is necessary that an appropriate administrative structure be put in place to effectively deal with incident management during an undesirable or disruptive event. Clear definitions should exist for a management structure, authority for decisions, and responsibility for implementation. An organization should have an “Incident Management Team” to lead event response under the clear direction of top management or its representatives. The team should be comprised of such functions as:

  • Planning;
  • Incident response and management;
  • Human resource management;
  • Health, safety, and medical response;
  • Information management;
  • Security;
  • Legal;
  • Communications/media relations; and
  • Other critical support functions.

The Incident Management Team may be supported by as many teams as appropriate taking into account such factors as organization size and type, number of employees, location, etc. Teams should develop response plans to address various aspects of potential crises – such as damage assessment and control, communications, human resources, information technology, and administrative support. Incident response and management plans should be consistent with and included within the overall ORMS. Individuals should be recruited for membership on incident management teams based upon their skills, level of commitment, and vested interest.

The response structure should include provisions/threshold criteria to activate response plans, and identify who has the authority to do the activation. The response structure provides for:

  • A determination of the nature and extent of the undesirable or disruptive incident to establish the scope of the response required, and define actions that might be necessary based on impact and/or potential impact;

  • A response to protect people, assets, and stakeholders’ interests;

  • Communication with stakeholders and authorities, as well as the media, using pre-established message templates; and

  • Coordination with initial responders, first responders, and government agencies.

In some organizations, certain divisions, departments, and activities are better situated to address specific aspects of incident response, continuity, and recovery. These organizations may use a tiered approach, establishing multiple teams to focus on specific aspects of managing the disruptive incident (e.g., communications and media response team). The teams should coordinate their activities to assure a seamless response, and be appropriate to the size and nature of the organization. The response structure should avoid vesting authority of the mobilization of a response in a single individual.

A.9.2.4 Selection, Background Screening, and Vetting of Personnel
The organization should establish a documented procedure for pre-employment background checks and vetting of individuals working on behalf of the organization. The organization should establish, document, implement, and maintain procedures that screen out personnel who do not meet minimum qualifications established for positions, and select appropriately qualified personnel based on their knowledge, skills, abilities, and other attributes. The screening and selection procedures should be consistent with legal, regulatory and contractual obligations as well as voluntary commitments. The screening and vetting process should be based on the nature of the job for which the candidate is being considered, the person’s level of authority, and the area of specialization. The screening and vetting should take place before the candidate is offered a position and commences work. Candidates should sign appropriate authorizations and consents prior to performing background screening. A decision to retain the services of an individual should be based on the totality of the candidate’s qualifications and the results of the background screening and vetting.

Wherever possible, the screening and vetting process should include:

  • Identity verification;
  • Personal history verification; and
  • Credentialing.

Exclusions should be documented when information is unavailable, unreliable, or unsuitable.

Identity verification should include verification of the validity of personal history and minimum age of the prospective employee. Personal history, validated by personal history searches when available, should consider (but not be limited to):

  • Home addresses;
  • Employment records;
  • Electronic media;
  • Criminal and civil record history;
  • Records of human rights violations;
  • Military service records;
  • Motor vehicle records;
  • Credit reports;
  • Sexual offender indices;
  • Government and industry sanctions lists; and
  • Industry specific licensing records.

Credentialing involves verifying the experience and qualifications that are presented by the candidate. The organization should look for unexplained gaps. Credentialing provides information on, but is not limited to:

  • Education verification;
  • Employment verification;
  • Licensure/certification/registration verification;
  • Personal references;
  • Supervisor and coworker interviews; and
  • Military history verification.

The organization should also establish clearly defined criteria for the screening and vetting of individuals based on:

  • Substance abuse;
  • Physical and mental fitness for activities;
  • Suitability to carry weapons or handle hazardous materials; and
  • Ability to operate in stressful and adverse conditions.

The privacy and confidentiality of information about individuals should be protected. Personal documents, such as passports, licenses, and original birth certificates should be returned to personnel within a reasonable timeframe.

A.9.2.5 Selection, Background Screening, and Vetting of Subcontractors
The organization should only retain the services, on a temporary or continuing basis, of competent subcontractors capable of operating in a manner consistent with this Standard. The organization is responsible and liable for the subcontractor’s work. The organization should establish, maintain, and document clearly defined criteria for the screening and vetting of subcontractors to be used in contracting. Contractual agreements with subcontractors should be documented and retained in accordance with applicable laws and contractual obligations with the client.

