Annex C
(informative)
C. Examples of Risk Treatment Procedures that Enhance the Resilience of the Organization
C.1 General
Building a resilient organization is part of any good business management strategy. In order to survive and thrive, organizations need to adapt to an ever-changing environment. To be agile and resilient enough to achieve its objectives, the organization needs to draw on all the disciplines that contribute to managing risk. To manage risk cost-effectively, organizations must develop balanced strategies that adaptively, proactively, and reactively maximize opportunities while minimizing the likelihood and consequences of potential undesirable and disruptive events.
The organization should establish, implement, and maintain procedures to prevent and manage disruptive events which have the potential to harm the organization, its key stakeholders including supply chain partners, and the environment.
Procedures should be concise and accessible to those responsible for their implementation. Flow charts, diagrams, tables, and lists of action should be used rather than expansive text.
The purpose and scope of each procedure should be agreed by top management and understood by those responsible for its implementation. Dependencies and interdependencies should be identified and the relationships between procedures, including those of the emergency services and local authorities, should be stated and understood. The following sections provide more information on selected procedures. At the end of this annex are some templates for different plans.
C.2 Prevention and Mitigation Procedures
The purpose of a prevention or mitigation procedure is to define the measures to be taken by the organization to minimize the likelihood of a disruptive event or to minimize the potential for the severity of the consequences of the event.
Prevention procedures should describe how the organization will take proactive steps to protect its assets by establishing architectural, administrative, design, operational, and technological approaches to avoid, eliminate, or reduce the likelihood of risks materializing, including the protection of assets from unforeseen threats and hazards.
Mitigation procedures should describe how the organization will take proactive steps to protect its assets by establishing immediate, interim, and long-term approaches to reduce the consequences of risks before they materialize, including the protection of assets from unforeseen threats and hazards.
Organizations may choose to have a single procedure with sections and/or annexes dealing with different types of incidents. Alternatively, separate procedures may be written for each type of incident.
Each procedure should specify as a minimum:
- The purpose and scope of the procedure;
- Assets to be protected from the disruptive event;
- Objectives and measures of success;
- Implementation steps and the frequency with which the procedure is carried out;
- Roles, responsibilities, and authorities;
- Communication requirements and procedures;
- Internal and external interdependencies and interactions;
- Resource, competency, and training requirements; and
- Information flow and documentation processes.
The organization should nominate a primary “owner” of each prevention and mitigation procedure and should state who is responsible for reviewing, amending, and updating the procedure. The process of reviewing, amending, updating, and distributing procedures should be controlled.
Examples of prevention and mitigation procedures include the following:
- Eliminate the risk by complete removal of the threat or risk exposure;
- Reduce the risk by modifying activities, processes, equipment or materials;
- Isolation or separation of the risk from assets (human or physical);
- Engineering controls to deter, detect, and delay a potential threat;
- Administrative controls such as work practices or procedures that reduce risk; and
- Protection of the asset if the risk cannot be eliminated or reduced.
C.3 Response Procedures
The purpose of a response procedure is to define the initial measures to be taken by the organization in response to a disruptive event.
Response procedures should describe how the organization will respond to one or more types of disruptive events. Organizations may choose to have a single procedure with sections and/or annexes dealing with different types of incidents. Alternatively, separate procedures may be written for each type of incident.
Some response procedures may be implemented in advance of a disruptive event; for example, in the expectation of harm from a forthcoming tropical cyclone, wildfire, or malicious attack on the organization or a supply chain partner. In such circumstances, emphasis will be given to protecting and/or removing priority assets and to communicating the risk of harm to staff and to external organizations and authorities.
Each procedure should specify as a minimum:
- The purpose and scope of the procedure;
- Priority assets to be protected during the disruptive event;
- Priority activities to be maintained during the disruptive event;
- Measures to limit the form and extent of environmental damage caused by the disruptive event;
- Situations/conditions in which each procedure will be implemented;
- Criteria that will determine whether the disruptive event is to be classed as an incident, accident, emergency, crisis, and/or disaster;
- Criteria that will indicate the end of the response phase;
- Roles and responsibilities of individuals and groups required to implement the procedure;
- The organizational structure to be used, including the establishment of an incident command center, and links with external agencies such as the emergency services and occupational health and safety bodies;
- Procedures for communicating within the organization and to key external stakeholders, including supply chain partners, the emergency services, local authorities, and the media; and
- Contact details of all individuals responsible for implementing the procedure and others who need to be notified that the procedure is to be, or has been, implemented.
