7.1 Legal and Other Requirements
The organization shall establish, implement, and maintain procedures to:
- Identify legal, regulatory, contractual and other requirements in the jurisdictions in which it operates that are relevant to its personnel, facilities, activities, functions, products, services, supply chain, subcontractors, the environment, and stakeholders;
- Identify relevant contractual and voluntary obligations; and
- Determine how these requirements apply to its operations.
The organization shall document this information and keep it up to date. It shall communicate relevant information on legal and other requirements to persons working on its behalf and other relevant third parties, including subcontractors.
Any legal, regulatory, contractual, and other requirements applicable to the organization’s activities shall be identified and incorporated into the management of the organization’s activities. Statutory requirements will vary between countries and jurisdictions. Organizations have an overriding duty-of-care obligation to minimize risk to human and public safety, and abide by jurisdictional laws, contractual, and voluntary obligations.
The organization shall consider applicable legal, regulatory, contractual, and other requirements as well as voluntary obligations in developing, implementing and maintaining its ORMS.
7.2 Risk Assessment
The organization shall establish, implement and maintain a formal and documented risk assessment process for its activities, functions and operations, including its relevant supply chain and subcontractor activities.
7.2.2 Internal and External Risk Communication and Consultation
The organization shall establish, implement, and maintain a formal and documented communication and consultation process with internal and external stakeholders in the risk assessment process to ensure that:
- Objectives and interests of internal and external stakeholders are understood;
- Risks are adequately identified and communicated;
- The risk appetite of internal and external stakeholders is understood;
- Dependencies and linkages with subcontractors and within the supply chain are understood;
- Security and resilience processes interface with other management disciplines; and
- Risk assessment is being conducted within the appropriate internal and external context and parameters relevant to the organization and its contractors and supply chain.
7.2.3 Risk Assessment Process
The organization shall establish, implement and maintain a formal and documented risk assessment process, including its relevant supply chain partners and subcontractor activities. The risk assessment process shall include:
- Asset identification, valuation and characterization – identify people, assets and services that provide tangible and intangible value. Valuation and characterization include criticality in achieving the objectives and mission of the organization. Consideration is given to financial, operational, temporal, and reputational characteristics of tangible and intangible assets, activities, functions and services;
- Risk identification – identify sources of strategic, operational, tactical, and reputational risk to assess threats and opportunities; vulnerabilities and capabilities; and consequences and criticalities due to intentional, unintentional and natural events that have a potential for direct or indirect consequences on the organization’s activities, assets, operations, functions and impacted stakeholders, as well as its ability to abide by the principles articulated in its ORMS policy;
- Risk analysis – systematically analyze risk (likelihood and consequence analysis, including supply chain risk analysis) to determine those risks that have a significant impact on activities, functions, services, products, supply chain, subcontractors, stakeholder relationships, local populations and the environment; and
- Risk evaluation – systematically evaluate and prioritize risk controls and treatments, and their related costs, to determine how to bring risk within an acceptable level consistent with the risk criteria.
Note 1: Additional information on conducting a risk assessment can be found in the ANSI/ASIS/RIMS RA.1-2015, Risk Assessment Standard.
Note 2: Many methodologies exist for conducting risk assessments. The method selected should align with the organization’s management, complexity of the risks needing to be assessed, and be applicable to the organizational culture. For example, the criticality analysis includes estimating allowable downtimes, potential impacts over time, and recovery time objectives; therefore, the organization may integrate a business impact analysis (BIA) into its risk assessment process. Where major variations in recovery priorities and/or complex interdependencies are present, the organization should consider conducting the BIA as a separate analysis.