Criteria for subcontracting should include the subcontractor’s capacity to:

  • Meet the requirements of this Standard;

  • Carry out its activities in compliance with relevant laws;

  • Protect the image and reputation of the contracting body;

  • Provide adequate resources and expertise, including competent personnel, to meet operational objectives;

  • Ensure transparency, accountability, and appropriate supervision in the implementation of assigned duties;

  • Take into account the financial and economic obligations (including appropriate remuneration of their personnel and insurance coverage);

  • Obtain requisite registrations, licenses, or authorizations;

  • Maintain accurate and up-to-date personnel and property records; and

  • Acquire, use, return, and dispose of materials in accordance with applicable laws and contractual obligations.

A.9.2.6 Resources
An organization should provide resources, capabilities, structures, and support mechanisms necessary to:

  • Achieve its risk management policy, objectives, and targets;
  • Meet the changing requirements of the organization;
  • Communicate that the ORMS matters, internally and externally; and
  • Provide for the ongoing operation and continual improvement of the ORMS to improve the organization’s performance in managing risk.

Top management plays a key role by providing resources needed to implement the ORMS. The management of an organization should determine and make available appropriate resources to establish, implement, maintain, and improve the ORMS. These resources should be provided in a timely and efficient manner.

When identifying the resources needed to establish, implement, and maintain the ORMS, an organization should consider:

  • People and people-related resources (which may include):
    • The time necessary to perform ORMS requirements
    • Security
    • Transportation logistics (including parking)
    • Welfare needs
    • Emergency expenses
  • Facilities:
    • Emergency Operations Centers
    • Site hardening
    • Lodging
    • Recovery locations
    • Infrastructure
  • Technology:
    • Applications
    • Technology services
    • Methods to manage and control documentation and records
  • Communications:
    • Landline, cellular, mobile, wireless, and satellite telephone
    • Smart device
    • Land-based radio
    • HAM radio
    • Social media
  • Information (which may include):
    • Policies
    • Standard operating procedures
    • Work instructions
    • Internal and external contact information
    • Financial (e.g., payroll) details
    • Customer account records
    • Supplier and stakeholder details
    • Legal documents (e.g., contracts, insurance policies, title deeds, etc.)
    • Other services documents (e.g., contracts and service level agreements)
  • Supplies

Resources and their allocation should be reviewed periodically, and in conjunction with the management review, to ensure their adequacy. In evaluating adequacy of resources, consideration should be given to planned changes and/or new facilities, projects, or operations.

A.9.3 Competence, Training, and Awareness
The organization should identify the awareness, knowledge, understanding, and skills needed by any person with the responsibility and authority to perform tasks on its behalf. The organization should establish training and awareness programs for internal and external stakeholders who may be affected by an undesirable or disruptive event. The organization should require that subcontractors working on its behalf are able to demonstrate that their employees have the requisite competence and/or appropriate training. Management should determine the level of experience, competence, and training necessary to ensure the capability of personnel having documented responsibility for carrying out specialized ORMS management activities. Monitoring and reassessing the level of training should be conducted on an ongoing basis to identify opportunities for improvement.

It is the organization’s responsibility to ensure that all persons working on its behalf are sufficiently trained, both prior to any deployment and on an ongoing basis, in the performance of their functions and in respecting relevant laws, regulations, contractual obligations, and voluntary commitments. Defined training objectives should be based on the risk assessment and facilitate uniformity and standardization of training requirements. Training should specifically include:

  • Respect for human rights;
  • Positive behaviors to support a common vision for the achievement of objectives; and
  • Skill sets needed to perform function and activities in routine and atypical situations.

The organization should identify and assess any differences between the competence needed to perform a risk-related task or activity and that possessed by the individual required to perform the activity. This difference can be rectified through additional education, training, or skills development programs, which may include the following steps:

  • Identification of competence and training needs;
  • Design and development of a training plan to address defined competence and training needs;
  • Selection of suitable methods and materials;
  • Verification of conformity with ORMS training requirements;
  • Training of target groups;
  • Documentation and monitoring of training received;
  • Evaluation of training received against defined training needs and requirements; and
  • Improvement of the training program, as needed.

