ANSI SPC.4-2012 Maturity Model for the Phased Implementation of the Organizational Resilience Management System.pdf

1、Maturity Model for the Phased Implementation of theOrganizational Resilience Management SystemASIS INTERNATIONAL STANDARDAMERICAN NATIONALANSI/ASIS SPC.4-2012ANSI/ASIS SPC.4-2012 an American National Standard MATURITY MODEL FOR THE PHASED IMPLEMENTATION OF THE ORGANIZATIONAL RESILIENCE MANAGEMENT SY

2、STEM Approved February 2, 2012 American National Standards Institute, Inc. ASIS International Abstract This Standard provides guidance for the use of a maturity model for the phased implementation of the ANSI/ASIS SPC.1-2009 organizational resilience standard in six phases, ranging from an unplanned

3、 approach, to managing events, to going beyond the requirements of the ANSI/ASIS SPC.1-2009 Standard and creating a holistic environment for resilience management. ANSI/ASIS SPC.4-2012 i i NOTICE AND DISCLAIMER The information in this publication was considered technically sound by the consensus of

4、those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this document. ASIS International standards and guideline publications, of which the docum

5、ent contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and es

6、tablishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications. ASIS is

7、 a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the authority to enforce compliance with its standards or guidelines. It assumes no du

8、ty of care to the general public, because its works are not obligatory and because it does not monitor the use of them. ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indire

9、ctly resulting from the publication, use of, application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this doc

10、ument will fulfill any persons or entitys particular purposes or needs. ASIS does not undertake to guarantee the performance of any individual manufacturer or sellers products or services by virtue of this standard or guide. In publishing and making this document available, ASIS is not undertaking t

11、o render professional or other services for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent

12、 professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publicatio

13、n. ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct that purports to conform to its standards. ASIS

14、 does not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any certification or other s

15、tatement of compliance with any information in this document shall not be attributable to ASIS and is solely the responsibility of the certifier or maker of the statement. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or

16、 by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner. Copyright 2012 ASIS International ISBN: 978-1-934904-30-5 ANSI/ASIS SPC.4-2012 iii FOREWORD The information contained in this Foreword is not part of this American

17、National Standard (ANS) and has not been processed in accordance with ANSIs requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standar

18、d. ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendatio

19、n represents a goal currently identifiable as having distinct compatibility or performance advantages. About ASIS ASIS International (ASIS) is the preeminent organization for security professionals, with 38,000 members worldwide. ASIS is dedicated to increasing the effectiveness and productivity of

20、security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, gover

21、nment entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industrys No. 1 magazine Security Management ASIS leads the way for advanced and improved security performance. The work of preparing standards

22、and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development Organization, ASIS actively participates in the International Organization for Standardization.

23、The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and e

24、xpertise of ASIS membership, security professionals, and the global security industry. Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818, USA. Commission Members Charles A. Baley, Farmers Insurance Group

25、 Inc. Jason L. Brown, Thales Australia Steven K. Bucklin, Glenbrook Companies, Inc. John C. Cholewa III, CPP, Mentor Associates, LLC Cynthia P. Conlon, CPP, Conlon Consulting Corporation Michael A. Crane, CPP, IPC International Corporation William J. Daly, Control Risks Security Consulting Lisa DuB

26、rock, Radian Compliance Eugene F. Ferraro, CPP, PCI, CFE, Business Controls, Inc. F. Mark Geraci, CPP, Purdue Pharma L.P., Chair Bernard D. Greenawalt, CPP, Securitas Security Services USA, Inc. Robert W. Jones, Socrates Ltd Glen Kitteringham, CPP, Kitteringham Security Group, Inc. Michael E. Knoke,

27、 CPP, Express Scripts, Inc., Vice Chair Bryan Leadbetter, CPP, Bausch b) Establishing a policy, objectives, and strategies to manage risks; c) Implementing controls to manage risks within the context of the organizations mission; d) Monitoring and reviewing the performance and effectiveness of the O

28、RMS; and e) Continual improvement based on objective measurement. The Maturity Model outlines six phases of implementation briefly described below as: 1. Phase One: Pre-awareness Ad hoc resilience activities, no process currently in place, and resilience management is unstructured with no advanced p

29、reparation. 2. Phase Two: Project Approach Commonly known as “the awareness phase”, where management is willing to test the concept and establish a trial project to explore the benefits of resilience management and preparedness. 3. Phase Three: Program Approach - An expansion of the project approach

30、 The organizational view begins to shift from specific issues to addressing division- or organization-wide issues implementing the core elements of the base standard. 4. Phase Four: Systems Approach This phase involves integrating the core elements. Resilience management and preparedness are viewed

