
Security and Resilience in Organizations and their Supply Chains


9. Operation and Implementation

9.1 Operational Control

9.1.1 General
The organization shall identify the activities that are associated with the identified significant risks and consistent with its ORMS policy, risk assessment, objectives, and targets, in order to ensure that they are carried out under specified conditions, which will enable it to:

  • Comply with legal, regulatory, and contractual requirements, and voluntary commitments;

  • Accomplish the mission while protecting the organization’s reputation;

  • Ensure the security, well-being, and rights of both persons working on its behalf as well as those impacted by its activities;

  • Implement risk management controls to pursue opportunities and minimize the likelihood and consequences of an undesirable or disruptive event; and

  • Achieve its risk management, security and resilience objectives and targets.

The organization shall establish, implement, and maintain documented procedures to control situations where their absence could lead to deviation from the ORMS policy, objectives, and targets.

9.1.2 Establishing Norms of Behavior and Codes of Ethical Conduct
The organization shall establish, implement, and maintain a Code of Ethics setting norms of behavior for all persons working on its behalf, including employees, subcontractors, and outsource partners. The Code of Ethics shall be documented and shall clearly communicate the importance of compliance with legal, regulatory, and contractual obligations, and with voluntary commitments. The Code of Ethics shall ensure that all persons working on the organization's behalf understand their responsibilities for managing and reporting risks and nonconformances.

The organization shall communicate and document its Code of Ethics to all persons working on its behalf, as well as appropriate stakeholders.

9.2 Resources, Roles, Responsibility, and Authority

9.2.1 General
Top management shall make available resources essential to establish, implement, maintain, and improve the ORMS. Resources shall include information, management tools, human resources (including people with specialist skills and knowledge), and financial support.

Roles, responsibilities, and authorities shall be defined, documented, and communicated in order to facilitate an effective ORMS, including control, coordination, and command responsibility with a defined line of succession.

To effectively pursue opportunities and deal with undesirable and disruptive events, the organization shall establish planning, security, incident management, response and/or recovery team(s) with defined roles, appropriate authority, adequate resources, and rehearsed operational plans and procedures.

9.2.2 Personnel
The organization shall retain sufficient personnel with the appropriate competence to fulfill its contractual obligations. Personnel shall be provided with adequate pay and remuneration arrangements, including insurance, commensurate to their responsibilities. The organization shall protect the confidentiality of this information as appropriate and provide personnel with relevant documents in language that is readily comprehensible for all parties.

The organization shall maintain documented information on all personnel:

  • As required by legal, regulatory, and contractual obligations;
  • To maintain contact with individuals and their immediate families;
  • To assist in personnel recovery in event of an incident; and
  • Needed for family notification of injury or death.

9.2.3 Response Structure
The organization shall establish, document, and implement procedures and a management structure to anticipate, prevent, prepare for, mitigate, and respond to an undesirable or disruptive event using personnel with the necessary authority, experience, and competence.
The response structure shall:

  • Identify incident indicators and impact thresholds that justify initiation of a formal response;

  • Assess the nature and extent of a potential undesirable or disruptive event and its impacts;

  • Initiate an appropriate response to avoid, protect, mitigate, or manage a potential undesirable or disruptive event;

  • Have plans, processes, and procedures for the activation, operation, coordination, and communication of the response;

  • Have resources available to support the plans, processes, and procedures, both to manage a disruptive event and to minimize its impact before it is realized;

  • Communicate with stakeholders and authorities, as well as the media; and

  • Conduct post-incident analysis to identify opportunities for improvement.

9.2.4 Selection, Background Screening, and Vetting of Personnel
The organization shall establish, document, implement, and maintain procedures for background screening and vetting of all persons working on its behalf to ensure they are fit and proper for the tasks they will conduct. Wherever possible and consistent with jurisdictional laws, regulations, and contractual requirements, screening processes shall include:

  • Consistency with legal, regulatory, and contractual requirements;
  • Identity, minimum age and personal history verification;
  • Education and employment history review;
  • Personal references;
  • Military and security services records check;
  • Review of possible criminal records;
  • Evaluation for substance abuse;
  • Physical and mental evaluation for fitness with assigned activities; and
  • Evaluation for suitability to perform their duties.

Background screening involves the disclosure of highly sensitive information; therefore, the organization shall develop procedures to appropriately and strictly secure the confidentiality of information both internally and externally. Records shall be maintained consistent with relevant statutes of limitations.

Selection of qualified personnel shall be based on defined competencies including knowledge, skills, abilities, and attributes. Both the screening and selection measures shall be consistent with legal, regulatory, and contractual requirements.