The organization shall:
- Integrate and implement the risk assessment outcomes in the ORMS processes;
- Ensure that top management reviews the inputs and outputs of the risk assessment;
- Document and keep this information up-to-date and secure;
- Monitor, assess, evaluate and respond to changes in the risk environment;
- Periodically review whether the ORMS scope, policy, risk criteria and risk assessment are still appropriate given the organization’s internal and external context;
- Re-evaluate risks within the context of changes within the organization or made to the organization’s operating environment, procedures, functions, services, partnerships, and supply chains;
- Evaluate the direct and indirect benefits and costs of options to manage risk, exploit opportunities, and enhance reliability and resilience;
- Evaluate the actual effectiveness of risk treatment options post-incident and after exercises;
- Ensure that the prioritized risks and impacts are taken into account in establishing, implementing, and operating its ORMS; and
- Monitor and evaluate the effectiveness of risk controls and treatments.
The risk assessment shall identify the activities, operations, and processes that need to be managed; its outputs shall include:
- A prioritized risk register identifying treatments to manage risk;
- Justification for risk acceptance;
- Identification of critical control points (CCP); and
- Requirements for supplier, distributor, outsourcing and subcontractor controls.
7.3 Objectives and Plans to Achieve Them
The organization shall establish, implement, and maintain documented objectives and targets to manage risks in order to pursue opportunities, as well as to anticipate, avoid, prevent, deter, mitigate, respond to, and recover from undesirable or disruptive events. Documented objectives and targets shall establish internal and external expectations for the organization, its contractors, and supply chain that are critical to mission accomplishment, product and service delivery, and functional operations.
Objectives shall be derived from and consistent with the ORMS policy and risk assessment, including the commitments to:
- Minimize risk by reducing likelihood and consequence;
- Respect jurisdictional laws, contractual requirements, and human rights;
- Meet financial, operational, and business requirements (including contractor and supply chain commitments); and
- Continually improve.
When establishing and reviewing its objectives and targets, an organization shall consider:
- Consistency with the ORMS policy;
- Significant risks;
- Creation of value;
- Brand, reputational and human rights impacts;
- Integrity of information;
- Financial, operational, and business requirements;
- Legal, regulatory, contractual and other requirements;
- Technological options; and
- Views of stakeholders and other interested parties.
Targets shall be measurable qualitatively and/or quantitatively. Targets shall be derived from and consistent with the ORMS objectives and shall be:
- Stated at an appropriate level of detail;
- Commensurate with the risk assessment;
- Specific, measurable, achievable, relevant, and time-based (where practicable);
- Explicit about what will be done by whom, including how this will be accomplished, using what resources and in what timeframe;
- Communicated to all appropriate persons working on behalf of the organization and third parties, including subcontractors and supply chain partners, with the intent that these persons are made aware of their individual obligations; and
- Monitored and reviewed periodically, and when any significant changes occur, to ensure that they remain relevant and consistent with the ORMS objectives, and amended accordingly.
7.4 Actions to Achieve Risk and Business Management Objectives
The organization shall establish, implement, and maintain security and resilience programs for achieving its objectives and risk management goals. The programs shall be optimized and prioritized in order to control and treat risks associated with its operations, subcontractors, and supply chain. The organization shall establish, implement, and maintain a formal and documented risk treatment process, which considers the various risk treatment options:
- Pursuing an opportunity;
- Removing the risk source, where possible;
- Removing or reducing the likelihood of an event and its consequences;
- Removing, reducing or mitigating consequences of an event with a negative outcome;
- Spreading the risk across assets and functions;
- Sharing the risk with other parties, including risk insurance;
- Accepting risk through informed decision; and
- Avoiding activities that give rise to the risk.
Top management shall:
- Review and approve selected risk treatment options to determine if they meet risk appetite objectives;
- Assess the benefits and costs of options to remove, reduce, or retain risk;
- Evaluate its security and resilience programs to determine if these measures have introduced new risks; and
- Periodically review the risk treatment to reflect changes to the external environment, including legal, regulatory, contractual, and other requirements, and changes to the organization's policy, facilities, information management system(s), activities, functions, products, services, and supply chain.