
Security and Resilience in Organizations and their Supply Chains


4. General Principles

The goal of an ORMS is to support the achievement of strategic, operational, tactical, and reputational objectives. Organizations need to anticipate and manage circumstances arising from human, technical, or naturally caused events that may have positive or negative outcomes for the organization and its supply chains. Organizations need to manage risks to their stakeholders, including persons working on their behalf, supply chain partners, clients, shareholders, and affected communities. They have a duty-of-care responsibility to enhance human safety and security and to protect tangible and intangible assets, while respecting laws and obligations as well as the rights and interests of stakeholders. This is accomplished by fully integrating the management of risks into decision-making and business management processes throughout the organization and its supply chain.

The intent is to:

  • Provide an information-driven approach to decision-making and management;

  • Identify and pursue potential opportunities;

  • Minimize the likelihood and consequences of an undesirable or disruptive event by preventing it where possible; by mitigating its impact; by responding effectively and efficiently when it occurs; by maintaining an agreed level of performance; by assuring accountability and implementing lessons learned after the event; and by taking measures to prevent a recurrence; and

  • Promote a culture in the organization that recognizes the role and responsibility of every person working on behalf of the organization in managing risks.

An ORMS is achieved by developing, designing, documenting, deploying and evaluating the fit-for-purpose, proactive management strategies needed to achieve current objectives, and by identifying indicators of a potential need for change. The elements of the management system are detailed in clauses 5-11 and the annexes of this Standard. In developing, applying and improving an ORMS, top management/decision-makers should apply the following general principles.

4.1 Leadership and Vision

Top management (the person or persons responsible for decision making who have the authority to implement those decisions) establishes the vision, sets objectives, and provides direction for the organization. They promote a culture of ownership within the organization in which everyone views managing risk as part of their contribution to achieving the organization’s goals and objectives. They encourage a top-down/bottom-up approach to identifying needs for change, both to pursue opportunities and to prevent and manage undesirable and disruptive events. Top management demonstrates a commitment to promoting a culture of respect for relevant jurisdictional laws, contractual obligations, and the rights of individuals, as well as effective leadership in the implementation and maintenance of this Standard.

4.2 Governance

Enhanced security and resilience are viewed as part of an overall good governance strategy and as an enterprise-wide responsibility. Transparency and inclusiveness of risk management processes provide the foundation for good governance. Decision-making and the provision of goods and services that comply with relevant jurisdictional laws and contractual obligations, protect human rights, and create value are part of the organization’s ethos and values. The protection of human life and safety in the course of achieving the mission’s objectives is a primary concern of managing the risks of undesirable and disruptive events.

4.3 Factual Basis for Decision Making

Identifying, assessing and managing risks provides the basis for making informed decisions at all levels of the organization and its supply chain. Assessing and managing risk drives decision making, and dictates the actions that will be taken based on factual analysis – balanced with experience and accepted industry best practices. The ORMS increases the ability to review, challenge, and change opinions and decisions; enhances problem-solving capacity; increases the ability to demonstrate effectiveness of past decisions through reference to factual records; and ensures that data and information are accurate, reliable, and timely – in line with company policy.

4.4 Outcomes Oriented

A management system is more than a set of management processes; it is a tool to achieve desired outcomes. The desired outcome of the ORMS is to enhance the security and resilience of the organization and its supply chain in order to facilitate the achievement of strategic, operational, tactical, and reputational objectives. Key Performance Indicators (KPIs) are defined to support the achievement of objectives. KPIs drive a culture of management by measurement for continual monitoring and performance improvement.

4.5 Needs Oriented Taking Human and Cultural Factors into Account

In order to create and protect value, the ORMS identifies, understands and is responsive to the needs and expectations of internal and external stakeholders – such as persons working on behalf of the organization, supply chain partners, affected communities, and its clients and customers. Objectives of the organization are linked to internal and external stakeholder needs and expectations. Stakeholder relationships are systematically managed using a balanced approach between the needs of the organization and those of its stakeholders. This requires an understanding of the security and resilience needs and expectations of individuals, organizations, industry sectors, communities and society that may impact, and be impacted by, the organization. The ORMS considers and takes into account the variability of human and cultural factors that impact, and may be impacted by, its activities. Understanding bias and human, cultural and temporal factors is essential for understanding and adequately managing risk.