9.2.5 Selection, Background Screening, and Vetting of Subcontractors
When the organization subcontracts activities, functions, and operations on a temporary or continuing basis, this work shall be placed with a competent subcontractor. The organization is responsible for the subcontractor’s work and is liable, as appropriate and within applicable law, for the conduct of these subcontractors. The organization shall:

  • Ensure appropriate written contractual agreements with the subcontractor;
  • Advise and obtain consent in writing from stakeholders, when appropriate;
  • Maintain a register of all subcontractors it uses;
  • Communicate the responsibilities of this Standard to the subcontractor; and
  • Maintain a record of evidence of conformance with this Standard for work subcontracted.

9.2.6 Internal and External Complaint and Grievance Procedures
The organization shall establish procedures to document and address grievances received from internal and external stakeholders (including supply chain partners, clients, and other affected parties). The procedures shall be communicated to internal and external stakeholders to facilitate the reporting by individuals of potential and actual nonconformances with this Standard, or of violations of laws, voluntary obligations, or human rights. The organization shall investigate allegations expeditiously and impartially, with due consideration to confidentiality and to restrictions imposed by jurisdictional laws. The organization shall establish and document procedures for:

  • Receiving and addressing complaints and grievances;
  • Establishing hierarchical steps for the resolution process;
  • The investigation of grievances, including procedures to:
    • Cooperate with official external investigation mechanisms;
    • Prevent the intimidation of witnesses or inhibiting the gathering of evidence; and
    • Protect individuals submitting a complaint or grievance in good faith from retaliation.
  • Identification of the root causes;
  • Corrective and preventive actions taken, including disciplinary action commensurate with any infractions;
  • Document the outcomes of the investigation; and
  • Communications with appropriate authorities.

Grievances alleging criminal acts, violations of human rights, or imminent danger to individuals shall be dealt with immediately by the organization, and other authorities as appropriate.

9.2.7 Procurement and Management of Materials
The organization shall establish documented procedures and records for procurement and management of materials required for its processes to manage risks, based on jurisdictional legal, regulatory, and contractual requirements, as well as mission objectives and risks identified. Management of materials may include:

  • Compliance with registrations, certifications, and permits;
  • Acquisition;
  • Secure storage;
  • Controls over their identification, issue, use, maintenance, return, and loss;
  • Records regarding to whom and when materials are issued;
  • Identification and accounting of materials; and
  • Proper disposal with verification.

9.3 Competence, Training, and Awareness

9.3.1 General
The organization shall ensure that all persons performing tasks on its behalf, including employees, subcontractors, and outsource partners, who have the potential to prevent, cause, respond to, mitigate, or be affected by identified risks are competent (on the basis of appropriate education, training, and experience), and shall retain associated records.

The organization shall identify competencies and training needs associated with ORMS, particularly the performance of each individual’s functions, consistent with respect for legal, regulatory, and contractual requirements, and voluntary commitments. It shall provide training or take other action to meet these needs, and shall retain associated records.

9.3.2 Competence Identification
The organization shall identify competencies, level of competency and training needs associated with its activities, operations and the management of risks. The organization shall establish, implement, and maintain procedures to ensure all persons performing tasks on its behalf are aware of:

  • The ORMS policy;

  • The parameters of performance of their functions;

  • The benefits of conformance to the ORMS and improved performance;

  • Their roles and responsibilities in achieving conformity with the requirements of the ORMS;

  • Assessing risks;

  • Managing risks identified in the risk assessment and associated with their work;

  • Applicable jurisdictional laws, regulations and voluntary commitments including but not limited to:

    • Compliance issues related to their activities and functions;
    • Prohibition of degrading treatment of others;
    • Prohibition and awareness of discriminatory and exploitative practices;
    • Recognition and prevention of verbal and physical abuse; and
    • Measures against bribery, corruption, fraud and similar crimes.

  • The procedures to reduce the likelihood and/or consequences of an undesirable or disruptive event, including procedures to respond to and report events;

  • Communications protocols and procedures;

  • Incident reporting and documentation procedures;

  • First-aid, health, environmental, safety and security procedures;

  • The culture, such as customs and religion, of the environment in which they are operating;

  • Receiving and reporting complaints; and

  • The potential consequences of departure from specified procedures.