Training may include general and task- and context-specific topics, preparing personnel for performance under the specific contract and in the specific environment. General topics include, but are not limited to:

  • The individual’s role within the ORMS;
  • Identifying opportunities for improvement;
  • Situational awareness and assessing risk;
  • Addressing undesirable and disruptive events;
  • Human rights and respect for law;
  • Religious, gender, and cultural issues, and respect for the local community;
  • Handling complaints, including transmitting them to the appropriate authority; and
  • Measures against fraud, bribery, corruption, and other related crimes.

Examples of task and context specific topics may include:

  • Emergency response;
  • Evacuation procedures;
  • Personal protection measures;
  • Media and other stakeholder communications;
  • Tactical driving;
  • Interview techniques;
  • Land navigation;
  • Electronic communications;
  • Medical aid;
  • Casualty evacuation; or
  • Other specified and implied tasks under the terms of the contract or services offered by the organization.

The organization should use practical, scenario-driven training that will require persons trained to make decisions in situations that reflect conditions that may be faced by personnel in the performance of their activities, and will require them to react to the consequences of those decisions.

A training and awareness program may include:

  • A consultation process with staff throughout the organization concerning the implementation of the ORMS program;

  • Discussion of ORMS in the organization’s newsletters, briefings, induction program, or journals (including new employee orientation);

  • Inclusion of ORMS on relevant web pages or intranets;

  • Online training modules housed in the organization’s learning management system;

  • Learning from internal and external incidents through after action reports;

  • ORMS as an item at management team meetings;

  • Conferences, classroom and individualized training; and

  • First aid and other hands-on training.

All personnel should receive training to perform their individual ORMS-related responsibilities. They should receive briefings and training on the key components of the ORMS. Such training could include procedures for prevention and mitigation measures, response, documentation and accountability requirements, and the handling of local community, client, and media inquiries.

Event response teams should receive education and training about their responsibilities and duties, including interactions with first responders and other internal and external stakeholders. Team members should be trained at regular intervals (at least annually). New members should be trained when they join the organization. These teams should also receive training on prevention of undesirable events. The organization should include relevant external stakeholders and resources in their competence, awareness, and training programs.

A.9.4 Communication

Arrangements should be made for communication and consultation, internally and externally, during routine and atypical conditions. Effective communication is one of the most important ingredients in preventing, managing, and reporting an undesirable or disruptive event. Proactive communications and consultation planning should be conducted with internal and external stakeholders in order to convey day-to-day, alert, disruptive event, and organizational and community response information. To provide the best communications and suitable messages for various groups, it may be appropriate to segment the audiences. In this way, messages may be tailored that can be released to specific groups such as employees, clients, the local community, or the media.

The communication and consultation procedures and processes should consider:

  • Internal communication between the various levels and activities of the organization and with supply chain partners, subcontractors, clients, and partner entities;

  • Receiving, documenting, and responding to relevant communications from external stakeholders (including local communities);

  • Proactive planning of communications with external stakeholders (including the media);

  • Preemptive communication of response and reporting plans to applicable stakeholders facilitating communication and assuring stakeholders that proper planning is in place;

  • Facilitating structured communication with emergency responders; and

  • Availability of communication channels (including redundancies) during a disruptive situation.

Operational communication plans are necessary to provide adequate control, coordination, and visibility over ongoing activities. Such plans should include a description of how relevant threat information will be shared between persons working on behalf of the organization and other internal and external stakeholders (including public authorities). Information should be exchanged in a way that can be understood at each level of performance.

The organization should implement a procedure for receiving, documenting, and responding to relevant communications from stakeholders and interested parties, both internal and external. This procedure can include a dialogue with interested parties and consideration of their relevant concerns. In some circumstances, responses to concerns of interested parties may include relevant information about the risks and impacts associated with the organization’s activities and operations. These procedures should also address necessary communications with public authorities regarding emergency planning and other relevant issues.

A.9.4.1 Risk Communication
The organization should also identify and establish relationships with the community, public sector agencies, organizations, and officials responsible for intelligence, warnings, prevention, response, and recovery related to potential undesirable and disruptive events. The organization should formally plan its prevention, mitigation, and response communications strategy, taking into account the decisions made specific to relevant target groups, the appropriate messages and subjects, and the choice of means. When considering communication about hazards, threats, risks, impacts, and control procedures, organizations should take into consideration the views and information needs of all stakeholders, as well as the sensitivity of information.

