Security and Resilience in Organizations and their Supply Chains

6. Leadership

6.1 General

Top management shall provide evidence of active leadership for the ORMS by overseeing its establishment and implementation, and motivating individuals to integrate security and resilience as a central part of the mission of the organization and its culture.

6.2 Management Commitment

Top management shall provide evidence of its mandate and commitment to the development and implementation of the ORMS, to achieve its intended outcomes and to continually improve its effectiveness, by:

  • Identifying strategic, operational, tactical, and reputational objectives;

  • Establishing the ORMS policy;

  • Articulating a shared sense of joint purpose and values underlying decision-making processes;

  • Instilling a sense of ownership in the ORMS to persons working on behalf of the organization and recognizing their contributions;

  • Establishing risk criteria including risk appetite;

  • Reviewing risk assessment and performance assessment outcomes;

  • Communicating to the organization the importance of meeting ORMS objectives and conforming to the ORMS policy;

  • Communicating to persons working on behalf of the organization the importance of adhering to legal obligations and voluntary commitments;

  • Providing sufficient resources to establish, implement, operate, monitor, review, maintain, and improve the ORMS. Internal and external resources include but are not limited to people with specialized skills, equipment, infrastructure, technology, information, and financial resources;

  • Encouraging and supporting management at all levels and other persons working on behalf of the organization to integrate a security, risk, and resilience culture and awareness into their areas of responsibilities;

  • Aligning organizational incentives in a manner consistent with ORMS objectives;

  • Conducting at planned intervals, management reviews of the ORMS; and

  • Promoting the need for continual improvement.

6.3 Policy

Top management shall establish an ORMS policy. The policy shall:

  • Provide a clarity of purpose and shared vision for the ORMS;

  • Provide a framework for setting and reviewing ORMS objectives, targets, and programs;

  • Be consistent with the organization’s other policies;

  • Empower persons working on behalf of the organization to recognize their role in the ORMS and achievement of objectives;

  • Provide a commitment to comply with applicable legal, regulatory, and contractual requirements as well as voluntary commitments;

  • Include a commitment to human rights and public safety as a top priority;

  • Provide a commitment to avoid, prevent, and reduce the likelihood and consequences of undesirable or disruptive events;

  • Be documented, implemented, and maintained;

  • Be communicated to all appropriate people working for or on behalf of the organization;

  • Be available to stakeholders;

  • Be visibly endorsed by top management;

  • Include a commitment to continual improvement; and

  • Be reviewed at planned intervals and when significant changes occur.

6.4 Organizational Roles, Responsibilities, and Authorities for the ORMS

Top management shall ensure that the responsibilities and authorities for relevant ORMS roles are designated and communicated within the organization.

The organization shall appoint one or more individuals within the organization who – irrespective of other responsibilities – shall have defined competencies, roles, responsibilities, and authority for:

  • Ensuring that an ORMS is established, communicated, implemented, and maintained in accordance with the requirements of this Standard;

  • Identifying and monitoring the needs and expectations of the organization's internal and external stakeholders, and taking appropriate action to manage these needs and expectations;

  • Ensuring that adequate resources are made available;

  • Promoting awareness of ORMS requirements throughout the organization; and

  • Reporting on the performance of the ORMS to top management for review and as a basis for continual improvement.

Top management shall ensure those responsible for the ORMS have the authority and competence to be accountable for the implementation and maintenance of the management system.
