Security and Resilience in Organizations and their Supply Chains

5. Establishing the Framework

5.1 General

The organization shall establish, document, implement, maintain, and continually improve an ORMS in accordance with the requirements of this Standard, and determine how it will fulfil these requirements. In developing the ORMS, the organization shall consider its strategic, operational, tactical, and reputational objectives. The organization shall establish intended outcomes and performance metrics for an outcomes-driven ORMS. The organization shall continually improve its effectiveness in accordance with the requirements set out in this Standard.

Where the organization chooses to subcontract or outsource any process or activity that affects conformity with the requirements of this Standard, the organization shall ensure and accept control and accountability over the operations of subcontractors or outsource partners in the performance of such processes. Control of such subcontracted or outsourced processes or activities shall be identified and managed within the ORMS. Subcontractors of outsourced processes or services are also responsible and accountable for all client, legal, regulatory, contractual, ethical, and industry obligations.

5.2 Context of the Organization

The design and implementation of a management system framework is based on an understanding of the organization and its internal and external context of operation. Therefore, the organization shall define and document its internal and external context, including its supply chain and subcontractors. These factors shall be taken into account when establishing, implementing, and maintaining the organization’s ORMS, and assigning priorities.

The organization shall evaluate internal and external factors that can influence the way in which the organization will manage risk.

5.2.1 Internal Context

The organization shall identify, evaluate, and document its internal context, including:

  • Mission, strategies, policies, objectives, plans, and guidelines to achieve objectives;
  • Governance, roles and responsibilities, and accountabilities;
  • Values, ethos, and culture;
  • Overall risk management strategy;
  • Information flow and decision-making processes;
  • Capabilities, resources, and assets;
  • Procedures and practices;
  • Activities, functions, services, and products; and
  • Brand and reputation.

The organization shall identify relevant internal stakeholders that may impact or be impacted by its activities, functions, goods and services, and thereby contribute to the risk profile.

5.2.2 External Context

The organization shall define and document its external context, including:

  • The cultural, social and political context;
  • Legal, regulatory, contractual, technological, economic, natural, and competitive environment;
  • Contractual agreements, including other organizations within the contract scope;
  • Infrastructure dependencies and operational interdependencies;
  • Perceptions of time and time sensitivities;
  • Supply chain, outsourcing, and contractor relationships and commitments;
  • Key issues and trends that may impact on the processes and/or objectives of the organization;
  • Perceptions, values, needs, and interests of external stakeholders (including local communities in areas of operation); and
  • Operational forces and lines of authority.

The organization shall identify relevant external stakeholders that may impact or be impacted by its activities, functions, goods and services, and thereby contribute to the risk profile. In establishing its external context, the organization shall ensure that the objectives and concerns of external stakeholders are considered when developing ORMS criteria.

5.2.3 Enterprise Value of Tangible and Intangible Assets and Services

In order to understand the organization’s value chain, it is necessary to identify people, assets and services that provide tangible and intangible value. The value of an asset and service shall be considered within the context of how the assets contribute to the organization’s achievement of its objectives. While organizations may have a myriad of assets, products and services, typically not all are critical. Therefore, in addition to considering the monetary value of assets, valuation shall consider how the asset fits within the value chain of the organization and its relative value in achieving objectives.

5.2.4 Supply Chain and Subcontractor Node Analysis

Managing risks in the supply chain, including subcontractors, requires an understanding of the organization’s culture and environment as well as the context of the global environment of its supply chain. Each upstream and downstream node of the organization’s supply chain involves a set of risks and management processes.

The organization shall identify and document its upstream and downstream supply chain, particularly its use of subcontractors, to identify significant risks that present opportunities or have the potential to cause an undesirable or disruptive event. Managing supply chain risk shall be included in an organization’s overall ORMS program where risks have been identified which have a potential to cause an undesirable or disruptive event, or provide an opportunity. The organization shall define and document the level in their supply chain and subcontractors to include in their ORMS program.

5.3 Needs and Requirements

Top management shall ensure that stakeholder needs and requirements are identified, evaluated, continually monitored, and met to achieve its objectives and minimize risks.

When identifying stakeholder needs and requirements, the organization shall determine:

  • Requirements and obligations specified by stakeholders (e.g. client, customers, etc.);
  • Legal, regulatory, and contractual obligations, as well as other voluntary commitments;
  • Human rights responsibilities and impacts relevant to its activities;
  • Needs of the local and impacted communities and other stakeholders;
  • Impact on and interactions with other organizations and stakeholders;
  • Records and documentation requirements for delivery of services and non-conformances; and
  • Risk management requirements, including stakeholder risk appetite.

5.4 Defining Risk Criteria

The organization shall define and document criteria to evaluate the significance of risk. The risk criteria shall reflect the organization’s values, objectives and resources. When defining the risk criteria, the organization shall consider:

  • Critical activities, functions, services, products, and stakeholder relationships;
  • The operating environment and inherent uncertainty in locations of operations;
  • The potential impact related to an undesirable or disruptive event;
  • Legal, regulatory, and contractual requirements, as well as other voluntary commitments to which the organization subscribes;
  • The organization’s overall risk management policy;
  • The nature and types of threats and consequences that can occur to its assets, business, and operations;
  • Time factors and time dependencies;
  • Dependencies and interdependencies;
  • How the likelihood, consequences, and level of risk will be determined;
  • Needs of and impacts on stakeholders – particularly life, safety, and human rights;
  • Reputational and perceived risk;
  • Risk appetite and perspective (pursue, retain, take or not accept risk) of the organization and its clients; and
  • How combinations and the sequence of multiple risks will be taken into account.

5.5 Scope of the Management System

The organization shall define and document the scope of its ORMS, including the boundaries of the organization to be included in the ORMS – i.e., the whole organization, or one or more of its constituent parts, locations, value chain, or functions. The organization shall define the scope of the ORMS in terms of and appropriate to its size, nature, and complexity from a perspective of continual improvement.

In defining the scope, the organization shall consider:

  • The organization’s objectives, activities, internal and external obligations (including those related to stakeholders), and legal responsibilities;
  • The internal and external context of its activities, functions and operations; and
  • The uncertainty in achieving its strategic, operational, tactical, and reputational objectives, including factors that could adversely affect the operations and activities of the organization within the context of their potential likelihood and consequences.

The organization shall define the scope consistent with the need to manage risk and preserve the integrity of the organization. Where an organization chooses to subcontract or outsource any process that affects conformity with the requirements of this Standard, the organization shall ensure that such processes are controlled. The controls and responsibilities for such outsourced processes shall be identified within the scope of the ORMS. The organization retains responsibility to oversee its subcontract and outsourced partners’ compliance with jurisdictional, legal, and regulatory requirements, as well as their adherence to its voluntary commitments (e.g., human rights, labor practices).

A “Statement of Applicability” shall define the relevant risks that apply to the organization’s scope, legal, regulatory, and contractual obligations, and operating environment based on its risk assessment. The organization shall implement adaptive, proactive and/or reactive measures to manage risk that apply to the organization’s scope, legal, regulatory, and contractual obligations and operating environment. Specific exclusions and their justifications shall be documented.