The organization should establish procedures to communicate and consult with internal and external stakeholders specific to its risks, their impacts, and control procedures. These procedures should consider the specific stakeholder group, the type of information to be communicated, the type of undesirable or disruptive event and its consequences, the availability of methods of communication, and the individual circumstances of the organization. Methods for external communication can include:

  • News or press releases;
  • Media;
  • Financial reports;
  • Newsletters;
  • Websites, apps and social media;
  • Phone calls, emails, and text messages (manually delivered and/or via automated emergency notification systems);
  • Voice mails;
  • HAM radio (H = Hertz, A = Armstrong, M = Marconi); and
  • Community meetings.

The organization should conduct preplanning of communication for a disruptive event. Draft message templates, scripts, and statements can be crafted in advance for threats identified in the risk assessment, for distribution to one or more stakeholder groups identified in the risk assessment. Procedures to ensure that communications can be distributed on short notice should also be established. Communications should occur over as many platforms as necessary to ensure receipt by appropriate stakeholders.

The organization should designate and publicize the name of a primary spokesperson (with back-ups identified) who should manage/disseminate crisis communications to the media and others.

These individuals should receive training in media relations in preparation for a crisis, and on an ongoing basis. All information should be funneled through a single team to assure the consistency of messages. Top management should stress that all organization personnel should be informed quickly regarding where to refer calls from the media and that only authorized company spokespeople may speak to the media. In some situations, an appropriately trained site spokesperson may also be necessary.

A.9.4.2 Communicating Complaint and Grievance Procedures
The organization should establish internal and external complaint and grievance procedures and communicate them to relevant stakeholders. The procedures should assure privacy and confidentiality and be tailored to the culture, language, education, and technology requirements of the target audience. Procedures should be established for creating a reporting mechanism for anonymous and non-anonymous complaints and grievances.

A.9.4.3 Whistleblower Policy
Whistleblowing occurs when a person working on behalf of the organization raises a concern about danger, unethical conduct, or illegality that affects others, internally or externally. Persons working on the organization’s behalf may be fearful that raising the alarm will lead to retribution from their colleagues or employer. The organization should encourage persons working on its behalf to voice their concerns over malpractice and inappropriate acts against any internal or external stakeholder. A whistleblower policy will help the organization deal with a concern internally and in an appropriate manner, rather than publicly, causing potential damage to the organization and its client. A whistleblower policy can also serve as a deterrent to those who may be considering an illegal, improper, or unethical practice. A good whistleblower policy will help the organization to reduce problems and improve working conditions and operational effectiveness.

Effective whistleblower policies provide individuals with an alternative route other than their direct line management through which to raise their concerns. Therefore, organizations should establish and communicate a whistleblower policy that provides for a clear internal mechanism for anonymously reporting non-conformances and concerns about danger, unethical conduct, or illegality that affects others, internally or externally. The policy should also designate circumstances and conditions where external disclosures are acceptable and protected. Whistleblowers should receive protection for raising concerns so long as they have acted in good faith and have reasonable grounds for raising a concern.

A.9.5 Prevention and Management of Undesirable or Disruptive Events

A.9.5.1 General
The organization should establish, implement, and maintain procedures to prevent, prepare for, and respond to undesirable and disruptive events to ensure the integrity of its operations and of its human, tangible, and intangible assets.

The organization should establish, document, and implement procedures for a command and control structure to prevent, prepare for, and manage a disruptive event. This command and control structure should provide for cross-discipline and cross-functional teams with the necessary resources, authority, experience, and competence to:

  • Determine and confirm the nature and extent of a disruptive event, and trigger appropriate control measures;

  • Execute a coordinated response between different business functions and disciplines (e.g., coordination with risk management, information technology, and business continuity teams);

  • Implement plans, processes, and procedures for the activation, operation, coordination, and communication of the prevention, protection, mitigation, response, and recovery measures;

  • Communicate with internal and external stakeholders -- including supply chain partners, local authorities, and the media; and

  • Evaluate the level of response with the authority to identify actions of each phase of the disruption -- including declaring the end of the situation.

