ATTENTION: This page is intended to be viewed online and may not be printed or copied.
This Standard recognizes the complex risk landscape facing organizations and their supply chains requires an integrated, comprehensive and systematic risk-based approach for managing risks to enhance survivability, sustainability and resilience, as well as identify and pursue opportunities for improvements. The Standard emphasizes proactive risk and business management to support the pursuit of objectives and opportunities as well as a process of prevention, protection, preparedness, readiness, mitigation, response, continuity and recovery from undesirable and disruptive events. This Standard provides a single integrated management system to eliminate “siloing” of risk, enabling an organization to more efficiently anticipate and plan for naturally, accidentally, or intentionally caused events, using a single management system standard.
The Standard recognizes that organizations do not operate in isolation but rather as part of a complex and interconnected ecosystem. It is not sufficient to manage just internal organizational risks, but it is essential for organizations to take a systems approach and understand the risk characteristics and interactions with individuals, organisations, the community and society. To properly manage risk, organizations need to assess the internal and external context of their activities, functions, products and services. This includes the risk factors related to its end-to-end supply chain, interdependencies and dependencies.
This Standard takes a jurisdictional/country and discipline neutral approach to managing the uncertainties in achieving the organization’s strategic, operational, tactical, and reputational objectives. Risk management is viewed from a proactive and forward-looking perspective to protect and create value for the organization and its stakeholders. In order to build resilience, organizations need to continually integrate and optimize their risk and business management processes. By fully integrating its risk management processes throughout its enterprise-wide business management activities, the organization is empowered to make informed decisions based on best available information.
Resilience, as defined in this Standard is: “The absorptive and adaptive capacity of an organization in a complex and changing environment.” Therefore, resilience is about building capacity, rather than an end-point, and includes:
A convergence and integration of systems to manage its human, tangible and intangible assets (including addressing risks associated with information and communications technology products and services);
- Building a capacity for proactive risk management which identifies indicators of opportunities, change and adversity to enable an organization to take pre-emptive measures to pursue positive outcomes and minimize negative outcomes;
An agility and flexibility capacity in risk and business management processes aligned with time dependencies and needs for change;
An absorptive, resistive and carrying capacity to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event;
The capability of a system to maintain its functions and structure in the face of internal and external change in order to pursue opportunities and/or to manage degradation of activities and functions when it must;
Proactively planning to reduce the magnitude and/or duration of undesirable and disruptive events by enhancing its ability to anticipate, absorb, adapt to, and/or rapidly recover from events;
Empower people to respond to change, opportunities, or adversity in an informed manner; and
Viewing the organization from a multidimensional, multi-disciplinary systems approach to optimize its management of interactions within its risk environment.
0.2 Proactive Management of Risk to Build Resilience
Resilience takes a forward-looking view of risk, fully integrating business and risk management into the organization’s system of management. Risk is viewed as inevitable and having the potential for positive outcomes. People in a resilient organization ask themselves: “what are the positive changes we can make to strengthen the organization?” This means better understanding where you are to assist in knowing where you are going. It also means acknowledging weaknesses and threats in order to build strengths and opportunities.
Risk is the effect of uncertainty on the achievement of strategic, operational, tactical, and reputational objectives (ANSI/ASIS/RIMS RA.1-2015). All activities involve a certain amount of uncertainty. Uncertainty is the state where outcomes are unknown, undetermined, or undefined; or where there is a lack of sufficient information. Outcomes may be positive, negative, or neutral. Individuals, organizations, and communities must decide how much risk and uncertainty they are willing to accept or take in order to achieve their objectives and desired outcomes. Objectives may include short and long term strategic goals related to the whole or parts of the organization and its value chain (including its supply chains), as well as operational and tactical issues at all levels of the organization. The management of risks is a function of the organization’s objectives, appetite for risk, and its desire to exploit an opportunity or minimize a potential negative consequence. There is no simple formula or standardized approach to managing risk and building resilience. It must be tailored to the organization and it context.
Resilience promotes a perspective of enterprise-wide agility and adaptability in a dynamic and uncertain environment. Resilient organizations fully integrate a holistic and proactive risk management perspective into good business management practice to enhance their buffering and adaptive capacity. Resilience requires both the convergence of risk disciplines as well as the elimination of and/or collaboration among organizational siloes to have a coordinated plan for managing risk throughout the enterprise.
Resilience is not something that is inherent to an organization but develops as organizations mature, learn from successes and mistakes, improve their management and decision making skills, and gain better insights and more knowledge about the internal and external factors that may impact performance. Resilience also comes from supportive relationships, cultural perspectives, and individuals’ ability to cope with stress and adversity. Therefore, resilience is a function of a variety of behaviours, thoughts, and actions that can be learned and developed over time.
