ASIS INTERNATIONAL

Supply Chain Risk Management: A Compilation of Best Practices

ANSI/ASIS SCRM.1-2014

STANDARD

1625 Prince Street
Alexandria, Virginia 22314-2818
USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org

The worldwide leader in security standards and guidelines development

ASIS International (ASIS) is the preeminent
organization for security professionals, with more
than 38,000 members worldwide. Founded in 1955,
ASIS is dedicated to increasing the effectiveness and
productivity of security professionals by developing
educational programs and materials that address
broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the
security management profession to business, the
media, governmental entities, and the general public.
By providing members and the security community
with access to a full range of programs and services,
and by publishing the industry’s number one
magazine, Security Management, ASIS leads the way
for advanced and improved security performance.
For more information, visit www.asisonline.org.
ANSI/ASIS SCRM.1-2014

an American National Standard

SUPPLY CHAIN RISK MANAGEMENT:


A COMPILATION OF BEST PRACTICES

Approved March 28, 2014


American National Standards Institute, Inc.

ASIS International

Abstract
This Standard, developed in collaboration with the Supply Chain Risk Leadership Council, provides a framework for
collecting, developing, understanding, and implementing current best practices for supply chain risk management
(SCRM). It is a practitioner’s guide to SCRM and associated processes for the management of risks within the
organization and its end-to-end supply chain. This Standard provides some guidelines and possible approaches for an
organization to consider, including examples of tools other organizations have used. It can serve as a baseline for
helping enterprises assess and address supply chain risks and for documenting evolving practices.

NOTICE AND DISCLAIMER


The information in this publication was considered technically sound by the consensus of those who engaged in the
development and approval of the document at the time of its creation. Consensus does not necessarily mean that
there is unanimous agreement among the participants in the development of this document.

ASIS International standards and guideline publications, of which the document contained herein is one, are
developed through a voluntary consensus standards development process. This process brings together volunteers
and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication.
While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it
does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of
any information or the soundness of any judgments contained in its standards and guideline publications.

ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its
members or anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the
authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public,
because its works are not obligatory and because it does not monitor the use of them.

ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether
special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of,
application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied,
as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that
the information in this document will fulfill any person’s or entity’s particular purposes or needs. ASIS does not
undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of
this standard or guide.

In publishing and making this document available, ASIS is not undertaking to render professional or other services
for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to
someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate,
seek the advice of a competent professional in determining the exercise of reasonable care in any given
circumstances. Information and other standards on the topic covered by this publication may be available from other
sources, which the user may wish to consult for additional views or information not covered by this publication.

ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS
has no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any
activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any
practices, products, materials, designs, or installations for compliance with its standards. It merely publishes
standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any
certification or other statement of compliance with any information in this document should not be attributable to
ASIS and is solely the responsibility of the certifier or maker of the statement.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written
consent of the copyright owner.

Copyright © 2014 ASIS International


ISBN: 978-1-934904-56-5


FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been
processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has
not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary
for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory
requirements are designated by the word shall and recommendations by the word should. Where both a mandatory
requirement and a recommendation are specified for the same criterion, the recommendation represents a goal
currently identifiable as having distinct compatibility or performance advantages.

About ASIS
ASIS International (ASIS) is the leading organization for security professionals, with more than 38,000 members
worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by
developing educational programs and materials that address broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security
management profession to business, the media, government entities, and the public. By providing members and the
security community with access to a full range of programs and services, and by publishing the industry’s No. 1
magazine – Security Management - ASIS leads the way for advanced and improved security performance.

The work of preparing standards and guidelines is carried out through the ASIS International Standards and
Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited
Standards Development Organization (SDO), ASIS actively participates in the International Organization for
Standardization. The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security
management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based
process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security
professionals, and the global security industry.

About the SCRLC

The SCRLC (http://www.scrlc.com) is a cross-industry organization including world-class manufacturing and
services supply-chain organizations and academic institutions that work together to develop and share current best
practices in supply-chain risk management. Its mission is to create supply-chain risk management standards,
processes, capabilities, and metrics that reflect current best practices and can be widely adopted.

Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince
Street, Alexandria, VA 22314-2818.

Commission Members
Charles A. Baley, Farmers Insurance Group, Inc.
Jason L. Brown, Thales Australia
Michael Bouchard, Sterling Global Operations, Inc.
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William J. Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance
Eugene F. Ferraro, CPP, PCI, CFE, Convercent
F. Mark Geraci, CPP, Purdue Pharma L.P.
Bernard D. Greenawalt, CPP, Securitas Security Services USA, Inc.
Robert W. Jones, Socrates Ltd
Glen Kitteringham, CPP, Kitteringham Security Group Inc.
Michael E. Knoke, CPP, Express Scripts, Inc.
Bryan Leadbetter, CPP, CISSP
Marc H. Siegel, Ph.D., ASIS International, European Bureau
Jose Miguel Sobron, United Nations
Roger D. Warwick, Pyramid International
Allison Wylde, Researcher and Consultant

At the time it approved this document, the SCRM Standards Committee, which is responsible for the development of
this Standard, had the following members:

Committee Members
Committee Co-Chair: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Committee Co-Chair: John J. Brown, P.E., ARM-E, Thomson Reuters
Commission Liaison: Bernard D. Greenawalt, CPP, Securitas Security Services USA, Inc.
Committee Secretariat: Susan Carioti, ASIS International

Frank Amoyaw, LandMark Security Limited
Raymond Andersson, Australian Government - Department of Human Services
Edgard Ansola, CISA, CISSP, CEH, CCNA, Asepeyo
Ravi Anupindi, University of Michigan
Dennis Arter, ASQ Fellow, Certified Quality Auditor, American Society for Quality
Abrar Ashraf, CPP, PSP, Secure Options Group
Craig Babcock, Procter & Gamble
William Badertscher, CPP, PMP, GSEC, Georgetown University
Pradeep Bajaj, Professional Industrial Security Management Academy
Jay Beighley, CPP, CFE, Nationwide Mutual Insurance Company
Dennis Blass, CPP, PSP, CISSP, CFE, CSHP, Children's of Alabama
Michael Bouchard, CPP, Security Dynamics Group LLC
John Brown, CPP, Independent
Michael Brzozowski, PSP, Symcor
Terry Carrico, McKesson Corp.
John Casas, PSP, John Casas & Associates, LLC
Jim Castle, MSc, Corporate & Executive Solutions Ltd
Hugues Costes, DESS Information and Security - University Marne la Vallée, ArcelorMittal
John Coughlin, LoJack Supply Chain Integrity
Robert Day, CPP, PCI, CSP, CRSP, CHRP, Grad IOSH, CPMSIA, Office of Regulatory Change Management
Anthony DiSalvatore, CPP, PSP, PCI, Rocky Gap Casino Resort
Brian Dooley, CCP, CCSP, Brian T. Dooley & Associates
Jack Dowling, CPP, PSP, JD Security Consultants, LLC
Johan Du Plooy, CPP, TEMI Group
Meliha Dzirlo-Ayvaz, PMP, CBCP, CEM, Deloitte & Touche LLP
Mike Edgerton, CPP, Good Harbor Consulting, LLC
Thomas Engells, CPP, CPM, The University of Texas Medical Branch at Galveston
Richard J. Ferraro, Centanni Maritime, Inc.
Windom Fitzgerald, FitzgeraldTechnology Group
Charles Forsaith, Purdue Pharma
Thomas Frank, CPP, AbbVie Inc.
Jeremiah Frazier, CPP, Coca-Cola
Peter French, CPP, SSR Personnel
Robert Grieman, CPP, Securitas Security Services, USA, Inc.
Jeffrey Gruber, CPP, CHS-IV, Department of Defense, Department of the Army Civilian
Hector Grynberg, CPP, NOKIA
Phillip Guffey, CPP, Roche
Carlos Guzman, Security 101 Denver
Jon Hallaway, Harris Health Systems
Mark Hankewycz, CPP, The Protection Engineering Group, Inc.
Lloyd Hardy, JSI Logistics
Tom Holmes, Edinburgh International
Zahid Iqbal, MSc psn, Microsoft Corporation
Calvin Jaeger, PhD, Sandia National Laboratories
Ben Jakubovic, CPP, PSP, Avante International Technology
Mitchell Kemp, CPP, Cummins Filtration
David Kimmerly, CSC, AVSEC PM, WSP Middle East
Tami Kitajima, Competitive Insights, LLC
Timothy Klass, CPP, Amazon Web Services
Gerold Knight, The Coca-Cola Company
Otto Kocsis, Zurich Insurance Group
Stephen Krill, PMP, CEM, CBCP, SRA International
Alessandro Lega, CPP, Independent Consultant
Steven Lente, CPP, Securitas Security Services, USA, Inc.
Timothy Lindsey, CPP, Sidwell Protection Services
Charles Littler, American Bus Association
Anthony Macisco, CPP, The Densus Group
Charlie Maclean-Bristol, CPP, PlanB Consulting
Christopher Mark, American Sugar Refining/Domino Brands
Ronald Martin, CPP, Open Security Exchange
Pascal Matthey, PSP, XL Insurance Services Ltd
Jim McMahon, CPP, CISSP, McMahon & Associates
William Miller, MaCT USA
Michael Miller, American Broadcasting Companies, Inc.
David Moore, AcuTech Consulting Group
Rashon Moore, West-Ward Pharmaceutical
Joseph Nelson, CPP, State Street
Augustine Okereke, CPP, PZ Cussons Nigeria PLC
Philip Oppenheim, CBCP, Continuity Information Support Services
Russ Phillips, MMTS Group
Russell Price, Continuity Forum
Daniel Puente Pérez, Sociedad de Prevención de Asepeyo
Joseph Rector, CPP, PSP, PCI, USAF/11th Security Force Group
James Rice, MIT Center for Transportation and Logistics
Mark Riesinger, CPP, West Bend Mutual Insurance
Eric Rojo, USDOE, DOD, Magination Consulting International
John Schettino, CFS, DIAGEO
Gavriel Schneider, CPP, MTSEC, Dynamic Alternatives
Richard Sharpe, Competitive Insights, LLC
Jeffrey Slotnick, CPP, PSP, Setracon Inc.
Kevin Smith, CPP, Allied Insurance
Jose Miguel Sobron, United Nations
Jerzy W. Sobstel, SOSTEL
Scott Soltis, CPP, Actavis
Scott Taylor, CPP, Exact Security
Jason Teliszczak, CPP, JT Environmental Consulting, Inc.
Rajeev Thykatt, ISO 27001 Lead Auditor, BS 25999 Lead Auditor, Infosys BPO Ltd
Yoriko Tobishima, InterRisk Research Institute & Consulting, Inc.
Shawn VanDiver, CPP, AEM, CHS-V, CTT+, CHSM, CAS-PSM, VanDiver Consulting
Stephane Veilleux, CPP, Pharmascience
Carlos Velez, Johnson & Johnson
Erika Voss, CBCP, MBCI, Microsoft Corporation
Doug Weeks, PSP, Chevron
Renee Wentworth, Commonwealth of Virginia
Robert Weronik, CPP, Alexion
Nick Wildgoose, Zurich Insurance Group
Hunter Wright, CPP, Vestas Wind Systems
A. Dale Wunderlich, CPP, A. Dale Wunderlich & Associates, Inc.
Allison Wylde, University of Roe Hampton Business School

Working Group Members


Working Group Co-Chairs:
Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
John J. Brown, P.E., ARM-E, Thomson Reuters

Frank Amoyaw, LandMark Security Limited
Ravi Anupindi, University of Michigan
Craig Babcock, Procter & Gamble
Pradeep Bajaj, Professional Industrial Security Management Academy
Dennis Blass, CPP, PSP, CISSP, CFE, CSHP, Children's of Alabama
John Casas, PSP, John Casas & Associates, LLC
Anthony DiSalvatore, CPP, PSP, PCI, Rocky Gap Casino Resort
Meliha Dzirlo-Ayvaz, PMP, CBCP, CEM, Deloitte & Touche LLP
Windom Fitzgerald, FitzgeraldTechnology Group
Charles Forsaith, Purdue Pharma
Thomas Frank, CPP, AbbVie Inc.
Robert Grieman, CPP, Securitas Security Services, USA, Inc.
Jeffrey Gruber, CPP, CHS-IV, Department of Defense, Department of the Army Civilian
Hector Grynberg, CPP, NOKIA
Lloyd Hardy, JSI Logistics
Tom Holmes, Edinburgh International
Zahid Iqbal, MSc psn, Microsoft Corporation
Calvin Jaeger, PhD, Sandia National Laboratories
Gerold Knight, The Coca-Cola Company
Alessandro Lega, CPP, Independent Consultant
Steven Lente, CPP, Securitas Security Services, USA, Inc.
Anthony Macisco, CPP, The Densus Group
Charlie Maclean-Bristol, CPP, PlanB Consulting
Pascal Matthey, PSP, XL Insurance Services Ltd
Jim McMahon, CPP, CISSP, McMahon & Associates
Philip Oppenheim, CBCP, Continuity Information Support Services
Russ Phillips, MMTS Group
Russell Price, Continuity Forum
Joseph Rector, CPP, PSP, PCI, USAF/11th Security Force Group
Eric Rojo, USDOE, DOD, Magination Consulting International
John Schettino, CFS, DIAGEO
Richard Sharpe, Competitive Insights, LLC
Jeffrey Slotnick, CPP, PSP, Setracon Inc.
Kevin Smith, CPP, Allied Insurance
Jerzy W. Sobstel, SOSTEL
Jason Teliszczak, CPP, JT Environmental Consulting, Inc.
Rajeev Thykatt, ISO 27001 Lead Auditor, BS 25999 Lead Auditor, Infosys BPO Ltd
Shawn VanDiver, CPP, AEM, CHS-V, CTT+, CHSM, CAS-PSM, VanDiver Consulting
Stephane Veilleux, CPP, Pharmascience
Doug Weeks, PSP, Chevron
Renee Wentworth, Commonwealth of Virginia
Hunter Wright, CPP, Vestas Wind Systems
Allison Wylde, University of Roe Hampton Business School

TABLE OF CONTENTS

0 INTRODUCTION .............................................................................................................................................. XI
0.1 SUPPLY CHAIN RISK MANAGEMENT: AN OVERVIEW ...................................................................................................... XI
0.2 THE NEED FOR SUPPLY-CHAIN RISK MANAGEMENT ...................................................................................................... XI
1. SCOPE ........................................................................................................................................................... 1
2. NORMATIVE REFERENCES ............................................................................................................................. 1
3. TERMS AND DEFINITIONS ............................................................................................................................. 1
4. CHARACTERISTICS OF SUPPLY CHAIN RISK MANAGEMENT ........................................................................... 4
4.1 GENERAL ...............................................................................................................................................................4
4.2 LEADERSHIP AND TEAM COMPOSITION ........................................................................................................................5
4.3 SCRM BUSINESS CASE .............................................................................................................................................6
4.4 CHANGE MANAGEMENT IN SCRM .............................................................................................................................8
5. RISK MANAGEMENT PRINCIPLES AND PROCESS ........................................................................................... 9
5.1 GENERAL ...............................................................................................................................................................9
5.2 RISK COMMUNICATION AND CONSULTATION ..............................................................................................................11
5.3 ESTABLISHING THE CONTEXT ....................................................................................................................................11
5.3.1 General......................................................................................................................................................11
5.3.2 Internal Context ........................................................................................................................................13
5.3.3 External Context .......................................................................................................................................14
5.3.4 Mapping the Supply Chain ........................................................................................................................15
5.4 RISK ASSESSMENT PROCESS .....................................................................................................................................18
5.4.1 General......................................................................................................................................................18
5.4.2 Risk Criteria ...............................................................................................................................................18
5.4.3 Risk Appetite .............................................................................................................................................19
5.4.3 Risk Identification .....................................................................................................................................19
5.4.4 Risk Analysis ..............................................................................................................................................22
5.4.5 Risk Evaluation ..........................................................................................................................................25
6. RISK TREATMENT ........................................................................................................................................ 29
6.1 GENERAL .............................................................................................................................................................29
6.2 PROTECTING AND SECURING THE SUPPLY CHAIN ..........................................................................................................30
6.3 RESPONDING TO EVENTS.........................................................................................................................................33
6.4 MAINTAINING RESILIENCE OF BUSINESS OPERATIONS POST INCIDENT ..............................................................................37
7. PERFORMANCE EVALUATION AND CONTINUAL MONITORING ................................................................... 39
7.1 GENERAL .............................................................................................................................................................39
7.2 TESTING AND ADJUSTING THE PLAN ..........................................................................................................................41
7.3 TRACKING CHANGE ................................................................................................................................................43
7.4 MONITORING AND REVIEWING THE RISK MANAGEMENT PROGRAM ................................................................................45
A. INFORMATION AND COMMUNICATION TECHNOLOGIES (ICT) SECURITY .................................................... 47
A.1 INTRODUCTION .....................................................................................................................................................47
A.2 IMPLEMENTING ICT SCRM .....................................................................................................................................48
A.3 CONVERGENCE AND SCRM MANAGEMENT PRACTICES ................................................................................................49
B. ORGANIZATIONAL RESILIENCE PROCEDURES .............................................................................................. 51
B.1 GENERAL .............................................................................................................................................51
B.2 PREVENTION AND MITIGATION PROCEDURES ...............................................................................................51
B.3 RESPONSE PROCEDURES..........................................................................................................................................52
B.4 CONTINUITY PROCEDURES.......................................................................................................................................53
B.5 RECOVERY PROCEDURES .........................................................................................................................................54
C. SAMPLE RISKS BY CATEGORY AND TYPE ..................................................................................................... 61
D. GENERIC ELEMENTS FOR SUPPLY-CHAIN SECURITY AGREEMENTS .............................................................. 67
D.1 ELEMENTS TO CONSIDER FOR SUPPLIER AGREEMENTS: .................................................................................................67
E. SAMPLE SUPPLY-CHAIN SECURITY SELF-AWARENESS QUESTIONNAIRE FOR SUPPLIERS OR OTHER SUPPLY-
CHAIN PARTNERS .......................................................................................................................................... 70
F. ELEMENTS OF SUPPLY-CHAIN SECURITY CONTRACT LANGUAGE FOR EXTERNAL AND THIRD-PARTY
LOGISTICS SERVICE PROVIDERS ..................................................................................................................... 80
G. SAMPLE CRISIS-MANAGEMENT PROGRAM ELEMENT REVIEW ................................................................... 84
H. SAMPLE SITE CRISIS PLAN ........................................................................................................................... 87
H.1 PURPOSE .............................................................................................................................................................87
H.2 INTRODUCTION .....................................................................................................................................................87
H.3 ROLES, RESPONSIBILITIES AND CONTACTS ..................................................................................................................87
H.4 PROCESS .............................................................................................................................................................87
I. SUPPLEMENTARY FORMS ............................................................................................................................ 99
J. SAMPLE REGULATORY IMPACT ASSESSMENT ............................................................................................ 107
K. THE SUPPLY CHAIN RISK LEADERSHIP COUNCIL’S (SCRLC) MATURITY MODEL .......................................... 109
L. BIBLIOGRAPHY .......................................................................................................................................... 117

TABLE OF FIGURES
FIGURE 1: RISK MANAGEMENT PROCESS (BASED ON ISO 31000) ............................................................................................10
FIGURE 2: EXAMPLE OF INTERNAL AND EXTERNAL CONTEXTS FOR A FOOD/BEVERAGE COMPANY ....................................................15
FIGURE 3: NOTIONAL SUPPLY-CHAIN PROCESS FLOWS ............................................................................................................17
FIGURE 4: DETERMINING THE LEVEL OF RISK .........................................................................................................................23
FIGURE 5: BOW-TIE METHOD FOR LINKING TREATMENT TO CAUSE AND CONSEQUENCE ...............................................................24
FIGURE 6: RISK EVALUATION FUNNEL ...................................................................................................................................27
FIGURE 7: CONCEPTUAL RISK “FRONTIER” ............................................................................................................................28
FIGURE 8: “HEAT” MAP ....................................................................................................................................................29
FIGURE 9: NOTIONAL CRISIS MANAGEMENT STRUCTURE AND ENGAGEMENT MODEL ...................................................................35
FIGURE 10: CRISIS MANAGEMENT TEAM ACTIVATION AND WORK CYCLE ...................................................................................36
FIGURE 11: IDEAL CRISIS RESPONSE PROCESS........................................................................................................................37
FIGURE 12: FRAMEWORK FOR EXERCISES AND TESTING...........................................................................................................42
FIGURE 13: INTEGRATING RISK MANAGEMENT INTO BUSINESS OPERATIONS ...............................................................................46
FIGURE 14: ACTIVATING A CRISIS RESPONSE PLAN ..................................................................................................................88

TABLE OF TABLES
TABLE 1: EXAMPLES OF SOURCES OF RISK TO AN ORGANIZATION AND ITS SUPPLY CHAIN ...............................................................21
TABLE 2: OVERVIEW OF KEY PROPERTIES OF THE FOUR EXERCISE AND TESTING SCENARIOS ............................................................40

0 INTRODUCTION

0.1 Supply Chain Risk Management: An Overview

This Standard defines supply chain risk as the uncertainty in achieving an organization’s
objectives throughout its supply chain. Organizations of all types and sizes face internal and
external factors and influences that make it uncertain whether and when they will achieve their
objectives. The effect this uncertainty has on an organization's objectives is "risk". Supply chain
risk management (SCRM) involves the assessment and control of risk events at all points in an
end-to-end supply chain, from sources of raw materials to end use by customers and
consumers. SCRM is the systematic assessment and treatment of potential risk events across
operations with the objective to exploit opportunities and/or to reduce negative impacts on the
performance of the organization and its supply chain. This includes the coordinated activities
and practices an organization uses to manage its operational risks related to its end-to-end
supply chain. Potential risk events can occur within and outside the supply chain. Risk events
may be caused by:
a) Natural disasters;
b) Intentional acts (e.g., criminal acts, terrorism, industrial espionage, labor and social
unrest, regulatory actions, etc.); and
c) Unintentional acts (e.g., accidents, process breakdowns, wrong materials, personnel
issues, etc.).
SCRM is part of an integrated and multifaceted business management strategy, and therefore
also takes into consideration the organization’s image, reputation, and marketing, as well as the
management of quality; environment, health and safety; purchasing; logistics; facilities;
communications; human resources; and materials. SCRM integrates several different risk and
resilience related disciplines, including, but not limited to security, cyber-security, crisis,
business continuity, and emergency management, as well as asset conservation, insurance, and
technology recovery. SCRM seeks to anticipate, prevent, protect against, mitigate, manage, respond
to, and recover from potentially undesirable and disruptive events, as well as to identify
opportunities. The best strategy for addressing risk events will be determined by the
organization's context of operations, its risk appetite, and the results of its risk assessments.
Supply chain risk management is a holistic component of the overall risk management
framework for an organization. Therefore, this Standard should be used as a complement to
existing risk management programs for enterprise or fiduciary risk. Adoption of this Standard
should build on rather than supplant existing specialized risk programs.

0.2 The Need for Supply Chain Risk Management


SCRM is vital for organizations that increasingly rely on extended operations, both internal and
external, for their success. This is primarily due to the advantages organizations have found in
utilizing strategies such as globalization, outsourcing, off-shoring, specialized manufacturing,
supply-base rationalization, just-in-time deliveries, supplier consolidation and lean inventories.


While these strategies offer many benefits in efficiency and effectiveness, they also make supply
chains increasingly prone to risk and can increase the likelihood of supply-chain disruption.
Historic and recent events have proven the need to identify and manage supply chain risks.1
These past events illustrate that a single event can disrupt multiple elements of supply chains
around the world. Disruptions can impact any aspect of the supply chain, including critical
infrastructure, communications, logistics, supply, manufacturing, and distribution. Therefore,
to protect itself, an organization needs to develop proactive risk management strategies and
plans. Additionally, they need to be fully cognizant of potential adverse consequences,
opportunities, and impacts on financial performance.
SCRM is essential for all public or private organizations to manage risks associated with their
dependencies and interdependencies in order to survive and thrive. Operational maturity
levels vary between organizations. Some organizations have yet to realize the importance of
SCRM while others have emerging or advanced SCRM programs.2 This Standard provides
guidance on some current best practices that can be applied to any organization. An
organization may select and use the appropriate guidance based on the maturity of its SCRM
program.
In a globalized economy SCRM is critical for decision making and business planning of
international operations and expansion of business. It is important that those responsible for
analysis of international operations conduct a robust assessment of risk and resilience in their
planning processes prior to domestic or international expansion, taking into account the local
context and environment of operations. In the planning process the organization needs to
understand the levels of control, exposure, and visibility it will have of the various tiers of its
supply chain from end-to-end.
This guidance Standard is a compilation of evolving SCRM current best practices. It presents a
generic approach to risk and resilience management that is intended to be applicable to all types
of risk and all types of organizations. An organization’s approach to SCRM should be tailored
to meet its needs, context of operation, risk appetite, risk criteria, and its unique supply chain
characteristics. There is no single path to success; therefore, this Standard offers a collection of
SCRM current best practices, tools and approaches that any organization can review, and use or
customize to meet its unique needs. Illustrative examples of SCRM current best practices have
been included. Organizations should modify and adapt the concepts and examples included in
this Standard to fit their distinctive requirements, characteristics, and culture.

1 In 2011 and 2012 alone, economic losses from disruptive events have been reported in the hundreds of billions of
dollars worldwide, arising from natural disasters (e.g., Tohoku earthquake and tsunami, Thailand floods, Hurricane
Sandy, droughts and other extreme weather events, etc.) and man-made catastrophes (political instability, power
outages, cyber-crime, etc.).
2 See Annex K for an example of the Supply Chain Risk Leadership Council’s (SCRLC) maturity model.


This Standard addresses operational risks in the supply chain and includes risks to tangible
assets (e.g., human, physical, and financial) as well as intangible assets (e.g., brand, reputation,
competitive position or intellectual property). Each organization should define the scope of its
SCRM program consistent with its risk criteria. It presents SCRM current best practices as
models and/or options to improve operational risk management performance in the
organization and its supply chain based on empirical experience.
SCRM is an evolving field. The challenges faced by organizations and their supply chains are
constantly changing; therefore, SCRM is a dynamic discipline that, in order to achieve maximum
effectiveness, should be integrated into the business management and business planning
processes of the organization.3 The contents of this Standard should be seen as a snapshot in time reflecting
a collection of current best practices. Continual monitoring of risks is essential due to their
dynamic nature and the manner in which they may impact the operations of organizations and
their supply chains. When using this Standard, organizations should consider the concepts for
their organization against their current operating environment to determine how best to
structure SCRM to promote resiliency within their organization and its supply chain.

3 See Figure 13

AN AMERICAN NATIONAL STANDARD ANSI/ASIS SCRM.1-2014

Supply Chain Risk Management:


A Compilation of Best Practices

1 SCOPE
This Standard provides guidance and current best practices for developing and embedding a
framework and process of risk management in supply chain management. It can be applied to
any type of organization, and its supply chain, regardless of size. This Standard adopts the risk
management framework and process described in the ISO 31000:2009 - Risk management --
Principles and guidelines as the framework and process of Supply Chain Risk Management
(SCRM). It provides current best practices to:
a) Identify internal and external environments (including dependencies and
interdependencies);
b) Define risk criteria;
c) Assess risk (identify, analyze, and evaluate);
d) Consider and implement risk treatments and controls; and
e) Continually monitor and review risks and their treatment.

2 NORMATIVE REFERENCES
The following standard(s) contain provisions which, through reference in this text, constitute
fundamental knowledge for the use of this American National Standard. At the time of
publication, the edition(s) indicated were valid. All standards are subject to revision, and parties
to agreements based on this American National Standard are encouraged to investigate the
possibility of applying the most recent edition(s) of the standard(s) indicated below.
a) ISO 31000:2009, Risk management -- Principles and guidelines.

3 TERMS AND DEFINITIONS


For the purposes of this Standard, the following terms and definitions apply:

Term Definition
3.1 consequence Outcome of an event affecting objectives.
NOTE 1: An event can lead to a range of consequences.
NOTE 2: A consequence can be certain or uncertain and can have
positive or negative effects on objectives.
NOTE 3: Consequences can be expressed qualitatively or
quantitatively.
NOTE 4: Initial consequences can escalate through cumulative effects
from one event setting off a chain of events.
[ISO Guide 73:2009]
3.2 hazard Source of potential harm.
NOTE: Hazard can be a risk source.
[ISO Guide 73:2009]
3.3 likelihood Chance of something happening.
NOTE 1: In risk management terminology, the word
“likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined
objectively or subjectively, qualitatively or quantitatively, and
described using general terms or mathematically (such as a
probability or a frequency over a given time period).
NOTE 2: The English term “likelihood” does not have a direct
equivalent in some languages; instead, the equivalent of the
term “probability” is often used. However, in English,
“probability” is often narrowly interpreted as a mathematical
term. Therefore, in risk management terminology, “likelihood”
is used with the intent that it should have the same broad
interpretation as the term “probability” has in many languages
other than English.
[ISO Guide 73:2009]
3.4 resilience The adaptive capacity of an organization in a complex and changing
environment.
NOTE 1: Resilience is the ability of an organization to resist
being affected by an event or the ability to return to an
acceptable level of performance in an acceptable period of
time after being affected by an event.
NOTE 2: Resilience is the capability of a system to maintain
its functions and structure in the face of internal and external
change and to degrade gracefully when it must.
[ANSI/ASIS SPC.1-2009]
3.5 residual risk Risk remaining after risk treatment.
NOTE 1: Residual risk can contain unidentified risk.
NOTE 2: Residual risk can also be known as “retained risk.”
[ISO Guide 73:2009]
3.6 risk Effect of uncertainty on objectives.
NOTE 1: An effect is a deviation from the expected — positive
and/or negative.
NOTE 2: Objectives can have different aspects (e.g., financial,
health and safety, and environmental goals) and can apply at
different levels (e.g., strategic, organization-wide, project,
product, and process).
NOTE 3: Risk is often characterized by reference to potential
events and consequences, or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of
the consequences of an event (including changes in
circumstances) and the associated likelihood of occurrence.
[ISO Guide 73:2009]
3.7 risk appetite Amount and type of risk that an organization is prepared to pursue,
retain or take. [ISO Guide 73:2009]
NOTE: The risk appetite of an organization reflects its
philosophy towards managing risk.
3.8 risk assessment Overall process of risk identification, risk analysis, and risk evaluation.
[ISO Guide 73:2009]
3.9 risk analysis Process to comprehend the nature of risk and to determine the level of
risk.
NOTE 1: Risk analysis provides the basis for risk evaluation
and decisions about risk treatment.
NOTE 2: Risk analysis includes risk estimation.
[ISO Guide 73:2009]
3.10 risk criteria Terms of reference against which the significance of a risk is evaluated.
NOTE 1: Risk criteria are based on organizational objectives,
and external and internal context.
NOTE 2: Risk criteria can be derived from standards, laws,
policies, and other requirements.
[ISO Guide 73:2009]
3.11 risk evaluation Process of comparing the results of risk analysis with risk criteria to
determine whether the risk and/or its magnitude are acceptable or
tolerable.
NOTE: Risk evaluation assists in the decision about risk
treatment.
[ISO Guide 73:2009]
3.12 risk identification Process of finding, recognizing and describing risks.
NOTE 1: Risk identification involves the identification of risk
sources, events, their causes, and their potential
consequences.
NOTE 2: Risk identification can involve historical data,
theoretical analysis, informed and expert opinions, and
stakeholders’ needs.
[ISO Guide 73:2009]
3.13 risk management Coordinated activities to direct and control an organization with
regard to risk.
[ISO Guide 73:2009]
3.14 risk treatment Process to modify risk.
NOTE 1: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with
the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood;
— changing the consequences;
— sharing the risk with another party or parties (including
contracts and risk financing); and
— retaining the risk by informed choice.
NOTE 2: Risk treatments that deal with negative
consequences are sometimes referred to as “risk mitigation,”
“risk elimination,” “risk prevention,” and “risk reduction.”
NOTE 3: Risk treatment can create new risks or modify
existing risks.
[ISO Guide 73:2009]
3.15 supply chain A two-way relationship of organizations, people, activities, logistics,
information, technology, and resources engaged in activities and
creating value from point of origin to point of consumption, including
transforming materials/components to products and services for end
users.
3.16 supply chain management Management of a network of interconnected organizations and their
activities related to the provision of goods and services from point of
origin to point of consumption.
3.17 threat Potential cause of an unwanted incident, which may result in harm to
individuals, assets, a system or organization, the environment, or the
community.
[ANSI/ASIS SPC.1-2009]
3.18 tiers The degrees of separation or stages of nodes of businesses,
organizations, and logistic channels that make up the supply chain
network involved in the provision of products and services.
NOTE 1: Tier number begins at the organization conducting
the supply chain analysis. For example, a tier one company
supplies products and services to the organization conducting
the supply chain analysis; tier two companies supply
companies in tier one; tier three supplies tier two, and so on.
NOTE 2: Product and service flow between tiers can be either
uni-directional or bi-directional.
3.19 uncertainty Outcomes are not clearly identified, defined, or known and may be
subject to change.
NOTE: The state, even partial, of deficiency of information
related to, understanding or knowledge of, an event, its
consequence, or likelihood. [ISO Guide 73:2009, ISO
31000:2009]
3.20 vulnerability Intrinsic properties of something resulting in susceptibility to a risk
source that can lead to a consequence.
[ISO Guide 73:2009]
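The tier numbering in definition 3.18 (tier one supplies the organization conducting the analysis, tier two supplies tier one, and so on) is easiest to see on a small mapped supply chain. The following is an added example, not part of the Standard: the company names, materials and flows are constructed for illustration, and the organization conducting the analysis is called "us". It assigns tiers by walking upstream from "us" and then flags materials with a single supplier, which surfaces convergence points (a sole tier-two source feeding several tier-one suppliers) that a tier-one-only view would miss.

```python
"""Tier numbering over a constructed supply-chain graph (added example;
the graph, names and materials are not from the Standard)."""
from collections import deque

# Constructed edges: supplier -> [(customer, material), ...].
# "us" is the organization conducting the supply chain analysis.
# The last entry models a bi-directional flow (NOTE 2 of 3.18): "us"
# also ships recycled resin back to a tier-two plastics supplier.
SUPPLIES = {
    "AcmeAssembly":    [("us", "control-units")],
    "BetaElectronics": [("us", "control-units")],
    "GammaPlastics":   [("AcmeAssembly", "housings"),
                        ("BetaElectronics", "housings")],
    "DeltaChips":      [("AcmeAssembly", "microcontrollers"),
                        ("BetaElectronics", "microcontrollers")],
    "EpsilonFoundry":  [("DeltaChips", "wafers")],
    "us":              [("GammaPlastics", "recycled-resin")],
}


def compute_tiers(supplies, origin="us"):
    """Return {organization: tier}, numbering as in 3.18 NOTE 1.

    Tier 0 is the analyzing organization; a supplier's tier is one more
    than the lowest tier of any customer it supplies (breadth-first
    search upstream over the supply-direction edges)."""
    suppliers_of = {}
    for supplier, edges in supplies.items():
        for customer, _material in edges:
            suppliers_of.setdefault(customer, set()).add(supplier)

    tiers = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for supplier in sorted(suppliers_of.get(node, ())):
            if supplier not in tiers:          # first visit = shortest path
                tiers[supplier] = tiers[node] + 1
                queue.append(supplier)
    return tiers


def sole_source_materials(supplies, tiers, origin="us"):
    """Materials with exactly one supplier in the mapped chain.

    Returns {material: (supplier, supplier_tier, customer_count)}.
    A customer_count above 1 at tier two or deeper means several
    tier-one suppliers converge on the same single source, so the
    apparent diversity at tier one is not real diversity."""
    sources = {}
    for supplier, edges in supplies.items():
        if supplier == origin:                 # our own outbound flows
            continue
        for _customer, material in edges:
            sources.setdefault(material, set()).add(supplier)

    result = {}
    for material, sups in sources.items():
        if len(sups) == 1:
            (supplier,) = sups
            customers = {c for c, m in supplies[supplier] if m == material}
            result[material] = (supplier, tiers[supplier], len(customers))
    return dict(sorted(result.items()))


if __name__ == "__main__":
    tiers = compute_tiers(SUPPLIES)
    for org, tier in sorted(tiers.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"tier {tier}: {org}")
    for material, (sup, tier, n) in sole_source_materials(SUPPLIES, tiers).items():
        print(f"sole source for {material}: {sup} (tier {tier}, "
              f"feeds {n} customer(s))")
```

On this constructed graph the two tier-one suppliers of control units both depend on the same tier-two microcontroller and housing suppliers, which is exactly the case in which scoping the SCRM program beyond the first tier is warranted.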

4 CHARACTERISTICS OF SUPPLY CHAIN RISK MANAGEMENT

4.1 General
SCRM is an integrated and holistic management approach focused on ensuring the
sustainability and resilience of the organization and its supply chain incorporating governance,
change management, and continual improvement. SCRM expands the organization’s risk and
resilience management approach to its supply chain in a synchronized fashion. Efforts to
implement SCRM generally start by addressing four underlying concepts: leadership, the
development of a business case, change management, and continual improvement.4

4 It should be noted that this does not connote uniformity in risk management throughout the supply chain. It is
important to recognize that individual organizations within a supply chain will have different levels of maturity in
managing risk. See Annex K and ANSI/ASIS SPC.4 - Maturity Model for the Phased Implementation of the Organizational
Resilience Management System for guidance on enhancing levels of maturity.


4.2 Leadership and Team Composition


As with any significant initiative, a successful SCRM program requires a mandate, support, and
commitment from top management. Top management support can be in the form of resources,
engagement, encouragement, and guidance. An integrated and engaged top management team
should communicate a clear mandate for SCRM throughout the organization, set the risk
criteria (including the risk appetite), help identify risks, decide on risk treatments, and
participate in process review and improvement. A multi-disciplinary SCRM Leadership Team
should work in a concerted effort to prevent, mitigate, respond, and recover from any events
that might occur. Ultimate accountability, leadership, reporting, and ownership of supply chain
risk rests with top management. Effective engagement of leadership promotes a SCRM culture
throughout the organization.
The multi-disciplinary SCRM team should be headed by a SCRM representative or champion,
and include representatives from functions such as:
a) Accounting and finance;
b) Business continuity and crisis management;
c) Engineering, process control, and product design;
d) Environmental, health, and safety;
e) Facilities management;
f) Human resources;
g) Import/export compliance;
h) Information and communications technology;
i) Internal auditing;
j) Legal and regulatory compliance;
k) Procurement and purchasing;
l) Production and manufacturing;
m) Quality;
n) Risk management;
o) Sales;
p) Security and information security management;
q) Supplier management;
r) Top management;
s) Transportation and logistics;
t) Training and awareness;
u) Warehousing and storage; and
v) Other stakeholders (e.g., unions, associations, civil society groups, regulators, first
responders, customs officials, etc.).
Appropriate functions should have ongoing representation on both the management level
leadership team and the implementation team.
There should be a designated management representative with the defined responsibility and
authority for overseeing, implementing, and maintaining SCRM. Several factors may influence
the choice of a person or persons who serve as representative(s) and SCRM champion(s).
Characteristics of the champion(s) include:
a) Respect for both leadership and staff;
b) Knowledge of operations, processes, manufacturing, services, and intangible assets;
c) Knowledge of assessing and managing risk;
d) Familiarity with high risk operation areas;
e) Understanding the operations and value chain;
f) Capability to coordinate information flow from various sources;
g) Appreciation for the dynamic and interdisciplinary nature of operations; and
h) Understanding the organizational culture and change management.
Team members should meet periodically to coordinate efforts and ensure that SCRM processes
are being integrated into their ongoing operational processes. They should coordinate with
change management to ensure risk treatment. Additionally, SCRM leadership should report to
executive management on a periodic basis.
Top management should integrate the SCRM process into governance and all other
management processes of the organization. By fully integrating SCRM into the decision making
processes of the organization, it becomes part of the organization’s culture. The organization
should develop clear governance and operating procedures, including clear definitions of roles,
authorities, and responsibilities. The SCRM Leadership Team should gather information and
support from discipline specialists (e.g., security, crisis, information security, and business
continuity managers) in order to ensure a comprehensive SCRM strategy is in place and to
acquire the resources from top management necessary to support the SCRM program. By
integrating SCRM monitoring in its day-to-day process activities (including product and service
delivery, meetings, training, and performance reviews) a SCRM culture can be instilled in the
organization.

4.3 SCRM Business Case


A business case provides the justification for implementing and improving SCRM in terms of
evaluating the benefits, costs, risk of alternatives, and the rationale for the preferred solution.
The business case serves as a documented, structured proposal for a program or improvement
process. It provides a basis for a selection decision by organizational decision makers. It
identifies the requirements that are to be satisfied, an analysis of proposed alternative solutions
(with reasons for rejecting or carrying forward each option), assumptions, constraints, a risk-
adjusted cost-benefit analysis, and preliminary action plan. The business case should provide
the information necessary to make financial decisions regarding prioritizing enterprise
expenditures based on the value of the proposed project versus other projects.
Typically, business cases contain the following components:
a) Background description of the business need/issue;
b) Explanation of the identified benefits of addressing that need;
c) Identification of significant assumptions and constraints related to relative solutions;
d) Alignment of project benefits with organizational objectives;
e) Justification for undertaking the project;
f) Description of performance goals and measures;
g) Definition of success for the proposed project;
h) Analysis of alternative solutions, including the possibility of continuing with no change,
identification of a preferred solution, and explanation of why the preferred solution is
recommended;
i) Estimation of required resources such as funding, human resources, materials, etc. for
both the project and ongoing support and maintenance of any related or ongoing project
efforts;
j) Estimation of potential costs of risks (including human, financial, reputational, and
environmental implications);
k) Benefits (tangible and intangible) and cost of executing the project;
l) Competitive advantage from dampened impact and faster recovery from risk events;
m) Potential opportunities related to risk events;
n) Estimation of return on investment, break-even point, operational/ongoing costs, etc.;
and
o) Explanation of project risks/issues and strategies to address them.
Disruptions will have financial implications. A common approach has been to:
a) Identify risks for priority nodes and tiers in the supply chain;
b) Prioritize the identified risks;
c) Determine, with top management approval, the risk treatment strategies needed to meet
organizational and supply chain objectives; and
d) Evaluate cost avoidance and opportunities for improvement to help justify SCRM
investments.

SCRM can also offer intangible benefits. These include avoiding damage to reputation or brand
that may accompany an undesirable and disruptive event in the supply-chain, as well as
breaking down organizational silos, which is not only necessary for SCRM but can also help
organizations in other initiatives required for a comprehensive enterprise-wide risk
management program.
A business case can be constructed using various metrics from the disciplines within SCRM.
For example, reducing the number of disruptions, thereby preventing losses, can be achieved
through adaptive and preemptive measures. The case can be made that the organization is less
susceptible to various risk scenarios (single or multiple). Reduced response times when
incidents occur, (thereby protecting the organization’s tangible and intangible assets), can be
demonstrated through fewer losses and mitigation of the consequences of an event. Other
organizations make the business case based on reduced times for recovery of priority supply
chain activities, services and products. By identifying, assessing, and mitigating the
consequences of risks, the organization targets specific reductions in recovery times. In all these
examples, the organization can predict and compare the loss with and without appropriate risk
treatments. Historic data from previous events provide a good starting point for comparisons.

4.4 Change Management in SCRM


Establishing or improving SCRM in most enterprises represents a major change. Consequently,
organizations that are implementing SCRM need to pay particular attention to the tenets of
successful change management. These include a compelling case for change, unwavering top
management support, a visible executive champion, and a clear vision of the implications of the
change(s). They also include development of an action plan for implementation as well as
ongoing monitoring and refinement to reflect lessons learned.
Change management requires ongoing monitoring, analysis, and amendments. It also requires
stakeholders to be psychologically and emotionally prepared to effect the change. Therefore a
change management strategy should include:
a) Ongoing monitoring and analysis of the changes that may be required in assessing the
risks to the supply chain;
b) Training sessions to keep the team members aware of potential opportunities and to
understand the need, rationale, and approach for change, with a view to ensure smooth
change management; and
c) Linking SCRM and other organizational and supply chain objectives such as quality,
environmental, sustainability, and occupational health and safety management.
Lastly, and perhaps most critically, they require sustained and transparent communication with
key stakeholders throughout the change, including:
a) Proactive education and training so that personnel have the skills to execute the change;
b) Incentives aligned with the desired outcomes of the change; and
c) Adequate resources to successfully manage and implement the change.

Because resistance is natural and to be expected with a major change, those implementing
SCRM also need to pay attention to the psychological and emotional aspects of the change.
Linking SCRM to other organizational and supply chain objectives such as quality,
environmental, sustainability, and occupational health and safety management is
recommended.

4.5 Continual Improvement


Continual improvement in SCRM supports the overall business management strategy to
identify and exploit opportunities for improvement. An integral part of the overall assessment
of the organization’s performance is the assessment of its SCRM. The organization sets
organizational performance goals and by measuring and benchmarking its performance
identifies modifications to processes, systems, capabilities, resources, and competencies to
enhance performance.

5 RISK MANAGEMENT PRINCIPLES AND PROCESS

5.1 General
This Standard provides an approach to managing the risk in an organization’s supply chain.
The process, based on ISO 31000, covers elements of defining contexts, risk assessment, and risk
treatment (Figure 1). ISO 31000 is a key building block to this approach; while adapting it to the
organization’s needs and purposes, the Standard recognizes the need to avoid replicating
standards documents but rather to optimize current best practices that help promote and
sustain organizational resiliency.

Figure 1: Risk Management Process (based on ISO 31000)

As described in ISO 31000:2009, the foundation of any risk management program is based on:
a) Establishing the context;
b) Risk assessment involving:
i. Risk identification – recognizing what risks exist;
ii. Risk analysis – considered in terms of likelihood and consequence, after
considering current controls; and
iii. Risk evaluation – deciding how to prioritize the risks.
c) Risk treatment – using the results of the risk assessment to determine how to treat the
risks;
d) Communication and consultation with internal and external stakeholders throughout
the risk management process; and
e) Ongoing monitoring and review conducted throughout the risk management process.
Risk management is an integral part of an overall business management strategy which
specifically assesses and addresses the effect of uncertainty on the organization’s objectives.
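The steps above (identification, analysis in terms of likelihood and consequence after current controls, evaluation against risk criteria, treatment, and the residual risk that remains) can be run over a small risk register. The following is an added example, not part of the Standard or of ISO 31000: the 1-to-5 scales, the risk criteria thresholds, the register entries and the treatment plan are all constructed for illustration, and a real program would set its own scales from its risk appetite.

```python
"""Risk analysis, evaluation, treatment and residual risk over a
constructed supply-chain risk register (added example; scales,
thresholds and entries are illustrative, not from the Standard)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    likelihood: int    # 1 rare .. 5 almost certain, assessed after current controls
    consequence: int   # 1 negligible .. 5 severe
    owner: str         # ownership must be defined before a risk can be treated

    def level(self) -> int:
        """Risk analysis: combine likelihood and consequence (definition 3.6 NOTE 4)."""
        return self.likelihood * self.consequence


# Constructed risk criteria: the highest level the organization accepts
# without treatment, and the highest it tolerates pending treatment.
RISK_CRITERIA = {"acceptable": 6, "tolerable": 12}


def evaluate(level: int, criteria=RISK_CRITERIA) -> str:
    """Risk evaluation (3.11): compare the analysed level with the criteria."""
    if level <= criteria["acceptable"]:
        return "acceptable"
    if level <= criteria["tolerable"]:
        return "tolerable"
    return "unacceptable"


def prioritize(register):
    """Order risks for treatment: highest level first, then by identifier."""
    return sorted(register, key=lambda r: (-r.level(), r.rid))


def _clamp(value: int) -> int:
    return max(1, min(5, value))


def treat(risk: Risk, delta_likelihood: int = 0, delta_consequence: int = 0) -> Risk:
    """Risk treatment (3.14): change the likelihood and/or the consequence.

    Returns the residual risk (3.5) as a new object; the original register
    entry is kept so the before/after comparison stays available."""
    return replace(risk,
                   likelihood=_clamp(risk.likelihood + delta_likelihood),
                   consequence=_clamp(risk.consequence + delta_consequence))


# Constructed register. Likelihoods already reflect the controls in place.
REGISTER = [
    Risk("R1", "Sole-source tier-two microcontroller supplier disrupted by flooding",
         3, 5, "Procurement"),
    Risk("R2", "Counterfeit components entering through an unvetted broker",
         2, 4, "Quality"),
    Risk("R3", "Customs delay at the main port of entry", 4, 2, "Logistics"),
    Risk("R4", "Tier-one supplier's shipping data altered after an ERP compromise",
         2, 3, "Information security"),
]

# Constructed treatment plan: rid -> (delta_likelihood, delta_consequence).
# Risks already inside the acceptable threshold are retained by informed choice.
TREATMENT_PLAN = {
    "R1": (0, -3),   # qualify a second source: same likelihood, smaller consequence
    "R2": (-1, 0),   # contractual vetting of brokers: lower likelihood
    "R3": (-1, -1),  # pre-clearance plus safety stock: both reduced
}


def assess_and_treat(register=REGISTER, plan=TREATMENT_PLAN, criteria=RISK_CRITERIA):
    """Run analysis -> evaluation -> treatment -> residual evaluation.

    Returns {rid: (initial_level, initial_eval, residual_level, residual_eval)}
    in treatment priority order. Residual risk can still contain risk that
    was never identified (3.5 NOTE 1), which is why monitoring continues."""
    results = {}
    for risk in prioritize(register):
        initial = risk.level()
        residual_risk = risk
        if evaluate(initial, criteria) != "acceptable" and risk.rid in plan:
            residual_risk = treat(risk, *plan[risk.rid])
        residual = residual_risk.level()
        results[risk.rid] = (initial, evaluate(initial, criteria),
                             residual, evaluate(residual, criteria))
    return results


if __name__ == "__main__":
    for rid, (lvl0, ev0, lvl1, ev1) in assess_and_treat().items():
        print(f"{rid}: {lvl0:2d} ({ev0}) -> residual {lvl1:2d} ({ev1})")
```

The before/after levels are the comparison the business case in 4.3 asks for: the predicted loss with and without the treatment, expressed here on the constructed scales rather than in currency.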
Therefore, in managing risk it is important to understand the significance, influence, types, and
sources of uncertainty. Factors to consider include (but are not limited to):
a) Completeness of information;
b) Availability and reliability of information sources;
c) Dependability and effect of risk treatments and controls;
d) Assumptions made in assessing and treating risk;
e) Degree of certainty of likelihood and consequence predictions;
f) Volatility of internal and external context;
g) Context of time and perceptions of time;
h) Results of sensitivity studies; and
i) Effectiveness of risk monitoring and change management.
Risk management is an ongoing activity that involves continual monitoring and assessment of
the risk landscape. The internal and external context of an organization and its supply chain are
dynamic. Therefore the risk assessment process should be able to evaluate a wide variety of
risks over time, as well as monitor, review, and adapt to a dynamic context of its operations.

5.2 Risk Communication and Consultation


The organization should establish and maintain a formal and documented communication and
consultation process with its internal and external stakeholders in all steps of the risk
management process to ensure that:
a) Objectives, needs, and interests of the internal and external stakeholders are understood
(including persons, organizations, communities, and upstream and downstream supply
chain partners);
b) Risks are adequately identified and communicated within the organization and
throughout the supply chain;
c) Dependencies and linkages with subcontractors and within the supply chain are
understood;
d) Risk assessment process interfaces with other management disciplines; and
e) Risk assessment is being conducted within the appropriate internal and external context
and parameters relevant to the organization and its contractors and supply chain.

5.3 Establishing the Context


5.3.1 General
The process begins with identifying the internal and external context and environment that may
influence supply chain risk.


To conduct the risk assessment and manage risks, the organization needs to first understand the
internal and external environment in which it operates. This includes identifying all relevant
stakeholders that can affect risk or be impacted by risk. Defining the context provides the basis
for defining the scope and stakeholders involved in the risk management process.
In establishing the context, the organization should identify its objectives and value drivers.
What are the value generators and drivers for the organization, as well as its implicit and
explicit goals and values? Understanding the activities that are instrumental in the organization
providing its goods and services will provide a basis for prioritizing and evaluating risk. The
organization needs to assess and evaluate what is key to the organization achieving its
objectives and creating value.
Risks exist at all levels and entities within an organization. Process risks exist at production
sites. Supplier risks exist at direct or indirect supplier sites. Distribution risks exist at suppliers
and in upstream and downstream transportation and logistics systems. Legislative, compliance,
intellectual property, sovereign, and regulatory risks exist at the country or regional level for
multinational enterprises. Finally, operational risks exist at the agency, department, division,
branch, unit, or corporate level.
Organizations should identify, own, prioritize, and manage risks at the point at which they
occur. Organizations should also aggregate and report risks across the organization and
vertically through business reporting structures. Organizations should give risks that exist
within multiple entities common, coordinated treatments. When managing risks it is important
to be aware of cumulative effects from one event setting off a chain of events, and the impact of
one risk treatment method on other areas of risk.
Ownership of an identified risk is not always clearly defined. Defining risk ownership is
necessary to treat the risk and ensure that it does not adversely affect the organizations in the
supply chain. Such risks may arise when franchises make, for local consumption, a final product
whose performance will affect the reputation of the whole franchise. For example, risks may arise when
a supplier uses lead paint on toys ultimately assembled for firms with strong brand-name
recognition. Governance controls and guidance to manage such risks may include corporate
leadership setting policies, standards, procedures, and contractual and auditing requirements
for suppliers to follow. When organizations cannot impose on franchises and supply chain
partners how to operate their facilities, they should provide guidance and evaluate impacts of
risks due to nonconformance.
The presence of differing risks at multiple levels of an organization underscores the importance
of defining the context within which a risk-management program is implemented. This includes
suppliers, production and services, logistics (e.g., transportation, warehousing, and
distribution), customers, and other elements that can affect the supply chain. These elements
will vary by industry, as will the efforts an organization can make to address them. For
example, a manufacturing plant may have more control over assembly risks, while a business
unit may be tasked with controlling supply-chain risks posed by legislative and regulatory
issues as well as managing some procurement risks.

12
ANSI/ASIS SCRM.1-2014

Defining the scope is a key decision in developing an SCRM program. The scope defines what
activities of the organization and its supply chain will be included in the SCRM program.
Organizations may initially focus on a Tier 1 entity, or even prioritize among Tier 1 supply
chain entities. A Tier 1 entity is the main customer, contractor, or supplier that provides goods
or services directly to or from the organization. In most cases, the scope should include
suppliers and customers based on their role in the value chain. In determining how much of the
supply chain to include beyond the first tier, managers may wish to characterize inputs by the
number of suppliers and number of customers. For example, if many possible suppliers exist for
a common commodity, it may be unnecessary to go beyond the first tier when considering
supply chain risks. For materials with few or sole sources, it will probably be necessary to
consider risks at the second tier. Between these two extremes, organizations need to assess how
critical a particular component is or how easily a supplier can be replaced and, if necessary,
consider supply risks in the second tier for priority components or suppliers. A key node occurs
where the supply chain map funnels to a point at which one or two deeper sub-tier suppliers
are the sources for all the suppliers above them. An example of this occurred with the Xirallic paint
pigment supplier (Tier 3) that was the only source of glitter effect auto pigment in the world,
affecting many auto manufacturers.
Understanding the activities that are instrumental in the organization providing its goods and
services will provide a basis for prioritizing and evaluating risk. Distribution risks exist at
suppliers and in upstream and downstream transportation and logistics systems. Legislative,
compliance, intellectual property, sovereign, and regulatory risks exist at the country or
regional level for multinational enterprises. Finally, strategic risks exist at the agency,
department, division, branch, unit, or corporate level. When managing risks it is important for
the organizations concerned to be aware of cumulative effects from one event setting off a chain
of events, as well as the impact of one risk treatment method on other areas of risk.
By repeating this process for increasing numbers of tiers of suppliers and customers,
organizations can identify the portions of the supply chain that have the greatest risks to
operations. Specific knowledge of an organization and its supply chain, context of operation,
and risks is necessary to guide decisions; and to this end, the initial risk assessment should look
at all tiers without pre-prioritization of individual risks. The level of each risk should be
validated.
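As an added illustration (not part of the standard), the tier and key-node reasoning above can be run over a supply chain map held as a buyer-to-suppliers graph; the map, the supplier names and the "three or more sources" threshold are constructed assumptions, shaped like the Xirallic case.

```python
"""Tier assignment and key-node (funnel) detection on a supply chain map.

Added example, not part of ANSI/ASIS SCRM.1-2014. The map below is constructed;
its shape mirrors the Xirallic case described in the text: several Tier 1 paint
suppliers all trace back to a single Tier 3 pigment source.
"""
from collections import deque

# buyer -> component -> list of suppliers able to provide that component to the buyer.
# "Org" is the organization setting the SCRM scope; all other names are hypothetical.
SUPPLY_MAP = {
    "Org":    {"paint": ["PaintA", "PaintB"],
               "steel": ["SteelX", "SteelY", "SteelZ"],
               "electronics": ["ElecCo"]},
    "PaintA": {"pigment_base": ["BaseA"], "solvent": ["SolvCo", "SolvCo2"]},
    "PaintB": {"pigment_base": ["BaseB"]},
    "BaseA":  {"effect_pigment": ["PigmentCo"]},
    "BaseB":  {"effect_pigment": ["PigmentCo"]},
    "ElecCo": {"chips": ["ChipA", "ChipB"]},
}


def assign_tiers(supply_map, org):
    """Breadth-first walk upstream: Tier 1 supplies the organization directly,
    Tier 2 supplies Tier 1, and so on (shortest path wins if a supplier sits in two tiers)."""
    tiers = {org: 0}
    queue = deque([org])
    while queue:
        buyer = queue.popleft()
        for sources in supply_map.get(buyer, {}).values():
            for supplier in sources:
                if supplier not in tiers:
                    tiers[supplier] = tiers[buyer] + 1
                    queue.append(supplier)
    return tiers


def single_sourced(supply_map):
    """(buyer, component) pairs with exactly one source: the 'few or sole sources'
    for which the text says second-tier risks should be examined."""
    return {(buyer, comp): srcs[0]
            for buyer, comps in supply_map.items()
            for comp, srcs in comps.items() if len(srcs) == 1}


def disrupted(supply_map, lost_suppliers):
    """Propagate a supplier outage downstream: a buyer is disrupted once every
    source of one of its components is gone. Returns the full set of disrupted nodes."""
    lost = set(lost_suppliers)
    changed = True
    while changed:
        changed = False
        for buyer, comps in supply_map.items():
            if buyer in lost:
                continue
            if any(all(s in lost for s in srcs) for srcs in comps.values()):
                lost.add(buyer)
                changed = True
    return lost


def key_nodes(supply_map, org, min_share=1.0):
    """Sub-tier (Tier 2+) suppliers whose loss removes at least min_share of the
    organization's Tier 1 sources for some component: the funnel points in the map."""
    tiers = assign_tiers(supply_map, org)
    found = []
    for node, tier in tiers.items():
        if tier < 2:
            continue
        lost = disrupted(supply_map, {node})
        for comp, srcs in supply_map[org].items():
            share = sum(s in lost for s in srcs) / len(srcs)
            if share >= min_share:
                found.append((node, tier, comp, share))
    return found


def scope_depth(supply_map, org, many=3):
    """Rule of thumb from the text: a commodity with many sources can stop at Tier 1;
    few or sole sources warrant looking at Tier 2 (the 'many' threshold is an assumption)."""
    return {comp: (1 if len(srcs) >= many else 2)
            for comp, srcs in supply_map[org].items()}


if __name__ == "__main__":
    print(assign_tiers(SUPPLY_MAP, "Org"))
    print(single_sourced(SUPPLY_MAP))
    print(scope_depth(SUPPLY_MAP, "Org"))
    print(key_nodes(SUPPLY_MAP, "Org"))   # PigmentCo at Tier 3 funnels all paint supply
```

Looking only at Tier 1 would show two independent paint suppliers; the funnel detection is what surfaces the shared Tier 3 dependency.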

5.3.2 Internal Context


Understanding the internal environment enables the risk management program to be in sync
with the organization’s management style, processes, organizational structure, culture, and
business strategy. Every organization is unique and each risk management application is a
tailor-made process. Examples of factors that should be considered in understanding the
internal environment include (but are not limited to):
a) Governance, accountabilities, decision making processes, and organizational structure;
b) Resources and capabilities (human and physical);

c) Cultural characteristics (including differences in education and social interactions and
communications);
d) Business model (including evaluation and performance criteria);
e) Policies;
f) Strategic initiatives;
g) Processes and activities;
h) Information systems, information security, and flow;
i) Internal stakeholders;
j) Organizational culture; and
k) Communication and consultation protocols.

5.3.3 External Context


Understanding the external context, including its supply chain dependencies and
interdependencies, should provide the basis for understanding the sources of uncertainty
outside of the organization that may influence the achievement of objectives. The external
context includes factors that the organization can and cannot directly control or influence, but
are essential for understanding the risk environment (see Figure 2). Examples of factors that
should be considered in understanding the external environment include (but are not limited
to):
a) Supply chain, dependencies and interdependencies (including critical infrastructure);
b) Legal, regulatory and contractual obligations;
c) Economic, social, political and cultural factors;
d) Government and public relationships;
e) Crime statistics;
f) Meteorological and geological factors;
g) Financial and competitive environment;
h) Communication, transportation and logistics factors;
i) Community resources, capacities, and capabilities;
j) Market, brand and reputational factors;
k) Perceptions of risk and values by external stakeholders;
l) Transparency and integrity of external governance institutions;
m) External stakeholders (including the media, interest groups, and first responders); and
n) Communication and consultation protocols and capabilities.


Figure 2: Example of Internal and External Contexts for a Food/Beverage Company

5.3.4 Mapping the Supply Chain


The ongoing process of supply chain mapping is an essential decision making tool to ensure an
organization identifies risks and how best to prioritize and manage them. Supply chain
mapping should emphasize the importance of critical paths and value creation. To achieve
desired objectives and outcomes, supply chain value mapping identifies priority processes for
the organization. Understanding value propositions of different tiers of the supply chain will
help the organization focus its risk management approach. Supply chain mapping should
reflect the overall strategy of the organization in creating value and achieving its objectives.
Therefore, the supply chain map should clearly identify supply chain partners, their
contributions and value added, the various flow types, and the way the business is organized.
A supply chain map should document, by node, aspects affecting operations such as:
a) Supply chain partners with highest spending levels or that affect major value flows;
b) Dependencies and interdependencies (including utilities and other critical
infrastructure);

c) Single source suppliers;
d) Upstream and downstream partners who support business functions;
e) Logistics, storage, and transportation;
f) Labor suppliers;
g) Contractual and compliance requirements;
h) Image and visibility;
i) Access to highly sensitive internal information; and
j) Partners in high risk businesses and/or locations.
Mapping supply chain processes provides a better understanding of the potential risks that
exist as well as the organizations involved. Figure 3 presents a notional map. Upstream, it starts
with raw materials, services, parts, assemblies, and packaging going directly to the organization
or via its suppliers. Distribution systems, including trucks, trains, ships, aircraft, and the
internet, move items and information from suppliers to their customer inventory. These same
distribution systems may move goods and services to end-user customers. Several factors are
common to all these elements and can be the source of risks throughout the supply chain.
These include infrastructure such as buildings, equipment and network security, dependencies
and interdependencies (e.g., electricity, water, telecommunications, internet, etc.); process
functions such as production planning or sales and operational planning; and all persons
working on behalf of the organization. Not all of these nodes will have risks for all operations,
but all should be considered.
The supply chain mapping process should identify the parties involved and the associated risks
in the value chain, including, but not limited to, the following processes:
a) Planning;
b) Procurement;
c) Production;
d) Packing;
e) Storage;
f) Loading/unloading;
g) Transportation;
h) Product and service delivery;
i) Document preparation; and
j) Reverse logistics.


Figure 3: Notional Supply-Chain Process Flows

Information flows should also be documented with clear communication channels. Information
can flow upstream, downstream, and sideways. In particular, information flows on
downstream conditions can help upstream processes provide the correct quantity and quality of
materials needed. Sideways flow of information should be accompanied by responsibility to
ensure the correctness of the flow of materials. Any abnormalities can then be raised so that the
associated risks are minimized and managed.
Various analytical tools exist for identifying and prioritizing risks in the supply chain. The
process of developing a supply chain or value stream map enables a better understanding of the
product, material and information flows, value stream metrics, and the interaction of processes.
For example, Pareto analysis⁵ can help firms identify the proportion of goods and suppliers on
which they are most dependent in terms of cost, value creation, production, and failure, and hence
the goods and services that can pose the most risk to the supply chain. Pareto analysis is
designed for users to identify which small set of practices, functions, suppliers, staff, etc. have
the greatest impact. More sophisticated portfolio analysis can help firms identify goods by both
their value and the risk of supply continuity and lead firms to focus their SCRM first on
strategic or critical goods of high value and high supply continuity risk. These may include
scarce or high-value items, major assemblies, or unique parts which may have natural scarcity,
few suppliers, and difficult specifications.

⁵ Pareto analysis is a simple technique for prioritizing possible changes by identifying the problems that will be
resolved by making these changes.
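An added example, not from the standard, of the Pareto and portfolio analysis described above applied to a constructed set of purchased goods; the spend figures, source counts, continuity-risk weights and quadrant labels are all assumptions of this example.

```python
"""Pareto and portfolio analysis of purchased goods.

Added example, not from ANSI/ASIS SCRM.1-2014. Spend figures, source counts and the
continuity-risk scoring are constructed; the quadrant names are this example's own labels.
"""
from dataclasses import dataclass


@dataclass
class Good:
    name: str
    annual_spend: float           # constructed, arbitrary currency units
    n_sources: int                # qualified suppliers for this good
    scarce: bool = False          # natural scarcity of the input
    difficult_spec: bool = False  # hard-to-qualify specification


# Constructed purchasing data for one organization.
GOODS = [
    Good("steel_coil", 400, n_sources=5),
    Good("wire_harness", 250, n_sources=2, difficult_spec=True),
    Good("control_unit", 200, n_sources=1),
    Good("packaging", 70, n_sources=4),
    Good("effect_pigment", 50, n_sources=1, scarce=True, difficult_spec=True),
    Good("fasteners", 30, n_sources=8),
]


def pareto(goods, threshold=0.8):
    """Rank goods by spend. Returns (rows, vital_few): rows carry (name, share,
    cumulative share); vital_few is the smallest leading set whose cumulative share
    reaches `threshold`, i.e. the 'small set with the greatest impact'."""
    ranked = sorted(goods, key=lambda g: g.annual_spend, reverse=True)
    total = sum(g.annual_spend for g in ranked)
    rows, vital_few, cumulative, reached = [], [], 0.0, False
    for g in ranked:
        cumulative += g.annual_spend
        rows.append((g.name, g.annual_spend / total, cumulative / total))
        if not reached:
            vital_few.append(g.name)
            reached = cumulative / total >= threshold
    return rows, vital_few


def continuity_risk(g):
    """Supply continuity risk on a 1-5 scale built from the factors the text names:
    few suppliers, natural scarcity, difficult specifications (weights are an assumption)."""
    few_sources = {1: 3, 2: 2}.get(g.n_sources, 1)
    return few_sources + int(g.scarce) + int(g.difficult_spec)


def portfolio(goods, risk_cut=3, threshold=0.8):
    """Place each good by value (inside the Pareto vital few or not) and continuity risk."""
    _, vital_few = pareto(goods, threshold)
    quadrant = {}
    for g in goods:
        high_value = g.name in vital_few
        high_risk = continuity_risk(g) >= risk_cut
        if high_value and high_risk:
            quadrant[g.name] = "strategic/critical"
        elif high_risk:
            quadrant[g.name] = "low-value high-risk"
        elif high_value:
            quadrant[g.name] = "high-value low-risk"
        else:
            quadrant[g.name] = "routine"
    return quadrant


def treat_first(goods):
    """Goods the text says SCRM should address first: high value and high continuity
    risk, ordered by risk then spend."""
    quadrant = portfolio(goods)
    picks = [g for g in goods if quadrant[g.name] == "strategic/critical"]
    picks.sort(key=lambda g: (continuity_risk(g), g.annual_spend), reverse=True)
    return [g.name for g in picks]


if __name__ == "__main__":
    rows, vital_few = pareto(GOODS)
    for name, share, cum in rows:
        print(f"{name:15s} {share:5.0%}  cumulative {cum:5.0%}")
    print("vital few:", vital_few)
    print("portfolio:", portfolio(GOODS))
    print("treat first:", treat_first(GOODS))
```

Ranked by spend alone, effect_pigment falls outside the vital few; the portfolio view places it among the high continuity-risk goods that, as the Xirallic case shows, can still halt production.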
Accurate supply chain mapping will improve decision making processes and drive preventive
actions that can avoid and mitigate undesirable and potentially disruptive events. This will
allow an organization to be more preemptive in managing its supply chain and subsequently
gain a competitive advantage.

5.4 Risk Assessment Process


5.4.1 General
Risk assessment is a dynamic process that should take a holistic, end-to-end approach. Using
its supply chain map, the organization should also identify risks associated with its Tier 1
supply chain partners, expanding this analysis to additional tiers as necessary to develop a
complete picture of the risk profile. Given the dynamic nature of risk, on-going monitoring of
the risk criteria, profile, and assessment process is necessary for effective risk management.
Also, the tangible and intangible costs of risk and risk treatment should be considered when
conducting a risk assessment.
The risk assessment process should distinguish between risks that should be included in the
risk management program and those that require treatment. Risks that could potentially
prevent the organization from achieving its objectives should be considered. The organization
should consider not only risks that are internal to the organization, but also those associated
with its supply chain, dependencies and interdependencies. The organization should assess
risks that could potentially cause undesirable and/or disruptive events.

5.4.2 Risk Criteria


Setting the risk criteria should be done prior to conducting the risk assessment. The risk criteria
establish the organization’s approach to and parameters for assessing, accepting, pursuing,
retaining, or treating risk. The risk criteria provide the basis for establishing the scope. The
definition of the risk criteria will determine how risk is analyzed and evaluated. To prioritize
and address risks, organizations need to define risk criteria that determine the method they
will use to establish the acceptable level of risk to their operations and supply chain. Risk
criteria provide a basis for evaluating the significance of risk within the bounds of the amount
of risk the organization is willing to accept.
The risk criteria are set to understand the impact of uncertainty on the organization achieving
its objectives. They set the benchmarks for how the organization will measure and evaluate
consequences and likelihood. Will the level of risk be described qualitatively or quantitatively?
How will the scales be expressed? Risk criteria should also be considered for the perceived and
actual level of risk that will be tolerated by supply chain partners. Setting the risk criteria is a
dynamic and iterative process and should be revisited and revised to reflect the changing
landscape of risk.


By understanding the organization and its context, the organization can set the scope for its
SCRM process, document its methodology, and justify its assumptions. Setting the scope is also
a dynamic process and should be revisited based on the analyses conducted during the SCRM
process.

5.4.3 Risk Appetite


Clearly defining the organization’s risk appetite internally and within its supply chain is a
keystone to good governance and effective risk management, yet it is one of the more difficult
tasks of top management. Risk appetite is the amount and type of risk that an organization is
willing to pursue, accept, or tolerate. Understanding risk appetite is an indicator of maturity of
the risk management program. Clearly defining the risk appetite sets the boundaries that
enable an organization to increase its opportunities by optimizing risk taking and accepting
calculated levels of risk within an appropriate level of authority.
When establishing risk appetite, top management should consider strategic, tactical, and
operational aspects. An understanding of the culture of the organization is necessary for
evaluating both pursuing and tolerating risk. The thoroughness, integrity, and reliability of
information should be evaluated when establishing risk appetite. When establishing risk
appetite, it is important to understand both the real and perceived risks of internal and external
stakeholders in the organization and its supply chain, as well as interested parties perceiving
themselves as impacted by the activities of the organization and its supply chain.

5.4.3 Risk Identification


Risk identification should consider the questions of what can happen, when, where, how, and
why, as well as possible outcomes. Risk analysis will expand and further define these aspects.
The outcome of risk identification is a prioritized list of risks associated with the organization
achieving its objectives. Risk identification should be a well-structured process since a risk not
identified cannot be analyzed. Risk identification comprises:
a) Criticality analysis – Asset and activity valuation and potential impacts of undesirable
and disruptive events (“what”, “where,” and outcomes);
b) Threat and/or hazard analysis – Anything that has the potential to disrupt the
achievement of objectives and the activities and processes that support them
(“who/what”, “why,” and “when”); and
c) Vulnerability analysis – Susceptibility of an event successfully materializing that has the
potential to disrupt the achievement of objectives and the activities and processes that
support them (“how”).
The risk identification process should not only consider negative consequences of a risk event
but also the opportunities it may create. Many methods exist for conducting risk identification
(e.g., previous risk assessments, exercises and modeling, surveys, historical data analysis,
business impact analysis, logic trees/diagrams, brainstorming sessions, checklists, and “worst-
case” scenario workshops). Regardless of the method or methods used, risk identification
should be comprehensive, documented, and repeatable. It should consider (but not be limited
to):
a) Reliability and degree of uncertainty of information;
b) Biases that may influence results (including the effect of assumptions);
c) Root causes and triggers of risk;
d) Broad consultations with internal and external stakeholders;
e) Supply chain relationships, dependencies and interdependencies;
f) Priority business functions and activities and the impact of their loss (including time
dependencies);
g) The value of assets to the organization, its supply chain partners, competitors, and
adversaries;
h) Single, multiple and compounded weaknesses including overlapping and multiple
effects of risks;
i) Likelihood of success of a risk event occurring as well as causing an undesirable and/or
disruptive event; and
j) The interactions between threat, criticality, and vulnerability analysis.
It may be helpful to categorize the risks by type. It is important to remember that risk
assessments are dynamic and risk management should include continuous identification and
analysis of all risks related to the organization’s business.
Table 1 presents examples of risks an organization may wish to consider in its risk identification
process. Annex C presents a longer but not exhaustive list. Note that risks can overlap
categories.

Table 1: Examples of Sources of Risk to an Organization and its Supply Chain

GENERAL – GLOBAL RISKS (END-TO-END RISKS - INTERNAL AND EXTERNAL)
Physical, meteorological, and geological phenomena | Social responsibility, environmental, health and safety
Legal and regulatory (including compliance) | Human resources
Operational, organizational, and transparency | Competition and market dynamics
Political, social, community and cultural | Economic and financial (including exchange rates)
Information technology and information integrity | Demographics and labor
Brand and reputation | Leadership and planning
Lawsuits and liability | Crime (e.g., terrorism, theft, corruption, industrial espionage, sabotage, fraud, counterfeiting, etc.)
Critical infrastructure dependencies and availability | Organizational and community interdependencies
Logistics | Transportation

UPSTREAM RISKS
Physical, non-compliance, and regulatory | Production and performance
Financial losses and premiums | Management
Upstream dependencies (including timeframes and excess capacity) | Single sourcing, multi-sourcing, and competing obligations

DOWNSTREAM RISKS
Physical, non-compliance, and regulatory | Customer satisfaction
Labor availability and disruption | Cargo damage or theft
Logistic, distribution and warehouse capacity | Information system security and capacity
Long, multi-party supply pipelines | Reverse logistics

INTERNAL ENTERPRISE RISKS
Operational | Political, legal and regulatory uncertainty
Demand variability | Personnel and labor competence, availability and reliability
Design uncertainty | Planning and objective uncertainties
Financial uncertainty | Facility availability and capacity
Testing capacity | Enterprise underperformance
Supplier relationship management | Management practices

Examples of points to consider in identifying risk include (but are not limited to):
a) Number and location of suppliers. For example, are there suppliers in countries with
social unrest, terrorist or drug activity, or high levels of corruption and other crime?


b) Number and origin of shipments. For example, have increased quantities or values of
shipments posed additional risks?
c) Contractual terms defining responsibility for shipping. For example, companies may
specify security controls and procedures for their suppliers. (Annex D provides sample
contractual terms and conditions for supply-chain security.)
d) Compliance requirements, recall, and reverse logistics. For example, companies may
have specific requirements for the handling and packaging of products as well as the
return of damaged, expired, and recalled products.
e) Brand and reputation protection. For example, some companies require measures for
brand protection related to social responsibility and legal obligations, including
environmental, health, and safety issues.
f) Modes of information transfer. For example, information protection and encryption
may be required for data files and transmissions.
g) Modes of transport and routes for shipments. For example, companies may ask their
suppliers to follow certified security procedures for ocean-container or truck-trailer
shipments.
h) Risks related to logistics providers or partners involved in the supply chain who handle
shipments (e.g., packaging companies, warehousing, trucking companies, freight
forwarders, and air or ocean carriers). For example, firms may require that logistics
providers meet all certification standards from an official supply-chain security
program.
Risk identification is a function of local conditions and may vary from facility to facility within
the same organization as well as between elements within a supply chain. It is essential to
identify the risks associated with the locations of functions and choke points in the supply
chain. For example, the administrative headquarters of a supplier may not be the same as the
production location. Therefore, the risks may be very different, so the assumption should not
be made that identifying the risks at the administrative headquarters will be representative of
the risks throughout the supply chain.
The organization should periodically review the status of its risks in a catalogue of risks (e.g.,
a risk register), incorporating new risks as they develop and revising risk rankings. The
catalogue of risks serves as the central repository for all risks identified by the organization and
includes (but is not limited to) information on risk criteria, likelihood, consequences, treatments,
anticipated outcomes, and risk owners. Risk management activities should be documented,
tracked, traceable, and non-repudiable.

5.4.4 Risk Analysis


Risk analysis is a process to understand the nature and level of risk to determine its significance.
The organization takes the information generated during the risk identification process and
evaluates this within the context of its operations and the risk criteria. The risk analysis process
should estimate the likelihood and consequence of risks facing an organization and accordingly
prioritize them for ultimate treatment. To begin, organizations may choose to rank risk events
with varying degrees of detail, depending on the risk, and the information, data, and resources
available.
As seen in Figure 4, the output from risk identification provides the input to risk analysis.

Figure 4: Determining the Level of Risk

Likelihood and consequence can be expressed qualitatively or quantitatively (or a combination
of methods). The decision on which approach works best for an organization is based on the:
a) Availability and reliability of information;
b) Scales and level of detail of the risk identification process;
c) Methods for determining threats and impacts to tangible and intangible assets, as well as
tangible and intangible impacts (intangible assets and impacts may not lend themselves
to numeric evaluations);
d) Other risk analysis processes and methodologies used by the organization; and
e) Most effective method for communicating level of risk to decision-makers.
Regardless of the method used to determine the level of risk, care should be taken to assure a
consistent approach and consider the level of confidence, particularly for aggregated data.


Units and scales of measuring risk determined during the definition of risk criteria should be
used consistently throughout the analysis. The risk analysis method used should meet the
needs of the risk evaluation and treatment decision making process.
One method of risk analysis which uses a cause and effect analysis is the bow-tie method (for
more information on this and other methods, see ISO 31010:2009). The bow-tie method
provides a simple, qualitative approach to help fully understand the characteristics of a risk
event. An event can have multiple causes and multiple consequences—the two dimensions of
risk—and existing treatments. Risk treatments can be reviewed to understand their
effectiveness and efficiency. It enables the evaluation of risk treatment methods to better
understand inherent risk (i.e., risk in the absence of any treatment) and residual risk (i.e., level
of risk remaining after treatment). The bow-tie risk analysis method clearly ties treatment
actions to each dimension of the risk event. The bow-tie method is a good way of visualizing
risk and communicating the effectiveness of the treatment methods in place to manage risks.
Figure 5 shows an example of the bow-tie method.

Figure 5: Bow-Tie Method for Linking Treatment to Cause and Consequence

The bow-tie method can be used to help simplify risk analysis and provide a subjective estimate
of the level of risk by allowing the conceptualization of the interaction of causes, treatments,
and consequences of a risk. The steps involved in conducting a risk analysis using the bow-tie
method are as follows:
a) Based on the risk identification, describe a risk event that may provide an opportunity
or result in an undesirable or disruptive event;
b) Determine the foreseeable possible causes of the risk event (left side);
c) Identify the potential consequences of the risk event (right side);
d) Evaluate what preventive and protective measures are in place to modify the likelihood;
e) Evaluate what mitigation, response, and recovery measures are in place to reduce the
consequences;
f) Evaluate the effects of multiple layers of protection, as well as cascading and multiple
impacts; and
g) Determine the level of risk.

5.4.5 Risk Evaluation


Risk evaluation uses the risk criteria and outputs from the risk identification and risk analysis
steps to determine what risks are acceptable with existing risk treatments and which require
additional risk treatment. The level of risk determined during risk analysis will indicate the
priorities for risk treatment. Evaluating the level of risk before and after treatment combined
with value driver analysis provides the basis for determining if the residual risk levels fall
within an acceptable level of risk set by the risk criteria. Risk treatment prioritization should
also be predicated on an understanding of the risk tolerance. If the level of residual risks is
found to be greater than the acceptable level of risk set by the risk criteria, then the organization
should consider alternative or additional risk treatments to reduce the level of residual risk.
Initial treatment decisions will be driven by tolerance, not just addressing residual risk. Risk
evaluation considers the cost and benefits of different treatment options. Care should be taken
during the risk evaluation stage to make sure treating one risk is not creating another risk.
Risk evaluation considerations include:
a) Objectives of projects and opportunities;
b) Tangible and intangible impacts;
c) Legal, regulatory, and contractual requirements;
d) Tolerability of risks to others;
e) Whether a risk needs treatment;
f) Deciding whether risk can be tolerated;
g) Whether an activity should be undertaken; and
h) Priorities for treatment.


Acceptable risk levels will be unique to each organization and supply chain. They may vary by
project, commodity, product, or service, as well as over time. The organization may have
varying levels of risk-tolerance for different divisions, subsidiaries, and partners. It may not be
practical to eliminate all risk due to costs. It may be desirable to accept risk to gain an
opportunity. To reduce risk to a level that is as low as reasonably practicable, a typical target of
risk evaluation is to determine the most cost-effective treatments.
Examples of reasons an organization may tolerate risk (by informed decision) include:
a) The level of the risk is so low that specific treatment is not appropriate within the
constraints of available resources;
b) The risk is such that there is no treatment available. For example, the risk causes may
not be within the control of an organization;
c) The cost of treatment, including insurance costs, is so manifestly excessive compared to
the benefit that toleration is the only option. This applies particularly to lower ranked
risks;
d) The opportunities presented outweigh the threats to such a degree that the risk is
justified; and
e) Organizations may also determine to accept a risk by informed decision-making or to
maximize a business opportunity.
Regardless of the method used to evaluate risk treatment(s) to achieve a level of risk as low as
reasonably possible, it is important to understand that this is an iterative process where the risk
manager can pick multiple layers of risk treatment measures including:
a) Eliminating the risk exposure;
b) Isolating the risk source or potential targets;
c) Technical modifications and substitutions;
d) Administrative and procedural controls;
e) Protective, preventive, and mitigation measures; and
f) Accepting or exploiting risk by informed decision.
During the risk evaluation process, the proposed risk treatment processes should be evaluated
to consider the cost-benefit of the measure to reduce risk and whether the risk treatment
changes or introduces new risk to the organization and its supply chain. Figure 6 illustrates
how the output from the risk identification and analysis steps can be represented by a funnel
approach where intolerable risk must be treated at any reasonable cost. Treatment measures
are applied to bring the risk to a level that is as low as reasonably possible, the point where further
treatments are disproportionate in cost to their benefit. Risks reach a tolerable level where risk is
within the level of tolerance of the risk criteria. Contingency measures might be considered for
risks that remain after treatment.


Figure 6: Risk Evaluation Funnel

One way an organization may wish to assess its risk tolerance is through a risk “frontier” graph,
plotting the likelihood of events by their consequence (Figure 7). Organizations may find some
risks to be of such low likelihood or to have such limited consequence that they do not warrant
any further treatment or consideration. For those of greater likelihood or consequence, the
organization may wish to reduce risk through resource management (e.g., holding an extra level of
supplies or "safety stock"), development of a risk distribution strategy (e.g., use of multiple
sourcing), or other mechanisms of risk avoidance or elimination. Such mechanisms may seek to reduce the
likelihood, duration, or consequence of a risk event. Organizations may also determine to
accept a risk by informed decision-making to maximize a business opportunity.


Figure 7: Conceptual Risk “Frontier”

Another means of representing the relationship between likelihood and consequences is to use a
“heat” map showing risk-events on a matrix defining likelihood and consequence levels. This
technique allows managers to easily see the relative likelihood and consequence of differing
risks. To use this method effectively, it is critical to have well-defined and consistently used
criteria for the different likelihood and consequence levels. Various scales are used by different
organizations; the gradations, scaling, and terms used should be based on what is best
understood by the users and the decision makers. Figure 8 shows a “heat” map illustrating the
concept.


LIKELIHOOD      insignificant  minor     moderate  major     critical   (CONSEQUENCE)
almost certain  Moderate       Major     Critical  Critical  Critical
likely          Moderate       Major     Major     Critical  Critical
possible        Moderate       Moderate  Major     Major     Critical
unlikely        Minor          Moderate  Moderate  Major     Critical
rare            Minor          Minor     Moderate  Moderate  Major

Figure 8: “Heat” Map

The “heat” map shows how firms may wish to prioritize risks by likelihood and consequence.
An example of an alternative scale would be:
a) For consequence categories: Low, Moderate, Serious, Severe, Major, and Extremely
Serious; and
b) For likelihood categories: Very Unlikely, Unlikely, Possible, Probable, and Regular.
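As an added illustration of the heat map (example code, not part of the Standard): the following Python routine rates a small constructed risk register against the Figure 8 matrix, places each rating in a band of the Figure 6 funnel (intolerable, ALARP, tolerable), and orders the register for treatment. The matrix values are those of Figure 8; the register entries, the tolerance threshold, and the rejection of any label outside the agreed scale are assumptions made for the example. The same structure takes the alternative scales in a) and b) above if the matrix is redefined over them.

```python
"""Heat map scoring for a supply chain risk register.

Added example, not code from the Standard. HEAT_MAP reproduces Figure 8;
the register, the tolerance threshold, and the strict scale check are
assumptions made for the example.
"""
from dataclasses import dataclass, replace

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "critical"]
RATING_ORDER = ["Minor", "Moderate", "Major", "Critical"]

# Figure 8: one row per likelihood level, columns in CONSEQUENCE order.
HEAT_MAP = {
    "almost certain": ["Moderate", "Major", "Critical", "Critical", "Critical"],
    "likely":         ["Moderate", "Major", "Major", "Critical", "Critical"],
    "possible":       ["Moderate", "Moderate", "Major", "Major", "Critical"],
    "unlikely":       ["Minor", "Moderate", "Moderate", "Major", "Critical"],
    "rare":           ["Minor", "Minor", "Moderate", "Moderate", "Major"],
}


@dataclass(frozen=True)
class RiskEvent:
    name: str
    likelihood: str
    consequence: str


def rate(likelihood: str, consequence: str) -> str:
    """Return the Figure 8 rating. Labels that are not on the agreed scale are
    rejected, because inconsistently applied criteria make the map meaningless."""
    if likelihood not in HEAT_MAP:
        raise ValueError(f"likelihood {likelihood!r} is not on the agreed scale")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"consequence {consequence!r} is not on the agreed scale")
    return HEAT_MAP[likelihood][CONSEQUENCE.index(consequence)]


def funnel_band(rating: str, tolerable_up_to: str = "Minor") -> str:
    """Place a rating in the Figure 6 funnel: 'Critical' is intolerable and must
    be treated; ratings at or below the (assumed) threshold are within the risk
    criteria; everything in between sits in the ALARP band."""
    if rating == "Critical":
        return "intolerable"
    if RATING_ORDER.index(rating) <= RATING_ORDER.index(tolerable_up_to):
        return "tolerable"
    return "ALARP"


def prioritize(register):
    """Rate every event and order the register for treatment: highest rating
    first, ties broken by likelihood, then by consequence."""
    rows = []
    for ev in register:
        rating = rate(ev.likelihood, ev.consequence)
        key = (RATING_ORDER.index(rating),
               LIKELIHOOD.index(ev.likelihood),
               CONSEQUENCE.index(ev.consequence))
        rows.append((key, ev.name, rating, funnel_band(rating)))
    rows.sort(reverse=True)
    return [(name, rating, band) for _, name, rating, band in rows]


def after_treatment(ev: RiskEvent, likelihood=None, consequence=None) -> RiskEvent:
    """Re-express an event after a treatment that changes its likelihood and/or
    consequence, so it can be re-rated and re-banded (and re-checked for any
    new risk the treatment introduces)."""
    return replace(ev,
                   likelihood=likelihood or ev.likelihood,
                   consequence=consequence or ev.consequence)


# Constructed register for the example.
SAMPLE_REGISTER = [
    RiskEvent("Single-source supplier plant fire", "unlikely", "critical"),
    RiskEvent("Drayage cargo theft at unsecured terminal", "likely", "moderate"),
    RiskEvent("Counterfeit component in returned goods", "possible", "major"),
    RiskEvent("Customs paperwork delay", "almost certain", "insignificant"),
    RiskEvent("Data-center power blip", "rare", "minor"),
]

if __name__ == "__main__":
    for name, rating, band in prioritize(SAMPLE_REGISTER):
        print(f"{rating:9} {band:12} {name}")
    dual_sourced = after_treatment(SAMPLE_REGISTER[0], consequence="moderate")
    print("after multiple sourcing:", rate(dual_sourced.likelihood, dual_sourced.consequence))
```

Running the script lists the register from the intolerable plant-fire risk down to the tolerable power blip, and shows that a treatment such as multiple sourcing moves the fire risk from the intolerable band into the ALARP band rather than eliminating it.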

6 RISK TREATMENT

6.1 General
Once an organization understands its supply chain and has analyzed its potential risks, it can
begin the process to modify and reduce risk. It is important to keep in mind when developing a
risk treatment strategy that risk treatments have the potential to create new risks or modify
existing risks.
After an organization has identified and prioritized the risks that it faces, it can devise risk
treatment plans. Plans include developing strategies and measures to protect supply chains
from sources of risks, responding to events that these risks may cause, and continuing
operations and recovering from undesirable and disruptive events. Risk treatments seek to:
a) Remove the risk source, where possible;
b) Remove or reduce the likelihood of the risk event occurring;
c) Remove or reduce negative consequences;
d) Share the risk with other parties, including risk insurance;
e) Accept risk through informed decision or to exploit an opportunity; and/or


f) Avoid activities that give rise to the risk.


For organizations to cost-effectively manage risk, they should develop balanced strategies to
adaptively, proactively, and reactively address minimization of both the likelihood and
consequences of undesirable and/or disruptive events. Furthermore, the selection of risk
treatment controls should be integrated with the overall supply-chain risk management
program with its partners, that is, its suppliers, carriers, and logistics providers. Such a
program should have at least three elements: protecting the supply chain, responding to events,
and continuing business operations while recovering from events. Plans should also involve
determining ways to measure risks as well as testing the effectiveness of the plan itself and its
ability to limit risks. The organization should establish, implement, and maintain procedures to
prevent and manage undesirable and disruptive events to prevent negative consequences and
exploit positive ones to the organization, its key stakeholders including supply chain partners,
and the environment. Procedures should be concise and accessible to those responsible for their
implementation. Plans and procedures should be acknowledged by all different management
areas and risk disciplines to avoid a silo approach (e.g., a business continuity plan needs to take
into consideration how security measures within an incident response will impact continuity of
operations). Examples of risk treatment procedures are provided in Annex B.

6.2 Protecting and Securing the Supply Chain


An effective supply-chain risk management program dictates how an organization and its
partners implement appropriate measures to secure all upstream and downstream processes,
from the procurement of goods and services, to the provision of finished goods and services, to
the returning or receiving of returned products. The importance of SCRM programs can be
viewed from six perspectives. Organizations should:
a) Protect assets from an all-risk perspective;
b) Prevent loss from theft or damage;
c) Protect the integrity of products and services and prevent unauthorized intrusion into
shipments that could enable insertion of illicit contraband which could include but not
be limited to: weapons, drugs, and counterfeit or diverted goods;
d) Prevent the potential loss of intellectual property and/or the corruption of technology
associated with intellectual property;
e) Protect the integrity and reliability of information, communications, and
telecommunication networks; and
f) Protect brand and reputation.
Effective supply chain security includes not only conveyance security but also physical security
of areas where services are delivered or goods are manufactured, stored, or distributed. Aspects
such as physical security of facilities can include: access controls; surveillance systems;
personnel security; procedural security; information technology security; and education,
awareness, and training.


To ensure maximum effectiveness, organizations and their partners should develop plans
and/or programs to audit their supply chain security programs for compliance with written
policies and procedures. Such audits should be conducted on a regular basis. This Standard
illustrates below some benchmarks for each of these criteria. Plans and/or programs developed
should reflect all supply chain risks, including any aspects that may be unique to a particular
organization or industry; including, for example, tangible and intangible assets, and any assets
which may have different intrinsic values either to an organization or an adversary.
When developing security plans and programs the organization should consider:
a) Physical security. That part of security concerned with physical measures designed to
safeguard people; to prevent unauthorized access to equipment, facilities, material, and
documents; and to safeguard them against a security incident. Logistics partners such
as manufacturers, distributors, and transportation entities should have established
physical security programs to prevent unauthorized access to their facilities while goods
are in storage or transit. Such features should include (but are not limited to): perimeter
controls such as fencing and/or gated entry points; access controls to prevent
unauthorized entry into/within facilities or vehicles; penetration alarms to notify
authorities of illicit access attempts; and video surveillance systems to display, record,
and play back access activities (for more information on physical security methods, see
ANSI/ASIS PAP.1-2012, Security Management: Physical Asset Protection).
b) Personnel security. Organizations and their partners should screen prospective persons
working on behalf of the organization (in ways consistent with local regulations) and
verify employment application information prior to employment. This can include drug
tests and background checks on educational and employment background and possible
criminal records, with periodic subsequent checks performed for cause or sensitivity of a
person’s position. Organizations and their partners should also have procedures in
place to remove badges, uniforms, and facility and IT-system access for persons working
on behalf of the organization who voluntarily or involuntarily leave employment.
c) Awareness, education, and training. The attitudes and behaviors of individuals,
organizations, and institutions should be developed to support and enhance a security
culture. Organizations and their partners should establish and maintain a security
training program to educate and build awareness of proper supply chain security
procedures for all persons working on behalf of the organization to address intentional,
unintentional, and natural events. Current best practices within supply chain security
consist of training persons who work in areas of risk to anticipate, prevent, protect from,
and mitigate potentially undesirable and disruptive events. Persons should be aware of
their role in the protection from the threat of malicious acts including theft; the potential
introduction of illicit contraband, counterfeit, or diverted products into shipments; and
the importance of maintaining the integrity of intellectual property within one’s own
supply chain. Education and training should also include documented procedures for
persons working on behalf of the organization to report security incidents or suspicious
behavior.
d) Procedural security. Organizations and their supply chain partners should establish,


document, provide training, and audit supply chain security programs and procedures.
Procedural controls should complement physical, technical, and engineering measures
by introducing work practices or procedures that reduce risk. Procedures can be
documented in specific security Standard Operating Procedures and/or employee
manuals or handbooks. Procedural supply chain security should address, but not be
limited to: awareness of warning signs of potential events; how to inspect shipments;
methods of secure storage and stowage of goods; tamper evident ways to package/seal
goods in shipment; detecting suspicious shipments/packaging; detecting suspicious
persons; and procedures for selecting secure warehousing and/or transportation options.
e) Information security. Information security protects information in all forms.
Information security practices and procedures provide the guidance to ensure that
the organization's sensitive information is adequately protected. Information security
measures should ensure information and telecommunications systems are protected
from unauthorized access and that information related to product integrity, intellectual
property, logistics, routing, and personnel is protected. This should include authentication
controls (password protection; note that current guidance such as NIST SP 800-63B advises
against forced periodic password changes unless compromise is suspected) and accountability
(including logging and integrity checks sufficient to identify any improper access or alteration).
f) Business-partner security. Organizations should have a documented business partner
selection process which includes a pre-contractual security assessment to cover all
aspects of security related risks. An effective supply-chain security program dictates that
any supply chain partner, as well as any further sub-contracted suppliers or logistics
service providers, employ consistent security practices throughout the supply chain.
Firms should have binding contractual agreements with all business partners and sub-
contracted entities within their respective supply chains that address such things as:
screening and selection; the use of further sub-contracted entities; acceptable methods of
storage and/or transportation; and reporting theft, damage, or suspicious incidents. All
contractual agreements should have a documented “audit function/schedule” built into
them.
g) Logistic security. Transportation, particularly drayage (inland truck support), may be
the most vulnerable point of the supply chain. Areas that should be addressed
procedurally within conveyance security (storage containers such as trailers, ocean
freight containers, aircraft unit load devices, and railcars) should include: procedures for
packing and sealing; inspections for integrity; availability of tracking; atmospheric
sensitivity; individual storage; and routing, including predefined back-up routes. The
security conditions of every in-transit location where the shipment sits, regardless of the
duration of storage, should be addressed. Airport, terminal, and ocean warehouses that are not
in a secured area are critical points for potential pilferage and cargo theft.
h) Product security. For organizations that involve any type of product, product security is
paramount to the success of the organization and the effectiveness of the supply chain.
Product security involves the specific security measures to protect a product from
certain risks such as adulterated products, counterfeited products, and diversion of


goods. Product security also involves the use of special markings, chemical markers
incorporated in the product, holograms, and covert and overt marks to ensure that the
final consumers get the intended product. Product security requires close teamwork
between manufacturing, packaging, brand protection, security, quality, and legal
departments as well as direct involvement with law enforcement.
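As an added example (not part of the Standard) for items e) and h) above, the following Python routine shows one way to provide the accountability the information security item calls for over the custody and routing records that product integrity depends on: each entry is chained to its predecessor and authenticated with an HMAC, so a later alteration of any record, a forged record, or verification with the wrong key is reported at the first affected entry. The key, the record fields, and the entries themselves are constructed for the example.

```python
"""Tamper-evident chain over shipment custody/routing records.

Added example, not code from the Standard. The key, the record layout, and
the sample entries are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed key for the example only. A real deployment would keep it in a
# secrets store or HSM and give the verifying party (e.g., the consignee) a copy.
KEY = b"example-shared-key-not-for-production"
GENESIS = "0" * 64  # link value carried by the first entry

# Constructed custody/routing entries for one container.
SAMPLE_RECORDS = [
    {"seq": 1, "event": "sealed", "container": "CONT-0001", "seal": "S-4471", "actor": "packer-17"},
    {"seq": 2, "event": "departed", "location": "Plant A", "route": "primary", "actor": "dispatch-03"},
    {"seq": 3, "event": "reroute", "route": "backup-2", "reason": "road closure", "actor": "dispatch-03"},
    {"seq": 4, "event": "received", "seal": "S-4471", "location": "DC North", "actor": "receiver-08"},
]


def _canonical(body: dict) -> bytes:
    """Serialize deterministically so the MAC does not depend on key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def chain_records(records, key=KEY):
    """Append each record to the chain: store the previous MAC in the record,
    then MAC the record (including that link) with the shared key."""
    chained, prev = [], GENESIS
    for rec in records:
        body = dict(rec, prev=prev)
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        chained.append(dict(body, mac=mac))
        prev = mac
    return chained


def verify_chain(chained, key=KEY):
    """Return None if every entry authenticates and links to its predecessor,
    otherwise the index of the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(chained):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev:
            return i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return i
        prev = entry["mac"]
    return None


def head(chained) -> str:
    """Current head of the chain; anchor this value with a party that cannot
    alter the records, because truncating the tail leaves the remaining chain valid."""
    return chained[-1]["mac"] if chained else GENESIS


def tamper(chained, index, **changes):
    """Return a copy of the chain with one entry altered (simulates an insider
    editing a routing record after the fact)."""
    edited = [dict(e) for e in chained]
    edited[index].update(changes)
    return edited


if __name__ == "__main__":
    chain = chain_records(SAMPLE_RECORDS)
    print("intact chain:", verify_chain(chain))
    print("edited route detected at entry:", verify_chain(tamper(chain, 2, route="via-unplanned-yard")))
    print("anchor to keep with the consignee:", head(chain))
```

Editing the reroute entry is reported at index 2 even though its link field still matches, because the MAC covers the whole record. What the chain alone cannot detect is removal of the most recent entries, so the head() value should be sent to the consignee or a partner with each update and compared on receipt.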

6.3 Responding to Events


Even with the best laid plans, organizations may still confront undesirable and disruptive
events which have the potential to impact their supply chains. This Standard characterizes
“crises” as events that threaten the organization, apply intense time pressures, create high
stress, and drive the need for rapid, but careful, decision making.
A crisis is an unstable condition involving an impending abrupt or significant change that
requires urgent attention and action to protect life, assets, property, critical information,
operations, or income, the environment, and an organization’s reputation. Crisis events can
include natural disasters, major infrastructure failures, major fires, political and social unrest,
labor disputes, organized protests, pandemics, information technology failures, or security
threats.
Managing an event comprises the overall strategic and tactical responses of an organization to
recognize and respond effectively, efficiently, and comprehensively to the identified threats
before, during, and after they have occurred. It incorporates proactive measures to detect,
respond to, and recover from an undesirable or disruptive event. Activities related to managing
an event are characterized by several phases:
a) Prevention and mitigation are efforts to prevent threats from developing into
disasters altogether or to reduce the effects of disasters; they are a natural outgrowth of the
risk identification and analysis processes of a risk management program.
b) Preparedness is a continual cycle of planning, managing, equipping, training, exercising,
evaluating, and improving activities to ensure effective coordination and the
enhancement of crisis management capabilities within organizations. Common
preparedness measures include, but are not limited to:
i. Establishing a communications, command, and control system with defined and
tested roles, responsibilities, and capabilities;
ii. Establishing communication plans with easily understandable terminology and
methods;
iii. Creating management plans, protocols, and tools that can assist in guiding the
crisis team in resolving an incident;
iv. Developing exercise and training methodologies;
v. Creating support documents including emergency shelter and evacuation plans
and ensuring alignment with business continuity plans;
vi. Evacuation planning (including logistics, visas, and relocation planning); and


vii. Implementing and maintaining a crisis communication system that can help
identify the nature of a crisis and provide instructions when needed.
c) Response includes the mobilization of essential personnel to support crisis response
activities. This includes onboarding an effective leadership team quickly to coordinate
and manage efforts as they grow beyond essential personnel. The leader and team
should implement a disciplined, iterative set of response plans allowing initial
coordinated responses during crises.
d) Recovery efforts are focused on actions needed to restore operations to predetermined
levels in order to meet customer needs and identify opportunities for improvement. This
may include re-employment of personnel, rebuilding destroyed property, and the repair
of other essential infrastructure after a crisis. It differs from the response phase in that it
focuses on issues and decisions that should be made after immediate needs following a
crisis are addressed.
e) Lessons learned and post incident review – this process critically examines the cause of
the incident and the response that was applied. By learning and sharing internally, an
organization can strengthen its crisis response capability, as well as identify
opportunities for improvement and adaptation.
These processes are intended to enhance existing organizational crisis management capabilities
by establishing a crisis management structure that will provide integrated and coordinated
planning and response activities at all levels within an organization. They will also establish a
common and consistent set of notification and activation thresholds. The structure and
processes are designed to complement, not supersede, emergency response plans and
procedures at various functional organization units and facilities. When an incident occurs,
these units and facilities will follow established local response plans and procedures.
Figure 9 presents a notional hierarchy for a crisis management team in a large global
organization. Should a local crisis response team (LCRT) not be able to manage a crisis, it
would activate a broader crisis management team (CMT) that considers the impact of the crises
throughout the supply chain and the rest of the organization. Other teams to be activated as
needed, and focusing primarily on sustaining business operations, are a corporate crisis
management team (CCMT) and an executive crisis management team (ECMT). Ultimately the
size, nature, and scope of an organization’s operation will determine the most appropriate
levels of response.


Figure 9: Notional Crisis Management Structure and Engagement Model

Incidents with high severity can quickly require the focus of crisis teams throughout a global
organization. For example, the H1N1 swine flu pandemic, which originated in Mexico, led to
simultaneous activation of the LCRT and relevant CMT for one leading organization. Within
three days, the CCMT was activated and held regular briefings with the ECMT. Crisis
management bridges activities that respond to an emergency (any incident that can threaten
human life, health, property, or the environment if not controlled, contained, or eliminated
immediately through local level response) and those supporting the organization’s recovery
(prioritized actions to return the organization’s processes and support functions to operational
stability) and resumption (restarting defined business processes and operations to a
predetermined level) of operations.
Figure 10 presents a more generic process of how a CMT might approach an incident. Members
of the CMT continually monitor the supply chain for potential risks. Should an event occur,
members assess its consequence by making direct contact with suppliers in a region or through
direct feedback from suppliers, partners, or customers.


[Figure 10 text content: the CMT monitors global events for potential supply chain risk and, as
required, contacts suppliers or core team members to assist in assessing risk.]

Figure 10: Crisis Management Team Activation and Work Cycle

A crisis-response process includes the following steps, as depicted in Figure 11. Crisis response
uses a measured approach commensurate with the severity of the incident. (Annex G provides
a core-elements checklist for a crisis management program.)
1. Crisis Occurs/Crisis Identified – Incident identification and escalation protocols need to
exist in order to enable detailed assessment to occur. This involves defining trigger
levels and their resource requirements. This enables a team to then evaluate if the
incident could significantly affect the organization and the nature of the required
additional resources to support local efforts.
2. Gather Facts – Gather sufficient factual information to prepare an incident analysis.
3. Risk Assessment – Assess the severity and impact of the event.
4. Activate Crisis Team – Assemble the appropriate internal and external teams to provide
strategic and tactical support to mitigate or resolve the event. At this point, the team
may decide that the event can be adequately addressed with local resources and return
event control to the local crisis response team.
5. Stakeholder Communication – Establish a schedule to provide periodic communications
to persons working on behalf of the organization, customers, suppliers, financial
organizations, stockholders, and news media.


6. Crisis Management Event Control/Crisis Contained – Assess remaining risk, provide
necessary resources, and communicate with stakeholders until such time as the crisis is
contained. This phase encompasses business recovery and resumption.
7. Post Incident Review – Review and analyze the organization’s response to the event.
This may consist of two stages, a "hotwash" performed immediately after the event to
gather information and initially debrief stakeholders, followed by a detailed evaluation
as soon as practical after the incident to determine the lessons learned and the required
corrective actions. Conduct a root cause analysis of the incident to determine if the risk
was previously identified and plans were in place.
8. Maintenance, Training, and Preparation – Provide training on the SCRM plans and test
them periodically to ensure that the organization is prepared for future events.
Incorporate lessons learned into its crisis-management plan and distribute the updated
plan to crisis team members and appropriate stakeholders.

[Figure 11 flow: Crisis Occurs -> Crisis Identified -> Gather Facts -> Risk Assessment ->
Resolve Locally? (Yes/No) -> Activate Crisis Team -> Stakeholder Communication ->
Crisis Management Event Control -> Crisis Contained? (Yes/No) -> Post Incident Review ->
Maintenance, Training & Preparation, which feeds back into readiness for the next event.]

Figure 11: Ideal Crisis Response Process

6.4 Maintaining Resilience of Business Operations Post Incident


Business continuity planning comprises those activities, programs, and systems developed and
implemented prior to an incident that are used to respond to, mitigate, and recover from supply
chain disruptions, disasters, or emergencies. It is an ongoing process, not a one-time project. A
complete and tested plan gives an organization the framework to respond effectively to an
emergency, focus on protecting persons working on behalf of the organization and property,
communicating to key stakeholders, and recovering and restoring the priority business


activities within an acceptable time. These plans should be coordinated and tested alongside
those of suppliers, customers, and other key stakeholders.
To be effective, business continuity planning (also referred to as business continuity
management) should be an integrated management process supported from top management
and managed at both organizational and operational levels. A business continuity management
team should ensure that there are established organization risk tolerance levels and recovery
priorities, validated business recovery strategies, designated team members for activities and
functions, planning and documentation to achieve recovery time objectives, periodic testing and
exercising, and periodic evaluation of the business continuity planning program as based on
performance objectives.
Specific business continuity planning programs should be closely aligned to the risks identified
in the tiers of the supply chain including employee assistance, emergency response, crisis
management, and technology recovery to support restoration of operations.
Employee assistance programs help protect the most important assets and top priority of a firm:
its employees. Employee assistance programs, typically offered with a health-insurance plan,
can help persons working on behalf of the organization deal with personal problems that might
adversely affect their work, health, and well-being. Such plans generally include assessment,
short-term counseling, and referral services for persons working on behalf of the organization
and their household members. They may also offer housing assistance and salary advances.
Emergency response planning outlines procedures to follow immediately after any emergency.
Its objective is to protect people and property potentially impacted by events as identified in the
risk assessment process. Among other elements, it should include procedures for reporting
emergencies; activating the plan; evacuating and accounting for people; activating an
emergency operations center; updating lists of emergency contacts; emergency protocols for
data access, storage, and telecommunication; assessing damage, repairing and restoring
facilities; and testing emergency procedures. Business continuity planning and emergency
response planning are clearly separate plans utilized at different phases of a response. The
emergency response plan may not necessitate activation of the crisis management team or
business continuity plan. However, the emergency response plan should identify escalation
triggers that activate the CMT and business continuity plan.
Technology recovery planning should include information on who needs to act, what needs to
be done where, and when tasks need to be done to help resume operations. For example, for
data center operations, the technology recovery plan should describe steps needed to recover
and restore information technology infrastructure and services in case of site disaster. Disasters
can destroy communications centers necessitating their re-establishment. This should include
data backup and hardware redundancy or replacement plans. The plan should identify and
rank applications that support priority business activities. Mission critical data, for example,
should be backed up daily and stored offsite weekly, at a minimum. In addition, all
communications networks and platforms (to include infrastructure and devices) should be
available and periodically tested. This includes, but is not limited to, radio devices, mobile
telephones, Wi-Fi systems, and social networks.
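As an added example (not from the Standard) of turning the backup requirement above into a check that can run continuously, the following Python routine walks a constructed backup catalog and reports, per application, where the latest verified backup or offsite copy is older than policy allows. The tiers, the policy limits (tier 1 reproduces the daily/weekly minimum stated above), and the catalog entries are assumptions for the example; only restore-verified backups are counted, because an unverified backup is not a recovery capability.

```python
"""Backup freshness check against a per-tier policy.

Added example, not code from the Standard. The policy, tiers, and catalog
entries are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed policy: tier -> (max age of latest local backup, max age of latest
# offsite copy). Tier 1 mirrors the daily/weekly minimum for mission-critical data.
POLICY = {
    1: (timedelta(days=1), timedelta(days=7)),
    2: (timedelta(days=7), timedelta(days=30)),
}

# Constructed backup catalog; "verified" means a restore test succeeded.
CATALOG = [
    {"app": "order-management", "tier": 1, "kind": "local", "completed": "2014-03-27T23:10:00", "verified": True},
    {"app": "order-management", "tier": 1, "kind": "offsite", "completed": "2014-03-18T02:00:00", "verified": True},
    {"app": "warehouse-control", "tier": 1, "kind": "local", "completed": "2014-03-28T01:30:00", "verified": False},
    {"app": "warehouse-control", "tier": 1, "kind": "offsite", "completed": "2014-03-25T02:00:00", "verified": True},
    {"app": "hr-portal", "tier": 2, "kind": "local", "completed": "2014-03-22T23:00:00", "verified": True},
]


def check_backups(catalog, now, policy=POLICY):
    """Return {app: [finding, ...]} for every application whose latest verified
    local or offsite backup is missing or older than its tier allows.
    `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)

    # Latest verified completion time per (app, kind); unverified copies are ignored.
    latest = {}
    for entry in catalog:
        if not entry["verified"]:
            continue
        key = (entry["app"], entry["kind"])
        completed = datetime.fromisoformat(entry["completed"])
        if key not in latest or completed > latest[key]:
            latest[key] = completed

    tiers = {entry["app"]: entry["tier"] for entry in catalog}
    findings = {}
    for app, tier in tiers.items():
        max_local, max_offsite = policy[tier]
        for kind, limit in (("local", max_local), ("offsite", max_offsite)):
            completed = latest.get((app, kind))
            if completed is None:
                findings.setdefault(app, []).append(f"no verified {kind} backup")
            elif now - completed > limit:
                age = now - completed
                findings.setdefault(app, []).append(
                    f"{kind} backup is {age.days} days old (limit {limit.days})")
    return findings


if __name__ == "__main__":
    for app, problems in check_backups(CATALOG, "2014-03-28T12:00:00").items():
        for problem in problems:
            print(f"{app}: {problem}")
```

Run at noon on 2014-03-28 against the sample catalog, the check flags the stale offsite copy for order management, the warehouse system whose only recent local backup never passed a restore test, and the HR portal with no offsite copy at all; applications with fresh verified copies of both kinds produce no finding.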


Depending on the nature of an incident, certain plans may need to be activated while others
may not. For example, technology recovery plans may be activated during certain events (e.g.,
power outage) while other plans (e.g., business continuity plans or emergency response plans)
may not be activated if there is no major impact on business operations and/or threat to
personnel safety.

7 PERFORMANCE EVALUATION AND CONTINUAL MONITORING

7.1 General
Once an organization has established a SCRM program including processes for identifying and
treating risks, it should implement a monitoring program and evaluate plans, procedures, and
capabilities through periodic review, testing, post-incident reports, and other exercises. It
should check the conformity and effectiveness of the program, and establish, implement, and
maintain procedures for monitoring and taking corrective action as necessary. This includes
reviewing other organizational changes that may affect SCRM.
Self-assessment is an effective first step in performance evaluation. It provides an overall
view of the performance of the organization and the maturity of its management, and it applies
equally to SCRM. It yields a metric of performance level, helps identify areas for improvement
and/or innovation, and supports setting priorities for subsequent actions. The organization
should therefore use self-assessment as part of performance evaluation. A maturity model
self-assessment tool is given in Annex K.
Above all, organizations should test their plans periodically. People learn best by doing, hence
regular testing of risk treatment (security, crisis, and continuity) plans is necessary to ensure
they will work when needed. Organizations may test plans in four ways, including:
1. An orientation or “walk-through” to acquaint teams with the plan and their roles and
responsibilities in it.
2. A “tabletop” exercise to reinforce the logic and content of the plan and to integrate its
decision-making processes and provide “hands-on” experience. This may entail
presenting a team with a scenario and related events and posing problems to solve. The
exercise is designed to provoke constructive discussion and familiarize participants with
the plan, their roles and responsibilities, and possible gaps in the plan.
3. A functional test that creates simulations involving group interaction in actual
disruptions in order to validate the key planning components and strategies. Such tests
may include evacuation procedures.
4. A full-scale test to evaluate the plan and response through interaction of suppliers and
supply-chain partners.


Table 2 provides an overview of key properties of the four testing scenarios. The design of the
exercise and test should be based on risks identified in the risk assessment process.

Table 2: Overview of Key Properties of the Four Exercise and Testing Scenarios

Orientation (introductory, overview, or education sessions)
  Goal: Provides an overview of the plan to motivate and familiarize participants with team
  roles, responsibilities, expectations, and procedures. Useful when implementing a new plan
  or adding new staff/leadership.
  Benefits: Informal, easy to conduct, and low stress.
  Needs: 30-day planning cycle; 1 hour duration.

Tabletop (practical or simulated exercise)
  Goal: Presents a limited simulation of a scenario (in narrative format) to evaluate plans,
  procedures, coordination, and assignment of resources. Addresses one issue at a time and
  allows breaks for discussion. Familiarizes participants with specific roles.
  Benefits: Practices team building and problem solving.
  Issues: Somewhat detailed, with a medium stress level.
  Needs: 2-3 month planning cycle; 2-4 hours duration plus 30-60 minutes debriefing.

Functional (walk-through or specialized exercise)
  Goal: Simulates a scenario as realistically as possible in a controlled environment (short of
  moving personnel, equipment, and resources to an actual site), requiring the actual
  performance of response functions. Tests communications, preparedness, and availability of
  resources.
  Benefits: Decisions and actions occur in real time and generate real responses and
  consequences. Involves more participants, simulators, and evaluators such as local emergency
  services and media.
  Issues: Typically detailed, with a high stress level.
  Needs: 3-4 month planning cycle; 4-6 hours duration plus 30-60 minutes debriefing.

Full Scale (live or real-life exercise)
  Goal: Deploys personnel, equipment, and resources to a specific location for the real-time,
  real-life simulation of a scenario. Incorporates as many risk and resilience management
  functions as possible to test the entire risk management plan.
  Benefits: Evaluates operational capabilities in an interactive manner; facilitates
  communication and coordination across the organization and the public and private sectors.
  Issues: Detailed, expensive, and highly stressful.
  Needs: 6-8 month planning cycle; 6-8 hours duration plus 60-90 minutes debriefing.

Source: ASIS International Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis
Management, and Disaster Recovery, 2004.

SCRM plans should be tested at least annually to achieve desired SCRM objectives (not limited
to those elements required by regulation). Exercising and testing should incorporate changes in
plans or operating conditions.
Plans, like risks necessitating them, and risk treatments should be monitored over time. Risk
management is a dynamic process addressing operations in an ever changing environment.
Therefore, the adequacy and appropriateness of plans needs to be continually monitored and
adapted to changing conditions.


7.2 Exercising and Testing, and Adjusting the Plan


The goals and expectations of tests and exercises should include:
a) Validating effectiveness of SCRM plans and opportunities for improvement;
b) Testing capacity (e.g., abilities of an emergency communication system, generator
capacity, or back up information technology systems);
c) Reducing time to accomplish a crisis response process (e.g., repeating exercises so as to
shorten the incident management cycle such as response and recovery times);
d) Increasing awareness and knowledge among persons working on behalf of the
organization about the risk-management plan; and
e) Incorporating lessons learned from previous tests and actual incidents.
Testing should occur at regularly scheduled intervals. It should evolve over time, starting as a
relatively simple program. Future scenarios should increase in complexity as exercising and
testing needs develop further. These can consist of individual or group drills, tabletop
exercises, and fully functional hands-on exercises. Testing of this nature should involve
suppliers, customers, and other stakeholders as appropriate. Exercise and testing requirements
should be embedded within the procurement contract terms and integrated into the supplier
management processes.
Figure 12 provides a framework for exercises and testing. Testing, like the SCRM process,
begins with establishing the context, and, like the SCRM process, is a cyclical process. Both
involve planning, following through on the plans, checking their performance, acting to
improve their performance, and reconsidering the results, as well as considering changes in
the organizational context and how they might reshape the context, scope, and boundaries of
SCRM for an organization.


Figure 12: Framework for Exercises and Testing

The first step in testing, evaluating, and adjusting SCRM programs should be setting of goals
and expectations. Testing can keep response teams and persons working on behalf of the
organization effective in their duties, clarify their roles, and reveal weaknesses in the SCRM
program that should be corrected. In addition to testing the efficacy of risk treatment processes
and identifying opportunities for improvement, goals of the exercise and testing regime may
include:
a) Awareness and training of persons working on behalf of the organization;
b) Capacity testing;
c) Reducing the time necessary to accomplish a SCRM process (enhanced response times);
d) Team building;
e) Soliciting stakeholder input and testing assumptions of the risk assessment process;
f) Identification of persons for leadership roles in SCRM procedures; and
g) Improved coordination with first responders and other stakeholders.
In defining goals and expectations, it is important to consider that the scope of testing should be
planned to develop over time. Early tests could include evaluating individual components of
risk treatment plans. As the exercises and tests evolve, they should become increasingly
complex, covering the entire scope of SCRM plans and the interactions of components as well as
including external participation by public safety and emergency responders.
Top management commitment and participation is essential for a successful exercise and testing
program in planning, staging, and debriefing. A commitment to the exercise and testing
program lends credibility and authority to the entire SCRM process. Exercises should be
planned considering the risks to the organization as identified in the risk assessment as well as
the inherent risks of the exercise itself. Timelines, metrics, and feasibility also should be
considered during the planning process.
There are multiple roles that exercise and test participants perform. All participants should
understand their roles in the exercise and the exercise should involve all participants. As part
of the exercise, participants should be allowed to interact and discuss issues and lessons.
Documentation and communication protocols should be clearly established for the exercise to
provide the necessary data for evaluation. Emergency communications should also be
developed if problems arise during the conduct of the exercise.
After completion, the exercise should be critically evaluated with the participation of top
management. The evaluation should include, among other things, an assessment of how well
the goals and objectives of the test were achieved, the effectiveness of participation, and
whether the SCRM plans will function as anticipated in the case of a real crisis. An after action
report should be created as a reference to catalog measures of success, opportunities for
improvement, and lessons learned for subsequent exercises. Future exercising and testing, as
well as the SCRM program itself, should be modified as necessary based on the exercise results.
The exercise should be a driver for continual improvement of the SCRM program.

7.3 Tracking Change


Some risks, such as those posed by hurricanes and tornadoes, may not change much over time
other than in frequency and perhaps intensity. Other risks that organizations face, such as those
inherent in their processes, suppliers, or their regulatory environment, can change. As a result,
firms need to monitor risks, and how to address them, over time. The example below reviews
the nature of regulatory risks and how organizations can respond to and monitor them.
While perhaps not obvious at first, regulations can create significant supply-chain risks. They
can affect import and export documentation and compliance requirements, as well as shipment
safety and security issues, thereby affecting shipment costs and creating the risk for delays and
financial penalties. Regulations can affect the countries or states in which an organization may
work, as well as those in which its suppliers may work.
Some recent examples of U.S. regulations affecting supply-chain processes include the
requirement of the Transportation Security Administration for screening of all cargo on
passenger jets, U.S. Customs and Border Protection's requirement for new data elements on the
Importer Security Filing (ISF) regulation for all ocean shipments, and Customs regulations
requiring use of a high-security bolt seal on all ocean shipments. The air-cargo screening
requirement adds costs for new screening facilities as well as new risks of delay at points where
adequate screening capacity might not exist. The ISF reporting requirement adds costs for
compliance and shipment-delay risks if reporting is not done properly. The high-security bolt
requirement can also add risk of delays or even rejection of a shipment should shippers fail to
comply. Compliance failure in any of these or other regulations could also result in financial
penalties, embarrassing news coverage, or even loss of license to do business.
To summarize, failure to monitor, shape, and respond to new regulations can pose significant
risks for the supply chain. Below are some guidelines and current best practices for an
organization seeking to minimize such risks. Like all recommendations in this Standard, these
are meant primarily as guidelines to provoke thought, and from which organizations may wish
to select for adaptation to their own circumstances. An effective risk-mitigation program for
legislative and regulatory requirements should help an organization monitor proposed or
pending regulations, participate in the process shaping final regulations, plan and respond to
changes in regulation, avoid compliance penalties, and ensure the smooth flow of incoming and
outgoing shipments.
In monitoring risks, organizations should seek to become aware early of proposed legislative
and regulatory initiatives, understand how they might affect their business, and share with
internal decision makers to determine a response. Some means to do this include establishing a
“government affairs” function or assigning individual responsibility to monitor proposed
legislation and regulations, creating an internal network of individuals who monitor regulatory
issues, joining trade associations that monitor these and subscribe to their newsletters and
bulletins, and developing other external contacts to monitor legislative and regulation changes.
Monitoring should include assessing the risk of emerging regulation, tracking compliance with
existing regulations, and identifying the points of the supply chain that will be affected by
regulations. Annex J provides some sample regulatory and compliance requirements, points
along the supply chain they may affect, and what control, if any, an organization may have over
them.
To shape regulations, organizations should seek to participate in the legislative and rulemaking
process. They may develop an internal process for tracking and responding to regulatory
notices, using this process to identify the consequences of new regulations and to offer
preferred alternatives. They might establish an internal capacity, or hire an external consultant
or lobbyist, to represent the organization in the development of legislation or regulations.
Joining and participating in industry associations provides another means for interacting with
political or government-agency leaders who shape legislation and regulations. Organizations
may seek opportunities for volunteering to participate on industry advisory committees or
other outreach events that government agencies use in developing and seeking feedback on
regulatory changes.
In responding to regulations, organizations should prepare in advance to avoid or mitigate the
risks, including costs, delays, and penalties inherent in new regulations. While monitoring and
seeking to shape pending regulatory requirements, organizations should develop, with early
executive support and funding, an internal process or team of cross-functional representatives
to analyze pending regulations and plan how to address each one. For new regulations,
organizations should communicate details to partners and help them prepare to support the
new requirements. New requirements may also require organizations to update their
contractual terms and conditions with their supply chain partners. Developing and
implementing plans to monitor the supply chain as new regulations go into effect can ensure
that compliant processes are in place and working.
New regulations, like other evolving areas with which an organization should contend, can
create significant risks for supply chains. These risks may range from costs to delays to
compliance penalties to still other areas. To be resilient, a supply chain should have the
capacity to monitor, shape, and respond to evolving areas such as new regulations.

7.4 Monitoring and Reviewing the Risk Management Program


A SCRM program is not a one-off process; rather, it is an ongoing, dynamic, and living process.
As a result, the organization should establish and maintain a process for monitoring and
reviewing the SCRM program to:
a) Update risk assessments as needed;
b) Identify and evaluate the effect on the risk assessment and management of the changes
in context, assumptions, and other factors that may change over time due to internal and
external circumstances;
c) Evaluate the effectiveness of risk treatments; and
d) Evaluate the actual effectiveness after exercise and the manifestation of undesirable and
disruptive events.
The Plan-Do-Check-Act model provides a good method for ongoing monitoring, review, and
improvement of the risk assessment process.
Figure 13 shows one potential set of processes to ensure risk management becomes an integral
part of running any business. The key factors are to include a review of risks and risk
treatments in ongoing business meetings, incorporate risk information into annual business
planning, and ensure mechanisms are in place to identify new and emerging risks.


Figure 13: Integrating Risk Management into Business Operations

Effective SCRM is essential to a successful business. As globalization increases, so too do the
interdependencies and complexities between suppliers, logistics providers, and a successful
enterprise. A breakdown in any part of the supply chain connecting these entities can
potentially lead to catastrophic consequences.
The guidelines in this Standard are intended to assist in the crucial task of establishing an
effective SCRM program tailored to the unique characteristics of each organization. These
principles should be integrated into the other key corporate procedures and policies that
address procurement and general risk management including supplier-management routines.
While no risk management program can fully predict, mitigate, or prevent all risks or
consequences, organizations that proactively implement a supply chain risk-management
program will be more resilient and prepared for the day when a "risk" becomes "real."


Annex A
(informative)

A INFORMATION AND COMMUNICATION TECHNOLOGIES (ICT) SECURITY

A.1 Introduction
An organization will be better able to achieve its objectives by understanding and incorporating
the convergence of risk management (including security, crisis, continuity, and recovery
management) with information technology systems in all of the elements of its SCRM. The
benefits information and communications technologies provided to supply chain management
can be significant (e.g., in implementation, operability, replacement, and overall cost efficiency);
however, this creates additional risks as well as associated threats and vulnerabilities to the
individual and collective systems.
The architecture of an organization’s information and communication system plays a critical
role in its supply chain and the management of supply chain risk. An information system is a set
of information resources organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information. This definition includes the environment in which the
information system operates (i.e., people, processes, technologies, facilities, and cyberspace).6
Information systems also include specialized systems such as industrial control systems (ICS),
distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems,
telephone switching and private branch exchange (PBX) systems, and environmental control
systems.
A growing threat to the supply chain is the compromise of critical information (documents,
voice, and data). Another threat to the supply chain involves cyber threats to the supply chain’s
information and communication technologies. Therefore, ICT risk management is an integral
part of a holistic SCRM strategy.
The need to protect information cannot be overstated, nor considered separate from the protection
of tangible assets. Frequently it is much harder to recover from the loss of intangible assets than
the loss of tangible assets. Understanding of the need to protect information in all its forms is
critical to comprehensive SCRM. ICT systems provide opportunities for great efficiency, but
they are vulnerable to various forms of loss and attack. The integration of ICT into all supply
chain activities is related to the provision of goods and services from point of origin of raw
materials to point of consumption. Therefore, consideration of ICT risks should be included in
all the risk assessments of activities and functions in a supply chain.

6 Committee on National Security Systems (CNSS) Instruction number 4009 dated April 26, 2010. See:
http://www.cnss.gov/assets/pdf/cnss_4009.pdf.

A.2 Implementing ICT SCRM


SCRM is a multidisciplinary practice with a number of interconnected enterprise processes
that, when performed correctly, can help manage the risk of utilizing ICT products and
services. Consideration of ICT should be included in all aspects of the risk management
process described in ISO 31000 and discussed above. As with any other risk, ICT-related
risks need to be considered with an understanding of the objectives of the organization
and its internal and external context.
When establishing the context of the organization and its supply chain, organizations should
include an understanding of ICT supply chain risks in their supply chain mapping exercises.
This can be accomplished by understanding:
a) Cost and scheduling constraints;
b) Integration of information security requirements into the acquisition language;
c) Use of applicable baseline security controls as a source for security requirements;
d) Robustness of software quality control processes; and
e) Availability of multiple delivery routes for priority system elements.
When evaluating ICT risk, the organization should consider risk from three perspectives:
a) Uncertainty related to the organization achieving its overall objectives;
b) Business processes supporting the mission of the organization; and
c) The tactical level of ICT implementation.
The risk assessment should consider all three of these perspectives to support risk treatment
decisions for SCRM. ICT risk needs to be considered both as an existing risk inherent in the
supply chain and in the design of the ICT for the supply chain.
During the risk identification phase of the risk assessment, threat, vulnerability, and criticality
analysis should consider:
a) Planning cycles and investment planning;
b) Complexity of systems;
c) Life-cycle of ICT architecture and systems;
d) Criticality/sensitivity of the information and information systems;
e) Age of software systems and updating policies; and
f) Access of supplier data systems to the public internet.
Implementing an ICT SCRM program is not unlike non-ICT risk management initiatives
except that ICT is subject to a variety of cyber security threats. Because ICT facilitates the
passage of supply chain products and services, ICT risk management becomes an imperative of
the organization.

A.3 Convergence and SCRM Management Practices


Security convergence is a managed process that applies the principles of security risk
management to the convergence of individual SCRM physical and information security systems
and their integration into an organization’s enterprise security systems and enterprise risk
management processes. This creates a single managed integrated process aligned to meet the
organization’s overall security requirements which is integral to the success of SCRM and the
overall risk management program. (For additional information, see ANSI/ASIS-PAP.1, Security
Management Standard: Physical Asset Protection.)
SCRM should take advantage of all business practices which have developed over the years
for physical and cyber security. The experiences and the advantages which have been
developed through the growth of both domains provide significant advantages in SCRM.
Enterprise Security Risk Management (ESRM) is recognized as a progressive security
management practice. Combined with security convergence, ESRM can be useful in setting up
SCRM processes.
In many organizations, different aspects of security risk management (e.g., supply chain risk
management, physical asset protection, human resource security, information security,
communications security, and continuity management) are managed as separate activities. The
recognition of the interdependence of these business functions and processes has led to the
development of a more holistic approach to SCRM management.
SCRM has become highly dependent on information technology networks, often sharing a
common infrastructure and technology platform. Security systems should not be integrated
into an enterprise’s computer network unless the enterprise can clearly secure the systems both
physically and logically from intentional or unintentional interference. ICT systems can become
the weak point an attacker can exploit to obtain critical information about an organization or
disable security systems. Rather than having asset protection and security solutions managed
by different business functions applying subjective risk controls to their threat specific
vulnerabilities, convergence provides a common platform where these solutions are assessed
and treated from the perspective of a shared risk environment. The benefits that information
and communications technologies provide to SCRM can be significant (e.g., in implementation,
operability, replacement, and overall cost efficiency); however, this creates additional risks and
vulnerabilities to the individual and collective systems. Security convergence applies a
comprehensive view to the converged security risks, enabling a broad strategic approach that
encompasses all areas of security risk as well as providing for integration with technological
advancements.
The ISO/IEC 27001 standard on information security outlines strategies and controls for
information security. It provides a management systems approach and therefore can be used
seamlessly with this Standard. Likewise, the ANSI/ASIS/BSI BCM.01 business continuity
standard can also be used with this Standard to manage the consequences of a disruptive event.
All of these standards can be applied simultaneously in a single converged management system
standard using the ANSI/ASIS SPC.1 organizational resilience standard.
The application of security convergence should establish:
a) A cost effective strategy that protects people, information, and property across
functions;
b) Governance that ensures top management commitment and allocates ownership and
accountability to the converged security risk management program;
c) A cross-discipline and cross-functional risk assessment and management framework
that identifies, analyzes, evaluates, and treats all security risks within a singular
managed process;
d) A risk management process that monitors all security risk controls and reports
weaknesses, vulnerabilities, attacks, and systems failures collectively;
e) A process for ongoing monitoring of changes in communications and information
technology risks;
f) Systems that measure and assess the asset protection and SCRM performance
individually, collectively, and as an entirety of the organization’s risk controls;
g) A security risk management framework that functions in synergy with the
organization’s collective risk considerations;
h) Strategies that co-ordinate a unified response to disruptive events (attacks), mitigate
their consequences, and evaluate and report both the incident and response in order to
improve controls to further reduce the likelihood and impacts of an event; and
i) A framework that integrates procedures for the protection of all tangible and intangible
assets.


Annex B
(informative)

B EXAMPLES OF ORGANIZATIONAL RESILIENCE PROCEDURES

B.1 General
Building a resilient organization is part of any good business management strategy. In order to
thrive and survive, organizations need to adapt to an ever changing environment. To be agile
and resilient in order to achieve the organization’s objectives, the organization needs to leverage
all the disciplines that contribute to managing risk. For organizations to cost-effectively manage
risk, they must develop balanced strategies to adaptively, proactively, and reactively address
maximizing opportunities and minimizing the likelihood and consequences of potential,
undesirable, and disruptive events (see ANSI/ASIS SPC.1-2009).

The organization should establish, implement, and maintain procedures to prevent and manage
disruptive events which have the potential to harm the organization, its key stakeholders
including supply chain partners, and the environment.

Procedures should be concise and accessible to those responsible for their implementation. Flow
charts, diagrams, tables, and lists of actions should be used rather than expansive text.

The purpose and scope of each procedure should be agreed by top management and
understood by those responsible for its implementation. Dependencies and interdependencies
should be identified and the relationships between procedures, including those of the
emergency services and local authorities, should be stated and understood. The following
sections provide more information on selected procedures. At the end of this annex are some
templates for different plans.

B.2 Prevention and Mitigation Procedures


The purpose of a prevention or mitigation procedure is to define the measures to be taken by
the organization to minimize the likelihood of a disruptive event or to minimize the potential
for the severity of the consequences of the event.

Prevention procedures should describe how the organization will take proactive steps to protect
its assets by establishing architectural, administrative, design, operational, and technological
approaches to avoid, eliminate or reduce the likelihood of risks materializing, including the
protection of assets from unforeseen threats and hazards.

Mitigation procedures should describe how the organization will take proactive steps to protect
its assets by establishing immediate, interim, and long-term approaches to reduce the
consequences of risks before they materialize, including the protection of assets from
unforeseen threats and hazards.

Organizations may choose to have a single procedure with sections and/or annexes dealing
with different types of incident. Alternatively, separate procedures may be written for each type
of incident.

Each procedure should specify as a minimum:

a) The purpose and scope of the procedure;
b) Assets to be protected from the disruptive event;
c) Objectives and measures of success;
d) Implementation steps and the frequency with which the procedure is carried out;
e) Roles, responsibilities, and authorities;
f) Communication requirements and procedures;
g) Internal and external interdependencies and interactions;
h) Resource, competency, and training requirements; and
i) Information flow and documentation processes.
The organization should nominate a primary ‘owner’ of each prevention and mitigation
procedure and should state who is responsible for reviewing, amending, and updating the
procedure. The process of reviewing, amending, updating, and distributing procedures should
be controlled.

Examples of prevention and mitigation procedures include the following:

a) Eliminate the risk by complete removal of the threat, or risk exposure;
b) Reduce the risk by modifying activities, processes, equipment, or materials;
c) Isolation or separation of the risk from assets (human or physical);
d) Engineering controls to detect, deter, and delay a potential threat agent;
e) Administrative controls such as work practices or procedures that reduce risk; and
f) Protection of the asset if the risk cannot be eliminated or reduced.

B.3 Response Procedures


The purpose of a response procedure is to define the initial measures to be taken by the
organization in response to a disruptive event.

Response procedures should describe how the organization will respond to one or more types
of disruptive events. Organizations may choose to have a single procedure with sections and/or
annexes dealing with different types of incidents. Alternatively, separate procedures may be
written for each type of incident.

Some response procedures may be implemented in advance of a disruptive event, for example
in the expectation of harm from a forthcoming tropical cyclone, bush fire or malicious attack on
the organization or a supply chain partner. In such circumstances, emphasis will be given to
protecting and/or removing priority assets and to communicating the risk of harm to staff and
to external organizations and authorities.

Each procedure should specify as a minimum:

a) The purpose and scope of the procedure;
b) Priority assets to be protected during the disruptive event;
c) Priority activities to be maintained during the disruptive event;
d) Measures to limit the form and extent of environmental damage caused by the
disruptive event;
e) Situations/conditions in which each procedure will be implemented;
f) Criteria that will determine whether the disruptive event is to be classed as an incident,
accident, emergency, crisis, and/or a disaster;
g) Criteria that will indicate the end of the response phase;
h) Roles and responsibilities of individuals and groups required to implement the
procedure;
i) The organizational structure to be used, including the establishment of an incident
command center, and links with external agencies such as the emergency services and
occupational health and safety bodies;
j) Procedures for communicating within the organization to key external stakeholders
including supply chain partners, the emergency services, local authorities, and the
media; and
k) Contact details of all individuals responsible for implementing the procedure and others
who need to be notified that the procedure is to be, or has been, implemented.
The organization should nominate a primary ‘owner’ of each response procedure and should
state who is responsible for reviewing, amending, and updating the procedure. The process of
reviewing, amending, updating, and distributing procedures should be controlled.
NOTE: Response procedures are sometimes referred to as emergency response procedures.

B.4 Continuity Procedures


The purpose of a continuity procedure is to define the measures to be taken by the organization
to maintain and/or re-establish priority activities of the organization and its supply chain
partners.


Continuity procedures should describe how the organization will maintain and/or re-establish
critical activities in the period immediately following the response/emergency phase.
Organizations may choose to have a single procedure with sections and/or annexes dealing
with different types of incident. Alternatively, separate procedures may be written for each type
of incident.

Each procedure should specify as a minimum:

a) The purpose and scope of the procedure;
b) Priority assets to be protected during and immediately following the disruptive event;
c) Priority activities to be maintained during and immediately following the disruptive
event;
d) Activities to be restored as a priority following the disruptive event;
e) Measures to limit the form and extent of environmental damage caused by the
disruptive event;
f) Situations/conditions in which each continuity procedure will be implemented;
g) Criteria that will indicate the end of the continuity phase;
h) Roles and responsibilities of individuals and groups required to implement the
procedure;
i) The organizational structure to be used, including links with external agencies such as the
emergency services and occupational health and safety bodies;
j) Procedures for communicating within the organization to key external stakeholders
including supply chain partners, the emergency services, local authorities, loss
adjusters/insurance companies, and the media; and
k) Contact details of all individuals responsible for implementing the procedure and others
who need to be notified that the procedure is to be implemented.
The organization should nominate a primary ‘owner’ of each continuity procedure and should
state who is responsible for reviewing, amending, and updating the procedure. The process of
reviewing, amending, updating, and distributing procedures should be controlled.
NOTE: Continuity procedures may run concurrently with response and recovery procedures.

B.5 Recovery Procedures


The purpose of a recovery procedure is to define the measures to be taken by the organization
to recover from a disruptive event and thus ensure it is able to meet its strategic and operational
objectives.

Recovery procedures should describe how the organization will re-establish all necessary
operational and support activities, replace damaged and/or destroyed assets and information,
rebuild the brand and reputation of the organization, and assist staff to recover from the event.

54
ANSI/ASIS SCRM.1-2014

Organizations may choose to have a single procedure with sections and/or annexes dealing
with different types of incident. Alternatively, separate procedures may be written for each type
of incident.

Each procedure should specify as a minimum:

a) The purpose and scope of the procedure;
b) Operational and support activities to be re-established and/or restored, and the priority of such restoration;
c) Assets, including property, equipment, information, vehicles, and stores, to be repaired and/or replaced, and the priority for such repair and replacement;
d) Assistance to staff affected, either physically or psychologically, by the disruptive event;
e) Actions to be taken to rebuild the organization's brand and reputation;
f) Actions to be taken to mitigate any environmental damage;
g) Situations/conditions in which each recovery procedure will be implemented;
h) Criteria that will indicate the end of the recovery phase;
i) Roles and responsibilities of individuals and groups who will be required to implement the procedure (it may be necessary to modify the normal procurement procedures in order to rapidly restore the organization's activities and assets);
j) The organizational structure to be used, including links with external agencies such as occupational health and safety bodies and loss adjusters/insurance companies; and
k) Procedures for communicating within the organization and to key external stakeholders, including supply chain partners, the emergency services, local authorities, and the media.

The organization should nominate a primary 'owner' of each recovery procedure and should state who is responsible for reviewing, amending, and updating the procedure. The process of reviewing, amending, updating, and distributing procedures should be controlled.

NOTE 1: Recovery procedures may run concurrently with continuity procedures.

NOTE 2: Recovery procedures are sometimes referred to as recovery and restoration procedures.


PREVENTION AND MITIGATION TREATMENT PLAN

Function/Activity:
Risk:                                        Risk Reference Number:

Mitigation Procedure
  The Purpose and Scope of the Procedure:
  The Assets to be Protected:
  Objectives and Measures of Success:
  Implementation Steps and Frequency:
  Roles, Responsibilities and Authorities:
  Communications Requirements:
  Internal and External Interdependencies and Interactions:
  Resource, Competency and Training Requirements:
  Informational Flow and Documentation:

Received by:            Date:            Reviewed/Approved by:            Date:

RESPONSE TREATMENT PLAN

Function/Activity:
Risk:                                        Risk Reference Number:

Response Procedure Owner:
  The Purpose and Scope:
  Priority Assets to be Protected:
  Priority Activities to be Maintained:
  Measures to Limit Damage:
  Situation/Conditions in Which Plan Will be Implemented:
  Criteria for Classifying an Event:
  Criteria for Indicating the End of the Response Plan:
  Roles and Responsibilities of Individuals and Groups:
  Organization Structure to be Used, Including Incident Command & External Links:
  Procedures for Communication within the Organization:
  Contact Details of All Individuals:

Received by:            Date:            Reviewed/Approved by:            Date:
ANSI/ASIS SCRM.1-2014

CONTINUITY TREATMENT PLAN

Function/Activity:
Risk:                                        Risk Reference Number:

Continuity Procedure Owner:
  The Purpose and Scope:
  Priority Assets to be Protected:
  Priority Activities to be Maintained:
  Activities to be Restored as a Priority After an Event:
  Measures to Limit the Damages Caused by the Event:
  Situation/Conditions in Which Plan Will be Implemented:
  Criteria for Indicating the End of the Continuity Plan:
  Roles and Responsibilities of Individuals and Groups:
  Organization Structure to be Used, Including Incident Command & External Links:
  Procedures for Communication Within the Organization:
  Contact Details of All Individuals Involved:

Received by:            Date:            Reviewed/Approved by:            Date:

Annex C
(informative)

C EXAMPLES OF RISKS BY CATEGORY AND TYPE


This annex provides a list of some examples of risk and sources of uncertainty.

EXTERNAL, END TO END SUPPLY CHAIN RISKS

Natural Disasters
• Epidemics
• Earthquakes
• Weather disasters (hurricanes, tornados, storms, blizzards, floods, droughts)
• Tsunamis
• Volcanoes

Accidents
• Fires
• Explosions
• Structural failures
• Hazardous spills

Sabotage, Terrorism, Crime, and War
• Cyber attacks
• Product tampering
• Intellectual property theft
• Physical theft, tampering, and destruction of property
• Kidnapping and hostage taking
• Bombings
• Biological and chemical weapons
• Blockades
• Fraud, graft, bribery, corruption, and counterfeiting
• Industrial espionage

Government Compliance and Political Uncertainty
• Taxes, customs, and other regulations
• Compliance issues
  o Regulatory financial reporting (e.g., Sarbanes-Oxley)
  o Operations
  o Logistics/trade
  o Trade restrictions (e.g., Buy American Act)
  o Regulatory audit history
  o Regulatory approvals (marketing approvals)
  o Public health
  o Environmental
• Currency fluctuations
• Political unrest
• Boycotts
• Political stalemate
• Corruption
• Transparency

Labor Unavailability and Shortage of Skills
• Availability
• Quality
• Cost unrest
• Strikes and slowdowns

Industry-wide (i.e., Market) Challenges
• Capacity constraints
• Unstable prices
• Lack of competition
• Entry barriers
• Capital requirements
• Specific assets
• Design patents
• Process patents
• Shrinking industry
• Low supplier profitability
• Certification
• Cost trends
• Recessions/inflation
• Language and cultural differences

Lawsuits
• Environmental
• Health and safety
• Intellectual property

Technological Trends
• Emerging technologies (pace/direction)
• Obsolescence
• Other technological uncertainty

SUPPLIER RISKS: EXTERNAL, CONTRACT MANUFACTURERS, OR INTERNAL BUSINESS UNIT

Physical and Regulatory Risks
• Key suppliers located in high risk areas
• Material unavailability/poor planning
  o Raw materials
  o Other materials
• Legal noncompliance/ethical practices
  o Labor practices
  o Safety practices & performance
  o Environmental practices
  o History & outcomes of lawsuits
  o Tax practices
• Regulatory noncompliance
  o Customs/trade
  o Security clearance requirements
  o History & outcomes of regulatory audits
  o Regulatory certification requirements (e.g., Food & Drug Administration, Federal Aviation Administration)
  o Critical disclosure (International Traffic in Arms Regulations, ITAR)

Production Problems
• Capacity
  o Too little, too much, or diminishing
  o Order and shipping times
  o Out of stock (i.e., no/low inventory)
  o Performance history, equipment age & downtime (manufacturing & testing equipment)
  o Repair cycle time
• Poor quality
  o Defects/contamination in manufactured product
  o Mislabeling of items
  o Lack of training or knowledge
• Inflexible production capabilities (long setup times)
• Lead times
  o Backlogs
  o Unresponsive
  o Unreliable
  o Variable
• Technological inadequacies or failures
  o Incompatible information systems
  o Slow adoption of new technology

Financial Losses and Premiums
• Degree of competition/profitability
  o Downstream integration or too much competition
  o Little/no competition (sole source)
• Financial viability
  o Inability to sustain in a downturn
  o Bankruptcy
  o Withdrawal from the market
  o Mergers & acquisitions

Management Risks
• Inadequate risk management planning
  o Lack of business continuity plans
  o Lack of requirements for supplier's supplier business continuity plans
  o Poor metric scorecards
• Management quality
  o High turnover
  o Dishonesty
  o Poor labor relations
• Substituting inferior or illegal materials/parts
  o Failing to perform required treatments/tests
  o Submitting inaccurate/false invoices
• Poor communication
  o Internal
  o External
  o Transparency of data & operations
• Lack of continuous improvement
  o Unwillingness
  o Cost escalation
  o Opaque processes
  o Opportunistic behavior
  o Inflation of purchase costs
• Upstream (i.e., subcontractors and their subcontractors) supply risks
  o Any of the above external/supplier risks
  o Lack of visibility into subcontractors
  o No or poor relationships with subcontractors
  o Diminishing sources of supply
  o Transition "costs" for new suppliers
• Dependence on one or a few customer(s)

DISTRIBUTION RISKS/DISRUPTIONS: INBOUND OR OUTBOUND
• Infrastructure unavailability
  o Roads
  o Rails
  o Ports
  o Air capacity/availability
• Labor unrest/unavailability
  o Truck drivers
  o Rail operators
  o Longshoremen
  o Pilots
• Assets: lack of capacity or accidents
  o Containers
  o Trucks
  o Rail cars
  o Ships
  o Airplanes
• Cargo damage/theft/tampering
  o Physical damage
  o Theft and other security problems
  o Tracking the damage
  o Environmental controls (e.g., temperature, humidity)
• Warehouse inadequacies
  o Lack of capacity
  o Inaccessibility
  o Damaged environmental controls (e.g., temperature, humidity)
  o Lack of security
• Long, multi-party supply pipelines
  o Increased chance of all problems above
  o Longer lead time
• IT system inadequacies/failures

INTERNAL, ENTERPRISE RISKS

Operational Risk
• Loss of inventory (damage, obsolescence)
• Equipment loss, mechanical failures
• Process issues
  o Process reliability
  o Process robustness
  o Lead time variability
  o Inflexible production capabilities (long set up times, etc.)
• Theft, product diversion, and sabotage
• Environmental performance to permits/other
• Poor quality
  o Defects in manufactured product
  o Failure to maintain equipment
  o Lack of training or knowledge
• Capacity
  o Too little, too much, or diminishing
  o Order and shipping times
  o Out of stock (i.e., no/low inventory)
  o Performance history, equipment age & downtime (manufacturing & testing equipment)
  o Repair cycle time
• Fraud, IP theft, and industrial espionage

Government Compliance and Political Uncertainty
• Taxes, customs, and other regulations
• Currency fluctuations
• Political unrest
• Boycotts

Demand Variability/Volatility
• Drawdown of the stockpile
• Exceeding maintenance replacement rate
• Shelf life expiration
• Surges exceed production, repair, or distribution
• Shortfalls

Personnel Availability/Skills Shortfalls
• Sufficient number
• Sufficient knowledge, skills, experience
• Union contract expiration
• High turnover rate

Design Uncertainty
• Changes to requirements
• Lack of technical detail
• Lack of verification of product
• Changes to product configuration
• Design for supply chain (e.g., obsolescence, standardization, and commonality)
• Reliability estimates of components
• Access to technical data
• Failure to meet design milestones
• Poor specifications

Planning Failures
• Forecast reliability/schedule availability
• Planning data accuracy
• Global visibility of plans & inventory positions
• Competition/bid process
• Acquisition strategy
• Manufacturability of a design
• Program maturity
• Subcontracting agreements

Financial Uncertainty/Losses
• Funding availability
• Work scope/plan creep
• Knowledge of supplier costs
• Strategic risk

Facility Unavailability/Unreliability/Capacity
• Facility breakdown
• Mechanical failures
• Sites located in high risk areas
• Adequate capacity

Testing Unavailability/Inferiority/Capacity
• Unreliable test equipment
• Operational test qualifications
• Operational test schedule
• Integration testing
• Transition from first test to mass production

Enterprise Underperformance/Lack of Value
• Customer satisfaction/loyalty
• Liability
• Cost/profit
• Customer demand
• Uniqueness
• Substitutability
• Systems integration
• Other application/product value

Supplier Relationship Management (SRM) Use
• Contract/supplier management availability and expertise
• In-house SRM expertise
• Lack of internal and external communication/coordination
• Supplier development and continuous improvement
• Supplier communications (EDI web, real time demand, plans, forecasts, technology roadmaps)

Annex D
(informative)

D EXAMPLES OF GENERIC ELEMENTS FOR SUPPLY-CHAIN SECURITY AGREEMENTS

These recommendations are generic and may not fully satisfy specific national or international supply chain requirements or recommended measures. The organization should consult legal counsel to ensure that proper contractual terms and conditions are in place requiring its suppliers and logistics partners to comply with proper supply chain security procedures. The organization should take the following elements into consideration when entering into supply chain security agreements, which should be tailored to the organization's needs and jurisdictions of operation.

D.1 Elements to Consider for Supplier Agreements:

A. For services provided or purchased goods shipped directly to Buyer, Seller agrees to:
1) Comply with the following supply chain security requirements from the Point of Origin (the site where goods are assembled, manufactured, packaged, and shipped).
2) Include this provision in its agreements with applicable Subcontractors, defined as sub-tier manufacturers or suppliers that ship goods directly from their own facilities to Buyer, and those suppliers engaged in packaging or transport of Buyer shipments (including but not limited to freight forwarders, third party logistics companies, and packagers).
3) Be responsible to Buyer for any breach of such requirements by its Subcontractors.
B. Seller will maintain adequate security controls and procedures, including:
1) Seller subcontractor selection process: Seller should have documented processes for the selection of its Subcontractors. The process should ensure that such Subcontractors maintain adequate security controls and procedures and that an appropriate governance system for security control assurance is maintained.
2) Physical security: Facilities should be protected against unauthorized access, including but not limited to cargo handling and storage facilities, which should have physical security deterrents.
a) All entry and exit points for vehicles and personnel should be controlled.
b) Secure with locking devices all external and internal windows, gates, and doors through which unauthorized personnel could access the facility or cargo storage areas.
c) Provide adequate lighting inside and outside facilities to prevent unauthorized access.
3) Access controls: Prevent unauthorized entry into facilities using access controls which
may include but are not limited to badge readers, locks, key cards, or security personnel.
a) Positively identify all persons at all points of entry to facilities.
b) Maintain appropriate access controls for the issuance and return of identification and
access badges.
c) Upon arrival, photo identification should be required for all visitors.
d) Authorized persons working on behalf of the organization should escort visitors at
all times.
4) Personnel security and verification: Screen prospective persons working on behalf of
the organization consistent with local regulations. Verify employment application
information prior to employment.
5) Ocean Container and Truck Trailer Security: Maintain container and trailer security to
protect against the introduction of unauthorized material and/or persons into
shipments. In the event containers are stuffed, inspections should be made of all ocean
containers or truck trailers prior to stuffing, including but not limited to the inspection
of the reliability of the locking mechanisms of all doors.
a) Ocean container and truck trailer seals: Properly seal and secure shipping containers and trailers at the point of stuffing. Affix a high security seal to all access doors on truck trailers and ocean containers. Such seals should meet or exceed the current ISO 17712 standard for high security seals.
b) Ocean container and truck trailer storage: Empty or stuffed ocean containers and
truck trailers should be stored in a secure area to prevent unauthorized access and/or
manipulation.
c) Security training to be provided to the drivers on recognizing and mitigating risks.
The training should include prevention, awareness, and response to promote safe
and secure actions.
d) Security measures should be commensurate with the value of goods and level of
risk. Enhanced security measures include but are not limited to vehicle alarm and
immobilization devices, secured truck cabin, vehicle tracking, concealed load
tracking, GPS technology, and overt or covert escort with real time communication
to local law enforcement agencies.
e) Retain a customs representative to witness all customs inspections on international
container shipments. After the container has cleared customs, it should be secured
with a seal and a padlock.
6) Information technology security: Maintain IT security measures to ensure all automated systems are protected from unauthorized access.
a) Use individually assigned accounts that require a periodic change of password for all automated systems.
b) Maintain a system to identify abuse of IT resources, including but not limited to improper access and tampering with or altering of business data, and discipline violators.
7) Procedural security: maintain, document, implement, and communicate the following
security procedures to ensure the security measures in this clause are followed and
should include:
a) Procedures for the issuance, removal, and changing of access devices.
b) Procedures to identify and challenge unauthorized or unidentified persons
c) Procedures to remove identification, facility, and system access for terminated
individuals.
d) Procedures for IT security and standards.
e) Procedures for control of personal containers.
f) Procedures to verify application information for potential persons working on behalf
of the organization.
g) Procedures for persons working on behalf of the organization to report security
incidents and/or suspicious behavior.
h) Procedures for the inspection of ocean containers or truck trailers prior to stuffing.
i) Procedures to control, manage, and record the issuance and use of high security bolt
seals for ocean containers and truck trailers. Such procedures should stipulate how
seals are to be controlled and affixed to loaded containers and should include
procedures for recognizing and reporting compromised seals or containers to
Customs or the appropriate authority and Buyer.
j) Procedures for logging incidents and storing incident reports.
C. Upon request, complete a Supply Chain Security Self-Assessment Questionnaire.
D. Seller and its subcontractors should be subject to periodic site visits by Buyer during
normal hours of operation to confirm compliance with the terms contained within this
clause.
E. Maintain procedures for persons working on behalf of the organization to report security
incidents and/or suspicious behavior. Immediately notify Buyer of any actual or suspected
breach of security involving Buyer’s assets (e.g., cargo) or material to supporting Buyer’s
services.
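Clause B.6(b) above asks the Seller for "a system to identify" improper access and tampering with business data, but says nothing about how such a system is built. The following is an added example, written for this edition and not part of ANSI/ASIS SCRM.1-2014 or of any supplier's code: a tamper-evident audit log in which every action is attributed to an individually assigned account (clause B.6(a)) and each entry is chained to its predecessor with an HMAC, so that editing, deleting or reordering a record is detectable, and a record written by an account acting outside its authorized record classes is flagged even when the chain is intact. The audit key, the role table, the account names and the log entries are all constructed for the example. Note that the example keys detection on account identity and chain integrity rather than on password age; current NIST SP 800-63B guidance discourages forced periodic password rotation absent evidence of compromise, so treat clause B.6(a) as a 2014 baseline rather than a model.

```python
"""Tamper-evident, account-attributed audit log (added example; not part of
ANSI/ASIS SCRM.1-2014).  Illustrates clause B.6(b): a system that identifies
improper access and tampering with business data.  Key, role table and log
entries are constructed for illustration."""
import hashlib
import hmac
import json

# Assumption: the audit key is held by the verifying party (e.g. the SIEM or
# Buyer's auditor), not by the application or the staff who edit business
# data, so an insider who alters a record cannot recompute a valid chain.
AUDIT_KEY = b"example-key-replace-with-secret-store-value"
GENESIS = b"\x00" * 32

# Constructed role table: the record classes each account may act on.
AUTHORIZED = {
    "alice.ops": {"shipment", "manifest"},
    "bob.finance": {"invoice"},
}


def _tag(prev_tag: bytes, body: dict) -> bytes:
    """HMAC-SHA256 over the previous entry's tag and this entry's canonical JSON."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_tag + canon, hashlib.sha256).digest()


def append(log: list, account: str, action: str, record: str, record_class: str) -> dict:
    """Append an attributed entry whose tag chains to the previous entry."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    body = {"seq": len(log), "account": account, "action": action,
            "record": record, "class": record_class}
    entry = dict(body, tag=_tag(prev, body).hex())
    log.append(entry)
    return entry


def verify(log: list) -> list:
    """Walk the chain and return a list of findings (empty means clean).

    Detects an edited entry (its tag no longer matches its body), a deleted or
    reordered entry (sequence gap, and the next tag fails because it was chained
    to a different predecessor), and improper access (an account acting on a
    record class outside its authorization even when the chain is intact)."""
    findings = []
    prev = GENESIS
    for pos, stored in enumerate(log):
        body = {k: v for k, v in stored.items() if k != "tag"}
        stored_tag = bytes.fromhex(stored["tag"])
        if body.get("seq") != pos:
            findings.append(f"position {pos}: sequence gap (entry carries seq {body.get('seq')})")
        if not hmac.compare_digest(_tag(prev, body), stored_tag):
            findings.append(f"position {pos}: integrity failure (entry altered, reordered or "
                            f"chained to a missing predecessor)")
        if body.get("class") not in AUTHORIZED.get(body.get("account"), set()):
            findings.append(f"position {pos}: {body.get('account')} acted on "
                            f"{body.get('class')} without authorization")
        prev = stored_tag
    return findings


def demo() -> dict:
    """Build a constructed log and return verify() results for four cases."""
    log = []
    append(log, "alice.ops", "update", "SHP-1001", "shipment")
    append(log, "bob.finance", "create", "INV-2201", "invoice")
    append(log, "alice.ops", "update", "SHP-1002", "shipment")

    # Case 1: an insider edits the invoice record in place without re-tagging.
    edited = [dict(e) for e in log]
    edited[1]["record"] = "INV-2201-AMOUNT-CHANGED"

    # Case 2: the same entry is deleted to hide it.
    deleted = [dict(e) for e in log if e["seq"] != 1]

    # Case 3: chain intact, but a finance account touches a shipment record.
    improper = []
    append(improper, "bob.finance", "update", "SHP-1003", "shipment")

    return {"clean": verify(log), "edited": verify(edited),
            "deleted": verify(deleted), "improper": verify(improper)}


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "no findings")
```

Two design points matter in practice: the verifying party, not the writer, holds the key (otherwise the same insider who edits a record can re-sign the chain), and the authorization check runs on every entry independently of the chain, because a legitimately signed entry by the wrong account is exactly the "improper access" the clause is meant to surface.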


Annex E
(informative)

E EXAMPLES OF SUPPLY-CHAIN SECURITY SELF-AWARENESS QUESTIONNAIRE FOR SUPPLIERS OR OTHER SUPPLY-CHAIN PARTNERS

This questionnaire helps to inform the user of some areas related to security, but a more comprehensive assessment may be required.

General Information

Contact Name:
Company Name:
Primary Location/Address:
  Street:
  City, State/Province, Postal Code:
  Country:
  Phone:

If you have multiple locations from which you ship to (your company), please list additional sites:

Please list your company contacts for Security and Transportation below.

Contact for Security:
  Name:
  Title:
  Phone Number:
  Email Address:

Contact for Transportation:
  Name:
  Title:
  Phone Number:
  Email Address:

Type of products produced for (your organization) at your facility:

Physical Security

1 Does your facility utilize security personnel?  Yes / No
1a If yes, describe how they are positioned and the hours of coverage and areas of coverage within your facility that they provide.
Additional Comments:

2 Is your facility fully enclosed by perimeter fencing or walls?  Yes / No
2a If yes, describe the type of materials used and the height.
Additional Comments:

3 Does your facility utilize security cameras for monitoring perimeters, entries and exits, loading bays, or other areas?  Yes / No
3a If yes, describe the coverage provided and who monitors them.
Additional Comments:

4 Does your facility have barriers and locks on doors, windows and gates sufficient to meet threats?  Yes / No
Additional Comments:

5 Are the locks kept locked at all times to prevent unauthorized personnel from entering?  Yes / No
5a If no, explain why.
Additional Comments:

6 Do you have bars, screens, or other materials over the windows?  Yes / No
6a If yes, describe what materials are used.

7 Do you have an intrusion alarm system?  Yes / No
7a If yes, describe who monitors the alarm and where the alarm sensors are located.
Additional Comments:

8 Is your facility exterior lighted/illuminated at night?  Yes / No
8a If yes, describe what areas are illuminated.
Additional Comments:

9 Is the shipping/receiving area secure at all times to prevent access by unauthorized personnel?  Yes / No
9a If yes, describe what physical barriers are used and what personnel are allowed access.
Additional Comments:

10 Are outgoing shipments stored in a separate area that is secure and prevents unauthorized access?  Yes / No
10a If yes, describe where the shipments are stored and who has access to them.
Additional Comments:

Describe any aspects of physical security at your facility that you feel were not addressed above.

Access Control

1 Do you use an employee badge system for entry and monitoring onsite activities?  Yes / No
1a If yes, describe the badge system (electronic, color coded, how many badges are needed to gain access, etc.).
1b If no, but you use another method to identify and track persons working on behalf of the organization, describe it.
Additional Comments:

2 Do you have access controls in place at entry points to your facility?  Yes / No
2a If yes, describe what access controls are used at each point of access into your facility.
Additional Comments:

3 Is vehicle access into your facility controlled?  Yes / No
3a If yes, describe how vehicle access is controlled and what vehicles are allowed access.
Additional Comments:

4 Are vehicles and drivers screened or inspected prior to entry to your facility?  Yes / No
4a If yes, describe the method of screening (driver ID checks, vehicle inspections, etc.).
Additional Comments:

5 Do you identify, record, and track all visitors?  Yes / No
5a If yes, what method is used and how are the records kept?
Additional Comments:

Explain any access controls at your facility that you feel were not addressed above.

A. Are there access controls for personal belongings (computing and data storage devices, containers, phones, cameras, etc.)?

Personnel Security

1 Are work history background checks completed prior to hiring?  Yes / No
1a If yes, describe to what extent the background check is completed.
1b If no, describe whether there is a local law that prohibits this action.
Additional Comments:

2 Are criminal background checks completed prior to hiring?  Yes / No
2a If yes, describe to what extent the background check is completed.
2b If no, describe whether there is a local law that prohibits this action.  Yes / No
Additional Comments:

3 Are non-employee contractors allowed routine access into your facility (janitorial service, delivery drivers, food vendors)?  Yes / No
3a If yes, are employment and criminal background checks completed prior to access being allowed?
3b Is access restricted so that these workers may only access authorized areas?  Yes / No
3c Are these workers restricted from accessing the shipping and receiving areas?  Yes / No
3d Are these workers required to wear identification badges?  Yes / No
Additional Comments:

Explain any personnel controls at your facility that you feel were not addressed above.

Procedural Security

1 Is there a Security Manager and staff?  Yes / No
1a If yes, what is the person's name and how many security personnel are utilized?
Additional Comments:

2 Are physical security procedures documented?  Yes / No
2a Are access control security procedures documented?  Yes / No
2b Are IT security procedures documented?  Yes / No
2c Are personnel security procedures documented?  Yes / No
2d Are education/training of security procedures documented?  Yes / No
Additional Comments:

3 Are there procedures for persons working on behalf of the organization to report security problems and address the situation?  Yes / No
Additional Comments:

4 Are there procedures for marking, counting and weighing outgoing shipments?  Yes / No
Additional Comments:

5 Are there procedures for documenting outgoing shipments?  Yes / No
Additional Comments:

6 Are there procedures for storing and identifying incoming and outgoing shipments?  Yes / No
Additional Comments:

7 Are there procedures in place for storing shipment documentation (packing list, commercial invoice, etc.)?  Yes / No
Additional Comments:

8 Are procedures in place for securing outgoing shipments against intrusion?  Yes / No
Additional Comments:

9 Does a third party physically pack these shipments?  Yes / No
9a If yes, are security procedures flowed down to the packers?
Additional Comments:

If ocean and/or truck trailer containers are used, please answer questions 10 - 12. If not, skip to question 13.

10 Are containers examined prior to loading to ensure no explosives or other contraband are present?  Yes / No
10a If yes, describe the process.
Additional Comments:

11 Describe how ocean containers (full and/or empty) are stored.
Additional Comments:

12 Are high security bolt seals used on ALL ocean/truck trailer container entry doors?  Yes / No
12a If yes, how are bolt seals controlled (e.g., storage and procedures to assure no fraudulent use)?
Additional Comments:

13 What security considerations have been established for selecting and screening carriers that provide transportation services for outgoing shipments?
Additional Comments:

14 Are there procedures for reporting problems/delays in the movement of cargo?  Yes / No
14a If yes, describe the process.
Additional Comments:

15 Describe the materials used for packing products that are being sent (e.g., cardboard box, container, etc.).
15a Are tamper-evident materials used?  Yes / No
Additional Comments:

Explain any procedural controls at your facility that you feel were not addressed above.

Education and Training

1 Does your company provide a security awareness program related to protecting product integrity and facility security?  Yes / No
1a If yes, describe what is covered in this training and awareness program.
1b If yes, how often are persons working on behalf of the organization required to take this training and awareness program?
Additional Comments:

2 Is your company certified in a supply chain security or known shipper/consignor program (e.g., AEO, PIP, etc.)?  Yes / No
2a If yes, indicate in which program you hold certification, when it was obtained, and who provided the certification.
Additional Comments:

3 Do you require cargo integrity training for persons working on behalf of the organization in the shipping and receiving areas and opening mail?  Yes / No
3a If yes, how often is this training required?
Additional Comments:

4 Do you require education on recognizing internal conspiracies and protecting access controls for all persons working on behalf of the organization?  Yes / No
4a If yes, how often is this training required?
Additional Comments:

Annex F
(informative)

F EXAMPLES OF ELEMENTS OF SUPPLY-CHAIN SECURITY CONTRACT LANGUAGE FOR EXTERNAL AND THIRD-PARTY LOGISTICS SERVICE PROVIDERS
A. For those goods which are distributed, handled, warehoused, transported, or shipped by
Service Provider to (your company), Service Provider agrees to:
1) Comply with the provisions of this section. For purposes of this section, external
and third-party logistic providers means any outsourced Service Provider that
provides services (e.g., distribution, handling, warehousing, transportation, or
shipping) for (your company) shipments.
2) Ensure that Subcontractors comply with the terms of this section and should include
these terms and conditions in any Subcontractor contracts. For purposes of this
section, Subcontractors should be defined as those sub-tier service providers of
Service Provider which are involved in the distribution, handling, warehousing,
transportation, and shipping of (your company) shipments (including but not
limited to freight forwarders, third party logistic companies, packagers, and local
trucking/transport companies).
3) Be responsible for any breach of this section by its Subcontractors.
B. Supply Chain Security Compliance: Service Provider should ensure that all Service
Provider and applicable Subcontractor facilities involved in the distribution, handling,
warehousing, transporting, or shipping of (your company) goods meet all security
standards documented below and all applicable local regulations. Service Provider
should maintain certification in an official supply chain security program (C-TPAT,
AEO, etc.) and comply with those respective security standards throughout the period
of this Agreement. Service Provider's loss of certification or failure to sustain
appropriate security standards or breach of this section will be grounds for termination
of this Agreement.
C. Supply Chain Security Program Status: Prior to execution of this Agreement, Service Provider will send a letter verifying its supply chain security certification in any official program in which it participates. Service Provider will immediately notify (your company) of any change to its certification status.
If not certified, Service Provider should complete a Security Questionnaire to confirm that its procedures and security measures comply with minimum supply chain security criteria. Service Provider will send copies of the aforementioned Security Questionnaire to (your company).
D. C-TPAT Certification: Service Provider agrees to use certified Subcontractors to the extent available. In the absence of a certified Subcontractor, Service Provider may use companies (including local cartage companies) that have agreed in writing to follow these supply chain security guidelines, and will promptly notify (your company) of such usage. If no certified transport and handling providers, or companies that have agreed to follow these security guidelines, are available to move (your company) shipments, Service Provider will contact (your company) immediately for direction.
E. Service Provider will maintain adequate security controls and procedures as further
described in this section.
1) Supply Chain Security Program: Service Provider is encouraged to participate in national supply chain security programs including, but not limited to, Partners in Protection ("PIP") and Authorized Economic Operator ("AEO"), will advise (your company) of its participation, and should list the countries and extent of participation. Service Provider should provide prompt notice of any changes to its supply chain security program status.
2) Service Provider Subcontractor Selection Process: Service Provider should have
documented processes for the selection of its Subcontractors. The process should
ensure that such Subcontractors maintain adequate security controls and procedures.
3) Physical Security: Facilities, including but not limited to cargo handling and
storage facilities, should be protected against unauthorized access by physical
security deterrents.
a) All entry and exit points for vehicles and personnel should be controlled.
b) Secure all external and internal windows, gates, and doors through which
unauthorized personnel could access the facility or cargo storage areas with
locking devices.
c) Provide adequate lighting inside and outside facilities to prevent unauthorized
access.
4) Access controls: Prevent unauthorized entry into facilities using access controls
which may include but are not limited to badge readers, locks, key cards, or security
personnel.
a) Positively identify all persons at all points of entry to facilities.
b) Maintain adequate controls for the issuance and removal of employee, visitor,
and vendor identification badges, if utilized.
c) Upon arrival, photo identification should be required for all non-employee
visitors.
5) Personnel Security and Verification: Screen prospective persons working on behalf
of the organization consistent with local regulations. Verify employment application
information prior to employment.
6) Ocean Container and Truck Trailer Security: Maintain container and trailer security
to protect against the introduction of unauthorized material and/or persons into
shipments. In the event containers are stuffed, inspections should be made of all
ocean containers or truck trailers prior to stuffing, including but not limited to the
inspection of the reliability of the locking mechanisms of all doors.
a) Ocean Container and Truck Trailer Seals: Properly seal and secure shipping
containers and trailers at the point of stuffing. Affix a high security seal to all
access doors on truck trailers and ocean containers. Such seals should meet or
exceed the current ISO 17712 standard (originally published as ISO/PAS 17712)
for high security seals.
b) Ocean Container and Truck Trailer Storage: Empty or stuffed ocean containers
and truck trailers should be stored in a secure area to prevent unauthorized
access and/or manipulation.
7) Information Technology (IT) Security: Maintain IT security measures to ensure all
automated systems are protected from unauthorized access.
a) Use individually assigned accounts that require a periodic change of password
for all automated systems.
b) Maintain a system to identify abuse of IT resources, including but not limited
to improper access and tampering with or altering business data, and to
discipline violators.
8) Procedural Security: Maintain, document, implement, and communicate security
procedures to ensure the security measures in this clause are followed. These
should include procedures:
a) For the issuance, removal, and changing of access devices.
b) To identify and challenge unauthorized or unidentified persons.
c) To remove identification, facility, and system access for terminated individuals.
d) For IT security and standards.
e) To verify application information for potential persons working on behalf of the
organization.
f) For persons working on behalf of the organization to report security incidents
and/or suspicious behavior.
g) For the inspection of ocean containers or truck trailers prior to stuffing.
h) To control, manage, and record the issuance and use of high security bolt seals
for ocean containers and truck trailers. Such procedures should stipulate how
seals are to be controlled and affixed to loaded containers and should include
procedures for recognizing and reporting compromised seals or containers to
Customs or the appropriate authority and (your company).
10) Security Awareness Program: A Security Awareness Program will be implemented
by Service Provider and provided to persons working on behalf of the organization
including awareness and understanding of the supply chain security program,
recognizing internal conspiracies, maintaining cargo integrity, and determining and
addressing unauthorized access. The Security Awareness Program should
encourage active participation in security controls. Service Provider should ensure
that key personnel receive regular training which should be no less than once per
year on security procedures and requirements. Service Provider should submit
evidence of such Security Awareness training upon request.
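Items 7 and 8(h) above state what the service provider's records must achieve (individually attributable accounts, detection of tampering with business data, control and recording of seal issuance and use, recognition of compromised seals) but not how. The following is an added example, not part of ANSI/ASIS SCRM.1-2014 and not any vendor's tooling: a seal register in which every entry is attributed to a named account, entries are hash-chained so that later alteration of stored records is detectable, a seal number can be used only once and only after it has been issued from stock, and the receiving check reports a seal that does not match the one recorded at stuffing as compromised. Account names, seal numbers and container numbers are constructed for illustration.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64


def _record_hash(prev_hash: str, payload: dict) -> str:
    """Hash of one record: SHA-256 over the previous hash and the canonical payload."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class SealRegister:
    """Append-only, hash-chained register of seal issuance, affixing and receipt."""

    def __init__(self, authorised_accounts):
        self.accounts = set(authorised_accounts)  # individually assigned accounts (item 7a)
        self.records = []                         # payload fields plus "prev" and "hash"
        self._seal_state = {}                     # seal -> "issued" | "affixed"
        self._container_seal = {}                 # container -> seal affixed at stuffing

    def _require_account(self, by: str) -> None:
        # Every entry must be attributable to one named person, never a shared login.
        if by not in self.accounts:
            raise PermissionError(f"unknown or shared account: {by!r}")

    def _append(self, payload: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        record = dict(payload, prev=prev, hash=_record_hash(prev, payload))
        self.records.append(record)
        return record

    def issue(self, seal: str, by: str) -> dict:
        """Seal taken from controlled stock and recorded against the issuing account."""
        self._require_account(by)
        if seal in self._seal_state:
            raise ValueError(f"seal {seal} is already in the register")
        self._seal_state[seal] = "issued"
        return self._append({"event": "issued", "seal": seal, "by": by})

    def affix(self, seal: str, container: str, by: str) -> dict:
        """Seal applied at the point of stuffing; a seal number may be used only once."""
        self._require_account(by)
        if self._seal_state.get(seal) != "issued":
            raise ValueError(f"seal {seal} was not issued or has already been used")
        self._seal_state[seal] = "affixed"
        self._container_seal[container] = seal
        return self._append({"event": "affixed", "seal": seal,
                             "container": container, "by": by})

    def receive(self, container: str, observed_seal: str, by: str) -> str:
        """Compare the seal found at receipt with the one recorded at stuffing.

        Returns "intact" or "compromised"; a compromised result is what the item
        8(h) procedure requires to be reported to Customs and to the customer.
        """
        self._require_account(by)
        expected = self._container_seal.get(container)  # None if never sealed
        status = "intact" if observed_seal == expected else "compromised"
        self._append({"event": "received", "container": container,
                      "expected": expected, "observed": observed_seal,
                      "status": status, "by": by})
        return status

    def first_tampered_index(self):
        """Recompute the chain; return the index of the first altered record, else None."""
        prev = GENESIS_HASH
        for index, record in enumerate(self.records):
            payload = {k: v for k, v in record.items() if k not in ("prev", "hash")}
            if record["prev"] != prev or record["hash"] != _record_hash(prev, payload):
                return index
            prev = record["hash"]
        return None


def demo() -> dict:
    """Constructed walk-through: a good receipt, a seal mismatch, then a doctored record."""
    reg = SealRegister(authorised_accounts={"jdoe", "msmith", "receiving01"})
    reg.issue("HS-100234", by="jdoe")
    reg.issue("HS-100235", by="jdoe")
    reg.affix("HS-100234", container="MSKU1234567", by="msmith")
    reg.affix("HS-100235", container="MSKU7654321", by="msmith")
    results = {
        "good": reg.receive("MSKU1234567", "HS-100234", by="receiving01"),
        "swapped": reg.receive("MSKU7654321", "HS-100999", by="receiving01"),
        "clean_chain": reg.first_tampered_index(),
    }
    # Someone with write access to the stored data edits the mismatch into an
    # "intact" receipt; the chain check still points at the altered record.
    reg.records[-1]["status"] = "intact"
    results["tampered_at"] = reg.first_tampered_index()
    return results


if __name__ == "__main__":
    print(demo())
```

The chain only makes alteration detectable; it does not prevent it. In practice the register is written to a store the operational accounts cannot rewrite (or its head hash is periodically copied elsewhere), and the `first_tampered_index` check is run as part of the abuse-identification system item 7(b) asks for, with a non-`None` result treated as an incident under clause I.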
F. Questionnaire: Service Provider will, upon request, complete a Supply Chain Security
Questionnaire provided to Service Provider by (your company).
G. Detailed Mapping: Service Provider will, upon request, promptly provide a detailed
mapping for planned routings and any Subcontractors involved in the transport of (your
company) shipments.
H. Site Visits: Service Provider and its subcontractors should be subject to periodic site
visits during normal operating hours to confirm compliance with supply chain security
standards.
I. Breach of Security: Service Provider and its subcontractors should immediately notify
(your company) of any actual or suspected breach of security involving (your company)
cargo. This may include cargo theft, tampering, unauthorized access, or other activities
that involve suspicious actions or circumstances related to (your company) cargo.
Annex G
(informative)

G EXAMPLE OF CRISIS-MANAGEMENT PROGRAM ELEMENT REVIEW
The following table contains the questions for the crisis management program review. For
each review element, record whether no process is in place (N) or the process is partially
(P) or fully (F) implemented, and note any opportunities for improvement.

Review Element (N / P / F; Opportunities for Improvement)

1. Has the organization designated one person as the company crisis leader?
2. If your organization includes more than one business entity, has a cross-business crisis
management team been formed?
3. Does your crisis management team meet periodically to review roles and responsibilities
and the effectiveness of crisis plans and procedures?
4. Does your crisis management team include representation from top management, human
resources, legal, security, safety, communications, information technology and medical (if
such functions exist within your organization)?
5. Does the organization have internal and external crisis communications plans for use
during crisis situations? This plan should include one person designated as the company
spokesperson regardless of the number of sites and business units impacted.
6. Has the crisis management communications leader been trained in communicating with
internal and external stakeholders in time of crisis?
7. Does your crisis management team have an up-to-date and accessible list of external
responder contact information, including response agencies in training and exercises?
8. Are all crisis team leaders trained in roles and responsibilities, crisis plans and
procedures and communications protocol?
9. Does your crisis management team maintain an up-to-date listing of all business sites,
addresses, and primary points of contact (including after-hours contact information)?
10. Does your organization have a designated crisis management command center to assemble
team members during a crisis situation?
11. Does your organization have a designated alternative crisis management command center
in the event the primary site is unsuitable?
12. Are the primary and alternate crisis management command centers equipped, and
operationally and routinely tested?
13. Does your organization have a designated crisis management leader at all business sites
and in all priority functional areas (i.e., supply chain, legal, human resources, etc.)?
14. Does your organization have a defined emergency notification communications system
(manual or automated) to facilitate communication with persons working on behalf of the
organization during a crisis situation?
15. Does your organization test the emergency notification communication system
periodically, but no less than annually?
16. Does the organization have a written crisis management plan including roles and
responsibilities, crisis management procedures and communications protocols?
17. Does the organization have a documented and communicated procedure for persons
working on behalf of the organization to report incidents and events to the crisis team 24
hours a day?
18. Does your organization test the crisis management plan periodically at the business
leadership level and all business sites, but no less than annually?
19. Does the organization include the crisis management program, emergency notification
communications system and incident and event reporting in new employee orientation?

Annex H
(informative)

H EXAMPLES OF SITE CRISIS PLAN

H.1 Purpose
The overall purpose of the workbook is to provide a consistent and complete Crisis
Management Plan for the COMPANY SITE facility. This Plan builds upon the information
contained in the COMPANY Crisis Manual and includes Business Continuity/Disaster Recovery
Plans that are pertinent to each Business Site and Functional Unit located in this complex of
facilities.

H.2 Introduction
A crisis is characterized as an extreme threat to important values, with intense time pressures,
high stress, and the need for rapid but careful decision making. It is often a turning point in
which a situation of impending danger to the organization runs the risk of escalating in
intensity, interfering with normal business operations, jeopardizing the organization’s public
image, and damaging the bottom line. Either a sudden event or a long smoldering issue may
trigger a crisis. It is essential to maintain an established and validated process to manage any
conceivable crisis, so as to limit the intensity of a negative threat or event to persons working
on behalf of the organization, and to COMPANY’s products, services, financial condition, and
reputation.
The SITE facility will first attempt to contain and manage crises on a local basis, escalating in
accordance with the COMPANY’S Crisis Manual.

H.3 Roles, Responsibilities and Contacts
SITE facility local crisis contacts are provided under Community Partnerships and Contacts (see
the supplementary forms in Annex I).

H.4 Process
SITE will follow the crisis processes outlined below.

[Figure 14 is a flowchart that did not survive extraction; its nodes are listed here in flow order.]
- Incident occurs; crisis identified and escalated to the Local Crisis Management Team; initial
risk assessment by the Local Crisis Management Team
- Problem resolved (Y): contain the crisis locally; otherwise deploy emergency procedures
- Notify key COMPANY personnel; communicate to employees and media (holding statement);
activate the Region/Global COMPANY-level crisis team (Y/N)
- Recovery: monitor and assess; limited and/or extensive communication to employees and
media; notify key COMPANY personnel
- Debrief: what went right? what went wrong? Corrective and preventive action; initiate or
revise the crisis plan

Figure 14: Activating a Crisis Response Plan

Below is a list of Crisis Management tools and templates. These tools and templates can be
viewed and downloaded from the SCRLC web site.
Worksheet 1: Roles and Contact Information
Identify the roles and personnel to be on call, considering that a crisis may affect the
organization without disrupting regular operations, or may affect only a single area. Below
you will find a description of the roles and responsibilities that each title may function within.

Title: Roles and Responsibilities

Business/Modality Leader
- Lead the Individual Business Process Recovery Team, which is responsible for ensuring the
rapid recovery of business functions for their particular area in the event of a business
interruption or disaster

Communications Manager/Spokesperson
- Provide ALL communications liaison with the press
- Coordinate with marketing for customer communications
- Lead the public relations team, which is responsible for serving as the sole source for
dissemination of information related to the disaster to the public, including news media

Crisis Management Leader
- Mobilize and lead the crisis response team
- Authorize the move to the crisis command center
- Coordinate all departments
- Gather facts
- Inform the COMPANY President & CEO

EHS Manager
- Ensure employee and on-site personnel safety
- Ensure health and safety requirements are met
- Communicate status with the crisis management leader

Facilities Manager
- Assess security/secure the physical environment
- Communications liaison with emergency services
- Locate alternative facilities (as appropriate)
- Ensure open emergency exit passageways
- Communicate status with the crisis management leader
- Lead the Facilities Assessment Team, which:
  o Conducts initial assessment of facilities damage
  o Provides support to evacuated persons
- Lead the Site Evaluation and Restoration Team, which:
  o Assesses the impact of the disaster
  o Gathers information regarding the restoration of damaged facilities

Finance
- Provide authorization for emergency purchases
- Lead the Accounting Recovery Team, which manages monetary needs associated with
recovery operations
- Lead the Travel and Lodging Recovery Team, which is responsible for arranging all travel
and lodging requirements for the recovery operations

Human Resources (HR)
- Ensure health and safety requirements are met
- Work with the communications manager to provide all emergency employee communications
- Lead the Human Resources Recovery Team, which provides support on personnel issues that
are critical to controlling the recovery effort

IM Applications Support Manager
- Activate IM applications

IM Infrastructure Support Manager
- Reinstate IM infrastructure
- Reinstate databases
- Redirect telephone lines
- Install PCs and telephones at the crisis command center
- Communicate status with the IM leader
- Lead the Information Management (IM) Recovery Team, which is responsible for the
recovery of telecommunications and key IT systems at the recovery location

IM Leader
- Ensure appropriate IM staff are assigned
- Restore mission-critical IM systems
- Implement the crisis command center
- Secure the systems environment
- Communicate status with the crisis management leader

Legal Manager
- Provide legal guidance regarding the crisis to the Crisis Management Leader and to the
COMPANY President & CEO
- Lead the Risk Management Recovery Team, which is responsible for the coordination of legal
and insurance issues related to business interruption

Marketing
- In conjunction with the Communications Manager, develop customer-oriented communications

Sales/Service
- Communicate ONLY HQ-authorized communications to customers
- Reassure customers of the proven effectiveness of COMPANY business continuity plans

Security Manager
- Ensure protection of tangible and intangible assets
- Liaise with law enforcement agencies and other first responders

Sourcing Manager
- Ensure viability of the supply chain
- Manage or obtain suppliers' support

Top Management
- Initiate recovery plans for priority processes
- Assemble the team for the long-term recovery strategy
- Provide leadership support to the Crisis Management Leader
Worksheet 2: Distribution and Procedure List
Create a distribution list in your company address book of the roles and personnel identified in
Worksheet 1.

Create a list of COMPANY policies, procedures, and training so that the team can follow
company standards in handling issues during the crisis management phase. Some of these
include:
a) Crisis Management Policy;
b) Company Global Security Policy;
c) Website;
d) Workplace Violence Guidelines; and
e) Crisis Management Training.
Worksheet 3: Initial Assessment Checklist
An initial assessment checklist enables the crisis response team to capture the facts of the
incident at a high level. Assigning a case number allows the team to collate other tools and
templates to the same case.
Worksheet 4: Extent of Damage Report
An Extent of Damage Report can be used during the initial analysis as well as later during the
most in depth review. Using the report at multiple points in the crisis management process
enables the team to assess how well the initial and on-going assessments were captured.
Worksheet 5: Site Damage Evaluation
A Site Damage Evaluation goes into more depth than an Extent of Damage Report and can be
used for each item captured on the Extent of Damage Report.
Worksheet 6: Site Security
A Site Security Report is an assessment tool to determine if security gaps exist as a result of the
incident.
Worksheet 7: Crisis Management Team Task Checklist
A Crisis Management Team Task Checklist is a tool for the team to use to identify if specific
tasks have been completed, by whom, and when.
Worksheet 8: Priority Process Checklist
A Priority Process Checklist allows the team to assess which priority processes have or will be
impacted by the incident.
Worksheet 9: Business Critical Telephone Numbers
A Business Critical Telephone Number List allows the team to have easy access to corporate
profile information for services (e.g., healthcare, software support, etc.)
Worksheet 10: Business Crisis Management Team
A Business Crisis Management Team worksheet identifies the key information for enterprise
level leadership who need to be kept apprised of the situation.

Worksheet 11: Crisis Response Damage Assessment
A Crisis Response Damage Assessment Worksheet extends the Business Crisis Management
Team beyond enterprise level executives to individuals responsible for business services (e.g.,
communications, security, legal, etc.).
Worksheet 12: Subject Matter Experts
A Subject Matter Expert Report identifies who the expert is for a business process.
Worksheet 13: Business Crisis Management Assessment, Recovery, and Subject Matter
Experts
A Business Crisis Management Assessment, Recovery, and Subject Matter Experts Worksheet
identifies the roles, responsibility, and authority to handle the incident.
Worksheet 14: External Agencies and Action Contacts
An External Agency and Action Contacts Matrix provides the team with a ready list of local and
federal services which may be needed to support the incident response.
Worksheet 15: Network Connectivity
A Network Connectivity Report identifies the organizational networks which may be called
upon for support.
Worksheet 16: Post Office and Courier Recovery
A Post Office and Courier Recovery Report identifies the key services which may be utilized to
help expedite processing of crisis response actions.
Worksheet 17: Priority Business Suppliers
A Priority Business Supplier Report identifies suppliers, service providers, and government
agencies which may need to be made aware of the incident.
Worksheet 18: Software Vendors
A Software Vendor Report tracks the owners and contact information for software applications
which may be vulnerable due to the incident.
Worksheet 19: Supplier Communications
A Supplier Communication Report can help a team track which suppliers have received
communications and which communications they have received.
Worksheet 20: IT Team
An IT Team Report identifies the Subject Matter Experts needed to repair or rebuild systems.
Worksheet 21: External Agencies
An External Agency Report identifies the external agencies which may need to be made aware
of the situation (e.g., radio, television, newspaper, etc.).

The following crisis management diagrams (1 – 5) identify process flows to guide a Crisis
Management team in managing incident response. (NOTE: In the original diagrams, bold text
marks the differences from the preceding diagram.) The scenarios represent, respectively:
1. Potential harm to humans rather than physical assets;
2. Potential harm to physical rather than human assets;
3. Facility incapacitated but people OK;
4. Facility incapacitated with harm to people; and
5. Business disrupted but people OK.

Crisis Management Diagram 1: Building OK/People at Risk

Notification and risk assessment. Scenario: Building OK / People at Risk. The Co-Leader
contacts the Core Team; initial risk assessment: What do we know? Emergency or crisis?

What we will say: Holding statement; Q&A; Fact sheet.
What we will do (who does what):
- Core Team assesses the risk (CM Core Team)
- Move people to a safe location (Facilities Leader)
- Communicate with employees (HR Leader & Spokesperson)

If the assessment is a crisis:
What we will say: Holding statement; Q&A; Fact sheet; Emergency call-in message updated.
What we will do (who does what):
- Determine immediate actions to ensure safety; activate the Crisis Team; contact
mission-critical process owners (CM Core Team)
- Evacuate the facility as necessary (Facilities Leader)
- Communicate with all employees (HR Leader & Spokesperson)
- Contact HQ as necessary (CEO)
- Organize external communications: media (Spokesperson)

Crisis Management Diagram 2: Building at Risk/People at Risk

Notification and risk assessment. Scenario: Building at Risk / People at Risk. The Co-Leader
contacts the Core Team; initial risk assessment: What do we know? Emergency or crisis?

What we will say: Holding statement; Q&A; Fact sheet.
What we will do (who does what):
- Core Team assesses the risk (CM Core Team)
- Move people to a safe location (Facilities Leader)
- Communicate with employees (HR Leader & Spokesperson)

If the assessment is a crisis:
What we will say: Holding statement; Q&A; Fact sheet; Emergency call-in message updated.
What we will do (who does what):
- Determine immediate actions to ensure safety; activate the Crisis Team; contact
mission-critical process owners (CM Core Team)
- Evacuate the facility as necessary (Facilities Leader)
- Communicate with all employees (HR Leader & Spokesperson)
- Contact HQ as necessary (CEO)
- Organize external communications: media/customers/vendors (Spokesperson)

Crisis Management Diagram 3: Building Out/People OK

Notification and risk assessment. Scenario: Building Out / People OK. The Co-Leader
contacts the Core Team; initial risk assessment: What do we know? Emergency or crisis?

What we will say: Holding statement; Q&A; Fact sheet.
What we will do (who does what):
- Core Team assesses the risk (CM Core Team)
- Communicate with all employees (OrgComm Leader)
- Potential BCP (Operations Leader)

If the assessment is a crisis:
What we will say: Holding statement; Q&A; Fact sheet; Emergency call-in message updated.
What we will do (who does what):
- Activate the Crisis Team; contact mission-critical process owners (CM Core Team)
- Initiate BCP (Operations Leader)
- Transfer operations to the second site (if needed); gather in the off-site Crisis Command
Center (CM Team)
- Communicate with all employees (HR Leader & Spokesperson)
- Contact HQ as necessary (CEO)
- Organize external communications: media/customers/vendors (Spokesperson)

Crisis Management Diagram 4: Building Out/People Not OK

Notification and risk assessment. Scenario: Building Out / People Not OK. The Co-Leader
contacts the Core Team; initial risk assessment: What do we know? Emergency or crisis?

What we will say: Holding statement; Q&A; Fact sheet.
What we will do (who does what):
- Core Team assesses the risk (CM Core Team)
- Locate employees; notify families (HR)
- Communicate with all employees (HR Leader & Spokesperson)
- Initiate BCP (Operations Leader)

If the assessment is a crisis:
What we will say: Holding statement; Q&A; Fact sheet; Emergency call-in message updated.
What we will do (who does what):
- Activate the Crisis Team; contact mission-critical process owners (CM Core Team)
- Initiate BCP (Operations Leader)
- Transfer operations to the second site (CM Team)
- Locate employees; notify families (HR)
- Gather in the off-site Crisis Command Center (CM Team)
- Communicate with all employees (HR Leader & Spokesperson)
- Contact HQ (CEO)
- Organize external communications: media/customers/vendors (Spokesperson)

Crisis Management Diagram 5: Business Processes Out or Serious Adverse Product
Event/People OK

Notification and risk assessment. Scenario: Business Processes Out or Serious Adverse Product
Event / People OK. The Co-Leader contacts the Core Team; initial risk assessment: What do we
know? Emergency or crisis?

What we will say: Holding statement; Q&A; Fact sheet.
What we will do (who does what):
- Core Team assesses the risk (CM Core Team)
- Communicate with all employees (HR Leader & Spokesperson)
- Potential BCP (Operations Leader)

If the assessment is a crisis:
What we will say: Holding statement; Q&A; Fact sheet; Emergency call-in message updated.
What we will do (who does what):
- Activate the Crisis Team; contact mission-critical process owners (CM Core Team)
- Initiate BCP (Operations Leader)
- Transfer operations to the second site (if necessary); gather in the Crisis Command
Center (CM Team)
- Communicate with all employees (HR Leader & Spokesperson)
- Contact HQ as necessary (CEO)
- Organize external communications: media/customers/vendors (Spokesperson)

CRISIS COMMUNICATIONS PLAN

Crisis Calls
In all crisis situations, the site Crisis Team Leader should alert the appropriate COMPANY Pole
Crisis Leader listed in §E2.2. The company Spokesperson is given in §E2.2 and §E2.4.
See the Crisis Process Map in Annex H.

Annex I
(informative)

I EXAMPLES OF SUPPLEMENTARY FORMS
SITE Facility Passport
(Fire, Severe Weather, Medical Emergency, Hazardous Spills)

SITE FACILITY PASSPORT

Emergencies Call XXX-XXX-XXXX

Fire

Severe Weather

Medical Emergency

Hazardous Spills

All calls will be answered by the security officer at the Main Guardhouse. You will need to provide the following
information:

1) Your Name
2) Type of Emergency (Fire, Medical, Spill, etc.)
3) Your Location (Building, Floor & Column Number)

Remember – Remain Calm and Stay on the Phone!!

What to do when an alarm sounds:

WAIT for INSTRUCTIONS over the PA system, such as:
Activate Response Team (medical, fire, spill, etc.)
Proceed to Severe Weather Shelter Area (tornado, severe weather, etc.)
Building evacuation (fire, hazardous spills, etc.)

COMPLY with instructions CALMLY & QUICKLY

FACILITY RULES FOR VISITORS/VENDORS

Posted speed limits should be observed.

Wearing of safety glasses and protective footwear is required at all times in designated areas.

Smoking is allowed in designated areas outside of the facility only.

Cameras are prohibited on COMPANY premises without prior approval of the security department.

All on-site injuries, no matter how slight, should be reported. Medical facilities are available on site.

If medical assistance is required, notify your COMPANY contact person or dial NNNNN from any phone.

In the event of a facility evacuation, all visitors/vendors are to use any external door convenient to their location
(see map on inside of passport).

In the event of a severe weather emergency, proceed to the nearest shelter area. (See map on inside of passport and
maps posted throughout the facility for severe weather shelter areas.)

Pedestrians on the shop floor should ALWAYS be aware of motorized equipment such as forklifts and hand trucks.

All chemicals brought into the facility should have prior site approval. Contact the COMPANY person in advance
with a Material Safety Data Sheet.

The rules and regulations contained in this booklet are general and subject to change. Specific safety rules,
regulations and procedures will be brought to your attention as the need arises.

COMPANY insists on full cooperation and observance of all safety rules and regulations. Everyone will benefit from
good safety practices.

CRISIS COMMAND CENTER – COMPANY CRISIS ROOM

COMPANY SITE has designated XXXXX as its Crisis Room.

Should the Primary Crisis Room for any reason be inaccessible (power failure, physical damage, etc.), the Secondary
is pre-designated as the alternate Crisis Room. The room and all of its equipment are configured so that it can become
fully operational at any time 24/7. Provisions are in place to supply ventilation, power and computer network access
24/7.

Primary and Secondary locations are used as regular conference rooms to maximize the cost efficiency of the space.
Because a crisis could occur at any time and because the primary purpose of the room is for crisis purposes, all staff
booking the room should understand they could be pre-empted at any time and on very short notice.

NOTE: All crisis-related equipment (phones, display walls, other equipment) is secured and designed so that all of
this equipment can be unlocked, put in place and activated as quickly as possible.

The general parameters for the equipment in the Crisis Room are:

- Two-way communications equipment with back-up;
- Laptop port with full access to the company network at each seat;
- Multi-directional speakerphone in the ceiling;
- Electronic display wall which includes facilities for video playback or broadcast monitoring, maps, crisis
log, PowerPoint, technical diagrams, videoconferencing, etc.; and
- Easels with flip charts, or chalk board with print capability.

and proximity to:

- Fax machine;
- Copier;
- Printer; and
- Facilities for refreshments.

In the case of a crisis, the room should be staffed with at least two to three support personnel to handle phone calls,
copying, fax, and IT support. The maintenance and activation protocol is established along the following guidelines:

- Generally, facilities management personnel have responsibility for activation; and
- Periodic walk-throughs of the room are performed to be certain that all facilities are intact and operable.

BUSINESS UNIT PLANS

Communications Plan

Information Management Plan

Facility Plan

Site Name Site Security Manual

Human Resources Plan

Supply Chain Plan

Security Requirements Plan

If this is a multi-tenant site, the site is managed by XXXXX. XXXXX are employed by the YYYYY through their Agent
ZZZZZ. The reporting lines are that XXXXX will contact their own Management & YYYYY first with tenants notified
immediately afterwards.

XXXXX Tel. No.

The security response procedure is provided to the security officer through their assignment instructions:

• If security sounds an alarm, police are automatically informed.

• If situation escalates, contact Facilities and Security Managers – AAAAA&BBBBB.

IM Contact currently assigned – CCCCC

MEDICAL RESPONSE PLAN

COMPANY Medical Emergency Response:

Chemical, Biological, Radiological, Nuclear and Environmental (CBRNE)

Medical Response: EVENT DESCRIPTION

Preparedness and Prevention:

Detection and Surveillance:

Diagnosis and Characterization of Biological and Chemical Agents:

Response:

Communication Systems:

BELOW ARE THE OPTIONS FOR THE LOCAL SITE FOR COMMUNICATION AND INFORMATION
DISSEMINATION.

a) Telephone: will be primary with teleconference for company meetings.

b) Web: Instant Messaging Service, Web Meeting, in COMPANY and web page information in addition to local
radio.

c) Local radio net (hand held): will be used for emergency and urgent communications with response teams
(medical, spill, fire, security).

d) Cell phones: Will be used for both emergency communications as well as more routine communications.
This may become primary with a local telephone system failure.

e) Runners: With local failures of multiple communications systems, “runners” may become necessary to keep
command and control of resources.

f) Other: Access to other systems including community radios (fire/police), federal radio (National Guard),
HAM radio, etc. may vary widely and be unavailable.

g) External communications will be carefully channeled through the CML communications team.
Medical staff will not directly communicate with press or external community organizations without the
knowledge and approval of the CML communications team. This is a critical element of the response plan
to assure that all communications are accurate, coordinated and timely.


COMMUNITY PARTNERSHIPS AND CONTACTS:

State Homeland Defense Council:

State Division of Public Health:

State Laboratories:

Regional Department of Public Health:

County Department of Public Health:

SITE County Department of Public Health:

State and Federal Resources:

State Public Health Departments:

State Domestic Preparedness:

Poison Control Centers:

• State: Toll-free telephone

• National: Toll-free telephone 1-800-222-1222

City Health Dept.:

State Laboratory:

US Homeland Security - http://www.ready.gov/

Centers for Disease Control and Prevention (CDC) - http://www.cdc.gov/

Agency for Toxic Substances and Disease Registry (ATSDR) - http://www.atsdr.cdc.gov/

Index of FEMA Web Site - http://www.fema.gov/fema

Homeland Defense - http://hld.sbccom.army.mil/

SITE County Sheriff:

Crisis Emergency Phone Line

• Toll Free (US):

• From Outside (US):

Passcode:


FACILITY CRISIS COMMUNICATIONS INFORMATION

Date____________________

I. Facility/Location___________________________________________

First Response Call__________________________________________

On-site EHS/phone/Email_____________________________________

On-site Security Lead/phone/Email______________________________

Plant Manager/phone/Email____________________________________

EAP Contact/phone/Email_____________________________________

On-site Communications Contact/phone/Email___________________________

Facilities Manager/Maintenance Manager Contact/phone/Email________________

Companies with Contractors on site/Phone______________________________

_________________________________________________________________

Is there a facility emergency response plan?_______ Where?________________

II. Business Contacts

Business Medical Director/phone/Email_________________________________

Backup Medical Lead/phone/Email__________________________________

Business Security Lead/phone/Email___________________________________

Business EHS Lead/phone/Email______________________________________

Business EAP contact/phone/Email_________________________________________

Business Communications contact/phone/Email________________________

III. Corporate Contacts

IV. Site Community Contacts

EMS contact_______________________________________________

Phone______________________________________________

Local Public Health contact___________________________________

Phone______________________________________________

Local Hospital Name_________________________________________

ER Contact/phone______________________________________

Local Pharmacy/Phone________________________________________

State Health Department Phone_______________________________________

State Health Department Email________________________________________

CDC Emergency Preparedness & Response Branch: 1-770-488-7100

CDC Health Emergency and Preparedness Web Site: http://www.bt.cdc.gov


Annex J
(informative)

J EXAMPLE OF REGULATORY IMPACT ASSESSMENT


An organization may use a Regulatory Impact Assessment tool to map existing regulatory requirements to the portions of the
supply chain they affect, and to identify where new regulations affect its supply chain.
The table below shows where each regulatory/compliance requirement impacts the supply chain.

Cargo Supply Chain

Indicate with an "X" where the requirement affects the supply chain. The thirteen columns are the stages of the
cargo supply chain in transit order, left to right: from the originating carrier at the named place, through customs
clearance (export), alongside ship and on-board vessel at the port of loading, ocean/air freight, on-board vessel and
unloaded at the port of destination, inland freight and inland port, to the named place of destination and customs
clearance (import).

Regulatory / Compliance Requirement                                        Stages marked "X"
Supply Chain Security program                                              all 13 stages (end to end)
Cargo Screening / Scanning                                                 3 stages
Advanced Data Requirements                                                 4 stages
High security bolt seals (on int'l incoming truck and ocean containers)    10 stages

Legend (control status at a stage):
Red     Have no controls or visibility
Yellow  Some controls and/or visibility
Green   Have controls and visibility

You may then want to identify which organization is impacted and needs to address each requirement.

Responsible Organization

The columns are the organizations that may own a requirement: Supply Chain Security, Supply Chain Logistics,
Import/Export Operations, Supplier Management, Contracts, and Government Affairs. An "X" marks each organization
that must address the requirement.

Regulatory / Compliance Requirement                                        Organizations marked "X"
Supply Chain Security program                                              2
Cargo Screening / Scanning                                                 3
Advanced Data Requirements                                                 2
High security bolt seals (on int'l incoming truck and ocean containers)    1
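The two Annex J tables only become useful when they are joined: a requirement that applies at a stage rated Red in the legend is a compliance gap, and the second table says who has to close it. The following is an added example in Python, not part of the standard or of any tool the standard describes. The stage names are a subset of the annex's column headers; the "X" marks, the Red/Yellow/Green ratings, and the function names are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """Annex J legend for control status at a stage."""
    RED = "no controls or visibility"
    YELLOW = "some controls and/or visibility"
    GREEN = "controls and visibility"


@dataclass(frozen=True)
class Requirement:
    name: str
    stages: frozenset[str]  # stages the requirement affects (first Annex J table)
    owners: frozenset[str]  # organizations that must address it (second table)


# Supply chain stages in transit order (a subset of the annex's column headers).
STAGES = (
    "Customs clearance (export)",
    "Alongside ship, port of loading",
    "On-board vessel, port of loading",
    "Ocean/air freight",
    "Unloaded, port of destination",
    "Inland freight",
    "Named place of destination",
    "Customs clearance (import)",
)

# Constructed sample "X" marks and owners; not the annex's own entries.
REQUIREMENTS = (
    Requirement("Supply chain security program", frozenset(STAGES),
                frozenset({"Supply Chain Security", "Supply Chain Logistics"})),
    Requirement("Cargo screening / scanning",
                frozenset({"Customs clearance (export)",
                           "Alongside ship, port of loading",
                           "Customs clearance (import)"}),
                frozenset({"Supply Chain Security", "Supply Chain Logistics",
                           "Import/Export Operations"})),
    Requirement("Advanced data requirements",
                frozenset({"Customs clearance (export)",
                           "On-board vessel, port of loading",
                           "Unloaded, port of destination",
                           "Customs clearance (import)"}),
                frozenset({"Supply Chain Logistics", "Import/Export Operations"})),
    Requirement("High security bolt seals",
                frozenset(STAGES) - {"Customs clearance (export)",
                                     "Customs clearance (import)"},
                frozenset({"Supplier Management"})),
)

# Constructed control status per stage, rated with the annex's legend.
COVERAGE = {
    "Customs clearance (export)": Status.GREEN,
    "Alongside ship, port of loading": Status.YELLOW,
    "On-board vessel, port of loading": Status.GREEN,
    "Ocean/air freight": Status.RED,
    "Unloaded, port of destination": Status.YELLOW,
    "Inland freight": Status.RED,
    "Named place of destination": Status.GREEN,
    "Customs clearance (import)": Status.GREEN,
}

_SEVERITY = {Status.RED: 0, Status.YELLOW: 1, Status.GREEN: 2}


def validate(requirements, coverage, stages=STAGES):
    """Reject a matrix that leaves a stage unrated or names an unknown stage."""
    unrated = [s for s in stages if s not in coverage]
    if unrated:
        raise ValueError(f"stages without a coverage rating: {unrated}")
    for req in requirements:
        unknown = req.stages - set(stages)
        if unknown:
            raise ValueError(f"{req.name}: unknown stages {sorted(unknown)}")


def find_gaps(requirements, coverage, stages=STAGES):
    """Stages where a requirement applies but control status is not GREEN.

    Returns {requirement name: [(stage, status), ...]}, RED before YELLOW and
    transit order within each colour. Requirements with no gap are omitted.
    """
    validate(requirements, coverage, stages)
    gaps = {}
    for req in requirements:
        hits = [(s, coverage[s]) for s in stages
                if s in req.stages and coverage[s] is not Status.GREEN]
        hits.sort(key=lambda hit: _SEVERITY[hit[1]])  # stable sort keeps transit order
        if hits:
            gaps[req.name] = hits
    return gaps


def gaps_by_owner(requirements, coverage, stages=STAGES):
    """Worklist per responsible organization: [(requirement, stage, status), ...]."""
    gaps = find_gaps(requirements, coverage, stages)
    worklist = {}
    for req in requirements:
        for stage, status in gaps.get(req.name, []):
            for owner in sorted(req.owners):
                worklist.setdefault(owner, []).append((req.name, stage, status))
    return worklist


if __name__ == "__main__":
    for owner, items in sorted(gaps_by_owner(REQUIREMENTS, COVERAGE).items()):
        print(owner)
        for name, stage, status in items:
            print(f"  {status.name:6} {name}: {stage}")
```

Ordering RED ahead of YELLOW within each requirement is what makes the per-owner worklist actionable: an organization sees the stages with no controls or visibility first. The `validate` step matters when the matrices are maintained by hand, since a stage that is never rated would otherwise silently drop out of the gap list.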


Annex K
(informative)

K EXAMPLE OF THE SUPPLY CHAIN RISK LEADERSHIP COUNCIL’S (SCRLC) MATURITY MODEL

Stages: 1 Reactive; 2 Aware; 3 Proactive; 4 Integrated; 5 Resilient. Each sub-category is described at each stage.

1. Leadership

1A. Executive Leadership
  Stage 1: No SCRM leadership defined.
  Stage 2: Functional managers have responsibility for leading risk management within their domain.
  Stage 3: SCRM has senior management support, but leadership is found at functional levels.
  Stage 4: SCRM has senior management leadership functionally defined and coordinated across functions.
  Stage 5: SCRM has a defined senior management leadership role, and active engagement of management is enterprise-wide.

1B. Line/Functional Leadership
  Stage 1: Individuals assume responsibility when an event is triggered.
  Stage 2: SCRM activities are led by affected, pre-designated functional managers.
  Stage 3: SCRM activities are coordinated through supply chain manager(s), with a focus on management within the functions.
  Stage 4: SCRM activities are led by a collaborative team of functional managers, with a focus on internal management including priority supply chain partners.
  Stage 5: SCRM is coordinated across the enterprise, including multi-tier priority supply chain partners, with defined roles and responsibilities.

1C. Governance
  Stage 1: No SCRM framework.
  Stage 2: Functional managers use risk management frameworks appropriate for their function, with no cross-function coordination.
  Stage 3: SCRM is coordinated across functional units, with defined roles for key internal supply chain stakeholders.
  Stage 4: SCRM is governed by a well-defined cross-functional framework that includes priority supply chain partners.
  Stage 5: The SCRM framework is well defined across the enterprise, including multi-tier priority supply chain partners.

1D. Resources & Commitment
  Stage 1: No designated SCRM resources.
  Stage 2: SCRM resources are identified within functional units, and risk management is considered a collateral duty.
  Stage 3: SCRM resources are designated for functional units. Accountability and resource allocation are at the functional level.
  Stage 4: SCRM has committed resources with well-defined roles and responsibilities at a cross-functional level, and considers critical supply chain partners.
  Stage 5: SCRM is embedded within the organization's culture and seen as a value-added activity, with appropriate resources committed. Enterprise-wide accountability and resource allocation are considered as part of regular fiscal allocations.

1E. Program Communication
  Stage 1: No defined internal or external SCRM communication.
  Stage 2: Informal SCRM communications occur within the functional units. Supply chain partner communications occur as they relate to individual functions.
  Stage 3: Formal SCRM communications occur within functional units.
  Stage 4: Integrated SCRM communications and consultation occur across functional units and include priority supply chain partners.
  Stage 5: Enterprise-wide communication and consultation includes multi-tier priority supply chain partners.

2. Planning

2A. Supply Chain Mapping
  Stage 1: No supply chain mapping.
  Stage 2: Informal supply chain mapping occurs.
  Stage 3: Formal process for supply chain mapping within product lines.
  Stage 4: Supply chain mapping completed on critical products; includes priority supply chain partners and interdependencies across product lines.
  Stage 5: End-to-end supply chain mapping conducted across priority products on an ongoing basis; maps are readily available and include priority interdependencies.

2B. Context and Operating Environment
  Stage 1: No identification of SCRM context or operating environment.
  Stage 2: Informal process for identifying SCRM context and operating environment within product lines.
  Stage 3: Formal process for identifying SCRM context and operating environment within product lines.
  Stage 4: Formal process for identifying SCRM context and operating environment across product lines; includes critical priority supply chain partners and interdependencies.
  Stage 5: SCRM context and operating environment are understood enterprise-wide as well as by multi-tiered priority supply chain partners.

2C. Stakeholder Identification
  Stage 1: Internal and external stakeholders not identified.
  Stage 2: Internal SCRM stakeholders identified within product line.
  Stage 3: Formal process established to identify key SCRM stakeholders.
  Stage 4: Key SCRM stakeholders identified, including those related to priority supply chain partners and interdependencies.
  Stage 5: All SCRM stakeholders identified and actively engaged in the SCRM planning process.

2D. Risk Tolerance
  Stage 1: No risk criteria established.
  Stage 2: Risk criteria are identified for specific current and past events.
  Stage 3: Supply chain risk (SCR) criteria are established for specific current and past events and anticipated risks. Functional leaders are consulted in establishing risk criteria.
  Stage 4: SCR criteria are established across the supply chain based upon the organization's objectives.
  Stage 5: SCR criteria are established across the supply chain based upon the organization's objectives, continually reviewed for relevance, and endorsed by senior management.

2E. Risk Categories
  Stage 1: No risk categories identified for types of risk.
  Stage 2: Risk identified for specific issues, typically related to past events or to warnings highlighted by governments or the media.
  Stage 3: Risks identified internally for specific issues within product lines.
  Stage 4: Risks identified internally and externally across the supply chain.
  Stage 5: Comprehensive identification of risk categories covering risks related to tangible and intangible assets. Identification is aligned with the overall enterprise objectives.

2F. Business Impact
  Stage 1: No formal process for threat, vulnerability or criticality analysis.
  Stage 2: Informal process for analyzing threat, criticality and vulnerability.
  Stage 3: Formal process for analyzing threat, criticality and vulnerability utilized throughout the internal supply chain.
  Stage 4: Formal process with internal and external stakeholders for analyzing threat, criticality and vulnerability utilized.
  Stage 5: Comprehensive and integrated process for conducting threat, vulnerability and criticality analyses across the enterprise and its supply chain.

2G. Event Likelihood and Consequence
  Stage 1: No formal process for analyzing likelihood and consequence to determine level of risk.
  Stage 2: Informal process in place for analyzing likelihood and consequence to determine level of risk.
  Stage 3: Formal risk analysis process in place for analyzing internal likelihood and consequence, based upon risk criteria, to determine level of risk.
  Stage 4: Formal risk analysis process in place for analyzing internal and external likelihood and consequence, based upon risk criteria, to determine level of risk.
  Stage 5: Comprehensive, documented and integrated process for analyzing likelihood and consequence to determine level of risk across the enterprise and supply chain.

2H. Risk Prioritization
  Stage 1: No formal process to evaluate or prioritize risk.
  Stage 2: Informal process in place to evaluate or prioritize risk.
  Stage 3: Formal process in place to evaluate or prioritize internal risk.
  Stage 4: Formal process in place to evaluate or prioritize internal and external risk.
  Stage 5: Comprehensive and integrated process in place to evaluate or prioritize risk across the enterprise, aligned with the business objectives of the organization.

2I. Risk Treatment
  Stage 1: No formal process for determining risk treatment strategy.
  Stage 2: Informal process in place to determine risk treatment strategy, shared only within the risk management function and/or with specific product line supply chain stakeholders.
  Stage 3: Formal process in place to determine risk treatment strategy, developed in collaboration with internal supply chain stakeholders.
  Stage 4: Process in place to determine risk treatment strategy, developed in collaboration with internal and external supply chain stakeholders.
  Stage 5: Comprehensive, documented and integrated process to determine risk treatment strategy across the enterprise and its supply chain.

2J. Stakeholder Consultation
  Stage 1: No consultation with stakeholders.
  Stage 2: Informal consultation with limited, specific internal stakeholders.
  Stage 3: Formal process for communication and consultation throughout the internal organization.
  Stage 4: Formal process for communication and consultation throughout the internal organization, extended to include supply chain partners. Communication and consultation with external stakeholders is conducted as part of the risk assessment process.
  Stage 5: Formal and ongoing communication and consultation with internal and external stakeholders (including sub-tier supply chain partners).

3. Implementation

3A. Risk Monitoring
  Stage 1: No risk monitoring. Events become known when the impact to the business is realized.
  Stage 2: Risk monitoring for specific identified issues, typically related to past events or to warnings highlighted by governments or the media. Risk is monitored in individual functions, but there is a lack of cross-function monitoring and warning.
  Stage 3: Resources are designated for specific functions to monitor risks in their functions and escalate when appropriate. Formal early warning detection system in place for real-time threats within supply chain functions.
  Stage 4: Risks are actively monitored across the organization, including the Tier-1 supply chain partner base. Formal early warning detection system in place for real-time threats across the supply chain.
  Stage 5: Systematic approach for early warning risk and threat detection (including supply chain partners and interdependencies) that communicates threats to the organization and can trigger risk treatment plans to prevent, mitigate or respond to the threat.

3B. Risk Treatment
  Stage 1: No formal risk treatment processes.
  Stage 2: Risk treatments focus on addressing issues identified from past events. Risk treatment processes emphasize response and recovery but make no effort to address root causes or take pre-emptive measures.
  Stage 3: Risk treatment process emphasizes response and recovery. Proactive measures are introduced to respond and recover better. Risk treatment approaches are siloed along disciplines, with separate efforts for security, crisis, and business continuity management. These separate efforts interface with tier one supply chain partners.
  Stage 4: Risk treatment process emphasizes an integrated approach to anticipate, prevent, protect, mitigate, respond and recover, eliminating silos and coordinating disciplines in a single coordinated risk management effort. A pre-emptive capacity, using an approach to anticipate, prevent, protect and mitigate potential undesirable or disruptive events and including supply chain partners, is being developed.
  Stage 5: Risk treatment processes emphasize an adaptive capacity and pre-emptive measures within the organization and its supply chain. Risk treatment is based upon creating and protecting value for the organization, and upon a multi-disciplinary, unsiloed approach.

3C. Event Communication
  Stage 1: No communication procedures. Communication is not coordinated with internal or external stakeholders and is typically one-way and reactive in nature, driven by demands for information. Communication is not cross-function.
  Stage 2: Communication and consultation procedures are established with internal stakeholders based on experience with past incidents and identified needs for information sharing and warnings.
  Stage 3: Two-way communication and consultation procedures are established with internal and external stakeholders (including key supply chain partners and government). Procedures are established for communications with internal and external stakeholders, including information sharing and warnings.
  Stage 4: Integrated communication and consultation procedures are established with internal and external stakeholders (including supply chain partners and government) based on output from the risk assessment. Communication protocols for normal and disruptive events are established for internal and external stakeholders.
  Stage 5: An integrated capacity for communication and consultation with external stakeholders (supply chain, government and community), using all available technologies, is fully implemented and tested. Communication capacity is tested and verified, and contingencies are in place for internal and external stakeholders in the event of a disruption.

4. Evaluation

4A. Program Metrics
  Stage 1: No SCRM metrics to measure the impact of an event on the organization.
  Stage 2: SCRM indicators and metrics have been defined based on information needs from previous events. Post-event review of response and recovery times for specific events.
  Stage 3: SCRM indicators and metrics are defined based on past events and the risk assessment. Metrics are function-based and do not evaluate impact to the enterprise.
  Stage 4: SCRM indicators and metrics are defined based on the risk assessment process and the organization's overall objectives. Metrics measure the effectiveness of risk treatment programs and include critical supply chain partners.
  Stage 5: Supply chain metrics are integrated with the overall risk management metrics of the organization. Risk assessment and risk treatment effectiveness are analyzed from a multi-tiered perspective to determine the best return on investment for adaptive, proactive and reactive risk management strategies. Metrics highlight how organizations can minimize the likelihood of an event, or its consequences, in the extended supply chain.

4B. Performance Review
  Stage 1: No performance review conducted.
  Stage 2: Performance review conducted within functions.
  Stage 3: Program performance metrics are established to assess the effectiveness of risk programs within functions. Gaps between planned and actual performance are identified.
  Stage 4: Program performance metrics are established to assess the effectiveness of risk programs across the enterprise, including priority supply chain partners.
  Stage 5: Program performance metrics are established to assess the effectiveness of risk programs across the enterprise. Performance review emphasizes the root cause of deviations and identifies opportunities for improvement.

4C. Audit/Drill/Test
  Stage 1: No audits/drills performed.
  Stage 2: Informal audits/drills are conducted within specific functional units, based upon known risks from previous events.
  Stage 3: Periodic audits/drills conducted internally to assess the resiliency of the functional units to risks.
  Stage 4: Periodic audits/drills conducted to assess resiliency to risks across functional units, including priority supply chain partners and suppliers.
  Stage 5: Periodic audits/drills conducted to assess resiliency to risks across the enterprise, including multi-tier supply partners, emergency responders, and priority interdependencies.

5. Improvement

5A. Continuous Program Improvement
  Stage 1: No formal improvement/learning program in place.
  Stage 2: Program improvements based on shortcomings identified from previous events.
  Stage 3: Program improvements based upon forward-looking risk assessment at the functional unit level.
  Stage 4: Program improvements based on cross-functional unit reviews of risk treatments, including priority supply chain partners.
  Stage 5: Continual monitoring for opportunities for improvement throughout the enterprise and the supply chain.

5B. Change Management
  Stage 1: No change management system in place.
  Stage 2: Change management initiated after disruptive events.
  Stage 3: Formal change management system is in place within functional units.
  Stage 4: Formal cross-functional change management system is in place, including priority supply chain partners.
  Stage 5: Formal enterprise-wide change management system is in place, including priority multi-tier supply chain partners. Change management is inherent throughout the organization's culture to promote opportunities for improvement.


Annex L
(informative)

L BIBLIOGRAPHY

L.1 ASIS International Publications


ANSI/ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness and Continuity
Management Systems — Requirements with Guidance for Use
ANSI/ASIS/BSI BCM.01-2010, Business Continuity Management Systems: Requirements with
Guidance for Use

L.2 ISO Standards Publications


ISO 9004:2009, Managing for the sustained success of an organization -- A quality management
approach
ISO/IEC 17021:2011, Conformity assessment -- Requirements for bodies providing audit and
certification of management systems
ISO 17712:2013, Freight containers -- Mechanical seals
ISO 19011:2011, Guidelines for auditing management systems
ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security
management systems – Requirements
ISO 28000:2007, Specification for security management systems for the supply chain
ISO 28002:2011, Security management systems for the supply chain -- Development of resilience in the
supply chain -- Requirements with guidance for use
ISO 31000:2009, Risk management – Principles and guidelines
ISO/IEC 31010:2009, Risk management -- Risk assessment techniques

L.3 Other Relevant Publications


Berman, Al, “Business Continuity in a Sarbanes-Oxley World,” Disaster Recovery Journal, Vol.
17, No. 2, Spring 2004, pp. 18-24.
British Standards Institution, BS 31100:2008, “Risk Management: Code of Practice,” October 2008.
Castillo, Carolyn, “Disaster Preparedness and Business Continuity Planning at Boeing: An
Integrated Model,” Journal of Facilities Management, Vol. 3, No. 1, July 2004, pp. 5-26.
Chopra, Sunil, and ManMohan S. Sodhi, “Managing Risk to Avoid Supply-Chain Breakdown,”
MIT Sloan Management Review, Vol. 46, No. 1, Fall 2004, pp. 53-61.


Christopher, Martin, “Understanding Supply Chain Risk: A Self-Assessment Workbook,”


Cranfield University, School of Management, Department for Transport, 2003. As of August 10,
2011:
https://dspace.lib.cranfield.ac.uk/bitstream/1826/4373/1/Understanding_supply_chain_risk.pdf
Ellis, Simon, “Supply Chain Risk Management: A Best Practice Case Study of Cisco,”
Manufacturing Insights, June, 2009.
European Union Authorized Economic Operator (AEO) Program, Taxation and Customs
Union, http://ec.europa.eu/taxation_customs/customs/policy_issues/customs_security/aeo/
Favre, Donovan, and John McCreery, “Coming to Grips with Supplier Risk,” Supply Chain
Management Review, September 1, 2008.
Finch, Peter, “Supply Chain Risk Management,” Supply Chain Management: An International
Journal, Vol. 9, No. 2, 2004, pp. 183-196.
Giunipero, Larry C., and Reham Aly Eltantawy, “Securing the Upstream Supply Chain: A Risk
Management Approach,” International Journal of Physical Distribution & Logistics
Management, Vol. 34, No. 9, 2004, pp. 698-713.
Hepenstal, Ann, and Boon Campbell, “Maturation of Business Continuity Practice in the Intel
Supply Chain,” Intel Technology Journal, Vol. 11, Issue 2, May 2007, pp. 165-171.
Hillman, Mark, and Heather Keltz, “Managing Risk in the Supply Chain – A Quantitative
Study,” AMR Research, 2007.
Lee, Don, and David Pierson, “Disaster in Japan Exposes Supply Chain Flaw,” Los Angeles
Times, April 6, 2011.
Moore, Nancy Y., Clifford A. Grammich, and Robert Bickel, Developing Tailored Supply
Strategies, Santa Monica, Calif.: RAND Corporation, 2007.
Norrman, Andreas, and Ulf Jansson, “Ericsson’s Proactive Supply Chain Risk Management
Approach After a Serious Sub-supplier Accident,” International Journal of Physical Distribution
and Logistics Management, Vol. 34, No. 5, 2004, pp. 434-456.
Pitt, Michael, and Sonia Goyal, “Business Continuity Planning as a Facilities Management
Tool,” Facilities, Vol. 22, No. 3/4, 2004, pp. 87-99.
Ritchie, Bob, and Clare Brindley, “Supply Chain Risk Management and Performance: A
Guiding Framework for Future Development,” International Journal of Operations and
Production Management, Vol. 27, No. 3, 2007, pp. 303-322.
Sheffi, Yossi, The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage,
Cambridge, Mass.: MIT Press, 2005.
Sheffi, Yossi, and James B. Rice Jr., “A Supply Chain View of the Resilient Enterprise,” MIT
Sloan Management Review, Vol. 47, No. 1, Fall 2005, pp. 41-48.
Smith, Briony, “Intel: Disasters Can Be ‘Business As Usual’ With Enough Planning,”
ComputerWorld, June 18, 2008.


Solomon, Lance, and Joe McMorrow, “Case Study: Chengdu Earthquake Crisis Response,”
Supply Chain Risk Leadership Council Newsletter, Fourth Quarter, 2008.
United States Customs and Border Protection, C-TPAT: Customs-Trade Partnership Against
Terrorism, http://c-tpat.com/
Verstraete, Christian, “Share and Share Alike,” Supply Chain Quarterly, Quarter 2, 2008.
World Customs Organization, The SAFE Framework of Standards, 2012,
http://www.wcoomd.org/en/topics/facilitation/instrument-and-
tools/tools/~/media/55F00628A9F94827B58ECA90C0F84F7F.ashx
Zsidisin, George A., “Business and Supply Chain Continuity,” Critical Issues Report, January
2007.
Zsidisin, George A., Gary L. Ragatz, and Steven A. Melnyk, “Effective Practices for Business
Continuity Planning in Purchasing and Supply Management,” East Lansing, Mich.: Michigan
State University, July 21, 2003.
Zsidisin, George A., Alex Panelli, and Rebecca Upton, “Purchasing Organization Involvement
in Risk Assessments, Contingency Plans, and Risk Management: An Exploratory Study,”
Supply Chain Management, Vol. 5, No. 4, 2000, pp. 187-198.

L.4 References Relating to ICT SCRM


To learn more about ICT SCRM, review the following documents and sources.
NIST Supply Chain Risk Management (SCRM) for Information and Communication
Technology Program Office, http://csrc.nist.gov/scrm/index.html
NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information
Systems, http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7622.pdf
NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments,
http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System
View, http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