It is the responsibility of the organization to develop proactive risk treatment procedures that suit its particular needs. In developing its procedures, the organization should address its needs with regard to:

  • The protection of people;

  • The protection of tangible and intangible assets;

  • The most appropriate methods for mitigation and emergency response to a disruptive event to avoid its escalation to a crisis or disaster;

  • Procedures and authority to assess and declare an emergency situation, activate plans and actions, assess damage, and make financial decisions to assure the continuity of operations;

  • Internal and external communication plans -- including notification of appropriate authorities and stakeholders;

  • The actions required to secure physical and information assets;

  • The need for a process for post-event evaluation to establish and implement corrective and preventive actions;

  • Periodic testing of the ORMS under normal and abnormal conditions;

  • The potential impact on organization’s and its supply chain’s risk treatment plans by disruption of critical infrastructure (e.g., electricity, water, communications, transportation) and other dependencies and interdependencies (e.g., information technology systems); and

  • Procedures and actions required for recovery within the organization’s recovery time objective and the resources that it requires for recovery.

The organization should continually assess, and periodically review and revise, its incident prevention, response and management procedures -- in particular, after near misses or incidents that escalated or could have escalated into an emergency or crisis situation.

The organization should document this information and update it at regular intervals or as changes occur. Incident reports should be included in management review.

A.9.5.2 Risk Functions
It is the responsibility of each organization to develop incident prevention, preparedness, mitigation, response, and recovery procedures that address the needs identified by its risk assessment. In developing its procedures, the organization should include consideration of the following:

  • Safeguarding life and assuring the safety of internal and external stakeholders is the top priority;

  • Respect for human rights and human dignity;

  • The risk assessment should be used to identify the specifics of potential disruptive events, including any precursors and warning signs;

  • Risk management should be a systematic and holistic process that builds on the formal risk assessment to identify, measure, quantify, and evaluate risks and select the most appropriate treatment;

  • Risk treatment options can include avoidance, elimination, reduction, spreading, sharing (transfer), and acceptance strategies:

    • Avoidance and elimination either evade the activities that give rise to the risk or remove the source of the risk.
    • Reduction lowers the likelihood of the risk or the severity of the loss.
    • Spreading distributes assets and/or the potential loss of capacity.
    • Sharing (transfer) distributes the risk with another party or parties (e.g., through insurance or contractual arrangements).
    • Acceptance is an informed decision to take a particular risk.

  • Notification of appropriate authorities and stakeholders.

The organization should establish monitoring and notification procedures to recognize when specific dangers become apparent that require some level of reaction to avoid, prevent, mitigate, or respond to the potential undesirable event. A strong program of detection and avoidance policies and procedures should support this process.

A potential disruptive incident, once recognized, should be immediately reported to the designated authorities, a member of management, or another individual tasked with the responsibility of crisis notification and management internally and with external stakeholders. Specific notification criteria should be established, documented, and adhered to.

Problem assessment (an evaluative decision-making process that determines the nature of the issue to be addressed) and severity assessment (the process of determining the severity of the disruption and any associated consequences) should be made at the outset of an undesirable event. Factors to be considered include the size of the problem, its potential for escalation, and the possible impact of the situation on the organization and its stakeholders (e.g., local community and clients).

Prevention can include proactive steps to coordinate with internal and external stakeholders. Organizational culture, operational plans, and management objectives should motivate individuals to feel personally responsible for prevention, avoidance, deterrence, and detection.

Cost-effective mitigation strategies should be employed to prevent or lessen the consequences of potential events. The various resources that would contribute to the mitigation process should be identified.

Preparedness and response plans should be developed around a realistic "worst case scenario," with the understanding that the response can be scaled appropriately to match the actual crisis. Considerations include:

  • People are the most important aspect of any preparedness and response plan;

  • Delegation and lines of authority and decision-making roles;

  • How an organization’s human resources are managed will impact the success or failure of incident management;

  • Logistical decisions made in advance will impact the success or failure of a good preparedness and response plan; and

  • Existing funding and insurance policies should be examined.

The organization should establish documented procedures that detail how the organization will manage a disruptive event and how it will recover or maintain its activities to a predetermined level, based on management-approved recovery objectives.

