Supply Chain Risk Management: A Compilation of Best Practices
ANSI/ASIS SCRM.1-2014
STANDARD
1625 Prince Street
Alexandria, Virginia 22314-2818
USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org
The worldwide leader in security standards and guidelines development
ASIS International (ASIS) is the preeminent
organization for security professionals, with more
than 38,000 members worldwide. Founded in 1955,
ASIS is dedicated to increasing the effectiveness and
productivity of security professionals by developing
educational programs and materials that address
broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the
security management profession to business, the
media, governmental entities, and the general public.
By providing members and the security community
with access to a full range of programs and services,
and by publishing the industry’s number one
magazine, Security Management, ASIS leads the way
for advanced and improved security performance.
For more information, visit www.asisonline.org.
ANSI/ASIS SCRM.1-2014
ASIS International
Abstract
This Standard, developed in collaboration with the Supply Chain Risk Leadership Council, provides a framework for
collecting, developing, understanding, and implementing current best practices for supply chain risk management
(SCRM). It is a practitioner’s guide to SCRM and associated processes for the management of risks within the
organization and its end-to-end supply chain. This Standard provides some guidelines and possible approaches for an
organization to consider, including examples of tools other organizations have used. It can serve as a baseline for
helping enterprises assess and address supply chain risks and for documenting evolving practices.
ASIS International standards and guideline publications, of which the document contained herein is one, are
developed through a voluntary consensus standards development process. This process brings together volunteers
and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication.
While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it
does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of
any information or the soundness of any judgments contained in its standards and guideline publications.
ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its
members or anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the
authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public,
because its works are not obligatory and because it does not monitor the use of them.
ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether
special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of,
application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied,
as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that
the information in this document will fulfill any person’s or entity’s particular purposes or needs. ASIS does not
undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of
this standard or guide.
In publishing and making this document available, ASIS is not undertaking to render professional or other services
for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to
someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate,
seek the advice of a competent professional in determining the exercise of reasonable care in any given
circumstances. Information and other standards on the topic covered by this publication may be available from other
sources, which the user may wish to consult for additional views or information not covered by this publication.
ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS
has no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any
activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any
practices, products, materials, designs, or installations for compliance with its standards. It merely publishes
standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any
certification or other statement of compliance with any information in this document should not be attributable to
ASIS and is solely the responsibility of the certifier or maker of the statement.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written
consent of the copyright owner.
FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been
processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has
not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary
for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory
requirements are designated by the word shall and recommendations by the word should. Where both a mandatory
requirement and a recommendation are specified for the same criterion, the recommendation represents a goal
currently identifiable as having distinct compatibility or performance advantages.
About ASIS
ASIS International (ASIS) is the leading organization for security professionals, with more than 38,000 members
worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by
developing educational programs and materials that address broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security
management profession to business, the media, government entities, and the public. By providing members and the
security community with access to a full range of programs and services, and by publishing the industry’s No. 1
magazine, Security Management, ASIS leads the way for advanced and improved security performance.
The work of preparing standards and guidelines is carried out through the ASIS International Standards and
Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited
Standards Development Organization (SDO), ASIS actively participates in the International Organization for
Standardization. The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security
management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based
process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security
professionals, and the global security industry.
Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince
Street, Alexandria, VA 22314-2818.
Commission Members
Charles A. Baley, Farmers Insurance Group, Inc.
Jason L. Brown, Thales Australia
Michael Bouchard, Sterling Global Operations, Inc.
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William J. Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance
Eugene F. Ferraro, CPP, PCI, CFE, Convercent
F. Mark Geraci, CPP, Purdue Pharma L.P.
Bernard D. Greenawalt, CPP, Securitas Security Services USA, Inc.
At the time it approved this document, the SCRM Standards Committee, which is responsible for the development of
this Standard, had the following members:
Committee Members
Committee Co-Chair: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Committee Co-Chair: John J. Brown, P.E., ARM-E, Thomson Reuters
Commission Liaison: Bernard D. Greenawalt, CPP, Securitas Security Services USA, Inc.
Committee Secretariat: Susan Carioti, ASIS International
TABLE OF CONTENTS
0 INTRODUCTION .............................................................................................................................................. XI
0.1 SUPPLY CHAIN RISK MANAGEMENT: AN OVERVIEW ...................................................................................................... XI
0.2 THE NEED FOR SUPPLY-CHAIN RISK MANAGEMENT ...................................................................................................... XI
1. SCOPE ........................................................................................................................................................... 1
2. NORMATIVE REFERENCES ............................................................................................................................. 1
3. TERMS AND DEFINITIONS ............................................................................................................................. 1
4. CHARACTERISTICS OF SUPPLY CHAIN RISK MANAGEMENT ........................................................................... 4
4.1 GENERAL ...............................................................................................................................................................4
4.2 LEADERSHIP AND TEAM COMPOSITION ........................................................................................................................5
4.3 SCRM BUSINESS CASE .............................................................................................................................................6
4.4 CHANGE MANAGEMENT IN SCRM .............................................................................................................................8
5. RISK MANAGEMENT PRINCIPLES AND PROCESS ........................................................................................... 9
5.1 GENERAL ...............................................................................................................................................................9
5.2 RISK COMMUNICATION AND CONSULTATION ..............................................................................................................11
5.3 ESTABLISHING THE CONTEXT ....................................................................................................................................11
5.3.1 General......................................................................................................................................................11
5.3.2 Internal Context ........................................................................................................................................13
5.3.3 External Context .......................................................................................................................................14
5.3.4 Mapping the Supply Chain ........................................................................................................................15
5.4 RISK ASSESSMENT PROCESS .....................................................................................................................................18
5.4.1 General......................................................................................................................................................18
5.4.2 Risk Criteria ...............................................................................................................................................18
5.4.3 Risk Appetite .............................................................................................................................................19
5.4.3 Risk Identification .....................................................................................................................................19
5.4.4 Risk Analysis ..............................................................................................................................................22
5.4.5 Risk Evaluation ..........................................................................................................................................25
6. RISK TREATMENT ........................................................................................................................................ 29
6.1 GENERAL .............................................................................................................................................................29
6.2 PROTECTING AND SECURING THE SUPPLY CHAIN ..........................................................................................................30
6.3 RESPONDING TO EVENTS.........................................................................................................................................33
6.4 MAINTAINING RESILIENCE OF BUSINESS OPERATIONS POST INCIDENT ..............................................................................37
7. PERFORMANCE EVALUATION AND CONTINUAL MONITORING ................................................................... 39
7.1 GENERAL .............................................................................................................................................................39
7.2 TESTING AND ADJUSTING THE PLAN ..........................................................................................................................41
7.3 TRACKING CHANGE ................................................................................................................................................43
7.4 MONITORING AND REVIEWING THE RISK MANAGEMENT PROGRAM ................................................................................45
A. INFORMATION AND COMMUNICATION TECHNOLOGIES (ICT) SECURITY .................................................... 47
A.1 INTRODUCTION .....................................................................................................................................................47
A.2 IMPLEMENTING ICT SCRM .....................................................................................................................................48
A.3 CONVERGENCE AND SCRM MANAGEMENT PRACTICES ................................................................................................49
B. ORGANIZATIONAL RESILIENCE PROCEDURES .............................................................................................. 51
B.1 GENERAL .............................................................................................................................................................51
TABLE OF FIGURES
FIGURE 1: RISK MANAGEMENT PROCESS (BASED ON ISO 31000) ............................................................................................10
FIGURE 2: EXAMPLE OF INTERNAL AND EXTERNAL CONTEXTS FOR A FOOD/BEVERAGE COMPANY ....................................................15
FIGURE 3: NOTIONAL SUPPLY-CHAIN PROCESS FLOWS ............................................................................................................17
FIGURE 4: DETERMINING THE LEVEL OF RISK .........................................................................................................................23
FIGURE 5: BOW-TIE METHOD FOR LINKING TREATMENT TO CAUSE AND CONSEQUENCE ...............................................................24
FIGURE 6: RISK EVALUATION FUNNEL ...................................................................................................................................27
FIGURE 7: CONCEPTUAL RISK “FRONTIER” ............................................................................................................................28
FIGURE 8: “HEAT” MAP ....................................................................................................................................................29
FIGURE 9: NOTIONAL CRISIS MANAGEMENT STRUCTURE AND ENGAGEMENT MODEL ...................................................................35
FIGURE 10: CRISIS MANAGEMENT TEAM ACTIVATION AND WORK CYCLE ...................................................................................36
FIGURE 11: IDEAL CRISIS RESPONSE PROCESS........................................................................................................................37
FIGURE 12: FRAMEWORK FOR EXERCISES AND TESTING...........................................................................................................42
FIGURE 13: INTEGRATING RISK MANAGEMENT INTO BUSINESS OPERATIONS ...............................................................................46
FIGURE 14: ACTIVATING A CRISIS RESPONSE PLAN ..................................................................................................................88
TABLE OF TABLES
TABLE 1: EXAMPLES OF SOURCES OF RISK TO AN ORGANIZATION AND ITS SUPPLY CHAIN ...............................................................21
TABLE 2: OVERVIEW OF KEY PROPERTIES OF THE FOUR EXERCISE AND TESTING SCENARIOS ............................................................40
0 INTRODUCTION
1 In 2011 and 2012 alone, economic losses around the world have been reported in the hundreds of billions of dollars
in disruptive losses from natural disasters (e.g., Tohoku earthquake and tsunami, Thailand floods, Hurricane Sandy,
droughts and other extreme weather events, etc.) and man-made catastrophes (political instability, power outages,
cyber-crime, etc.).
2 See Annex K for an example of the Supply Chain Risk Leadership Council’s (SCRLC) maturity model.
This Standard addresses operational risks in the supply chain and includes risks to tangible
assets (e.g., human, physical, and financial) as well as intangible assets (e.g., brand, reputation,
competitive position or intellectual property). Each organization should define the scope of its
SCRM program consistent with its risk criteria. It presents SCRM current best practices as
models and/or options to improve operational risk management performance in the
organization and its supply chain based on empirical experience.
SCRM is an evolving field. The challenges faced by organizations and their supply chains are
constantly changing; SCRM is therefore a dynamic discipline that, to achieve maximum
effectiveness, should be integrated into the business management and business planning processes
of the organization.3 The contents of this Standard should be seen as a snapshot in time reflecting
a collection of current best practices. Continual monitoring of risks is essential due to their
dynamic nature and the manner in which they may impact the operations of organizations and
their supply chains. When using this Standard, organizations should consider the concepts for
their organization against their current operating environment to determine how best to
structure SCRM to promote resiliency within their organization and its supply chain.
3 See Figure 13
AN AMERICAN NATIONAL STANDARD ANSI/ASIS SCRM.1-2014
1 SCOPE
This Standard provides guidance and current best practices for developing and embedding a
framework and process of risk management in supply chain management. It can be applied to
any type of organization, and its supply chain, regardless of size. This Standard adopts the risk
management framework and process described in the ISO 31000:2009 - Risk management --
Principles and guidelines as the framework and process of Supply Chain Risk Management
(SCRM). It provides current best practices to:
a) Identify internal and external environments (including dependencies and
interdependencies);
b) Define risk criteria;
c) Assess risk (identify, analyze, and evaluate);
d) Consider and implement risk treatments and controls; and
e) Continually monitor and review risks and their treatment.
2 NORMATIVE REFERENCES
The following standard(s) contain provisions which, through reference in this text, constitute
fundamental knowledge for the use of this American National Standard. At the time of
publication, the edition(s) indicated were valid. All standards are subject to revision, and parties
to agreements based on this American National Standard are encouraged to investigate the
possibility of applying the most recent edition(s) of the standard(s) indicated below.
a) ISO 31000:2009, Risk management -- Principles and guidelines.
Term Definition
3.1 consequence Outcome of an event affecting objectives.
NOTE 1: An event can lead to a range of consequences.
NOTE 2: A consequence can be certain or uncertain and can have
positive or negative effects on objectives.
NOTE 3: Consequences can be expressed qualitatively or
quantitatively.
NOTE 4: Initial consequences can escalate through cumulative effects
from one event setting off a chain of events.
[ISO Guide 73:2009]
3.2 hazard Source of potential harm.
NOTE: Hazard can be a risk source.
[ISO Guide 73:2009]
3.3 likelihood Chance of something happening.
NOTE 1: In risk management terminology, the word
“likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined
objectively or subjectively, qualitatively or quantitatively, and
described using general terms or mathematically (such as a
probability or a frequency over a given time period).
NOTE 2: The English term “likelihood” does not have a direct
equivalent in some languages; instead, the equivalent of the
term “probability” is often used. However, in English,
“probability” is often narrowly interpreted as a mathematical
term. Therefore, in risk management terminology, “likelihood”
is used with the intent that it should have the same broad
interpretation as the term “probability” has in many languages
other than English.
[ISO Guide 73:2009]
3.4 resilience The adaptive capacity of an organization in a complex and changing
environment.
NOTE 1: Resilience is the ability of an organization to resist
being affected by an event or the ability to return to an
acceptable level of performance in an acceptable period of
time after being affected by an event.
NOTE 2: Resilience is the capability of a system to maintain
its functions and structure in the face of internal and external
change and to degrade gracefully when it must.
[ANSI/ASIS SPC.1-2009]
3.5 residual risk Risk remaining after risk treatment.
NOTE 1: Residual risk can contain unidentified risk.
NOTE 2: Residual risk can also be known as “retained risk.”
[ISO Guide 73:2009]
3.6 risk Effect of uncertainty on objectives.
NOTE 1: An effect is a deviation from the expected — positive
and/or negative.
NOTE 2: Objectives can have different aspects (e.g., financial,
health and safety, and environmental goals) and can apply at
different levels (e.g., strategic, organization-wide, project,
product, and process).
NOTE 3: Risk is often characterized by reference to potential
events and consequences, or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of
the consequences of an event (including changes in
circumstances) and the associated likelihood of occurrence.
[ISO Guide 73:2009]
3.7 risk appetite Amount and type of risk that an organization is prepared to pursue,
retain or take. [ISO Guide 73:2009]
NOTE: The risk appetite of an organization reflects its
philosophy towards managing risk.
3.8 risk assessment Overall process of risk identification, risk analysis, and risk evaluation.
[ISO Guide 73:2009]
3.9 risk analysis Process to comprehend the nature of risk and to determine the level of
risk.
NOTE 1: Risk analysis provides the basis for risk evaluation
and decisions about risk treatment.
NOTE 2: Risk analysis includes risk estimation.
[ISO Guide 73:2009]
3.10 risk criteria Terms of reference against which the significance of a risk is evaluated.
NOTE 1: Risk criteria are based on organizational objectives,
and external and internal context.
NOTE 2: Risk criteria can be derived from standards, laws,
policies, and other requirements.
[ISO Guide 73:2009]
3.11 risk evaluation Process of comparing the results of risk analysis with risk criteria to
determine whether the risk and/or its magnitude are acceptable or
tolerable.
NOTE: Risk evaluation assists in the decision about risk
treatment.
[ISO Guide 73:2009]
3.12 risk identification Process of finding, recognizing and describing risks.
NOTE 1: Risk identification involves the identification of risk
sources, events, their causes, and their potential
consequences.
NOTE 2: Risk identification can involve historical data,
theoretical analysis, informed and expert opinions, and
stakeholders’ needs.
[ISO Guide 73:2009]
3.13 risk management Coordinated activities to direct and control an organization with
regard to risk.
[ISO Guide 73:2009]
3.14 risk treatment Process to modify risk.
NOTE 1: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with
the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood;
— changing the consequences;
— sharing the risk with another party or parties (including
contracts and risk financing); and
— retaining the risk by informed choice.
NOTE 2: Risk treatments that deal with negative
consequences are sometimes referred to as “risk mitigation,”
“risk elimination,” “risk prevention,” and “risk reduction.”
NOTE 3: Risk treatment can create new risks or modify
existing risks.
[ISO Guide 73:2009]
3.15 supply chain A two-way relationship of organizations, people, activities, logistics,
information, technology, and resources engaged in activities and
creating value from point of origin to point of consumption, including
transforming materials/components to products and services for end
users.
3.16 supply chain management Management of a network of interconnected organizations and their
activities related to the provision of goods and services from point of
origin to point of consumption.
3.17 threat Potential cause of an unwanted incident, which may result in harm to
individuals, assets, a system or organization, the environment, or the
community.
[ANSI/ASIS SPC.1-2009]
3.18 tiers The degrees of separation or stages of nodes of businesses,
organizations, and logistic channels that make up the supply chain
network involved in the provision of products and services.
NOTE 1: Tier number begins at the organization conducting
the supply chain analysis. For example, a tier one company
supplies products and services to the organization conducting
the supply chain analysis; tier two companies supply
companies in tier one; tier three supplies tier two, and so on.
NOTE 2: Product and service flow between tiers can be either
uni-directional or bi-directional.
3.19 uncertainty Outcomes are not clearly identified, defined, or known and may be
subject to change.
NOTE: The state, even partial, of deficiency of information
related to, understanding or knowledge of, an event, its
consequence, or likelihood. [ISO Guide 73:2009, ISO
31000:2009]
3.20 vulnerability Intrinsic properties of something resulting in susceptibility to a risk
source that can lead to a consequence.
[ISO Guide 73:2009]
4.1 General
SCRM is an integrated and holistic management approach focused on ensuring the
sustainability and resilience of the organization and its supply chain incorporating governance,
change management, and continual improvement. SCRM expands the organization’s risk and
resilience management approach to its supply chain in a synchronized fashion. Efforts to
implement SCRM generally start by addressing four underlying concepts: leadership, the
development of a business case, change management, and continual improvement.4
4 It should be noted that this does not connote uniformity in risk management throughout the supply chain. It is
important to recognize that individual organizations within a supply chain will have different levels of maturity in
managing risk. See Annex K and ANSI/ASIS SPC.4 - Maturity Model for the Phased Implementation of the Organizational
Resilience Management System for guidance on enhancing levels of maturity.
v) Other stakeholders (e.g., unions, associations, civil society groups, regulators, first
responders, customs officials, etc.).
Appropriate functions should have ongoing representation on both the management level
leadership team and the implementation team.
There should be a designated management representative with the defined responsibility and
authority for overseeing, implementing, and maintaining SCRM. Several factors may influence
the choice of a person or persons who serve as representative(s) and SCRM champion(s).
Characteristics of the champion(s) include:
a) Respect for both leadership and staff;
b) Knowledge of operations, processes, manufacturing, services, and intangible assets;
c) Knowledge of assessing and managing risk;
d) Familiarity with high risk operation areas;
e) Understanding the operations and value chain;
f) Capability to coordinate information flow from various sources;
g) Appreciation for the dynamic and interdisciplinary nature of operations; and
h) Understanding the organizational culture and change management.
Team members should meet periodically to coordinate efforts and ensure that SCRM processes
are being integrated into their ongoing operational processes. They should coordinate with
change management to ensure risk treatment. Additionally, SCRM leadership should report to
executive management on a periodic basis.
Top management should integrate the SCRM process into governance and all other
management processes of the organization. By fully integrating SCRM into the decision making
processes of the organization, it becomes part of the organization’s culture. The organization
should develop clear governance and operating procedures, including clear definitions of roles,
authorities, and responsibilities. The SCRM Leadership Team should gather information and
support from discipline specialists (e.g., security, crisis, information security, and business
continuity managers) in order to ensure a comprehensive SCRM strategy is in place and to
acquire the resources from top management necessary to support the SCRM program. By
integrating SCRM monitoring into its day-to-day process activities (including product and service
delivery, meetings, training, and performance reviews), an SCRM culture can be instilled in the
organization.
ANSI/ASIS SCRM.1-2014
(with reasons for rejecting or carrying forward each option), assumptions, constraints, a risk-
adjusted cost-benefit analysis, and preliminary action plan. The business case should provide
the information necessary to make financial decisions regarding prioritizing enterprise
expenditures based on the value of the proposed project versus other projects.
Typically, business cases contain the following components:
a) Background description of the business need/issue;
b) Explanation of the identified benefits of addressing that need;
c) Identification of significant assumptions and constraints related to relative solutions;
d) Alignment of project benefits with organizational objectives;
e) Justification for undertaking the project;
f) Description of performance goals and measures;
g) Definition of success for the proposed project;
h) Analysis of alternative solutions, including the possibility of continuing with no change,
identification of a preferred solution, and explanation of why the preferred solution is
recommended;
i) Estimation of required resources such as funding, human resources, materials, etc. for
both the project and ongoing support and maintenance of any related or ongoing project
efforts;
j) Estimation of potential costs of risks (including human, financial, reputational, and
environmental implications);
k) Benefits (tangible and intangible) and cost of executing the project;
l) Competitive advantage from dampened impact and faster recovery from risk events;
m) Potential opportunities related to risk events;
n) Estimation of return on investment, break-even point, operational/ongoing costs, etc.;
and
o) Explanation of project risks/issues and strategies to address them.
Disruptions will have financial implications. A common approach has been to:
a) Identify risks for priority nodes and tiers in the supply chain;
b) Prioritize the identified risks;
c) Determine, with top management approval, the risk treatment strategies needed to meet
organizational and supply chain objectives; and
d) Evaluate cost avoidance and opportunities for improvement to help justify SCRM
investments.
SCRM can also offer intangible benefits. These include avoiding damage to reputation or brand
that may accompany an undesirable and disruptive event in the supply-chain, as well as
breaking down organizational silos, which is not only necessary for SCRM but can also help
organizations in other initiatives required for a comprehensive enterprise-wide risk
management program.
A business case can be constructed using various metrics from the disciplines within SCRM.
For example, reducing the number of disruptions, thereby preventing losses, can be achieved
through adaptive and preemptive measures. The case can be made that the organization is less
susceptible to various risk scenarios (single or multiple). Reduced response times when
incidents occur, (thereby protecting the organization’s tangible and intangible assets), can be
demonstrated through fewer losses and mitigation of the consequences of an event. Other
organizations make the business case based on reduced times for recovery of priority supply
chain activities, services and products. By identifying, assessing, and mitigating the
consequences of risks, the organization targets specific reductions in recovery times. In all these
examples, the organization can predict and compare the loss with and without appropriate risk
treatments. Historic data from previous events provide a good starting point for comparisons.
Because resistance is natural and to be expected with a major change, those implementing
SCRM also need to pay attention to the psychological and emotional aspects of the change.
Linking SCRM to other organizational and supply chain objectives such as quality,
environmental, sustainability, and occupational health and safety management is
recommended.
5.1 General
This Standard provides an approach to managing the risk in an organization’s supply chain.
The process, based on ISO 31000, covers elements of defining contexts, risk assessment, and risk
treatment (Figure 1). ISO 31000 is a key building block to this approach; while adapting it to the
organization’s needs and purposes, the Standard recognizes the need to avoid replicating
standards documents but rather to optimize current best practices that help promote and
sustain organizational resiliency.
As described in ISO 31000:2009, the foundation of any risk management program is based on:
a) Establishing the context;
b) Risk assessment involving:
i. Risk identification – recognizing what risks exist;
ii. Risk analysis – considered in terms of likelihood and consequence, after
considering current controls; and
iii. Risk evaluation - deciding how to prioritize the risks.
c) Risk treatment – using the results of the risk assessment to determine how to treat the
risks;
d) Communication and consultation with internal and external stakeholders throughout
the risk management process; and
e) Ongoing monitoring and review conducted throughout the risk management process.
Risk management is an integral part of an overall business management strategy which
specifically assesses and addresses the effect of uncertainty on the organization’s objectives.
Therefore, in managing risk it is important to understand the significance, influence, types, and
sources of uncertainty. Factors to consider include (but are not limited to):
a) Completeness of information;
b) Availability and reliability of information sources;
c) Dependability and effect of risk treatments and controls;
d) Assumptions made in assessing and treating risk;
e) Degree of certainty of likelihood and consequence predictions;
f) Volatility of internal and external context;
g) Context of time and perceptions of time;
h) Results of sensitivity studies; and
i) Effectiveness of risk monitoring and change management.
Risk management is an ongoing activity that involves continual monitoring and assessment of
the risk landscape. The internal and external context of an organization and its supply chain are
dynamic. Therefore the risk assessment process should be able to evaluate a wide variety of
risks over time, as well as monitor, review, and adapt to a dynamic context of its operations.
To conduct the risk assessment and manage risks, the organization needs to first understand the
internal and external environment in which it operates. This includes identifying all relevant
stakeholders that can affect risk or be impacted by risk. Defining the context provides the basis
for defining the scope and stakeholders involved in the risk management process.
In establishing the context, the organization should identify its objectives and value drivers.
What are the value generators and drivers for the organization, as well as its implicit and
explicit goals and values? Understanding the activities that are instrumental in the organization
providing its goods and services will provide a basis for prioritizing and evaluating risk. The
organization needs to assess and evaluate what is key to the organization achieving its
objectives and creating value.
Risks exist at all levels and entities within an organization. Process risks exist at production
sites. Supplier risks exist at direct or indirect supplier sites. Distribution risks exist at suppliers
and in upstream and downstream transportation and logistics systems. Legislative, compliance,
intellectual property, sovereign, and regulatory risks exist at the country or regional level for
multinational enterprises. Finally, operational risks exist at the agency, department, division,
branch, unit, or corporate level.
Organizations should identify, own, prioritize, and manage risks at the point at which they
occur. Organizations should also aggregate and report risks across the organization and
vertically through business reporting structures. Organizations should give risks that exist
within multiple entities common, coordinated treatments. When managing risks it is important
to be aware of cumulative effects from one event setting off a chain of events, and the impact of
one risk treatment method on other areas of risk.
Ownership of an identified risk is not always clearly defined. Defining risk ownership is
necessary to treat the risk and assure that it does not adversely affect the organizations in the
supply chain. Such risks may arise, for example, when franchisees make, for local consumption, a
final product whose performance will affect the reputation of the whole franchise, or when a
supplier uses lead paint on toys ultimately assembled for firms with strong brand-name
recognition. Governance controls and guidance to manage such risks may include corporate
leadership setting policies, standards, procedures, and contractual and auditing requirements
for suppliers to follow. When organizations cannot dictate how franchisees and supply chain
partners operate their facilities, they should provide guidance and evaluate the impacts of
risks due to nonconformance.
The presence of differing risks at multiple levels of an organization underscores the importance
of defining the context within which a risk-management program is implemented. This includes
suppliers, production and services, logistics (e.g., transportation, warehousing, and
distribution), customers, and other elements that can affect the supply chain. These elements
will vary by industry, as will the efforts an organization can make to address them. For
example, a manufacturing plant may have more control over assembly risks, while a business
unit may be tasked with controlling supply-chain risks posed by legislative and regulatory
issues as well as managing some procurement risks.
Defining the scope is a key decision in developing an SCRM program. The scope defines what
activities of the organization and its supply chain will be included in the SCRM program.
Organizations may initially focus on a Tier 1 entity, or even prioritize among Tier 1 supply
chain entities. A Tier 1 entity is the main customer, contractor, or supplier that provides goods
or services directly to or from the organization. In most cases, the scope should include
suppliers and customers based on their role in the value chain. In determining how much of the
supply chain to include beyond the first tier, managers may wish to characterize inputs by the
number of suppliers and number of customers. For example, if many possible suppliers exist for
a common commodity, it may be unnecessary to go beyond the first tier when considering
supply chain risks. For materials with few or sole sources, it will probably be necessary to
consider risks at the second tier. Between these two extremes, organizations need to assess how
critical a particular component is or how easily a supplier can be replaced and, if necessary,
consider supply risks in the second tier for priority components or suppliers. A key node arises
where the supply chain map funnels to a point at which one or two deeper sub-tier suppliers are
the source for all of the suppliers above them. An example of this occurred with the Xirallic
paint pigment supplier (Tier 3), which was the only source of glitter-effect auto pigment in the
world, so that its disruption affected many auto manufacturers.
Understanding the activities that are instrumental in the organization providing its goods and
services will provide a basis for prioritizing and evaluating risk. Distribution risks exist at
suppliers and in upstream and downstream transportation and logistics systems. Legislative,
compliance, intellectual property, sovereign, and regulatory risks exist at the country or
regional level for multinational enterprises. Finally, strategic risks exist at the agency,
department, division, branch, unit, or corporate level. When managing risks it is important for
the organizations concerned to be aware of cumulative effects from one event setting off a chain
of events, as well as the impact of one risk treatment method on other areas of risk.
By repeating this process for increasing numbers of tiers of suppliers and customers,
organizations can identify the portions of the supply chain that have the greatest risks to
operations. Specific knowledge of an organization and its supply chain, context of operation,
and risks is necessary to guide decisions; and to this end, the initial risk assessment should look
at all tiers without pre-prioritization of individual risks. The level of each risk should be
validated.
Information flows should also be documented, with clear communication channels. Information
flows upstream, downstream, and sideways. In particular, information on downstream conditions
helps upstream processes provide the correct quantity and quality of materials. Sideways flows
of information should be accompanied by responsibility for ensuring the correctness of the
corresponding flow of materials, so that any abnormality can be raised and the associated risks
minimized and managed.
Various analytical tools exist for identifying and prioritizing risks in the supply chain. The
process of developing a supply chain or value stream map enables a better understanding of the
product, material and information flows, value stream metrics, and the interaction of processes.
For example, Pareto analysis⁵ can help a firm identify the proportion of goods and suppliers on
which it is most dependent in terms of cost, value creation, production, and failure, and hence
the goods and services that can pose the most risk to the supply chain. Pareto analysis is
designed to identify which small set of practices, functions, suppliers, staff, etc. has the
greatest impact. More sophisticated portfolio analysis can help firms identify goods by both
their value and their supply continuity risk, and lead firms to focus their SCRM first on
strategic or critical goods of high value and high supply continuity risk. These may include
scarce or high-value items, major assemblies, or unique parts which may have natural scarcity,
few suppliers, and difficult specifications.
⁵ Pareto analysis is a simple technique for prioritizing possible changes by identifying the problems that will be
resolved by making those changes.
Accurate supply chain mapping will improve decision making processes and drive preventive
actions that can avoid and mitigate undesirable and potentially disruptive events. This will
allow an organization to be more preemptive in managing its supply chain and subsequently
gain a competitive advantage.
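The scoping discussion above (Tier 1 versus deeper tiers, sole sources, and the "key node" where a map funnels to one sub-tier supplier) and the Pareto paragraph both describe analyses that can be run directly on a supply chain map. The following is an added example, not code or text from the Standard: it builds a small constructed supplier graph, assigns tiers by hops from the organization, applies a Pareto cut on constructed spend figures, and then finds every sub-tier node whose loss leaves a Tier 1 supplier with no remaining source, ranking them by how many Tier 1 suppliers funnel through them. All supplier names, spend values and edges are assumptions made for the illustration.

```python
"""Supply chain map: tiering, Pareto dependence, and key-node (funnel) detection.

Added example, not text or code from ANSI/ASIS SCRM.1-2014. The supplier
names, spend figures and the supply graph are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed supply map. Each edge is (supplier, customer): the supplier
# delivers to the customer. "ORG" is the organization scoping its SCRM program.
SUPPLIES = [
    ("S1", "ORG"), ("S2", "ORG"), ("S3", "ORG"), ("S4", "ORG"),   # Tier 1
    ("P1", "S1"), ("P2", "S2"), ("P3", "S3"), ("P4", "S4"),       # Tier 2
    ("PIGMENT", "P1"), ("PIGMENT", "P2"), ("PIGMENT", "P3"),      # Tier 3: one source feeds three chains
    ("RESIN_A", "P4"), ("RESIN_B", "P4"),                        # Tier 3: multi-sourced commodity
]

# Constructed annual spend per Tier 1 supplier (arbitrary currency units).
SPEND = {"S1": 4_000_000, "S2": 3_500_000, "S3": 1_500_000, "S4": 1_000_000}


def build_graph(edges):
    """Return (downstream, upstream) adjacency sets keyed by node."""
    down, up = defaultdict(set), defaultdict(set)
    for supplier, customer in edges:
        down[supplier].add(customer)
        up[customer].add(supplier)
    return down, up


def tiers(edges, org="ORG"):
    """Tier of every node: the minimum number of hops upstream from the organization."""
    _, up = build_graph(edges)
    tier, queue = {org: 0}, deque([org])
    while queue:
        node = queue.popleft()
        for supplier in up[node]:
            if supplier not in tier:
                tier[supplier] = tier[node] + 1
                queue.append(supplier)
    return tier


def pareto_suppliers(spend, share=0.8):
    """Smallest set of suppliers, largest first, that covers `share` of total spend."""
    total = sum(spend.values())
    covered, chosen = 0, []
    for name, amount in sorted(spend.items(), key=lambda kv: -kv[1]):
        chosen.append(name)
        covered += amount
        if covered / total >= share:
            break
    return chosen


def key_nodes(edges, org="ORG"):
    """Sub-tier nodes whose loss leaves at least one Tier 1 supplier with no
    remaining source: maps node -> sorted list of Tier 1 suppliers it starves."""
    _, up = build_graph(edges)
    tier = tiers(edges, org)
    tier1 = {n for n, t in tier.items() if t == 1}
    leaves = {n for n in tier if not up[n]}          # deepest sources in the map

    def sources(t1, removed):
        """Leaf sources still reachable upstream from t1 with `removed` taken out."""
        seen, stack, found = set(), [t1], set()
        while stack:
            node = stack.pop()
            if node in seen or node == removed:
                continue
            seen.add(node)
            if node in leaves:
                found.add(node)
            stack.extend(up[node])
        return found

    result = {}
    for node, t in tier.items():
        if t < 2:
            continue
        starved = sorted(t1 for t1 in tier1 if sources(t1, None) and not sources(t1, node))
        if starved:
            result[node] = starved
    return result


def funnel_ranking(edges, org="ORG"):
    """Key nodes, widest funnel first: the node starving most Tier 1 suppliers leads."""
    return sorted(key_nodes(edges, org).items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    print("tiers:", tiers(SUPPLIES))
    print("Pareto (80% of spend):", pareto_suppliers(SPEND))
    for node, starved in funnel_ranking(SUPPLIES):
        print(f"key node {node}: sole route to {starved}")
```

On the constructed map the Pareto cut alone points at S1, S2 and S3 as the suppliers to watch, while the funnel ranking shows why: all three depend on the single Tier 3 node PIGMENT, whereas S4's resin is dual-sourced and neither resin supplier is a key node. The two views answer different questions (where the spend concentrates versus where a single failure propagates), which is why the Standard recommends looking beyond the first tier for priority components.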
By understanding the organization and its context, the organization can set the scope for its
SCRM process, document its methodology, and justify its assumptions. Setting the scope is also
a dynamic process and should be revisited based on the analyses conducted during the SCRM
process.
should be comprehensive, documented, and repeatable. It should consider (but not be limited
to):
a) Reliability and degree of uncertainty of information;
b) Biases that may influence results (including the effect of assumptions);
c) Root causes and triggers of risk;
d) Broad consultations with internal and external stakeholders;
e) Supply chain relationships, dependencies and interdependencies;
f) Priority business functions and activities and the impact of their loss (including time
dependencies);
g) The value of assets to the organization, its supply chain partners, competitors, and
adversaries;
h) Single, multiple and compounded weaknesses including overlapping and multiple
effects of risks;
i) Likelihood of success of a risk event occurring as well as causing an undesirable and/or
disruptive event; and
j) The interactions between threat, criticality, and vulnerability analysis.
It may be helpful to categorize the risks by type. It is important to remember that risk
assessments are dynamic and risk management should include continuous identification and
analysis of all risks related to the organization’s business.
Table 1 presents examples of risks an organization may wish to consider in its risk identification
process. Annex C presents a longer but not exhaustive list. Note that risks can overlap
categories.
Table 1. Examples of risks
  Political, social, community and cultural
  Economic and financial (including exchange rates)
  Lawsuits and liability
  Crime (e.g., terrorism, theft, corruption, industrial espionage, sabotage, fraud, counterfeiting, etc.)
  Logistics
  Transportation
UPSTREAM RISKS
  Upstream dependencies (including timeframes and excess capacity)
  Single sourcing, multi-sourcing, and competing obligations
DOWNSTREAM RISKS
  Logistic, distribution and warehouse capacity
  Information system security and capacity
Examples of points to consider in identifying risk include (but are not limited to):
a) Number and location of suppliers. For example, are there suppliers in countries with
social unrest, terrorist or drug activity, or high levels of corruption and other crime?
b) Number and origin of shipments. For example, have increased quantities or values of
shipments posed additional risks?
c) Contractual terms defining responsibility for shipping. For example, companies may
specify security controls and procedures for their suppliers. (Annex D provides sample
contractual terms and conditions for supply-chain security.)
d) Compliance requirements, recall, and reverse logistics. For example, companies may
have specific requirements for the handling and packaging of products as well as the
return of damaged, expired, and recalled products.
e) Brand and reputation protection. For example, some companies require brand-protection
measures related to social responsibility and legal obligations, including environmental,
health, and safety issues.
f) Modes of information transfer. For example, information protection and encryption
may be required for data files and transmissions.
g) Modes of transport and routes for shipments. For example, companies may ask their
suppliers to follow certified security procedures for ocean-container or truck-trailer
shipments.
h) Risks related to logistics providers or partners involved in the supply chain who handle
shipments (e.g., packaging companies, warehousing, trucking companies, freight
forwarders, and air or ocean carriers). For example, firms may require that logistics
providers meet all certification standards from an official supply-chain security
program.
Risk identification is a function of local conditions and may vary from facility to facility within
the same organization as well as between elements within a supply chain. It is essential to
identify the risks associated with the locations of functions and choke points in the supply
chain. For example, the administrative headquarters of a supplier may not be the same as the
production location. Therefore, the risks may be very different, so the assumption should not
be made that identifying the risks at the administrative headquarters will be representative of
the risks throughout the supply chain.
The organization should periodically review the status of its risks in a catalogue of risks (e.g.,
a risk register), incorporating new risks as they develop and revising the risk ranking. The
catalogue of risks serves as the central repository for all risks identified by the organization and
includes (but is not limited to) information on risk criteria, likelihood, consequences, treatments,
anticipated outcomes, and risk owners. Risk management activities should be documented,
tracked, traceable, and non-repudiable: it should be possible to establish who recorded or
changed each entry and in what order, and past entries should not be silently altered.
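The requirement that the catalogue of risks be tracked, traceable and non-repudiable is a logging property, and it is easy to lose if the register is a spreadsheet anyone can edit in place. The following is an added example, not code from the Standard: a small append-only risk register in which every change is a new entry, each entry carries the fields the page names (criteria, likelihood, consequence, treatment, anticipated outcome, owner), and entries are chained with an HMAC so that rewriting an old assessment is detected on verification. The signing key, the risk identifiers and the sample entries are constructed for the illustration.

```python
"""Tamper-evident risk register (catalogue of risks).

Added example, not text or code from ANSI/ASIS SCRM.1-2014. The record fields
follow the page (criteria, likelihood, consequence, treatment, anticipated
outcome, owner). Making the log append-only and chaining entries with an HMAC
is this example's way of meeting "tracked, traceable, and non-repudiable"; the
key and the entries are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # link value for the first entry


class RiskRegister:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._entries = []   # append-only; each entry commits to the previous entry's MAC

    @staticmethod
    def _canonical(record):
        # Deterministic serialisation so the MAC is reproducible on verification.
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def append(self, risk_id, actor, **fields):
        """Record a change to a risk. Updates never overwrite: they are new entries."""
        prev = self._entries[-1]["mac"] if self._entries else GENESIS
        record = {"seq": len(self._entries), "risk_id": risk_id,
                  "actor": actor, "prev": prev, "fields": fields}
        mac = hmac.new(self._key, self._canonical(record), hashlib.sha256).hexdigest()
        entry = dict(record, mac=mac)
        self._entries.append(entry)
        return entry

    def verify(self):
        """Recompute every link and MAC. Returns (True, None) or (False, first bad seq)."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            record = {k: v for k, v in entry.items() if k != "mac"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False, i
            expected = hmac.new(self._key, self._canonical(record), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return False, i
            prev = entry["mac"]
        return True, None

    def current(self):
        """Present state of every risk, rebuilt by replaying the log in order."""
        state = {}
        for entry in self._entries:
            state.setdefault(entry["risk_id"], {}).update(entry["fields"])
        return state

    def history(self, risk_id):
        """Every recorded change to one risk, oldest first, with who made it."""
        return [e for e in self._entries if e["risk_id"] == risk_id]


def demo():
    """Constructed walk-through: two legitimate updates, then an edit to a past entry."""
    reg = RiskRegister(b"constructed-demo-key-rotate-in-real-use")
    reg.append("R-001", "procurement.lead", criteria="supply continuity",
               likelihood="Probable", consequence="Major",
               treatment="none", owner="procurement.lead")
    reg.append("R-001", "scrm.champion", treatment="qualify second pigment source",
               anticipated_outcome="consequence to Moderate within two quarters",
               likelihood="Possible")
    clean = reg.verify()
    # Someone quietly rewrites the original assessment in place instead of appending.
    reg._entries[0]["fields"]["likelihood"] = "Unlikely"
    return clean, reg.verify(), reg.current()


if __name__ == "__main__":
    print(demo())
```

A shared HMAC key only proves that an entry was written by someone holding the key, which is adequate for one organization's register but not for non-repudiation between supply chain partners; for that, each actor would sign entries with their own asymmetric key and the head of the chain would be anchored externally (time-stamped or published) so the whole log cannot be regenerated.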
prioritize them for ultimate treatment. To begin, organizations may choose to rank risk events
with varying degrees of detail, depending on the risk, and the information, data, and resources
available.
As seen in Figure 4, the output from risk identification provides the input to risk analysis.
Units and scales of measuring risk determined during the definition of risk criteria should be
used consistently throughout the analysis. The risk analysis method used should meet the
needs of the risk evaluation and treatment decision making process.
One method of risk analysis which uses a cause and effect analysis is the bow-tie method (for
more information on this and other methods, see ISO 31010:2009). The bow-tie method
provides a simple, qualitative approach to help fully understand the characteristics of a risk
event. An event can have multiple causes and multiple consequences—the two dimensions of
risk—and existing treatments. Risk treatments can be reviewed to understand their
effectiveness and efficiency. It enables the evaluation of risk treatment methods to better
understand inherent risk (i.e., risk in the absence of any treatment) and residual risk (i.e., level
of risk remaining after treatment). The bow-tie risk analysis method clearly ties treatment
actions against each dimension of risk event. The bow-tie method is a good way of visualizing
risk and communicating the effectiveness of the treatment methods in place to manage risks.
Figure 5 shows an example of the bow-tie method.
The bow-tie method can be used to help simplify risk analysis and provide a subjective estimate
of the level of risk by allowing the conceptualization of the interaction of causes, treatments,
and consequences of a risk. The steps involved in conducting a risk analysis using the bow-tie
method are as follows:
a) Based on the risk identification, describe a risk event that may provide an opportunity
or result in an undesirable or disruptive event;
b) Determine the foreseeable possible causes of the risk event (left side);
c) Identify the potential consequences of the risk event (right side);
d) Evaluate what preventive and protective measures are in place to modify the likelihood;
e) Evaluate what mitigation, response, and recovery measures are in place to reduce the
consequences;
f) Evaluate the effects of multiple layers of protection, as well as cascading and multiple
impacts; and
g) Determine the level of risk.
Acceptable risk levels will be unique to each organization and supply chain. They may vary by
project, commodity, product, or service, as well as over time. The organization may have
varying levels of risk-tolerance for different divisions, subsidiaries, and partners. It may not be
practical to eliminate all risk due to costs. It may be desirable to accept risk to gain an
opportunity. To achieve as low as reasonably practical risk, a typical target of risk evaluation is
to determine the most cost effective treatments.
Examples of reasons an organization may tolerate risk (by informed decision) include:
a) The level of the risk is so low that specific treatment is not appropriate within the
constraints of available resources;
b) The risk is such that there is no treatment available. For example, the risk causes may
not be within the control of an organization;
c) The cost of treatment, including insurance costs, is so manifestly excessive compared to
the benefit that toleration is the only option. This applies particularly to lower ranked
risks;
d) The opportunities presented outweigh the threats to such a degree that the risk is
justified; and
e) Organizations may also determine to accept a risk by informed decision-making or to
maximize a business opportunity.
Regardless of the method used to evaluate risk treatment(s) to achieve a level of risk as low as
reasonably possible, it is important to understand that this is an iterative process where the risk
manager can pick multiple layers of risk treatment measures including:
a) Eliminating the risk exposure;
b) Isolating the risk source or potential targets;
c) Technical modifications and substitutions;
d) Administrative and procedural controls;
e) Protective, preventive, and mitigation measures; and
f) Accepting or exploiting risk by informed decision.
During the risk evaluation process, the proposed risk treatment processes should be evaluated
to consider the cost-benefit of the measure to reduce risk and whether the risk treatment
changes or introduces new risk to the organization and its supply chain. Figure 6 illustrates
how the output from the risk identification and analysis steps can be represented by a funnel
approach where intolerable risk must be treated at any reasonable cost. Treatment measures
are applied to bring the risk to a level that is as low as reasonably possible, the point at which
further treatments are disproportionate to their cost/benefit. Risks reach a tolerable level when
they are within the tolerance set by the risk criteria. Contingency measures might be considered
for risks that remain after treatment.
One way an organization may wish to assess its risk tolerance is through a risk “frontier” graph,
plotting the likelihood of events by their consequence (Figure 7). Organizations may find some
risks to be of such low likelihood or to have such limited consequence that they do not warrant
any further treatment or consideration. For those of greater likelihood or consequence, the
organization may wish to reduce risk through resource management (e.g., an extra level of
supplies or "safety stock"), a risk distribution strategy (e.g., multiple sourcing), or other
mechanisms of risk avoidance or elimination. Such mechanisms may seek to reduce the
likelihood, duration, or consequence of a risk event. Organizations may also decide, through
informed decision-making, to accept a risk in order to maximize a business opportunity.
Another means of representing the relationship between likelihood and consequences is to use a
“heat” map showing risk-events on a matrix defining likelihood and consequence levels. This
technique allows managers to easily see the relative likelihood and consequence of differing
risks. To use this method effectively, it is critical to have well-defined and consistently used
criteria for the different likelihood and consequence levels. Various scales are used by different
organizations; the gradations, scaling, and terms used should be based on what is best
understood by the users and the decision makers. Figure 8 shows a “heat” map illustrating the
concept.
[Figure 8: heat map plotting risk events by likelihood against consequence]
The “heat” map shows how firms may wish to prioritize risks by likelihood and consequence.
An example of an alternative scale would be:
a) For consequence categories: Low, Moderate, Serious, Severe, Major, and Extremely
Serious; and
b) For likelihood categories: Very Unlikely, Unlikely, Possible, Probable, and Regular.
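The bow-tie steps listed earlier (causes on the left reduced by preventive barriers, consequences on the right reduced by mitigation, inherent versus residual risk) and the heat map's requirement for consistently defined scales fit together naturally in one model. The following is an added example, not code or figures from the Standard: it fixes the two scales once, using the alternative categories listed just above, models each barrier as removing a number of scale steps, computes the inherent and residual position of an event, places it in a constructed intolerable / treat-to-ALARP / tolerable banding, and re-runs the analysis with a proposed treatment switched on to show the iterative step. The banding thresholds, the barrier shift values and the sample event are assumptions made for the illustration.

```python
"""Bow-tie analysis with inherent vs residual risk and heat-map placement.

Added example, not text or code from ANSI/ASIS SCRM.1-2014. The scales reuse
the alternative categories listed on this page; the banding thresholds,
barrier "shift" values and the sample event are constructed assumptions.
"""
import copy
from dataclasses import dataclass, field

# Scales defined once and reused for every risk: the page's precondition for a usable heat map.
LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Probable", "Regular"]
CONSEQUENCE = ["Low", "Moderate", "Serious", "Severe", "Major", "Extremely Serious"]


def score(l_idx, c_idx):
    """Heat-map cell value: (likelihood rank) x (consequence rank), both 1-based."""
    return (l_idx + 1) * (c_idx + 1)


def band(value):
    """Constructed bands for the funnel in Figure 6: intolerable / treat to ALARP / tolerable."""
    if value >= 15:
        return "INTOLERABLE"
    if value >= 7:
        return "TREAT TO ALARP"
    return "TOLERABLE"


@dataclass
class Barrier:
    name: str
    shift: int               # scale steps removed when the control works (constructed)
    in_place: bool = True    # False = proposed treatment, not yet implemented


@dataclass
class Cause:                 # left side of the bow-tie
    name: str
    likelihood: int          # inherent likelihood index into LIKELIHOOD
    barriers: list = field(default_factory=list)   # preventive / protective


@dataclass
class Consequence:           # right side of the bow-tie
    name: str
    severity: int            # inherent consequence index into CONSEQUENCE
    barriers: list = field(default_factory=list)   # mitigation / response / recovery


@dataclass
class BowTie:
    event: str
    causes: list
    consequences: list


def residual(index, barriers):
    """Layers of protection stack: each barrier in place removes its shift, floor at 0."""
    return max(0, index - sum(b.shift for b in barriers if b.in_place))


def analyse(bt):
    """Inherent and residual (likelihood, consequence, band) for the event.
    The worst cause sets likelihood and the worst consequence sets severity."""
    inh_l = max(c.likelihood for c in bt.causes)
    inh_c = max(k.severity for k in bt.consequences)
    res_l = max(residual(c.likelihood, c.barriers) for c in bt.causes)
    res_c = max(residual(k.severity, k.barriers) for k in bt.consequences)
    return {
        "event": bt.event,
        "inherent": (LIKELIHOOD[inh_l], CONSEQUENCE[inh_c], band(score(inh_l, inh_c))),
        "residual": (LIKELIHOOD[res_l], CONSEQUENCE[res_c], band(score(res_l, res_c))),
    }


def with_barrier(bt, name):
    """Re-run the analysis with a proposed barrier switched on (the iterative step)."""
    bt = copy.deepcopy(bt)   # never mutate the recorded bow-tie
    for side in bt.causes + bt.consequences:
        for b in side.barriers:
            if b.name == name:
                b.in_place = True
    return analyse(bt)


# Constructed sample event for a sole-source Tier 3 pigment plant.
SAMPLE = BowTie(
    event="Sole-source pigment plant offline",
    causes=[
        Cause("Earthquake at plant", likelihood=2),                           # nothing prevents it
        Cause("Quality failure at plant", likelihood=3,
              barriers=[Barrier("Supplier quality audit", shift=1)]),
    ],
    consequences=[
        Consequence("Assembly lines stop", severity=4, barriers=[
            Barrier("Four weeks safety stock", shift=1),
            Barrier("Qualified alternate pigment", shift=2, in_place=False),  # proposed
        ]),
    ],
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
    print(with_barrier(SAMPLE, "Qualified alternate pigment"))
```

The sample illustrates the point made under risk evaluation: the earthquake cause has no preventive barrier, so the residual likelihood cannot be pushed below "Possible" and the only lever is the consequence side. Safety stock alone leaves the event in the treat-to-ALARP band; qualifying an alternate pigment moves it to tolerable, which is the comparison a business case would put beside the cost of qualification.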
6 RISK TREATMENT
6.1 General
Once an organization understands its supply chain and has analyzed its potential risks, it can
begin the process to modify and reduce risk. It is important to keep in mind when developing a
risk treatment strategy that risk treatments have the potential to create new risks or modify
existing risks.
After an organization has identified and prioritized the risks that it faces, it can devise risk
treatment plans. Plans include developing strategies and measures to protect supply chains
from sources of risks, responding to events that these risks may cause, and continuing
operations and recovering from undesirable and disruptive events. Risk treatments seek to:
a) Remove the risk source, where possible;
b) Remove or reduce the likelihood of the risk event occurring;
c) Remove or reduce negative consequences;
d) Share the risk with other parties, including risk insurance;
e) Accept risk through informed decision or to exploit an opportunity; and/or
To ensure maximum effectiveness, organizations and their partners should develop plans
and/or programs to audit their supply chain security programs for compliance with written
policies and procedures. Such audits should be conducted on a regular basis. This Standard
illustrates below some benchmarks for each of these criteria. Plans and/or programs developed
should reflect all supply chain risks, including any aspects that may be unique to a particular
organization or industry; including, for example, tangible and intangible assets, and any assets
which may have different intrinsic values either to an organization or an adversary.
When developing security plans and programs the organization should consider:
a) Physical security. That part of security concerned with physical measures designed to
safeguard people; to prevent unauthorized access to equipment, facilities, material, and
documents; and to safeguard them against a security incident. Logistics partners such
as manufacturers, distributors, and transportation entities should have established
physical security programs to prevent unauthorized access to their facilities while goods
are in storage or transit. Such features should include (but are not limited to): perimeter
controls such as fencing and/or gated entry points; access controls to prevent
unauthorized entry into/within facilities or vehicles; penetration alarms to notify
authorities of illicit access attempts; and video surveillance systems to display, record,
and play back access activities (for more information on physical security methods, see
ANSI/ASIS PAP.1-2012, Security Management: Physical Asset Protection).
b) Personnel security. Organizations and their partners should screen prospective persons
working on behalf of the organization (in ways consistent with local regulations) and
verify employment application information prior to employment. This can include drug
tests and background checks on educational and employment background and possible
criminal records, with periodic subsequent checks performed for cause or sensitivity of a
person’s position. Organizations and their partners should also have procedures in
place to remove badges, uniforms, and facility and IT-system access for persons working
on behalf of the organization who voluntarily or involuntarily leave employment.
c) Awareness, education, and training. The attitudes and behaviors of individuals,
organizations, and institutions should be developed to support and enhance a security
culture. Organizations and their partners should establish and maintain a security
training program to educate and build awareness of proper supply chain security
procedures for all persons working on behalf of the organization to address intentional,
unintentional, and natural events. Current best practices within supply chain security
consist of training persons who work in areas of risk to anticipate, prevent, protect from,
and mitigate potentially undesirable and disruptive events. Persons should be aware of
their role in the protection from the threat of malicious acts including theft; the potential
introduction of illicit contraband, counterfeit, or diverted products into shipments; and
the importance of maintaining the integrity of intellectual property within one’s own
supply chain. Education and training should also include documented procedures for
persons working on behalf of the organization to report security incidents or suspicious
behavior.
d) Procedural security. Organizations and their supply chain partners should establish,
document, provide training, and audit supply chain security programs and procedures.
Procedural controls should complement physical, technical, and engineering measures
by introducing work practices or procedures that reduce risk. Procedures can be
documented in specific security Standard Operating Procedures and/or employee
manuals or handbooks. Procedural supply chain security should address, but not be
limited to: awareness of warning signs of potential events; how to inspect shipments;
methods of secure storage and stowage of goods; tamper evident ways to package/seal
goods in shipment; detecting suspicious shipments/packaging; detecting suspicious
persons; and procedures for selecting secure warehousing and/or transportation options.
e) Information security. Information security protects information in all forms.
Information security practices and procedures provide the guidance to ensure that
organization sensitive information is adequately protected. Information security
measures should ensure information and telecommunications systems are protected
from unauthorized access and that information related to product integrity, intellectual
property, logistics, routing, and personnel is protected. This should include password
protection (including periodic changing of passwords) and accountability (including a
system to identify any improper access or alteration).
f) Business-partner security. Organizations should have a documented business partner
selection process which includes a pre-contractual security assessment to cover all
aspects of security related risks. An effective supply-chain security program dictates that
any supply chain partner, as well as any further sub-contracted suppliers or logistics
service providers, employ consistent security practices throughout the supply chain.
Firms should have binding contractual agreements with all business partners and sub-
contracted entities within their respective supply chains that address such things as:
screening and selection; the use of further sub-contracted entities; acceptable methods of
storage and/or transportation; and reporting theft, damage, or suspicious incidents. All
contractual agreements should have a documented “audit function/schedule” built into
them.
g) Logistics security. Transportation, particularly drayage (inland truck support), may be
the most vulnerable point of the supply chain. Conveyance security (storage containers
such as trailers, ocean freight containers, aircraft unit load devices, and railcars) should
procedurally address: procedures for packing and sealing; inspections for integrity;
availability of tracking; atmospheric sensitivity; individual storage; and routing, including
predefined back-up routes. The security conditions of every in-transit location where the
shipment is held, regardless of the duration of storage, should be addressed. Airport,
terminal, and ocean warehouses that are not in a secured area are critical points for
potential pilferage and cargo theft.
h) Product security. For organizations that handle any type of product, product security is
paramount to the success of the organization and the effectiveness of the supply chain.
Product security involves the specific security measures that protect a product from
risks such as adulteration, counterfeiting, and diversion of goods. Product security also
involves the use of special signs, chemical markers within the product, holograms, and
covert and overt marks to ensure that final consumers receive the intended product.
Product security requires close teamwork between manufacturing, packaging, brand
protection, security, quality, and legal departments, as well as direct involvement with law
enforcement.
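Item e) above calls for accountability measures that can identify improper alteration of logistics, routing, and product-integrity records. The following is an added example (not part of the Standard) of one way to provide that: a keyed integrity manifest (HMAC-SHA256) computed over each record when it is approved, which a later verification run compares against the current records to name exactly which entries were altered, removed, or added. The shipment records, the key, and the record format are constructed for this example and are not drawn from the Standard.

```python
import hashlib
import hmac
import json

# Constructed sample: a few logistics/routing records of the kind the Standard
# says should be protected against improper alteration. The key and the
# records are hypothetical example values; in practice the key is kept away
# from the people who can edit the records.
MANIFEST_KEY = b"example-manifest-key-rotate-me"

SHIPMENT_RECORDS = {
    "SHP-1001": {"route": "Alexandria->Newark", "seal": "SL-88213", "qty": 40},
    "SHP-1002": {"route": "Alexandria->Oakland", "seal": "SL-88214", "qty": 12},
    "SHP-1003": {"route": "Alexandria->Miami", "seal": "SL-88215", "qty": 7},
}


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so equal records hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: dict, key: bytes) -> dict:
    """Compute a keyed tag (HMAC-SHA256) per record. Without the key, an
    editor cannot recompute a matching tag after changing a record."""
    return {
        rid: hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        for rid, rec in records.items()
    }


def verify_manifest(records: dict, manifest: dict, key: bytes) -> dict:
    """Recompute tags for the current records and report altered, missing,
    and unexpected record ids against the stored manifest."""
    current = build_manifest(records, key)
    altered = sorted(
        rid for rid in manifest
        if rid in current and not hmac.compare_digest(current[rid], manifest[rid])
    )
    missing = sorted(rid for rid in manifest if rid not in current)
    added = sorted(rid for rid in current if rid not in manifest)
    return {
        "ok": not (altered or missing or added),
        "altered": altered,
        "missing": missing,
        "added": added,
    }


def demo() -> dict:
    """Approve the records, then simulate an improper change (a rerouted
    shipment and a deleted record) and run the verification."""
    manifest = build_manifest(SHIPMENT_RECORDS, MANIFEST_KEY)
    tampered = json.loads(json.dumps(SHIPMENT_RECORDS))  # deep copy
    tampered["SHP-1002"]["route"] = "Alexandria->Laredo"  # route changed
    del tampered["SHP-1003"]                               # record removed
    return verify_manifest(tampered, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    print(demo())
```

The manifest only tells you that something changed and which records; pairing it with the access log (who held the key and who edited the record store) is what turns the finding into accountability.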
vii. Implementing and maintaining a crisis communication system that can help
identify the nature of a crisis and provide instructions when needed.
c) Response includes the mobilization of essential personnel to support crisis response
activities. This includes onboarding an effective leadership team quickly to coordinate
and manage efforts as they grow beyond essential personnel. The leader and team
should implement a disciplined, iterative set of response plans allowing initial
coordinated responses during crises.
d) Recovery efforts are focused on actions needed to restore operations to predetermined
levels in order to meet customer needs and identify opportunities for improvement. This
may include re-employment of personnel, rebuilding destroyed property, and the repair
of other essential infrastructure after a crisis. It differs from the response phase in that it
focuses on issues and decisions that should be made after immediate needs following a
crisis are addressed.
e) Lessons learned and post incident review – this process critically examines the cause of
the incident and the response that was applied. By learning and sharing internally, an
organization can strengthen its crisis response capability, as well as identify
opportunities for improvement and adaptation.
These processes are intended to enhance existing organizational crisis management capabilities
by establishing a crisis management structure that will provide integrated and coordinated
planning and response activities at all levels within an organization. They will also establish a
common and consistent set of notification and activation thresholds. The structure and
processes are designed to complement, not supersede, emergency response plans and
procedures at various functional organization units and facilities. When an incident occurs,
these units and facilities will follow established local response plans and procedures.
Figure 9 presents a notional hierarchy for a crisis management team in a large global
organization. Should a local crisis response team (LCRT) not be able to manage a crisis, it
would activate a broader crisis management team (CMT) that considers the impact of the crisis
throughout the supply chain and the rest of the organization. Other teams to be activated as
needed, and focusing primarily on sustaining business operations, are a corporate crisis
management team (CCMT) and an executive crisis management team (ECMT). Ultimately the
size, nature, and scope of an organization’s operation will determine the most appropriate
levels of response.
Incidents with high severity can quickly require the focus of crisis teams throughout a global
organization. For example, the H1N1 swine flu pandemic, which originated in Mexico, led to
simultaneous activation of the LCRT and relevant CCMT for one leading organization. Within
three days, the CCMT was activated and held regular briefings with the ECMT. Crisis
management bridges activities that respond to an emergency (any incident that can threaten
human life, health, property, or the environment if not controlled, contained, or eliminated
immediately through local level response) and those supporting the organization’s recovery
(prioritized actions to return the organization’s processes and support functions to operational
stability) and resumption (restarting defined business processes and operations to a
predetermined level) of operations.
Figure 10 presents a more generic process of how a CMT might approach an incident. Members
of the CMT continually monitor the supply chain for potential risks. Should an event occur,
members assess its consequence by making direct contact with suppliers in a region or through
direct feedback from suppliers, partners, or customers.
[Figure 10 (not reproduced): the CMT monitors global events for potential SC risk and, as required, contacts suppliers or core team members to assist in assessing risk.]
A crisis-response process includes the following steps, as depicted in Figure 11. Crisis response
uses a measured approach commensurate with the severity of the incident. (Annex G provides
a core-elements checklist for a crisis management program.)
1. Crisis Occurs/Crisis Identified – Incident identification and escalation protocols need to
exist in order to enable detailed assessment to occur. This involves defining trigger
levels and their resource requirements. This enables a team to then evaluate if the
incident could significantly affect the organization and the nature of the required
additional resources to support local efforts.
2. Gather Facts – Gather sufficient factual information to prepare an incident analysis.
3. Risk Assessment – Assess the severity and impact of the event.
4. Activate Crisis Team – Assemble the appropriate internal and external teams to provide
strategic and tactical support to mitigate or resolve the event. At this point, the team
may decide that the event can be adequately addressed with local resources and return
event control to the local crisis response team.
5. Stakeholder Communication – Establish a schedule to provide periodic communications
to persons working on behalf of the organization, customers, suppliers, financial
organizations, stockholders, and news media.
[Figure 11 (not reproduced): Maintenance, Training & Preparation; Crisis Occurs; Crisis Identified; Gather Facts; Risk Assessment; Resolve Locally? (Yes/No); Post Incident Review.]
activities within an acceptable time. These plans should be coordinated and tested alongside
those of suppliers, customers, and other key stakeholders.
To be effective, business continuity planning (also referred to as business continuity
management) should be an integrated management process supported from top management
and managed at both organizational and operational levels. A business continuity management
team should ensure that there are established organization risk tolerance levels and recovery
priorities, validated business recovery strategies, designated team members for activities and
functions, planning and documentation to achieve recovery time objectives, periodic testing and
exercising, and periodic evaluation of the business continuity planning program as based on
performance objectives.
Specific business continuity planning programs should be closely aligned to the risks identified
in the tiers of the supply chain including employee assistance, emergency response, crisis
management, and technology recovery to support restoration of operations.
Employee assistance programs help protect the most important assets and top priority of a firm:
its employees. Employee assistance programs, typically offered with a health-insurance plan,
can help persons working on behalf of the organization deal with personal problems that might
adversely affect their work, health, and well-being. Such plans generally include assessment,
short-term counseling, and referral services for persons working on behalf of the organization
and their household members. They may also offer housing assistance and salary advances.
Emergency response planning outlines procedures to follow immediately after any emergency.
Its objective is to protect people and property potentially impacted by events as identified in the
risk assessment process. Among other elements, it should include procedures for reporting
emergencies; activating the plan; evacuating and accounting for people; activating an
emergency operations center; updating lists of emergency contacts; emergency protocols for
data access, storage, and telecommunication; assessing damage, repairing and restoring
facilities; and testing emergency procedures. Business continuity planning and emergency
response planning are clearly separate plans utilized at different phases of a response. The
emergency response plan may not necessitate activation of the crisis management team or
business continuity plan. However, the emergency response plan should identify escalation
triggers that activate the CMT and business continuity plan.
Technology recovery planning should include information on who needs to act, what needs to
be done where, and when tasks need to be done to help resume operations. For example, for
data center operations, the technology recovery plan should describe steps needed to recover
and restore information technology infrastructure and services in case of site disaster. Disasters
can destroy communications centers necessitating their re-establishment. This should include
data backup and hardware redundancy or replacement plans. The plan should identify and
rank applications that support priority business activities. Mission critical data, for example,
should be backed up daily and stored offsite weekly, at a minimum. In addition, all
communications networks and platforms (to include infrastructure and devices) should be
available and periodically tested. This includes, but is not limited to, radio devices, mobile
telephones, Wi-Fi systems, and social networks.
Depending on the nature of an incident, certain plans may need to be activated while others
may not. For example, technology recovery plans may be activated during certain events (e.g.,
power outage) while other plans (e.g., business continuity plans or emergency response plans)
may not be activated if there is no major impact on business operations and/or threat to
personnel safety.
7.1 General
Once an organization has established a SCRM program including processes for identifying and
treating risks, it should implement a monitoring program and evaluate plans, procedures, and
capabilities through periodic review, testing, post-incident reports, and other exercises. It
should check the conformity and effectiveness of the program, and establish, implement, and
maintain procedures for monitoring and taking corrective action as necessary. This includes
reviewing other organizational changes that may affect SCRM.
Self-assessment is an effective first step in performance evaluation. It can provide an
overall view of an organization's performance and of the maturity of its management, and it
applies equally to SCRM. It can also provide a metric of performance level, help identify
areas for improvement and/or innovation, and determine priorities for subsequent actions.
Organizations should therefore carry out self-assessment as part of performance
evaluation. A maturity model self-assessment tool is given in Annex K.
Above all, organizations should test their plans periodically. People learn best by doing, hence
regular testing of risk treatment (security, crisis, and continuity) plans is necessary to ensure
they will work when needed. Organizations may test plans in four ways, including:
1. An orientation or “walk-through” to acquaint teams with the plan and their roles and
responsibilities in it.
2. A “tabletop” exercise to reinforce the logic and content of the plan and to integrate its
decision-making processes and provide “hands-on” experience. This may entail
presenting a team with a scenario and related events and posing problems to solve. The
exercise is designed to provoke constructive discussion and familiarize participants with
the plan, their roles and responsibilities, and possible gaps in the plan.
3. A functional test that creates simulations involving group interaction in actual
disruptions in order to validate the key planning components and strategies. Such tests
may include evacuation procedures.
4. A full-scale test to evaluate the plan and response through interaction of suppliers and
supply-chain partners.
Table 2 provides an overview of key properties of the four testing scenarios. The design of the
exercise and test should be based on risks identified in the risk assessment process.
Table 2: Overview of Key Properties of the Four Exercise and Testing Scenarios

Type: Orientation (Introductory, Overview or Education Sessions)
Goal: Provides overview of plan to motivate and familiarize participants with team roles, responsibilities, expectations, and procedures. Useful when implementing new plan or adding new staff/leadership.
Benefits: Informal, easy to conduct and low stress.
Needs: 30 days planning cycle, 1 hour duration.

Type: Tabletop (Practical or Simulated Exercise)
Goal: Presents limited simulation of a scenario (presented in narrative format) to evaluate plans, procedures, coordination, and assignment of resources. Addresses one issue at a time and allows breaks for discussion. Familiarizes participants with specific roles.
Benefits: Practices team building and problem solving.
Issues: Somewhat detailed with a medium stress level.
Needs: 2-3 months planning cycle, 2-4 hours duration and 30-60 minutes debriefing.
SCRM plans should be tested at least annually to achieve desired SCRM objectives (not limited
to those elements required by regulation). Exercising and testing should incorporate changes in
plans or operating conditions.
Plans, like risks necessitating them, and risk treatments should be monitored over time. Risk
management is a dynamic process addressing operations in an ever changing environment.
Therefore, the adequacy and appropriateness of plans needs to be continually monitored and
adapted to changing conditions.
The first step in testing, evaluating, and adjusting SCRM programs should be setting of goals
and expectations. Testing can keep response teams and persons working on behalf of the
organization effective in their duties, clarify their roles, and reveal weaknesses in the SCRM
program that should be corrected. In addition to testing the efficacy of risk treatment processes
and identifying opportunities for improvement, goals of the exercise and testing regime may
include:
a) Awareness and training of persons working on behalf of the organization;
b) Capacity testing;
c) Reducing the time necessary to accomplish a SCRM process (enhanced response times);
d) Team building;
e) Solicit stakeholder input and testing assumptions of risk assessment process;
f) Identification of persons for leadership roles in SCRM procedures; and
g) Improved coordination with first responders and other stakeholders.
In defining goals and expectations, it is important to consider that the scope of testing should be
planned to develop over time. Early tests could include evaluating individual components of
risk treatment plans. As the exercises and tests evolve, they should become increasingly
complex, covering the entire scope of SCRM plans and the interactions of components as well as
including external participation by public safety and emergency responders.
Top management commitment and participation is essential for a successful exercise and testing
program in planning, staging, and debriefing. A commitment to the exercise and testing
program lends credibility and authority to the entire SCRM process. Exercises should be
planned considering the risks to the organization as identified in the risk assessment as well as
the inherent risks of the exercise itself. Timelines, metrics, and feasibility also should be
considered during the planning process.
There are multiple roles that exercise and test participants perform. All participants should
understand their roles in the exercise and the exercise should involve all participants. As part
of the exercise, participants should be allowed to interact and discuss issues and lessons.
Documentation and communication protocols should be clearly established for the exercise to
provide the necessary data for evaluation. Emergency communications should also be
developed if problems arise during the conduct of the exercise.
After completion, the exercise should be critically evaluated with the participation of top
management. The evaluation should include, among other things, an assessment of how well
the goals and objectives of the test were achieved, the effectiveness of participation, and
whether the SCRM plans will function as anticipated in the case of a real crisis. An after action
report should be created as a reference to catalog measures of success, opportunities for
improvement, and lessons learned for subsequent exercises. Future exercising and testing, as
well as the SCRM program itself, should be modified as necessary based on the exercise results.
The exercise should be a driver for continual improvement of the SCRM program.
compliance and shipment-delay risks if reporting is not done properly. The high-security bolt
requirement can also add risk of delays or even rejection of a shipment should shippers fail to
comply. Compliance failure in any of these or other regulations could also result in financial
penalties, embarrassing news coverage, or even loss of license to do business.
To summarize, failure to monitor, shape, and respond to new regulations can pose significant
risks for the supply chain. Below are some guidelines and current best practices for an
organization seeking to minimize such risks. Like all recommendations in this Standard, these
are meant primarily as guidelines to provoke thought, and from which organizations may wish
to select for adaptation to their own circumstances. An effective risk-mitigation program for
legislative and regulatory requirements should help an organization monitor proposed or
pending regulations, participate in the process shaping final regulations, plan and respond to
changes in regulation, avoid compliance penalties, and ensure the smooth flow of incoming and
outgoing shipments.
In monitoring risks, organizations should seek to become aware early of proposed legislative
and regulatory initiatives, understand how they might affect their business, and share with
internal decision makers to determine a response. Some means to do this include establishing a
“government affairs” function or assigning individual responsibility to monitor proposed
legislation and regulations, creating an internal network of individuals who monitor regulatory
issues, joining trade associations that monitor these and subscribe to their newsletters and
bulletins, and developing other external contacts to monitor legislative and regulation changes.
Monitoring should include assessing the risk of emerging regulation, tracking compliance with
existing regulations, and identifying the points of the supply chain that will be affected by
regulations. Annex J provides some sample regulatory and compliance requirements, points
along the supply chain they may affect, and what control, if any, an organization may have over
them.
To shape regulations, organizations should seek to participate in the legislative and rulemaking
process. They may develop an internal process for tracking and responding to regulatory
notices, using this process to identify the consequences of new regulations and to offer
preferred alternatives. They might establish an internal capacity, or hire an external consultant
or lobbyist, to represent the organization in the development of legislation or regulations.
Joining and participating in industry associations provides another means for interacting with
political or government-agency leaders who shape legislation and regulations. Organizations
may seek opportunities for volunteering to participate on industry advisory committees or
other outreach events that government agencies use in developing and seeking feedback on
regulatory changes.
In responding to regulations, organizations should prepare in advance to avoid or mitigate the
risks, including costs, delays, and penalties inherent in new regulations. While monitoring and
seeking to shape pending regulatory requirements, organizations should develop, with early
executive support and funding, an internal process or team of cross-functional representatives
to analyze pending regulations and plan how to address each one. For new regulations,
organizations should communicate details to partners and help them prepare to support the
new requirements. New requirements may also require organizations to update their
contractual terms and conditions with their supply chain partners. Developing and
implementing plans to monitor the supply chain as new regulations go into effect can ensure
that compliant processes are in place and working.
New regulations, like other evolving areas with which an organization should contend, can
create significant risks for supply chains. These risks may range from costs to delays to
compliance penalties to still other areas. To be resilient, a supply chain should have the
capacity to monitor, shape, and respond to evolving areas such as new regulations.
Annex A
(informative)
A.1 Introduction
An organization will be better able to achieve its objectives by understanding and incorporating
the convergence of risk management (including security, crisis, continuity, and recovery
management) with information technology systems in all of the elements of its SCRM. The
benefits information and communications technologies provided to supply chain management
can be significant (e.g., in implementation, operability, replacement, and overall cost efficiency);
however, this creates additional risks as well as associated threats and vulnerabilities to the
individual and collective systems.
The architecture of an organization’s information and communication system plays a critical
role in its supply chain and the management of supply chain risk. An information system is a set
of information resources organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information. This definition includes the environment in which the
information system operates (i.e., people, processes, technologies, facilities, and cyberspace).6
Information systems also include specialized systems such as industrial control systems (ICS),
distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems,
telephone switching and private branch exchange (PBX) systems, and environmental control
systems.
A growing threat to the supply chain is the compromise of critical information (documents,
voice, and data). Another threat to the supply chain involves cyber threats to the supply chain’s
information and communication technologies. Therefore, ICT risk management is an integral
part of a holistic SCRM strategy.
The need to protect information cannot be understated, nor considered separate from protection
of tangible assets. Frequently it is much harder to recover from the loss of intangible assets than
the loss of tangible assets. Understanding of the need to protect information in all its forms is
critical to comprehensive SCRM. ICT systems provide opportunities for great efficiency, but
they are vulnerable to various forms of loss and attack. The integration of ICT into all supply
chain activities is related to the provision of goods and services from point of origin of raw
6 Committee on National Security Systems (CNSS) Instruction number 4009 dated April 26, 2010. See:
http://www.cnss.gov/assets/pdf/cnss_4009.pdf.
passage of supply chain products and services risk management becomes an imperative of
the organization.
All of these standards can be applied simultaneously in a single converged management system
standard using the ANSI/ASIS SPC.1 organizational resilience standard.
The application of security convergence should establish:
a) A cost effective strategy that protects people, information, and property across
functions;
b) Governance that ensures top management commitment and allocates ownership and
accountability to the converged security risk management program;
c) A cross-discipline and cross-functional risk assessment and management framework
that identifies, analyzes, evaluates, and treats all security risks within a singular
managed process;
d) A risk management process that monitors all security risks controls and reports
weaknesses, vulnerabilities, attacks, and systems failures collectively;
e) A process for ongoing monitoring of changes in communications and information
technology risks;
f) Systems that measure and assess the asset protection and SCRM performance
individually, collectively, and as an entirety of the organization’s risk controls;
g) A security risk management framework that functions in synergy with the
organization’s collective risk considerations;
h) Strategies that co-ordinate a unified response to disruptive events (attacks), mitigate
their consequences, and evaluate and report both the incident and response in order to
improve controls to further reduce the likelihood and impacts of an event; and
i) A framework that integrates procedures for the protection of all tangible and intangible
assets.
Annex B
(informative)
B.1 General
Building a resilient organization is part of any good business management strategy. In order to
thrive and survive, organizations need to adapt to an ever changing environment. To be agile
and resilient in order to achieve the organization’s objectives, the organization needs to leverage
all the disciplines that contribute to managing risk. For organizations to cost-effectively manage
risk, they must develop balanced strategies to adaptively, proactively, and reactively address
maximizing opportunities and minimizing the likelihood and consequences of potential,
undesirable, and disruptive events (see ANSI/ASIS SPC.1-2009).
The organization should establish, implement, and maintain procedures to prevent and manage
disruptive events which have the potential to harm the organization, its key stakeholders
including supply chain partners, and the environment.
Procedures should be concise and accessible to those responsible for their implementation. Flow
charts, diagrams, tables, and lists of action should be used rather than expansive text.
The purpose and scope of each procedure should be agreed by top management and
understood by those responsible for its implementation. Dependencies and interdependencies
should be identified and the relationships between procedures, including those of the
emergency services and local authorities, should be stated and understood. The following
sections provide more information on selected procedures. At the end of this annex are some
templates for different plans.
Prevention procedures should describe how the organization will take proactive steps to protect
its assets by establishing architectural, administrative, design, operational, and technological
approaches to avoid, eliminate or reduce the likelihood of risks materializing, including the
protection of assets from unforeseen threats and hazards.
Mitigation procedures should describe how the organization will take proactive steps to protect
its assets by establishing immediate, interim, and long-term approaches to reduce the
consequences of risks before they materialize, including the protection of assets from
unforeseen threats and hazards.
Organizations may choose to have a single procedure with sections and/or annexes dealing
with different types of incident. Alternatively, separate procedures may be written for each type
of incident.
Response procedures should describe how the organization will respond to one or more types
of disruptive events. Organizations may choose to have a single procedure with sections and/or
annexes dealing with different types of incidents. Alternatively, separate procedures may be
written for each type of incident.
Some response procedures may be implemented in advance of a disruptive event, for example
in the expectation of harm from a forthcoming tropical cyclone, bush fire or malicious attack on
the organization or a supply chain partner. In such circumstances, emphasis will be given to
protecting and/or removing priority assets and to communicating the risk of harm to staff and
to external organizations and authorities.
Continuity procedures should describe how the organization will maintain and/or re-establish
critical activities in the period immediately following the response/emergency phase.
Organizations may choose to have a single procedure with sections and/or annexes dealing
with different types of incident. Alternatively, separate procedures may be written for each type
of incident.
Recovery procedures should describe how the organization will re-establish all necessary
operational and support activities, replace damaged and/or destroyed assets and information,
rebuild the brand and reputation of the organization, and assist staff to recover from the event.
Organizations may choose to have a single procedure with sections and/or annexes dealing
with different types of incident. Alternatively, separate procedures may be written for each type
of incident.
NOTE 2: Recovery procedures are sometimes referred to as recovery and restoration procedures.
Function/Activity: Mitigation Procedure
The Assets to be Protected:
Objectives and Measures of Success:
Implementation Steps and Frequency:
Roles, Responsibilities and Authorities:
Communications Requirements:
Resource, Competency and Training Requirements:
Function/Activity:
Priority Assets to be Protected:
Priority Activities to be Maintained:
Measures to Limit Damage:
Situation/Conditions in Which Plan Will be Implemented:
Roles and Responsibilities of Individuals and Groups:
Organization Structure to be Used, Including Incident Command & External Links:
Procedures for Communication within the Organization:
Function/Activity:
Priority Assets to be Protected:
Priority Activities to be Maintained:
Activities to be Restored as a Priority After an Event:
Measures to Limit the Damages Caused by the Event:
Situation/Conditions in Which Plan Will be Implemented:
Criteria for Indicating the End of the Continuity Plan:
Roles and Responsibilities of Individuals and Groups:
Organization Structure to be Used, Including Incident Command & External Links:
Procedures for Communication Within the Organization:
Annex C
(informative)
Earthquakes
Volcanoes
Physical theft, tampering, and destruction of property
Fraud, graft, bribery, corruption, and counterfeiting
Compliance issues
o Regulatory financial reporting (e.g., Sarbanes-Oxley)
o Operations
o Logistics/trade
o Trade restrictions (e.g., Buy American Act)
o Regulatory audit history
o Regulatory approvals - marketing approvals
o Public health
o Environmental
Boycotts
Lawsuits
Environmental
Intellectual property
Technological Trends
Obsolescence
Production Problems
Theft, product diversion, and sabotage
Fraud, IP theft, and industrial espionage
Demand Variability/Volatility
Design Uncertainty
Planning Failures
Financial Uncertainty/Losses
Testing Unavailability/Inferiority/Capacity
Liability
Substitutability
Annex D
(informative)
a) Use individually assigned accounts that require a periodic change of password for
all automated systems.
b) Maintain a system to identify the abuse of IT resources, including but not limited to
improper access, tampering, or altering of business data, and discipline violators.
7) Procedural security: maintain, document, implement, and communicate security
procedures to ensure the security measures in this clause are followed. These should
include:
a) Procedures for the issuance, removal, and changing of access devices.
b) Procedures to identify and challenge unauthorized or unidentified persons.
c) Procedures to remove identification, facility, and system access for terminated
individuals.
d) Procedures for IT security and standards.
e) Procedures for control of personal containers.
f) Procedures to verify application information for potential persons working on behalf
of the organization.
g) Procedures for persons working on behalf of the organization to report security
incidents and/or suspicious behavior.
h) Procedures for the inspection of ocean containers or truck trailers prior to stuffing.
i) Procedures to control, manage, and record the issuance and use of high security bolt
seals for ocean containers and truck trailers. Such procedures should stipulate how
seals are to be controlled and affixed to loaded containers and should include
procedures for recognizing and reporting compromised seals or containers to
Customs or the appropriate authority and Buyer.
j) Procedures for logging incidents and storing incident reports.
C. Upon request, complete a Supply Chain Security Self-Assessment Questionnaire.
D. Seller and its subcontractors should be subject to periodic site visits by Buyer during
normal hours of operation to confirm compliance with the terms contained within this
clause.
E. Maintain procedures for persons working on behalf of the organization to report security
incidents and/or suspicious behavior. Immediately notify Buyer of any actual or suspected
breach of security involving Buyer’s assets (e.g., cargo) or material supporting Buyer’s
services.
Annex E
(informative)
General Information
Contact Name:
Company Name:
Primary Location/Address:
Street:
Country:
Phone:
If you have multiple locations from which you ship to (your company), please list additional sites:
Please list your company contacts for Security and Transportation below.
Name:
Title:
Phone Number:
Email Address:
Name:
Title:
Phone Number:
Email Address:
Physical Security
1a If yes, describe how they are positioned and the hours of coverage and areas of coverage within your
facility that they provide.
Additional Comments:
7a If yes, describe who is monitoring the alarm and where the alarm sensors are located.
Additional Comments:
9a If yes, describe what physical barriers are used and what personnel is allowed access.
Additional Comments:
10a If yes, describe where the shipments are stored and who has access to them.
Additional Comments:
Describe any aspects of physical security at your facility that you feel were not addressed above.
Access Control
1a If yes, describe the badge system (electronic, color coded, how many badges are needed to gain access,
etc.)
1b If no, but you use another method to identify and track persons working on behalf of the organization,
describe.
Additional Comments:
2a If yes, describe what access controls are used at each point of access into your facility.
Additional Comments:
3a If yes, describe how vehicle access is controlled and what vehicles are allowed access.
Additional Comments:
4a If yes, describe the method of screening (driver ID checks, vehicle inspections, etc.)
Additional Comments:
5a If yes, what method is used and how are the records kept?
Additional Comments:
Explain any access controls at your facility that you feel were not addressed above.
A. Are there access controls for personal belongings (computing and data storage devices, containers,
phones, cameras, etc.)?
Personnel Security
3a If yes, are employment and criminal background checks completed prior to access being allowed?
Additional Comments:
Explain any personnel controls at your facility that you feel were not addressed above.
Procedural Security
1a If yes, what is the person’s name and how many security personnel are utilized?
Additional Comments:
If ocean and/or truck trailer containers are used, please answer questions 10 - 12.
12a If yes, how are bolt seals controlled (e.g., storage and procedures to assure no fraudulent use)?
15 Describe the materials used for packing products that are being sent (e.g., cardboard box, container,
etc.).
Additional Comments:
Explain any procedural controls at your facility that you feel were not addressed above.
1b If yes, how often are persons working on behalf of the organization required to take this training and
awareness program?
2a If yes, indicate in which program you have certification in, when it was obtained, and who provided
the certification.
Annex F
(informative)
a) Ocean Container and Truck Trailer Seals: Properly seal and secure shipping
containers and trailers at the point of stuffing. Affix a high security seal to all
access doors on truck trailers and ocean containers. Such seals should meet or
exceed the current edition of ISO 17712 (originally published as ISO/PAS 17712) for
high security seals.
b) Ocean Container and Truck Trailer Storage: Empty or stuffed ocean containers
and truck trailers should be stored in a secure area to prevent unauthorized
access and/or manipulation.
7) Information Technology (IT) Security: maintain IT security measures to ensure all
automated systems are protected from unauthorized access.
a) Use individually assigned accounts that require a periodic change of password
for all automated systems.
b) Maintain a system to identify the abuse of IT resources, including but not limited
to improper access, tampering, or altering of business data and discipline of
violators.
8) Procedural Security: maintain, document, implement, and communicate security
procedures to ensure the security measures in this clause are followed. These should
include procedures:
a) For the issuance, removal, and changing of access devices.
b) To identify and challenge unauthorized or unidentified persons.
c) To remove identification, facility, and system access for terminated individuals.
d) For IT security and standards.
e) To verify application information for potential persons working on behalf of the
organization.
f) For persons working on behalf of the organization to report security incidents
and/or suspicious behavior.
g) For the inspection of ocean containers or truck trailers prior to stuffing.
h) To control, manage, and record the issuance and use of high security bolt seals
for ocean containers and truck trailers. Such procedures should stipulate how
seals are to be controlled and affixed to loaded containers and should include
procedures for recognizing and reporting compromised seals or containers to
Customs or the appropriate authority and (your company).
10) Security Awareness Program: A Security Awareness Program will be implemented
by Service Provider and provided to persons working on behalf of the organization
including awareness and understanding of the supply chain security program,
recognizing internal conspiracies, maintaining cargo integrity, and determining and
addressing unauthorized access. The Security Awareness Program should
encourage active participation in security controls. Service Provider should ensure
that key personnel receive regular training which should be no less than once per
year on security procedures and requirements. Service Provider should submit
evidence of such Security Awareness training upon request.
F. Questionnaire: Service Provider will, upon request, complete a Supply Chain Security
Questionnaire provided to Service Provider by (your company).
G. Detailed Mapping: Service Provider will, upon request, promptly provide a detailed
mapping for planned routings and any Subcontractors involved in the transport of (your
company) shipments.
H. Site Visits: Service Provider and its subcontractors should be subject to periodic site
visits during normal operating hours to confirm compliance with supply chain security
standards.
I. Breach of Security: Service Provider and its subcontractors should immediately notify
(your company) of any actual or suspected breach of security involving (your company)
cargo. This may include cargo theft, tampering, unauthorized access, or other activities
that involve suspicious actions or circumstances related to (your company) cargo.
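The IT security and procedural security clauses above (and their near-identical counterparts in Annex D) require individually assigned accounts with periodic password change, a system that identifies improper access or tampering with business data, and removal of system access for terminated individuals, but they do not say how a Buyer or Service Provider would check that these controls are actually operating. The script below is an added example written for this page; it is not text or code from the standard or from ASIS. It reviews a constructed audit log from an automated shipping system against an account roster and flags shared accounts, passwords past their maximum age, activity by accounts that are unknown or already terminated, and modification of business records outside the account's role. The roster, log lines, the 90-day password age, the list of generic account names and the role-to-record matrix are all assumptions made for the illustration.

```python
"""Audit-log review for the IT security / procedural security clauses.

Added example for this page (not from ANSI/ASIS SCRM.1-2014 or ASIS).
Everything below (roster, policy values, log lines, role matrix) is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

PASSWORD_MAX_AGE_DAYS = 90  # assumed policy value; the standard only says "periodic"
SHARED_ACCOUNT_NAMES = {"admin", "shipping", "warehouse", "guest"}  # assumed generic names
AS_OF = date(2024, 6, 4)  # assumed review date


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    password_set: date
    terminated_on: Optional[date] = None  # set by the termination procedure (clause 8c)


# Constructed roster for an automated shipping system.
ROSTER = {
    "jsmith": Account("jsmith", "shipping_clerk", date(2024, 4, 1)),
    "ltran": Account("ltran", "finance", date(2024, 5, 2)),
    "rgarcia": Account("rgarcia", "shipping_clerk", date(2023, 11, 1),
                       terminated_on=date(2024, 5, 20)),
    "shipping": Account("shipping", "shipping_clerk", date(2023, 1, 1)),
}

# Assumed authorisation matrix: record types each role may modify.
ROLE_MAY_MODIFY = {
    "shipping_clerk": {"shipment", "seal_log"},
    "finance": {"invoice"},
}

# Constructed log: ISO timestamp, user, action, record type, record id ("-" if none).
SAMPLE_LOG = """\
2024-06-03T08:05:11 jsmith LOGIN - -
2024-06-03T08:07:42 jsmith MODIFY shipment SHP-1001
2024-06-03T09:15:00 shipping LOGIN - -
2024-06-03T09:16:30 shipping MODIFY seal_log SEAL-77
2024-06-03T22:40:05 rgarcia LOGIN - -
2024-06-03T22:41:19 rgarcia MODIFY shipment SHP-1002
2024-06-03T10:02:00 ltran MODIFY shipment SHP-1003
2024-06-03T10:05:00 unknown LOGIN - -
"""


def parse_log(text: str):
    """Yield (timestamp, user, action, record_type, record_id) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rtype, rid = line.split()
        yield datetime.fromisoformat(ts), user, action, rtype, rid


def review(log_text: str, roster: dict, as_of: date):
    """Return (user, finding) pairs from account hygiene and activity checks."""
    findings = []
    # Account hygiene: individually assigned accounts and periodic password change.
    for acct in roster.values():
        if acct.user in SHARED_ACCOUNT_NAMES:
            findings.append((acct.user, "shared/generic account: not individually assigned"))
        if acct.terminated_on is None and (as_of - acct.password_set).days > PASSWORD_MAX_AGE_DAYS:
            findings.append((acct.user, "password older than policy maximum"))
    # Activity: unknown accounts, use after termination, out-of-role modification.
    for ts, user, action, rtype, rid in parse_log(log_text):
        acct = roster.get(user)
        if acct is None:
            findings.append((user, f"{action} by account not on roster at {ts.isoformat()}"))
            continue
        if acct.terminated_on is not None and ts.date() >= acct.terminated_on:
            findings.append((user, f"{action} after termination on {acct.terminated_on}"))
            continue
        if action == "MODIFY" and rtype not in ROLE_MAY_MODIFY.get(acct.role, set()):
            findings.append((user, f"modified {rtype} {rid} outside role {acct.role}"))
    return findings


def review_sample():
    """Run the review over the constructed roster and log."""
    return review(SAMPLE_LOG, ROSTER, AS_OF)


if __name__ == "__main__":
    for user, finding in review_sample():
        print(f"{user:10} {finding}")
```

On the constructed data the review produces six findings: the generic "shipping" account is flagged twice (not individually assigned, and a password older than the assumed maximum), the terminated "rgarcia" account twice (a login and a record change after the termination date, which is exactly what clause 8c is meant to prevent), "ltran" once for changing a shipment record from a finance role, and the unrostered "unknown" account once. Reviewing against a roster rather than only against the log is the point: a shared or stale account is a policy violation even when nobody has abused it yet.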
Annex G
(informative)
[Checklist table; the only surviving column heading is PARTIALLY (P) OR FULLY (F) IMPLEMENTED.]
Annex H
(informative)
H.1 Purpose
The overall purpose of the workbook is to provide a consistent and complete Crisis
Management Plan for the COMPANY SITE facility. This Plan builds upon the information
contained in the COMPANY Crisis Manual and includes Business Continuity/Disaster Recovery
Plans that are pertinent to each Business Site and Functional Unit located in this complex of
facilities.
H.2 Introduction
A crisis is characterized as an extreme threat to important values, with intense time pressures,
high stress, and the need for rapid but careful decision making. It is often a turning point in
which a situation of impending danger to the organization runs the risk of escalating in
intensity, interfering with normal business operations, jeopardizing the organization’s public
image, and damaging the bottom line. Either a sudden event or a long smoldering issue may
trigger a crisis. It is essential to maintain an established and validated process to manage any
conceptualized crisis, so as to limit the intensity of a negative threat or event to persons working
on behalf of the organization, and to COMPANY’s products, services, financial condition, and
reputation.
The SITE facility will first attempt to contain and manage crises on a local basis, escalating in
accordance with the COMPANY’s Crisis Manual.
H.4 Process
SITE will follow the crisis processes outlined below.
[Process flowchart. Box labels recoverable from the figure: Crisis; Contain; Notify Key COMPANY
Crisis Team; Activate Region/Global/COMPANY-level Crisis Team; Communicate to Employees & Media
(Holding Statement); Deploy Emergency Procedures; Problem Resolved; Debrief; Initiate/Revise Crisis
Plan; Local.]
Below is a list of Crisis Management tools and templates. These tools and templates can be
viewed and downloaded from the SCRLC web site.
Worksheet 1: Roles and Contact Information
Identify the roles and personnel to be on call considering that sometimes a crisis can affect the
organization but does not disrupt the regular operations or affect just one single area. Below
you’ll find a description of the roles and responsibilities that each title may function within.
Business/Modality Leader: Lead the Individual Business Process Recovery Team, which is
responsible for ensuring the rapid recovery of business functions for their particular area in the
event of a business interruption or disaster.
Human Resources (HR): Ensure health and safety requirements are met. Work with the
communications manager to provide all emergency employee communications. Lead the Human
Resources Recovery Team, which provides support on personnel issues that are critical to
controlling the recovery effort.
Create a list of COMPANY policies, procedures, and training so that the team can follow
company standards in handling issues during the crisis management phase. Some of these
include:
a) Crisis Management Policy;
b) Company Global Security Policy;
c) Website;
d) Workplace Violence Guidelines; and
e) Crisis Management Training.
Worksheet 3: Initial Assessment Checklist
An initial assessment checklist enables the crisis response team to capture the facts of the
incident at a high level. Assigning a case number allows the team to collate other tools and
templates to the same case.
Worksheet 4: Extent of Damage Report
An Extent of Damage Report can be used during the initial analysis as well as later during the
most in depth review. Using the report at multiple points in the crisis management process
enables the team to assess how well the initial and on-going assessments were captured.
Worksheet 5: Site Damage Evaluation
A Site Damage Evaluation goes into more depth than an Extent of Damage Report and can be
used for each item captured on the Extent of Damage Report.
Worksheet 6: Site Security
A Site Security Report is an assessment tool to determine if security gaps exist as a result of the
incident.
Worksheet 7: Crisis Management Team Task Checklist
A Crisis Management Team Task Checklist is a tool for the team to use to identify if specific
tasks have been completed, by whom, and when.
Worksheet 8: Priority Process Checklist
A Priority Process Checklist allows the team to assess which priority processes have or will be
impacted by the incident.
Worksheet 9: Business Critical Telephone Numbers
A Business Critical Telephone Number List allows the team to have easy access to corporate
profile information for services (e.g., healthcare, software support, etc.).
Worksheet 10: Business Crisis Management Team
A Business Crisis Management Team worksheet identifies the key information for enterprise
level leadership who need to be kept apprised of the situation.
The following crisis management diagrams (1 – 5) identify process flows to guide a Crisis
Management team in managing incident response. (NOTE: In each diagram, bold text reflects
differences between preceding diagrams.) The following scenarios represent, respectively:
1. Potential harm to humans rather than physical assets;
2. Potential harm to physical rather than human assets;
3. Facility incapacitated but people OK;
4. Facility incapacitated with harm to people; and
5. Business disrupted but people OK.
[Crisis management diagrams 1 – 5 (process flowcharts). Only fragments of the box labels
survived extraction: Locate employees (HR); Notify families; Contact HQ/CEO; Business Co-Leader;
Processes Out or Serious Adverse Product Event / People OK; Contact Core Team; Initial Risk
Assessment; What do we know? / What We Will Do; Emergency or Crisis?; Activate Crisis Team; CM
Core Team; Holding Statement; Q&A; Fact Sheet; Contact Mission Critical Proc. Own.; Emergency
Call-in message updated; Initiate BCP; Operations Leader.]
Annex I
(informative)
Fire
Severe Weather
Medical Emergency
Hazardous Spills
All calls will be answered by the security officer at the Main Guardhouse. You will need to provide the following
information:
1) Your Name
2) Type of Emergency (Fire, Medical, Spill, etc.)
3) Your Location (Building, Floor & Column Number)
Wearing of safety glasses and protective footwear is required at all times in designated areas.
Cameras are prohibited on COMPANY premises without prior approval of the security department.
All on-site injuries, no matter how slight, should be reported. Medical facilities are available on site.
If medical assistance is required, notify your COMPANY contact person or dial NNNNN from any phone.
In the event of a facility evacuation, all visitors/vendors are to use any external door convenient to your location (See
map on inside of passport).
In the event of a severe weather emergency, proceed to the nearest shelter area. (See map on inside of passport and
maps posted throughout the facility for severe weather shelter areas.)
Pedestrians on the shop floor should ALWAYS be aware of motorized equipment such as forklifts and hand trucks.
All chemicals brought into the facility should have prior site approval. Contact the COMPANY person in advance
with a Material Safety Data Sheet.
The rules and regulations contained in this booklet are general and subject to change. Specific safety rules,
regulations and procedures will be brought to your attention as the need arises.
COMPANY insists on full cooperation and observance of all safety rules and regulations. Everyone will benefit from
good safety practices.
Should the Primary Crisis Room for any reason be inaccessible (power failure, physical damage, etc.), the Secondary
is pre-designated as the alternate Crisis Room. The room and all of its equipment are configured so that it can become
fully operational at any time 24/7. Provisions are in place to supply ventilation, power and computer network access
24/7.
Primary and Secondary locations are used as regular conference rooms to maximize the cost efficiency of the space.
Because a crisis could occur at any time and because the primary purpose of the room is for crisis purposes, all staff
booking the room should understand they could be pre-empted at any time and on very short notice.
NOTE: All crisis-related equipment (phones, display walls, other equipment) is secured and designed so that all of
this equipment can be unlocked, put in place and activated as quickly as possible.
The general parameters for the equipment in the Crisis Room are:
Fax machine;
Copier;
Printer; and
Facilities for refreshments.
In the case of a crisis, the room should be staffed with at least two to three support personnel to handle phone calls,
copying, fax, and IT support. The maintenance and activation protocol is established along the following guidelines:
Communications Plan
Facility Plan
If this is a multi-tenant site, the site is managed by XXXXX. XXXXX are employed by the YYYYY through their Agent
ZZZZZ. The reporting lines are that XXXXX will contact their own Management & YYYYY first with tenants notified
immediately afterwards.
The security response procedure is provided to the security officer through their assignment instructions:
Response:
Communication Systems:
BELOW ARE THE OPTIONS FOR THE LOCAL SITE FOR COMMUNICATION AND INFORMATION
DISSEMINATION.
b) Web: Instant Messaging Service, Web Meeting, in COMPANY and web page information in addition to local
radio.
c) Local radio net (hand held): will be used for emergency and urgent communications with response teams
(medical, spill, fire, security).
d) Cell phones: Will be used for both emergency communications as well as more routine communications.
This may become primary with a local telephone system failure.
e) Runners: With local failures of multiple communications systems, “runners” may become necessary to keep
command and control of resources.
f) Other: Access to other systems including community radios (fire/police), federal radio (National Guard),
HAM radio, etc. may vary widely and be unavailable.
g) External communications will be carefully channeled through the CML communications team.
Medical staff will not directly communicate with press or external community organizations without the
knowledge and approval of the CML communications team. This is a critical element of the response plan
to assure that all communications are accurate, coordinated and timely.
State Laboratories:
State Laboratory:
Passcode:
Date____________________
I. Facility/Location___________________________________________
On-site EHS/phone/Email_____________________________________
Plant Manager/phone/Email____________________________________
EAP Contact/phone/Email_____________________________________
_________________________________________________________________
EMS contact_______________________________________________
Phone______________________________________________
Phone______________________________________________
ER Contact/phone______________________________________
Local Pharmacy/Phone________________________________________
Annex J
(informative)
You may then want to identify which organization is impacted and needs to address such requirements.
Responsible Organization
Annex K
(informative)
1. Leadership 1A. Executive No SCRM leadership Functional SCRM has senior SCRM has senior SCRM has a senior
Leadership defined. managers have management management management defined
responsibility for support, but leadership leadership role and
leading risk leadership is found functionally defined active engagement of
management at functional levels. and is coordinated management is
within their across functions. enterprise-wide.
domain.
1B. Individuals assume SCRM activities are SCRM activities are SCRM activities are SCRM is coordinated
Line/Functional responsibility when led by affected pre- coordinated through led by a collaborative across the enterprise
Leadership an event is triggered. designated supply chain team of functional including multi-tier
functional manager(s) with managers with focus priority supply chain
managers. focus on on internal partners with defined
management within management roles and
the functions. including priority responsibilities.
supply chain partners.
1C. Governance No SCRM framework. Functional SCRM is SCRM is governed by SCRM framework is
managers use risk coordinated across a cross-functional well well-defined across the
management functional units defined framework enterprise including
frameworks with defined roles of including priority multi-tier priority
appropriate for key internal supply supply chain partners. supply chain partners.
their function with chain stakeholders.
no cross function
coordination.
109
ANSI/ASIS SCRM.1-2014
1D. Resources & No designated SCRM SCRM resources SCRM resources SCRM has committed SCRM is embedded
Commitment resources. are identified designated for resources with well- within the
within functional functional units. defined roles and organization's culture
units and risk Accountability and responsibilities on a and seen as a value
management is resource allocation cross-functional level added activity with
considered a within functional and considering appropriate resources
collateral duty. level. critical supply chain committed.
partners. Enterprise-wide
accountability and
resource allocation
considered as part of
regular fiscal allocations.
1E. Program No defined internal or Informal SCRM Formal SCRM Integrated SCRM Enterprise-wide
Communication external SCRM communications communications communications and communication and
communication. occur within the occur within consultation across consultation includes
functional units. functional units. functional units and multi-tier priority
Supply chain includes priority supply chain partners.
partner supply chain partners.
communications
occur as they relate
to individual
functions.
2. Planning 2A. Supply No supply chain Informal supply Formal process for Supply chain End to end supply chain
Chain Mapping mapping. chain mapping supply chain mapping completed mapping conducted
occurs. mapping within on critical products across priority products
product lines. and includes priority on an ongoing basis, are
supply chain partners readily available and
and include priority
interdependencies interdependencies.
across product lines.
110
ANSI/ASIS SCRM.1-2014
2B. Context and No identification Informal process Formal process for Formal process for SCRM context and
Operating SCRM context or for identifying identifying SCRM identifying SCRM operating environment
Environment operating SCRM context and context and context and operating is understood
environment. operating operating environment across enterprise-wide as well
environment within environment within product lines and as by multi-tiered
product lines. product lines. includes critical priority supply chain
priority supply chain partners.
partners and
interdependencies.
2C. Stakeholder Internal and external Internal SCRM Formal process Key SCRM All SCRM stakeholders
Identification stakeholders not stakeholders established to stakeholders identified and actively
identified. identified within identify key SCRM identified including engaged in SCRM
product line. stakeholders. those related to planning process.
priority supply chain
partners and
interdependencies.
2D. Risk No risk criteria Risk criteria are SCR criteria are SCR criteria are SCR criteria are
Tolerance established. identified for established for established across the established across the
specific current and specific current and SC based upon SC based upon
past events. past events and organization's organization's
anticipated risks. objectives. objectives, continually
Functional leaders reviewed for relevance,
consulted in and endorsed by senior
establishing risk management.
criteria.
2E. Risk No risk categories Risk identified for Risks identified Risks identified Comprehensive
Categories identified for types of specific issues, internally for internally and identification of risk
risk. typically related to specific issues externally across categories covering risks
past events, or within product lines. supply chain. related to tangible and
warnings intangible risk assets.
highlighted by Identification is aligned
governments or the with the overall
media. enterprise objectives.
111
ANSI/ASIS SCRM.1-2014
2F. Business No formal process for Informal process Formal process for Formal process with Comprehensive and
Impact threat, vulnerability or for analyzing analyzing threat, internal and external integrated process for
criticality analysis. threat, criticality criticality and stakeholders for conducting threat,
and vulnerability. vulnerability analyzing threat, vulnerability and
utilized throughout criticality and criticality analyzes
internal supply vulnerability utilized. across the enterprise and
chain. its supply chain.
2G. Event No formal process for Informal process in Formal risk analysis Formal risk analysis Comprehensive
Likelihood and analyzing likelihood place for analyzing process in place for process in place for documented and
Consequence and consequence to likelihood and analyzing internal analyzing internal integrated process for
determine level of consequence to likelihood and and external analyzing likelihood
risk. determine level of consequence based likelihood and and consequence to
risk. upon risk criteria to consequence based determine level of risk
determine level of upon risk criteria to across the enterprise and
risk utilized. determine level of risk supply chain.
utilized.
2H. Risk No formal process to Informal process in Formal process in Formal process in Comprehensive and
Prioritization evaluate or prioritize place to evaluate or place to evaluate or place to evaluate or integrated process in
risk. prioritize risk. prioritize internal prioritize internal and place to evaluate or
risk. external risk. prioritize across the
enterprise aligned with
the business objectives
of the organization.
2I. Risk No formal process for Informal process in Formal process in Process in place to Comprehensive
Treatment determining risk place to determine place to determine determine risk documented and
treatment strategy. risk treatment risk treatment treatment strategy integrated process to
strategy, but shared strategy developed developed in determine risk treatment
within risk in collaboration with collaboration with strategy across the
management internal supply internal and external enterprise and its supply
function and/or chain stakeholders. supply chain chain.
specific product stakeholders.
line supply chain
stakeholders.
112
ANSI/ASIS SCRM.1-2014
2J. Stakeholder No consultation with Informal Formal process for Formal process for Formal and ongoing
Consultation stakeholders. consultation with communication and communication and communication and
limited specific consultation consultation consultation with
internal throughout internal throughout internal and external
stakeholders. organization. organization to stakeholders (including
include supply chain sub-tier supply chain
partners. partners).
Communication and
consultation with
external stakeholders
is conducted as part of
the risk assessment
process.
3. Implementation

3A. Risk Monitoring
Level 1: No risk monitoring. Events become known when impact to the business is realized.
Level 2: Risk monitoring for specific identified issues, typically related to past events, or warnings highlighted by governments or the media. Risk is monitored in individual functions, but there is a lack of cross-function monitoring and warning.
Level 3: Resources are designated for specific functions to monitor risks in their functions and escalate when appropriate. Formal early warning detection system in place for real-time threats within supply chain functions.
Level 4: Risks are actively monitored across the organization, including the Tier-1 supply chain partner base. Formal early warning detection system in place for real-time threats across the supply chain.
Level 5: Systematic approach for early warning risk and threat detection (includes supply chain partners and interdependencies) to communicate threats to the organization, which can trigger risk treatment plans to prevent, mitigate or respond to the threat.
3B. Risk Treatment
Level 1: No formal risk treatment processes.
Level 2: Risk treatments focus on addressing issues identified from past events. Risk treatment processes emphasize response and recovery but lack an effort to address root causes and take pre-emptive measures.
Level 3: Risk treatment process emphasizes response and recovery. Proactive measures are introduced to better respond and recover. Risk treatment approaches are siloed along disciplines, with separate efforts for security, crisis, and business continuity management. These separate efforts interface with tier one supply chain partners.
Level 4: Risk treatment process emphasizes an integrated approach to anticipate, prevent, protect, mitigate, respond and recover by eliminating silos and coordinating disciplines in a single coordinated risk management effort. A pre-emptive capacity using an approach to anticipate, prevent, protect and mitigate potential undesirable or disruptive events, including supply chain partners, is being developed.
Level 5: Risk treatment processes emphasize an adaptive capacity and pre-emptive measures within the organization and its supply chain. Risk treatment is based upon creating and protecting value to the organization. Risk treatment is based upon a multi-disciplinary and unsiloed approach.
3C. Event Communication
Level 1: No communication procedures. Communication is not coordinated with internal or external stakeholders and is typically one-way communication which is reactive in nature, driven by demands for information.
Level 2: Communication and consultation procedures are established with internal stakeholders based on experiences with past incidents and identified needs for information sharing and warnings. Communication is not cross-functional.
Level 3: Two-way communication and consultation procedures are established with internal and external stakeholders (including key supply chain partners and government). Procedures are established for communications with internal and external stakeholders, including information sharing and warnings.
Level 4: Integrated communication and consultation procedures are established with internal and external stakeholders (including supply chain partners and government) based on output from the risk assessment. Communication protocols for normal and disruptive events are established for internal and external stakeholders.
Level 5: An integrated capacity, using all available communications technologies, for communication and consultation with external stakeholders (supply chain, government and community) is fully implemented and tested. Communication capacity is tested and verified, and contingencies are in place for internal and external stakeholders in the event of a disruption.
4. Evaluation

4A. Program Metrics
Level 1: No SCRM metrics to measure the impact of an event to the organization.
Level 2: SCRM indicators and metrics have been defined based on information needs from previous events. Post-event review of response and recovery times for specific events.
Level 3: SCRM indicators and metrics are defined based on past events and risk assessment. Metrics are function based and do not evaluate impact to the enterprise.
Level 4: SCRM indicators and metrics are defined based on the risk assessment process and the organization's overall objectives. Metrics measure the effectiveness of risk treatment programs and include critical supply chain partners.
Level 5: Supply chain metrics are integrated with the overall risk management metrics of the organization. Risk assessment and risk treatment effectiveness is analyzed from a multi-tiered perspective to determine the best return on investment for adaptive, proactive and reactive risk management strategies. Metrics highlight how organizations can minimize the likelihood of an event, or the consequences of an event, in the extended supply chain.
4B. Performance Review
Level 1: No performance review conducted.
Level 2: Performance review conducted within functions.
Level 3: Program performance metrics are established to assess the effectiveness of risk programs within functions. Gaps between plan and ...
Level 4: Program performance metrics are established to assess the effectiveness of risk programs across the enterprise, to include priority supply chain partners.
Level 5: Program performance metrics are established to assess the effectiveness of risk programs across the enterprise.
5B. Change Management
Level 1: No change management system in place.
Level 2: Change management initiated after disruptive events.
Level 3: Formal change management system is in place within functional units.
Level 4: Formal cross-functional change management system is in place, including priority supply chain partners.
Level 5: Formal enterprise-wide change management system is in place, including priority multi-tier supply chain partners. Change management is inherent throughout the organization's culture to promote opportunities for improvement.
Annex L
(informative)
Bibliography