Upload
others
View
2
Download
1
Embed Size (px)
Citation preview
Inaugural-Disseration
zur
Erlangung der Doktorwürde
der Wirtschafts- und Verhaltenswissenschaftliche Fakultät
an der Albert-Ludwigs-Universität Freiburg i. Br.
Vorgelegt von
Diplom-Kaufmann
Thomas Günther Koslowski
Geboren in Bruchsal
SS 2014
RESILIENCE MANAGEMENT INFORMATION SYSTEMS –
ACHIEVING SUSTAINABILITY IN TURBULENT ENVIRONMENTS
Albert-Ludwigs-Universität Freiburg
Wirtschafts- und Verhaltenswissenschaftliche Fakultät
Druckdatum: 29.09.2014
Albert-Ludwigs-Universität Freiburg im Breisgau
Wirtschafts- und Verhaltenswissenschaftliche Fakultät
Kollegiengebäude II
Platz der Alten Synagoge
Dekan: Prof. Dr. Dieter K. Tscheulin
Erstgutachter: Prof. Dr. Dr. h.c. Günter Müller
Zweitgutachter: Prof. Dr. Dieter K. Tscheulin
Datum des Promotionsausschusses: 23.09.2014
To Charlotte and Alma Clara, my wonderful girls.
To my family and all my friends who have been my greatest support over the years. I am
grateful to have the opportunity to learn from you.
Acknowledgment "Seht, liebe Kinder, was wäre ich denn, wenn ich nicht immer mit klugen Leuten umgegangen wäre und von ihnen gelernt hätte? Nicht aus Büchern, sondern durch lebendigen Ideenaustausch, durch heitere Geselligkeit müßt ihr lernen."1
Johann Wolfgang Goethe – Letter to Julie von Egloffstein.
This dissertation would not have been possible in its present form without the continuous support and patience of many people2. It is to them that I owe my deepest gratitude.
First and Foremost, I would like to express my sincere gratitude to my advisor Prof. Dr. Dr. h.c. Günter Müller for his mentorship and professional advice. I am very thankful for the time he invested in me notwithstanding his many other academic and professional commitments. His wisdom and commitment to the highest standards have always been an inspiration and motivation to me. Allied to my Supervisor, my sincere thanks also go to Prof. Patricia H. Longstaff, for offering me the scholarship opportunity at Newhouse School of Public Communications. I am much obliged for her wisdom, humor, and her constant belief in me. I am also grateful to Dres. Stefan Fenz, Florian Kerschbaum, and Will Geoghegan for their productive and stimulating collaboration on some parts of this underlying thesis.
I would also like to mention my colleagues and friends in Freiburg: primarily, I want to thank Dr. Rafael Accorsi and Prof. Dr. Jens Strüker for their encouragement and the invaluable discussions. Their guidance helped me through the research and writing of this thesis. I would like to express my sincere gratitude to my fellow colleagues Arnt, Christian, Thomas, Julius, Marco, Jonas, and Maria for their loyalty and continuous support along all stages of my dissertation. In particular, I would like to thank Christian and Richard, for all busy days we worked together before deadlines, and for all the fun we have had in the last years, inside and outside the office. To sum up, I could not have imagined having better colleagues for my Ph.D. study.
Last but by no means least, my biggest gratitude go to my family who have supported me throughout my life. I wish to thank my parents, who were my first teachers and my inspiration to continue to learn. To my wife Charlotte, and my daughter Alma Clara, who taught me about love. They all have always been my safety net on which I was able to develop and experiment without the fear of failing. I wish to hopefully show you with this thesis, that all the efforts undertaken have led to a fruitful endeavor.
1 “Look, dear children, what would I be if I were not always surrounded with wise people and learned from them? One must learn not from books, but through the vital exchange of ideas, by cheerful conviviality.”
2 I would like to gratefully acknowledge the the financial support from sdw - Stiftung der Deutschen Wirtschaft (Foundation of German Business) and Wissenschaftliche Gesellschaft (Scientific Society) Freiburg.
i
Table of Contents
List of Figures .......................................................................................................................... vi
List of Tables ............................................................................................................................ ix
Abbreviations ............................................................................................................................ x
1 Managing turbulent enterprise environments ............................................................... 1
1.1 Resilience Management Information Systems ........................................................... 3
1.2 Research questions and objectives ............................................................................. 6
1.3 Outline ...................................................................................................................... 13
1.4 Contributions ............................................................................................................ 17
1.4.1 Multidisciplinary Resilience Framework ..................................................... 17
1.4.2 Organizational Resilience Framework ......................................................... 17
1.4.3 Information Systems and Resilience ............................................................ 18
1.4.4 Process-Centered Resilience Detection ........................................................ 18
1.4.5 Secure Sustainability Benchmarking Service .............................................. 19
1.5 Related and unrelated publications ........................................................................... 21
2 Theoretical and Conceptual Foundations .................................................................... 23
2.1 Resilience – a fresh perspective for sustainability.................................................... 23
2.1.1 VUCA environments .................................................................................... 24
2.1.2 Resilience and sustainability ........................................................................ 27
ii
2.2 Essential semantics of resilience .............................................................................. 31
2.2.1 Walk in the definitional thicket .................................................................... 35
2.2.2 Multidisciplinary Resilience Framework ..................................................... 47
2.2.3 Application of the framework and conclusion ............................................. 51
3 Organizational Resilience .............................................................................................. 53
3.1 A review and reconceptualization ............................................................................ 55
3.1.1 Descriptive analysis ..................................................................................... 55
3.1.2 Critical analysis ............................................................................................ 63
3.1.3 Resilience elements and organizational capabilities .................................... 69
3.2 Framing organizational resilience types ................................................................... 79
3.2.1 The underlying puzzle .................................................................................. 80
3.2.2 Organizational resilience dimensions .......................................................... 84
3.2.3 Organizational Resilience Framework ......................................................... 95
3.2.4 Discussion and conclusion ......................................................................... 106
4 Resilience Management and Information Systems ................................................... 110
4.1 From risk management to resilience management ................................................. 111
4.1.1 Risk concept ............................................................................................... 113
4.1.2 Protection goal ........................................................................................... 118
4.1.3 Management and design ............................................................................. 120
4.2 IT-induced sources of stress and disruption ........................................................... 126
4.3 IS management fundamentals ................................................................................. 130
iii
4.3.1 ERP and WFMS ......................................................................................... 132
4.3.2 IS risk management .................................................................................... 135
4.3.3 Limitations of IS risk management ............................................................ 143
4.4 Resilience and IS research ...................................................................................... 144
4.4.1 Status quo and shortcomings ...................................................................... 145
4.4.2 Implications for IS research ....................................................................... 147
5 Process-centered Resilience Management .................................................................. 152
5.1 Resilient BPM ........................................................................................................ 152
5.2 Research context and design .................................................................................. 156
5.2.1 Status quo and shortcomings ...................................................................... 156
5.2.2 Research questions and objectives ............................................................. 159
5.3 PREDEC framework .............................................................................................. 160
5.3.1 Event logs and elicitation techniques ......................................................... 161
5.3.2 Resilience Measures ................................................................................... 164
5.3.3 Analysis techniques .................................................................................... 173
5.4 Design and implementation .................................................................................... 174
5.4.1 Review of temporal aspects of workflows ................................................. 176
5.4.2 Methodology and research design .............................................................. 178
5.4.3 Case study .................................................................................................. 182
5.4.4 Evaluation and discussion .......................................................................... 187
5.5 Concluding remarks ................................................................................................ 189
iv
6 Secure Sustainability Benchmarking Service ............................................................ 191
6.1 Sustainability quest for enterprises ......................................................................... 193
6.1.1 Sustainability performance management systems ..................................... 194
6.1.2 IT-based SBM ............................................................................................ 197
6.2 Integration into an ERP on-demand platform......................................................... 199
6.2.1 ERP as a platform ....................................................................................... 200
6.2.2 Literature on ERP on-demand .................................................................... 201
6.3 System dynamics model ......................................................................................... 203
6.3.1 Methodology .............................................................................................. 203
6.3.2 Model development and analysis ............................................................... 205
6.3.3 Discussion .................................................................................................. 211
6.4 Towards a confidential SBS ................................................................................... 213
6.4.1 Research design .......................................................................................... 214
6.4.2 Automated data gathering .......................................................................... 215
6.4.3 Tackling the data heterogeneity and quality problem ................................ 217
6.4.4 Unsolved information-sharing problem ..................................................... 219
6.5 Design of a confidential SBS ................................................................................. 221
6.5.1 Benchmarking types ................................................................................... 222
6.5.2 Security objectives ..................................................................................... 224
6.5.3 Implementation .......................................................................................... 225
6.6 Analysis and evaluation .......................................................................................... 230
v
6.7 Discussion ............................................................................................................... 232
6.8 Concluding remarks ................................................................................................ 235
7 Outlook and Conclusion ............................................................................................... 236
7.1 Summary and main results ..................................................................................... 236
7.2 Implications for future research .............................................................................. 240
References................................................................................................................................. A
vi
List of Figures
Figure 1: Thesis Outline ...................................................................................................... 14
Figure 2: Overview of developed IS artifacts ..................................................................... 21
Figure 3: Changing Nature of Change ................................................................................ 26
Figure 4: Resilience, Sustainability, and Security .............................................................. 29
Figure 5: Resilience Publications (1996-2013) .................................................................. 33
Figure 6: Ball and Cup-Model ............................................................................................ 41
Figure 7: Multidisciplinary Resilience Framework ............................................................ 49
Figure 8: Publications onOrganizational Resilience (1993-2012) ..................................... 57
Figure 9: Organizational Resilience Research Methods .................................................... 57
Figure 10: Organizational Resilience Model Development ............................................... 58
Figure 11: Type of Empiricism Employed ......................................................................... 59
Figure 12: Multi-Disciplinary Background ........................................................................ 60
Figure 13: Business Sub-Disciplinary Perspective ............................................................. 61
Figure 14: Factors in Organizational Resilience Papers ..................................................... 62
Figure 15: Level of Analysis Employed ............................................................................. 65
Figure 16: Resilience Elements and Organizational Capabilities ...................................... 70
Figure 17: Normal Accident Theory ................................................................................... 77
Figure 18: Typology of Organizational Surprises .............................................................. 89
List of Figures vii
Figure 19: Three Types of Change and Resilience ............................................................. 92
Figure 20: Organizational Resilience Framework .............................................................. 96
Figure 21: The Resilience Delta. ......................................................................................... 97
Figure 22: Traditional Risk Management Instruments ..................................................... 115
Figure 23: Risk Elements and Management Implications ................................................ 117
Figure 24: Safety by constraints ........................................................................................ 119
Figure 25: Safety by Management .................................................................................... 120
Figure 26: Four cornerstones of Resilience Engineering ................................................. 124
Figure 27: IT-induced sources of stress and disruption .................................................... 128
Figure 28: WFMS and ERP systems................................................................................. 133
Figure 29. FORISK Modules ............................................................................................ 140
Figure 30: Foundations of IS Resilience ........................................................................... 146
Figure 31: Operational Resilience Management System ................................................. 148
Figure 32: Resilience Management Cycle ........................................................................ 150
Figure 33. BPM Life Cycle ............................................................................................... 154
Figure 34. Relation between Operational Risks and BPM ............................................... 158
Figure 35: Overview of the PREDEC framework ............................................................ 161
Figure 36: Log entry structure ........................................................................................... 162
Figure 37: Resilience Measurement Framework .............................................................. 167
Figure 38: Example Loan Application Process ................................................................ 167
Figure 39: Calculation for the quality of the given Workflow ......................................... 180
List of Figures viii
Figure 40: Example Workflow .......................................................................................... 184
Figure 41: PDF calculation of the example workflow ..................................................... 185
Figure 42: Cummulative calculation of the example workflow ....................................... 186
Figure 43: Simulation results ............................................................................................ 187
Figure 44: Feedback Loops ............................................................................................... 206
Figure 45: Automating the Data Gathering Process ......................................................... 217
Figure 46: SBS system architecture .................................................................................. 228
ix
List of Tables
Table 1: Definitions of key terms .......................................................................................... 6
Table 2: Related and unrelated publications ....................................................................... 22
Table 3: Definitions with Low Complexity, Low Normativity ......................................... 42
Table 4: Definitions with High Complexity, Low Normativity ......................................... 42
Table 5: Definitions with Low Complexity, High Normativity ......................................... 45
Table 6: Definitions with Low Complexity, High Normativity ......................................... 46
Table 7: From Protection to Resilience ............................................................................. 113
Table 8: WFMS vs. ERP Systems .................................................................................... 134
Table 9: Overview of existing Measurement Attempts .................................................... 166
Table 10: Examples of (BPM) Resilience Measures ........................................................ 170
Table 11: Time behavior of each single activity in the example workflow .................... 183
Table 12: Results of the literature review on “SaaS” ....................................................... 202
Table 13: Data Collected and Indicators for SBM ........................................................... 216
Table 14: Features and Benefits of SBS ........................................................................... 225
Table 15: Performance results in seconds ......................................................................... 232
x
Abbreviations
ARIS Architektur integrierter Informationssysteme
BPM Business Process Management
CIO Chief Information Officer
COO Chief Operations Officer
CSR Corporate Social Responsibility
CDF Cummulative Distribution Functions
DSS Decision-Support System
ERP Enterprise Resource Planning
FORISK Formalizing Information Security Risk & Compliance
HRO High Reliable Organization
ICT Information and Communication Technology
IS Information System
ISO International Organization for Standardization
IT Information Technology
KPI Key Performance Indicator
MIS Managements Information System
NAT Normal Accident Theory
NIST National Institute of Standards and Technology
ORM Operational Resilience Management
Abbreviations xi
PaaS Platform-as-a-Service
PDF Probability Distribution Functions
PM Process Mining
PRI Process Risk Indicators
PREDEC Process-Centered Resilience Detection
RMIS Resilience Management Information System
RQ Research Question
SaaS Software-as-a-Service
SBM Sustainability Benchmarking
SBS Secure Sustainability Benchmarking Service
SCM Supply-Chain-Management
SNA Social network analysis
VUCA Volatile, Uncertain, Complex and Ambiguous
WFMS Workflow Management Systems
1
1 Managing turbulent enterprise environments
Organizations around the globe have increasingly adopted sustainability goals by
recognizing not only long-lasting economic performance, but also environmental
protection and social responsibility. The pursuit of sustainability not only
concerns the reduction of negative externalities and the commitment to
obligations toward intra and intergenerational justice. In turbulent environments,
where organizations face too many and too frequent unanticipated shocks,
sustainability further address the survival and persistence of organizations itself
(Seager, 2008; WEF, 2013). Recent studies show that the survival rate of
businesses remain low, as 50-70 percent of all start-ups disband within five years
and more than 80 percent of corporate enterprises do not survive more than a
decade (Hollnagel, 2011; Geus, 1997; Zook and Allen, 2010). Although much
progress has been made in the organizational ‘sustainability’ discourse -
particularly upon resource-efficiency improvements (Walker and Salt, 2006;
Porter and van der Linde, 1995b), a still existing limitation refers to the
relationship between risks, uncertainty and sustainability, which has surprisingly
received little attention thus far (Krysiak, 2009). Moreover, conventional
approaches to risk-management addressing a wide set of organizational risks still
attempt to predict events by emphasizing an a priori evaluation of risks in
probabilistic and consequential terms (Smith and Fischbacher, 2009). However,
complexity and exponential pace of change of business call for better
understanding and mechanisms for navigating through turbulent environments, as
exemplified in case of organizational responses to climate change: “More and
more companies believe that they must learn to adapt to the unavoidable
consequences of climate change, rather than prevent it. […] such strategy […] is
attempting to manage the consequences, not causes of climate change (McCann
and Selsky, 2012, p. 5)”.
Beside ecological risks such as the consequences of climate change,
organizational efforts in achieving sustainability are jeopardized by manifold
1.1 Resilience Management Information Systems 2
man-made sources of turbulence and uncertainty: Modern societies operate in an
increasingly complex and turbulent world marked by interconnection and
interdependence across global networks (Boin and McConell, 2007; McCann and
Selsky, 2012). Information Technologies (IT) have an ambivalent effect on the
performability of organizations and its critical infrastructures, illustrating tensions
between opportunities for sustainable business practices at cost of increasing
turbulence: On the one hand, these platforms for innovation and economic growth
are supposed to coordinate and distribute information more efficiently and have
positive impacts on the functionality and sustainability of infrastructures and
institutions. In the field of environmental sustainability, this is possible for
instance through de-carbonization, rationalization, as well as data gathering and
provision in real-time (Elliot, 2011; Koslowski and Strüker, 2011). On the other
hand, the increasing IT-enabled interconnectedness and interdependence is
leading to the emergence of unintended, unpredictable safety, reliability and
security problems (Hollnagel et al., 2006; Müller et al., 2011; Tanriverdi et al.,
2010).
As a consequence, organizations and its underlying socio-technological
infrastructures are fail-prone with respect to system breakdowns to new and future
threats such as terrorism, pandemic potential, energy volatility, and climate (Risk
Response Network, 2012; WEF, 2013). While such failures and breakdowns have
proven relatively rare, the consequences of failures within an interconnected
world can cause serious problems beyond geographical and functional borders of
organizations (Boin and McConell, 2007; WEF, 2013).
Today, most decision makers, either public administrators or private
organizations, have come to understand that protection of information systems
(IS) as backstones of multiple infrastructures is of high priority. But the
expanding landscape of emerging risks illustrates the borderless and unpredictable
nature of risk and uncovers the limits of traditional risk management practices and
theories.In the face of highly interconnected systems new emerging risks or new
surprises lack a priori indication of occurrence, they exhibit the potential to
“cascade” systems at different speeds and their relation between origin, evolution
1.1 Resilience Management Information Systems 3
and final consequence are frequently ill-understood, e.g. (Hollnagel et al., 2006;
McCann and Selsky, 2012; Smith and Fischbacher, 2009). But just because some
systems are complex and turbulent does not mean they are unmanageable or
impossible to govern: Though, managing them requires different methods and
rests on other assumptions than predominated in classical risk and security
management. Where we had often come to expect predictability and consistency,
we now must accept the necessity of dealing with the consequences of uncertainty
(Grote, 2009; McCann and Selsky, 2012; Milliken, 1987).
Against this background, decision makers at different levels are forced to consider
how to respond to different kinds of emerging risks with regard to sustainability3
in a more holistic manner (Levin, 1998; Walker and Salt, 2006). The concept of
resilience is gaining ground as a denominator to move beyond survival and even
prosper in face of challenging conditions (Hamel and Välikangas, 2003; Hollnagel
et al., 2006; Kahan et al., 2009; Longstaff et al., 2013). A recent article4 briefly
summarized the differences between resilience and sustainability: "Where
sustainability aims to put the world back into balance, resilience looks for ways to
manage in an imbalanced world." Resilience has been a prominent topic in
various scientific fields but also on the agenda of public and private institutions,
recognizing the complex and uncertain nature of social systems.
1.1 Resilience Management Information Systems
Resilience is basically an emergent property associated with an organization's
capacity to pursue its goals despite disruption through mindfulness (Weick and
Sutcliffe, 2007), resourceful agility, elastic infrastructures and recoverability, e.g.
(Caralli et al., 2010; Hollnagel et al., 2006). Hence, resilience is a combination of
technical design features, such as fault-tolerance and dependability (Avizienis et
al., 2004), with organizational features, such as mindfulness, training and
3According to Krysiak (2009, p.483-484), any definition of sustainability has to consider the future but uncertain consequences of present actions in order to limit the probability that a future generation is harmed.
4Andrew Zolli (2012) “Learning to Bounce Back”, New York Times November 2, 2012.
1.1 Resilience Management Information Systems 4
decentralized decision making (Antunes and Mourão, 2011; Weick and Sutcliffe,
2007) and therefore a topic that perfectly fits for IS research and practice.
Presently, decision makers are already equipped with a broad set of tools and
models to enhance organizational resilience and sustainability. However, there is
an ongoing demand for more powerful systems to address sustainability and
operational risks by means of quick information provision and automated decision
support. Apparently, IS can significantly contribute to environmental
sustainability (often called “Green IS” Melville, 2010, p. 3; Müller et al., 2011)
but also for organizational risk and resilience management (Caralli et al., 2010;
Zobel and Khansa, 2012). Apart from increased data quantity and quality, also
shorter reaction times constitute an essential benefit of information systems for
sustainability management (Koslowski and Strüker, 2011) as well as conventional
risk management (Ekelhart and Neubauer, 2011) in comparison with manual data
capturing and analysis. Although IS-architectures such as Enterprise Resource
Planning (ERP) and Business Process Management (BPM) Systems for integrated
management support already exist for decades, most organizations address
security/risk management, business continuity and sustainability, as well as IT
operations siloes, with little integration and communication (Caralli et al., 2010,
p. 17).
Nowadays, many organizations are realizing that these activities are
complementary and collaborative functions having the same goal, namely to
enhance organizational resilience and sustainability (Caralli et al., 2010, p. 17;
Seager, 2008). Corresponding to the increasing attention to more holistic
responses to different kinds of emerging risks with regard to sustainability, an
integrated approach, subsequently termed as “resilience management”, is expected
as a potential panacea to achieve organizational sustainability in turbulent
environments (Lewin, 1998; Park et al., 2013; Seager, 2008). In line with
researchers of the Software Engineering Institute at Carnegie Mellon University5,
resilience management defines “the processes by which an organization designs,
5http://www.sei.cmu.edu/
1.1 Resilience Management Information Systems 5
develops, implements, manages, and improves strategies for protecting and
sustaining high-value services and associated assets such as people, information,
technology, and facilities” (Caralli et al., 2010, p. 19).
This definition already signals the crucial role of IT and IS for organizational
resilience and sustainability: as the pervasiveness of IT provides a myriad of
opportunities and productivity improvements, IT also increases complexity and
interdependences of organizational services and assets (Butler and Gray, 2006;
Caralli et al., 2010). As a consequence, managing complexity and uncertainty is
imperative for modern organizations to ensure resilient operation and to protect
the transmitted and stored data (Butler and Gray, 2006). Thus, there is a pressing
need for an integration of organizational and technological views, as well as the
integration of related, but usually disjointed activities of IS security, business
continuity and IT operations (Allen et al., 2011; Caralli et al., 2010). Accordingly,
this dissertation introduces Resilience Management Information Systems (RMIS)
as a novel approach for the IT-enabled support of all phases along the resilience
management cycle on the level or processes (Accorsi and Stocker, 2012).
As contrasted with traditional risk and security management approaches that
usually attempt to assess operational risks based on (either subjective or
historical) threat probabilities (focus on the cause of events), operational resilience
management focus on the realized risks and its consequences (Caralli et al.,
2010). The proposed resilience management cycle thus begins with (i) Detection
in order to identify failures, potential weaknesses and exceptional process
executions. (ii) The purpose of Diagnosis and Evaluation is to collect and assess
vulnerabilities, and consequently to determine a set of intervention types. (iii) The
next stage covers Treatment and Recovery, including the actual selection and
implementation of supportive actions and automatic corrections. (iv) Finally, the
phase of Escalation and Institutionalization guarantees enrichment or revision of
the current knowledge base, and aims to establish and facilitate an organization-
wide resilience culture.
However, since safety and security standards and reliable IT operations are a
complex range of requirements to which decision makers have to respond,
1.2 Research questions and objectives 6
organizations are increasingly forced to rethink how they address the security and
resilience of their business processes. In the following, RMIS can be understood
as an arsenal of interrelated components that collect, process, store, and distribute
information to support resilience management in an organization. In detail, RMIS
coordinate and orchestrate the activities along the resilience management cycle.
RMIS ideally empower firms to automatically detect abnormal system behaviors,
provide quickly filtered information to operators, and consequently enable an
automated decision-making process.
The following table captures a set of key terms used in this dissertation.
Table 1: Definitions of key terms
Sustainability
the capacity of sth. to endure; linked to the simultaneous recognition of (mostly three) sustainability dimensions (economic, environmental and social)
(adapted from Visser 2007)
Sustainable Development
development that meets the needs of the present without compromising the ability of future generations to meet their own needs.
(Visser 2007)
Resilience "the capacity of a system to absorb disturbance, undergo change, and retain the same essential functions, structure, identity, and feedbacks.”
(Gundersson/Holling 2002)
Turbulent Environments
evolves from the mixture of a hostile, heterogeneous, and dynamic environment that create uncertainty and unpredictability.
(adapted from Calantone et
al. 2003)
Operational Resilience
associated with an organization’s capacity to continue its mission despite disruption through mindfulness, resourceful agility and recoverability
(Caralli et al. 2010)
Operational Resilience Management (ORM)
the process by which an organization designs, implements, and manages the operational resilience of related business processes, and associated assets.
(Caralli et al. 2010)
Resilience Management Information Systems (RMIS)
a complex set of interrelated components (technology, people…) that collect, process, store, and distribute information to support the Operational Resilience Management.
own definition
1.2 Research questions and objectives
The overall objective of the dissertation is to galvanize IS research and research in
sustainable business on organizational resilience. Therefore, the dissertation
provides a “resilience perspective” as a complementary approach to sustainability
1.2 Research questions and objectives 7
management that explicitly recognizes the unpredictable and turbulent business
reality. Despite the wide spread of resilience across multiple disciplines, a number
of open research issues remain. These encompass conceptual and definitional
vagueness of resilience, a lack of empirical research and a lack of applicable
(organizational) solutions and IS-artifacts to bring resilience into action.
Accordingly, the following section introduces a research agenda on resilience and
resilience management comprising five research questions spanning conceptual
perspectives, research methods and prototypical implementations of resilience and
sustainability supporting IS6.
The first research gap refers to the conceptual vagueness of resilience and
organizational/IS resilience in particular. Researchers in different disciplines have
struggled with the concept of resilience in their respective fields for decades.
Against the background of manifold conceptual usage across multiple fields, it is
not surprising that extant resilience research is surrounded by diversity and
ambiguity of definitions, scope conditions, antecedents and outcomes. Is
resilience a metaphor, a capability, a strategy, a goal, a measure or a behavior?
Although an elastic notion of resilience may facilitate communication across
disciplines (or even divergent lines of research within a discipline), a trade-off
may exist due to terminological confusion that may hinder operationalization and
lead to unclear or even contradicting evaluations of results.
A definition that is too broad could hinder empirical research results and even
cause some to question the relevance of the concept (Suddaby, 2010). Thus, as
stated by Suddaby, a clear construct might not only facilitate communication
between scholars, it also “enhances researchers' ability to empirically explore the
phenomena” and further to enhance research creativity by “allowing managers to
redefine problems in ways that are more amenable to resolution”. As a
consequence, a deeper investigation and development of a wide-accepted
definition and specification of (IS) resilience is crucial for both, theory
6This chapter entails revised parts of the conference papers Müller et al. (2013) and Koslowski (2013).
1.2 Research questions and objectives 8
development as well as further empirical analysis and artifact developments. This
raises the following research questions (RQ):
RQ1: How does resilience manifestitself across multiple disciplines?
The lack of construct clarity also impedes empirical exploration of organizational
resilience. In their review of organizational resilience, (Bhamra et al., 2011)
highlight that “there appears to be a strong focus around building theories and
definitions of resilience. However, the literature is lacking in empirically proving
the theories.” Vogus and Sutcliffe (2007) further posit that “given the dearth of
empirical work exploring resilience in organization theory, many (if not all)
avenues are open for future research in resilience”. Dependent on the underlying
theoretical assumptions, the nature of resilience will change. As for example
Colbert (2004) highlights changing implications for strategic human resource
management due to a complex theory perspective of resource-based-view
(Colbert, 2004). Also, Boisot and McKelvey (2011) exemplify the fundamental
re-evaluation of organizational effectiveness based on the network-structure of the
organizational system. Applying either a stable perspective marked by linearity
and predictability or emphasizing turbulence and emergence has strong
implications for the analysis of system behaviors and structures and therefore
substantially modifies the required variety to adapt and survive (both widely
described as related concepts of resilience).
Thus, scholars should aim to untangle the underlying puzzle of organizational
resilience and its related concepts, for instance vulnerability and adaptability by
recognizing underlying assumptions about stability and normativity (Mamouni
Limnios et al., 2014; Tanriverdi et al., 2010). Furthermore, this requires to
acknowledge different levels of abstraction (ranging from vague principles to less
abstract policies, practices and outcomes) of resilience as well as the contextual
scope of different levels of analysis (Colbert, 2004; Koslowski et al., 2013a). This
research challenge leads to the following research questions:
RQ2:How does resilience relate to other organizational factors? More precisely,
what are determinants and antecedents of organizational resilience?
1.2 Research questions and objectives 9
The aforementioned trade-off between the potential of complex perspectives to
enrich and question simpler assumptions at the expenses of academic rigor and a
wide repertoire of quantitative statistics is already acknowledged in organization
science, e.g. (Boisot and McKelvey, 2011), as well as IS research (Tanriverdi et
al., 2010). A similar problem is to be expected when operationalizing and
measuring organizational resilience. For example, a simple conception of
resilience (as bounce back) may be well served in the more stable “Gaussian
worlds” but may bring limits to a more complex or “Paretian world” (Boisot and
McKelvey, 2011). While in particular technical indicators for the earlier resilience
types are already established, e.g. by (Zobel and Khansa, 2012), the development
of more complex indicators and modeling techniques still remain at a formative
stage(Meyer, 2013). Along with measurement issues, new method-sets from other
disciplines such as computer science and information systems may enable new
streams of resilience research in an organizational context. Future efforts may
increasingly include simulation modeling and empirical validation of resilience
and its interaction with related constructs (Meyer, 2013).
We can expect that the incorporation of resilience as an important system feature
will change the organizational object function and therefore leads to a re-
evaluation and extension of organizational effectiveness. Evaluating effectiveness
involves transforming managerial decisions into action and measuring the
performance of that action.
Performance measurement requires a systematic and deep analysis of business
objects, which includes not only a re-structuring of processes but also the
development of innovations in the light of resilience (Allen et al., 2011) and
sustainability issues (Sharma and Henriques, 2005, p. 160; Koslowski and
Strüker, 2011). Hence, both researchers and practitioners need to derive a set of
meaningful indicators of organizational resilience on both, operational and
strategic levels. As resilience is contextualized given a specific challenge, it is
crucial to identify factors that are believed to enhance IS resilience, such as
margin tolerance, buffering capacity and flexibility. Depending on the specific
purpose, the expressive indicators might be either quantitative or qualitative and
1.2 Research questions and objectives 10
claim to determine the gap between the expected and current status of the relevant
business unit (Allen et al., 2011; Somers, 2009). This leads to the following
question:
RQ3: How can resilience be translated to the principles and measurements of
organizations and IS?
The foundations of IS resilience derived in Chapter 3 and 4 will also have a
variety of implications for the design of IS. Recent studies on resilience
management emphasize the integration of organizational and technological views,
as well as the integration of related, but usually disjoint activities of IS security,
business continuity and IT operations (Allen et al., 2011; Caralli et al., 2010).
As a central aspect of modern IS, Business Process Management (BPM) has
attracted considerable attention in recent years, both in academia and practice
(Houy et al., 2011). The rationale to investigate resilience in the context of BPM
arises from the fact that business processes link the different levels of
management and information systems infrastructures by automating or at least
digitalizing the execution of flexible business processes. By decoupling IT from
core organizational competencies, business processes can be thus seen as enablers
of change. Therefore, improvements of business processes can lead to
improvements of both, the management and the underlying IS. Business process
models are virtual representations of an enterprise’s core activities, which include
organizational assets (such as people, information, and technology) connected to
multiple tasks and activities. Existing approaches of BPM mainly assume stable,
predictable and isolated process types. This is sometimes in contrast to the
business reality, as large organizations have often hundreds or more processes in
place, and increasingly invest in the new opportunities of ubiquitous computing
and “big data” (McAfee and Brynjolfsson, 2012). Against this backdrop, more
complex modeling and exploratory analytical techniques such as Process Mining
(Accorsi and Stocker, 2012; van der Aalst and Weijters, 2004) seem promising
developments for identifying and designing business processes more resiliently.
1.2 Research questions and objectives 11
Recent frameworks for resilient BPM such as (Antunes and Mourão, 2011) tend
to state very abstract implementation suggestions. For example, (Antunes and
Mourão, 2011) and (Caralli et al., 2010) provide a set of fundamental
requirements for supporting resilient BPM. While these works capture basic
requirements for resilient IS design, they lack empirical validation, concrete
implementation guidelines, as well as artifacts to support the implementation of
resilience in IS. Thus, concrete measures are mostly missing, leading to inefficient
or even misleading resilience strategies. Effective and cost-efficient tools that
could be used for the (semi-)automated detection of BPM resilience are missing.
Furthermore, existing methods provide decision makers with limited intuitive
support-tools at high personnel costs and, thus, fail to assist them in enhancing
and maintaining resilience of BPM.
Up to now, there are techniques and formal foundations that can, when assembled,
provide for resilience mechanisms at the level of BPM. However, the current
state-of -art do not offer corresponding mechanisms. Similarly, vendors of BPM
systems and workflow management systems have not yet focused their solutions
on resilience. These gaps lead to the following questions:
RQ4: What are fundamental requirements for resilient BPM design? And what
tools and approaches are applicable to support and enhance IS (respectively
BPM) resilience?
Both, sustainability management as well as resilience management have evolved
over the years by expanding from asolely internal to an external, inter-
organizational perspective. For instance, by establishing methods like Life Cycle
Assessment (LCA) (Reap et al., 2008) or Carbon Footprint, a more systematic and
comprehensive covering of environmental impacts increasingly gains attraction.
The basic idea is that environmental impacts are always assigned to the segment
that caused them. This so-called cradle-to-grave principle means to assess
environmental impacts associated with all the stages of a product's life cycle (i.e.
from raw material extraction through manufacturing to disposal or recycling).
Thus, the scope of environmental sustainability is far beyond a single organization
and requires a systematic understanding of an organization’s interconnected value
1.2 Research questions and objectives 12
net (Watson et al., 2010). Due to the growing interconnectedness and
interdependency of organizations, this assumption also holds for resilience
considerations (e.g. (Fiksel, 2003). Hence, inter-organizational collaboration and
networking are seen as crucial enablers for achieving organizational resilience
(e.g. McCann and Selsky, 2012; Weick and Sutcliffe, 2007; Longstaff et al.,
2010).
Although a multitude of benefits are associated with cross-organizational
collaboration in the context of sustainability (e.g. Matthews and Lave, 2003;
Sarkis, 2010) and resilience (e.g. Stephenson et al., 2010; Wolter, 2012),
organizations still face two major obstaclesto take full advantage of such cross-
functional comparisons: First, the heterogeneity of the data requires significant
pre-processing, and, second, the sensitivity of the data causes enterprises to
reluctantly share this data. Interestingly, research on inter-organizational systems
shows how reserved and cautious enterprises are still today when it comes to the
exchange of sensitive data (Kerschbaum et al., 2011). Ideally, in order to track
inter-organizational data in a reasonable granularity and precision for holistic
sustainability assessments, a collaborative exchange of sensitive data like
environmental impacts and sustainability indicators will be necessary (Elliot,
2011). For this purpose, the thesis further provides a second IS artifact, namely a
secure sustainability benchmarking service (SBS) to overcome the information-
sharing problem. Such an automated, collaborative data exchange would need to
be respected by answering the fifth research questions:
RQ5a: What is the economic rationale for organizations to participate in
sustainability benchmarking?
RQ5b: What are functional and security objectives to make confidential
information-exchange feasible?
1.3 Outline 13
1.3 Outline
According to the research questions above, each of the following chapters focus
on different aspects of organizational resilience and sustainability at the
intersection of organization science, information systems, and computer science.
Nonetheless, all chapters address the topic of this thesis: Information systems for
organizational resilience and sustainability management. However, there exists a
controversial discussion over the direction in the fields of IS research for years
(Hevner et al., 2004; Müller, 2009; Simon, 1996). Whereas the Anglo-American
community is dominated by a behavioral science perspective seeking to explore
implications of IT for individuals, organizations and society, the design-science
oriented perspective of IS research (predominant in German-speaking countries)
is marked by creating and evaluating IT-artifacts7 with respect to their utilization
for IS (Bichler, 2006). A simplified distinction is given by Hevner et al. (2004)
who states that “The behavioral-science paradigm relies on truth, the discovery of
truth. In contrast, the design-science paradigm seeks to create what is effective”.
Consequently, in order to address the different research problems, a pluralistic
research approach with different methodological orientations is chosen (Frank,
2006).
Figure 2 depicts the outline of the thesis and further indicates the relationships
between the various chapters, namely theoretical and conceptual foundations
(Chapter 2 – 4) as well as the design and evaluation of IS artifacts (Chapter 5 &6).
7 An overview of the IT-artifacts is deptived in Figure 3.
1.3 Outline 14
Figure 1: Thesis Outline
Chapter 2 explores conceptual foundations and historical development of
resilience across disparate research disciplines and fields of application. For this,
it firstly elaborates the differences of commonalities of resilience and
sustainability, and its mutual relationship (Section 2.1). Subsequently, a
framework is introduced to specify different resilience-types according underlying
assumptions about system’s complexity and normativity (Section 2.2).
Chapter 3 substantiates several claims with related work: First, the claim, that
resilience is still theoretically undeveloped in organizational literature. Therefore,
1.3 Outline 15
a descriptive bibliographic analysis has been applied to identify the current state
of the art of resilience research in organization science (Section 3.1). Second, the
chapter shows that current research on organizational resilience lack concrete
guidelines for designing and implementing resilience in organizations. Moreover,
the chapter provides an overview of four types of organizational resilience
(Section 3.2). The characteristics of resilient organizations derived further present
initial recommendations for organizational structures and governance
mechanisms. These observations pave the way for a deeper investigation of
operational resilience in IS research.
Based on the prior investigation, Chapter 4 then transfers the concept of
resilience to Information Systems (IS) research respectively Business Informatics.
Concretely, the primary objective of this chapter is to capture and to establish a
relationship between resilience research and the IS research field. Resilience
Management Information Systems (RMIS) are introduced to provide managers
and decision makers with suitable information and tools to managing
organizational resilience. For this, the chapter firstly introduces the notion of
resilience management as a complementary approach to prevailing security- and
risk management approaches (Section 4.1). The next section will discuss various
sources of stress and disruption associated with IT-diffusion (Section 4.2). Section
4.3 firstly provides some basics on different types of IS architectures.
Subsequently, it provides an overview of current challenges and limitations of
prevailing IS risk and security approaches. These shortcomings stress the need to
extend IS risk management with resilience. Consequently, this is followed by a
report on the status quo with respect to IS research and a scientific-programmatic
view of the upcoming research questions in this area (Section 4.4). Finally, the
chapter derives foundational requirements for the design and of RMIS.
Chapter 5 is dedicated to introduce “Process-Centered Resilience Detection“
(PREDEC), a detective framework to assert the resilience of business process-
based management (BPM) systems. The chapter starts with a motivation and
exploration of operational resilience in the context of BPM (Section 5.1).
Subsequently, the chapter substantiates the claim with related work that tools and
1.3 Outline 16
artifacts for resilient BPM are rare (Section 5.2). Section 5.3 introduces the
PREDEC framework that serves as a common denominator for the design of IT
artifacts to support operational resilience management in the phases of detection,
diagnosis, and evaluation. Furthermore, the components and requirements towards
process-resilience detection are described. Time-behavior represents one crucial
indicator for process-resilience. Therefore, an IT artifact as an example of
resilience management information systems (RMIS) is introduced. This artifact
enables to model the amount of resources required as a stochastic function and to
sum up the need for the whole business process, including its branches.
Eventually, a case study from the manufacturing sector will be carrying out to
evaluate the performance, feasibility, and effectiveness of the developed IT
artifact. The simulation results show that modeling the time behavior of a
workflow as stochastic variable makes it possible to grasp the concept of
resilience by providing a mathematically framework to deduce resilience
indicators.The chapter concludes with a discussion of the findings and future
research work.
While the instantiation of PREDEC in the previous chapter solely focus
ondecision support within the boundaries of an organization, Chapter 6
elaborates the suitability of information systems for inter-organizational data
exchange. The chapter thus explores a further problem domain – the application
of a benchmarking service for proactive sustainability management. Accordingly,
sections 6.1-3 firstly investigate the economic potential of the integration of an
ERP on-demand provider with a sustainability-benchmarking (SBM) provider.
Throughout the investigation, a system-dynamics model will be developed to
illustrate how SBM can contribute to the lasting success of ERP on-demand
platforms. However, despite multiple benefits related to SBM for organizations,
significant data input and information-sharing problems remain. The chapter’s
concluding research question is how to overcome those problems. This question
drives the remaining sections. For this purpose, the subsequent Sections (6.4 - 6.8)
introduce another IT artifact, namely a secure sustainability benchmarking service
(SBS) to overcome the information-sharing problem.
1.4 Contributions 17
1.4 Contributions
Parts of this thesis are based on several research papers, having been published in
different journals and proceedings or presented on international conferences (a
detailed overview is provided in Section 1.5).
Concretely, this dissertation makes the following contributions:
1.4.1 Multidisciplinary Resilience Framework
The second chapter introduces the “Multidisciplinary Resilience Framework”
which has been presented at the 5th International Symposium on Resilience
Engineering 2013. Therefore, section 2.2 will reassess the multiple definitions of
resilience against the background of the multidisciplinary evolution of the
terminology to advance and clarify the construct of resilience within different
contexts and cases. It utilizes a wide variety of literature research methods to
explore the basic appreciation of resilience. Notwithstanding communalities,
substantial distinctions of the concept exist with regard to (1) the level of
complexity and (2) the degree of normativity included in the perspective. After
analyzing these diametrical meanings, a conceptual framework is developed as a
blueprint for facilitating real-world problem solving and cross-disciplinary
resilience research by giving options for re-contextualizing the appropriate
resilience type to the respective object of investigation.
