Security and Resilience in Organizations and their Supply Chains

10. Performance Evaluation

10.1 General

The organization shall assess the performance and effectiveness of the ORMS by evaluating plans, procedures, and capabilities through periodic assessments, testing, post-incident reports, lessons learned, performance evaluations, and exercises. Significant changes in these factors should be reflected immediately in the procedures.

Performance evaluation considers:

  • Elements of the ORMS to monitor and evaluate;
  • Evaluation metrics and methodologies to accurately reflect performance and identify opportunities for improvement;
  • Frequency of monitoring, assessments and evaluations; and
  • Changes in the risk environment.

The organization shall keep records of the results of the periodic evaluations.

10.2 Monitoring and Measurement

The organization shall establish, implement, and maintain performance metrics and procedures to monitor and measure those characteristics of its operations that have a material impact on its performance (including partnerships, subcontracts, and supply chain relationships). The procedures shall be responsive to changes in the risk environment and shall include the documenting of information needed to monitor performance, the applicable operational controls, and conformity with the organization’s ORMS objectives and targets.

The organization shall evaluate and document the performance of the systems which protect its human, tangible and intangible assets, as well as its communications and information systems.

10.3 Evaluation of Compliance

Consistent with its commitment to compliance, the organization shall establish, implement, and maintain procedures for periodically evaluating compliance with applicable legal, regulatory, and contractual obligations and voluntary commitments. The organization shall evaluate any gaps in compliance and/or assess any changes in the compliance environment to develop a continual improvement strategy.

10.4 Exercises and Testing

The organization shall use exercises and other means to test the appropriateness and efficacy of its ORMS and risk treatment plans, processes, and procedures, including stakeholder relationships and subcontractor interdependencies. Exercises should be designed and conducted in a manner that limits disruption to operations and exposes people, assets and information to minimum risk.

Exercises shall be conducted regularly (at least annually), or following significant changes to the organization's mission and/or structure, or following significant changes to the risk environment. A formal report shall be written after each exercise. The report shall assess the appropriateness and efficacy of the organization’s ORMS plans, processes, and procedures including nonconformities, and should propose corrective and preventative action.

Actions shall be taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.

Post-exercise reports should form part of top management reviews.

10.5 Internal Audit

The organization shall establish, implement, and maintain an ORMS audit program and ensure that internal audits of the ORMS are conducted at planned intervals.

Internal audits shall assess whether the ORMS:

  • Meets the requirements of this Standard;
  • Meets relevant legal, regulatory, and contractual obligations as well as voluntary commitments;
  • Has risk treatments, operational planning, and controls that have adequately and effectively addressed the issues identified in the risk assessment;
  • Has been properly implemented and maintained, and is performing as expected;
  • Reflects the dynamic nature of the risk context and environment; and
  • Has been effective in achieving the organization’s ORMS policy and objectives.

The organization shall:

  • Plan, establish, implement, and maintain an audit program(s), taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits;
  • Define the audit criteria, scope, frequency, methods, responsibilities, planning requirements, and reporting;
  • Select auditors and conduct audits to ensure objectivity and the impartiality of the audit process (e.g., auditors should not audit their own work);
  • Ensure that the results of the audits are reported to the management responsible for the area being audited; and
  • Retain relevant documented information as evidence of the results.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.

NOTE: Additional information on conducting management system audits can be found in ANSI/ASIS SPC.2-2014, Auditing Management Systems: Risk, Resilience, Security, and Continuity—Guidance for Application.

10.6 Management Review

10.6.1 General
Management shall review the organization’s ORMS at documented, specified intervals (at least annually) to confirm its continuing suitability, adequacy, and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ORMS, including the ORMS policy and objectives. The results of the reviews shall be clearly documented and records shall be maintained.

10.6.2 Review Input
The input to a management review shall include:

  • Results of ORMS audits and reviews;
  • Feedback from interested parties;
  • Techniques, products, or procedures that could be used in the organization to improve the ORMS performance and effectiveness;
  • Status of preventive and corrective actions;
  • Results of exercises and testing;
  • Risks not adequately addressed in the previous risk assessment;
  • Incident reports;
  • Results from effectiveness measurements;
  • Follow-up actions from previous management reviews;
  • Any changes that could affect the ORMS;
  • Adequacy of policy and objectives; and
  • Recommendations for improvement.

10.6.3 Review Output
The outputs from top management reviews shall include decisions and actions related to possible changes to policy, objectives, targets, and other elements of the ORMS, with the aim of promoting continuous improvement, including:

  • Improvement of the effectiveness of the ORMS;
  • Update of the risk assessment and risk management plans;
  • Modification of procedures and controls that affect risks, as necessary, to respond to internal or external events that may affect the ORMS;
  • Changes needed to promote risk management culture and maturity;
  • Resource needs; and
  • Improvement of how the effectiveness of controls is being measured.