Resilience in organizations is similar to resilience in people in that it is not a trait but rather a perspective of living with risk. Resilient organizations:
Recognize that change is constant;
Consider the organization’s dependencies and interdependencies in assessing risk to the organization and its risks on others;
Integrate proactive risk management into all their decision-making processes;
Position the organization to identify and exploit opportunities emphasizing that adaption before a potential event provides efficiencies;
Promote situational awareness and monitoring with an emphasis on identifying indicators of change;
Develop a process of managing adversity to pre-emptively adapt, better absorb a blow, learn from its experiences and that of others to persevere and evolve into a stronger organization;
Cultivate problem-solving skills throughout the organization considering future outcomes and where the organization wants or needs to go;
- Use a systems approach to management understanding the relationships between all the elements, disciplines and divisions that make up the whole;
Recognize that not all uncertainties and their outcomes can be identified or quantified, so they determine the criticality of assets, activities and services necessary to facilitate sustainable operations;
View recovery as an opportunity considering the context of the changed environment, determining where the organization can be best positioned; and
Foster meaning and purpose for their stakeholders to work for the common benefit of all.
Being a resilient organization means efficiently tapping into its human, tangible, and intangible resources. All organizations have resource and capability limitations. Understanding risk management within the context of these resource limitations enables an organization to better identify its strengths and leverage them. Resilient organizations develop strong networks and relationships with stakeholders, their supply chains, other organizations, and the community. The organization understands its position in the bigger picture and learns from observing others, sharing appropriate information, and knowing where to seek help when needed. Resilient organizations are resourceful and recognize that relationships with stakeholders are among their most important resources.
Improving communication and consultation skills is essential to building resilience. Risk is best managed with ongoing consultation and interactive communication among stakeholders. A resilient organization will build the mechanisms needed to support both a top-down and bottom-up flow of information.
Empowering people at all levels of the organization fosters the sense of inclusiveness and ownership that encourages the sharing of ideas. It helps to promote a risk culture where risk makers and risk takers understand that they are also risk owners and risk managers. An effective flow of information based on a sense of inclusion promotes informed decision making. By communicating that continual innovation, creativity, and information/knowledge acquisition are core values of the organization, persons working on behalf of the organization will be empowered to proactively identify and address concerns thereby enhancing agility and an adaptive capacity. People will sense that they are part of the solution and not the problem.
Being resilient does not mean an organization will not suffer the consequences of change and adversity, rather the organization is better positioned to quickly identify, learn, and adapt to change and adversity. It is an evolutionary process. Recognizing new opportunities and possibilities does not require abrupt or impulsive change; it requires a measured approached based on best available information.
0.3 An Integrated Management Systems Approach
The management systems approach encourages organizations to analyze organizational and stakeholder requirements and define processes that contribute to success. A management system provides the framework for continual improvement to increase the likelihood of achieving strategic, operational, tactical, and reputational objectives while enhancing the resilience of an organization and its supply chain. It provides confidence to both the organization and its stakeholders that the organization is able to manage its risks and meet legal, regulatory, and contractual requirements, as well as voluntary commitments.
For additional information on an integrated management systems approach, please see Annex E.
Figure 1: Management System for Security and Resilience in Organizations and their Supply Chains
This Standard specifies requirements for an integrated management system for organizations and their supply chains. The organizational resilience management system (ORMS) enables an organization to identify, assess, and manage risks related to the achievement of its strategic, operational, tactical, and reputational objectives in the organization and its supply chains. It provides a holistic framework to develop and implement policies, objectives, and programs taking into account:
- Context of the organization and its supply chains;
- Legal, regulatory, and contractual obligations and voluntary commitments;
- Needs of internal and external stakeholders;
- Uncertainties in achieving its objectives; and
- Protection of human, tangible and intangible assets.
This Standard applies to risks and/or their impacts that the organization identifies as those it can control, influence, reduce, or exploit. It does not itself state specific performance criteria.
This Standard is applicable to any organization that wishes to:
- Establish, implement, maintain, and improve an ORMS;
- Assure itself of its conformity with its stated ORMS;
- Demonstrate conformity with this Standard by:
- Making a self-determination and self-declaration; or
- Seeking confirmation of its conformance by parties having an interest in the organization (such as customers); or
- Seeking confirmation of its self-declaration by a party external to the organization; or
- Seeking certification/registration of its ORMS by an external organization.