1.4.2 Organizational Resilience Framework
The third chapter is dedicated to presenting an “Organizational Resilience
Framework” which is a substantial extension of the framework previously
presented. Parts of this chapter are based on the paper (Koslowski et al.,
2013a)presented at the 33rd Annual International Conference of the Strategic
Management Society.The purpose of this chapter is to rigorously systematize the
literature of organizational resilience in order to make the following contributions:
First, a comprehensive review on organizational resilience based on descriptive
1.4 Contributions 18
analysis is provided. Thus helping scholars recognize and segment the different
philosophies and approaches to organizational resilience. Second, this chapter
further identifies knowledge gaps, critical appraisals and inconsistencies within
organizational resilience to help counteract the construct proliferation that has
become apparent within the domain. Third, an organizational resilience
framework based on systematic research is presented. The framework allows a
conceptual tool that will advance a clear method to help distinguish the specific
context for resilience. Finally, the framework will help executives to comprehend
the specific circumstances that characterize their own context for resilience.
1.4.3 Information Systems and Resilience
This dissertation introduces the notion of Resilience Management Information
Systems (RMIS). Therefore, the fourth chapter firstly captures and establishes a
relationship between organizational resilience research and the IS
Research/business informatics field. Parts of this chapter have been previously
published in the proceedings of the Business Information Systems Workshops
2013, and the proceedings of the 43rd Annual IEEE/IFIP Conference on
Dependable Systems and Networks Workshop 2013. The fourth chapter identifies
a number of open research issues and proposes a research agenda on resilience
and resilience management and provides the foundation for resilient IS design in
particular. The chapter sets out to argue that resilience can be featured as a new
and valuable research field in Information Systems. Despite the wide spread of
resilience across multiple disciplines, IS are a crucial but still inadequately
explored enabler for organizational resilience.
1.4.4 Process-Centered Resilience Detection
This thesis presents the Process-Centered Resilience Detection service
(PREDEC), a detective framework to realize resilience in the context of business
processes. Parts of the fifth chapter are based on a preliminary version of the
paperby (Koslowski and Zimmermann, 2013) which has been published in the
Lecture Notes in Computer Science Volume 8203. This paper is one of the first
1.4 Contributions 19
that attempt to combine and systematize the related but still disconnected fields of
IS resilience and process-orientation. The development of a BPM resilience cycle
corresponds with the BPM lifecycle and enables and proposes how to build and
enhance resilient BPM. PREDEC is a novel approach providing event log
specifications to enable process-centric resilience detection. The requirements and
measures developed serve as basis for eliciting and subsequently assessing
structural characteristics of information infrastructures. Consequently, the
framework makes a major step beyond the state of the art by introducing a
methodology that allows for a (semi-)automated conformance check based on
resilient BPM principles. Moreover, a conducted case study from the
manufacturing sector based on experimental simulations illustrates how decision
makers get equipped with a comprehensive methodology for analyzing and
diagnosing the resilience of information infrastructures and thereby generating
meaningful insights and evidences in an intuitive and economic manner. The latter
sections are based on the paper (Zahoransky et al., 2014) that has been accepted
for publication in Lecture Notes in Computer Science. Eventually, these
contributions serve as groundwork for supporting subsequent steps of the
resilience management cycle, such as escalation and institutionalization.
Moreover, PREDEC set the basis for rendering the tedious work of manually
combing the knowledge from best practice guidelines with the actual
infrastructure obsolete. Is also enables the objective detection of vulnerabilities on
executed processes instead of intended process models.
1.4.5 Secure Sustainability Benchmarking Service
The sixth chapter presents a secure sustainability benchmarking service (SBS).
This chapter comprises two articles that have been previously published in
Business & Information Systems Engineering 3/2011 (Koslowski and Strüker,
2011) and in the Proceedings of the International Conference on Information
Systems 2011 (Kerschbaum et al., 2011). The pressure on enterprises to manage
and improve their environmental sustainability is steadily increasing. This has
resulted in a growing awareness that Green Information Systems (Green IS)
1.4 Contributions 20
solutions can significantly contribute to more sustainable business processes by
using modern IT-Applications. In this context, the chapter provides a “green
perspective” on IS-enabled sustainability. For this, the chapter firstly analyzes the
economic benefits of the platform principle for an ERP on-demand provider.
Beside possible cost savings for providers and users, the focus lies on the specific
potential provided by an ERP on-demand platform. This mainly consists of the
integration of complementary enterprise applications with the core ERP
application and the resulting added value for service users as well as platform and
service providers. This value is examined by using the example of a software
service for sustainability benchmarking (SBM). The results of a system-dynamics
model indicate that the quality of the SBM application as well as of corporate
management can be significantly improved. In particular, a SBM software service
that is integrated into an ERP on-demand platform is able to accelerate market
penetration.
However, sustainability benchmarking still faces two major obstacles: First, the
heterogeneity of the data requires significant pre-processing, and, second, the
sensitivity of the data causes enterprises to reluctantly share this data. Hence, the
contribution of a subsequently developed IS artifact is twofold: After analyzing
the data input problem and identifying appropriate and available solutions, the
chapter further presents a secure sustainability benchmarking service (SBS) to
overcome the information-sharing problem. The service uses homomorphic
encryption to protect the data during processing and differential privacy to protect
against leakages from the reports. The evaluation, based on a prototypical
implementation of the SBS, illustrate its applicability in industry: More generally,
the security is evaluated using theoretical, cryptographic proofs, performance via
measuring a prototypical implementation and functionality by comparing to non-
secure benchmarking initiatives. The implemented SBS and derived
measurements show that the performance is manageable for the business user as
well as the service provider. Moreover, the SBS allows companies to mutually
share environmental sustainability data in a confidential manner and therefore
significantly reduces the risk of leakages from existing practices of information-
sharing.
1.5 Related and unrelated publications 21
Figure 3 depicts an overview of the ITartifacts provided in this thesis and the
mutual relations between the previous chapters.
Figure 2: Overview of developed IS artifacts
1.5 Related and unrelated publications
This thesis is based on several research papers, having been published in different
journals and proceedings or presented on international conferences (a summary is
depicted in Table 2).
1.5 Related and unrelated publications 22
Table 2: Related and unrelated publications8
Publications (double-blind peer-reviewed) Koslowski, T. G., Longstaff, P. H. (2014). Resilience Undefined: A Framework for Interdisciplinary Communication and Application to Real-World Problems. In Masys, A. J. (ed.), Disaster Management: Enabling Resilience, (Lecture Notes in Social Networks 8768): Springer (New York), forthcoming. Zahoransky, R., Koslowski, T.G., Accorsi, R. (2014), Resilience Assessment in Business Process Architectures, In Bondavalli, A., Ceccarelli, A., Ortmeier, F. (eds.) 1st International Workshop on Reliability and Security Aspects for Critical Infrastructure Protection, (LNCS): accepted. Berlin, New York: Springer, forthcoming. Koslowski, T. G., Geoghegan, W., Longstaff, P. H. (2013). Organizational Resilience: A Review and Reconceptualization. 33rd Annual International Conference of the Strategic Management Society, Atlanta, VA. Sept 28-Oct 1 2013. Koslowski, T., Zimmermann, C. (2013). Towards a Detective Approach to Process-Centered Resilience. In R. Accorsi & S. Ranise (Eds.), Security and Trust Management, (LNCS 8203): 176-190. Springer (Berlin Heidelberg). Müller, G., Koslowski, T. G., Accorsi, R. (2013).Resilience - A New Research Field in Business Information Systems?. In W. Abramowicz (ed.), Business information systems 2013 Workshops, (LNBIP 160): 3-21. Springer (New York). Longstaff, P. H., Koslowski, T. G., Geoghegan, W. (2013). Translating Resilience: A Framework to Enhance Communication and Implementation. In 5th International Symposium on Resilience Engineering, Soesterberg, Netherlands, 25-27 Jun 2013. Fenz, S., Neubauer, T., Accorsi, R., Koslowski, T. G. (2013).FORISK: Formalizing Information Security Risk and Compliance Management. In 43rd annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W), Budapest, 24-27 Jun 2013. Koslowski, T., Strüker, J., Brenig, C. (2013), Mastering the Energiewende – A Cross-disciplinary Teaching Approach, In 21st European Conference on Information Systems (ECIS 2013), Utrecht, Netherlands, 6-8 Jun. Koslowski, T. G. (2013) “Resilience Management – Achieving Sustainability in Turbulent Environments. In 5th Annual ARCS Research Conference (Alliance for Research on Corporate Sustainability), Berkeley, CA. 29 Apr – 1 May 2013. Koslowski, T., Longstaff, P., Vidal, M., Grob, T. (2012), Resilience Analysis of the ICT Ecosystem. In 23rd European Regional Conference of the International Telecommunication Society (ITS), Vienna, Austria, 1-4 Jul 2012. Koslowski, T., Strüker J. (2011). ERP-On-Demand-Platform: Complementary Effects at the Example of a Sustainability Benchmarking Service. Business & Information Systems Engineering 53 (6): 359–367. (additional German version: ERP-On-Demand-Plattform, Wirtschaftsinformatik, (53:6), 347-356.) Kerschbaum, F., Strüker, J., Koslowski, T. (2011) Confidential Information-Sharing For Automated Sustainability Benchmarks. In 32nd International Conference on Information Systems (ICIS), Shanghai, China, 4-7 December 2011. Koslowski, T. (2011), Interorganisationale Nachhaltigkeitsmessung als Softwaredienst, In Eymann, T. (ed.) Proceedings of the Doctoral Consortium of the Wirtschaftsinformatik 2011, Zürich (CH), 115-124.
8 Underlined publications are included or partially included in this thesis.
23
2 Theoretical and Conceptual Foundations
2.1 Resilience – a fresh perspective for sustainability
Global business is recognized as being a critical contributor in realizing the
challenges of sustainability (Porter and Reinhardt, 2007; Koslowski and Strüker,
2011). Consequently, organizations have been increasingly faced with
requirements from different stakeholders to reconsider the direction of
sustainability issues by the adoption of sustainability goals to commit to the
obligations toward intra- and inter-generational justice (Sharma and Henriques,
2005). Practical implications encompass mainly the compliance to a variety of
environmental and social laws and standards in order to reduce liability or to
secure access to relevant resources. Additionally, cap-and-trade, the demand for
green and fair-traded products and the spread of sustainable investment funds
demonstrate the business case of sustainability (Linton et al., 2007; Porter and
Reinhardt, 2007; Porter and van der Linde, 1995a; Salzmann et al., 2005; Visser
et al., 2007). Hence, business organizations aim increasingly to improve their
sustainability performance such as eco-efficiency and resource productivity
(Hervani et al., 2005, p. 330; Koslowski and Strüker, 2011, p. 360). Theseefforts
require a systematic and deep analysis and control of all business objects, which
includes not only a re-structuring of processes but also the development of
innovations in the light of sustainability (Sharma and Henriques, 2005, p. 160).
However, the sustainable transformation of business remains a significant
challenge, as highlighted by Fiksel (2003) who identified barriers that limit the
application of sustainable development in practice: the difficulty of balancing the
needs of future generations against daily business pressure; the strong emphasis
on resource constraints rather than innovation; the danger of neglecting the
synergistic relations between the economic, ecological and social aspects of
sustainability.Although much progress has been made in the ‘sustainability’
discourse - particularly upon resource-efficiency improvements (Walker and Salt,
2.1 Resilience – a fresh perspective for sustainability 24
2006; Porter and van der Linde, 1995b), a further limitation refers to the
relationship between risks, uncertainty and sustainability, which has surprisingly
received little attention thus far (Lewin, 1998; Krysiak, 2009). Moreover,
conventional approaches to sustainability and risk-management still attempt to
predict events by emphasizing an ex ante evaluation of risks in probabilistic and
consequential terms (Smith and Fischbacher, 2009; Seager, 2008). But this
dominant approach of conventional sustainable and risk management in modern
complex and dynamic systems are inadequate because threats and hazards are
often unknown since risks emerge through nonlinear interactions of different
system components, e.g. (Fiksel, 2003; Lewin, 1998; McCann and Selsky, 2012;
Walker and Salt, 2006).
2.1.1 VUCA environments
Long before the growing interest of business actors towards sustainability,
management theorists and practitioners have long acknowledged the unique
characteristics of organizations that must exist in environments characterized by
turbulence (Drucker, 1980; Meyer, 1982), discontinuity(Boisot and McKelvey,
2011), and uncertainty (Grote, 2009; Milliken, 1987). These can also be termed as
volatile, uncertain, complex and ambiguous (VUCA) environments (McCann and
Selsky, 2012, p. 10) and illustrate the borderless and unpredictable nature of
diverse risk and uncovers the limits of traditional risk management practices and
theories: ‘New emerging risks’ or ‘new surprises’ lack of a priori indication of
occurrence.They exhibit the potential to cascade through time and space at
different speeds and their relation between origin, evolution and final
consequences are frequently misunderstood (Smith and Fischbacher, 2009).
Consequently, we are confronted by a propensity for system breakdowns and
sense of vulnerability to new and future threats such as terrorism, pandemic
potential, energy volatility, and climate change, all with the potential to trigger
interrelated cascading disturbances (The Critical Infrastructure Protection
Program, 2006). As a result, there are a myriad examples of disasters and
accidents, ranging from natural disasters such as the destruction of New Orleans
2.1 Resilience – a fresh perspective for sustainability 25
by Hurricane Katrina, cyber-attacks, such as the Stuxnet virus (Rid, 2012) or
human-made disasters such as the Deepwater Horizon oil spill (Palin, 2012), to
systematic failures such as the currently ongoing financial crisis (Smith and
Fischbacher, 2009). While such failures and breakdowns have proven relatively
rare, the consequences of failures within a hyper-connected world can cause
serious problems beyond geographical and functional borders (Boin and
McConell, 2007; McCann and Selsky, 2012, p. 8). For instance, the discussion
regarding the safety of nuclear power has been reignited worldwide, leading to the
immediate shutdown of some nuclear plants in Germany (Risk Response
Network, 2012; Kemfert). Furthermore, the Deepwater Horizon oil spill not only
caused significant financial and reputational loss for the participating companies
of the industrial consortium, but also led to serious ecological and social harm of
people and the environment along the Gulf of Mexico (Palin, 2012).
Against this backdrop, decision makers at different levels are forced to consider
how to respond to different kinds of emerging risks with regard to sustainability9
in a more holistic manner (Walker and Salt, 2006). The concept of resilience is
gaining ground as a denominator to move beyond survival and even prosper in
face of highly diverse risks and surprises (e.g.(Beermann, 2011; Derissen et al.,
2011; Fiksel, 2003; King, 1995; Smith and Fischbacher, 2009). Resilience has
been a prominent and emerging topic in various scientific fields but also on the
agenda of public and private institutions, recognizing the complex and uncertain
nature of social systems.
However,an increasing tendency for systems to become turbulent and complex
does not infer that they are unmanageable or impossible to govern (Mitleton-
Kelly, 2003). Managing them solely requires different forms and may rest upon
other assumptions. Where we had used to expect predictability and consistency,
we now must accept the necessity of dealing with uncertainty.To survive, persist
and even thrive in the face of unexpected changes represents a significant
9 According to Krysiak (2009, p.483 & 484), any definition of sustainability has to consider the future but uncertain consequences of present actions in order to limit the probability that a future generation is harmed.
2.1 Resilience – a fresh perspective for sustainability 26
challenge and have resulted in calls for understanding and developing of
mechanisms for coping with unexpected and disruptive events (McCann and
Selsky, 2012; Longstaff, 2005; Weick and Sutcliffe, 2007). In their book
“Mastering Turbulence”, McCann and Selsky (2012) describe the evolving nature
of change and appropriate strategic shifts to cope within these environments: from
controlling episodic change inspired by the scientific management movement;
embracing continuous change through agility and outsourcing; to prepare for
disruptive change through resilience mechanisms (see Figure 4).
Figure 3: Changing Nature of Change10
Hence, the discourse about security, safety and ecosystem management among
others is currently undergoing fundamental changes. While for instance security
research in the 20th century tended to focus on security through control and
prevention, more recent streams emphasis the development of adaptive and
resilient capacities to absorb and adapt to a variety of threats in high-complex
systems (Lentzos and Rose, 2009). Similar in the field of sustainability studies,
there is evidence of adopting complementary “fresh perspectives” (Fiksel, 2003,
10 Adapted and modified from McCann/Selsky (2012), p.25
2.1 Resilience – a fresh perspective for sustainability 27
p. 5330) to sustainability management that takes a more integrated complex
system view11 (Mitleton-Kelly, 2003) to generally manage social-ecological
systems (Holling and Gunderson, 2002; Walker and Salt, 2006) and respond to
climate change (Beermann, 2011) rather by self-organization, adaption and
learning than control resource efficiency.
Before providing a deeper investigation on resilience across multiple disciplines,
the next section will brieflycover the relationship between sustainability and
resilience (more comprehensive discussions are given by Derissen et al., 2011;
Brand and Jax, 2007).
2.1.2 Resilience and sustainability
Sustainability and resilience are both two highly abstract and complex concepts
with a variety of interpretations and definitions(Seager, 2008). Sustainability can
be defined in a variety of ways. While it is nowadays common to link
sustainability with the simultaneous recognition of (three) sustainability
dimensions (e.g. economic, environmental and social) (Visser et al., 2007), the
term is basicallyconsidered as a “capacity to sustain” or “capacity to endure”. In
particular, sustainability is often described in terms of resource stocks necessary
to sustain life. Therefore, sustainable practicesshift attention to the maintenance of
adequate stocks of renewable and non-renewable resources.One of the most
popular definition of sustainable development dates from the
BrundtlandCommission in 1987 as “development that meets the needs of the
present without compromising the ability of future generations to meettheir own
needs" (Melville, 2010). Following this definition, sustainability is a normative
concept capturing the basic ideas of inter- and intergenerational justice (Derissen
et al., 2011). Corporate Social Responsibility (CSR) describes organizational
attempts to commit to sustainable development by integrating a wide set of
11 Complex adaptive systems exhibit properties such as diversity, feedback, emergence and openness, e.g. Levin (1998); Mitleton-Kelly (2003).
2.1 Resilience – a fresh perspective for sustainability 28
regulating mechanisms into their business activities e.g. (Salzmann et al., 2005;
Visser et al., 2007).
Resilience is often defined as “the capacity of a system to absorb disturbance,
undergo change, and retain the same essential functions, structure, identity, and
feedbacks.”12 But as it will be shown in the next sub-sections, the definition and
conceptualization of resilience significantly vary across different disciplines and
fields of application (and even within disciplines, cf. chapter 3). However,
resilience fundamentally describes a property/quality of a system to cope with
change (Brand and Jax, 2007; Haimes, 2009a; Lorenz, 2010) and emphasizes
persistence either by recoverability (resilience as bounce back)13 or by adoption
and transformation (resilience as bounce forward).
As both concepts show similarities by focusing on the survival and longevity of
systems, it is no surprise that many scholars have frequently drawn a connection
between resilience and sustainable development: often the two terms are used
interchangeably, sometimes resilience is conceptualized as a necessary
precondition for sustainably (Derissen et al., 2011; Brand and Jax, 2007).
However, as we described in the earlier section, the growing complexity and
turbulence of modern systems have resulted in calls to encourage resilience
research as a complementary, system-based perspective to sustainability (e.g.
(Fiksel, 2003; Walker and Salt, 2006). In line with this view, the pursuit of
sustainable development and human well-being remain a major desirable goal
while managing and designing for resilience puts stronger emphasizes a process
of preparedness, adaption and renewal in face of unpredictable perturbations and
disruptions (e.g. Norris et al., 2008; Lorenz, 2010).
The following Figure 5depicts two different views of sustainability. On the left-
hand side of the spectrum, sustainability is expressed as securing longevity
(Seager, 2008, pp. 445ff.): sustainability equals the maintainenance of a desirable
system state by preserving the status quo, optimizing functionality and
12 The concept of “resilience thinking” was spread by the Resilience Alliance Gunderson (2002). 13 The next sub-section will deal with the differences between resilience as bounce back vs. bounce forward.
2.1 Resilience – a fresh perspective for sustainability 29
enhancingsystem performance for instance through improving eco-efficiency or
resource-productivity (Porter and van der Linde, 1995b). In contrast, on the right-
hand side of the spectrum, sustainability in environments, marked by dynamic and
disruptive changes, is rather approachable through resilience. From this point of
view, adaption to changing conditions and the acknowledgment of uncertainty
become more important.
Figure 4: Resilience, Sustainability, and Security14
For decision makers, it is crucial to recognize the unique differences of both sides
of the sustainability spectrum: Each perspective comes along with different
14 Adapted and modified from Seager (2008, p. 445).
2.1 Resilience – a fresh perspective for sustainability 30
assumptions regarding the nature of change: In systems marked by higher stability
and predictability, traditional management approaches such as risk analysis and
quality management provide valuable support for decision makers. For example,
risk assessment starts with hazard or failure identification and typically deals with
a relative small amount of scenarios that are considered as a moment in time(Park
et al., 2013, p. 359). Maintenance and protective actions then aim to minimize
different kinds of performance loss by securing status quo and maximizing
functioning, e.g. through improved eco-efficiency. In contrast, a resilient
perspective of sustainability shifts attention to an impending view by anticipating
possible consequences of unforeseeable disruptions. The emphasis lies not in the
(static) optimization of identified factors (e.g. based on probabilistic risk
calculation or ecological life-cycle assessments) but in accepting temporary
failures and loss and moreover, in restorative and even adaptive actions (Walker
and Salt 2006). Consequently, rapid recovery and system adaption are outcomes
of resilient mechanisms such as redundancy, detection, and innovation (e.g.
Hollnagel 2006; Walker and Salt 2006)
Thus, the current resilience discourse attempts to acknowledge the “changing
changes” more comprehensively: to combat the actual causes of threats (e.g.
environmental issues such as reducing carbon emissions or improving eco-
efficiency15), and to prevent their deployment through a variety of control
mechanisms and defensive measures (such as workforce’ safety regulation) will
certainly remain important sustainability strategies. They are, however, placed in
relational perspective by the acknowledgement that absolute protection in a
rapidly changing world must necessarily remain unreachable. Rather than relying
on preventive and mitigating strategies alone, the concept of resilience is linked to
the potentials of open and connected socio-technological systems (Walker and
Salt 2006). As a strategy, it takes systemic risks seriously by not reacting to new
forms of vulnerability with a flexible and open risk management. The aim is not
just to overcome crises as quickly as possible and without extensive social
agitation. The ambition is ratherto lower the brittleness of systems, and in doing
15 A more comprehensive explanation of eco-efficiency and carbon reduction is given in Chapter 6.
2.2 Essential semantics of resilience 31
so to increase the resilience. This rationale in the context of climate change
mitigation is illustrated by (McCann and Selsky, 2012, p. 5): “More and more
companies believe that they must learn to adapt to the unavoidable consequences
of climate change, rather than prevent it. […] such strategy is reactive, not
proactive, in that it is attempting to manage the consequences, not causes of
climate change.”
Summing up, across a wide spectrum of disciplines and fields of application -
resilience as a complementary approach to the conventional management streams
of sustainability and risk management - is gaining ground as a facilitator to move
beyond survival and even prosper in face of challenging conditions(Seager, 2008;
Smith and Fischbacher, 2009).
In order to examine what this complementary approach will be and what concepts
and mechanisms are required is not only useful but also necessary to delineate the
meaning, disambiguate the definitions and contextual specifications of the
resilience concept. Scholars from different fields have already attempted to deal
with conceptual and definitional ambiguity of resilience within their own
disciplines. However, such attempts remain usually within the boundaries of their
respective field and do not take sufficiently the accumulated knowledge as well as
the existing obfuscation across different disciplines and fields of application into
account. Thus, thenext section aims to tackle the blurred conceptual boundaries
caused by tautologies, complementarities and mixing normative aspects.
2.2 Essential semantics of resilience
Most of us are familiar with the translation of languages. Many have been
surprised at how a word or concept from another language gets converted by
translation software or even professional translators who are proficient in both.16
Sometime words carry with them the culture and/or conceptual orientation of the
16 This chapter is a revised version of the paper Longstaff, P. H., Koslowski, T. G., & Geoghegan, W. (2013), Translating Resilience: A Framework to Enhance Communication and Implementation. 5th International Symposium on Resilience Engineering, Soesterberg, Netherlands, 25-27 June 2013.
2.2 Essential semantics of resilience 32
speaker that are not shared by the listener. Misunderstanding is almost certain in
such cases. But centuries of dealing with people who speak other languages or
speak the same language but come from other cultures have given us some tools
for managing the potential confusion and misconstructions. Interdisciplinary and
international problem-solving is hard work and there are often communication
errors so it is important to know what level of translation matters for the problem
at hand. Does the problem require the participants to share broad definitions or to
agree on very precise ones? In the following, and alternative approach is
provided. And while the definitional framework proposed here does not solve all
problems it allows us to make progress in areas that are critical to human and
technical systems now.
The increasing complexity of today’s inter-connected social systems has resulted
in calls for greater understanding and development mechanisms for coping with
turbulence and uncertainty (Longstaff, 2005; Weick and Sutcliffe, 2007).
Resilience has been studied and described by various academic disciplines as a
potential answer to move beyond survival and even prosper in the face of
challenging conditions (Carpenter et al., 2012). These disciplines include: ecology
(Holling, 1996; Walker and Salt, 2012), psychology (Masten, 2001), socio-
technical studies related inter alia to safety management (Hollnagel et al., 2006),
disaster research(Norris et al., 2008) and a broad range of organizational studies
(Lengnick-Hall and Beck, 2005; McCann and Selsky, 2012; Sheffi, 2007; Weick
and Sutcliffe, 2007). Publications concerning the concept have increased
dramatically.
The concept of resilience has emerged relatively recently in the scientific debate.
The number of publications dealing with resilience is strongly increasing over the
last years. Taking into account a general increase in publications per year (about
doubled since 1995), scientific articles containing the keyword resilience grew
more than ten-fold since 1995, corresponding to a larger application of the
resilience concept and a wider diffusion to other scientific areas. The picture
below shows the number of publications dealing with resilience in all scientific
2.2 Essential semantics of resilience 33
disciplines. Searching for the keyword “resilience” in only scientific articles on
the scientific database web of knowledge17 yields 9,272 results (Sept. 2011).
Figure 5: Resilience Publications (1996-2013)18
The growing popularity of the term ‘resilience’ has caused some (e.g., (Lorenz,
2010; Strunz, 2012) to believe that resilience is in danger of becoming another
linguistic fashion or buzzword with little or no meaning or validity. While there
may be some transient fashion involved, the increased popularity of resilience also
signals an alternative focus to the challenges of uncertainty and variability that
arise from the increasing complexity and interconnectedness of modern systems.
This has led to new worldwide efforts to recognize and deal with systems that
cross traditional academic boundaries and corporate and governmental regulatory
divisions. For example, the Resilience Alliance19 has developed an
interdisciplinary “Resilience Thinking” as a framework for understanding change
in social-ecological systems (Walker and Salt, 2012). An emerging community of
engineers20 from a variety of subspecialties is developing ‘Resilience
Engineering’ as “a new way of thinking about safety”.
17 www.webofknowledge.com 18from Longstaff et al. (2013). 19 The Resilience Alliance is a multi-disciplinary research consortium who collaborate to explore the
dynamics of social-ecological systems (http://www.resalliance.org , accessed August20, 2013). 20 The Resilience Engineering Association is an emerging community of researchers and practioners to
promote the ideas and principles of Resilience Engineering (http://www.resilience-engineering-association.org/, accessed June06, 2013).
2.2 Essential semantics of resilience 34
Against the backdrop of varied conceptual usage across multiple fields, it is not
surprising that extant resilience research is surrounded by diversity and ambiguity
of definitions, scope conditions, antecedents and outcomes e.g. Lorenz (2010) and
Norris et al. (2008). Is resilience a metaphor, a capacity, a capability, a strategy, a
goal, a guiding principle, a philosophy, a measure or behavior? Although an
elastic notion of resilience may facilitate communication across disciplines (or
even divergent lines of research within a discipline (Brand and Jax, 2007; Strunz,
2012), a lack of clarity confusion may hinder operationalization in specific
contexts and lead to unclear or even contradicting evaluations of results. A
definition that is too broad would also hinder empirical research results and even
cause some to question the relevance of the concept (Strunz, 2012; Suddaby,
2010). As Suddaby (2010) states, a clear construct might not only facilitate
communication between scholars, it also “enhances researchers’ ability to
empirically explore the phenomena” and further enhance outcomes by “allowing
managers to redefine problems in ways that are more amenable to resolution” (p.
352).
Unfortunately, a holistically agreed upon definition will be difficult and
problematic in the short term. And the world cannot wait for the perfect definition
before it begins to tackle the dangers and uncertainties from which we must
bounce back. Fortunately, a variety of definitions can exist as long as they are
acknowledged (Strunz, 2012) and there are people who can translate between
them. The skills for translation between academic disciplines and between the
academy and practitioners will almost certainly need to happen for productive
discussions between ecologists, engineers, physicists and psychologists (who have
all developed their own definitions and lexicon) in order to build new approaches
to the complex problems facing many organizations and all governments(Le Coze
and Dupré, 2008).
The framework proposed here will help begin the process of translation and this
will help identify the modi operandi (strategies and mechanisms used) that are
more likely to allow a system (such as a community or a technical system)
achieve resilience. The four perspectives are broad enough to allowfor differences
2.2 Essential semantics of resilience 35
in situations but concrete enough to allow for the discussion of how and to whom
resources for recovery or adaption are allocated (Baker, 2009) and help identify
other trade-offs with regard to the arsenal of resilience mechanisms and policies
that are employed.
Notwithstanding some substantial communalities among the disciplines,
substantial distinctions of the concept exist with regard to (1) the level of
complexity that is assumed (reductionism vs. holism orientation) and (2) the
degree of normativity included in the perspective (descriptive vs. normative
orientation). After analyzing these meanings, I will discuss the applicability of our
conceptual framework as a blueprint for facilitating real-world problem solving
and cross-disciplinary resilience research by giving options for re-contextualizing
the appropriate resilience type to the respective object of investigation. This
allows for the concept of resilience to continue to evolve as disciplines begin to
talk to each other and as practitioners discover new mechanisms for systems to
recover from shocks they cannot avoid.
That does not mean that there is one best way to accomplish resilience, at least not
at the moment. That is unlikely to be the immediate outcome of international,
interdisciplinary, and inter-organizational efforts to deal with a wide variety of
uncertainties. The first step in managing such an effort is to acknowledge all the
potential opportunities and all possible difficulties. The next steps are to make the
goal clear in each case, decide how success will be judged, and determine how (or
if) the lessons learned in one place can be translated into another place or
knowledge domain.
2.2.1 Walk in the definitional thicket
Resilience, n. 1.The action or an act of rebounding or springing back; rebound, recoil. 2. a. Elasticity; the power of resuming an original shape or position after compression, bending, etc. b. The energy per unit volume absorbed by material when it is subjected to strain; the value of the elastic limit.…. 5. The quality or fact of being able to recover quickly or easily from, resist being affected by, a misfortune, shock, illness, etc.; robustness; adaptability. (Oxford English Dictionary)
2.2 Essential semantics of resilience 36
The English word “resilience” is derived from the Latin words resilire and salire,
meaning to leap back, recoil, spring and spring again, re-flow, et cetera. Although,
in general terms, resilience is often said to reflect any system’s response to
change or forces outside itself, the evolution of the term across different
disciplines and fields of application leads to a diverse and sometimes confusing
definitional lexicon. An extensive review of the literature reveals that the word
resilience has been used to indicate a metaphor, a capacity of a systems and a
strategy to cope with uncertainty (Norris et al., 2008). Several conceptual and
review papers have been written to clarify resilience in various fields: (Klein et
al., 2003a) review resilience in natural hazards, (Brand and Jax, 2007) in
sustainability science, Norris et al. (2008) in community resilience, and Strunz
(2012) has applied resilience into the vague/ precise concept debate in philosophy
of (environmental) science.
Before providing a conceptual framework of organizational resilience, we must
first explore the conceptual genealogy of resilience across a variety of disciplines
and fields of application. This section will systemize the multidisciplinary
research body based on theoretical observations extending to a high level of
abstraction, independent of the specific context and discipline in order to make
differing applications comparable according to (1) the level of complexityand (2)
the degree of normativity.
The level of complexity reflects the assumptions about system behavior, ranging
from a reductionist view of single-equilibrium, linearity and predictability to
complex system view of multi-equilibria, non-linearity and emergence. The
degree of normativity covers the distinct conceptualizations from a descriptive
system property to developmental processes with desirable outcomes. According
to specific combinations across the two dimensions, one can help appreciate the
specific nature of resilience. The section will firstly address the axis of matrix by
giving readers a comprehensive look at how the word is used in several
disciplines.
2.2 Essential semantics of resilience 37
2.2.1.1 Level of complexity Reductionist approaches. Perhaps the most comprehensive development of
resilience frames the concept as a return to normalcy or a single equilibrium. At
this simplest level, resilience refers to dynamics close to a stable equilibrium and
is defined as the (speed) time required for a system to return to its original state
following a disturbance event21(Pimm, 1984). This meaning presumes equilibrium
before the shock, so that the definition is similar to a stability property such as
elasticity, resistance, maintenance(Handmer and Dovers, 1996) or rapidity of a
system for restoration (McDaniels et al., 2008). Hence, the interest and focus of
the often termed “engineering resilience” (Holling, 1996) are on (often designed)
systems with a single equilibrium, such as standard bridge load but also similar to
the speed of homeostasis of body temperature or a fertility replacement rate.
This approach to resilience tends to dominate in the fields of engineering, natural
science as well as earlier psychology and disaster studies; all of which seek to
understand why people, infrastructure and places recover from disturbances and
stresses. For example, psychological resilience literature has tended to examine
how children develop normally and successfully despite adverse conditions;
consequently, resilience referred to as “bouncing back” like a spring to our former
pre-crisis or pre-trauma behavior (Baum, 2005; Masten, 2001). As this stream
focuses on efficiency, constancy, predictability (Holling, 1996) the single
equilibrium bears a close affinity to the more traditional views of reductionist
theories such as conservation law of energy in physics (Griffiths, 2013) or Milton
Friedman’s “plucking-model” of business fluctuations (Friedman, 1993) in
economics. For materials scientists, resilience is an expression of how a material
responds to external force by either bending or breaking (Trautwine 1907). A
material is either ductile or brittle. A resilient (or ductile) material can bend when
force is applied and return to its original condition once that force is removed. The
material will exhibit “stretching” along with unfolding and refolding at
the molecular level. This is referred to as “reversible unfolding.” The
21 This is close to the term found in physics/material science, where resilience is the property of a material to absorb energy when it is deformed elastically and then resume its initial form.
2.2 Essential semantics of resilience 38
more tightly bound a substance is at the molecular level the more brittle it is
(Campbell, 2008). The strength of molecular bond is measurable and so the ability
of the material to bounce back is predictable.
Single-equilibrium and reductionist approaches have some limitations, particular
in situations when the costs of rebound outweigh the benefits and the resistance to
change might fail or lead to further losses e.g. Handmer and Dovers (1996). In
addition, management approaches based on stability and single-states tend to
maintain a predictable world with maximized, consistent production as main goal.
However, in a more dynamic and uncertain world (Boisot and McKelvey, 2011)
this assumption is questionable as adaption towards new environmental conditions
may be more appropriate in the long run and may call for some rethinking on this
perspective.
For instance, engineers have attempted to deal with complex organizational
structures that are intended to develop complex technology with Concurrent
Engineering methods that integrate design, manufacturing and downstream uses.
But the uncertainties in this process has led some to analyze it as a complex
system that must deal with surprises (Wolfram, 1986; Efatmaneshnik and
Reidsema, 2007). They have noted that some technological systems have high
sensitivity to small perturbations – a characteristic of many chaotic systems and
conclude that Complexity x Uncertainty = Fragility(Efatmaneshnik and Reidsema,
2007). Others have concluded that these systems must avoid optimum solutions
because this implies hypersensitivity to small perturbations and therefore fragility
(Marczyk, 2002).
In fact, optimization may not be a meaningful term in complex and adaptive
systems where order emerges from uncertainty – especially if one is trying to
encourage adaptation or innovation (Holland 1998). Some resilience engineering
scholars see a system’s resilience as represented by the adaptations necessary to
cope with the real world complexity (Nemeth, 2008, 2009). An engineered
system’s resilience might be measured by the time it takes to return to appropriate
functionality. Sometimes this will be to bounce back to system specifications and
2.2 Essential semantics of resilience 39
sometimes this will mean bouncing forward to a new, adapted system that can
cope with changed conditions (Mendoca, 2008; Woods, 2006c).
But some engineering scholars argue that measurement is more problematic (e.g.
Park et al. 2013). Resilience in a complex systems context is a dynamic,
emergent property that can only be observed in the context of a specific failure
scenario (Haimes, 2009b). As such, it is improper to think of engineering systems
resilience as a static property of state, as in materials engineering, it cannot be
predicted or calculated from aggregation of the individual components (Hollnagel
et al. 2006; Park et al. 2013). Hence, scholars from different disciplines promote
a more complex system view of resilience.
Holistic approaches. Systems resilience appreciates the dynamism inherent to the
process and is strongly influenced by theories on complex adaptive systems or
complex science emphasizing system attributes such as non-linearity, feedbacks,
emergence, self-organization and co-evolution e.g. (Levin, 1998). This research
stream evolved assuming the existence of multiple, dynamic states of equilibria in
systems (Holling and Gunderson, 2002). In contrast to the return to a single
equilibrium (normalcy), the so called “(eco)system resilience” or “ecological”
view looks beyond restoration and focuses on the magnitude of disturbance that a
system can tolerate and absorb before it is pushed beyond its “elasticity threshold”
into another stable state (Holling, 1996; Brand and Jax, 2007; Cumming et al.,
2005; Handmer and Dovers, 1996). According to this philosophy, resilience is
“the capacity of a system to experience shocks while retaining essentially the
same function, structure, feedbacks, and therefore identity” (Walker et al., 2006)
and is a dynamic attribute associated with a process of permanent change and
adaption.
Similar, for ecologists associated with the Resilience Alliance (Walker and Salt
2006), resilience is the capacity of an ecosystem to tolerate disturbance without
collapsing into a qualitatively different state that is controlled by a different set of
processes. A resilient ecosystem can withstand shocks and rebuild itself when
necessary. Resilience does not mean the system will look exactly like it did
before: the forest fire or the flood but many of the same species and their place in
2.2 Essential semantics of resilience 40
the ecosystem hierarchy will be preserved. It will still be a forest or a prairie even
if the mix of species has changed. The ecosystem depends on the ability of
individual species to adapt.
Example: If a system changes too much by crossing its identity-threshold it starts
to enter into another state operating a different manner. These so called “regime
shifts” are very often driven by infrequently and slow changing variables.
(Ecosystem) resilience is the capacity to absorb disturbances in order to withstand
such regime shifts. Each transition into another state is a consequence of loss of
the resilience in the existing system and its resilience is often determined by a
few “slow changing key variables”. For instance, a rain forest is deforested to
serve as grassland for cattle farms. The ecosystem’s key variables water
depth/saturated soil depth are affected as grassland requires higher amounts of
water consumption. To maintain productivity of the cattle breeding, the farmer
increasingly uses fertilizer. Over the time, a critical level of fertilization is
reached leading to fast shrinking water depth which can finally result in spoil land
(Walker and Salt, 2006).
The key difference between “engineering resilience” and “ecological(system)
resilience” is illustrated by Scheffer et al.’s (1993) “Ball and Cup-Model”, where
each system state is represented by a basin or zone of attraction. The current
position of the ball within a basin reflects the system state. While the slope of the
basin determines the recovery rate to return to the former equilibrium (engineering
resilience), ecosystem resilience is represented by the height and latitude of the
basin and therefore the amount/magnitude of disturbances that a system can
withstand before restricting into another basin of attraction (Holling 1996,
Scheffer et al. 1993).
2.2 Essential semantics of resilience 41
Figure 6: Ball and Cup-Model22
Advocates of the systems view of resilience further emphasize cross-scale
dynamics (temporal and spatial) of co-evolving systems where only temporal or
even no equilibrium state can be achieved, particularly through diversity in
responses and functions (Walker et al., 2006). Holling and Gunderson (2002)
propose the “adaptive cycle” as a metaphor of dynamic behavior in (socio-
)ecological systems suggesting four cyclical phases of change in the structure and
function of a system. But the relationship between resilience and adaptability is
surrounded by confusion: While some ecosystem scholars (Brand and Jax, 2007;
Strunz, 2012; Walker et al., 2002) treat adaptability and resilience as related but
distinct concepts, a number of definitions exist where the concepts are treated as
equivalent (Cumming et al., 2005; Nelson et al., 2007; Smit and Wandel, 2006).
Moreover, others consider adaptability as a subset of resilience(Carpenter et al.,
2001; Folke, 2006) or inversely, resilience as a subset of adaptive capacity
(Adger, 2006).
In summary, the descriptive term of resilience is usually conceptualized as either
an inherent property or as a potential outcome. The both tables below illustrate
examples of resilience definitions as descriptive terms but varying levels of
complexity:
22 From Scheffer et al. (1993)
Engineering Resilience
Ecological Resilience
System State
2.2 Essential semantics of resilience 42
Table 3: Definitions with Low Complexity, Low Normativity
Discipline Definition Author
Business (IS)
thecapacity to resist major business disruptions due to unforeseeable, unexpected, or catastrophic events, leading the organizational systems beyond the planned service limits without serious losses.