A.9.5.3 Design of Controls and Countermeasures
The design of risk controls and countermeasures should be derived from, and consistent with, the ORMS policy and the risk assessment, so that it supports the organization’s ORMS objectives and targets. The design should reflect the organization’s functions, the sources of risk to them, and the objectives to be achieved. The organization should design risk controls and countermeasures through the process of:

  • Determining the objectives based on the threat/opportunity, vulnerability/capability, and criticality/impact analyses in the risk assessment to clearly identify potential consequences and outcomes;

  • Determining cross-functional and cross-disciplinary interdependencies in a team effort;

  • Identifying risk controls and countermeasures needed to protect assets by reducing the likelihood of a threat successfully materializing, mitigating the consequences should the threat materialize, and planning an appropriate response;

  • Evaluating potential points of failure in the system to determine the appropriate need for redundancies and layered protection methods;

  • Evaluating the competencies required to support effective design and deployment of risk controls and countermeasures by qualified, approved, and recognized professionals;

  • Evaluating the system criteria to develop the design specifications (drawings, schedules, and schematics) for equipment, materials, hardware, and software requirements;

  • Estimating design costs and lifecycle costs, and developing budgets based on evaluation of cost-benefit options;

  • Ensuring a process of appropriateness, acceptance, approval, responsibility, and accountability;

  • Continually monitoring to analyze, assess, measure, and evaluate the effectiveness of the risk controls and countermeasures design and design processes; and

  • Maintaining the integrity of the organization and the functions and assets to which the system is to be applied.

The risk controls and countermeasures should integrate people, procedures, and equipment for the protection of the organization’s assets, its properties, facilities, and operations. The functions of risk controls and countermeasures are to prevent or deter the occurrence of an undesirable event, detect an undesirable event or adversary attack, delay adversaries from reaching their target, and provide a response to deny adversaries from reaching their target or succeeding in their objective. When designing the risk controls and countermeasures, the organization should consider layering the controls and countermeasures, including (but not limited to):

  • Environmental design;
  • Physical barriers and site hardening (which includes overhead penetrations and underground pathways);
  • Physical entry and access control;
  • Security lighting;
  • Intrusion detection;
  • Video surveillance;
  • Electronic and network controls;
  • Personnel; and
  • Administrative procedures (may include memoranda of understanding, mutual aid agreements, other external resources).

The organization should document all phases of the controls and countermeasures design process.

A.9.5.4 Incident Management Procedures and Plans
The risk treatments are reflected in documented approaches to achieve the organization’s objectives and targets. Risk treatments should be coordinated or integrated with other organizational plans, strategies, and budgets.

To ensure their success, the procedures should define:

  • Responsibilities for achieving goals (who will do it and what will be done?);
  • Means and resources for achieving goals (where and how to do it?); and
  • Timeframe for achieving those goals (when will it be done?).

The procedures may be subdivided to address specific elements of the organization’s operations. The organization may use several action plans as long as the key responsibilities, tactical steps, resource needs, and schedules are adequately defined in each of the documented plans.

The strategies should include – where appropriate and practical – consideration of all stages of an organization’s activities related to planning, design, construction, commissioning, operation, retrofitting, production, marketing, outsourcing, and decommissioning. Strategy development may be undertaken for current activities and new activities, products, and/or services.

Prevention, preparedness, and mitigation strategies should give priority to the safe removal of people and property at risk. Additional topics include:

  • Relocation, retrofitting, and provision of protective systems or equipment;
  • Information, data, document, and cyber security;
  • Establishment of threat or hazard warning and communication procedures; and
  • Redundancy or duplication of systems, essential personnel, equipment, information, operations, or materials – including those from partner organizations.

The organization should plan for incident response and recovery, taking into account the priority of activities, contractual obligations, employee and neighboring community necessities, operational continuity, and environmental remediation. Organizations have different approaches to managing crises. Regardless of the approach, there are interrelated management response steps that require pre-emptive planning and implementation in case of an undesirable or disruptive incident:

  • Prevention: Measures are proactively taken to avoid the occurrence of an event and to mitigate potential consequences.

  • Response: The initial response to a disruptive incident usually involves the protection of people and property from immediate harm. An initial reaction by management may form part of the organization’s first response.

  • Continuity: Processes, controls, and resources are made available to ensure that the organization continues to meet its continuity and ORMS objectives.

  • Recovery: Processes, resources, and capabilities of the organization are re-established to meet ongoing operational requirements. This may often include the introduction of significant organizational improvements even to the extent of refocusing strategic, operational, tactical, and reputational objectives.

Strategies should be dynamic, performance-based, and modified when:

  • Outcomes of the risk assessment change;

  • Objectives and targets are modified or added;

  • Relevant legal, regulatory, or contractual requirements and voluntary commitments are introduced or changed;

  • Substantial progress in achieving the objectives and targets has been made (or has not been made); or

  • Products, services, processes, or facilities change or other issues arise.