All the requirements in this Standard are intended to be incorporated into any type of organization’s management system. It provides all the elements required to integrate management, technology, facilities, processes, and people into the security and resilience culture, risk management, and ORMS of an organization. The extent of the application will depend on factors such as the risk appetite and policy of the organization; the nature of its activities, products, and services; and the location where, and the conditions in which, it functions.
This Standard provides generic requirements as a framework, applicable to all types of organizations (or parts thereof) regardless of size and nature of operation. It is applicable to all types of activities and decision-making processes. It provides guidance for organizations to develop their own specific performance criteria, enabling the organization to tailor and implement an ORMS appropriate to its needs and those of its stakeholders.
The Standard emphasizes resilience, the absorptive and adaptive capacity of an organization in a complex and changing environment. Risks are managed in a forward-looking proactive perspective to enable the organization to identify current and emerging threats and opportunities in its operations and in its supply chain. Applying this Standard enhances the organization’s absorptive and adaptive capacity to avoid, prevent, withstand and emerge stronger from all manner of intentional, unintentional, and/or naturally-caused events.
This Standard enables an organization to:
- Develop an ORMS policy;
- Establish objectives, procedures, and processes to achieve the policy commitments;
- Develop processes to assure competency, awareness, and training;
- Set metrics to measure performance and demonstrate success;
- Take action as needed to improve performance;
- Demonstrate conformity of the system to the requirements of this Standard; and
- Establish and apply a process for continual improvement.
Annex A provides informative guidance on system planning, implementation, testing, maintenance, and improvement.
2. Normative References
The following document contains information which, through reference in this text, constitutes foundational knowledge for the use of this American National Standard. At the time of publication, the editions indicated were valid. All material is subject to revision, and parties are encouraged to investigate the possibility of applying the most recent editions of the material indicated below.
- ANSI/ASIS/RIMS RA.1-2015 – Risk Assessment
3. Terms and Definitions
For the purposes of this document, the terms and definitions given in ANSI/ASIS/RIMS RA.1-2015, Risk Assessment, and the following apply:
Maximum elapsed time between a disruption and restoration of needed operational capacity or capability.
Process or set of processes undertaken by an organization (or on its behalf) that produces or supports one or more products or services.
NOTE: Examples of such processes include accounting, call center, information services, manufacturing, distribution, and other services.
A work location, other than the primary location, to be used when the primary location is not accessible. [ASIS International Business Continuity Guideline: 2004]
A person with the competence to conduct an audit.
|3.5||business continuity||Ability of an organization to operate at predefined levels following a disruptive event.|
|3.6||business continuity management (BCM)||
Proactive set of planning, preparedness and related activities which are intended to restore an organization's critical business functions to pre-determined levels enabling the organization to operate despite serious disruptive events and recover to an operational state expeditiously.
|3.7||business continuity plan (BCP)||
A collection of procedures and information which is developed, tested and maintained in preparation for use in a disruptive event to continue operations at predefined levels following the event.
Recurring process of enhancing the security, preparedness, and continuity (SPC) management system in order to achieve improvements in overall SPC management performance consistent with the organization’s SPC management policy
NOTE: The process need not take place in all areas of activity simultaneously.
Fulfillment of a requirement.
An unstable condition involving an impending abrupt or significant change that requires urgent attention and action to protect life, assets, property, or the environment.
Holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience, with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities -- as well as effectively restoring operational capabilities.
NOTE: Crisis management also involves the management of preparedness, mitigation response, continuity or recovery in the event of an incident -- as well as management of the overall program through training, rehearsals, and reviews to ensure the preparedness, response, and continuity plans stays current and up-to-date.
|3.12||crisis management team||
Group of individuals functionally responsible for directing the development and execution of the response and operational continuity plan, declaring an operational disruption or emergency/crisis situation and providing direction during the recovery process, both pre-and post-disruptive incident.
NOTE: The crisis management team may include individuals from the organization as well as immediate and first responders, stakeholders, and other interested parties.
Event that causes significant damage to assets or loss of life.
An event that interrupts normal business, functions, operations, or processes, whether anticipated (e.g., hurricane, political unrest) or unanticipated (e.g., a blackout, terror attack, technology failure, or earthquake).
NOTE: A disruption can be caused by either positive or negative factors that will disrupt normal functions, operations or processes.
Period of time when something is not in operation.
NOTE: The allowable period of downtime is determined by the organizations obligations (e.g., customer and regulatory requirements).
Serious, unexpected, and precarious situation requiring immediate action.
Organized, phased, and supervised dispersal of people from dangerous or potentially dangerous areas. [ASIS International Business Continuity Guideline: 2004]
Evaluating management programs, rehearsing the roles of team members and staff, and testing the recovery or continuity of an organization’s systems (e.g., technology, telephony, administration) to demonstrate management competence and capability.