(Antunes, 2011, p. 383)
Computer science
resilience as an intrinsic system attribute is arising in every domain of system and software development. Resilience is an attribute often related to robustness, and survivability (and by this dependability) from one side,and sustainability from other side
(Crnkovic, 2011, p. 113)
Risk Analyst
The resilience of a system is a manifestation of the states of the system. Perhaps most critically, it is a vector that is time dependent. [...] 'the ability of the system to withstand a major disruption within acceptable degradation parameters and to recover within an acceptable time and composite costs and risks.'
(Haimes, 2009b, p. 498)
Engineering resilience implies the ability to “bounce back” after undergoing deformation of some sort
(Madni and Jackson, 2009, p. 185)
Ecology Thespeed at which the system returns to the stable point or trajectory following a perturbation.”
(Pimm, 1984, p. 321)
Ecology
theability of human communities to withstand external shocks or perturbations to their infrastructure, such as environmental variability or social, economic, or political upheaval, and to recover from such perturbations.
(Timmerman, 1981)
Table 4: Definitions with High Complexity, Low Normativity
Discipline Definition Author
Business the ability to ‘bounce back’ after suffering a damaging blow […] as an ‘emerging property’ of a ‘healthy’ system
(Boin and McConell, 2007, p. 54)
Ecology
Resilience is the magnitude of disturbance that can be tolerated before a socio-ecological system (SES) moves to a different region of state space controlled by a different set of processes. Resilience has multiple levels of meaning: as a metaphor related to sustainability, as a property of dynamic models, and as a measurable quantity that can be assessed in field studies of SES.
(Carpenter et al., 2001, p. 765)
2.2 Essential semantics of resilience 43
Ecology the ability of the system to maintain its identity in the face of internal change and external shocks and disturbances
(Cumming et al., 2005, p. 976)
Ecology … the capacity of a system to experience disturbance and still maintain its ongoing functions and controls
(Holling, 1973, p. 1)
Sociology
Resilience is a relational concept that saliently marks the importance of a balanced relation between a system and its environment, as well as their seminal adjustment with regard to the system’s persistence in the future.
(Lorenz, 2010, p. 2)
Ecology Resilience is the capacity of a system to experience shocks while retaining essentially the same function, structure, feedbacks, and therefore identity.
(Walker et al., 2006, p. 2)
2.2.1.2 Resilience as a normative term Nonetheless, even in ecology, resilience has been often transformed towards a
desirable outcome or ability, e.g. the maintenance of natural capital in the long-
run (Ott and Döring, 2008). Scholars from social science have expanded the
concept by adding social and normative components Folke (2006). For example,
Carpenter et al. (2001) include a system’s ability to self-organize and the
capability of learning and adaption. Although this conceptualization is consistent
with ‘ecosystem resilience’ emphasis of persistence, the addition of learning
particularly points to significant differences between social and ecological
perspectives: They may feature significantly different response dynamics, exhibit
additional capacities of intentionality, interpretation and foresight (for an
overview see (Holling, 2001) and Lorenz (2010)). Thus, social systems are aware
of being within an environment characterized by a given history and expectations
about a certain future, which can be pro-actively influenced by its learning actors.
Consequently, social resilience is often conceptualized as an ability to cope with
external stresses and disturbances or rather the capacity to withstand external
shocks (Adger, 2000) in ecological or technical systems. The added social
component of learning, intentionality and adaptability can be regarded as “the
capacity of humans to manage resilience” (Walker et al., 2004).
Managing resilience or “resilience engineering” (Hollnagel et al., 2006) are
usually normative activities as they aim to either maintain a desirable state
2.2 Essential semantics of resilience 44
(bounce back) or adapt and transform towards an alternative desirable state
(bounce forward). Under pure ecological considerations, none of the potential
system states is preferable. When transitioning from one state to another there is
usually an absence of choice e.g. when a jungle turns into a desert. The
importance is not whether an ecosystem becomes a dessert but the persistence
against change. In social systems however such potential path-dependency is seen
as a problem (or an undesirable state, hence the need for a normative value).
Following the rationale of this third type of resilience, a regime change from
democracy toward a dictatorship or lock-in-situations (e.g. the dominant usage of
an inferior technology) can also be described as persistent or resilient.
This active and normative conceptualization of resilience (Handmer et al., 1999;
Klein et al., 2003b) is not exclusive to the higher level of analysis of socio-
ecological (Gunderson, 2002) and socio-technological systems (Park et al., 2013):
The most prominent introduction of normative aspects is also found on the
individual level in psychology, where scholars define it either as “good outcomes
in spite of serious threats to adaptation or development” (Masten, 2001), as
“dynamic process encompassing positive adaptation within the context of
significant adversity” (Luthar et al., 2000) or as “a process linking a set of
adaptive capacities to a positive trajectory of functioning and adaption” (Norris et
al., 2008).
This process view of individual and social resilience explicitly includes not only
surviving but also thriving (Masten, 2001) and exemplifies that the holistic view
of resilience can be regarded as normative. Supporters of the normativity,
particularly in psychology and related social studies such as disaster research
emphasize the capacity for successful adaption when confronted by challenges.
They further conclude, that resilience is better conceptualized as an ability or
process rather than an outcome, and focusing on the adaptive rather than the
recovery aspect of resilience (Handmer and Dovers, 1996; Longstaff, 2005; Norris
et al., 2008).
2.2 Essential semantics of resilience 45
A wide set of resilience definitions as normative terms are illustrated in the two
tables below. While table 5 consists of normative definitions with low levels of
complexity, table 6 entails normative definitions with higher complexity.
Table 5: Definitions with Low Complexity, High Normativity
Discipline Definition Author
Economics Resilience is defined as the ability of an economy to reduce the probability of further deep crises or at least to mitigate the effects of a crisis.
(Aiginger, 2009, p. 311)
Risk Analyst
resilience is defined as the ability of the system to withstand a major disruption within acceptable degradation parameters and to recover within an acceptable time, and composite costs, and risks.
(Aven, 2011, p. 515)
Economics
economic resilience refers to the policy-induced ability of an economy to recover from or adjust to the negative impacts of adverse exogenous shocks and to benefit from positive shocks. The term is used in two senses […], relating to the ability to: (1) recover quickly from a shock; and (2) withstand the effect of a shock.
(Briguglio et al., 2009, p. 233)
Business (IS)
the organization’s ability to adapt to risk that affects its core operational capacities. Operational resilience is an emergent property of effective operational risk management, supported and enabled by activities such as security and business continuity.
(Caralli et al., 2010, p. 1)
Psychology “good outcomes in spite of serious threats to adaptation or development
(Masten, 2001, p. 238)
Business (SCM)
the adaptive capability of the supply chain to prepare for unexpected events, respond to disruptions, and recover from them by maintaining continuity of operations at the desired level of connectedness and control over structure and function
(Ponomarov and Holcomb, 2009, p. 131)
Economics
refers to the inherent and adaptive responses to disasters that enable individuals and communities to avoid some potential losses. It can take place at the level of the firm, household, market, or macroeconomy. In contrast to the pre-event character of mitigation, economic resilience emphasizes ingenuity and resourcefulness applied during and after the event.
(Rose, 2004, p. 307)
Resilience Scholar
the act of rebounding or springing back” from a disaster, and a resilient organization often is described as one which is able to quickly return to normal (or even improved) operations after such an event has occurred
(Zobel, 2011, p. 394)
2.2 Essential semantics of resilience 46
Table 6: Definitions with Low Complexity, High Normativity
Discipline Definition Author
Business (SCM)
the ability of a system to return to its original state or move to a new, more desirable state after being disturbed.
(Christopher and Peck, 2004, p. 2)
Business
Resilience is a fundamental quality of individuals, groups, organizations, and systems as a whole to respond productively to significant change that disrupts the expected pattern of events without engaging in an extended period of regressive behavior
(Horne III and Orr, 1998, p. 31)
Business (Strategy)
as an organizational capacity to adopt new organizational routines and processes to address the threats and opportunities arising from disruptive business model Innovation. Organizational resilience is manifested through both cognitive and behavioral resilience.
(Dewald and Bowen, 2010)
Business (Strategy)
Ability to dynamically reeinvent business models and strategies as circumstances change […] It’s about continuously anticipating and adjusting to deep, secular trends that can permanently impair the earning power of a core business.
(Hamel and Välikangas, 2003, p. 53)
Disaster Studies
A three-class typology of resilience (resistance to change; change at the margins; openness and adaptation)
(Handmer and Dovers, 1996, p. 494)
Business (Strategy)
properties that increase a firm’s ability to understand its current situation and to develop customized responses that reflect that understanding. Resilience capacity is a multidimensional, organizational attribute that results from the interaction of three organizational properties: cognitive resilience, behavioral resilience, and contextual
(Lengnick-Hall and Beck, 2005, p. 738)
Business (Strategy)
The main aspects of organizational resilience in this context are the continuing capacity to recover from disturbances as well as the capacity torebound from adversity in a strengthened and more resourceful way.
(Linnenluecke and Griffiths, 2010, p. 488)
Business (SCM)
the capacity for an enterprise to survive, adapt, and grow in the face of turbulent change”
(Pettit et al., 2010, p. 1)
Business the capability to self-renew over time through innovation.
(Reinmoeller and van Baardwijk, 2005, p. 61)
Business (Strategy)
as the maintenance of positive adjustment under challenging conditions such that the organization emerges from those conditions strengthened and more resourceful.
(Vogus and Sutcliffe, 2007, p. 3419)
2.2 Essential semantics of resilience 47
Despite the different conceptualizations, the reader will have noted that there are
clearly ideas that are common among one or more of these disciplines. In
fact,there is some evidence that resilience is most likely to be found in systems
that:
• Build the right amount of diversity and robustness for increasing options and spreading risk;
• Increase their range of knowledge for learning and problem solving; • Create opportunities for self-organization, including strengthening local
functions, building cross-scale links, and building problem-solving networks;
• Organize with the right balance of tight and loose coupling; • Increase resilience at the right scale.
And there is some evidence that resilience will be a trade-off for other desirable
traits for the system. For example:
• Things that increase resilience may decrease some kinds of efficiency; • Efforts to increase the stability can lower adaptability and resilience; • Resilience at one scale can reduce it at another.
(e.g., Berkes, 2007; Woods, 2006c; Dorner, 1996; Longstaff, 2005; Walker and
Salt, 2006).
For human organizations that are good at dealing with uncertainty: “The traits of
resilience include experience, intuition, improvisation, expecting the unexpected,
examining preconceptions, thinking outside the box, and taking advantage of
fortuitous events. Each trait is complimentary and each has the character of a two-
edged sword. (Nemeth 2008, p. 7)”.Therefore there is hope for some sort of
definitional structure that is broad enough to allow for translation between them
all even as we allow for the particulars to remain at the disciplinary level.
2.2.2 Multidisciplinary Resilience Framework
It helps to think of each discipline or domain as looking at a resilience problem
through their own “frame”: Think of a group of people each standing with an
empty picture frame and looking through it at a scene while ignoring everything
2.2 Essential semantics of resilience 48
outside their frame. It becomes clear that only by putting all the frames together
will we get a good picture of the scene. And while that ultimate construction for
resilience may not be available to us in the near future, we can put some frames
together where we know they look at the same things and pulling them apart
where we know they are looking in very different directions. Translation enables
us to construct some broader frames that can be used by more people.
There are two main differences that must be bridged in translating resilience ideas
between disciplines: First, the various disciplines differ with regard to their
assumptions about their system’s potential for stability and equilibrium. Some
have a Newtonian outlook (everything can be counted and predicted) while others
take complexity/unpredictability outlook (the system has so many dimensions or
variables that it is mathematically intractable and/or emergent properties that
make prediction difficult or impossible) (Lewin and Regine, 1998; Mitleton-
Kelly, 2003). And second, the degree of normativity (resilience as a coping
capacity vs. a desirable outcome). The conceptual model presented below puts
these two differences in a framework that allows us to make some distinctions that
are broad enough to find commonality put narrow enough to recognize
differences. It is the contention of this work that these fields are not mutually
exclusive and that a fuller understanding of resilience would encapsulate many (if
not all) of these views.
We have also differentiated resilience that is seen as a capacity or a capability of
the system. The choice of these terms is somewhat arbitrary but reflects the most
commonly understood ideas behind those words. The term capability is used to
denote human/animal skills or abilities to perform or achieve certain actions and
outcomes through a set of functions or processes. In contrast, the term capacity is
used as a description for anything you can hold and/or measure(IF4IT, 2014).
There are obviously no bright lines between the two because you can sometimes
measure skills. But the distinction is worth noting because it affects how
disciplines look at the systems they study and how they describe and (sometimes)
measure what they call “resilience.”
2.2 Essential semantics of resilience 49
The Multidisciplinary Resilience Framework outlines four applications based on
the differing fields of study. The boxes on the left of the Framework focus on
system’s level of complexity. In the upper box, the state of the system and the
impact of a disturbance are both predictable and measurable. In the lower box the
system has multiple possible states due to high levels of complexity/non-linear
behavior and there are often high levels of uncertainty. Measurement and
prediction in the bottom box is thus more problematic.
The boxes on the top of the matrix focus on the level of normativity that is applied
to describing the resilience of a system, that is, the extent to which humans
determine how things should be, how to value the state of the system, and which
strategies are good or bad. Normativity can be contrasted with positivity which is
generally described as producing factual statements that attempt to describe
reality.
Figure 7: Multidisciplinary Resilience Framework23
23 from Longstaff et al. (2013)
2.2 Essential semantics of resilience 50
Type I Resilience: The capacity to rebound and recover (low complexity/low
normativity). The systems/disciplines that fall in this box see resilience as a purely
descriptive measure of elasticity against perturbations and the rapidity of the
recovery to a pre-defined (usually intended) state. Resilience can be seen as a
system property or measure of stability. This view of resilience is predominantly
adopted in traditionally engineered and other designed systems. It is most feasible
in situations where the normal system state is assumed to be a reliable (if not
necessarily optimal) state for the system or the adaption of the previous system
state toward an alternative state is too difficult in terms of time and/or costs.
Type II Resilience: The capability to maintain a desirable state (low
complexity/high normativity). This is described in systems/disciplines that have a
low level of complexity and focuses on the maintenance of some predetermined
state or equilibrium that is judged to be either a desirable outcome or as a process
of positive adjustments that leads the system back to that predetermined, desirable
state (Luthar et al., 2000; Seligman, 2011). Predominantly employed in business,
psychology and other social studies; resilience in these systems is regarded as
something positive and bouncing back to an approved equilibrium proves the
existence of resilience.
In contrast to the first two constructs of resilience, which focus on efficiency and
constancy (similar to Newtonian Thinking), the latter two conceptualizations
emphasize stable landscapes (in line with evolutionary and complexity theory
with multiple states due to complex and non-linear behavior that is far from any
equilibrium and full of uncertainty.
Type III Resilience: The capacity of the systems to withstand stress (high
complexity/low normativity). The disciplines in this box often describe resilience
as the relationship between the current system state and a potential system shift
that will flip the system into a different state often called a “regime shift.” The
focus is on persistence thresholds. The distance between the current state and a
potential flip is a measurable indicator of resilience levels. High resilience implies
sufficient robustness and buffering capacity against a regime shift and/or the
ability of system components to self-organize and adapt in face of fluctuations. If
2.2 Essential semantics of resilience 51
resilience is low, the system loses its original identity and moves toward a new
regime or “basin of attraction.” It’s noteworthy, that none of the potential system
states or regimes is preferable to the system itself since it cannot make good/bad
distinctions:
Type IV Resilience: The capability to adapt and thrive (high complexity/high
normativity). Resilience in social systems and psychology is often conceptualized
as skill that an individual or group can bring to a disturbance that will allow it to
reach a level of functionality that has been determined to be “good.” Human
beings and human systems have high complexity and a determination of what is
good or “adaptive” in these systems is often highly high normative. The
disciplines in this box acknowledge the existence of multiple possible states, but
also explicitly call for a successful adaption before or after a disturbance occurs.
This contrasts to Type II resilience, which focuses on a successful return to an
assumed normal state. Hence, a positive adjustment can involve different
desirable states ranging from a worse, but acceptable level to an even better post-
disturbance state. Managing resilience as a normative activity or outcome
involves human capabilities such as anticipation, sensemaking and learning.
2.2.3 Application of the framework and conclusion
The categories in the descriptive boxes of the framework will allow participants to
ask questions about how the other participants see the level of complexity/
predictability of the system(s) they are trying to deal with. The framework will
also help them discuss how they see the role of shared norms. A discussion of the
four Resilience Types will further identify shared or differing goals (e.g., bounce
back or bounce forward). So, for example, people in government are likely to be
in category II with a high degree of normativity about outcomes and a seeking
short-term, linearity and predictability for their actions. Engineers at the table may
be less sure of predictability for anything that requires a human interface but less
interested in the norms that applied to outcomes so they would be in category I or
category III. Ecologists may be more comfortable with designing systems that can
adapt so might be in category IV.
2.2 Essential semantics of resilience 52
Once the similarities and differences have been identified the next steps are to
make clear what the goal is in each case, how success will be judged (or
measured), and how (or if) the lessons learned in one place can be translated into
another place or knowledge domain. Does the problem require a capacity or a
capability? Does the system have to be maintained as it is or should it be capable
of adaptation? How will that adaptation be judged? Can the adaptation be
designed in advance or will it have to emerge from the conditions that are
presented? Once these questions are answered the group can narrow down its
search for definitions and mechanisms that are found in similar systems to the
Resilience Type they are dealing with.
Of course there is the possibility (and in some cases a likelihood) that a particular
problem will involve multiple types of resilience. In those cases the role of
translators becomes critical as two stems attempt to work in consort toward
resilience for both without unanticipated harm to the other system. If the
resilience of one requires the rules of the other to be ignored for a time how does
that get decided and by whom? If action by one or both is called for in response to
some danger (or opportunity) does this require the measurement of something that
they measure differently? This does not require that the two systems (or
disciplines or organizations) respect each other’s methods but it does require
agreement on the goals and that they actually understand what the others are
saying.
It seems certain that the need to find ways to make things bounce back will only
continue to grow. The groups who come together to deal with these issues will
only become more diverse. The framework proposed here allows researchers and
practitioners from various disciplines and/or economic sectors to communicate
and concentrate their efforts on specific types for resilience goals by allowing
broad definitions where that is possible and identifying where specific definitions
are necessary to deal with the issues at hand. The words used to designate these
efforts will undoubtedly adapt, splinter into subgroups, and go in and out of
fashion. Translation and translators will only become more important.
53
3 Organizational Resilience
As we learned in the previous chapter (Section 2.1 in particular), organization
scholars and practitioners have long acknowledged the unique characteristics of
organizations that must exist in environments characterized by turbulence (Meyer,
1982; Drucker, 1980), discontinuity (Boisot and McKelvey, 2011) and uncertainty
(Grote, 2009). To survive, persist and even thrive in the face of unexpected
changes represents significant challenges for organizational decision-makers and
have resulted in calls for understanding and developing mechanisms of coping
with uncertainty (Longstaff, 2005; Weick and Sutcliffe, 2007). Although a
plethora of insightful concepts, theories and frameworks pay attention to the
survival and longevity of organizations, the survival rate of businesses remain
low, as 50-70 percent of all start-ups disband within five years and more than 80
percent do not survive more than a decade (Hollnagel, 2011; Geus, 1997; Zook
and Allen, 2010). As organizational decision-makers were forced to consider how
to respond to different kinds of uncertainties the concept of resilience began to
gain ground in business management. Some saw it as a potential panacea to move
beyond survival and even prosper in face of challenging conditions. But the
interest of business managers has not been matched by the attention that
academics have given the concept of resilience.
Coutu (2002) stated that “resilience is a hot topic in business these days” and goes
on to quote a CEO that emphasized the importance of resilience, citing that “a
person’s level of resilience will determine who succeeds and who fails. That’s
true in the cancer ward, it’s true in the Olympics, and it’s true in the boardroom”.
Interestingly, in 1997 John Horne III wrote of the ‘coming age of resilience’ and
highlighted that factors such as: the end of communism; a technological shift to an
era dominated by manmade brain power industries; changing global
demographics; a global economy; and no dominant economic, political, or
military power as contributions to an increased focus on organizational resilience.
2.2 Essential semantics of resilience 54
It seems that these factors combined with the recent economic changes have now
made resilience research an imperative.
Here, organizational resilience is not offered as a panacea but in understanding its
antecedents and processes it may help engender and promote new strategies that
will increase an organization’s ability to manage in times of high uncertainty.
Resilience scholarship has become important for at least five reasons. First, in any
era of economic turbulence there may be very few hiding places for firms that
operate on a global basis. Second, organizational resilience scholarship is still
largely fragmented and misunderstood by many (Klein et al., 2003a). An
appreciation of the varied applications is warranted, as is finding unifying themes
will help in the development of larger organizational strategy. Third,
organizational resilience is in danger of becoming another catch-all-word for
change (Longstaff et al., 2013; Koslowski et al., 2013a) and a systematic rigorous
review would help solve some of the construct proliferation issues surrounding its
use. Fourth, it has practical application for executives, allowing for a new frame
of reference to help them view their context. Finally, very few reviews explicitly
address organizational resilience in a comprehensive manner and few still try to
integrate desperate research into helping understand organizational resilience.
The purpose of this chapter is to rigorously systematize the literature of
organizational resilience in order to make the following contributions: First, a
comprehensive review on organizational resilience based on descriptive analysis
is provided. Thus helping scholars recognize and segment the different
philosophies and approaches to organizational resilience. Second, this chapter
further identifies knowledge gaps, critical appraisals and inconsistencies within
organizational resilience to help counteract the construct proliferation that has
become apparent within the domain. Third, an organizational resilience
framework based on systematic research will advance a clear method to help
distinguish the specific context for resilience.
3.1 A review and reconceptualization 55
3.1 A review and reconceptualization
Organizational resilience remains an underspecified concept. Parallels can be
drawn between resilience and the seminal work of Orton and Weick (1990) on
loosely coupled systems:
“The concept provides a combination of face validity, metaphorical
salience, and cutting-edge mysticism, all of which encourage
researchers to adopt the concept but do not help them to examine its
underlying structure, themes, and implications. Because the
concept has been underspecified, its use has generated controversy.”
(Orton and Weick, 1990, p. 203)
Thorough examinations of organizational resilience24 remain difficult due to the
diversity and ambiguity of definitions, scope, conditions, antecedents and
outcomes of this existing research, c.f.Lorenz (2010) and Norris et al. (2008). The
respective definitions used will affect strategies and mechanisms used to achieve
resilience (Norris et al., 2008) e.g. how and to whom resources for recovery or
adaption are allocated (Baker, 2009). Hence, the next sub-section seeks to address
these varied perspectives and untangle the resilience web. Moreover, this will
serve as a basis for the development of a resilience management cycle, introduced
in Chapter 4.
3.1.1 Descriptive analysis The first step to build a rigorous organizational resilience database was to identify
the major sources of scholarly publications. Three of the most prominent archives
were identified and employed as initial search banks. Data mining occurred in the
following three main catalogues: (1) Web of Knowledge & Web of Science (2)
Social Sciences Citation Index (SSCI) and (3) EBSCO. The search was limited to
Peer reviewed journal articles – omitting books, book chapters and non-refereed
publications in line with similar literature reviews, e.g. (Koslowski and Strüker,
24 Parts of this section are adapted from the paper Koslowski et al. (2013a).
3.1 A review and reconceptualization 56
2011). Searches were carried out with for ‘organizational/organizational
resilience’ in ‘title’, or ‘subject term’ or ‘author supplied key word’ in each of the
three databases. Then the results have been limited to those that were classified as
having a management or business orientation. This yielded a total of 142 papers
across all three sites. The remaining 142 papers were analyzed to glean insights
into the specific gaps pertinent to an organizational resilience. Specifically, seven
main themes within each of the papers were investigated, including:
• Research Method (Conceptual or Empirical) • Type of empiricism employed • Model Development • Level of Analysis • Disciplinary context • Sub disciplinary perspective • Antecedents & determinants
This was done through a process of reading and categorizing the different papers
into the variables mentioned above. Categorization errors were limited through a
double blind review process that sought to decrease the variability in some of the
subjective categories.
Total Publications.One can observe from the chart below the huge increase in
interest afforded to organizational resilience over the last five years compared to
the relative inactivity from more than a decade beforehand. The relative fall off in
2012 can be accounted for by the time lag in some of the databases in updating
their catalogue.
3.1 A review and reconceptualization 57
Figure 8: Publications onOrganizational Resilience (1993-2012)
Organizational Resilience Research Methods. An initial investigation into the
research paradigm employed by these papers sought to examine whether they
were mainly of a conceptual or empirical nature. The conceptual papers mainly
pertained to literature reviews, frameworks and discussion pieces. These papers
did not employ any research into the field of organizational resilience and mainly
posited ideas, thoughts, classifications and models. The empirical papers were
classified as such if that paper had undertaken some research. The caveat was that
anecdotal examples were also deemed empirical. The basis of empiricism shall be
developed in a subsequent section. Those of a conceptual nature that had research
and an empirical part were classified as empirical. This led us to 66 papers of a
solely conceptual nature and 76 papers that had some empiricism.
Figure 9: Organizational Resilience Research Methods
Model/Framework Development.The research also investigated whether a
model had been developed or not. This helped to ascertain the nature of the
0
5
10
15
20
25
Total number of journal articles on organizational resilience
Research Method Employed
Conceptual
Empirical
3.1 A review and reconceptualization 58
conceptual contribution. Although not overly indicative of any high level analysis
it allows us to observe the nature of the contribution by the authors of the 142
papers. It was found that 48 of the papers developed and hypothesized a
somewhat stylized model within their analysis.
Figure 10: Organizational Resilience Model Development
Type of empiricism employed. Following from a broad classification of
conceptual/ empirical a logical subsequent step was to analysis the type of
empiricism that was carried out. Six major empirical classifications were mainly
found in organizational resilience, these included: anecdotal examples, single case
studies, multiple case studies, econometric/ macro analysis, surveys and focus
groups. One can see from the graphic below that the majority of papers employ
anecdotal examples or single case studies to analyze resilience. Of the 142 papers
analyzed, 57 were found to have used a single case study and 39 solely relied on
anecdotal examples.
Model/ Framework Development
Yes
No
3.1 A review and reconceptualization 59
Figure 11: Type of Empiricism Employed
Multi-DisciplinaryContext.The analysis then investigated what disciplines
organizational resilience papers had been built upon i.e. what were the main
academic fields or branches of knowledge outside of organizational science have
these papers borrowed from, adapted or built upon. As has been illustrated (see
section 2), resilience has been written about in a wide variety of disciplines. We
can see that many authors found a congruency exists between some of these
disciplines, making the adaptation of their ideas into organizational resilience
reasonable. Specifically, many organizational resilience papers have employed
ecology, engineering and psychology as support for writings within a business or
management context. This may illustrate the multidisciplinary nature of resilience
and how potential opportunities exist to further clarify and investigate how
organizational resilience may draw learning’s from other disciplines and branches
of knowledge.
0
10
20
30
40
50
60
Anecdotal Examples
Single Case Study
Multi Case Study
Econometric/ Macro
analysis
Survey Focus Group
3.1 A review and reconceptualization 60
Figure 12: Multi-Disciplinary Background
Business Sub-Disciplinary Context.The research then focused on the business
sub-disciplinary context within the organizational resilience database. The remit
for these sub-disciplines were largely driven by the different functions within
organization studies i.e. the operational level strategies and activities carried out
within an organization. These helped to clarify the specific business context that
the 142 papers on organizational resilience emphasized. One can observe that
there is large importance given to the Human Resource Management function
within organizational resilience writings with 43 of the 142 papers stressing this
sub-discipline. HRM is followed by strategy and crisis fields in joint second place
with 31 articles each, with information systems, communication and innovation
coming in fourth, fifth and sixth place respectively.
1116
29
4 4
05
101520253035
Ecology Engineering Psychology Pathology Biomedical
3.1 A review and reconceptualization 61
Figure 13: Business Sub-Disciplinary Perspective
Antecedents and Determinants of Organizational Resilience. A major
contribution of the organizational resilience database is to investigate how
organizational resilience has been operationalized in previous studies. Several
iterations were made to help make this list as comprehensive as possible. It was
found that most of the organizational resilience papers use 13 constructs to help
clarify the antecedents or explanatory factors for resilience.
It should also be noted that originally the analysis included ‘resilience capacity’
but this was found in more than 93 papers and it was deemed to be overly generic
as a determinant of organizational resilience. The remaining 12 constructs,
determinants and antecedents are illustrated in the pie chart below. Many of the
papers employed more than one of these constructs and the total number includes
all papers that used each construct i.e. we found that constructs were not mutually
exclusive and that papers usually employed more than one to help explain
resilience in an organization setting.
There is a mixture of external and internal factors in the list of factors, which
helps to explain the organizational resilience matrix, i.e. that resilience and the
Innovation; 12
Strategy; 31
Crisis Mgmt; 31
Info Systems; 18
Communication; 17
Marketing; 1
SCM; 11
HRM; 43
3.1 A review and reconceptualization 62
typology associated with organizational resilience is a mixture of scope and nature
of resilience.
Figure 14: Factors in Organizational Resilience Papers
Risk 20%
Vulnerability17%
Uncertainty14%Bricolage
2%Safety
3%
Protection3%
Robust Transformation
4%
Adaptive Fit5%
Learning8%
Adaptive capacity
10%
Agility3%
Capabilities11%
3.1 A review and reconceptualization 63
3.1.2 Critical analysis Several publications (Bhamra et al., 2011; Burnard and Bhamra, 2011; Pettit et
al., 2010), (Ponomarov and Holcomb, 2009; Vogus and Sutcliffe, 2007) have
sought to form a literature review of resilience within an organizational
perspective. Others have applied existing ideas about vulnerability to problems of
increased organizational uncertainty in supply chains (Rice, JR and Caniato, 2003;
Sheffi, 2007), high-reliable-organizations (Weick and Sutcliffe, 2007), terrorist
attacks (Freeman et al., 2003), disruptive innovation (Dewald and Bowen, 2010;
Reinmoeller and van Baardwijk, 2005) natural disasters (Baker, 2009) and
pandemics (Nohria, 2006). Other authors have attempted to analyze the link
between resilience and competitive advantage (Hamel and Välikangas, 2003;
McCann et al., 2009). These studies, although helpful, do not fully address some
of the important broader issues in organizational resilience. Most of these reviews,
theories, frameworks or typologies either approach the topic in an inclusive, but
necessarily vague, manner (e.g. Bhamra et al., 2011; Burnard and Bhamra, 2011;
Pettit et al., 2010; Ponomarov and Holcomb, 2009; Vogus and Sutcliffe, 2007).
Others focus on a narrow perspective that does not place resilience in the larger
context of the organization (Freeman et al., 2003).
The main limitations of these early works on organizational resilience fall under
four main categories: (1) construct ambiguity, (2) vagueness about the specific
level of analysis, (3) failure to integrate and appreciate other research strands, and
(4) lack of managerial guidelines for practical implications. The first three
limitations will be discussed in detail in the following paragraphs. Chapter 4 will
further provide a set of practical implications of organizational resilience for the
management and design of Information Systems.
3.1.2.1 Construct ambiguity First is the lack of construct clarity, which relates to the cautious recognition of
different conceptual abstractions of resilience. Ensuring construct clarity requires
an appropriate definition that captures essential properties and characteristics of
the concept. The descriptive analysis of existing contributions in the field of
organizational studies (either conceptual or empirical) indicate that many papers
3.1 A review and reconceptualization 64
fail to build on other academics’ work: 76 papers (53,5%) developed their own
definitions.
Some of the papers studied use resilience as a meta-theory (Freeman et al., 2003;
Vogus and Sutcliffe, 2007) Some paper identify resilience as an emerging
discipline in areas such as security (Perelman, 2006), safety (Hollnagel et al.,
2006; Wildavsky, 1988) and risk management (Smith and Fischbacher, 2009).
Others use resilience as a dynamic property (Coutu, 2002; Horne III and Orr,
1998; Weick and Sutcliffe, 2006)or as a meta-construct that encompasses multiple
features and mechanisms such as ‘redundancy’, ‘adaptability’ and ‘capability to
self-organize’ (Burnard and Bhamra, 2011; Longstaff, 2005; Woods, 2006c) or a
multi-dimensional high-level capacity (‘resilience capacity’) encompassing
cognitive, behavioral and contextual dimensions (Dewald and Bowen, 2010;
Lengnick-Hall and Beck, 2005). Some use the term to identify a set of
competitive strategies (Carmeli and Markman, 2011; Hamel and Välikangas,
2003; Reinmoeller and van Baardwijk, 2005).
The lack of construct clarity would not be an insurmountable problem in an
emerging field if the authors acknowledge or address the similarity and
differences of closely related topics and constructs. For example, how does the
author’s use of the term “resilience” relate to other concepts such as adaptive
capacity, adaptive fit, robust transformation, strategic agility, the learning
organization, turnaround and failure? Are resilience and efficiency simply
negative correlated (e.g. (Longstaff, 2005) or can their relationship be described
as curvilinear such as innovation vs. slack(Geoffrey Love and Nohria, 2005)?
Confusion can develop when authors use terms such as adaptive capacity and
resilience interchangeably. Some authors treat resilience and vulnerability as two
sides of the same coin (e.g. Aven, 2011),while others see resilience as a relational
concept moderating the interaction of other constructs such as adaptive capacities,
vulnerabilities or threats (Pettit et al., 2010; Ponomarov and Holcomb, 2009). The
existing strands within organizational research may help explain and complement
resilience thinking, however the links between these strands and organizational
3.1 A review and reconceptualization 65
resilience need to be knitted together or some sort of translation made to allow the
strands to talk to each other.
3.1.2.2 Level of analysis The majority of organizational resilience papers studied are specific to different
contexts and levels within the organization to which resilience is applied. This
contextual variance is detailed by (Somers, 2009) when he questions what
constitutes resilience and if its definition can be a product of the units of analysis
in which it has been used. Of the 142 specific organizational resilience papers
investigated for this paper it was found that four main levels were studied: the
operational, the organization and the systems level. Some papers do not specify
the lines between these four levels and sometimes do not clearly delineate their
contribution to a specific level (compare Figure 16):
Figure 15: Level of Analysis Employed
For example (McCoy and Elwood, 2009; Luthans et al., 2010; Riolli and Savicki,
2003) do not explicitly distinguish between resilience on an individual and
organizational resilience, while the papers of (Buys, 2012; Wastell et al., 2006;
Erol et al., 2010b; Bhamra et al., 2011) do not reconsider difference between
organizational and industrial level. This is problematic because the resilience of a
sub-system does not ensure resilience of the larger system. I There is evidence
that cross-level interactions are critical, as the resilience of a system at one level
Individual Operational/ Team
Organization
Industry/ Systems
Level of Analysis Employed 21 30 79 37
0102030405060708090
Jour
nal A
rtic
les
3.1 A review and reconceptualization 66
(or “scale”) is affected by influences from scales above and below (Woods,
2006c, p. 23; McCann and Selsky, 2012, p. 53).
Lengnick-Hall et al. (2011) write that the relationship between individual
resilience and organizational resilience reflects the typical interaction between
systems and subsystems: “Organization-level capabilities are not just additive
composites of individual capabilities. Both, the actions of individuals and the
interaction effects matter. The complex social network in which it is enacted alters
both the development and realization of an organization's capacity for resilience in
important ways (Lengnick-Hall et al., 2011, p. 245).” Upward, it remains unclear
whether resilient individuals ensure a resilient community (Longstaff, 2005) or
whether resilient species within a biological system also guarantee a resilient
ecosystem (Maruyama, 2013). Moreover, factors determining resilience may vary
across different levels of analysis and are difficult to compare and transfer
(McDonald, 2006, p. 158): For instance, personality traits such as “self-
confidence” and mental orientations such as “locus of control” that are linked with
increasing individual resilience (Coutu, 2002; Masten, 2001; Luthar et al., 2000)
are not necessarily transferable to group or organizational level (Norris et al.,
2008).
Downwards, resilience of employees is affected by how organizational context
(e.g. culture, hierarchy, procedures) offers resolution of pressures such as goal
conflicts and other dilemmas. For instance, mismanaging goal conflicts or an
ineffective automation design can create power differentials and confusion at the
individual scale, leading to inflexible and misaligned responses with negative
consequences (Woods, 2006c; Riolli and Savicki, 2003). On the other hand,
upward resilience is affected by the behavior of entities of local agents: local
adaptions such as workarounds or innovative tactics can have delayed effects on
strategic goals. For example, workload bottlenecks at the operational scale can
lead to higher workarounds that make strategic attempts to implement standards
for better compliance and efficiency unworkable (Woods, 2006c, p. 23). This
further exemplifies the need to stringently reconsider contextual variances in
3.1 A review and reconceptualization 67
organizational research regarding the selected level of analysis (McDonald, 2006,
p. 158).
3.1.2.3 Lack of theory building Since the existing organizational resilience constructs lack universality it is
important to outline the precise contextual conditions under which a construct
may or may not adhere. Types of scope conditions include e.g. space, time and
constraints of assumptions, which can strongly affect the specific
conceptualization of resilience and its related determinants. The importance of
“space conditions” for organizational resilience have already described in the
section above as the different hierarchical roles that are operational (e.g. leader,
manger, or employee) can also be viewed as a dimension of “space”. As
responsibilities, obligations and capabilities across the different hierarchical role-
levels largely differ, organizational resilience requires different principles and
enablers in each dimension of that space (Välikangas, 2007). For instance, front-
line employees such as maintenance stuff or sales-managers are often most
knowledgeable about the actual state of the current organizational process, while
employees of higher managerial levels such as division leaders might have a
clearer picture about the strategic mission and interaction of the web of
organizational processes (Butler and Gray, 2006; Weick and Sutcliffe, 2007).
In line with Suddaby (2010) the lack of construct clarity for resilience impedes
empirical exploration of organizational resilience. Bhamra et al. (2011) in their
review of organizational resilience highlight that “there appears to be a strong
focus around building theories and definitions of resilience. However, the
literature is lacking in empirically proving the theories.” This assertion is
supported by (Rose, 2004), citing that “at the empirical level, it is especially
difficult to gather data on resilience to specify models.” Vogus and Sutcliffe
(2007) further posit that, “Given the dearth of empirical work exploring resilience
in organization theory, many (if not all) avenues are open for future research in
resilience” (Vogus and Sutcliffe, 2007).
3.1 A review and reconceptualization 68
These observations are basically confirmed by the descriptive analysis in the
preceding section as around 46% of the reviewed organizational resilience
literatures were solely conceptual. In addition, only approx. 33% of the papers
developed a model within their analysis.
The following sections seek to answer the call from Lengnick-Hall and Beck
(2005) that “components of resilience capacity need to be better understood.” It
also looks to inform the questions posed by Carmeli and Markman (2011): “What
strategies are primarily related to organizational resilience; and what tactics are
indispensable when organizations strive to enhance their resilience and prolong
their existence? These and similar questions regarding the architecture of long-
lasting organizations are vexing research topics in the field of strategic
management” (Carmeli and Markman, 2011).
The next section also illustrates that although the differing literature streams on
resilience help inform the nuances, there is no cure-all for organizational
resilience anywhere on the horizon. And, in line with Lengnick-Hall and Beck
(2005), this research supports the assertion that resilience is not an effective
approach under all circumstances and for all organizations. So the elements of
resilience appearing crucial in moderately dynamic environment marked by
punctuated equilibrium appear to be different than those resilience elements in an
extremely turbulent environment (Lengnick-Hall and Beck 2009, p.53). For
instance, they further state that one of the four resilience types identified, robust
transformation, “should be a situation-specific choice and a distinct, deliberate,
episodic set of responses to an environmental condition rather than an underlying
organization design paradigm” (Lengnick-Hall and Beck, 2005). Therefore, it
becomes important to begin by looking at several strands within the research that
attempt to discover the link between resilience elements and organizational
capabilities.
3.1 A review and reconceptualization 69
3.1.3 Resilience elements and organizational capabilities Scholars across different disciplines have discussed the importance of temporal
scales of resilience (e.g. Hollnagel et al. 2006; Kahan et al. 2009; Norris et al.
2008; Walker and Salt 2006). Some systems are in a continuous state of change
while others require the development of multiple capabilities and strategies for the
different phases of an occasional or episodic disturbance: before, during and after
(Hollnagel et al. 2011). Figure 17 depicts three different “resilience elements”
which capture the relationship between resilience responses across these different
time points. In addition, unique organizational capabilities that are said to enhance
and maintain organizational resilience are depicted as well.
Research on organizational design and capabilities has received growing attention
since 1980s with rise of the so-called “resource-based view” (for a detailed
overview, see for instance Dosi et al., 2000; Teece and Pisano, 1994; Wernerfelt,
1984). Although the concept of organizational capabilities still remains rather
ambiguous, it is basically accepted that a set of capabilities can be identified,
selected, developed, and implemented in unique ways to enable firms to deal
effectively with organizational problems, and consequently generating
competitive advantage and better firm performance (Dosi et al., 2000; McCann
and Selsky, 2012, p. 115). At least one scholar has proposed that a capability
consists of several interrelated knowledge dimensions: employee knowledge and
skills; technical and managerial systems; and values and norms (Leonard-Barton,
1992). Barney (1991) stressed that these unique capability configurations are due
to particular historical conditions, while causal ambiguity and social complexity
can be vital in achieving a sustainable competitive advantage (Teece and Pisano,
1994; Hitt et al., 2011). Coutu (2002)states that resilience is “merely the skill and
the capacity to be robust under conditions of enormous stress and change.” Cunha
and Da Cunha (2006) explores the complexity of many sub strands of strategic
management and sees commonalities between concepts such as improvisation,
minimal structures, simple rules, dynamic capabilities, bricolage, and
organizational resilience. Carmeli and Markman (2011)also link
3.1 A review and reconceptualization 70
organizationalcapabilities with helping to answerwhat makes an organization
resilient and prolongs their existence.