4.6 Overall Organizational Risk and Business Management Strategy

Security and resilience assurance are part of an organization’s overall risk and business management strategy. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize negative outcomes. Therefore, the risk management process requires a clear understanding of the organization’s internal and external contexts to proactively identify opportunities and minimize the uncertainty in achieving its strategic, operational, tactical, and reputational objectives. Risk management is viewed as integral to business management, decisions, activities, functions and change-making processes throughout the organization. Assessing and understanding an organization’s acceptable level of risk is critical for the organization to develop a preemptive and effective risk management strategy that matches the needs and expectations of its internal and external stakeholders within the context of the operating environment's level of risk.

4.7 Systems Approach

An ORMS requires a multi-dimensional, dynamic and iterative approach. Identifying, understanding, and managing interrelated processes and elements contributes to the organization's effective and efficient control of its risks. The systems approach examines the linkages and interactions between the elements that compose the entirety of the system. Component parts of a system are best understood in the context of their interrelationships rather than in isolation, and must be treated as a whole.

4.8 Adaptability and Flexibility

The ORMS is aligned with internal and external factors (its context) and is therefore tailored to the needs and risk profile of the organization and its supply chain. Organizations need to recognize that they operate in dynamic environments that are subject to change. Organizations need to conduct on-going monitoring of the risk and market environment to identify changes and implement effective change control strategies. Organizations need to be agile and adaptable: able and willing to evolve, continually responding and adapting to reflect the changing operating environment. The ORMS should be seen as a management framework rather than a set of activities. As missions, budgets, priorities, and staff change, the structure of the framework remains stable even though its particular applications change.

4.9 Managing Uncertainty

The management of risks explicitly takes account of uncertainty, the nature of that uncertainty, and how it should be addressed. It promotes the concept that decision-making is based on best available information. Management is not always based on predictable threats and quantifiable risks. Estimates and assumptions need to be understood in analyzing the positive and negative outcomes of sources of risk, both known and unknown, within a changing environment.

4.10 Cultural Change and Communication

In order to support a security and resilience culture in the organization and its supply chain, it is essential for top management to establish a well-defined strategy, including communications, training, and awareness programs, to ensure that all levels of management and all persons working on the organization's behalf understand the goals of the management system. The ORMS supports cultural and perceptual change in the organization so that risk makers and risk takers are the risk owners at all levels. Communicating a shared vision, purpose and core values that support strategic, operational, tactical, and reputational objectives provides direction for decision-making at all levels. Stakeholders are empowered to participate in inclusive consultative processes to identify, assess and proactively manage risk, both to pursue opportunities and improvements and to mitigate potential weaknesses and vulnerabilities. Cultivating leadership skills at all levels enhances resilience, builds trust and contributes to protecting the image and reputation of the organization. The ORMS must be fully understood and supported at the top level of the enterprise and communicated to all persons who work on behalf of the organization as part of its core culture.

4.11 Continual Improvement

Recognizing the dynamic risk, market and operating environment, coupled with resource availability considerations, an ORMS is an on-going process of continual improvement. All organizations need to be cognizant of their resource constraints in order to prioritize the allocation of resources when managing risks. The ORMS provides a framework for understanding the context, assessing risks, and prioritizing the allocation of resources to facilitate the achievement of objectives. The ORMS provides the basis for monitoring, measurement, review, and subsequent modification of ORMS processes, procedures, capabilities, and information within a continual improvement cycle. Formal, documented reviews are conducted regularly. The findings of such reviews are considered by top management, and action is taken where necessary, including to pursue opportunities for improvement.