Determining risk treatments enables the organization to evaluate a range of options. The organization may choose an appropriate response for each activity, such that it can continue to deliver activities at an acceptable level of operations and within an acceptable timeframe before, during and after an event. Options should be considered for the resumption of activity to pre-determined levels and timeframes. The most appropriate strategy or strategies should depend on a range of factors such as:

  • The results of the organization’s risk assessment;
  • The costs of implementing a strategy or strategies; and
  • The consequences of inaction.

Procedures and plans might be required for the following organizational resources:

  • Staff;
  • Premises;
  • Technology;
  • Information;
  • Supplies;
  • Stakeholders; and
  • Supporting Infrastructure.

The organization should establish documented plans that detail how the organization should manage an undesirable or disruptive event and how it should recover or maintain its activities to a predetermined level, based on management-approved recovery objectives.

Each plan should define:

  • Purpose and scope;
  • Objectives and measures of success;
  • Activation criteria and procedures;
  • Implementation procedures;
  • Roles, responsibilities, and authorities;
  • Communication requirements and procedures;
  • Internal and external interdependencies and interactions;
  • Resource requirements; and
  • Information flow, documentation, and record keeping processes.

The organization should periodically (at least annually) test, review, and revise its business continuity plans -- in particular, after the occurrence of a disruptive event and its associated post-event review.

A.9.5.5 Occupational Health and Safety
The organization should provide a safe and healthy working environment, recognizing the possible inherent dangers and limitations presented by the local environment. Reasonable precautions should be taken to protect all persons working on behalf of the organization – or those in their care – in high-risk or life-threatening situations.

All personnel should receive initial and recurrent training in emergency response plans, first aid and casualty care, with special emphasis on immediate response to traumatic injury following an attack or accident. Training should be conducted to an accepted standard.

A.9.5.6 Incident Monitoring, Reporting, and Investigations
The organization should establish procedures for incident reporting that document any incident involving persons working on its behalf, including injury to persons, threats to tangible or intangible assets, use of force, damage to equipment or property, malevolent or criminal acts, accidents, and any other event for which reporting is required by organizational policies, jurisdictional law, or a client. The organization should establish procedures for an internal inquiry to determine the following:

  • Time and location of the incident;
  • Identity of any persons involved including contact details;
  • Injuries/damage sustained;
  • Circumstances leading up to the incident;
  • Any measures taken by the organization in response to the incident;
  • Causes of internal and external casualties;
  • Notification of appropriate authorities;
  • Identification of root causes; and
  • Corrective and preventive actions taken.

Upon completion of the inquiry, the organization should produce a written incident report including the above information, copies of which should be provided to appropriate stakeholders (e.g., clients and jurisdictional authorities).

Persons working on behalf of the organization should be aware of the responsibilities and mechanisms for incident reporting, including evidence gathering and preservation. The incident reporting program should be included in the organization’s training program.

A.9.5.7 Internal and External Complaint and Grievance Procedures
The organization should establish a complaint and grievance procedure whereby any internal or external stakeholder who believes there are potential or actual nonconformances with this Standard, or violations of laws or human rights, may file a grievance. The procedure should state that the organization, or persons working on its behalf, may not retaliate against anyone who files a grievance or cooperates in the investigation of a grievance.

Complaint and grievance procedures are not for merely documenting grievances; they should be designed to resolve disputes by identifying root causes, improving accountability, and driving a culture of continual improvement. Once a complaint or grievance has been verified, corrective and preventive actions should be implemented in an expedited fashion.

When developing complaint and grievance procedures, one or more individuals should be designated with the authority to coordinate the efforts to investigate and resolve any complaints that the organization receives alleging any actions that threaten human life, rights, or safety; or are not in conformance with the requirements of the Standard, or as required by a client. The organization should adopt and publish its grievance procedures providing for prompt and equitable resolution of complaints.

The procedures should include, but are not limited to:

  • Mechanisms for submission of the complaint or grievance;
  • Information requirements of the submitter, including submission of corroborating information;
  • Timeframes for submission, investigations, and outcomes;
  • Provisions for confidentiality and privacy;
  • Hierarchical steps for the resolution process;
  • Investigation procedures, both internal and external;
  • Maintenance requirements of files and records related to the grievance and investigation;
  • Disciplinary actions;
  • Steps for resolution of complaint or grievance, including actions to prevent a recurrence;
  • Documentation and communication of outcomes; and
  • Notification to appropriate authorities.