Therefore, an array of different organizational capabilities with focus on each
resilience element is provided.
Figure 16: Resilience Elements and Organizational Capabilities
3.1.3.1 Before an event On the first end of the time line, before an event occurs, resilience elements
encompass processes of preparation and anticipation(Hollnagel, 2011;
Lengnick-Hall et al., 2011; Madni and Jackson, 2009). Successful anticipation
and prediction of expected disruptions allow for preventive measures and
therefore an avoidance of an actual occurrence. This includes, for example,
building walls around a city or screening people for weapons at a building
entrance. These approaches of resistanceand anticipation are suitable for semi-
stable and predictable environments (compare Section 2.2)where the types of
disruption are knowable. In other situations, where anticipation is not possible,
forecasting or calculating probabilities of threats and vulnerabilities may not be
feasible. Instead, resilience may require a process by which ongoing knowledge
about the systems’ structure and behavior is gained by increased awareness and
3.1 A review and reconceptualization 71
sensing25 to permit ex-ante adaptive moves to reduce the impact of unexpected or
unavoidable disruptive events (Hollnagel, 2011; Park et al., 2013).
3.1.3.2 During an event Organizational capabilities to anticipate further enable and strengthen other
organizational capabilities in the subsequent periods of the time-line, namely
during and after the occurrence of the event. The resilience elements during an
event combine current capabilities and practices with the objective of risk
mitigation and endurance. Here, organizations are forced to leverage on
robustness, capabilities to absorb or withstand stress, related to a disruptive event,
as well as a quick and thoughtful response in order to mitigate the impact of an
event to an organizational system or process. While improvisational skills such as
bricolage and creativity gain importance on an individual level (e.g. Weick and
Sutcliffe, 2007; Välikangas, 2007), prompt and flexible coordinative or
networked-based actions enable resilience in this phase on a group or
organizational level (e.g. McCann and Selsky, 2012; Sheffi, 2007; Woods,
2006c). A deeper investigation about networked-based actions is subsequently
provided in the paragraph on the resilience element “integration”.
3.1.3.3 After an event Some authors focus solely on restoration and adaption after an event has occurred
(such as (Ponomarov and Holcomb, 2009, p. 131; Boin and McConell, 2007, p.
54; Zobel, 2011, p. 394). Those ex-postiori responses require unique
organizational capabilities that are also included in the corresponding resilience
definitions, such as the ability to recover or return to normal (Linnenluecke and
Griffiths, 2010, p. 488; Zobel, 2011, p. 394), the ability to adapt or adjust to
normal (operation) (e.g. (Caralli et al., 2010, p. 1; Vogus and Sutcliffe, 2007, p.
3419), but also the ability of renewal and reinventing (e.g. Dewald and Bowen,
2010; Hamel and Välikangas, 2003, p. 53; Reinmoeller and van Baardwijk, 2005,
p. 61). This element of resilience obviously addresses situations where disruptive
events have taken place, despite (ineffective) efforts in the previous times.
25Further explanations of awareness and sensing will be given later in the same section “Continous elements”.
3.1 A review and reconceptualization 72
Another crucial capability, on both, the tactical as well as the strategic level that
must take place after the event, is learning from the experience. (e.g. Hollnagel,
2011; Lengnick-Hall et al., 2011). Learning is generally understood as a process
by which knowledge is created, accumulated, and maintained by observations and
experiences of the past (Hamel and Välikangas, 2003; Hollnagel et al., 2006;
Weick and Sutcliffe, 2007). In turn, those learning experiences serve as a
foundation for further improvements of the other resilience elements in
successional periods or future similar disruptions (Crichton et al., 2009; Erol et
al., 2010b).
3.1.3.4 Continuous elements A transversal resilience element along the whole time line or life cycle of the
organization relies on continual awareness, sense-making, and
integration(McDaniels et al., 2008; McCann and Selsky, 2012; Pettit et al., 2010;
Stephenson et al., 2010; Weick and Sutcliffe, 2007). According to the taxonomy
of (Lengnick-Hall and Beck, 2005, pp. 750f; Lengnick-Hall et al., 2011),
awareness and sensemaking present cognitive factors of organizational resilience.
These factors can, for instance, foster a positive and focused mental orientation if
given a strong sense of purpose, sophisticated tools and solutions for scanning
and interpreting signals, as well as an ability to accumulate knowledge (McCann
and Selsky, 2012, pp. 85f.). In contrast, integration and the related ability to create
and manage networks refer to behavioral and contextual elements of
organizational resilience. Those elements enhance and maintain organizational
resilience along the whole timeline. For example an established cross-
organizational platform (such as periodic risk reporting between suppliers or a
common information system (Koslowski and Strüker, 2011) for managing supply-
chain risks allows a more comprehensive and faster repertoire of responses in
times of stress (Lengnick-Hall et al., 2011; McCann and Selsky, 2012).
A broad and widely accepted definition of situationalawareness is given by
(Endsley, 1995, p. 36) as “the perception of environmental elements within a
volume of time and space, the comprehension of their meaning, and the projection
of their status in the near future.” Hence, situational awareness is basically about
3.1 A review and reconceptualization 73
an achieved knowledge base (“big picture”) of current data. It comes along with
data gathering that sufficiently provides management with insights about current
state of system behavior (such as the problems regarding the quality of
performance, safety, security, etc. and the current state of defense controls)
(Wreathall, 2006, p. 280). In contrast, sense-making is about those collaborative
processes to achieve (shared) situational awareness (Klein et al., 2006). Literally,
sensemaking is a process of framing experienced situations as meaningful to all
decision makers. Moreover, it describes a process26 of examining past events that
further allows for the interpretation and justification of the present and for the
prediction of a plausible future. The concept is widely applied in organizational
studies and generally provides insights into factors that arise when organizations
face uncertain or ambiguous situations (Weick, 1995; Weick et al., 2005).
A related but distinct concept is mindfulness. It is said to be “a rich awareness of
discriminatory detail […] Mindfulness is different from situational awareness in
the sense that it involves the combination of ongoing scrutiny of existing
expectations, continuous refinement and differentiation of expectations based on
newer experiences, willingness and capability to invent new expectations that
make sense of unprecedented events, a more nuanced appreciation of context and
ways to deal with it, and identification of new dimensions of context that improve
foresight and current functioning” (Weick and Sutcliffe, 2007, p. 23).
Consequently, mindfulness is “about the quality of attention” (Weick and
Sutcliffe, 2007, p. 23). As organizations become more vulnerable when their
attention is distracted or unstable, mindfulness preserves a resilience enhancing
capability to see the significant meaning of weak signals (such as emerging threats
or small failures) and to give strong responses to weak signals. Therefore,
mindfulness helps organizations to anticipate unexpected events, but it further
assists in mitigating the potential damage of those events. Mindful organizations
continually refine existing processes and establish a wide array of creative skills
to cope with stress. Key aspects and processes of mindfulness introduced by
26 According to Weick (1995, p. 17), sensemaking is understood as” a process that is 1. Grounded in identity construction; 2. Retrospective; 3.Enactive of sensible environments; 4.Social; 5.Ongoing; 6. Focused on and by extracted cues; 7. Driven by plausibility rather than accuracy.”
3.1 A review and reconceptualization 74
(Weick and Sutcliffe, 2007, pp. 36–39) will be discussed in the next Chapter on
the role of Information Systems for resilient organizations.
In addition to these cognitive factors of organizational resilience, there are also
behavioral and contextual conditions that support resilience(Lengnick-Hall and
Beck, 2009). These conditions primarily rely on integration, here broadly
defined as the ability to systematically create and manage structured networks of
relationships, both within and outside an organization in order to facilitate
effective collaborative responses to environmental and operational turbulence and
complexity (e.g. (Hoffer Gittell et al., 2006; Longstaff, 2005; McCann and
Selsky, 2012; Lengnick-Hall et al., 2011; Sheffi, 2007). This is supported by
(Lengnick-Hall and Beck, 2009, p. 51; Lengnick-Hall et al., 2011), who find
evidence for the crucial role of access to broad resource networks in creating
contextual resilience. The authors define contextual resilience as “the combination
of interpersonal connections, resource stocks, and supply lines that provides the
foundation for quick action under emerging conditions that […] have the potential
to jeopardize the organization’s long-term survival” (Lengnick-Hall and Beck,
2009, p. 50). Hence, resilient organizations are able to utilize relationships with
other stakeholders to enrich an inventory of resilient responses by obtaining
external resources and supportive actions.
As highlighted previously, organizations are increasingly confronted with an
operational environment marked by interconnectedness and interdependence.
These challenges are object of Perrow’s “Normal Accident Theory” (NAT)
(Perrow, 1984). According to Perrow’s investigations in the aftermath of the
accident at the Three Mile Island nuclear power plant, Perrow introduced the idea
that multiple failures and errors are inevitable in complex socio-technological
systems (e.g. nuclear power plants or air traffic). As a consequence, accidents are
unavoidable and “normal” as a result of a system’s combination that is
characterized by two dimensions, coupling and interaction (interactive
complexity). The first dimension (sometimes called coupling) describes the extent
to which an action is related to its consequences, indicating how fast cause and
effect propagate through the system. “Tightly coupled” systems are highly
3.1 A review and reconceptualization 75
interdependent, and have prompt and major impacts on each other. Although such
systems can quickly respond to perturbations, there is a danger that this response
may be catastrophic. In contrast, loosely coupled systems have fewer links and
interdependencies (Orton and Weick, 1990) and therefore allow local adaptions
and absorbing failures or unplanned behavior.
The other dimension, interactive complexity describes the interaction between
system elements: complex interactions consists of many alternative sub-tasks at
any completion while linear interactions are comprised of a set of fixed step
carried out in rigid sequence. Moreover, complex interaction further indicates that
it is very difficult for operators to understand and interpret/predict the system’s
behavior. The two-dimensional framework of Perrow is illustrated in Figure 18:
The tight coupled and linear situations (matrix field 1) represent more stable
configurations with emphasis on efficiency and prompt response (Lengnick-Hall
and Beck, 2005, p. 752). In such systems like assembly-line production, routine-
based approaches ensure resilience through standardizing processes, automation,
and embedding procedures and therefore fundamentally Tayloristic27 (e.g. (Butler
and Gray, 2006, p. 214). This requires that potential failure-modes have already
been anticipated ex ante in the original design of the system or process.
Examples of the other extreme, loose coupled and complex interactions (matrix
field 4), can be found in research and development departments or universities.
The sequence of processes is often independent from each other, feedback times
are relatively slow, and the system is better prepared to allow sub-system
breakdowns without damaging the entire system (Orton and Weick, 1990).
Vulnerable systems are those with interactive complexity and tight coupling
(matrix field 3) such as aircraft, nuclear plant, and space missions. In such
turbulent and incomprehensible environments, independent failure events can
27 Taylorism or „scientific management“ is a management approach focusing on detailed decomposition of labor, control, and standardization (e.g. Pruijt (2000), Section 3.2). It still receives great attention in current business as a foundation for the “Business Process Engineering”-paradigm Davenport (1993); Hammer and Champy (2003), which is research object in chapter 4 & 5.
3.1 A review and reconceptualization 76
interact in unpredictable ways that cannot be predicted and prevented by designers
of the system. For example, the so called compositionality challenge describes
such a phenomena: Emergence and the concentration of novel services, functions,
or components to a shared infrastructure places a considerable strain on any
system that has originally been designed with a more limited set of components in
mind, but later adopted to run multiple services (not originally envisioned). This
increase of complexity further enhance unforeseen events and therefor uncertainty
(Paries 2006). Operators are in danger of reacting too slowly, and automatic
systems are prone to cascading failures with possibly disastrous consequences
(Perrow, 1984). Perrow concludes, that accidents in complex and tightly coupled
systems are inevitable, and attempts to improve safety is questionable as
corrective actions involve increasing complexity and therefore render accidents
more likely (Woods, 2006a; Hollnagel, 2011).
3.1 A review and reconceptualization 77
Figure 17: Normal Accident Theory28
While Perrow’s conclusion is very pessimistic (Hollnagel, 2011, p. 128), it is
widely accepted that Taylorism under such circumstances lead to higher
supervision and controlling costs, lack of flexibility, loss of creativity and
(information) processing overload. This eventually can lead to a call for mindful-
based responses to resilience that are more loosely coupled and flexible (e.g.
(Grote, 2009; Meyer, 1982; Nohria, 2006; Weick and Sutcliffe, 2007).
Hence, we can conclude from this literature that, in turbulent and complex
operational settings, any kind of incident or disruption has the potential to affect
the multiple lines of business and organizational units to which they are
connected (e.g. Sheffi, 2007; Tanriverdi et al., 2010; Weick and Sutcliffe, 2007).
This may call for a higher degree of flexibility, agility, and informal decision-
making. Such situations reveal that localized and discrete responses may not be
28 from Perrow (1984, p. 97)
3.1 A review and reconceptualization 78
sufficient and could require harmonization of managerial responses by means
integration, collaboration and the management of interdependencies within an
organization and across organizations (e.g. (Caralli et al., 2010; Grote, 2009;
Victor and Blackburn, 1987; Roberts, 1990). While all these terms such as
interdependence (Victor and Blackburn, 1987; Grote, 2009, p. 19), integration
(Barki and Pinsonneault, 2005), cohesion (Fiksel, 2003, p. 5333), convergence
(Borgatti, 2003, p. 1004; Caralli et al., 2010, p. 17), or “engaged networking”
(McCann and Selsky, 2012, pp. 155f.)describe distinctive concepts with their own
definitions and meanings, this thesis focus on the commonalities and similarities
and therefore use the terms interchangeably.
To sum up, integration as another resilience element encompasses both managing
positive effects of the organization’s networks (such as quick response,
information exchange, collective learning, etc.) as well as managing negative
effects of the networks (such as increasing complexity and interdependency, less
predictability, and emerging systemic risks that can cause cascading failures and
system collapse)(Boisot and McKelvey, 2011; Perrow, 1984; Schweitzer et al.,
2009).
Some organizational resilience scholars who have dealt with integration mention
the extension of decision making amongst networks as highly important, such as
immediate cross-organizational communication and collaboration (e.g. Crichton et
al., 2009; Grote, 2009, pp. 83f; Kahan et al., 2009; Lengnick-Hall and Beck,
2005, p. 752; Rice, JR and Caniato, 2003; Sheffi, 2007). Other scholars emphasize
distributed decision-making, mutual collaboration and coordination between
departments within an organization (Coutu, 2002; Mallack, 1998; McCann and
Selsky, 2012; Nohria, 2006).
In practice, integration can be manifested as cross-departmental training of
employees (Somers, 2009; Stephenson et al., 2010) to attain the convergence of
operational risk management activities with local objectives, such as security,
business continuity, crisis and IT operations management (Caralli et al., 2010, p.
17).
3.2 Framing organizational resilience types 79
In contrast, others emphasize managing risks of networks inherent in its
interdependencies, at least when organizations become overexposed to network
relationships (McCann and Selsky, 2012, p. 157)29. For instance, the financial
crisis in the mid-2000s revealed the fragility of the hyper-connected network of
global banks, creating some institutions with a “too big to fail” status, making it
impossible for financial institutions (and regulators) to correctly assess and predict
their own robustness and risk of contagion (McCann and Selsky, 2012, p. 18;
Schweitzer et al., 2009; Taleb, 2008).
Another well-known example is given by Sheffi (2007) in “Big Lesson from
Small Disruption”, describing why a relatively small disruption - a lightning strike
in a supplier’s plant - affected two companies in the same business (Ericsson and
Nokia) in dramatically different ways. The disruption forced Ericsson to exit the
market while Nokia could increase its market share (Sheffi, 2007, pp. 3–10)
because Nokia had connections to alternate suppliers. The essence of these
anecdotal examples is that integration not only requires the ability of prompt
relationship-building, but also the ability to carefully manage these
interdependencies by creating boundaries and decoupling relationships when risks
of containment occur (McCann and Selsky, 2012, pp. 166ff; Sheffi, 2007, p. 224).
3.2 Framing organizational resilience types
Perrow’s „Normal Accident Theory“ introduced in the previous section shows,
that a combination of specific system-characteristics (interaction and coupling)
have significant impacts regarding the requirements and mechanism in order to
cope with turbulence. This serves as a starting point for developing a novel
framework to distinguish and categorize organizational resilience types. The
framework explores how the recognition of environmental and internal
characteristics help to clarify substantial distinctions of the organizational
resilience concept according to the dimensions (1) Degree of Turbulence and (2)
State of Adaption. This allows for a systematic consolidation of both external and
29 Risks associated with IT-induced connectivity are presented in Chapter 4.
3.2 Framing organizational resilience types 80
internal forces that can be examined to determine the appropriate organizational
resilience type for each combination. Such a clarification and categorization
enables an appreciation into the nuanced nature of the specific mechanisms for
building resilient organizations under specific environmental conditions.
The next section will review existing approaches to organizational resilience. It
will build on the existing work in this field to build a theoretical framework that
recognizes the competing visions and manifestations of organizational resilience
(i) as either as a tactical or strategic response to uncertainty or surprise; (ii) as a
capacity for resistance to change or a capacity for transformation and renewal;
(iii) as a descriptive or normative notion; and (iv) as a solely reactive ex-post
response or a broader proactive response. The basic problem of current attempts
to conceptualize organizational resilience is they fail to capture both the different
external system characteristics (“resilience to what?”) and the internal
mechanisms (as well as the amplitude of the applied resilience elements).
3.2.1 The underlying puzzle
As one can learn from the multidisciplinary resilience matrix introduced in
Section 2.2.2, there exist four generic resilience types based on the level of
complexity and the degree of normativity. The comparison between the
descriptive and normative applications of resilience masks a further obscurity of
resilience: the nature of change. In material science and ecology, resilience
mechanisms become apparent in the event of destabilizing change and strain. In
human and ecological systems change can be positive surprises that can lead to
opportunities. Or the change can be negative events such as failure and crisis that
can lead to a reduction in resources or even system collapse. The latter situation
dominates the attention of organizational studies, as organizational resilience is
linked to adjustments in the face of challenging conditions (Sutcliffe and Vogus,
2003), responses on “disruptive surprises that potentially threaten organization
survival” (Lengnick-Hall et al., 2011), “springing back from a disaster” (Zobel,
2011) or triggered by any kind of crisis (Norris et al., 2008).
3.2 Framing organizational resilience types 81
However, some authors see resilience in both situations. They see the term is
associated with the “a set of technical and organizational capabilities in order to
manage performance variability, both as a source of failure and success”
(Hollnagel et al., 2006) and “any kind of surprise” (Longstaff, 2005). This second
school of thought that sees change and challenge as both an opportunity and a
danger corresponds well to Schumpeter’s notion of creative destruction, where
experiments, failure and deconstruction involve opportunities and sources of
innovation and novelty (Lorenz, 2010).
The academic work that emphasizes resilience against ‘bad events’ seems to
correspond with the specific field of application: The importance of resilience as a
capacity or capability to cope with negative events is often highlighted in the
theory and practice of disaster response and related sub-fields such as business
continuity, emergency response, security and safety management. These authors
have examined these problems using different terms but all look at negative
events: accidents (Hale and Heijer, 2006; Woods, 2006a), human adversity
(Masten, 2001), crisis (Norris et al., 2008), disturbances (Woods, 2006b), risks
(Hale and Heijer, 2006), shocks (Kendra and Wachtendorf, 2003), failure
(Leveson et al., 2006), loss and trauma (Freeman et al., 2003) in order to
minimize the exploitation of vulnerabilities in threats. In these fields, managing
for resilience is linked with a wide arsenal of managerial, analytical and
architectural principles with the objective of damping negative impacts through
‘fault tolerance’ and ‘graceful degradation’ and rapid recovery to an acceptable
performance state (Madni and Jackson, 2009). Across different disciplines and
fields, the underlying mechanisms to enhance and maintain resilience involve
investments in different kinds of buffering capacities (Lynn, 2005) such as
‘redundancy’, ‘diversity’ and ‘modularity’ both in structure and responding-
actions of a system, such as an organization.
Although these mechanisms do not fundamentally differ from other streams with
a more strategic orientation such as in ecosystem management (McCann and
Selsky, 2012, pp. 43ff.) and particularly strategic management (Hamel and
Välikangas, 2003; Reinmoeller and van Baardwijk, 2005), it is evident that the
3.2 Framing organizational resilience types 82
range of options or ‘strategic degree of freedom’ increases with a longer time
horizon. Hence, a second aspect of the nature of change concerns the perceived
pace, predictability and the magnitude of the impact, leading to different degrees
of turbulence(Ansoff and Sullivan, 1993; McCann and Selsky, 2012) that
consequently call for different respond-types. A short-term oriented application of
resilience emphasizes low-complexity types of recovery and withstand.
Instead, a longer time frame allows a higher degree of freedom: a stronger
consideration of other related resilience capabilities such as learning and
innovation that can lead to adaption or transformation (Walker and Salt, 2006).
For example Hamel and Välikangas (2003) link strategic resilience as “having the
capacity to change before the case for change becomes desperately obvious”.
Authors such as Reinmoeller and van Baardwijk (2005) and Carmeli and
Markman (2011) underpin capabilities for innovation and renewal as the core of
organizational resilience. As we can see, the conceptualization of organizational
resilience is often dependent on the specific time frame/predictability applied and
consequently requires fundamentally different resources and policies for
enhancement and maintenance.
An illustrative example is given again by Nokia: Nokia’s success in the late 90’s
and early 2000s is often used as business case for resilience. In particular, Nokia’s
reaction during the lightning-strike incident at Philips Electronics semi-conductor
fabrication plant (for recap see Section 3.1.3) is often used example of resilient
behavior (Sheffi, 2007): After Nokia was informed about the incident they
immediately started daily discussion with Philips regarding affected parts.
Moreover, they pressed Philips to find alternative suppliers, and further paid extra
rates for quick setup and production. As a consequence, Nokia increased its
market share more than 10% while its competitor, Ericsson, was forced to exit
market. But while Nokia impressively demonstrated operational resilience in the
short-run, they fail to sustain their superior position in the long-run (lack of
strategic resilience). Today, Nokia confronts declining yields and market shares as
they struggled to adapt their business model to transformation of the mobile
3.2 Framing organizational resilience types 83
industry when Apple and Google introduced their smartphones and mobile apps
(Cord, 2014).
A similar, but distinctive issue addresses the relationship between dangers that are
known and those that are not. Ecologists who investigate the interaction between
human and ecological systems (social-ecological systems) highlight the unique
role of human capacity for foresight and anticipation e.g. (Gunderson, 2009). As
people can anticipate, learn and plan to increase resilience, many theorists and
decision-makers advance the view that preventive principles and actions need to
be included into the arsenal of resilience mechanisms. This extended scope of
organizational resilience is found in safety management (Hollnagel, 2011), the
protection of critical infrastructure e.g. (Jackson, 2009), as the ‘readiness’-
component of supply-chain resilience (Sheffi, 2007), or in strategic management
as the “continuously anticipating and adjusting to deep, secular trends that can
permanently impair the earning power of a core business” (Hamel and
Välikangas, 2003). This exists under relatively stable and predictable
environments where causalities, boundary conditions and system dynamics are
known.
In contrast to the broad scope of resilience, another perspective exists in which
organizational resilience is explicitly against unexpected, unforeseeable events, as
for instance noted by Wildavsky (1988) who characterizes organizational
resilience as the “capacity to cope with unanticipated dangers after they have
become manifest” (Wildavsky, 1988, p. 77). Similar to Perrow’s assumptions
regarding “normal accidents”, Wildavsky (1988) criticizes the prediction of
hazards and the ‘pretend” safety improvement within high-complex technologies
and favors resilience as an alternative, complementary approach. Instead of a lull
into a “false sense of controllability or security”, this stream outlines
organizational resilience as a collective ability to learn how to cope with
unanticipated events through a positive attitude/culture towards failure
(Wildavsky, 1988, p. 79).
3.2 Framing organizational resilience types 84
3.2.2 Organizational resilience dimensions
The arguments advanced in the previous paragraphs have signified the need to
consider contextual (system-) conditions, resulting events and related mechanisms
to cope with risks and perturbations. As claimed by (Mamouni Limnios et al.,
2014, p. 109; Longstaff et al., 2013) and in Chapter 2.2 of this dissertation,
resilience cannot be a goal itself. In contrast to resilience in social-ecological
systems, resilience in human systems is usually30 accompanied by intentionality
and expectations about a certain future. Thus, managing resilience or “resilience
engineering” (Hollnagel et al., 2006) are usually (positive) normative activities as
they aim to either maintain a desirable state (bounce back) or adapt and transform
towards an alternative desirable state (bounce forward). Organizational resilience
is almost always conceptualized with normative connotations (Mamouni Limnios
et al., 2014, p. 109).
In order to recognize both, environmental forces as well as organizational desired
responses to the environment, the resilience of an organization will depend on two
dimensions: (1) Degree of Turbulence of the (external) environment; and (2) the
current State of Adaption (Chakravarthy, 1982, pp. 35f.), which expresses the
degree to which an organization is matching its capabilities with the external
environment.
According to the specific combinations across the dimensions, one can identify
four different typologies of organizational resilience and its corresponding key
actors, design strategies, and outcomes.
3.2.2.1 Degree of turbulence Swift change, driven by technological innovation, has been seen in many parts of
the world in the Twentieth and Twenty-first century. Early work on change was
during the time of the transformation from industrial to information age (McCann
30 In fact, situations are possible where human systems such as organizations successfully cope with challenging conditions by accident or by fortune. This can happen when they fail to realize “wrong” plans. Nonetheless, the activities of human systems basically remain goal-oriented and therefore intended.
3.2 Framing organizational resilience types 85
and Selsky, 2012, pp. 24f.). In organizational studies, at least three prominent
research streams exist emphasizing the crucial relationship between organizational
environment and organizational performance:
The most prominent theory in the strategy literature, often referred to as the
“market-based view of the firm” is based on industrial organizational economics
and stresses an adequate market position as a source of economic performance
(Hitt et al., 2011). The widely used framework “Five Forces Analysis” developed
by Michael Porter is drawn upon this perspective and focus outside the
organization on diverse external forces (bargaining power of (i) suppliers and (ii)
customers, (iii) new entrants, (iv) substitutes, and (v) rivalry within an industry
(Porter, op. 1998). The second perspective treats organizations as complex
adaptive systems that are sensitive to their environment, respond, and co-evolve
with them (Colbert, 2004; Holland, 1998; Mitleton-Kelly, 2003; Church, 1999)
(for recap on complex adaptive systems see Section 2.2). Thirdly, other scholars
stress the need for organizations to seek for a strategic fit with its changing
environment (e.g. Chakravarthy, 1982; Ginsberg and Buchholtz, 1990; Levinthal,
1997; Venkatraman and Camillus, 1984). According to this stream, organizational
design – work systems, managements processes, organizational cultures, and
leadership – evolve to “fit” their business environment and their strategic actions.
This fit or alignment enabled organizations to develop the required capabilities to
compete successfully (Beer, 2002; Venkatraman and Camillus, 1984). From this
point of view, both environmental characteristics and organizational potential
shape a firm´s adaptive response and consequently determines its survival and
performance (Lengnick-Hall and Beck, 2005; Lengnick-Hall and Beck, 2009).
As we learned in Section 2.1.1 on VUCA environments, there is an increasing
tendency for systems to become turbulent and complex. However, all systems,
industries, and organizations experience turbulence and complexity of varying
degrees. Turbulent environments are often described as highly dynamic and
having volatile changes that create uncertainty and unpredictability (Calantone et
al., 2003, p. 91). Calantone et al. (2003) provide an overview of the multifaceted
notions that have been used to describe turbulent environments: unfamiliar,
3.2 Framing organizational resilience types 86
hostile, heterogeneous, uncertain, complex, dynamic, and volatile. Calantone et al.
further conclude that these descriptors alone constitute only measures of a
turbulent environment. Hence, they do not completely describe turbulence
because turbulence evolves from the mixture of a hostile, heterogeneous, and
dynamic environment. However, the majority of organizational scholars
emphasize the unpredictability of turbulent environments. For example, McCann
and Selsky (2012) define turbulence as the “pace and disruptiveness of change”
(McCann and Selsky, 2012, p. 19) while Milliken (1987) highlights the
“unpredictability of change” as a crucial element of turbulence (Milliken, 1987, p.
139). A continuum of varying degrees of turbulence (from more stable and
predictable to volatile and unpredictable) will constitute one dimension to
categorize different organizational resilience types.
Low Degree of Turbulence. An environment with a low degree of turbulence is
marked by events with moderate levels of predictability and severity. The system
characteristics exhibit stable features such as the linearity and embeddedness of
vertical hierarchical control structures. The “expected” surprises or change
impacts occur as episodic, incremental or continuous, meaning that the turbulence
may be embedded in the expectations of the organization (cf. Figure 4 in Section
2.1.1). An example for a continuous turbulence is competition or market
turbulence which is characterized by continuous changes in customers’
preferences, in price structures, and in the composition of competitors. These
challenges exhibits ongoing risk and thus are not surprisingly for organizations
(Sutcliffe and Vogus, 2003; Calantone et al., 2003, p. 91). In less turbulent
environments, the emphasis on coping with change lies in investments to create
robustness and stability through anticipation and preventive measures (Lengnick-
Hall and Beck, 2009; Wildavsky, 1988, pp. 119f.). They share a lot of
commonalities with Perrow’s characterization of linear, tightly coupled systems
(cf. Sub-Section 3.1.3.4). The intelligence base is introduced as another feature to
describe the varying degrees of turbulence: it includes different scanning,
planning, and control systems for decision-makers (e.g. Burns and Stalker, 2000).
Under more stable and predictable circumstances, organizations may be able to
deal with this kind of turbulence in advance by setting up routines and
3.2 Framing organizational resilience types 87
standardized procedures. Algorithmic, systematic optimization models are
effective for problem solving based on historical precedents and experiences as
long as the forces that created those precedents and experiences have not changed
(Chakravarthy, 1982, p. 38).
High Degree of Turbulence. In contrast, high-turbulent environments have
properties such as highly dynamic and volatile change creating uncertainty and
unpredictability (Calantone et al., 2003, p. 91). A major feature of high degree of
turbulences is their potential for disruptive changing environments, surprises and
discontinuity. In the 1960s, Emery and Trist first noted the term “turbulent
environment” and that the nature of change itself was beginning to change
(McCann and Selsky, 2012, p. 24). Consequently, it is not just the pace of change
but rather the disruptiveness of change what are experienced in some systems.
Turbulent, uncertain types of change are given multiple terms in notions in
organizational studies such as “black swans” (Taleb, 2008), “environmental jolt”
(Meyer, 1982). They all describe an abruptly and unexpected event which is
difficult or even impossible to foresee and whose impacts on organizations are
disruptive and harmful (Meyer, 1982). Such “low-probability/high-impact events”
(Sheffi, 2007, p. 21) are outside the scope of daily management or “safety
envelope” (Hollnagel et al., 2006; Nemeth et al., 2009) and call for different
decision-making styles and resources. Historical records are not sufficient
anymore, and organizations need to develop capabilities for improvisation and
creativity to face these turbulences (Coutu, 2002; Horne III, 1997; Lengnick-Hall
and Beck, 2009; Lengnick-Hall et al., 2011).
Turbulent systems often come along with complexity. Such complex systems are
often open and nested (Dorner, 1996; Longstaff, 2005). An open system is one
that continuously interacts with its environment by means of information, energy
and material exchange. Moreover, they are often nested in a sense that the
components or sub-systems of a complex system are also complex. For instance,
an industry is constituted by different market players such as competing firms,
public agencies, suppliers, which are made up of people. Consequently, complex
systems may feature many, intractable non-linear relationships, and emergent
3.2 Framing organizational resilience types 88
behavior (for a more detailed explanation on complexity properties compare
Section 2.2).
The consequences for organizations in complex environments can be tremendous:
Comfort et al. (2001) identified that a negative correlation between environmental
complexity and organizational performance. The organization is not able “… to
process the amount and range of information required to adequately establish the
coordination required across the components of the response system” (Comfort et
al., 2001). According to Perrow, loosely coupled structures are favorable in highly
complex systems (Perrow, 1984). Other scholars support this view and highlight
that flexible organizational structures are essential to maintain the focus after
disruptive events (Comfort et al., 2001). The organization requires an increase in
informational exchange, communication, coordination etc. caused by the increase
in environmental complexity.
Another possible outcome of turbulence is surprise (Longstaff, 2005). Cunha et al.
(2006) describe that surprises (defined as events that happen unexpectedly or
expected events that take unexpected shapes) can be formed into a typology. The
dimension “issue” represents events from external sources while “processes” arise
from internal activities. The combined typologies help clarify how to distinguish
internal vs. external sources of surprise, but also show the interplay between them.
This typology further posits that different surprising situations call for distinct,
sometimes even contradicting managerial responses. For instance, “creeping
developments”, expected issues take surprising shapes when minor, often
interrelated changes accumulate, cause system drift and lead to major impacts.
When formerly reliable routines and standard processes drift, employers and
managers cannot retain control, as the sources of change are distributed. Instead,
managers should empower operators by employing flexible rules (Cunha et al.,
2006, p. 324; Grote, 2009). Combinations of unexpected issues and processes can
result in “losses of meaning”, where people are astonished and forced to
fundamentally re-analyze their assumptions and behaviors. Here, a manager’s
responsibility is facilitating sense-making and allowing the development of new
interpretations that adjust to the new situation by means of improvisation.
3.2 Framing organizational resilience types 89
Expected process Unexpected process
Expected issue
Routines Creeping developments Distinctive characteristics: organizational routines in moderately dynamic markets
Distinctive characteristics: emergent, complex and interactive processes lead to unexpected situations
Examples: linear routines, standard operating procedures, preventive action
Examples: normal accidents, escalating commitment, cultural change
Managerial implications: management as controlling
Managerial implications: managing as empowering
Unexpected issue
Sudden events Losses of meaning Distinctive characteristics: new themes emerge from existing processes
Distinctive characteristics: novel, incomprehensible situations
Examples: exploration, evolutionary dynamics
Examples: wild cards, crises of sensemaking, 9/11
Managerial implications: management as facilitating learning
Managerial implications: managing as sensemaking
Figure 18: Typology of Organizational Surprises31
All these examples illustrate that if the nature of organizational environment
continues evolves and changes, the organizations relationship within the
environment must also evolve (McCann, 2004). Depending on the underlying
complexity of a system or the type of surprise, the nature of the desired resilience
will change. Applying either a stable-system perspective (marked by linearity and
predictability) or a volatile-system perspective (emphasizing non-linearity and
emergence) has strong implications for the analysis of system behaviors and
substantially modifies the resources required to survive, including variety and
adaptability (Forrester, 1961; Holland, 1998; Senge, 1997); both widely described
as related concepts of resilience.
The stable-system perspective is related to mechanic management systems
introduced by (Burns and Stalker, 2000). Mechanical organizations often have
great difficulties adapting to change because they are designed to achieve specific
31From Cunha et al. (2006).
3.2 Framing organizational resilience types 90
goals; they are not designed for innovations (Burns and Stalker, 2000, p. 44).
However, the mechanical vision of the organization fits well to an era of stability
and slowly incremental change and thus for low degrees of turbulence (Burns and
Stalker, 2000; Horne III, 1997). In contrast, a high degree of turbulence requires
more complex and open strategies of the organizations. Such an “organic
management system” (Burns and Stalker, 2000, p. 45) is characterized by flat
hierarchies, task roles according to experience and competence, network structure
of communication, and joint decisions.
3.2.2.2 States of adaption In order to identify the appropriate organizational response for environments with
varying degrees of turbulence, a second dimension “States of Adaption”may be
necessary.
A state of adaption for an organization describes a condition in which a firm
survives uncertainty by adapting internal processes and/or external relationships
to fit changing conditions. The term “adaptive fit” is utilized by Chakravarthy
(1982) “to intend, that a firm is able to accommodate the level of complexity
presented by its environment” (Chakravarthy, 1982). Originally, he proposed a
framework of adaptive fit that included three states of adaption (Chakravarthy,
1982, p. 37): The unstable, stable, and neutral states, which all are viable for a
corresponding environmental condition. In the unstable state, an organization
tries to protect itself from its environment and aims to resist internal or external
disturbances. This “narrow focus” is a defensive arrangement, as organizations
seek to create stability through a set of actions to dampen the interaction from
outside. The stable state slightly differs, as the organization is open to the
environment and “offers a reactive move in keeping with every move with the
environment (Chakravarthy, 1982, p. 36). The emphasis is on short response times
and incremental adjustments. In opposition to the first two states, an organization
in a neutral state will withstand and embrace environmental changes. This is
clearly an offensive arrangement, as organizations are continuously searching for
opportunities and keeping pace with change. All three states are suitable for
coping with the environment, however, not all states have the same immunity
3.2 Framing organizational resilience types 91
from environmental changes. The proactive notion of adaption in neutral states
enables firms to handle the highest levels of complexity. Nonetheless, not all
organizations, departments or actors aspire to the same level of adaption. The state
of adaption is rather determined by the resources of and organization, the time-
horizon for responses, and the nature of management processes (Chakravarthy,
1982) linked with the desirability of the current state (Mamouni Limnios et al.,
2014). As we will see in the subsequent chapters, there exist situations where
protection and stability of critical systems by robust measures is sometimes a
more desirable goal than transformative change.
There exist two conflicting perspectives of resilience across different disciplines
(Longstaff et al., 2013) but also within organizational science (Lengnick-Hall et
al., 2011): a narrow perspective emphasizing resilience as a capacity to resist or
recover; and a broader perspective of resilience emphasizing adaption and
learning. In line with the states of adaption, one can differentiate these two
opposing resilience manifestations as either defensive or offensive (Mamouni
Limnios et al., 2014).
Similar to Chakravarthy’s states of adaption, Fiksel (2003) introduced the three
different adjacent system-states depicted in Figure 20. The figure illustrates
thermodynamic changes that characterize different types of resilience. Each
system features a stable state representing the lowest potential energy at which it
maintains order (Fiksel, 2003, p. 5332). The first system, called resistant system,
represents a highly controlled system which is designed to resist perturbations that
would move it from its equilibrium state. It rapidly recovers from small
disruptions, but may not survive large disruptions (Fiksel, 2003, p. 5332).
The second system can function in a broad spectrum of possible states and tends
to gradually return to its original (single) equilibrium. By means of adaption and
evolution, it is able to survive large perturbations in order to retain its basic
identity and high-level functions.
The third system exists where it is possible to shift to an alternate equilibrium,
representing a transformational change in its structures and lower-level functions.
3.2 Framing organizational resilience types 92
Here the system can withstand shocks and rebuild itself. In contrast to the first
two systems, it is possible that the system will not look exactly like it did before
and allows a system to move towards a new basin of attraction. This new
equilibrium state may even result in a fundamental change in its structure and/or
function (c.f. Section 2.2).
Figure 19: Three Types of Change and Resilience32
It worth noting, that some organizations may need to shift between all modes of
adaption. However, the choice of which of these modes and states of adaption is
appropriate for any organization will be different depending on considerations
such as the goal (seeking for stability and improved efficiency vs. continuous
adaption and transformation), the time-horizon (short-term and tactical moves vs.
long-term and strategic moves), and the responsibility of the respective task-level
(sub-systems and sub-ordinates vs. corporate systems and managers).
Defensive and Reactive Mode of Adaption: Resistance and Resilience. In line
with Chakravarthy’s framework on adaptive fit, organizations that apply a
defensive and reactive mode are looking for stability with their environment by
trying to resist internal or external disturbances. This strategy will not be
appropriate if there are unforeseeable conditions that the organization has not
32From Fiksel (2003).
3.2 Framing organizational resilience types 93
planned for and any attempts to quickly recover and adapt to disturbances may
fail catastrophically. This point becomes crucial in disaster research and related
sub-fields such as business continuity, emergency response, security- and safety
management because these fields highlight the importance of resilience as a
positive capacity or capability to cope with negative events. The shorter time-
horizon for coping with these unpredictable events limits the “degree of freedom”
of response-options and helps to demarcate tactical or operational resilience from
strategic resilience.
Operational resilience is linked with a wide arsenal of managerial, analytical and
architectural principles with the objective of damping negative impacts through
‘fault tolerance’ and ‘graceful degradation’ and rapid recovery to an acceptable
performance state (Madni and Jackson, 2009). It involves enhancing
organizational defenses such as investments in different kinds of buffering
capacities (Lynn, 2005) such as ‘slack’, ‘redundancy’, ‘diversity’ and
‘modularity’ both in the structure and the responding-actions of an organizational
or management system. Although most of the previously identified Resilience
Elements and Organizational Capabilities remain important, this mode of
adaption/resilience clearly emphasizes the mitigation of hardships. Moreover, this
tactical notion of resilience receives increasing attention for sub-systems of the
organization, such as on a departmental or divisional level, or even individual
level. Here, the actors usually seek for stability and have to develop capabilities to
withstand or resist disturbances and to recover quickly from perturbations.
It is acknowledged in both, resilience research of social-ecological-systems (for an
overview e.g. (Berkes, 2007; Folke, 2006; Holling and Gunderson, 2002) and
Section 2.2) as well as research on organizational resilience (e.g. (Mamouni
Limnios et al., 2014; Reinmoeller and van Baardwijk, 2005; Hamel and
Välikangas, 2003; Välikangas, 2007; Välikangas and Romme, 2013) that such
defensive resilience measures may help (organizational) systems to survive and
maintain their current structures and functions for a long period of time. However,
such persistence in the face of change may also come with negative effects.