NOTE 1: Exercises include activities performed for the purpose of training and conditioning team members and personnel in appropriate responses with the goal of achieving maximum performance.
NOTE 2: An exercise can involve invoking response and operational continuity procedures, but is more likely to involve the simulation of a response and/or operational continuity incident, announced or unannounced, in which participants role-play in order to assess what issues might arise, prior to a real invocation.
Plant, machinery, equipment, property, buildings, vehicles, information systems, transportation facilities, and other items of infrastructure or plant and related systems that have a distinct and quantifiable function or service.
A member of an emergency service who is first on the scene at a disruptive incident
NOTE 1: Emergency services include any public or private service that deals with disruptions, such as the initial responding law enforcement officers, other public safety officials, emergency medical personnel, rescuers and/or other emergency response service providers.
Possible source of danger or conditions (physical or operational) that have a capacity to produce a particular type of adverse effect.
Systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the management system audit criteria set by the organization are fulfilled.
NOTE: In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.
|3.23||key performance indicator (KPI)||
Metric used to evaluate factors that are crucial to the success of an organization or of a particular activity in which it engages.
NOTE: A KPI is a metric which indicates how an organization is performing against its objectives.
Being deprived of someone or something, of value.
Clearly defined and documented plan of action, typically covering the key personnel, resources, services, and actions needed to implement the incident management process.
Limitation of any negative consequence of a particular incident.
|3.27||mutual aid agreement||
Written agreement between agencies, organizations, or jurisdictions to lend assistance across jurisdictional boundaries.
Organizational resilience management system - Coordinated activities to direct and control an organization with regard to managing risk to enhance resilience and security in the organization and its supply chain.
NOTE: Direction and control with regard to ORMS generally includes establishment of the policy, planning, and objectives directing operational processes and continual improvement.
Something sought, or aimed for, related to managing risk to enhance resilience and security in the organization and its supply chain.
NOTE 1: Quality objectives are generally based on the organization's quality policy.
NOTE 2: Quality objectives are generally specified for relevant functions and levels in the organization.
Overall intentions and direction of an organization related to managing risk to enhance resilience and security in the organization and its supply chain as formally expressed by top management.
NOTE 1: Generally, the security and resilience policy is consistent with the overall policy of the organization, and provides a framework for the setting of security and resilience objectives.
NOTE 2: ORMS principles presented in this Standard can form a basis for the establishment of a quality policy.
Overall intentions and direction of an organization, as formally expressed by top management. [ANSI/ASIS/RIMS RA.1-2015]
Activities, programs, and systems developed and implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions, disasters, or emergencies.
A number between zero and one that shows how likely a certain event is.
An established or specified way to conduct an activity or a process. [ANSI/ASIS/RIMS RA.1-2015]
Actions, changes or steps taken in order to achieve a particular end.
Goods and services that are the result of a process.
NOTE: Typically, a product is an item or service that is produced to create value.
|3.37||recovery point objective||
Point in time to which data or capacity of a process is in a known and valid or integral state can be restored from. This should be less than the maximum amount of loss tolerance and may be defined in hours or days.
|3.38||recovery time objective (RTO)||
Time goal for the restoration and recovery of functions or resources based on the acceptable down time and acceptable level of performance in case of a disruption of operations.
Absorptive and adaptive capacity in a complex and changing environment.
Any asset (human, physical, information, or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used.
Documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident.
Group of individuals responsible for developing, executing, rehearsing, and maintaining the response plan, including the processes and procedures.
Freedom from danger, risk, or injury.
The condition of being protected against risks, hazards, threats, or loss.
NOTE 1: In the general sense, security is a concept similar to safety. The distinction between the two is an added emphasis on being protected from dangers that originate from outside.
NOTE 2: The term security means that something not only is secure, but that it has been secured.
Something you are trying to do or achieve with defined metrics.
Activities performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria. Testing usually involves exercises designed to keep teams and employees effective in their duties, and to reveal weaknesses in the preparedness and response/continuity/recovery plans. [ASIS International Business Continuity Guideline: 2004]
Potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community.
Directors, managers, and officers of an organization that can ensure effective management systems -- including financial monitoring and control systems -- have been put in place to protect assets, earning capacity, and the reputation of the organization.
State of being susceptible to harm or injury.
NOTE: Susceptibility to negative outcomes of a risk.
Process of identifying and quantifying something that creates susceptibility to a source of risk that can lead to a consequence.
NOTE: The reader is encouraged to read through the terms and definitions provided in the ANSI/ASIS/RIMS RA.1-2015, prior to reading the body of this document.
Next: General Principles