9.3.3 Training and Competence Evaluation
The organization shall provide for training and establish a means to measure degrees of proficiency or levels of competency. Persons working on behalf of the organization shall be trained to demonstrate the level of competence and proficiency required.
The organization shall:

  • Establish competence-based metrics for its training programs;

  • Promote an ORMS culture by instilling an understanding that risk management, security, and resilience are part of the organization's core values and governance;

  • Identify other competencies that require periodic refresher training to maintain the required level of performance or to incorporate new requirements; and

  • Provide training on the importance of conformity with the ORMS policy and procedures and with the requirements of the ORMS, as well as potential consequences of departure from specified procedures for the ORMS, operations and the management of risk.

9.4 Communication

9.4.1 General
The organization shall establish, implement, and maintain procedures for:

  • Communicating with persons working on its behalf;

  • Communicating with external stakeholders including its clients, subcontractors, supply chain partners, government authorities, local and emergency services authorities, members of the community in which it operates, and the media;

  • Receiving, documenting, and responding to communications from internal and external stakeholders;

  • Defining and assuring availability of the means of communication during atypical situations and disruptions; and

  • Regular testing of communications systems under normal and abnormal conditions.

Communication procedures shall consider the sensitive nature of operational information and legal restrictions on information sharing.

9.4.2 Operational Communications
The organization shall develop standardized communication procedures to share information protecting its integrity and level of confidentiality, including information related to:

  • Its operations, functions and activities;
  • Its chain of command, organizational hierarchy, and custody of information;
  • Relevant risk and threat information;
  • Logistics and supply chain management;
  • Incident reporting, internally and externally; and
  • Requests for assistance.

The organization shall ensure that spoken and written communications can be received and understood by all levels of the organization and by its operators, and that all levels can respond in a language or by a means that can be understood by the appropriate internal and external stakeholders.

9.4.3 Risk Communications
The organization shall decide, based on safeguarding life as a top priority and in consultation with stakeholders, whether to communicate externally about significant risks and impacts to stakeholders and document its decision. If the decision is to communicate, the organization shall establish and implement methods for this external communication, alerts, and warnings (including with the media).

9.4.4 Communicating Complaint and Grievance Procedures
Complaint and grievance procedures shall be communicated to internal and external stakeholders. Procedures shall minimize obstacles to access caused by language, educational level, or fear of reprisal, as well as consider needs for confidentiality and privacy.

9.4.5 Whistleblower Policy
The organization shall communicate to people working on its behalf, who have reasonable belief that a nonconformance of this Standard has occurred, their right to anonymously report the nonconformance internally, as well as externally to appropriate authorities. The organization shall not take any adverse action against any individual for the act of making a report in good faith.

9.5 Prevention and Management of Undesirable or Disruptive Events

9.5.1 General
The organization shall establish, implement, and maintain procedures (plans) to prevent and manage potential undesirable and disruptive events based on its risk assessment and its recovery time objectives. The procedures shall document how the organization will anticipate, prevent, prepare for, and respond to undesirable and disruptive events. In preparing incident prevention and management procedures, the organization considers each of the following actions:

  • Safeguard life and assure the safety of internal and external stakeholders;
  • Protect assets;
  • Prevent further escalation of the incident;
  • Minimize disruption to operations;
  • Restore critical operational continuity;
  • Recover normal operations (including evaluating improvements);
  • Notify appropriate authorities;
  • Protect image and reputation (including media coverage and stakeholder relationships); and
  • Take corrective and preventive actions (including root cause analysis to remediate the situation and prevent a recurrence).

The following costs are assessed when developing incident prevention and management plans:

  • Human cost: Physical and psychological harm to clients, persons working on its behalf, suppliers, local communities and other stakeholders.

  • Financial cost: Equipment and property replacement, downtime, overtime pay, stock devaluation, lost sales/business, lawsuits, regulatory fines/penalties, etc.

  • Image cost: Reputation, standing in the community, negative press, loss of clients, etc.

  • Human rights impacts: Actual and potential adverse human rights impacts on specific people and groups, in particular vulnerable or marginalized groups, within the specific context of operations.

  • Indirect impacts: On the regional economy and reduction in the regional net economy, etc.

  • Environmental impacts: Degradation to the quality of the environment or to endangered species.

9.5.2 Risk Treatment Functions
The organization shall establish, implement and maintain procedures to support pursuit of opportunities and the protection of people, tangible and intangible assets, and other risk-related functions, including but not limited to:

  • Managing risks identified in the risk assessment;
  • Specific functions required to conduct activities and functions; and
  • Supply chain tasks and context-specific functions.

Design of Controls and Countermeasures
The organization should establish, implement, and maintain procedures for controls and countermeasures to pursue opportunities and manage its risks that have the potential to harm the organization, its assets, supply chain and stakeholders, in order to:

  • Comply with legal, regulatory and contractual requirements, and voluntary commitments;
  • Meet its obligations to its internal and external stakeholders;
  • Deliver its ORMS programs (risk treatment and countermeasure action plans); and
  • Achieve its ORMS objectives and targets.