Persistence or resistance against change may also impede the spring of innovative
3.2 Framing organizational resilience types 94
ideas and products. This is similar to two situations that Mamouni Limnios et al.
(2014) described as “vulnerability quadrant” and “rigidity quadrant”. In both
situations, an organization will seek to survive by exploitation and the control of
status quo. The increasing control and efficiency gained by this strategy also
results in cycles of reinforcing exploitation leading to systems that maintain only a
narrow focus and that may decrease in value over time. This can result in a
maladaptive system in the long-run. Organizations may experience path-
dependent situations where they are unable to trigger a period of change and
reorganization. According to Mamouni Limnios et al. (2014, p.111) the
organizations “are caught in a rigidity or poverty trap and can suddenly collapse
upon a disturbance.” Therefore, another mode of adaption is needed to capture the
multi-faced nature of organizational resilience.
Offensive and Proactive Mode of Adaption. This mode of adaption is more
compatible with Chakravarthy’s third state of adaption: neutral state: In this
offensive arrangement, organizations are continuously searching for opportunities
and even embracing change. The proactive notion of adaption equals strategic
resilience that arises with as a response to opportunity by engaging in exploration
(Välikangas and Romme, 2013). Here, the goal of system operators is to improve
and sustain organizational prosperity by means of transformation. Organizations
need to develop a wide range of organizational capabilities to adapt, to
reconfigure, and to reinvent in order to sustain themselves. These capabilities
enable organizations to match the requirements of a changing environment in
order to create “organizational fitness” (Beer, 2002). This not only involves the
creation of innovations, but also the continuous redesign of existing systems,
processes, culture, and leadership behavior (Beer, 2002, p. 3). Hence, the long-
term prosperity and survival of such an organization calls for a “total system
approach to organizational transformation.” This would enable the organization to
overcome a set of interrelated barriers to organizational fitness such as unclear
strategy, poor communication and coordination across business units, and lack of
top-management commitment.
3.2 Framing organizational resilience types 95
Consequently, the proactive mode of adaption finds its roots on a higher level
within the organization: on a corporate level with the commitment of leaders and
top teams (Beer, 2002, p. 6; Park et al., 2013; Vogus and Sutcliffe, 2007).
According to Välikangas and Romme (2013), the journey toward strategic
resilience starts learning to practice mindful and experimental behavior, to
permanently develop and renew a set of organizational options. For this, the
quality and speed of learning demands a culture of honest conversation (Beer,
2002, p. 6), and the capability to mobilize employees and managers toward
experimental and mindful behavior (Reinmoeller and van Baardwijk, 2005;
Välikangas and Romme, 2013).
3.2.3 Organizational Resilience Framework In the following, a framework is introduced to conflate the different dimensions
discussed above: (1) the degrees of turbulence and (2) the different modes of
adaption. While the first dimension captures environmental conditions, the second
dimension captures inherent organizational characteristics and responses. This
allows for identifying and examining four types of organizational resilience:
Prevention and Absorption, Restoration, Strategic Agility, and Robust
Transformation and Renewal. The resulting matrix is depicted in Figure 21.
The matrix helps to engender a greater understanding regarding organizational
resilience by integrating the previous mentioned factors. It delineated four
applications of organizational resilience based on the differing results of the
research. The X-Axis which constitutes the State of Adaption separates
organizations with a mechanic structure and a defensive/reactive response from
organizations with an organic structure and an offensive/proactive response. The
Y-Axis constitutes the Degree of Turbulence, focusing on the predictability and
severity of disturbances.
3.2 Framing organizational resilience types 96
Figure 20: Organizational Resilience Framework
3.2.3.1 Prevention and Absorption The defensive/reactive modes of resilience share commonalities with
“engineering” or “static” resilience, as posited by a pioneer of resilience research
Buzz Holling (Holling, 1996; Longstaff et al., 2013; Norris et al., 2008; Walker
and Salt, 2006). Here, the conceptual approaches of resilience focus on
maintenance of a stable state. The strength of this simple view of resilience as a
reactive term of bouncing back is its measurability. In this sense, resilience can
simply be derived by the so called “resilience triangle” (see Figure 22) which
reflects three dimensions of resilience: pre-disaster functionality, the extent of
damage, and the speed of recovery of the system (Birkland and Waterman, 2009,
pp. 20f.). According to Birkland (2009), resilience is achieved when four factors
are present (p. 20f.):
3.2 Framing organizational resilience types 97
• Robustness: the ability to withstand a given level of stress or demand without suffering unrecoverable degradation or loss of function. This can be reflected in physical building and infrastructure design (office buildings, power generation and distribution structures, bridges, dams, levees);
• Redundancy: the extent to which elements, systems, or other units are substitutable
• Resourcefulness: the ability to skillfully prepare for, respond to and manage a crisis or disruption as it unfolds. This includes identifying courses of action for, business continuity planning, training, supply chain management, prioritizing actions to control and mitigate damage, and effective communication of conditions and decisions.
• Rapidity: the ability to return to and/or reconstitute normal operations as quickly and efficiently as possible after a disruption. Components include carefully drafted contingency plans, competent emergency operations, and the means to get the right people and resources to the right place.
Figure 21: The Resilience Delta33.
Hence, it is possible to calculate the “resilience triangle” or “resilience delta”
(Zobel, 2011). It is determined by robustness or resistance (the vertical axis
33 Adapted from from Zobel (2011)
3.2 Framing organizational resilience types 98
representing the initial amount of damage) and its hypotenuse reflecting the rate
of recovery to the prior level of functionality. Thus as posited by Birkland
(Birkland and Waterman, 2009, p. 27), robustness and redundancy can maintain
higher levels of functionality than non-robust and non-redundant systems while
recoverability/rapidity can vary considerably. Although the resilience delta is
highly simplified, it provides insights about the multi-dimensional nature of
engineering/static resilience as a combination of robustness, rapidity and
redundancy as well as resourcefulness. These measures will have indirect positive
effects on all resilience features by reducing vulnerability (Birkland and
Waterman, 2009; Zobel, 2011). Moreover, the resilience delta further illustrates
the importance of temporal scales of resilience (see also Subsection “Resilience
Elements”): Business systems at different levels (such as organizational,
departmental, or team) are in a continuous state of change and call for the
development and maintenance of resilience capabilities and strategies before,
during and after challenging events occur at all levels (Hollnagel et al. 2011 and
Subsection 3.1.3).
Before a dangerous event occurs, a resistance strategy that attempts to keep a
danger away (prevention) is only appropriate for occurrences that can be planned
and that will justify the additional costs. This includes building walls or screening
people for weapons at a building entrance. In contrast, engineering/static resilient
preparedness is an appropriate strategy where we know how a system will be
surprised but not when (Longstaff 2005). This kind of resilience is achieved by
having buffers that enable a system to withstand a disruption without need for
major reconfiguration. Such fault tolerance or graceful degradation can be reached
by redundancy (the duplication of critical components or functions of a system) or
response diversity (the range of different response types available to substitutable
perform a function) (Madni and Jackson 2009; Walker and Salt 2006).
This leads us to the first organizational resilience quadrant, assuming low degree
of turbulence and a defensive/reactive state of adaption to disturbances:
Prevention and Absorption. The organizational management system in this
quadrant is characterized by hierarchical, centralized leadership, and is policy and
3.2 Framing organizational resilience types 99
procedure driven. The key actor would be a custodian or controller/administrator
that aims to restrict variability bydetecting and resolving any deviations from
target plans. Consequently, an organization which aspires this state of adaption
will be in a relatively stable environment and will focus on preventive measures.
Norris et al. (2008) noted, that resistance and maintenance is the best outcome of
a system after a disturbance. This means, “that the resources have effectively
blocked the stressor” (Norris et al., 2008). But such an approach is only feasible if
organizations are capable to anticipate possible future events. Moreover,
organizations may satisfy stakeholder needs and maintain their current structures
only under a narrow spectrum of conditions, making them susceptible to
unexpected external disturbances (such as governmental and legal actions,
technological or socio-demographic shifts or ecological changes) (Mamouni
Limnios et al., 2014, p. 111). Therefore, in organizations that experience more
unpredictability the alternative approaches in the lower quadrant may be more
useful when it is necessary for defensive organizations to match turbulent
environments.
3.2.3.2 Restoration Under more turbulent circumstances, organizations applying defensive/reactive
response mode focus on restoration and adaption. In contrast to organizations
that can plan for resistance to stress and disturbances within expected and narrow
boundaries, other organizations face unforeseeable perturbations. Here, resilience
is mainly built on organizational capabilities that become effective after an event.
The anticipation and interpretation of low-probability events can require actions
outside the normal set of responses (this is also a well-known observation
discussed as “outside the safe operating envelope” in safety management- and
engineering introduced by (Cook and Rasmussen, 2005). This is in line with
resilience concepts emphasizing recoverability as key for survival – also
previously highlighted as the fourth factor of the resilience triangle “rapidity”.
Therefore, scholars such as Bhamra et al. (2011) describe resilience as “capability
and ability of an element to return to a stable state after a disruption”. Also
Wildavsky (1988) describes resilience simply as the capacity to bounce back.
3.2 Framing organizational resilience types 100
Sutcliffe and Vogus (2003) note, that resilience in organizational theory is an
ability to recover and bounce back from undesirable events. Also in positive
psychology, a tumbler represents an ideal type of a resilient and optimistic person
that bounces back from adversity (Margolis and Stoltz, 2010; Powley, 2009;
Seligman, 2011). Such a tumbler is “a positive person with a bouncebackabilty,
like a sportsman who has a capacity to recover quickly after setback (Oxford,
accessed 14.01.2014). Bouncing back like a tumbler may require an organization
to invest in build-in redundancy and diversity where possible in order to use
resources that are not typically available under normal conditions(Sheffi, 2007;
Weick and Sutcliffe, 2007; Wildavsky, 1988).
Moreover, resilient organizational actors have been seen to constantly improvise,
reorganize and create new resources and to move quickly to cope with unexpected
events. The literature suggests that bricolage34 (experimentation and mindfulness)
and resourcefulness are central to resilience under such circumstances (Horne III
and Orr, 1998; Mallack, 1998; Park et al., 2013; Välikangas and Romme, 2013;
Weick, 1995; Zobel, 2011): Consequently, turbulent environments demand
organizational capabilities for restoration of the system’s pre-disruption state as
closely and quick as possible (Madni and Jackson 2009). As illustrated through
the resilience triangle, the effectiveness of recovery mechanisms will also highly
rely on the successful implementation of preparedness efforts. But in addition to
preparative efforts, effective communication skills and distinctive resourcefulness
are likely to affect the recovery process in positive ways (Zobel 2011).
These defensive/reactive responses are similar to “engineering resilience”,
introduced in Section 2.2. This involves the idea of designed systems that can be
stressed to a particular point without breaking, or without suffering a significant
degradation in functionality (Birkland and Waterman, 2009, p. 17). The goal of
the first two resilience types therefore “is either to allow for a wide performance
envelope given particular stresses, or to allow some components of a system to
34 According to Weick (1995), organizational bricolage encompasses the employment of intimidate knowledge of resources from a wide range of sources, carefull observation and mutual trust among organizational members.
3.2 Framing organizational resilience types 101
fail so that the overall system” (Birkland and Waterman, 2009, p. 17) remains
intact. This is similar to the first type “resistant systems” depicted in Fig. 20
(Fiksel 2003). However, resilience with focus on efficiency and consistency ends
here. A focus on adaptability becomes more important in situations where
surprises and other challenges will be so debilitating that planning for recovery
becomes too costly or even dangerous (as when the vulnerability against the
event will persist).
For such situations and in face of long-term threats where optimal solutions are
often impossible to reach or even remain unknown, an offensive/pro-active mode
of resilience provides a more comprehensive and suitable foundation of
organizational survival and well-being. In the following, these two types of
organizational resilience will be explained.
3.2.3.3 Strategic Agility Although this quadrant in the framework assumes relatively stable and predictable
environmental conditions, a multitude of strategic challenges such as disruptive
innovations can still threaten the survival and resilience of incumbent firms
(Dewald and Bowen, 2010). This strategic notion of resilience is not just about
responding on turbulences but rather about constantly updating the organization’s
ability to adapt to future turbulences.
Accordingly, an offensive/proactive resilience mode is favorable where
organizations seek to develop and maintain organizational capabilities to cope
with long-term change and uncertainty. A stream of literature on resilience
suggests, there is a need for constant, proactive and quicker response to change
than ever before. Adaptive capacity, often outlined as a key capacity for
organizational resilience (e.g. Lorenz, 2010; McCann and Selsky, 2012;
McDonald, 2006; Smit and Wandel, 2006). Advocates of such an adaptive
management approach postulate that in competitive and dynamic markets, the
more successful firms are the ones that continuously apply and develop new
knowledge. This tension further parallels much of what has been written about the
concept of strategic ambidextrousness (e.g. Benner and Tushman, 2003; O'Reilly
3.2 Framing organizational resilience types 102
III and Tushman, 2004): organizations need to simultaneously combine
exploration and exploitation strategies. In other words, they need both, the ability
to take leverage of existing circumstances, as well as capacity for continuous
scanning for opportunities.
Managing in environments with low degrees of turbulence - characterized by
anticipated events and long-term planning - allows organizations to establish
fitness with its environment through Strategic Agility(Lengnick-Hall and Beck,
2009; Hamel and Välikangas, 2003; Dosi et al., 2000). Strategic Agility can be
defined as “capacity for moving quickly, flexibly, and decisively in anticipating,
initiating, and taking advantage of opportunities and avoiding negative
consequences of change (McCann and Selsky, 2012, p. 19). In opposition to
reactive and short-term oriented resilience, an offensive long-term approach treats
(continuous) change as a source of competitive advantage (McCann and Selsky,
2012, p. 29) and variability as a source of success (Hollnagel et al., 2006). Thus,
strategic agility “enables a firm to initiate and apply flexible, nimble, and dynamic
competitive moves in order to respond positively to changes imposed by others
and to initiate shifts in strategy to create new marketplace realities ((Lengnick-
Hall and Beck, 2009, p. 40) referring to McCann, 2004). This proactive notion of
resilience is increasingly advocated by organizational scholars: For instance,
according to Mallack (1998), resilient organizations will not experience the
environment passively; instead they will permanently develop and apply new
knowledge. Ates et al. (2001) demonstrate, that resilience will be enhanced by
“paying attention to long-term planning and external communication to drive
change proactively […]”. Furthermore, organizations have to “[...] increase the
amount and quality of resources through improvisation and recombination” (Ates
and Bititci, 2011).
A high level of strategic agility is often linked with a firm’s demonstrated
capacity for quick and effective concentration of resources on strategic key issues,
accumulating new resources, and (re-)combining resources in new ways for new
uses (Hamel and Välikangas, 2003; McCann and Selsky, 2012; Lengnick-Hall and
Beck, 2009). The organizational literature offers a number of factors associated
3.2 Framing organizational resilience types 103
with such agility, including response speed, the number and variety of strategic
moves undertaken, and different indicators of broad action repertoires coupled
with decisiveness (Lengnick-Hall and Beck, 2009, p. 53). Enablers of strategic
agility encompass different routines, capabilities, and resource deployments
depending on the environmental conditions and the outcomes a company is
striving to achieve. Strategic Agility asplanning for resilience emphasizes
Contingency and Responsiveness as intended outcomes. Some believe that the
underlying logic for agile and resilient organizations is to open its boundaries to
larger environments by means of outsourcing and networking (Lengnick-Hall and
Beck, 2009, p. 51). Building strategic agility may involve- the creation of rapid
growth and encouraging large scales systems in order to respond adequately to
challenges or opportunities. Key actors for such an endeavor are often called as
entrepreneurs and strategic planners(Dewald and Bowen, 2010; Hamel and
Välikangas, 2003).
For organizations with low levels of environmental turbulence, organizational
literature suggests mechanical structures with centralized leadership, vertical
hierarchies, formalized and standardized routines and processes to achieve
efficiency and consistency (Burns and Stalker, 2000). But, as pointed out earlier,
in increasingly turbulent environments, “organic management system” (Burns and
Stalker, 2000, p. 45) may be more effective at coping with uncertainty. The
positive contributions of decentralization and diversity to resilience has also been
acknowledged within the safety discourse by Aaron Wildavsky (1988) more than
two decades ago: “The larger and more centralized the organization seeks to
predict the future, the longer it will take to get agreement, the fewer the
hypotheses it can try, and the more costly each probe is likely to be. […]
Decentralized anticipation (numerous independent probes of an uncertain future)
can achieve a greater degree of safety” (Wildavsky, 1988, p. 8). Such a structure
emphasizes decentralization (for instance flat hierarchies, joint decisions with
cross-trained generalists, network structure of communication, etc.) to achieve
flexibility and adaptability.
3.2 Framing organizational resilience types 104
As stated by Lengnick-Hall and Beck (2009), resilient organizations in the long-
run generally comprise features of agile organizations (being nimble, flexible and
agile). However, not all agile organizations can be classified as resilient
organizations (Lengnick-Hall and Beck, 2009, p. 43). Strategic agility is
designated to address continuous and relentless change. As a consequence, high
degrees of turbulence call for a more radical strategic resilience response captured
in the fourth quadrant of the matrix.
3.2.3.4 Robust Transformation and Renewal This alternative strategic resilience type in high-turbulent environments is labeled:
Robust Transformation and Renewal. The term “robust transformation” is
posited by Lengnick-Hall and Beck as “a deliberately transient, episodic response
to a new, yet fluid, environmental condition.” (2005, p. 742). In contrast to
strategic agility, which aims to achieve contingency to promote (at least
temporary) equilibrium, robust transformation seeks to capitalize on
environmental change in ways that create new options and capabilities. It is
therefore linked with the resilience idea of “even thrive” in the face of challenges
which is often found in positive psychology (compare Section 2). Following this
logic, a turbulent condition triggers processes of improvement (such as the
development of new capabilities) and positive outcomes. This was exemplified by
the Ericsson-Nokia case in an earlier paragraph, where Nokia capitalized on its
competitors’ rigid responses by introducing new products and growing market-
share (Section 3.1.3). This is in line with other examples highlighted in multiple
works on organizational resilience and high-reliable organizations such as
(Hollnagel et al., 2006; Meyer, 1982; Roberts, 1990; Seligman, 2011; Välikangas,
2007; Weick and Sutcliffe, 2007) showing that organizations often find new
effective solutions that were previously counterintuitive during normal operations.
Here, the key actors have to be creative and innovative. In these organizations you
can see a process of learning, transforming, growing and reconstructing in face of
change. This type of resilience is also captured in a definition given by Fiksel: In
3.2 Framing organizational resilience types 105
the business context “… resilience is the capacity for an enterprise to survive,
adapt, and grow35 in the face of turbulent change” (Fiksel, 2006). Effectively
responding and adapting to a new environment requires providence, innovation,
experimentation and improvisation.
Reinmoeller and van Baardwijk devote their working paper the linkage between
resilience and innovation. They defined resilience, as “the capability to self-renew
over time through innovations” (2005, p.61). Moreover, they argue that resilient
companies are those which make use of the dynamically balance of four
innovation strategies: Exploration, entrepreneurship, knowledge management and
cooperation (Reinmoeller and van Baardwijk, 2005, p. 63). The differences
between the set of strategies follows two dimensions: (1) whether the innovative
resources are internal or external, (2) in use or being created. These dimensions
share some commonalities with the dimensions of the proposed resilience matrix:
in less turbulent environments, organizations are able to employ resources that are
already in used by means of internal knowledge (“Knowledge Management”) or
complementary knowledge of partners (“Cooperation”). In contrast, high-
turbulent environments require the creation of “new ideas and resources”, either
internally by means of experimenting and recombining of existing organizational
resources (“Exploration”) or by means of experimenting and sensemaking of
environmental factors (“Entrepreneurship”). The latter underpins the need for the
fourth type of resilience as Robust Transformation and Renewal. Here,
organizations must go beyond conventional knowledge management and
continually encourage entrepreneurial behavior to drive change and innovation
(Reinmoeller and van Baardwijk, 2005, p. 64). The emphasis does not lie in the
continuity of status quo but in more radical changes in order to keep pace with a
fast changing environment.
In a case study about resilience in a project team employed by(Edson,
2012)showed a positive correlation between resilience and the potential for
innovation though creative destruction. Similarly, Hamel and Välikangas (2003)
35emphasis added.
3.2 Framing organizational resilience types 106
noted, that renewal must be the natural outcome of organizational resilience.
Moreover, according to Linnenluecke and Griffiths (2010), the main aspect of
resilience in organizations is the capacity to rebound from hardship in a
strengthened and more innovative way.
Resilient organizations in a high-turbulent/offensive arrangement are seeking for
robust transformation and renewal. They perceive deviations positively as source
of success and therefor interpret their environment as a turbulent flow of
opportunities. Organizational actors constantly learn, improvise, reorganize and
create new resources to move quickly to explore the manifold unexpected
opportunities. The literature suggest bricolage36 (experimentation and
mindfulness) central to resilience under such circumstances (Horne III and Orr,
1998; Mallack, 1998; Park et al., 2013; Välikangas and Romme, 2013; Weick,
1995). In contrast to strategic agility, which is an appropriate resilience type in
less turbulent environments, robust transformation and renewal do not seek for
establishing fit or contingency with the environment by scanning and incremental
adaptions. Here, organizations attempt to undertake transformations of their
structure, processes and products. This can be involved with complete strategic
turn-arounds and renewal of an organization’s identity.
3.2.4 Discussion and conclusion
Although the term “resilience” in general reflects a system’s property to cope with
change, the evolution of the term across different disciplines and fields of
application lead to a diverse and confusing definitional lexicon. It is not surprising
then that the different levels of abstraction and levels of analysis make
comparison and the identification of common characteristics or
synthesis/comprehensive definition almost impossible (Carpenter et al., 2001).
The main issues revolve around two main assumptions (often unstated) about
36 See Section 3.2.3.2 for a definition given by Weick (1995).
3.2 Framing organizational resilience types 107
fundamental two aspects of the system being studied. The literature reviewed here
fundamentally differs with regard to assumptions about the (1) degree of
turbulence of the organizational environment and (2) the current modes of
adaption an organization is seeking for (defensive/reactive vs. offensive/proactive
orientation).
Accordingly, this chapter has rigorously examined the organizational resilience
literature in order to make the following contributions: First, a comprehensive
review on organizational resilience will be an important starting point for scholars
working in this area by enabling them to recognize and segment the different
philosophies and approaches to organizational resilience. Second, the information
gathered from disciplines such as ecology can give important clues for new
research directions for organizational resilience. Third, this chapter identifies
knowledge gaps, critical appraisals and inconsistencies within organizational
resilience to help counteract the construct proliferation that has become apparent
within the domain. Finally, the organizational resilience framework presented
based will advance a clear method to help distinguish the specific context for the
application of resilience principles in multidisciplinary contexts.
Resilience as a construct is essential to the process of theory building theory and
to enrich existing theories. Hence, it is reasonable to believe that a re-evaluation,
extension and development of theories across disciplines in order to include the
various types of resilience within those theories. The literature reviewed here
fundamentally differs with regard to assumptions about the environment’s degree
of turbulence and assumptions about the state of adaption, here defined as an
expression of the degree to which an organization is matching its capabilities with
the external environment).
Making these assumptions explicit will have important implications for research
in organizational management. Some resilience concepts will be more useful for
organizational theories and schools of thought than the others, e.g. the resilience
types with lower complexity may fit better with more static frameworks such as
Ansoff’s ‘Strategic Planning’ (Ansoff and Sullivan, 1993), the Resource-based
view (RBV) (Wernerfelt, 1984)or some of the contingency theories (Hoffer,
3.2 Framing organizational resilience types 108
1975), while the more complex concepts are more compatible with evolutionary
theories such as Dynamic Capability (Teece and Pisano, 1994), Population
Ecology (Hannan and Freeman, 1977)or Neo-Institutionalism (DiMaggio and
Powell, 1983).
Depending on the underlying theoretical assumptions, the nature of the required
resilience type will change. As for example Colbert (2004) highlights changing
implications for strategic human resource management using a complexity theory
perspective of a resource-based-view. Also, Boisot and McKelvey (2011)
exemplify the fundamental re-evaluation of organizational effectiveness based on
the network-structure of the organizational system. Applying either a ‘Gaussian
perspective’ emphasizing linear-additivity and predictability or a ‘Paretian
perspective’ emphasizing non-linearity and emergence has strong implications for
the analysis of system behaviors and structures and therefore substantially
modifies the required variety that will be necessary to adapt and survive (p. 126,
both widely described as related concepts of resilience). New method-sets from
other disciplines such as mathematics, quantum mechanics and complexity
science may enable new streams of resilience research in an organizational
context. However, researchers such asBoisot and McKelvey (2011) highlight the
trade-off between the potential of complex perspectives to enrich and question
simpler assumptions at the expenses of academic rigor and a wide repertoire of
quantitative statistics.
The policy alternatives, organizational practices and intended outcomes will also
depend on the specific type of resilience that is needed and the unique
organizational context. So it is important for policymakers and managers to know
which part(s) of the quadrant they want to operate in. For example, the defensive
resilience types (Prevention & Absorption and Restoration) might emphasize
principles of efficient recovery that align lower policies such as ones that ‘invest
in business intelligence services for anticipating changes’ (so this organization
will invest in prediction) or ‘build sufficient buffer capacity for critical processes’
and practices such as ‘rewarding failure reporting’ to the actual outcomes
(‘number of failures in a given process’).
3.2 Framing organizational resilience types 109
The specific context or type of resilience sought will also affect the menu of
possible instruments for measurement. Measurement in a simple version of
resilience may be well served by Newtonian or Gaussian analysis but will have
significant limits in a more complex or Paretian system. Recovery time and the
amount of accidents are relatively easy to measure, while measurement of the
effectiveness of proactive adaption towards a new state remains an adventure.
Therefore each type of resilience has different implications for decision makers
and theorists. While in particular technical indicators for the earlier resilience
types are already established (e.g. Zobel, 2011), For instance, the development of
more complex indicators still remains at a formative stage.
Many socio-technological systems such as telecommunications, nuclear power or
medicine include a wide set of potential failure modes. Establishing redundant and
robust mechanisms make the system safe from single point failures but also add
more complexity and uncertainty (Hale and Hovden 1998). Hence, we can argue,
that at least in particular complex situations and in face of long-term threats,
where optimal solutions are impossible to reach or even remain unknown, the
ecological resilience types provide a more comprehensive and suitable foundation
of organizational or societal survival.
As technology and human connectedness develop ever-more complex systems
that have the ability to change by self-organization, adaption and continual
learning, the need for theories and models to improve security and survivability
will only increase. Hence, organizations and societies will need to find innovative
ways to deal with risks in socio-technical systems that are more and more
complex and tightly coupled in a world where security, productivity and its
deviations can no longer be disjunctive. The resilience-analysis model presented
here begins the process of enabling organizations find new strategies to cope with
challenges that confront them.
110
4 Resilience Management and Information Systems
Today, decision makers are already equipped with a broad set of information
technology (IT) tools and models to enhance organizational resilience.
Information systems (IS) support resilience management by means of quick
information provision and automated decision support. As explained in the
previous chapter, resilient organizations are forced to adapt to changing needs of
their operational environment. As a consequence, the intensive use of technology
also brought up the need for decision makers such as CIOs to systematically (re-
)organize and manage their IT- and IS-infrastructures to new requirements which
have not been explicitly incorporated into the existing IT design. As we will see in
the subsequent sections, IS play a key role to support managers to maintain and
enhance the resilience of an organization. Therefore, this chapter is dedicated to
transfer the concept of resilience to IS research and Business Informatics37.
In this thesis, a Resilience Management Information System (RMIS) is defined as
a complex set of interrelated components (technology, people, facility, processes)
that collect, process, store, and distribute information to support the operational
resilience management. The remainder of the chapter firstly introduces the notion
of resilience management as a complementary approach to prevailing security-
and risk management approaches (Section 4.1). The next section will discuss
various sources of stress and disruption associated with IT-diffusion (Section 4.2).
IS risk and security management traditionally offer a wide set of approaches to
cope with operational risks. Section 4.3 firstly provides some basics on IS
architectures. Subsequently, it introduces an exemplary research project to show
current challenges and limitations of prevailing IS risk and security approaches.
These shortcomings stress the need to extend IS risk management with resilience.
Consequently, this is followed by a report on the status quo with respect to IS
research and a scientific-programmatic view of the upcoming research questions
37 This chapter is based on revised versions of Koslowski and Zimmermann (2013); Müller and Koslowski (2012); Müller et al. (2013); Fenz et al. (2013).
4.1 From risk management to resilience management 111
in this area (Section 4.4). Finally, the chapter derives foundational requirements
for the design of RMIS and paves the way for the design of PREDEC, an IS
artifact for detection of process-centered resilience.
4.1 From risk management to resilience management
How organizations manage turbulence has been a core issue in organizational
literature. Today, many organizations have integrated risk management and
contingency planning to respond to disruptions and crisis. This “hard paradigm”
(Perelman, 2006, p. 24) of conventional organizational security and safety
emphasizing risks mitigation and prevention is strongly influenced by engineering
and Taylor’s “scientific management”, but also by Max Weber’s bureaucratic
administration (Grote 2009, p.30). The conventional views were developed under
the assumption that uncertainties can be designed out of the system by prescribed
procedures and controls (Grote 2009; Perelman 2006). For instance, Erik
Hollnagel described this paradigm of protection in the field of safety management
as “safety by design” (Hollnagel, 2008, p. 1). Safety by design - also termed
“analytical safety” - is rather a requirement than an option to ensure continuous
operations of an organization as “all possible, or practicable, precautions needed
to ensure an acceptable level of safety are taken ahead of time”. Therefore, the
“mechanistic” or “Tayloristic” design methodologies emphasizing resistance are
appropriate for firms who are operating in a stable market with little or no
uncertainty on the horizon (e.g. Grote 2009 and Chapter 3), but have their limits
in hypercompetitive and dynamic markets as for instance (Nohria, 2006) notes:
“Much of the organizational thinking about […] crisis management in
general has focused on preparation. […] This is necessary but not
sufficient. In the complex and uncertain environment of a sustained,
evolving crisis, the most robust organizations will not be those that simply
have plans in place but those that have continuous sensing and response
capabilities.”
In contrast to conventional approaches of the “protection paradigm” (Jackson,
2009, p. 14), the interest in resilient organizations that can “bounce back” from
4.1 From risk management to resilience management 112
some sort of challenge and even thrive (“bounce forward”) is clearly related to the
recent unpredicted economic events that swept the globe and the socio-political
uncertainty that flowed from them. This “soft paradigm” (Perelman, 2006, p. 24)
is therefore associated with adaption and resilience. There is no competition but
rather a complementary relationship38 between the different paradigms. But the
evolving resilience paradigm requires a fundamental shift to different visions,
strategies and capabilities (as indicated in Table 7).
38 Some authors even presume an overlapping relationship, e.g. Kahan et al. (2009); Sheffi (2007); Avizienis et al. (2004).
4.1 From risk management to resilience management 113
Table 7: From Protection to Resilience39
Paradigm Control / Resistance Adaption / Resilience
Risk Concept
Perception of deviation
Engineering
• as to be avoided symptoms of inefficient system design
Human Factor
• as opportunity for use and development of competencies and for systems change
Protection Goal Strategic Focus Management Objectives
hardening potential targets against threats
aligned toward criticalness
• minimizing • reducing operative degree of
freedom through procedures and automation
softening the brittleness of potential threats
aligned toward brittleness
• coping • maximizing operative
degree of freedom through integrative complete tasks and lateral cooperation
Management and Design
Organization
System Coupling Leadership Workforce Competencies Governance
Hierarchical
• Tightly coupled • Centralized leadership • Concentrated workforce • Specialists • Policy and procedure driven
Networked
• Loosely coupled • Distributed leadership • Dispersed workforce • Cross-trained generalists • Guided by simple yet
flexible rules
Design strategies • Armoring, strengthening,
oversizing, resistance, isolation
• Diversity, adaptability, cohesion, flexibility, renewability, regrowth, innovation, transformation
4.1.1 Risk concept By comparing the distinctive paradigms of managing turbulence, one can observe
key differences regarding the concept of risk and how operators perceive
variability/deviations.
39Adapted from Grote (2009); Hollnagel (2008); Nohria (2006); Park et al. (2013); Perelman (2006).
4.1 From risk management to resilience management 114
The dominant approach of control and resistance is rooted in engineering and the
related (analytical) risk management approach (Park et al., 2013). Generally, a
fundamental assumption of this traditional security paradigm is that system’s
components have a bimodal functioning, i.e. they function correctly or they fail.
Deviations and inefficiencies are seen as failures, and source of hazard and the
object or activity that needs protection are separated. Hence, the management of
risks – attempted to prevent system failures - is based on the identification and
quantification of the product of threats, vulnerability and consequences in order to
eliminate or mitigate the negative symptoms by corrective actions (Park et al.,
2013).
Organizations are faced with different types of risk such as hazards, financial,
operational or strategic risks. Operational risks are generally defined as those risks
that affect an organization’s operations (internal activities). They are usually
arising from the actions of people, systems and technology failures, failed internal
processes, but also external events (e.g. Allen and Cebula, 2011; Fenz et al., 2011;
Haimes, 2009a; Prokein, 2008; Tjoa et al.). Traditional (operational) risk
management often involves statistical analysis attempting to predict future
occurrences to judge whether the risk is worth the reward or if the risk can be
mitigated through different responses depicted in Figure 23:
4.1 From risk management to resilience management 115
Figure 22: Traditional Risk Management Instruments40
Risks with high probability and high magnitude should be prevented and finally
avoided. This requires the ability to predict the outcomes and take a proactive
action to circumvent. Those risks with relatively high probability and moderate
magnitude should be mitigated, for example via adaption, risk reduction, or
diversification (hedging). Adaption requires timely reconfigurations while risk
reduction is achieved by means of controls such as safeguards or quality
management. Risk diversification (hedging) calls for a broad set of alternative
systems, processes or resources. Risk transfer by means of insurance41 is
appropriate for bad events with low to moderate probability but high magnitude of
impacts. Finally, those risks that exhibit low probabilities and low impacts can be
accepted and absorbed. This can happen by having sufficient buffer capacity (such
as redundant back-up systems or slack) that enables the system to withstand stress
without having to reconfigure itself.
This works well for situations where risk is known or can be approximate based
on historical data and subjective assumptions (Longstaff, 2005; Perelman, 2006;
Smith and Fischbacher, 2009). However, such risk analysis consisting of both risk
assessment and risk management have their limits in the following situations
40 Adapted from Prokein (2008, p. 100). 41 Beside traditional insurance premiums, their exist a wide range of alternative options of risk transfer, such
as securitization, derivatives, debt obligations (for an overview e.g. Prokein (2008, pp. 91f.)).
4.1 From risk management to resilience management 116
(Longstaff, 2005, p. 10): where hazards are simply unknown or when some
known events exhibit low-probability but high impacts (compare e.g. (Longstaff,
2005; Perelman, 2006), Chapter 3). Such risks can emerge through nonlinear
interactions among system components and finally may result in cascading or
multiple and simultaneous failures (Park et al., 2013). Thus, problems and
limitations refer to the identification and understanding of probabilities, but also
to the understanding of how failures propagate and amplify within and across
complex systems (Smith and Fischbacher, 2009). For instance, the calculation of
asymmetric probability distribution functions (such as power law distributions, for
example Boisot and McKelvey, 2011) is problematic since they lack
representative set of historical data and the ability to determine meaningful
measures of mean and variance. Moreover, “systematic bias in risk analysis”
(Park et al., 2013) can often result in underestimation (“false sense of security”)
or even ignorance of such risks (Perelman, 2006, p. 27; Taleb, 2008).
Within the resilience paradigm, acknowledging the complexity and rapidity of
change, a system cannot be completely specified. It rather must vary to meet
changing conditions and demands. Hence, variability and permanent adjustment,
particular based on human’s capacity to adapt, is an inevitable asset to ensure
functioning of an organization42. However, as noted by (Dekker, 2003), at the
same time, variability and human adjustments can also harm security when it
combines unexpectedly. Different from traditional risk management with
emphasis on ex-ante identification, resilience in a complex systems context is an
emergent property that can only be observed after an event has occurred (an ex-
post approach of resilience management is presented in the subsequent sections).
The distinct risk concepts between traditional risk and security management vs.
resilience management are depicted in Figure 24. Risk assessment in security
management often means the process to identify risks relative to threats and
vulnerabilities. Here, operators attempt to manage the conditions of risk by
42 As one can see in the following subsection, resilience management forms a positive view of deviation. Variability is linked with the openness to new developments and innovative experimentation, both fundamental for daily success Hollnagel et al. (2006), Hollnagel (2008, 2009), as well as sustainable competitive advantage (Hamel and Välikangas 2003; Lengnick-Hall 2005).
4.1 From risk management to resilience management 117
reducing the likelihood of threats and vulnerabilities that are determined by
conditional factors (actors, motive, and outcome). In opposition, operational
resilience management aims to reduce effects on organizations by managing the
consequences.
Figure 23: Risk Elements and Management Implications43
According to the taxonomy of (Allen and Curtis, 2011; Allen and Cebula, 2011;
Allen et al., 2011; Allen and Davis, 2010; Caralli et al., 2010), outcome refers to
unwanted or unintended results of an actor with a motive exploiting a weakness,
exposure, or vulnerability. In contrast, consequence refers to the impact on a
person or organization as a result of the exploitation. For example the outcome of
a technical failure can be the access detention to a sales information system, while
the impact for the affected organization might be a loss of $50.000 in revenue per
hour.
To sum up, the ex-ante risk management approach is suitable to address
anticipated risks; in contrast, operational resilience management, as an ex-post
approach, intends to support an organization to continue its mission despite/after
disruption.
43 Adapted from Allen and Cebula (2011).
4.1 From risk management to resilience management 118
4.1.2 Protection goal A further distinction between conventional protection and resilience can be drawn
regarding the strategic focus and the related objectives for management and
design:
Within the established paradigm, the operational concept of safety and security
has a focus on singular, concrete assets and hardening against a range of
imaginable threats (Perelman, 2006, p. 27). The established approach is to try to
reach a state44 that is marked by the absence of something (bad) by means of
minimizing uncertainty and variability (Hollnagel, 2008). To contrast protection
and resilience as two different perspectives on safety, Erik Hollnagel introduced
Theory W and Theory Z: According to the first idealized position of Theory W,
safety and efficiency are to be achieved because: Systems are well designed and
scrupulously maintained; procedures are complete and correct; people (system
operators) behave as expected/as they are taught; designers can foresee and
anticipate any contingency (Hollnagel, 2008, p. 3). Different types of failures and
malfunctions can threat normal performance. Accordingly, safety is achieved by
constraining performance (variability) in multiple forms as depicted in Figure 25.
The shift from functioning (normal operation) to malfunction can happen either
gradually in form of drift or slow misalignment, or in form of an abrupt transition.
The solution to manage uncertainty and variability is to constrain the performance
through strengthening barriers and controls such as regulations and procedures
(Hollnagel, 2008, p. 3).
44 According to advocates of resilience engineering, former safety models treated safety as something a system has, rather than something a system does (e.g. Hollnagel et al. (2006); Hollnagel (2008)).
4.1 From risk management to resilience management 119
Figure 24: Safety by constraints45
In contrast, the resilience paradigm takes a holistic view of complex adaptive
systems by softening the brittleness of the system by reducing vulnerabilities
through redundancy, dispersal, reduced scale, self-healing capabilities, accelerated
recovery and more graceful failure modes (Perelman 2006; Grote 2009). That is
similar to Hollnagel’s oppositional idealized position termed Theory Z. This
position emphasizes that (performance) variability is not only inevitable but also a
source of success. Moreover, the functioning of socio-technological systems is
based on the acceptance that humans are key to proper the functioning of
organizations because of their inherent capacity to adapt. For this, he gives
following reasons: people learn to overcome design flaws and functional glitches;
they adapt their performance to meet demands as they further interpret and apply
procedures to match conditions; designers can detect and correct when things go
wrong. Here, the solution to manage uncertainty and variability is to identify
situations where normal performance variability may composite unwanted side-
effects. Continuous monitoring seek to discover how the system functions in order
to select and implement appropriate controls to dampen the threatening impacts of
performance variability. Hence, decision makers should try to understand the
45 From Hollnagel (2008, p. 3).
4.1 From risk management to resilience management 120
nature of performance variability, and specifically the underlying forces (internal
and external factors) as depicted in Figure 26.
Figure 25: Safety by Management46
4.1.3 Management and design Conventional security practices often follow a ‘top-down’ or ‘command and
control’ approach (compare the explanations of mechanical and organic
management systems previously accomplished in Chapter 3). Such hierarchical
and tightly-coupled systems allow efficient and immediate response (Longstaff et
al. 2010). Centralized leadership can control the concentrated and specialist
workforce based on strict policies and procedures (Nohria 2006). Such feed-
forward oriented control can feature high efficiency in responsiveness in face of
anticipated disturbances (Grote, 2009). But analytical study and empirical
observation of modern complex systems indicate that such tightly controlled
systems often behave in counterintuitive, unintended ways with the potential of
46 From Hollnagel (2008, p. 4)
4.1 From risk management to resilience management 121
producing even catastrophically damages (Perrow, 1984). Moreover, according to
many conventional approaches to safety and reliability management that often
tend to take a technological optimistic perspective47 (e.g. Grote, 2009; Hollnagel
et al., 2006; Nemeth et al., 2009; Perrow, 1984; Weick and Sutcliffe, 2007),
humans are often perceive as a liability causing variability. As variability is seen
as a threat, the purpose of design is to constrain variability so that efficiency can
be maintained.