31、 as part of an iterative continual improvement process using the Plan-Do-Check-Act (PDCA) model. ANSI/ASIS SPC.4-2012 x i 5. Phase Five: Management System All the core elements of the base standard have been applied and tested. 6. Phase Six: Holistic Management Resilience management culture is well-

32、developed and is considered an inseparable part of decision making. The six phases of the model are focused on the phased implementation of a management system standard, all of which are applicable to any discipline or type of management system that seeks to treat risk. It is focused solely on organ

33、izational resilience utilizing balanced strategies to move from addressing just the minimization of consequences of a disruptive event to the procedures for anticipation, prevention, protection, preparedness, mitigation, and response and recovery appropriate to any organization or industry. ANSI/ASI

34、S SPC.4-2012 xii This page intentionally left blank. AMERICAN NATIONAL STANDARD ANSI/ASIS SPC.4-2012 an American National Standard Maturity Model for the Phased Implementation of the Organizational Resilience Management System 1. SCOPE OF STANDARD This Standard provides guidance for the use of a mat

35、urity model for phased implementation of the ANSI/ASIS SPC.1-2009 as a series of steps designed to help organizations: x Evaluate where they currently are with regard to resilience management and preparedness. x Set goals for where they want to go, and benchmark where they are relative to those goal

36、s. x Plot a business/mission appropriate path to get there. The model outlines six phases ranging from an unplanned approach to managing events, to going beyond the requirements of the Standard, and creating a holistic environment for resilience management. 2. NORMATIVE REFERENCES The following stan

37、dard contains provisions which, through reference in this text, constitute provisions of this American National Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this American National Standard are encou

38、raged to investigate the possibility of applying the most recent editions of the standard indicated below. ANSI/ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems Requirements with Guidance for Use.11This document is available at . 1ANSI/ASIS SPC.4-

39、2012 3. TERMS AND DEFINITIONS NOTE: The reader is encouraged to read through the terms and definitions prior to reading the body of the document. For the purposes of this Standard, the following terms and definitions apply: Term Definition 3.1 community A group of associated organizations sharing co

40、mmon interests. 3.2 event An occurrence or change of a particular set of circumstances. ISO Guide 73:2009 NOTE 1: Nature, likelihood, and consequence of an event cannot be fully knowable. NOTE 2: An event can be one or more occurrences, and can have several causes. NOTE 3: Likelihood associated with

41、 the event can be determined. NOTE 4: An event can consist of a non occurrence of one or more circumstances. NOTE 5: An event with a consequence is sometimes referred to as “incident”. 3.3 gap analysis A technique for determining the steps to be taken in moving from a current state to a desired futu

42、re-state. NOTE: Can be used to establish a baseline. 3.4 net centric A continuously-evolving and complex community of people, devices, information, and services interconnected by a communications network to optimize resource management and provide superior information on events and conditions needed

43、 to empower decision makers. 3.5 organizational resilience management (ORM) Systematic and coordinated activities and practices through which an organization manages its operational risks, and the associated potential threats and impacts therein. 3.6 organizational resilience management program Ongo

44、ing management and governance process supported by top management, resourced to ensure that the necessary steps are taken to identify the root causes of potential disruptions; the likelihood and impact of potential losses; maintain viable adaptive, proactive, and reactive strategies and plans; and e

45、nsure stability and sustainability of activities/functions/products/services through planning, exercising, rehearsal, testing, training, maintenance, and assurance. 3.7 resilience The adaptive capacity of an organization in a complex and changing environment ISO Guide73:2009. NOTE 1: Resilience is t

46、he ability of an organization to resist being affected by an event, or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event. NOTE 2: Resilience is the capability of a system to maintain its functions and structure in the face of

47、 internal and external change, and to degrade gracefully when it must. 2ANSI/ASIS SPC.4-2012 Term Definition 3.8 risk Effect of uncertainty on objectives. ISO Guide 73:2009 NOTE 1: An effect is a deviation from the expected positive and/or negative. NOTE 2: Objectives can have different aspects such

48、 as financial, health, safety, and environmental goals and can apply at different levels such as strategic, organization-wide, project, product, and process. NOTE 3: Risk is often characterized by reference to potential events, consequences, or a combination of these and how they can affect the achi

49、evement of objectives. NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances, and the associated likelihood of occurrence. 3.9 risk makers An individual(s) that creates uncertainty. 3.10 risk takers An individual(s) that accepts uncertainty. 3.11 sustainability The ability to maintain and preserve the activities and functions of an organization. 3.12 top management Person or group of people who directs and controls an organization at the highest level. ISO 9000:2005 4.