The organization should nominate a primary “owner” of each response procedure and should state who is responsible for reviewing, amending, and updating the procedure. The process of reviewing, amending, updating, and distributing procedures should be controlled.
NOTE: Response procedures are sometimes referred to as emergency response procedures.
C.4 Continuity Procedures
The purpose of a continuity procedure is to define the measures to be taken by the organization to maintain and/or re-establish priority activities of the organization and its supply chain partners.
Continuity procedures should describe how the organization will maintain and/or re-establish critical activities in the period immediately following the response/emergency phase. Organizations may choose to have a single procedure with sections and/or annexes dealing with different types of incident. Alternatively, separate procedures may be written for each type of incident.
Each procedure should specify as a minimum:
- The purpose and scope of the procedure;
- Priority assets to be protected during and immediately following the disruptive event;
- Priority activities to be maintained during and immediately following the disruptive event;
- Activities to be restored as a priority following the disruptive event;
- Measures to limit the form and extent of environmental damage caused by the disruptive event;
- Situations/conditions in which each continuity procedure will be implemented;
- Criteria that will indicate the end of the continuity phase;
- Roles and responsibilities of individuals and groups required to implement the procedure;
- The organizational structure to be used, including links with external agencies such as the emergency services and occupational health and safety bodies;
- Procedures for communicating within the organization and to key external stakeholders, including supply chain partners, the emergency services, local authorities, loss adjusters/insurance companies, and the media; and
- Contact details of all individuals responsible for implementing the procedure and others who need to be notified that the procedure is to be implemented.
The organization should nominate a primary “owner” of each continuity procedure and should state who is responsible for reviewing, amending, and updating the procedure. The process of reviewing, amending, updating, and distributing procedures should be controlled.
NOTE: Continuity procedures may run concurrently with response and recovery procedures.
C.5 Recovery Procedures
The purpose of a recovery procedure is to define the measures to be taken by the organization to recover from a disruptive event and thus ensure it is able to meet its strategic, operational, tactical, and reputational objectives.
Recovery procedures should describe how the organization will re-establish all necessary operational and support activities, replace damaged and/or destroyed assets and information, rebuild the brand and reputation of the organization, and assist staff to recover from the event. Organizations may choose to have a single procedure with sections and/or annexes dealing with different types of incidents. Alternatively, separate procedures may be written for each type of incident.
Each procedure should specify as a minimum:
- The purpose and scope of the procedure;
- Operational and support activities to be re-established and/or restored, and the priority of such restoration;
- Assets, including property, equipment, information, vehicles, and stores, to be repaired and/or replaced, and the priority for such repair and replacement;
- Assistance to staff affected, either physically or psychologically, by the disruptive event;
- Actions to be taken to rebuild the organization’s brand and reputation;
- Actions to be taken to mitigate any environmental damage;
- Situations/conditions in which each recovery procedure will be implemented;
- Criteria that will indicate the end of the recovery phase;
- Roles and responsibilities of individuals and groups who will be required to implement the procedure. It may be necessary to modify the normal procurement procedures in order to rapidly restore the organization’s activities and assets;
- The organizational structure to be used, including links with external agencies such as occupational health and safety bodies and loss adjusters/insurance companies; and
- Procedures for communicating within the organization and to key external stakeholders, including supply chain partners, the emergency services, local authorities, and the media.
The organization should nominate a primary “owner” of each recovery procedure, and should state who is responsible for reviewing, amending, and updating the procedure. The process of reviewing, amending, updating, and distributing procedures should be controlled.
NOTE 1: Recovery procedures may run concurrently with continuity procedures.
NOTE 2: Recovery procedures are sometimes referred to as recovery and restoration procedures.