In contrast, resilient organizations treat humans as an asset that enable a proper
functioning of modern technological systems (Hollnagel, 2008). Thus, scholars in
the fields of safety management and organizational reliability (e.g. (Butler and
Gray, 2006; Hollnagel et al., 2006; Weick and Sutcliffe, 2007; Roberts, 1990)
argue that organizational design should concentrate on flexible, local and situated
action (Grote, 2009). These scholars further conclude that loosely coupled
organizations are better prepared to tolerate perturbations in subsystems (Weick
and Sutcliffe 2007). A networked organization characterized by distributed
leadership and dispersed workforce with diverse skills and experiences might be
superior in sensing threats and coordinating actions in the occurrence of surprising
events (Comfort et al., 2001; Grote, 2009; Mallack, 1998; Nohria, 2006).
Conventional risk approaches seek for system design that is resistant to identified
threats by means of several design principles. Classical resistant design strategies
include prevention, “resistance that keeps the bad thing(s) from happening”
(Longstaff, 2005, p. 25). This “fortification” is found in many fields of
application. For instance, oversizing or strengthening hardship of barriers can be
found in armored vehicles in military operations, or isolating assets from others
by means of ordinary security principles based on access control (Müller and
Koslowski, 2012; Park et al., 2013; Perelman, 2006). Contemporary design
practices are typically favoring efficiency over thoroughness (Hollnagel, 2009).
Thus, design is mainly approached as a process of hierarchical decomposition. In
this sense, the overall system function and architecture is developed first and then
the systems and subsystems are designed accordingly (Fiksel, 2003, p. 5332).
47 The optimistic view of technology is also dominant in IS research Butler and Gray (2006).
4.1 From risk management to resilience management 122
Some resilience scholars claim that there is a need to shift from conventional
practices by integrating risk and resilience approaches (Fiksel, 2003; Park et al.,
2013; Petersen and Johannson, 2008). The problem of current engineering starts
with a too limited system’s definition in the early stages in the design phase. This
means that only a portion of variables that actually affect the system are
considered. Hence, where traditional design thinking with a narrow focus of
protection and control dominates, failure can often be brittle and catastrophic: The
designer might fail to consider consequences of several threats that might occur
outside the defined system. Moreover, the design tends to putting too little
emphasis on different agent’s capabilities to respond to adverse events (Petersen
and Johannson, 2008, p. 162). Furthermore, another perverse outcome of
catastrophe is sometimes a more determined application of conventional
protective measure that failed in the first place, such as building higher levees or
sea walls, reinforcing existing structures, or armoring vulnerable targets (Park et
al., 2013; Perelman, 2006; Senge, 1997).
Additionally, prevailing design is often based on incremental adaptations of
previous approaches. But in some instances, incremental adaptation can actually
lead to the degradation of a safe structure over time due to asynchronous
evolution (emergence) , where only a minor change is made, but fails to fit with
changes in the connected parts (Park et al., 2013; Perrow, 1984), leading to
undesired consequences. Hence, defining system borders for design becomes
increasingly difficult since our infrastructures and services are becoming more
and more interconnected. This increasing interconnectedness and interdependence
might bring up the need to expand the (scope of) the system model that also
includes other systems that are only indirectly affected by the current design
changes (Petersen and Johannson, 2008, p. 163). However, managing for
resilience highly relies on expanding decision making boundaries, dialogue and
coordination also across organizations48(Comfort et al., 2001; Grote, 2009;
Longstaff et al., 2010; Mallack, 1998; Nohria, 2006).
48 As we will learn in Chapter 6, the reluctance of organizations to share information regarding their system architecture, make it difficult to incorporate external knowledge in the design and management process.
4.1 From risk management to resilience management 123
Resilience is a novel way of design and management thinking that relies on an
understanding of structures and behavioral patterns of a system (Gunderson, 2002;
Walker and Salt, 2006). The often unpredictable nature of complex systems calls
for cautious design principles. Hence, (socio-technological) systems should poses
adaptive capacity to cope with unexpected events. Regardless of the field of
application, the following design principles enhance adaptive capacity and finally
resilience: Resilient systems should exhibit diversity, a broad set of different kinds
of components that build up the system (Fiksel 2006; Walker and Salt 2006). With
regards two resilience, there are two types of diversity that are particularly
important (Walker and Salt, 2006, pp. 64–73): functional diversity refers to the
range of functional groups that a system depends on. For example in ecological
systems, this might include groups of different kinds of species like trees, grasses,
deer, wolves, and soil. Functional diversity means that species do different things
and therefore underpins the performance of a system. In management, this type of
diversification is widely used for risk-mitigation, e.g. in terms of business and
product diversity (Hitt et al., 2011), or a diverse portfolio of investments in
banking or insurance (Prokein, 2008). The other type is response diversity, the
range of different response types existing within a functional group. In ecology,
species with the same basic service/function respond differently according to
conditions (such as changes in temperature, pollution etc.) (Walker and Salt,
2006, pp. 64–73). This in-built redundancy can effectively increase the resilience
of multiple systems: For instance in IT-security, it is widely accepted to decrease
the vulnerability by using different computer systems, e.g. different operating
systems or email-applications. In the same field of application, the use of
redundant systems such as back-up systems and distributed systems is very
natural to IT-security and dependability experts (e.g. Wolter, 2012; Avizienis et
al., 2004; Sterbenz et al., 2010). Another design feature is modularity as it allows
the containment of propagating failures (e.g. (Longstaff, 2005; Madni and
Jackson, 2009).
Resilient practices are not limited to structural or technological changes, but also
strongly rely on behavioral or cultural innovations (McCann and Selsky, 2012;
Stephenson et al., 2010): According to (Dekker, 2003, p. 233), organizations
4.1 From risk management to resilience management 124
should “invest in understanding the gap between procedures and practice, and
help develop operators’ skill at adapting”. For this, he concludes that
organizations need to “(a) Monitor the gap between procedure and practice and try
to understand why it exists (and resist trying to close it by simply telling people to
comply). (b) Help people to develop skills to judge when and how to adapt (and
resist telling people only that they should follow procedures)” (Dekker, 2003, p.
236). This is similar to the notion of mindfulness (introduced in Chapter 3), that
presumes that “unvarying procedures can’thandle what they didn’t anticipate”
(Weick et al., 2007).
The importance of cognitive capabilities for resilience is also underpinned by
Hollnagel’s “Four cornerstones of resilience” (depicted in Figure 27): According
to Hollnagel, a resilience management process can be modeled as a cycle
including responding, monitoring, anticipating and learning (2011, p. xxxvii):
Figure 26: Four cornerstones of Resilience Engineering49
• Responding is the ability to address the actual: it requires knowing what to do, e.g., how to respond to regular and irregular disruptions and disturbances by adjusting normal functioning;
49From Nemeth et al. (2009, p. 121); Hollnagel (2011, pp. xxxvii;279)
4.1 From risk management to resilience management 125
• Monitoring is the ability to address the critical: it demands knowing what to look for, e.g. how to monitor that which is or could become a threat in the near term (either from the environment or within the system);
• Anticipating is the ability to address the potential: it aims to knowing what to expect, e.g., how to anticipate developments and threats further into the future;
• Leaning addresses the ability to address the factual: it involves knowing what has happened, e.g., how to learn from experience.
Another popular set of resilience management principles is proposed by Weick
and Sutcliffe’s “High Reliability Organizations”. While the previously introduced
“Normal Accident Theory” can be regarded as a “pessimistic” perspective on
safety management, the concept of HRO attempts to capture an “optimistic view”
on organizational safety (Roberts, 1990). HROs actively pursue reliability by
means of adaption and mindfulness to enable efficient responses to stress and
disturbances. HROs’ main principles are:
• Preoccupation with failure: HROs give strong attention to weak signals such as “near-misses” and treat any lapse as something wrong with the system. Unanticipated outcomes and incidents may be analyzed in depth, as the coincidence of several separate small errors may have severe consequences;
• Reluctance to simplify: HROs accept that the world they face is complex, unstable and unpredictable. Attempts at simplification could lead to the non-detection of failures and consequently a crisis might occur;
• Sensitivity to operations: they encourage situation awareness among frontline workers and allow continuous adjustments to current operational information;
• Commitment to resilience: HROs develop capabilities to detect, contain and bounce back from the inevitable errors by training and preparing personnel with deep and varied knowledge;
• Deference to expertise: HROs push decision making down to the people with the most expertise in order to make better decisions, because they know the most about the problem (Weick and Sutcliffe, 2007).
Based on the HRO principles, scholars in the field of safety management claim
that resilience is built on mindfulness rather on than on routines and complex
compliance management systems. Such adaptive approaches (to safety) do not
4.2 IT-induced sources of stress and disruption 126
imply an abandonment of procedures, but rather a more demanding informed
culture of attention. Turbulence or performance variability demand organizational
sensitivity to operations: the timeliness and density of information presented to
decision makers is critical in determining whether something becomes an
opportunity or a threat (McCann and Selsky, 2012, p. 105).
Mindfulness allows detecting important aspects of the context and taking timely,
appropriate action. However, according to the HRO principles above, in
organizations the processes of perception are often separate from the processes of
action. Front-line employees are often most knowledgeable about the actual state
of its operational system. For example, sales people who interact regularly with
customers are often most aware of shifting needs and demand. However, these
individuals rarely are capable of fundamentally changing the direction or priorities
of the organization (which is usually the responsibility of higher management
levels). Thus, mindfulness requires organizations to combine quick detection with
the capability to make significant decisions. This may involve open decision-
making authorities or taking steps to increase top management’s ability to
perceive the important signals (Butler and Gray, 2006; Riolli and Savicki, 2003;
Weick and Sutcliffe, 2007).
Yet, in order to achieve mindfulness and finally organizational resilience, RMIS
must promote timely and accurate information to enable quick responses. This is
also stressed by Weick (2003) who states that effective resilience requires quick
accurate feedback. Hence, the next sections address the role of IT and IS50 for
organizational resilience.
4.2 IT-induced sources of stress and disruption
Before discussing the relationship between resilience research and the IS field in
detail, the next section is intended to reconsider the “dark side” of IT for
50 A differentiation between IT and IS is given by Boudreau (2008): IT is capable of information transmission, processing, or storing, whereas IS depict “integrated and cooperating set[s] of software using IT to support individual, group, organizational, or societal goals" Boudreau et al. (2008, p. 2).
4.2 IT-induced sources of stress and disruption 127
organizational resilience by introducing various sources of stress and disruption
associated with an ongoing IT-diffusion.
The importance of information technology (IT) brought up the urgent need to
ensure its continuous and reliable operation and to protect the processed and
stored data. The intensive use of interconnected and complex IT-systems incurs
risks with increasingly severe disruptive effects. The double-edged role of
information systems for coping with complexity and disruption has been a major
theme in prior computer science and IS research (for an overview e.g. Avizienis et
al., 2004; Butler and Gray, 2006; Caralli et al., 2010; Fenz et al., 2011; Seo and
La Paz, Ariel I., 2008; Sterbenz et al., 2010; Tanriverdi et al., 2010; Tjoa et al;
Wolter, 2012).
For instance, Tanriverdi et al. (2010) discuss how IT has contributed to increasing
complexity of operational environments “by fusing into the fabric of products,
services, and business processes and by increasing the diversity, adaptiveness,
interconnectedness, and interdependency of firms (p. 823)”. This complexity
increase arises by the co-evolution between global and economic pressures on the
one hand and the pervasiveness of technological on the other hand. The global
economy brings requirements for more open borders to compete and thrive.
Moreover, open boarders introduce additional stress and exhibits risks outside the
focal firm’s control. For instance, outsourcing can often cause core competencies
to diminish while the dependency on upstream partners steadily grows (Tanriverdi
et al., 2010, pp. 823f.). In order to keep pace with the volatile and highly
competitive business landscape, companies attempt to optimize their business
processes by intensifying IT usage. But more technology comes also along with
more complexity: The sources of competitive advantages increasingly rely on
intangible resources that are more challenging to identify, locate and protect
(Caralli et al., 2010, pp. 15f; Seo and La Paz, Ariel I., 2008). Further, as processes
evolve, new technologies can introduce new risks. This is depicted in Figure 28.
4.2 IT-induced sources of stress and disruption 128
Figure 27: IT-induced sources of stress and disruption
The IT-diffusion raises complexity, dynamics, and vulnerability by multiple ways:
An example of IT-induced complexity in terms of products is the automotive
industry where more than 80% of innovations come from computer systems and
software that improve technical performance, safety, convenience, and energy
consumption (Tanriverdi et al., 2010, pp. 823f.). Today, a premium car contains
around 100 million lines of software code that executes on more than 70
microprocessor-based units. Nowadays, cars have become “a platform for IT-
innovations that interconnect car components and increase their mutual
dependencies”. This development is accompanied by significant economic effects:
Firstly, the costs of IT in cars climbed from 5% of total costs in the 1970s to more
than 15% today (ibid.). Secondly, the complexity has further led to emerging
unintended and unpredictable safety and reliability problems. Tanriverdi et al. cite
a study conducted by IBM estimating thatin 2009 approx. 50% of all car warranty
costs related to IT-failures (2010, p.823).
IT-induced complexity is also evident in entire business systems in terms of
interdependence and in terms of inter-connectedness (Butler and Gray, 2006;
Caralli et al., 2010; Tanriverdi et al., 2010): IT-enabled interconnections have
promoted the rise of business ecosystems (e.g. (Kim et al., 2010) and Chapter 6)
where industry and market-boundaries have blurred. In those ecosystems,
different actors, such as dominant platform leader and complements, have
4.2 IT-induced sources of stress and disruption 129
developed various types of nonlinear dependency relationships that are often
asymmetric and unpredictable. Today, companies are faced with turbulent
disruptions and cascading effects across a wide range of industries. For instance,
in the financial sectors, interactions between automated trading software can
create anomalous stock trading patterns; seemingly minor problems of a supplier
can cause serious disruptions for the integrated supply chain (as for example in
the Nokia case described in Chapter 3); and also software problems can trigger
widespread power outages (Tanriverdi et al., 2010).
The work by (Seo and La Paz, Ariel I., 2008) also identified and discussed several
problems of IS with regard to their impact on organizational agility. One major
problem arises with the overwhelming collection of data: Most organizations are
confronted by floods of data from a variety of sources, which creates information
overload and exacerbates identification and interpretation of changing business
needs. Among other problems, the authors point out two major obstacles that
hinder effective responsiveness: a lack of standardized data that require time
consuming conversion, and the increasing management efforts due to IT-usage
(Seo and La Paz, Ariel I., 2008).
All these examples underpin the need for organizations to reconsider also the
threats and vulnerabilities that arise with extensive IT-usage. Because despite the
fact that implementation of technology provides demonstrable opportunities for
organizational effectiveness and efficiency, it also increases the likelihood of
disruptions and failures. But as highlighted in the previous chapters, being
responsive in cases of unexpected disruptions is already a major challenge for
management. However, achieving resilience by means of IT and IS is even more
challenging as IT systems are generally developed to fulfill predefined properties,
and offer a hard-wired set of exception handling functionalities. Therefore,
organizations and its decision makers are increasingly forced to rethink how they
address the security and reliability of their IT-infrastructure and the supported
business processes. Traditionally, this has been object of experts in the field of IT-
security, information risk management and business continuity management
(Caralli et al., 2010, p. 17).
4.3 IS management fundamentals 130
The next section is dedicated to briefly introduce the reader with fundamentals on
IS and IS security and risk management in particular. This is followed by an
introduction of recent challenges and efforts of IS risk and security management
(Subsection 4.3.2).
4.3 IS management fundamentals
Today, companies are enabled to act on global markets by help of modern
information technology (IT) and information systems (IS). IS scholars, such for
instance (Laudon and Laudon, 2010), suggest the following differentiation
between IT and IS: While IT consists of hardware and software an organization
uses to achieve its mission, IS can be understood as a complex set of interrelated
components that collect, process, store, and distribute information to support
decision making and control in an organization. Additionally, IS may also support
users in problem-solving and the development of new products (p. 45-46).
In order to support organizations with appropriate information, a typical firm will
usually make use of different types of IS such as Enterprise Resource Planning
(ERP) Systems (Koslowski and Strüker, 2011), Managements Information
Systems (MIS) or Supply Chain Management (SCM) Systems (for an overview,
e.g. Laudon and Laudon, 2010, pp. Chapter 2). To overcome complex and
complicated computing tasks, so-called decision-support systems (DSS), are
intended to support human decision making. DSS initially have emerged in the
1970's, coupled with the introduction of IT infrastructures. Until now, their
evolution has not stopped and contemporary IT infrastructures such as the internet
still improve the development of DSS (Power, 2008). Power (2008) provides a
more detailed history of DSS. As a subgroup of IS, DSSs depict computer
technology solutions which provide relevant data and information to decision
makers in order to support problem solving and complex decision making;
thereby, the provided information allows for enhanced efficiency and rationality
(Power, 2008). In this regard, Power identifies three major characteristics of DSS
(Power, 2002): (1) Facilitation of decision processes; (2) Focus on support rather
than automation of decision making; (3) Quick response to changing needs of
decision making processes. Power (2002) further notes that DSS "should be
4.3 IS management fundamentals 131
considered when two assumptions seem reasonable: firstly, good information is
likely to improve decision making; and secondly, managers need and want
computerized decision support".
As we will see in the subsequent chapters, in terms of organizational resilience
and sustainability, both assumptions seem to be reasonable. On the one hand,
visibility is essential in order to improve resilience and reduce vulnerability of
organizational structures and processes; on the other hand, decision making in
complex supply networks would not be feasible without computational support.
Therefore the provision of supporting information is essential for successfully
developing resilient and sustainable organizations.
Despite the fact that the application of ICT entails various benefits for
organizational sustainability and resilience (see the following chapters), a recap of
section 4.2 shows that an excessive expansion of IS may also increase complexity
and therefore enhance the vulnerability towards disruptions. Hence, the
consideration of complexity-efficiency trade-offs in IS architecture is important.
As introduced in the beginning of this chapter, the main components of IS
architectures are technology (such as hardware and software), people and data. In
order to store and proceed data in a systematic way, IS use databases, generally a
collection of related records organized and structured manner that can be retrieved
efficiently. Hence, IS are key to support organizations to support operations,
knowledge work, and management and organization. For operational support, IS
rely on transactional processing systems that help to integrate all tasks and
resources required to design, market, produce, and deliver products and services.
The other role of IS refers to management support, such as DSS, MIS, knowledge-
management-systems (e.g. Power, 2002; Laudon and Laudon, 2010). As IS have
an undeniable impact on the operational performance (McAfee and Brynjolfsson,
2012), they are also key-enabler for organizational resilience: Resilient
organizations invest in awareness and mindfulness, as they actively scan and
engage in sensemaking of what they perceive and experience, and are able to
derive insights from deviations detected (McCann and Selsky, 2012, p. 46).
Building awareness requires well-developed information gathering, filtering,
4.3 IS management fundamentals 132
sharing, and decision making processes that support sensemaking. Information
systems form the basis of awareness-building, as they collect, coordinate and
validate information from different and distributed sources. Organizations need to
employ analytical tools and technologies such as Data Mining, for handling the
overwhelming amount of data and information.
Before describing the goals and requirements for the design of Resilience
Management Information Systems, the next subsection is dedicated to provide a
brief overview of two widely used IS-architectures, Enterprise Resource Planning
(ERP) and Workflow Management Systems51 (WFMS), that enable decision
makers to deal with the growing data quantity and quality, and consequently to
react to changes quickly. Hence, specialists who are familiar with these IS may
want to turn directly to the next subsection 4.3.2. Here, the reader will shortly be
introduced to IS risk and security management.
4.3.1 ERP and WFMS
IT systems that focus on process management and improvement help
organizations to fulfill their operational missions. Generally speaking, processes
are structured specifications of personnel and business data usage that run (at
least) semi-automated in an IS. Today, the vast majority of organizations see the
necessity to explicitly model their business processes in order to apply automated
analytical and optimization techniques. A major advantage of process-orientated
management is the decoupling of infrastructure and organizational workflows as a
means to enhance enterprises’ overall performance and effectiveness. Examples
for systems building upon processes can be found in very different domains and
range, e.g., organizations’ supply chains, banking, backbone infrastructure to parts
of critical infrastructure such as smart grids or nuclear power plants (Vom Brocke
and Rosemann, 2010). Very popular IS architectures for managing and improving
business processes are Workflow Management and Enterprise Resource Planning
(ERP) systems.
51 WFMS can be defined in various ways. However, almost every definition defines WFMS as a sub-area of Business Process Management (BPM) Systems van der Aalst (2004). A deeper investigation of BPM will follow in Chapter 5. Till then, the terms WFMS and BPM will be used interchangeably.
4.3 IS management fundamentals 133
Although both classes of IS-architectures focus on business processes, they
exhibit distinct features and approaches. According to (Cardoso et al., 2004),
under a WFMS, a workflow model is first created to specify organizational
business processes, and then workflow instances are created to carry out the actual
steps prescribed in the workflow model. During the workflow execution, the
workflow instances can access legacy systems, databases, applications, and can
interact with users. On the other hand, ERP systems are implemented around the
idea of prefabricated applications. To achieve better “fit” between the
prefabricated applications and the needs of the organization, ERP systems must be
“customized” by setting various application parameters. However, the workflow
model in conventional ERP systems is not explicitly specified because it is
embedded in the applications and the parameter tables.
Figure 28: WFMS and ERP systems52
Figure 29 represents one of the key differences between WFMS and ERP systems.
One way to better understand these differences is to distinguish between flow
logic and function logic. Function logic deals with a specific task, such as
updating a customer record or calculating order discounts, while flow logic deals
with combining many functions in some sequence to solve more complex
problems such as processing an order. In ERP systems, flow logic and function
logic are both embedded in applications and parameter tables. In contrast, a
52 From Cardoso et al. (2004).
4.3 IS management fundamentals 134
WFMS separates the two explicitly. Flow logic is captured in a workflow model,
usually graphically represented, and function logic is captured in the applications,
data, and people the model invokes. Thus, a WFMS enable developers to separate
the flows among a system’s components (applications, data, and resources) from
the workflow model. Workflow systems are process-centric, focusing on the
management of flow logic. On the other hand, ERP systems are data-centric,
focusing on managing function logic via a common homogeneous data
infrastructure across the organization to support multiple applications.
Cardoso et al.(2004) compare the IS-architectures along three main dimensions:
domain scope, technological scope, and system implementation, summarized in
Table 8.
Table 8: WFMS vs. ERP Systems53
WFMS ERP systems
Domain Scope • Customized processes
• Domain independence
• Ad-hoc and dynamic domains
• Embedded processes with some customization
• Domain specific
• Static domains
Technological Scope • Process-centric
• Supports workflows involving humans, IT applications, and transactional workflows
• Heterogeneous and autonomous environments
• Data-centric
• Transactional workflows
• Homogeneous environments with common data infrastructures
System Implementation • Workflows are manually
designed and the corresponding code is automatically generated
• May require data conversions
• Based on pre-written “off-the-shelf ” components
• Require data conversions
The domain scope captures the suitability of an IS for a specific application type.
The capability of WFMS to uncouple flow logic from functional logic, and to
53 Adapted from Cardoso et al.(2004).
4.3 IS management fundamentals 135
integrate different kinds of data, applications and resources allows an application
in a wide range of domains. In opposition to this, ERP systems are largely domain
specific as they are built on reference models, including predefined libraries of
business processes for diverse functions (including underlying data and process
models). Thus, ERP has usually more difficulties to support ad hoc and
heterogeneous processes compared to WFMS.
The technical scope describes differences in technological capabilities. WFMS are
well suited for controlling and coordinating process executions of multiple tasks
that require access to heterogeneous, autonomous and distributed systems with
high human involvement (Antunes and Mourão, 2011). Instead, ERP are data-
centric, as the focus lies on the integration of interoperable databases and
structured data transactions.
The last dimension covers implementation issues such as code generation and data
conversion. ERP systems are usually composed of prescribed software modules
available “off-the-shelf” and require data conversions for further module
integration (Cardoso et al., 2004; Koslowski and Strüker, 2011). WFMS on the
other hand are not module-oriented and the deployment of applications is usually
accomplished with little programming. As they do not require a uniform and
interoperable data infrastructure, a data conversion is not mandatory but may be
helpful for organizational purposes (Cardoso et al., 2004).
Despite the differences between ERP and WFM systems, both IS architectures are
widely used in practice for managing business processes. Moreover, there is an
ongoing trend that both system types are increasingly integrated with each other.
However, the goal of this section was to provide the reader some basic knowledge
on IS architectures by giving a brief comparison between ERP and WFM systems.
Both system architectures will be subject of two IT artifacts introduced in Chapter
5 and 6.
4.3.2 IS risk management As illustrated in the previous section, managing evolving IT risks is imperative for
modern organizations to ensure resilient operation and to protect the transmitted
4.3 IS management fundamentals 136
and stored data (Butler and Gray, 2006)54. Beside the disruptions and stress-
factors described above, legal frameworks, such as the Sarbanes-Oxley act and
Basel II/III, demand decision makers to define mitigation strategies for their
operational IT risks. However, since data protection, privacy regulations, and
security standards are a complex range of requirements to which decision makers
have to respond, organizations are increasingly forced to rethink how they
perform risk and compliance management and, equally, how they address the
security and resilience of their business processes. There is, thus, a pressing need
for an overarching resilience management information system able to provide
context and coherence to risk and compliance activities.
To date, though, organizations have mostly relied on best practice guidelines,
information security standards, or domain experts to conduct the risk assessment
and mitigation phases. The prohibitive costs of such approaches can lead to the
ignorance of risk assessment. In fact, according to the 2008 Information Security
Breaches Survey (Fenz and Neubauer 2011) only 48% of 1,007 interviewed UK
organizations formally assess information security risks. While approaches based
on best practices, standards and experts can substantially support organizations in
managing risks, they have a variety of shortcomings. In particular, because
decision makers have to "manually" deal with the following key questions:
(1) What are potential threats for my organization?; (2) What is the likelihood of
these threats?; (3) What is the potential impact of a particular threat?; (4) Which
vulnerabilities could be exploited by such threats?; (5) Which controls are
required to mitigate these vulnerabilities?; and finally (6) What are the
investments in security worth?
While in-depth knowledge of the organization in question and the IS domain as a
whole is fundamental to existing approaches, little research has been conducted on
the knowledge representation of the domains that are relevant to IS risk
management. Recent studies indicate the lack of IS knowledge at the management
54 This subsection is based on Fenz et al. (2013) which presents the research cooperation project “FORISK (Formalizing Information Security Risk and Compliance Management)” between the Department of Telematics of Freiburg University and Technical University of Vienna. The author of this thesis has been member of the project from 2013-14.
http://www.telematik.uni-freiburg.de/forschung/forschungsgebiete/itrc?projectId=8595.
4.3 IS management fundamentals 137
level as one reason for inadequate or missing IS risk management
strategies (Caralli et al., 2010).
4.3.2.1 Current Challenges of IS Risk Approaches A myriad of limitations with existing IS risk and resilience approaches exist:
• Best practice guidelines provide good information about potential threats, vulnerabilities, and controls, but without an information security domain expert, the organization is usually unable to consider the many complex relationships between all the relevant information security concepts, which results in a non-comprehensive information security approach that endangers the performance of the organization’s mission.
• Information security standards, such as ISO 27001/27002, tend to state very abstract implementation suggestions for risk mitigation; concrete measures or combinations thereof are mostly missing, leading to inefficient or even misleading risk mitigation strategies. Effective tools that could be used for the automated compliance check are missing.
• In order to identify the concrete infrastructure elements at risk, the organization has to manually combine the knowledge from best practice guidelines with their actual infrastructure.
• The determination of threat probabilities is predominantly based on subjective perceptions and not on an objective evaluation.
• While companies strive for cost-conscious solutions, they are frequently unaware of their level of IT security capital expenditure or, even more importantly, whether these investments are effective.
Management decision makers, such as the COO or CIO, are faced with a great
spectrum of potential IT security investments on the one hand and the decision of
choosing the most appropriate set of IT security investments on the other hand.
Existing methods provide decision makers with limited intuitive and interactive
decision support and, thus, fail to support them in making an appropriate risk
versus cost trade-off when deciding on the optimal level of investments in IT
security solutions.
The project “Formalizing Information Security Risk and Compliance
Management” (FORISK) has pursued to carve these essential yet open issues by
4.3 IS management fundamentals 138
providing a new approach to support decision makers in interactively defining the
optimal set of security controls and resilience principles according to common
regulations and standards. The proposed project has involved three essential yet
unsolved research problems:
• Formal Information Security Standards Representation: How can decision makers (and organizations) be supported in assessing, defining and selecting the optimal level of security investments (and thereby making an appropriate risk versus cost trade-off) in line with given business processes, multiple objectives such as acceptable risk level or resource constraints and interdependencies? And more precisely, how can they be supported in selecting which ISO 27002 control it is worth investing?
• Risk Determination: How can business processes be used to determine assets’ importance (potential impact) in the overall organizational context? How can risk levels of business processes (i.e., the probability that the business process does not deliver the expected output) be determined based on assets’ importance as well as implemented safeguards, applicable a priori probabilities, and relevant attacker profiles?
• Semi-) automated Countermeasure Definition: What and how much data has to be presented for risk management and how must the data be displayed to decision makers in order to support them in making the optimal decision according to their corporate requirements?
In order to answer these research questions FORISK makes the following
contributions:
(i) Support decision makers in focusing on the essential parts of the compliance
check: defining risk mitigation strategies. The ontology developed brings the
abstract suggestions stated in standards to a concrete level and extracts the
information that is necessary for an effective and efficient decision. (ii) Provide
decision makers with a methodology for defining countermeasures (and thereby
making the appropriate risk versus cost trade-off) in an interactive and intuitive
way while the system automatically ensures that the selected solution will be
efficient with respect to given business processes, acceptable risk and resilience
levels, and resource constraints. (iii) Make a major step beyond state of the art by
introducing a methodology that allows a (semi-)automated compliance check
based on the ISO27001/27002 standard. (iv) Render the tedious work of manually
4.3 IS management fundamentals 139
combing the knowledge from best practice guidelines with their actual
infrastructure obsolete. (v) Allow the objective evaluation of risks in accordance
with corporate business processes and the demand for protection instead of
subjective perceptions. (vi)Provide decision makers with a framework
characterized by ease of operation and efficient handling, such as decision makers
are used to it, e.g., from using their iPad. The subjective user experience is an
essential factor for the success of methodologies intended to be used by top
management. Furthermore, usability allows cost reduction and faster project
cycles due to a higher level of user acceptance and user satisfaction. (vii) Provide
a formal and standardized representation of the ISO27002 standard within an
ontology and thereby provide a “common language” in the area of risk
management to facilitate communication of stakeholders. (viii) Enable an ex post
assessment and control-loop of business process resilience based on exploratory
mining techniques. (ix) Build the methodologies on the requirements made by top
management decision makers and evaluate the applicability of the approaches in
practice.
4.3.2.2 FORISK Framework This section provides an overview of the FORISK framework. The main modules
are illustrated in Figure 30.
Business Process Importance Determination.Based on business process models
and an overall importance value for each business process, asset importance
values are automatically calculated. As input we use business process models,
such as provided by business process management solutions ARIS and ADONIS,
including required assets connected on the activity level, which are internally
transformed into Petri nets for further processing. In addition, for each business
process an importance value is assigned, either monetary (e.g., Euros per hour) or
qualitative (e.g., High, Medium, and Low). With this input data at hand for each
resource (i) a business process-wide, local importance value, and (ii) an
organization-wide, global importance value is calculated. While existing
approaches of importance determination (cf. Fenz et al., 2009) do not incorporate
dynamic aspects such as duration of activities and recovery times, we aim to
4.3 IS management fundamentals 140
integrate the time-factor as a crucial determinant of business process
resilience (Caralli et al., 2010).
Figure 29. FORISK Modules55
Inventory Knowledge Base. In the early phase along the risk and resilience
management cycle, an organization has to define (i) their assets, (ii) its
corresponding acceptable risk levels, (iii) the organization-wide importance of the
defined assets, and (iv) the attacker profile in terms of motivation and capability.
To store and interrelate this information with general information security domain
knowledge we use a security ontology. The security ontology by Fenz et al. is
utilized, which is based on the security relationship model presented in the NIST
800-12 (Fenz and Ekelhart, 2009). Transforming the advantages of formal
specifications on the challenge of modeling security relationships results in the
following three major advantages: (i) ontologies facilitate interoperability by
55 From Fenz et al. (2013).
4.3 IS management fundamentals 141
providing a shared understanding of the domain in question and help to avoid
heterogeneity, (ii) ontologies provide a formalization of shared understanding
which allows for machine-processability, and (iii) ontologies support reusability
as an important factor in information security risk management. Already gained
information about the own company, including identified risks and applied
actions, is of paramount importance for ongoing handling and maturity of the
information security risk management process. Not only can the created data be
reused in future projects, independently of implemented tools, but also can other
groups, e.g., open communities facing similar risks in the same domain or partner
organizations, profit from the collected data. The ontology follows the OWL-DL
(W3C Web Ontology Language) standard and ensures that the knowledge is
represented in a standardized and formal form to enable its utilization by
automated systems. The introduced security ontology incorporates a basic set of
concept definitions, relations, and formal axioms to generate an ontological model
of the organization in the system characterization phase but has to be adopted to
allow the use of ISO27001/27002 objects and filled with data.
Ex-ante Risk Determination. In this phase, our approach extracts knowledge
regarding threats, threat a priori probabilities, vulnerabilities, existing and
potential control implementations, attacker profiles, and the assets of the
organization from the security ontology and establishes a Bayesian network
capable of calculating threat probabilities based on the aforementioned input
information. In general a threat requires a threat origin and an existing
vulnerability to become effective. A human threat origin can exploit vulnerability
either accidentally or deliberately. At this step it is important to compile a
comprehensive list of potential threats (e.g., as recommended in (Fenz et al.,
2011). While standards and best practices often provide an exemplary threat list,
the risk manager is not always aware about the nature of each threat (Which
threats threaten critical assets? Which threat is a multiplier?) Such questions are
hardly addressed in current information security risk management standards or
best-practice guidelines. Starting from the threat report produced in the previous
step, the vulnerability identification step analyzes potential vulnerabilities which
are present in the defined system. This includes the consideration of
4.3 IS management fundamentals 142
vulnerabilities in the field of (1) management security (e.g., no assignment of
responsibilities or no risk assessment), (2) operational security (e.g., no external
data distribution and labeling or no humidity control), and (3) technical security
(e.g., no cryptography solutions in use or no intrusion detection in place). For
each threat and highly granular vulnerabilities, which a threat could exploit, are
defined and modeled in the ontology. For each of the vulnerabilities a mitigation
control is assigned, thus implementing a control aim to close vulnerability. With
these functions in place, a user knows exactly how to protect his organization
from specific threats: mitigating vulnerabilities by implementing recommended
controls.
Control Selection. In this process step, controls which could mitigate or eliminate
the identified risks, as appropriate to an organization’s operations, are provided. In
the control evaluation phase existing and potential control implementations, their
effectiveness, initial and running costs are extracted from the security ontology.
Information regarding the relevance of existing and potential control
implementations is extracted from the Bayesian threat probability model. Using
the extracted data as input for the interactive decision support methodology, a
methodology is provided for two fundamental IS risk management questions (and
a significant extension to our previous work, cf. (Neubauer et al., 2008): (i)
Which IT security solutions can generally be used to mitigate the risk to an
acceptable level?, and (ii) Which IT security solutions should be used to mitigate
the risk cost-efficiently to an acceptable level? In contrast to traditional risk
management processes, this solution provides a thorough knowledge base about
countermeasures and thus (i) saves time, (ii) avoids that solutions are simply
forgotten, and (iii) provides effective controls in compliance with best-practice
standards. Furthermore, it supports decision makers to derive concrete security
solutions based on the abstract control definition of the ISO 27001/27002
standard. However, with the list of potential control instances at hand, the
decision makers still have to identify the optimal set of security solutions under
economic considerations. Such cost-benefit analysis are still rarely considered by
existing security standards such as NIST SP 800-30 and focus mainly on financial
measures only.
4.3 IS management fundamentals 143
Resilience Determination.In contrast to module “Ex ante Risk Determination”
that attempts to calculate operational risks based on (either subjective or
historical) threat probabilities (focus on the cause of events), ex post detecting
resilience will focus on the business processes’ interdependencies and potential to
cascade (focus on the impact) (Koslowski et al., 2013a). This module for “Process
Resilience Detection” (PREDEC) will be introduced in the next chapter. The
design of PREDEC as an ex post-checking module will close the management-
cycle of the FORISK architecture. Thus, PREDEC intends to complementary
address further questions such as (i) Do the actual process models correspond with
the intended concepts? (ii) Does the observed system behavior meet requirements
of the respective compliance standard? (iii) Can we derive further information
about the dynamic system behavior (e.g. recovery time, rate of degeneration)? In
order to extract the interdependencies and dynamics, PREDEC attempts to
employ process mining techniques for conformance checking (Accorsi and
Stocker, 2012) as well as process discovery (Accorsi et al., 2012; Accorsi et al.,
2013).
4.3.3 Limitations of IS risk management FORISK is one of many examples within the areas of IT/IS risk and security
management that underpins that the tensions between IT-enabled productivity
gains versus emerging vulnerabilities and risks are well recognized for decades.
However, while IS architectures such as ERP and BPMS (for a more detailed
explanation recap Sec. 4.3.1) are often associated with significant performance
improvements by means of standardization, high formalization, automatization
and service decomposition (Balasubramanian and Gupta, 2005), their potential for
enhancing security and risk management is gaining momentum but still is not
exploited thoroughly (Jakoubi et al., 2009). A key challenge arises with the fact
that existing approaches of information security and risk management mainly
assume stable, predictable and isolated process types.
This is sometimes in contrast to the business reality, as large organizations have
often hundreds or more of interdependent processes in place (Houy et al., 2011).
As a consequence, today's complex and fragile IS are prone to unforeseeable
4.4 Resilience and IS research 144
disruptions (Caralli et al., 2010). This is supported by Butler and Gray (2006) who
identified the paradox of relying on complex systems composed of unreliable
components for reliable outcomes as a mostly neglected field in IS research so far
(Butler and Gray, 2006). These gaps call for a transfer of resilience engineering
and resilience management principles to IS research and management. The next
section attempts to introduce the resilience concept and its implications in the
areas of IS research and business informatics56.
4.4 Resilience and IS research
The starting point for putting resilience into IS research context has its roots in the
study of safety-critical socio-technological systems characterized by high
uncertainty (Hollnagel et al., 2006; McCann and Selsky, 2012; Meyer, 2013).
Recent works and theoretical developments, introduced in the earlier chapters of
this dissertation, such as the “Normal Accident Theory” (Perrow, 1984)and “High
Reliability Organizations” (Weick and Sutcliffe, 2007) indicate that some failures
are not only hard or impossible to predict, but also inevitable products in complex
and tightly-coupled systems. Resilience is an emergent property associated with
an organization's capacity to continue its mission despite disruption through
mindfulness (Weick and Sutcliffe, 2007), resourceful agility and recoverability,
e.g. (Caralli et al., 2010; Hollnagel et al., 2006). Therefore, resilience is a
combination of technical design features, such as fault-tolerance and
dependability (Avizienis et al., 2004), with organizational features such as
mindfulness, training and decentralized decision making (e.g. (Antunes and
Mourão, 2011; Weick and Sutcliffe, 2007) and Chapter 3). Hence, this socio-
technological conception of resilience has recently attracted IS scholars' attention
(e.g. (Antunes and Mourão, 2011), Caralli et al., 2010; Riolli and Savicki, 2003).
The following sections are dedicated to provide an overview of existing work on
IS resilience and its shortcomings, and finally discuss its implications for IS
Research.
56 This section entails fragment of the paper Müller et al. (2013) that capture and establish a relationship between resilience and IS research.
4.4 Resilience and IS research 145
4.4.1 Status quo and shortcomings Although resilience is widely recognized in related disciplines such as Computer
Science (Wolter, 2012), Contingencies and Crisis Management (Boin and
McConell, 2007), or Safety Engineering (Hollnagel et al., 2006), there is an
apparent incongruity between the level of interest paid by practitioner and the
attention that IS scholars have given to resilience (Müller et al., 2013). Today,
only a limited number of resilience researchesexist. This research gap is
surprising, as resilience is often said to be a combination of social or
organizational and technical qualities and, therefore, a research topic well-suited
for IS research. The following literature review identifies current research gaps
and challenges as a foundation for a IS resilience research agenda.
The majority of recent work on IS resilience and related research remains on a
pure conceptual level. For example, a recent literature review on the related
concepts IS reliability and mindfulness has been carried out by Butler and Gray
(2006), examining how organizations achieve reliability when operating in
complex, fragile, and often unreliable IS environments. Although the authors
intended to contribute to IS reliability, they introduced mindfulness, an
organizational resilience concept into IS research (Weick and Sutcliffe, 2007).