The control procedures shall document how the organization will:

  • Exploit potential opportunities;

  • Provide adequate protection of assets (tangible and intangible) based on the risk assessment;

  • Avoid, remove or reduce the likelihood of an incident;

  • Reduce and manage the consequences of an incident;

  • Maintain continuity of operations and services based on predetermined levels of performance and recovery time objectives;

  • Ensure the integrity of the controls if an incident takes place; and

  • Recover from an incident.

The organization shall adopt a "protection-in-depth" or layered protection strategy to develop a cost-effective and robust approach to deter, detect, delay, and respond to risks and threats to the organization and its assets. Based on its risk assessment, the organization should consider layered controls that:

  • Promote risk awareness and situational awareness;
  • Eliminate the risk by complete removal of the risk exposure;
  • Reduce the risk by modifying activities, processes, equipment, or materials;
  • Isolate or separate the assets from risk;
  • Deploy engineering controls to deter, detect, delay, and respond to a potential hazard or threat agent;
  • Apply administrative controls such as work practices or procedures that reduce risk; and
  • Provide protection of the asset if the risk cannot be eliminated or reduced.

The value of the asset, the output from the risk assessment, the organization's risk appetite, and the relative cost-benefit of the control measures will determine the number and types of layers needed to adequately protect the asset. Evaluation of interdependencies is critical to a successful protection-in-depth strategy given the reliance and interactions of many countermeasures on human, physical, electronic, telecommunications, and information systems.

Incident Management Procedures and Plans
The organization shall establish, implement, and maintain procedures (plans) to identify undesirable and disruptive events that can impact the organization, its activities, services, stakeholders, human rights, and the environment. The procedures shall document how the organization will proactively prevent, mitigate, and respond to events.

Where existing arrangements are revised and new arrangements introduced that could impact operations and activities, the organization should consider the associated risks before their implementation, and the potential to create new or modify existing risks.

The operational control procedures shall define:

  • Purpose and scope;
  • Objectives and measures of success;
  • Implementation procedures (including phases and sequences);
  • Roles, responsibilities, and authorities;
  • Technology requirements (including maintenance and calibration);
  • Communication requirements and procedures;
  • Internal and external interdependencies and interactions;
  • Resource requirements; and
  • Information flow and documentation processes.

The incident management procedures shall ensure:

  • Supply and demand requirements (demand signals) are incorporated in capacity planning;

  • Contingencies and appropriate redundancies provide protection-in-depth and address single point failures;

  • Processes are in place to validate supply chain responses (e.g., validate site/process/product time to recover);

  • There is a feedback loop to determine whether existing risk controls and countermeasures are affected by design, engineering, or process changes, or by a decision to outsource certain activities;

  • That planned changes are controlled, and that unintended changes are reviewed and appropriate action is taken; and

  • Procedures are periodically reviewed and, where necessary, the ORMS is revised and the revision documented.

9.5.3 Occupational Health and Safety
The organization shall establish, implement, and maintain procedures to promote a safe and healthy working environment including reasonable precautions to protect people working on its behalf in high-risk, hazardous or life threatening operations consistent with jurisdictional laws and regulations, as well as contractual obligations. Procedures shall include:

  • Assessing occupational health and safety risks to people working on its behalf as well as the risks to external parties;

  • High risk environment training (if appropriate);

  • Provision of personal protective equipment;

  • Medical and psychological health awareness training, care, and support; and

  • Guidelines to identify and address workplace violence, misconduct, alcohol and drug abuse, sexual harassment, and other improper behavior.

9.5.4 Incident Monitoring, Reporting, and Investigations
The organization shall establish, implement, and maintain procedures for incident monitoring, reporting, investigation, disciplinary arrangements, and remediation. Incidents involving any casualties, physical injuries, allegations of abuse, loss of sensitive information or equipment, substance abuse, or nonconformance with the principles of the ORMS or with applicable laws and regulations shall be reported and investigated, with the following documented:

  • Documentation of the incident;
  • Notification of appropriate authorities;
  • Steps taken to investigate the incident;
  • Identification of the root causes;
  • Corrective and preventative actions taken; and
  • Any compensation and redress given to the affected parties.

The organization shall assure all persons working on its behalf are aware of their responsibilities and the mechanisms to monitor and report non-conformances and incidents.

Records of non-conformances and incidents shall be maintained and retained for a minimum of seven years or as specified by legal, regulatory, and contractual requirements.