Accordingly, they provide a foundational framework of IS reliability achieved by
balancing routine-based strategies (focus on reducing variability and deviation)
and mindfulness-based strategies (focus on cognitive and organizational
capabilities for contextual sense-making). This is depicted in figure 30 below:
Based on a comprehensive literature review, they conclude that IS research
provides little guidance for organizational reliability and highlight the need for
conceptual tools and artifacts that help mindfully management to support
surviving and thriving in complex, dynamic environments. Similarly, Riolli and
Savicki (2003) emphasize individual and organizational characteristics against
pressuring information system work environments. The authors conclude that
much more empirical work has to be done to analyze the interrelations between
stressors and resilience outcomes on an individual and organizational level. Based
on a broader literature review on resilience across multiple disciplines, Erol et
4.4 Resilience and IS research 146
al.(2010) propose a framework to discuss the moderating role of IS on assisting
connectivity and collaboration in order to support resilience (Erol et al., 2010b).
Figure 30: Foundations of IS Resilience57
Another research stream addresses the issue of resilient IS architectural design.
Inspired by biological systems, (Zhang and Lin, 2010) introduced a set of
resilience axioms and derived five principles of engineered artifact systems. These
principles encompass technical and managerial recommendations to increase
system resilience such as inherent redundancy, flexible coordinative
responsibilities, and components for monitoring and continual training. Others
discuss the relationship between resilience and other similar architectural
properties and present seven constraints to consider in the architecture for
enhancing resilience (Liu et al., 2010a). A set of fundamental requirements for
supporting resilient business process management (BPM) is given by Antunes and
Mourão (Antunes and Mourão, 2011). While these works capture basic
requirements for resilient IS design, they lack empirical validation, concrete
implementation guidelines, as well as artifacts to support the implementation of
resilience in IS, e.g. (Antunes and Mourão, 2011; Caralli et al., 2010).
A further research stream focuses on measurement issues of resilience in the IS
context. Wang et al. (2010) present a measure in the context of enterprise
information systems focusing on recoverability(Wang et al., 2010). They develop
57 Adapted from Butler and Gray (2006).
Emergent systems composed of vulnerable components
Individual and CollectiveMindfulness
Routines, Procedures,and Structures
Organizational Resilience
4.4 Resilience and IS research 147
a formula that calculates the weighted relation between request time and
completion time. A more advanced contribution with regard to measuring and
visualizing resilience is given by Zobel et al. in the context of disaster events and
cyber-attacks (Zobel and Khansa, 2012). Their approach captures multiple
dimensions of resilience as a function of the predicted amount of initial loss and
associated recovery time. Derived resilience curves provide further decision
support for appropriate selection of countermeasures.
4.4.2 Implications for IS research Despite the wide spread of resilience across multiple disciplines, a number of
open research issues remain. These encompass conceptual and definitional
vagueness of resilience, a lack of empirical research and a lack of applicable
(organizational) solutions and IT-artifacts to bring resilience into action (Chapter
1 and Müller et al., 2013). Müller et al. articulate a research agenda on resilience
and resilience management comprising four research questions spanning
conceptual perspectives, research methods and prototypical implementations of a
resilience supporting information system. The first research question refers to the
divergent understanding and the need for construct clarity. The second research
question focus on research challenges regarding the lack of empirical exploration
of resilience in IS research. The third research challenge address problems when
operationalizing and measuring resilience in the IS context. Finally, the fourth
research challenge focus on guidelines, requirements, and approaches for resilient
IS design. While the some of these challenges (challenge one and two in
particular) have been already addressed in the previous chapters of this thesis, the
subsequent section will focus on implications of resilience foundations for IS
design.
The foundations of IS resilience have a variety of implications for the design of
IS. Recent studies on resilience emphasize the integration of organizational and
technological views, as well the integration of related, but usually disjointed
activities of IS security, business continuity and IT operations (Allen et al., 2011;
Caralli et al., 2010) as depicted in Figure32.
4.4 Resilience and IS research 148
Figure 31: Operational Resilience Management System58
As for other business information systems, the elicitation of requirements and
their system-wide enforcement are of utmost importance. At the technical level
resilience requirements are intricate to capture, as they merge the capability of
absorbing failures and unexpected situations (e.g. cushioning the ripple effect on
the advent of change) with detecting the continuous deterioration of systems
throughput (e.g. when running out of resources). While the former can be
somehow estimated at design-time, the latter requires the a posteriori analysis and
intervention. Interestingly, current literature reviews on risk-aware BPM by
(Jakoubi et al., 2009) or (Suriadi et al., 2012) show that the vast majority of
contributions focus on design-time risk-management in BPM systems, while
approaches at run-time and the exploitation of process-related log files a posteriori
are largely neglected. Process-oriented resilience management might have the
potential to fill these gaps.
According to the CMU-CERT Resilience Management Model (Caralli et al.,
2010), an operational resilience requirement is defined as a constraint that an
organization places on the productive capability of assets to ensure viability when
charged into business processes. These requirements provide the foundation for
58 Adapted from Allen and Cebula (2011).
4.4 Resilience and IS research 149
how to enhance the resilience of assets and related processes. They embody
organizational objectives, risk appetite and tolerance, critical success factors, and
operational constraints (Caralli et al., 2010). Moreover, (Antunes and Mourão,
2011) propose fundamental requirements for resilient BPM: They support (i)
various levels of severity, ranging from simple failures of key resources to
catastrophic accidents; (ii) the coexistence of stable processes with unstable
changes in the operating environment; (iii) the dynamic construction and update
of situation awareness; (iv) assistance for knowledge representation and
management, a fundamental drive to decision-making (Fenz et al., 2013); (v)
flexible operations and unplanned tasks whenever necessary; (vi) the opportunity
to experiment with and learn from the novel, innovative and challenging situations
that emerge from hazards; and finally (vii) the transition from emergency to
normal operations.
Up to now, there are techniques and formal foundations (for instance Antunes and
Mourão, 2011; Caralli et al., 2010; Fenz et al., 2013) that can, when assembled,
provide for resilience mechanisms at the level of BPM. However, the current state
of the art does not offer corresponding mechanisms. Similarly, vendors of BPM
systems and workflow management systems have not yet focused their solutions
on resilience.
Based on a literature review, a resilience management cycle has been developed
for automated support for resilient BPM according to the well-established BPM
lifecycle. The cycle contains four phases adapted primarily from (Antunes and
Mourão, 2011), beginning with (i) Detection in order to identify failures, potential
weaknesses and exceptional process executions. (ii) The purpose of Diagnosis
and Evaluation is to collect and assess vulnerabilities, and consequently to
determine a set of intervention types. (iii) The next stage covers Treatment and
Recovery, including the actual selection and implementation of supportive actions
and automatic corrections. (iv)Finally, the phase of Escalation and
Institutionalization guarantees enrichment or revision of the current knowledge
base, and aims to establish and facilitate an organization-wide resilience culture.
4.4 Resilience and IS research 150
Figure 32: Resilience Management Cycle
In accordance with the resilient management cycle (see above), it is natural to
focus on the detection stage first. The purpose of this phase is to collect, record,
and distribute information about the operational resilience of BPM on a timely
basis. Effective resilience detection provides essential information about
changes/deviations (Hollnagel et al., 2006; Meyer, 2013), such as hazard
occurrences and exceptional process executions, but also potential weaknesses
such as high utilization at the margin of resources' or processes' capacity. Data
collection, logging, and measurement are at the heart of resilience detection: they
addresses the organization's competencies for identifying, collecting, logging, and
disseminating information needed to ensure that operational resilience
management processes are performed consistently and within acceptable
tolerances (Caralli et al., 2010). This requires an effective measurement and
analysis process that transforms operational resilience objectives and requirements
into visible measures. Measures need to express the gap between intended
process-goals and actual process-goals.
Works on BPM re-engineering (Harrington, 1991), risk-aware (Balasubramanian
and Gupta, 2005), and resilient BPM in particular (Caralli et al., 2010), provide a
solid basis for measures for the attempted resilience detection service. However,
4.4 Resilience and IS research 151
deriving meaningful measures for resilience detection requires the alignment with
organizational goals and missions (Caralli et al., 2010). As these objectives need
to be interpreted and aligned for a specific organization, the well-established
objective-driven approach suggest by (Allen et al., 2011) seem promising. The
rationale behind it is to assure that resilient measures for extraction and detection
have a direct link with operational goals and therefore impact the resilience of
diverse organizational missions.
Another implication for resilient IS design arises with the concept of mindfulness,
an organization's capability to perceive cues, interpret them, and respond
appropriately (Butler and Gray, 2006; Koslowski et al., 2013a). Ongoing research
aims at elaborating the conception and implementation of intuitive user interfaces.
For instance, process resilience detectors as an a posteriori checking module could
complement and support established risk-aware BPM architectures. In contrast to
those approaches with emphasis on design-time analysis to calculate operational
risks based on (either subjective or historical) threat probabilities (focus on the
cause of events) (Suriadi et al., 2012), the a posteriori resilience approach will
focus on the business processes' interdependencies and potential to cascade, so-
called ripple effect (Koslowski et al., 2013a; Hollnagel et al., 2006).
152
5 Process-centered Resilience Management
This chapter introduces “Process-Centered Resilience Detection“ (PREDEC), a
detective framework to assert the resilience of business process-based information
technology infrastructures.Beside a detailed description of the components and the
analysis of its requirements, the chapter introduces process-oriented resilience
measures (Section 5.3.2) and further elaborates underlying mechanisms (Section
5.3.3).It will turn out that time-behavior represents one crucial indicator for
process-resilience. Therefore, Section 5.4 will introduce an IT artifact as an
example of resilience management information systems (RMIS). This artifact
enables to model the amount of resources required as a stochastic function and to
sum up the need for the whole business process, including its branches. Based on
a case study from the manufacturing sector,theperformance, feasibility, and
effectiveness of the developed IT artifact will be evaluated. The chapter concludes
with a discussion of the findings and future research work.
The next section firstly provides some basics on business process management
(BPM). Subsequently, the section describes the increasing attention paid to
resilience management as a complementary approach to process-oriented security
and risk management is explained in detail. In that, the section provides a brief
overview of existing work on resilience in IS research with an emphasis on
resilient BPM.
5.1 Resilient BPM
Today, enterprise systems and information infrastructures increasingly build upon
processes. Generally speaking, processes are structured specifications of
personnel and business data usage that run (at least) semi-automated in a business
process management (BPM) system. Examples of systems building upon
processes can be found in very different domains and range from, e.g.,
organizations’ supply chains, banking backbone infrastructure to parts of critical
infrastructure such as smart grids or nuclear power plants (Vom Brocke and
5.1 Resilient BPM 153
Rosemann, 2010). Business process models are virtual representations, which
include organizational assets connected to multiple activities. The advantage of
process-orientation is the decoupling of infrastructure and organizational
workflows as a means to enhance enterprises’ overall performance and
effectiveness. A myriad of BPM definitions exist, most of which include
Workflow Management (see Section 4.3.1). In this thesis, a popular definition of
BPM given by (van der Aalst, 2004, p. 4) is used: “supporting business processes
using methods, techniques, and software to design, enact, control, and analyze
operational processes involving humans, applications, documents and other
sources of information”.
The BPM life cycle, depicted in Figure 33 describes the various phases in support
of operational business processes. According to (van der Aalst, 2004), in the
design phase, processes are (re)designed. In the configuration phase, designs are
implemented by configuring a process-aware information system (such as WFMS
introduced in Chapter 4). Afterwards, the enactment phase starts where the
operational business processes are executed using the system configuration. In the
diagnosis phase, the operational processes are analyzed to identify weaknesses
and problems for the purpose of an ongoing optimization.
Existing approaches of BPM mainly assume stable, predictable and isolated
process types. This is sometimes in contrast to the business reality, as large
organizations often have hundreds or more processes in place (Houy et al., 2011),
and increasingly invest in the new opportunities of ubiquitous computing and “big
data” (McAfee and Brynjolfsson, 2012). Against this backdrop, more complex
modeling and exploratory analytical techniques such as Process Mining (Accorsi
and Stocker, 2012; van der Aalst and Weijters, 2004) seem to be promising
developments for identifying and designing business processes more resiliently.
5.1 Resilient BPM 154
Figure 33. BPM Life Cycle59
As previously described in Chapter 4, the increasing reliance on IS such as BPM
brought up an urgent need to ensure continuous business operations despite a
multitude of risks. For instance, a comprehensive arsenal of so-called risk-aware
BPM-approaches has been constantly evolving for years (Jakoubi et al., 2009;
Suriadi et al., 2012). While conventional approaches of risk or security
management have provided valuable support for risk prevention and mitigation in
relatively stable operational environments, they may fall short of addressing new
emerging risks such as unforeseeable disruptions with the potential to cascade
(Caralli et al., 2010). Against this backdrop, the concept of resilience has recently
attracted IS scholars’ attention as a denominator to move beyond risk control and
survival, but even prosper in the face of challenging conditions (Caralli et al.,
2010; Antunes and Mourão, 2011; Müller et al., 2013). Interestingly, the current
state of the art at the intersection of BPM and resilience approaches the high-level
design of resilient information systems (Antunes and Mourão, 2011), the
satisfiability of workflows (Basin et al., 2012; Wang and Li, 2010), change
59 Adapted from van der Aalst (2004).
5.1 Resilient BPM 155
propagation (Fdhila et al., 2012) and incident response (Freiling and Schwittay,
2007)(cf. also Chapter 4). However, there are no approaches and technical
frameworks that put processes in a “resilience loop” which also encompasses
adaption (cf. Section 4.3.2. ff.).
According to the BPM lifecycle, the analysis of processes can take place at design
time (a priori), at runtime and offline (a posteriori)(Accorsi, 2013), depicted in
Figure 33. While the first two points of time allow for preventive mechanisms to
avoid violations, a posteriori methods based on the analysis of event logs are
detective. Casting them into the context of resilience, preventive methods are in
place to allow for robustness (resistance against incidents) whereas detective
approaches serve as an input for business process redesign and, if in large scale,
re-engineering.
However, extensive literature review in the field of risk-aware BPM reveals that
current approaches focus on the design-time phase, while concepts and artifacts
with focus on runtime and offline analysis are rare (Jakoubi et al., 2009; Suriadi et
al., 2012). As stated by van der Aalst (2004), the focus of prevailing WFMS is on
these latter phases of the BPM life cycle. So in order to take full advantage of
WFMS by means of automated collection and interpretation of real-time data,
organizations need new tools and models at hand such as business activity
monitoring (Jakoubi et al., 2009; van der Aalst, 2004) to finally detect the
resilience of current processes. Concretely, in the context of resilience
management, the ultimate goal of PREDEC is to enable organizations to
automatically identify and assess the interdependence of assets and processes. In
order to extract the interdependencies PREDEC employs process mining
techniques developed by (Accorsi, 2013; van der Aalst, 2011). In the future, it is
also planned to employ techniques as developed by, e.g., (Reijers et al., 2005) to
elicit sociometric data from event logs in order to build social networks of the
subjects involved in process executions. In that, it is aimed at augmenting the
assessment of interdependence of assets and processes with a social network
perspective.
5.2 Research context and design 156
The next section describes the research context and design. Furthermore, the
increasing attention paid to resilience management as a complementary approach
to process-oriented security and risk management is explained in detail. In that,
the chapter provides a brief overview of existing work on resilience in IS research
with an emphasis on resilient BPM. By screening prior research, we see that there
is a lack of research on (semi-automatic) BPM resilience tools (Section 5.2).
5.2 Research context and design In accordance with the resilient management cycle (cf. Figure 1 in Chapter 1.2), it
is natural to focus on the detection stage first. Hence, in order to detect operational
resilience, the goal is to automatically identify failures (cause a loss of acceptable
service Meyer, 2013), exceptional process executions (Hollnagel et al., 2006), and
potential weaknesses (such as interdependencies and bottlenecks Yen, 2009;
Weick and Sutcliffe, 2007) by means of forensic techniques.
Before describing PREDEC framework and its modules, the subsequent sections
will first review current research and identify several research gaps to formulate
the research agenda.
5.2.1 Status quo and shortcomings
The majority of recent work on IS resilience and related research remains on a
pure conceptual level. For example, a recent literature review on IS resilience has
been carried out by (Müller et al., 2013), proposing an IS research agenda on
resilience and resilience management. Through a comprehensive collection and
evaluation of relevant literature, the authors identified and consolidated a myriad
of limitations and research gaps: Resilience is rarely acknowledged in theoretical
discussions of IS domains, which results in a lack of understanding of
antecedents, principles and outcomes of IS resilience. The current state of art is
dominated by conceptual or anecdotal contributions. This results not only in a
lack of empirical work to validate IS resilience, but also in the lack of systematic
resilience requirements for either IS design or methodological approaches.
Moreover, current attempts to operationalize IS resilience are still on a very
5.2 Research context and design 157
immature stage and impede both empirical evaluation of current research work as
well as the actual implementation and validation of techniques and IS artifacts to
make resilience operational. Finally, the paper discusses the integration of
resilience and BPM (Müller et al., 2013): Although the management of risks in
BPM has been well recognized in the past few years, the link between resilience
and BPM is largely neglected so far, leading to an absence of frameworks and
approaches.
Interestingly, current literature reviews on so-called risk-aware BPM by (Jakoubi
et al., 2009) or (Suriadi et al., 2012) show, that the vast majority of contributions
concentrate on design-time risk-management in BPM systems, while approaches
at run-time and the exploitation of process-related log files a posteriori are largely
neglected. But as highlighted in the previous section, operational resilience
focuses on run-time and a posteriori analytics in order to manage consequences of
risks, as also illustrated in Figure 34.
5.2 Research context and design 158
Figure 34. Relation between Operational Risks and BPM60
Recent frameworks for resilient BPM such as (Antunes and Mourão, 2011) tend
to state very abstract implementation suggestions. For example, (Antunes and
Mourão, 2011) and (Caralli et al., 2010) provide a set of fundamental
requirements for supporting resilient BPM. While these works capture basic
requirements for resilient IS design, they lack empirical validation, concrete
implementation guidelines, as well as artifacts to support the implementation of
resilience in IS. Thus, concrete measures are mostly missing, leading to inefficient
or even misleading resilience strategies. Effective and cost-efficient tools that
could be used for the (semi-)automated detection of BPM resilience are missing.
Moreover, existing methods provide decision makers with limited intuitive
support-tools at high personnel costs, they fail to assist them in enhancing and
60 From Koslowski and Zimmermann (2013, p. 180).
5.2 Research context and design 159
maintaining resilience of BPM. Furthermore, monitoring and measuring how
closely a system is operating relative to its performance margins to improve its
ability to detect unexpected events before they emerge and building capacities for
recovering rather than eliminating errors and unexpected events is crucial for the
success of organizations in turbulent environments (Weick and Sutcliffe, 2001).
5.2.2 Research questions and objectives
This chapter pursues to address these essential, yet open, issues by providing a
new approach to supporting decision makers in automatically detecting the
occurrence of hazards, and therefore addressing the sensitivity and resilience of
information infrastructures.
RQ1: Requirements for Detection of Resilience Measures in Event Log Data:
What are fundamental requirements for resilient BPM? How can they be
translated into measures in order to provide decision makers with a resilience
detection service based on analysis of event logs?
RQ2: Assessing Suitability of Process Mining Techniques for Resilience
Detection: How can event logs be used to detect hazards’ occurrence and
resilience levels of business processes and associated resources and activities?
RQ3: (Semi-) Automated Resilience Detection: What and how much log-data has
to be depicted for resilience detection and how must the data be displayed to
decision makers in order to support them in making better decisions according to
their corporate requirements?
In order to answer these research questions, the chapter makes the following
contributions. It aims at:
• Combining and systematizing the related but still disconnected fields of IS resilience and process-orientation. The development of a BPM resilience cycle corresponds with the BPM lifecycle and enables and proposes how to build and enhance resilient BPM.
5.3 PREDEC framework 160
• Providing event log specifications to enable process-centric resilience detection. The requirements and measures developed serve as basis for eliciting and subsequently assessing structural characteristics of information infrastructures.
• Making a major step beyond the state of the art by introducing a methodology that allows for a (semi-)automated conformance check based on resilient BPM principles.
• Providing decision makers with a comprehensive methodology for analyzing and diagnosing the resilience of information infrastructures and thereby generating meaningful insights and evidences in an intuitive and economic manner.
• Rendering the tedious work of manually combing the knowledge from best practice guidelines with the actual infrastructure obsolete.
• Enabling the objective detection of vulnerabilities on executed processes instead of intended process models.
• Setting the ground for subsequent phases on the BPM resilience cycle, such as diagnosis and evaluation, treatment and recovery, as well as escalation and institutionalization.
In the following, PREDEC as a process-oriented framework for information
infrastructure resilience is introduced.
5.3 PREDEC framework
The PREDEC framework constitutes a process-oriented and a posteriori approach
to determining information infrastructure resilience. As depicted in Figure 35,
BPM systems’ event logs build the fundament of process resilience detection with
PREDEC. On these event logs, elicitation techniques building upon, e.g., process
mining (Accorsi et al., 2012) or complex event processing (Etzion, 2009) are
applicable in order to elicit processes’ control and information flow data as well
as sociometric data. These techniques allow for elicitation of control flows, i.e.,
process models (van der Aalst, 2011), data flows, i.e., the indirect flows of
information between actors in a process (Accorsi and Lehmann, 2012) and
5.3 PREDEC framework 161
sociometric data, i.e., social structures of subjects performing processes’ activities
(Reijers et al., 2005). Based on resilience-oriented analysis of this information,
insight can be gained into the resilience of an organization’s interdependent
processes.
Figure 35: Overview of the PREDEC framework61
In the following, the next section examines PREDEC’s components and analyzes
the requirements they must meet in order to effectively and precisely provide for
resilience detection.
5.3.1 Event logs and elicitation techniques
The requirements for event logs regard both their structure (i.e. what to log),
quality (i.e. how good to log) and their integrity (i.e. how to log). The following
addresses these requirements accordingly and indicates the corresponding
mechanisms necessary to achieve a sufficient level of assurance for PREDEC.
Figure 36 depicts the minimal set of fields to be logged per entry in order to
provide a basis for elicitation. Each event in the business process management
system corresponds to an activity of a business process triggered during its run.
Hence, the CaseID records the business process run in which an Activity has
taken place. The timestamp captures the StartPoint and the Endpoint of an
activity. The organizational perspective is captured by the Originator of the
activity (subject or role that triggers the event) and its OrganizationalUnit. Finally,
the data perspective records the Input and the Output fields of the particular
61From Koslowski and Zimmermann (2013).
5.3 PREDEC framework 162
activity. Of course, for the latter, only the type of data serving as input (or
produced as output) is recorded; the actual fields are not recorded. Although this
information altogether amount to only a few fields, this is sufficient to feed
powerful elicitation mechanisms based upon, e.g., process mining (Accorsi et al.,
2012) or complex event processing (Etzion, 2009). Hence, this provides a
sufficient basis for PREDEC.
Logfile Data
TimeActivity Organization Data
Start-point
End-point
Name
Type
Who
Where
Input
Output
Figure 36: Log entry structure
As for the quality, van der Aalst provides five maturity levels for event logs,
ranging from worst (Level 1) to best (Level 5) (van der Aalst, 2011). PREDEC
requires logs with at least Level 3, which encompass, e.g., tables in ERP systems,
event logs in CRM systems and transactions logs of DBM systems. This is
because, at this level, information can be correlated and organized in a way that
allows the compilation of logs exhibiting the structure in Figure 36. Logs
exhibiting a higher maturity level are already recorded using this structure (Level
4) or are grounded upon semantic annotations and ontologies explaining the
meaning of each activity in the enterprise context.
Turning to the integrity, to provide a reliable log basis for detection, the events
must faithfully record the activity of the system. In particular, it should be
impossible, say, for an attacker to hide its traces or manipulate the logs so that
false-positives (detection of resilience-relevant incidents that did not happen) and
false-negatives (overlooking resilience-relevant incidents) arise. To achieve this,
5.3 PREDEC framework 163
secure logging mechanisms (Accorsi) must be in place to provide (a) tamper
evidence and, in some situations, (b) confidentiality of event logs.
While the requirements for event logs regarding elicitation of control and data
flow are well examined, requirements for event logs regarding elicitation of
sociometric data have become subject to research only recently. In order to elicit
sociometric data, i.e., social network graphs, from event logs, these event logs
must reflect relations between subjects executing processes’ activities. As shown
by (Reijers et al., 2005), elicitation of these relations from event logs structured as
described above is feasible. Hence, provided event logs meet the requirements
stated above, they provide a sufficient basis for elicitation of sociometric data for
PREDEC.
Elicitation techniques. The elicitation techniques envisaged for the realization of
the PREDEC framework build upon process mining (Accorsi et al., 2012),
(Reijers et al., 2005). In particular, when using these techniques, there is a trade-
off between the following quality criteria (van der Aalst, 2011) (see (Accorsi et
al., 2013) for details):
• Fitness: the elicited structures (e.g. process model or social network graph) should allow for the behavior seen in the event log.
• Precision: the elicited structures should not allow for behavior completely unrelated to what was seen in the event log.
• Generalization: the elicited structures should generalize the example behavior seen in the event log.
• Simplicity: the elicited structures should be as simple as possible.
Technical approaches for the PREDEC framework must seek a balance between
good fitness and precision, thereby minimizing the number of false-positives and
false-negatives arising from measurement errors. A structure having good fitness
is able to replay most of the traces in the event log. Precision is related to the
notions of underfitting in data mining: a structure having poor precision is
underfitting (i.e. it allows for behavior that is very different from what is in the
log). Tackling this trade-off is one of the key challenges in process mining.
5.3 PREDEC framework 164
5.3.2 Resilience Measures
Measuring resilience is crucial, since metrics and indicators provides the
information that allow for better decision-making (Erol et al., 2010a), learning,
and performance improvement (Hollnagel et al., 2006). The development of a
process-centered measurement approach primarily addresses the detection and
assessment stage of the resilience management cycle. That means, by deriving
appropriate measures, it is possible to identify failures, potential weaknesses and
exceptional process executions. Consequently, measures express not only current
process-gaps but furthermore allow the simulation of impacts of proposed changes
(Allen and Davis, 2010). As PREDEC’s overarching goal is to enable
organizations to automatically identify and assess the interdependence of assets
and processes, one objective of PREDEC is to conceptualize a process-centered
measurement framework which satisfies information needs by collecting and
systemizing quantifiable metrics and indicators based on the ex-post analysis of
event logs. It is intended to serve as foundation for the design of a detective
resilience measurement system.
Measures are differentiated between metrics that quantify an attribute of a process
or a resource and indicators which are pointed towards not directly measurable
characteristics (Allen and Davis, 2010). On basis of these measures vulnerabilities
can be collected and assessed in a second step, which eventually results in the
determination of intervention types (Koslowski and Zimmermann, 2013). BPM
along with risk and security should be treated in a more integrated manner
(Jakoubi et al., 2009). We need a solid idea of resilience measurement issues for
detecting and assessing business process attributes as well as for deriving valid
implications. By providing objective results, one is able to make informed
decisions and taking appropriate corrective actions (Allen and Davis, 2010).
5.3.2.1 Existing Measurement Approaches Currently, organizations still lack reliable means for measuring resilience based
on their business processes. Largely unaddressed are questions about how
organizations achieve operational goals despite challenging conditions and
5.3 PREDEC framework 165
disruptions. As a result, a number of current research gaps still exist, leading to
the following sub-research questions:
1) Regarding existing measurement approaches for resilient BPM: Which
approaches do exist and which properties of resilience do they address? Do
current approaches provide a holistic approach towards process-centered
resilience measurement?
The shortcomings of existing works further raise questions regarding the
suitability of employed metrics for resilience detection. This logically leads to
question:
2) Regarding the conceptualization and requirements of resilience measures:
How can fundamental requirements of resilient BPM be categorized and
transformed into concrete measures?
Several authors contribute on measurement issues of resilience in the IS context
(for an overview see Table 9). The review of existing measurement approaches
clarifies that current measures primarily consider high-level resilience features
and are not focused on the processes of BPM systems.
Although these works provide comprehensive insights on design features for
distributed IT architectures, they say little about what decision-makers and
organizations actually must do to meet mission goals despite challenges and
consequently to achieve organizational resilience. Decision-makers have to
choose which attributes are most suitable to align with the organization’s strategic
objectives and critical success factors. Accordingly, resilience objectives deliver
the foundation for targeted resilience measurement. But the presented approaches
generally lack well-defined objectives for developing measures. Furthermore,
dynamic aspects and emergence of processes are still poorly considered in
resilience measurement approaches.
5.3 PREDEC framework 166
Table 9: Overview of existing Measurement Attempts
Attempt Source State Space:Measure in the context of networks focusing on vulnerability. Two dimensions a network can be viewed as: Operational State and Service Parameters. Resilience evaluated as range of operational conditions for which the service level stays in an acceptable range.
(Sterbenz et al., 2010)
Recovery Time & Performance Level: Approach considering the adaptive capacity of a system based on recovery time after an adverse event and the corresponding level of recovery. Recovery time and level of recovery may be used as indicators for resilience.
(Erol et al., 2010a)
Resilience Triangle: Measure in the context of disaster events and cyber-attacks. Multi-event resilience based on the predicted amount of initial loss and recovery time. Assesses the vulnerability and capability to adapt when disruptions occur. Besides, derived resilience curves provide additional decision support for appropriate selection of countermeasures.
(Bruneau et al., 2003)
Business Continuity Analysis: Authors intend to be able to estimate the business impact of potential threats. Therefor they identify critical resources and interdependencies to address the availability of processes and related services. Many or severe abnormalities in comparison to normal process performance level characterize low organizational resilience.
(Winkler et al., 2012)
Value Tree: Based on a checklist of organizational and technical objectives, assessment how organizations perform on attributes of resilience management. A value tree divides the overall resilience objective into sub-objectives in terms of technological and operational resilience and their respective performance measures.
(Stolker et al., 2008)
Nevertheless, they provide a solid foundation for further evaluation: In the future,
PREDEC intends to recognize aspects of (Winkler et al., 2012), for instance the
incorporation of financial impacts of outage times as well as a deep analysis of
resource-interdependencies. Additionally, the “Value Tree”-approach by (Stolker
et al., 2008) entails a subjective goal-formulation and covers a set of structural
resilience properties. However, none of the approaches offers a holistic method
for resilient BPM. PREDEC aims to bring together those promising pieces in our
resilience measurement framework.
5.3.2.2 Measurement framework The components and its relationships of the envisaged process-centered resilience
measurement framework are depicted in Figure 37. The framework provides the
conceptual foundation of measurement system.
5.3 PREDEC framework 167
Figure 37: Resilience Measurement Framework
Throughout this sub-section, the process of a loan application is used as an
example to provide a concrete practice-oriented implementation (depicted in
Figure 38).
Figure 38: Example Loan Application Process
Single instances of the process start when a loan application is received. In this
simple case, the process consists of only two activities: (i) The process participant
assesses the eligibility of the process applicant (check credit history, check
personal background etc.). (ii) The applicant is informed whether the loan is
granted or not. The process instance ends after the two activities are completed.
Basic Metrics and Log Files. BPM systems’ event logs serve as input for the
calculation of process-centered measures (either simple metrics or indicators).
5.3 PREDEC framework 168
These logs have to meet certain requirements to provide the needed information
for resilience-oriented analysis. The lower part of Figure 37 shows which fields
must be logged in order to define resilience metrics and indicators. The activity
corresponds to what activity of a business process is captured by the log. In the
loan application process this could be either the “assess eligibility” or the “inform
applicant” activity. By now, the attention is given to the eligibility assessment. It
is crucial to know when an activity took place. For this reason, the Start- and End-
Point of an activity is captured by the timestamp. It contains information about the
time point a process participant starts (and finishes) working on the eligibility
assessment. The organization field determines who (subject or role) triggers and
event, and where (organizational unit) inside an organization the event is
triggered. It may be a clerk, or a software application used to process applicant-
specific data, associated to the credit department of a bank. Finally, the data
perspective is a technical requirement and records which data serves as input or is
produced as output of the respective activity (Koslowski and Zimmermann, 2013).
Potential input data are credit records and formulas containing information about
the personal background of an applicant. Output data includes a statement whether
the particular loan application was accepted or rejected and serves as input data
for the “inform applicant” activity.
With this information, it is possible to derive meaningful basic metrics from the
event logs. A basic metric is the quantification of a directly observable attribute of
a resource or a process. It is “functionally independent of any other measures and
defined by fundamental units that are not composed of any other units” (Allen and
Davis, 2010). Typical basic measures are numbers of an entity or a measure of a
time period. Basic metrics will be used as input for derived metrics introduced in
the next subsection. Examples for basic metrics are: number of roles in a process;
number of activities in a process; or the total time from start-point to end-point of
a process (compare Table 10). The simplified loan application process consists of
two activities and as many events. Well-established resilience measurements have
been derived by expert interviews and literature review. These measurements are
organized in accordance with the categorization in the following.
5.3 PREDEC framework 169
Resilience Objectives and Derived Metrics.Deriving basic metrics from log files
allows for the definition of process-centered resilience measurements (both,
metrics and indicators). At that point, a set of measurements to identify failures
and exceptional process executions is available, but it must be context-related
with the unique characteristics of different organizations to build a foundation in
order to address the challenge of Detection. For this reason, an objective-driven
approach based on the Goal Question Metric (GQM) is used, which is already
well-established in IS research (Basili et al., 1994; Travassos et al., 2006) and
resilient BPM (Caralli et al., 2010). In order to enable an organization to measure
resilience in a purposeful way it must first specify goals that correspond to its
needs, put these goals into meaningful data and, in a last step, analyze to which
extent the goals are achieved. The result of the application of the GQM is a
hierarchical measurement system with three levels of abstraction: (1) Conceptual
level (goal); (2) Operational Level (Question); and (3) Quantitative Level
(measure). The conceptual level defines goals for the objects of interest, whereby
objects can be resources or even whole processes. A set of questions characterizes
how the assessment of a specific goal is performed on the operational level. The
quantitative level associates measures to the questions with intent to answer them.
The resulting GQM model can be composed of several goals, multiple questions
per goal and a set of measures addressing the questions (Melcher, 2012). Using
this top-down approach assures the required data and analysis to be adequate and
prevents unreasonable data collection with a lot of data never being used and
analyzed. Furthermore, measurement is costly, organizations should therefore be
cautious in selecting measures for economic reasons (Allen and Curtis, 2011).
An Objective-driven approach allows us to constitute purposeful derived metrics,
which are mathematical functions combining two or more basic/derived metrics
and indicators. Those derived metrics and indicators are directly related to
resilience objectives. A selection includes: resource utilization rate; number of
unique activities, joins, splits, and other control flow elements. Table 10 provides
a short overview of some indicators and metrics, their definition and respective
type. Different susceptibility values are evaluated (quantitatively or qualitatively)
applying the two types of metrics.
5.3 PREDEC framework 170
Table 10: Examples of (BPM) Resilience Measures
Criteria & Definition
Type
Source
(B)a
sic,
(D
)eriv
ed
(S)tr
uctu
re,
(B)e
havi
or
Roles:Number of roles in a process B S (Allen et al., 2011)
Transitions: Number of transitions in a process B S (Allen et al., 2011)
Events: Number of events in a process B S (Allen et al., 2011)
Activities: Number of activities in a process B S (Cardoso et al., 2006)
Diameter: Length of the longest path from start node to end node B S (Cardoso et al.,
2006)
Process Interrelationship: Interfaces with other processes D S
(Balasubramanian and Gupta,
2005) Organizational Interfaces: Interaction between internal departments D S
(Balasubramanian and Gupta,
2005) Coupling: Relationships of the elements within a module D S (Vanderfeesten
et al., 2008) Bottlenecks: An activitiy with lower capacity determines process capacity D S (Yen, 2009)
Throughput: Number of transactions and requests which could be processed simultaeously D B
(Balasubramanian and Gupta,
2005) Resource Utilization Rate: Percentage of actually used capacity of a process D B (Yen, 2009)
Timeliness: Punctuality of interim outputs for a following process activity D B
(Balasubramanian and Gupta,
2005) Working Time: Cumulated time of all operative process activities (without) waiting time D B (Yen, 2009)
Lay Time: Time in which a process stagnates and no handling is possible D B (Harrington,
1991)
Referring to the example, one concrete resilience-objective on the conceptual
level is to ensure the continuity of operations if a fraction of the computing
capacity used for the processing of loan applications becomes unavailable.
Possible questions for the assessment of this issue on the operational level and
their corresponding measures are:
5.3 PREDEC framework 171
• How much available computing capacity was used by the process over the last two years?
The actually used computing capacity for the processing of loan applications is
expressed by the “Resource Utilization Rate”. It can be used to identify process
runs, where the utilization rate of computing capacity was above a certain
threshold, whose excess hampers continuity of operations.
• To what extent was the process output used as input for another process?
The (not explicitly modeled) payout process for granted loan applications relies
on input data from the loan application process. Those interfaces with other
processes are measured in terms of “Process Interrelationships”.
Metrics and indicators are further categorized regarding the aspect whether they
address either the structure or the dynamic behavior of the process. A literature
survey carried out by (González et al., 2010) applies a similar categorization of
measures, based on the distinction between the business model design and the
actual execution of the business process. But in contrast to (González et al.,
2010), we intend to incorporate both, structural as well as dynamic metrics into
one measurement system to form an assessment of vulnerabilities. In this context,
structure means that the measurement relates to basically static properties of
business processes. The structure may also strongly influence the process
performance, and, thus, the dynamic behavior of processes (Tjaden, 1999). One
example of a pure structural measure is “Diameter”, which quantifies the length of
the longest path from start node to an end node or “Density”, the ratio of the total
number of arcs (transitions) to the maximum number of arcs in the longest path.
Behavior measures address observed interactions between resources and activities
associated to the process. The behavior of the considered process over time plays
an important role in determining its dynamic evolution, with the goal to evaluate
how well the process is executed. This dynamic behavior of a process is hard to
determine by only analyzing its static structure. Side effects or dependencies
between activities and needed resources have a big impact on the workflow’s
behavior and may easily be overlooked. Therefore, an estimation of the time
5.3 PREDEC framework 172
response is only possible after consecutive runs of the same process and
additionally statistical computation. This estimation cannot be done only by
analyzing the structure of the process as a simulation lacks critical knowledge on
the individual activities. After observing the overall behavior of the process, an
estimation of the runtime of each single activity can be obtained which again
gives further possibilities to quantify the workflow’s resilience. For example,
critical paths can be extracted or the most probable run time is computable.
PREDEC aims to integrate such measures into our approach, because they are
crucial factors influencing business process resilience (Antunes and Mourão,
2011).
Once a set of measures from the measurement system has been linked to
organizational resilience objectives, the desired goals and outcomes of the process
will be stated. The success in reaching those goals/outcomes is subsequently
(automated) measured. To do so, it is important to define operational resilience
levels. Following (Sterbenz et al., 2010), the service levels in particular are
acceptable, impaired and unacceptable, which describe how well the process is
executed. Those levels may be further refined if needed. Resilience is then
specified as the range of operation conditions, for which the service level stays in
the acceptable range. Operational resilience may be compromised by failures (loss
of acceptable service (Meyer, 2013), exceptional process executions (Hollnagel et
al., 2006) and potential weaknesses (interdependencies and bottlenecks Weick
and Sutcliffe, 2007).
The information gathered through the Detection of resilience and respective
vulnerabilities provides input for the subsequent stages of the resilience
management cycle: In the phase of Diagnosis and Evaluation, these
vulnerabilities influencing operational resilience requirements are to be collected
and assessed in terms of traditional security objectives such as confidentiality and
availability as well as economic factors such as costs and utilities (Dumas et al.,
2013; Basili et al., 1994).
5.3 PREDEC framework 173
5.3.3 Analysis techniques
Automated calculation of resilience measures based on event logs requires
application of appropriate analysis techniques to be applied on the structures
elicited from the event logs.
Process mining provides a basis upon which control flow and data flow
information can be gained from the log files. Specifically, processes can be
reconstructed using process discovery techniques. These techniques reconstruct
the control flow, i.e., the structure of the process, possibly extracting time
information regarding the duration of tasks. Process discovery approaches usually
build a Petri net model of the process. These approaches can be classified as
(Accorsi et al., 2013):
• Abstraction-based algorithms. These algorithms construct a model based on ordering relations (preceding/-succeeding) amongst process activities.
• Heuristic-based algorithms. In contrast to abstraction-based algorithms, heuristic methods additionally consider the frequency of ordering relations. This allows the discovery of models that describe the most common behavior recorded in an event log.
• Search-based algorithms. Abstracting from local properties like ordering relations, genetic algorithms mimic the process of evolution.
• Region-based algorithms. Based on a behavioral process specification (language or state-space), the aim of this group of algorithms is to construct a Petri net with corresponding behavior.
Further, commercial process mining suites (e.g. Disco62) often make use of fuzzy
mining methods for the description of process behavior. Instead of focusing on the
detection of the process structure in the sense of OR or AND structures, they only
view activity transitions and their frequency within the process log.
62 http://fluxicon.com/disco/
5.4 Design and implementation 174
The analysis of these structures, which is partly automated, can be used to
visualize, for example, bottlenecks and throughput.
Conformance checking can be used to detect deviations between the expected
process behavior and the actual behavior encoded in the event logs (Accorsi and
Stocker, 2012). These techniques carry on a trace-based analysis and can be used
to determine, e.g., the time needed for each execution and the number of different
executions.
The bulk of work on process mining focuses on analyzing the control flow of the
process. Recent works also deal with data flows or, more generally, resources
used in the process (Accorsi et al., 2013). Data flows can be used to identify
potential leaks or key resources in the enterprise, as well as monitor their
continuous consumption. Similarly, staff workload and work transfer can be
asserted by inspecting the corresponding traces.
5.4 Design and implementation
The preceding sections have introduced the PREDEC-framework that allows the
design of a prototype to detect and assess the resilience of process-centered IS
infrastructures. Based on the conceptual foundations provided by PREDEC, in the
following, the chapter introduces one possible artifact as an example of resilience
management information systems (RMIS) (as introduced in Chapter 4 & 5.1-3).
As we learned in this thesis, resilient systems accept and manage variability rather
than trying to mitigate or reduce it from the outset. Among various resilience
indicators (as introduced in Section 5.3.2), the temporal behavior of a business
process for resilience estimation is crucial since it shows its reaction on different
type of events and threats, as they delay and slow down processing (Dongen et al.,
2008). A less sensitive process will show smaller delays in its execution even
upon high fluctuation of resources.
Consequently, the remaining chapter examines the use of process mining (PM) for
resilience detection. As PM stands for automatable techniques to analyze business
5.4 Design and implementation 175
process models and their execution traces (logs) (van der Aalst, 2011), it is of
great importance for the support and management of automated workflows.
PREDEC represents a framework on which data from the PM is further processed
on, allowing for the extraction of resilience indicators. Focusing on compliance
checking, the next sections report on a case study for the manufacturing sector.
The investigation follows the guidelines of (Runeson and Höst, 2009) for
conducting and reporting case studies. In particular, expert interviews were used
to obtain: firstly, the shape of a non-trivial order-to-cash workflow; secondly, the
set of concrete resilience requirements derived from the set of global business
process security requirements (Power, 2008); and thirdly, the usual execution
characteristics.
The focus of this ITartifact (see Chapter 1 and Bichler, 2006) is on the temporal
aspects of the process. For this, the subsequent sections present a method to model
the amount of resources required as a stochastic function and to sum up the need
for the whole business process, including its branches. In the calculations,
probability distribution functions (PDF) are used instead of using classical
numerical values. Using distribution functions open up the possibility of
considering and measuring uncertainty and to compensate for unknown future
risks and behaviors. The method is not limited to standard distributions as in many
of the previous works. Using PM, decision makers can extract the resource
distribution as PDF for each activity.
A case study is used to illustrate the approach. It shows that modeling the
temporal behavior of a workflow as stochastic variable makes it possible to grasp
the concept of resilience by providing a mathematically framework to deduce
resilience indicators. In line with PREDEC, the ultimate goal is to enable
organizations to automatically identify and assess the interdependence of assets
and processes.
The remaining chapter is structures as follows: First, limitations and research gaps
are identified by reviewing current works on temporal aspects of workflows.
Subsequently, the methodology and research design is elaborated on. Then, the
case study is introduced including an implementation and evaluation of the
5.4 Design and implementation 176
developed IT artifact. Finally, a discussion and summary of the findings conclude
the chapter.
5.4.1 Review of temporal aspects of workflows
Research about temporal behavior of workflows started in the middle of the
1970s. Ramchandani introduced timed petri nets (Ramchandani, 1974) which he
used to model the time response of asynchronous pipelined processors. Later, this
method got adapted and used by Tsai et al. to model the behavior of workflows
(Tsai et al., 1995). Both have in common that they use only earliest possible end
time and latest finish time of an activity to represent time constraints. Eder et al.
provided a similar approach to calculate the timeliness of a workflow or if a
cancellation of optional activities is required to reach the deadline (Eder et al.,
1999). The novelty of this approach is,that it could be used as a monitoring
approach on life processes. Also, Pozewaunig et al. suggested an extension to the
PERT model to cooperate time issues (Pozewaunig et al., 1997). Their model
includes an additional timing aspect with two cases for each activity: worst and
best case, each denoting the first possible start time and the latest possible start
time of an activity. Although these simplifications make it easy to calculate and
describe a workflow, it is no well suited when discussing resilience.
Currently, methods are available to use process mining techniques to predict the
cycle time of a workflow and to tell when a certain case will end. This is done for
example by van Dongen et al. in (Dongen et al., 2008). In this work, non-
parametric regression of data records in event logs are used to estimate the
remaining procession time of a running instance. In (van der Aalst, W.M.P. et al.,
2011) the same question is addressed. A transition system is built to model the
time behavior and to answer, if a given workflow will end in a given time-span. In
the same work, an implementation for the ProM63 toolbox is presented. Another
way of dealing with temporal aspects of workflow is done by Pika et al. (2013).
63 http://www.promtools.org/prom6/
5.4 Design and implementation 177
They identified a set of Process Risk Indicators (PRI) with the intention to capture
the potential of delayed process executions(Pika et al., 2013).
Despite the valuable contributions of existing works, a wide range of limitations
for resilient BPM assessment exist:
Most approaches use parametric descriptions of time such as start/end time or
best/worst cases. Moreover, while today’s approaches treat time as a stochastic
process existing approaches are considering a Gaussian distribution. Even the
regression based methods do only output single values as a possible remaining
execution time and do not supply the user with a probability density function
(PDF) for the remaining time. However, resilience strongly depends on the
behavior between extremes (best case, worse case). Information on how the
system reacts to changes in the environment lies within these two extreme
boundaries (e.g. graceful degradation). The aspect of resilience can only be
discussed when detailed behavior information of a workflow is given so that
possible changes on a workflow model can be simulated accurately to deduce
resilience key indicators.
The here presented approach also gives the opportunity to test on which
probability the workflow will end at which time through calculating the
cumulative distribution function (CDF). The proposed method also makes a
monitoring approach possible: During an active instance more information of the
workflow are known, the estimation is re-computable and yields in a better
forecast which can again be expressed as CDF so that a decision maker can
efficiently judge the current instance in terms of availability, discrepancies and
capable-to-promise aspects. Depending on the risk-appetite of a company, the
order promise can be evaluated at arbitrary points and the method will return a
success ratio for this point. By providing a fine grained probability value instead
of providing only the information that the workflow will be delayed, this method
yields the possibility to estimate how much the workflow is delayed and at which
time the delayed workflow will most likely finish. This approach further does not
depend on the classification of PRI to make forecasts. Instead, by using PM on
single activity basis, all risks that already occurred get encompassed and used for
5.4 Design and implementation 178
estimation calculations. It is also possible to use the extracted information for
finished, single activities in non-finished instances.
5.4.2 Methodology and research design
The guidelines of Runeson and Höst (2009) have been employed to conduct the
case study. A case study is the most appropriate research methodology for this
setting, as its primary objective is exploratory, with a flexible design, and
collecting qualitative (instead of quantitative) data. Concretely, the case study
encompasses the following steps:
1. Case study design: the objectives and objects of the case study are defined.
This is given below.
2. Preparation for data collection (Subsection. 5.4.3.1
3. Evidence collection: carry out the analysis (Subsection. 5.4.3.2).
4. Analysis of collected data (Section 5.4.4).
The “case under study” is the analysis of a real-life business process model and
the derived log file. The process is derived from a medium sized company in
Germany. Figure 40 depicts the formalization of the process.
To present the approach, a scenario is used based on an example workflow. This
section is structured in three parts. First an introduction to the case is given. Then
the requirements are stated. Third, the example is introduced. At the end the
scenario is applied and analyzed.
5.4.2.1 Time behavior - calculus The time distribution for the whole workflow can be calculated out of the time
behavior of each activity. In our case the following rules apply:
Sequential Activities. Two activities with known duration PDF behave like one
activity whose PDF is the convolved PDF of both activities. The convolution of
two functions f(t) and g(t) is defined as
5.4 Design and implementation 179
(𝑓𝑓 ∗ 𝑔𝑔)(𝑡𝑡) = ∫𝑓𝑓(𝑡𝑡)𝑔𝑔(𝑥𝑥 − 𝑟𝑟)𝑑𝑑𝑟𝑟 (1)
For concrete functions, the integral becomes a sum.
The convolution can be seen as the weighted average of the two functions at
moment t. The resulting function will have an area of 1, given the area under both
functions is also 1. This means, if two PDF s are merged, the result will again be a
PDF. As a rule of thumb, the variance increases and the mean get shifted.
Conditional Activities.Convolution does not work for conditional activities.
Depending on the outcome of the branch the one or the other path is taken. For
computation the following procedure is done: First, each individual path is
calculated. Second, each path is weighted with the probability that it is taken
(w0wi). This number can be taken from process mining, it can be estimated or
1/2 for each path, if unknown. After this, the function must be normed. The area
beneath the function must sum up to one. This is done by dividing the resulting
function by its integral.
(𝑓𝑓 ⋁𝑔𝑔)(𝑡𝑡) = 𝑤𝑤0 ∙ 𝑓𝑓(𝑡𝑡)+𝑤𝑤1 ∙𝑔𝑔(𝑡𝑡) ∫ 𝑤𝑤0 ∙𝑓𝑓(𝑡𝑡)+𝑤𝑤1 ∙𝑔𝑔(𝑡𝑡)𝑑𝑑𝑡𝑡∞
0 (2)
5.4.2.2 Resilience in workflows Different aspects must be taken into account to be able to measure the ability of a
workflow to endure stress and to recover from it. According to (Bruneau et al.,
2003), resilience may be defined as
𝑅𝑅 = � 1 −𝑄𝑄(𝑡𝑡)𝑑𝑑𝑡𝑡𝑡𝑡
0
WhereQ(t) is the quality of the system at time t. t0 is the time where a shock took
place and time t1 after recovery of the shock. This resembles the resilience
triangle (Bruneau et al., 2003). In the present case Q(t) can be considered the on-
5.4 Design and implementation 180
time delivery reliability. That is the probability that the desired outcome is
reached until the deadline is due. This calculates to:
𝑄𝑄(𝑡𝑡) = 𝑃𝑃(𝑑𝑑𝑑𝑑𝑟𝑟𝑑𝑑𝑡𝑡𝑑𝑑𝑑𝑑𝑑𝑑 = 𝑡𝑡) = ∫ 𝑝𝑝𝑑𝑑𝑓𝑓(𝑡𝑡)𝑑𝑑𝑡𝑡 = 𝑐𝑐𝑑𝑑𝑓𝑓(𝑡𝑡)𝑡𝑡0 (3)
WherePDF is the resulting time distribution of the whole workflow (see Figure 39
where also deadline d is given). In the figure, the quality value Q(t) is the shaded
area below the curve. After a shock, this probability (hence, Q(t)) decreases and
recovers again over time when new resources are built or are restored. CDF is the
resulting cumulative probability distribution.
Figure 39: Calculation for the quality of the given Workflow64
In line with the well-known “R4 resilience framework” (already introduced in
Chapter 3.2.3.1) created by researchers affiliated with the Multidisciplinary
Center for Earthquake Engineering Research (Bruneau et al., 2003), four aspects
of resilience are used with the here presented approach:
• Robustness: the ability to withstand a given level of stress or demand without suffering unrecoverable degradation or loss of function. This can
64 Visualized as the shaded area below the PDF function from 0 to d (from Zahoransky et al. 2014).
5.4 Design and implementation 181
be reflected in physical building and infrastructure design (office buildings, power generation and distribution structures, bridges, dams, levees);
• Redundancy: the extent to which elements, systems, or other units are substitutable
• Resourcefulness: the ability to skillfully prepare for, respond to and manage a crisis or disruption as it unfolds. This includes identifying courses of action for, business continuity planning, training, supply chain management, prioritizing actions to control and mitigate damage, and effective communication of conditions and decisions.
• Rapidity: the ability to return to and/or reconstitute normal operations as quickly and efficiently as possible after a disruption. Components include carefully drafted contingency plans, competent emergency operations, and the means to get the right people and resources to the right place.
The questions this chapter plans to answer are: Firstly, what guarantees can be
made to the costumer regarding the duration of a production-process? In contrast
to the majority of recent approaches, the answer will not be a simple timespan but
a more sophisticated calculation resulting in a PDF (workflow’s completing time
and related likelihood). Each activity is assigned a probability distribution used
for calculations. It is later described how to obtain such distribution.
Secondly, how resilient is the workflow against disruptive effects? More
concretely, if single activities fail, how does it affect the behavior of the whole
workflow? Thus, the impact of each single activity on the whole workflow will
be evaluated. This enables the simulation of situationswhere some paths of a
workflow become unavailable. To state probability values for the whole
workflow, process mining (PM) may be used to measure the individual time
consumption of single activities. This enables process-managers to calculate the
overall workflow restrains. Eventually, PM returns historic data for instance
running time. This data already includes instances where the completion of the
workflow was not optimal due to different occasions, including malfunctions,
external shocks or other difficulties. Instead of estimating each risk individually,
they are automatedextrapolated by means of PM.
5.4 Design and implementation 182
5.4.3 Case study
To provide a basis for analyzing our framework within a realistic setting, an
order-to-cash workflow by a medium-sized company in Germany was chosen.
The example workflow is depicted in Figure 40. In the present case, it is intended
to assess the resilience and the delivery reliability of this workflow even under
turbulent situations. It is taken to evaluate the introduced approach for resilience
assessment.
5.4.3.1 Example workflow The workflow is triggered when a customer orders machinery, or anything that
needs assembly. We assume that the workflow generates a trace inside a log. By
utilizing this log by PM, we extract the timing information needed for our
calculation. As stated in Section 5.3.2, the log must contain enough information
for the PM to work (such as start and end time, activity ID and instance name).
The timing behavior can still be extracted, even if the workflow model itself is not
known.
5.4.3.2 Evidence collection For each activity a PDF is extracted from the process logs. Some standard
activities take only short times with a low variance while customized or
interrupted activities exhibit longer duration with high variability. This variability
or risk is modeled with a great variance in the time behavior distribution
regardless of the cause of delay. In order to assess the resilience of a workflow we
need information about the workflow’s completing time. This might be a hard
deadline or a point in time after which the service or product is no longer of value.
In our example the requirement is that it must finish within a given number of
days. The historic data from PM would then be used to calculate the probability
that the current workflow model will end within this deadline. As this is an
example workflow, no historic data is available. Hence, the time response of the
single activities is described by common distribution. A short overview of the
single activities is given in Table 11:
5.4 Design and implementation 183
Table 11: Time behavior of each single activity in the example workflow
Activity PDF: (µ,σ) or (p,b) for γ-distribution
Incoming order log-normal(0.2,0.4)
Print component plan φ(0.5, 0.1)
Print assembly plan φ(0.6, 0.15)
Create part list γ(0.9, 0.7)
Acquire parts γ(0.8, 0.8)
Fill out order log-normal(0.1, 0.5)
Send order γ(1, 0.5)
Arrival and inspection log-normal(0.25, 0.5)
Obtain from warehouse log-normal(0.07, 0.3)
Stage from warehouse γ(0.8, 0.3)
Assemble parts log-normal(1.3, 0.4)
Assemble Components log-normal(0.4, 0.4)
Final inspection φ(1, 0.4)
Invoicing and dispatch φ(0.8, 0.3)
5.4 Design and implementation 184
Figure 40: Example Workflow65
65 Each activity is denoted a PDF that it will finish at the given time (see Table 11). (from Zahoransky et al. 2014)
5.4 Design and implementation 185
5.4.3.3 Simulation settings and analysis After applying the rules from the previous sections (5.4.2.1-2.), Figure 41 and
Figure 42 show the resulting PDF and cumulative probability distributions (CDF)
for the time behavior of the whole workflow. While the continuous line illustrates
the result for the overall workflow, theremaining lines symbolize the individual
paths within the workflow. The first figure shows the probability density scaled to
1 for each path.
Figure 41: PDF calculation of the example workflow66
The second figure depicts the CDF, the overall probability that the workflow will
end until the given time. As we can see, the workflow has almost a 90 % chance
of finishing within 10 days under the assumption that the fastest path (all
components are available) is taken. In the other extreme scenario where the
longest path is taken (neither stocks nor preproduced components are available),
66Calculations of the overall time distribution for the example workflow and for each individual paths. Note: Each pdf’s area is scaled to 1. (from Zahoransky et al. 2014)
5.4 Design and implementation 186
the likelihood of workflow completion is less than 10 % (marked by the green-
crossed line). However, if all OR-Splits are considered equally, the overall
workflow still has a change of about 50 % to finish in that time (marked by the
dark-blue line).
Figure 42: Cummulative calculation of the example workflow67
The proposed method provides an accurate picture of the probability distribution
function of the duration time of the workflow: The higher its value (probability
density) at time t, the higher is the probability that it will end at this specific point
in time. Figure 41 shows the PDF for the overall workflow and for each of the
possible paths of the workflow. For readability, the single PDFs are not weighted
with their occurrence probability. Instead they are normalized so that the area
accumulates to one.
Integrating the single PDF yields to the depicted CDFs in Figure 42. Its value
shows the probability that the workflow will end until time t.
67 Cumulative time distributions of the overall workflow and for each individual paths. (from Zahoransky et al. 2014)
5.4 Design and implementation 187
The next section discusses and evaluates the results from the case study.
5.4.4 Evaluation and discussion
For the workflow, the following PDFis calculated by using the calculus from the
previous section as seen in Figure 42. A certain deadline is assumed to depict the
methodology. The calculated PDF of the example workflow is also verified by a
simulation of the workflow. In the simulation each activity is mapped to a random
generator implementing the denoted probability density. The activities are started
according to the structure of the workflow. Each path of an OR-decision is
traversed with a probability of 12� . 100 million runs where simulated for the
result depicted in Figure 43.
Figure 43: Simulation results68
The evaluation shows 98.98 % probability, that the workflow is finished within 18
days even under disruptive events. As discussed previously, this value is not based
68 100 Million runs: The required time (red bars) and calculated values (blue line). (from Zahoransky et al. 2014)
5.4 Design and implementation 188
on optimal or worst case scenarios as in previous works but a realistic estimate
based on historic data that already includes adverse impacts. As seen in Figure 41,
the greatest change for a delay is when parts are not preproduced and need to be
ordered. The additional information can be extracted out of the time behavior: The
robustness of a workflow is expressed by the slope of the pdf. The steeper it is at
the negotiated delivery time, the more susceptible the workflow is to external
influences. In Figure 43, robustness can be expressed as the density of the pdf at
the projected delivery time (near to zero). If an interruption happens, the
workflow would take slightly longer. However, the overall probability of the
intended completing time would not change significantly as the shattered area will
not decrease much. The redundancy of a workflow can be calculated as the
difference between actual probabilities of delivery compared to the negotiated
delivery reliability. A higher success rate indicates a surplus on resources that
increase the redundancy.
The quick and accurate information about the observed workflow further
enhances the resourcefulness and rapidity of the IS: The calculations grant the
possibility to react early to situations that are no longer covered by the workflow’s
robustness or redundancy. Furthermore, our framework gives the possibility to
compare different variations of the same workflow. This is useful for workflow
engineers which start to redesign a given workflow. For each evolved design, they
can compare robustness and redundancy. This also increases rapidity as the
redesign process is more efficient and target-oriented.
It is now possible to rearrange the activities based on the learned numbers to
further increase the operative viability (e.g. by creating the parts list in parallel to
creating the components list). Despite the fact that it would slow down the best
case, this modification could decrease the time required when the upper path is
taken. It would therefore increase the systems capacities to absorb negative effects
as the upper part is essentially involved in the delayed cases. The time behavior
and thus the resilience levels of the re-designed workflow are instantaneous
available as no new data is required.
5.5 Concluding remarks 189
5.5 Concluding remarks
The traditional understanding of trust and security amounts to building large
information systems that are robust, i.e. they avert failures by mitigating the
corresponding risk associated to the execution of business processes. This chapter
introduced a process-oriented framework for information infrastructure resilience.
The key premise behind PREDEC framework is that in merging robustness and
resilience, one can provide for more trustworthy information systems that not only
prevent incidents, but that, upon an incident, fault or attack, can also bounce back
to a stable state and even improve their design. In line with the operational
resilience management cycle, the main research questions for resilience detection
were introduced and schematically sketched the PREDEC and its building blocks.
The subsequentlyproposed approach uses process mining (PM) to create
probability distributions on time behavior of workflows. Instead of relying on an
expert’s view who gauges the possible risk according to her experience, PM can
help and automate this part. The resulting time probability provides an overall
resilience estimation for a workflow. Repeating this method yields in even more
accurate results and finally enables a monitoring approach for resilience
assessment during runtime. This approach is not dependent on an overall
workflow as each activity is considered on its own. This brings the advantage that
the process log does not need to identically match the workflow, as long as the
single activities correspond.
A remodeled workflow can thus be simulated and compared to the original one by
using the same process log. This comparison can be on different resilience
dimensions to support workflow designers to improve existing workflows. During
execution of a workflow the current resilience level can be monitored and
countermeasures can be initiated on run-time if the level drops.
In the future, it is possible to empirically evaluate the effectiveness of the PM data
with interview partners in practice. This comparison will allow foran evaluation of
both, the usability and the relative benefits of the proposed approach compared to
manual exception handling. Moreover, the introduced method is not limited to
5.5 Concluding remarks 190
evaluating timing behavior. Depending on the input functions the method can for
instance be extended to estimate economic impacts of a workflow. Moreover, in a
more complex setup, the functions could be plotted against each other, resulting in
a cost-dependent time behavior. This enables a new and throughout visibility of a
workflow’s resilience on run-time.
design
191
6 Secure Sustainability Benchmarking Service
Chapter 3 shows that in turbulent and complex operational settings any kind of
incident or disruption has the potential to affect multiple lines of business and
organizational units to which they are connected (e.g., Sheffi, 2007; Tanriverdi et
al., 2010; Weick and Sutcliffe, 2007). Such situations reveal that localized and
discrete responses may not be sufficient and require harmonization of managerial
responses by means of integration and collaboration within an organization and
across organizations (see Section 3.1.3.4). Hence, integration - previously defined
as the ability to systematically create and manage structured networks of
relationships – becomes crucial in order to facilitate effective collaborative
responses both within and outside an organization. According to literature
resilient organizations are able to utilize relationships with other stakeholders to
enrich an inventory of resilient responses by obtaining external resources and
supportive actions(Antunes and Mourão, 2011; Bayuk and Silverstein, 2007).
Similarly, integration and cross-organizational collaboration receive also growing
attention in the field of sustainability management. To measure and assess
ecological sustainability performance, such as Carbon Footprint, the assignments
of environmental impacts to those segments that caused them are required.
Consequently, this so-called cradle-to-grave principle means to assess
environmental impacts associated with all the stages of a product's life cycle (i.e.,
from raw material extraction through manufacturing to disposal or recycling). As
organizations have been reducing their production intensity for years by means of
outsourcing and off-shoring of multiple services, the scope of environmental
sustainability is far beyond a single organization and requires a systematic
understanding of an organization’s interconnected value net (Watson et al., 2010).
As business is apparently recognized as being a critical contributor in realizing the
challenges of environmental sustainability (Elliot, 2011), requirements from
stakeholders on sustainability measurement have steadily grown (Chatterji and
5.5 Concluding remarks 192
Toffel, 2010). Moreover, research increasingly demonstrates benefits of proactive
sustainability management (Burnett and Hansen, 2008). In line with the prevailing
view in theory and practice, sustainability benchmarking is defined as a
management tool to identify sustainability performance gaps between business
objects for facilitating continuous improvement and organizational learning (e.g.,
Shaw et al., 2010; Wiedmann et al., 2009). Note, that similar to resilience the
multidisciplinary field of environmental sustainability developed a variety of
definitions and conceptualizations leading to confusion of terminology (Elliot,
2011; Koslowski et al., 2013b). For example, according to the triple-bottom-line
accounting framework sustainability incorporates the three dimensions of
economic, social, and environmental performance (compare Chapter 2), while
Elliott (2011) states that environmental sustainability is an essential prerequisite
of social development. As the contribution of this chapter is rooted in the green IS
research field, e.g., (Dedrick, 2010; Melville, 2010), in the following,
environmental sustainability will be utilized as proposed by Elliot (2011) that
focuses on impacts on the environment without an explicit reconsideration on an
extra social dimension.
This chapter attempts to show that while sustainability benchmarking, in
particular, is a promising approach of proactive sustainability management. It
faces a significant data input and information-sharing problem: Firstly, the
heterogeneity of the data requires significant cost-intensive data gathering and
pre-processing. Secondly, the sensitivity of the data causes enterprises to
reluctantly share this data.
Accordingly, the first division of this Chapter (Sections 6.1 – 6.3) focuses on the
first challenge by analyzing the utilization of the platform principle for an ERP
on-demand provider and sustainability-benchmarking provider69. Beside the
consideration of possible cost savings for providers and users, the focus lies on the
specific potential provided by an ERP on-demand platform. This mainly consists
of the integration of complementary enterprise applications with the core ERP
69 These sections are based on the paper Koslowski and Strüker (2011) which has been previously published in the journal of Business & Information Systems Engineering.
6.1 Sustainability quest for enterprises 193
application and the resulting added value for service users as well as platform and
service providers. This added value will be investigated by using the example of a
software service for sustainability benchmarking (SBM) and explores how this
may contribute to the lasting success of ERP on-demand platforms. As
subsequently shown the quality of the SBM application as well as of corporate
management can be significantly improved. In particular, an SBM software
service that is integrated into an ERP on-demand platform is able to accelerate
market penetration.
Nonetheless, research on inter-organizational systems shows how reserved and
cautious enterprises are still today when it comes to the exchange of sensitive data
(Kerschbaum et al., 2011). Ideally, in order to track inter-organizational data in a
reasonable granularity and precision for holistic sustainability assessments, a
collaborative exchange of sensitive data like environmental impacts and
sustainability indicators will be necessary (Elliot, 2011). For this purpose, the
second division (Sections 6.4 - 6.8) introduces an IT artifact, namely a secure
sustainability benchmarking service (SBS) to overcome the information-sharing
problem70.
For a start, the next section describes why SBM is increasingly relevant for
companies.
6.1 Sustainability quest for enterprises
Stakeholders, such as customers, investors or legislators, are increasingly
confronting enterprises with expectations for more sustainable business practices
(Hoffmann and Busch, 2008, p. 506; Sharma and Henriques, 2005). Practical
implications for companies so far mainly concern the compliance to a variety of
environmental laws in order to reduce liability or to allow better access to relevant
resources: In the European Union, for instance, the so-called ‘climate and energy
package’ (20-20-20 targets) became law in June 2009. The goal was to reduce the
70 These sections are based on a revised version of the paper Kerschbaum et al. (2011) presented at International Conference on Information Systems 2011 in Shanghai.
6.1 Sustainability quest for enterprises 194
output of greenhouse gases by 20%, improving energy efficiency by 20% and
increasing the percentage of renewable energy by 20% by the year 2020 (Melville,
2010). Beside a growing trade of CO2 emission allowances the demand for green
products and sustainable investment funds are further indicators of the growing
importance of an environmentally sustainable business policy (Chatterji and
Toffel, 2010; Dedrick, 2010).
Companies increasingly address the demands of stakeholders for sustainably
responsible business practices by means of publication of sustainability
performance statements (Sharma and Henriques, 2005, pp. 174 f). These
developments include to a greater extent the measurement and documentation of
effects on the environment in the form of sustainability reports and eco-efficiency
labeling of products, besides the avoidance and reduction of ecologically harmful
substances (Cho and Patten, 2007). The European Accountants Modernization
Directive wants enterprises to reveal environmental information in the annual
report as part of their annual accounts. Also in the US, more than 80 percent of the
Global Fortune 250 published sustainability reports (Koslowski and Strüker,
2011, p. 360). Moreover, public, media, and non-governmental organizations,
such as the Carbon Disclosure Project, ask enterprises to provide accountability
and proof of sustainable management such as certificates or sustainability reports
(Dedrick, 2010). Finally, the growing demand for green products calls for
environmental sustainability information (Sharma and Henriques, 2005). Besides
publishing sustainability reports, enterprises have met this demand by
implementing corporate environmental management systems for quite a while.
These measures are especially supposed to fulfill the compliance requirements of
the stakeholders and, in this manner, help to avoid liability claims, reputation
damage, and consumer boycotts (Chatterji and Toffel, 2010; Sharma and
Henriques, 2005).
6.1.1 Sustainability performance management systems
The measurement and documentation of environmental impacts is meant not only
to meet environmental compliance requirements (Sarkis, 2003, p. 97), but also to
6.1 Sustainability quest for enterprises 195
provide a basis for improvements in a company’s sustainability performance and
resource productivity (Hervani et al., 2005, p. 330). This requires a systematic and
deep analysis and control of all business objects, which includes not only a re-
structuring of processes but also the development of innovations in the light of
sustainability (Sharma and Henriques, 2005, p. 160). As a consequence,
sustainability reporting has also changed over the years by expanding from an
internal to an external, i.e., cross-enterprise perspective. By establishing methods
like Life Cycle Assessment (LCA) (Reap et al., 2008) or Carbon Footprint
(Weidema et al., 2008), a more systematic and comprehensive covering of
environmental impacts is increasingly gaining attraction. The basic idea is that
environmental impacts are always assigned to the segment that caused them.
This so-called “cradle-to-grave” principle means to assess environmental impacts
associated with all the stages of a product's life cycle (i.e., from raw material
extraction through manufacturing to recycling and disposal) (Tukker and Jansen,
2006, pp. 152 f). This becomes relevant as more stringent environmental laws and
reporting standards require tracing and accounting of indirect emissions and also
taking pre-chain and post-chain services into consideration. Thus, the scope of
environmental sustainability is far beyond a single organization and requires a
systematic understanding of an organization’s interconnected value net (Watson et
al., 2010).
But particular challenges for the determination of this information results from the
fact that for years, companies have been reducing production intensity and
outsource a variety of upstream processes to suppliers and other third parties for
realizing specialization benefits. As a consequence companies need to examine
their entire value chain in terms of its (environmental) resource productivity in
order to ensure the allocation of all environmental impacts according to their
causes and to avoid double counting(Koslowski, 2011). Different institutions,
such as the World Business Council for Sustainable Development or the National
Renewable Energy Laboratory in the U.S., issue comprehensive recommendations
as regards which environmental effects and related indicators should be included
in the analysis as inputs or outputs (Fava et al., 2009, pp. 492ff).
6.1 Sustainability quest for enterprises 196
Accordingly, Shaw et al. (2010) highlight the importance of managing and
reporting on sustainability indicators to gain significant cost savings and enhanced
productivity. Widely used productivity indicators, such as carbon productivity or
eco-efficiency, represent the relationship of output from a productive activity to
its inputs (e.g., Dedrick, 2010; Hoffmann and Busch, 2008; Wiedmann et al.,
2009). However, in order to make a statement about the productivity of a business
unit or a process, usually the use of a reference object to determine a performance
gap is necessary (Figge and Hahn, 2005). Such a comparative, relative efficiency
measurement represents “the constitutive feature of benchmarking, which is a
fundamental and by now well established concept of modern management and
strategy research as well as business practice” (Hammerschmidt, 2006, pp. 89,
translated). Hence, benchmarking is seen as a promising tool for sustainability
performance measurement and management (Sarkis, 2010).
Benchmarking, in general, means the “search for industry best practices that leads
to superior performance” (Camp, 1989, p. 19) and as a continuous and systematic
process that compares specific research objects with reference partners using
diverse measurements (Spendolini, 1992). Due to an increasingly dynamic
environment and complex markets on the one hand and limited rationality and
scarcity of resources on the other, companies are striving to increase their own
performance at reduced risk by means of learning from successes and failures of
others. Solutions should not only be imitated, but rather be seen in context with
their own core competencies and developed further. The orientation towards
competitors is also supposed to prevent that market requirements in resource
allocation are not sufficiently taken into account. Benchmarking thus represents
“a synthesis of the thesis ‘market orientation’ (search for opportunities) and the
antithesis ‘resource orientation’ (capacity building)” (Hammerschmidt, 2006, p.
93).
In terms of sustainability policies Graafland et al., 2004, pp. 139ff) mention
central reasons for sustainability benchmarking (SBM): It increases the
transparency, accountability, and credibility for stakeholders through the
objectivity of a third party and improves the identification of a company’s
6.1 Sustainability quest for enterprises 197
weaknesses. Eventually, (Reid and Toffel, 2009, p. 1171) argue that companies
often react to external requirements in order to follow their competitors who have
already taken appropriate action. With the help of an SBM thus the next
evolutionary step for pro-active management of a company’s sustainability
performance can be reached (Hoffmann and Busch, 2008, p. 506). The validity of
information on a company’s sustainability performance always depends on the
quality and quantity of the provided data basis. In practice, the potential
significance of the sustainability performance to be measured can be increased
with an increasing scope and detail of information about a company’s processes
and products (Melville, 2010).
On the enterprises’ side, the need for detailed analyses clearly exists (Wiedmann
et al., 2009, p. 361), but the realization often fails as a consequence of difficulties
in terms of data availability due to inconsistent approaches to the measurement
and collection as well as the insufficient exchange of data between companies
(Hoffmann and Busch, 2008, pp. 517f). In addition to such methodological
problems, also the high costs of extensive analyses may hinder the sustainable
development of enterprises (Butler, 2011). The next sections explores in detail
why sustainability benchmarking – in spite of the aforementioned benefits – is
still in an early stage of development.
6.1.2 IT-based SBM
During the last two decades, information technologies have already led to crucial
improvements regarding the operational efficiency of supply chains in terms of
the well-established dimensions of cost, time, quality, and flexibility. Companies
now also expect the realization of ecological improvements through the use of
information systems, so-called “Green IS” (Dedrick, 2010, p. 179; Koslowski et
al., 2013b; Melville, 2010, p. 3). For example, ERP data on machinery and
process lead times may provide a detailed data basis for sustainability
management by linking these to respective energy costs and CO2 concentration.
Also in product development, the access to ERP data, such as material and
supplier choice, could allow conclusions on environmental effects during the
6.1 Sustainability quest for enterprises 198
product life cycle. Different substances and materials are made comparable by
transformation into CO2 equivalents and can therefore be included in calculating
optimization. Furthermore, physical properties, such as weight or size, which may
influence the transport and energy consumption during use and recovery of the
final products, are calculated prior to development (Zhu, 2010, p. 28; Linton et
al., 2007, p. 1075).
Apart from increased data quality also shorter reaction times constitute an
essential benefit of information systems for sustainability management. To date,
enterprises’ sustainability-relevant data are mainly collected manually using
questionnaires or semi-automatically through import of different documents and
tables (Butler, 2011). Given, for instance, the Global Reporting Initiative, the
Dow Jones Sustainability Index, the EPA Climate Leaders Greenhouse Gas or
Toxic Release Inventory, a number of established and competing standards exists
(Chatterji and Toffel, 2010). They cause immense personnel expenses both on the
part of data providers through the data compilation and preparation and on part of
the user during data collection. Therefore, companies often draw upon specialized
service providers such as SAP or C2P GreenTech info (Butler, 2011, p. 19).
Currently available SBM on-premise71 applications already allow extensive
comparisons inside a company. However, to perform inter-organizational
comparisons enterprises often join benchmarking networks and groups
exchanging experience such as the Carbon Disclosure Project. This is often
because of high data collection costs as well as the necessary adaptation of data
due to different software. The involvement in such a cooperative network
platform is supposed to enable the transfer of core capabilities, which also
includes tacit knowledge in addition to explicit knowledge assets
(Hammerschmidt, 2006). Although companies are pursuing different - sometimes
contradictory - objectives even within one value chain and inter-organizational
benchmarking has long been considered unthinkable, it can be observed that
71 In a conventional on-premise application deployment model, the organizational data continues to reside within the organizations boundary and is subject to its physical, logical, and personnel security and access control policies. In an on-demand or “as-a-service” model, the data is stored outside with the service vendor Subashini and Kavitha (2011a).
6.2 Integration into an ERP on-demand platform 199
companies increasingly realize that the additional benefits through collective
“learning” may prevail the risks of opportunistic behavior for all parties
concerned (Helper et al., 2000, p. 468)72. The essential importance of an inter-
organizational exchange of information for meeting corporate sustainability
objectives is also highlighted by Linton et al. (2007) who particularly identify the
large potential for improvement in product development and reuse of raw
materials and by-products through re-design (Linton et al., 2007, pp. 1078f).
Outsourcing sustainability performance management to an intermediate service
provider could not only reduce costs of acquisition and maintenance of relevant
expertise and knowledge, but also increases objectivity and thus credibility with
third parties (Kolk and Mauser, 2002, p. 25). Furthermore, permanent contact and
a greater number of relationships make it possible for a benchmarking service
provider to detect trends early (so-called innovation effect). As a mediator
between both sides of the market (data supplier and benchmarking consumer), he
has a strong interest in permanently keeping up the relationship with the
companies in order to save agreement and coordination costs for repeated
acquisition of data and also to establish a positive reputation and in consequence
create trust.
6.2 Integration into an ERP on-demand platform
ERP applications offered as Internet-based software services (SaaS) so far only
have a small market share (Benlian et al., 2009; Hofmann, 2008). The ERP world
market leaders for traditional on-premise applications, SAP and Oracle, react
ambivalently to this on-demand service: On the one hand, they point to the
industry’s continuing demand for traditional ERP solutions and are thus skeptical
of the market potential of ERP on-demand solutions. In addition to regulatory
obstacles and critical privacy and security related aspects, researchers and
practitioners particularly identify so-called “mission-critical applications” to be a
72 However, lack of trust may still constitute an insurmountable obstacle for information sharing. A problem to overcome this challenge will be provided in Section 6.5f..
6.2 Integration into an ERP on-demand platform 200
problem and therefore claim further technical development needs (Subashini and
Kavitha, 2011b). On the other hand, SAP currently offers ERP on-demand
solutions with Business One (formerly Business ByDesign73) and Oracle via
NetSuite74. They bind significant corporate resources through the development of
other software services, and see a growing willingness among companies to trust
in cloud providers also for financial data, e.g., a recent forecast report estimates a
18.5 percent market growth in public cloud services in 2013 to total 131 billion
US-Dollar (Gartner, 2010).
6.2.1 ERP as a platform
However, the changes which currently become apparent in the market for
enterprise software are not limited to the choice between the alternatives ERP on-
demand or ERP on-premise: Platforms for enterprise applications, such as
“AppExchange”75 by Salesforce, show how to successfully transfer the platform
principle, as e.g., known from Apple’s App-Store, to enterprise applications
today. Hence, this CRM on-demand provider claims to already have offered more
than 1,800 complementary services, so-called apps, via its internet-based platform
in August 2013. Given this success and the central importance of ERP software
for managing companies the integration of ERP on-demand and the platform
approach appears promising (Hofmann, 2008).
The ongoing subsections analyze the utilization of the platform principle for an
ERP on-demand provider. Beside the consideration of possible cost savings for
providers and users, the focus lies on the specific potential provided by an ERP
on-demand platform. This mainly consists of the integration of complementary
enterprise applications with the core ERP application and the resulting added
value for service users as well as platform and service providers. This added value
will be investigated by using the example of software service for sustainability
benchmarking (SBM) and explore how this may contribute to the lasting success
73http://www54.sap.com/pc/tech/cloud/software/business-management-bydesign/overview/index.html 74 http://www.netsuite.com/portal/landing/oneworld-for-oracle.shtml 75 https://appexchange.salesforce.com/
6.2 Integration into an ERP on-demand platform 201
of ERP on-demand platforms. As subsequently shown, the quality of the SBM
application as well as of corporate management can be significantly improved. In
particular, a SBM software service that is integrated into an ERP on-demand
platform is able to accelerate market penetration.
6.2.2 Literature on ERP on-demand
Before explaining the platform concept and discussing the essential work relevant
for an ERP on-demand platform, this section firstly outlines the research gaps on
ERP on-demand by means of a comprehensive literature search.
The scientific analysis of ERP applications designed according to the SaaS model
has hardly been carried out so far. A search of title, abstract, and keywords (in
August 2011) in the databases Business Source Premier, MLA International
Bibliography, EconLit, Science Direct, IEEE Xplore, ACM Digital Library,
SpringerLink, DBLP, and Google Scholar found only six relevant results. As
logical search term we used (“ERP” OR “Enterprise Resource Planning”) AND
(“on-demand” OR “as-a-service” OR “software-as-a-service” OR “Cloud
Computing” OR “Platform as a Service” OR “PaaS”). The above databases
considered the journals ACM Transactions on Information Systems,
Communications of the ACM, European Journal of Information Systems,
Information Systems Journal, Information Systems Research, Journal of
Management Information Systems, Journal of the AIS, Management Science, MIS
Quarterly, and Wirtschaftsinformatik/BISE, among others. None of the six
contributions found was published in one of these journals.
The literature review on the much more comprehensive concept of Software as a
Service (SaaS) has provided a number of works presented in table 12. In total,
however, computer science related publications are dominant again, while IS-
related contributions are available only sporadically. The contributions by
Lehmann and Buxmann (2009) and (Mathew and Sumesh, 2010) dealing with
SaaS and pricing have to be pointed out as well as Benlian et al. (2009) who
empirically investigate the adoption of SaaS-based applications. (Demirkan et al.,
6.2 Integration into an ERP on-demand platform 202
2010) analyzes potential coordination strategies between software and hardware
or infrastructure providers. (Susarla et al., 2010) deals with modeling the
relationship of SaaS providers and consumers as a principal agent problem
illustrated by a SaaS CRM application. The question of what additional value is
achieved through a SaaS-based application for enterprise customers by means of
cost savings and flexibility or elasticity (Armbrust et al., 2010) remains
unanswered.
Table 12: Results of the literature review on “SaaS”76
Databases Search term: SaaS or Software as a Service
Business Source Premier (including MLA International
Bibliography, EconLit, and ScienceDirect) 11
IEEE Xplore 96
ACM Digital Library 6
Springerlink 2
DBLP 49
Google Scholar (without limitation to peer-reviewed
journals) 144
In addition to Apple’s App Store and the marketplaces for business software
offered by Salesforce, generally platforms (also sometimes termed as eco-
systems) have long played a major role in information-goods markets and in
markets with physical products and services (Cusumano, 2010; Kim et al., 2010).
76From (Koslowski and Strüker, 2011, p. 360).
6.3 System dynamics model 203
A central characteristic of such platforms is that actors using these platforms
create more value together than alone (Kim et al., 2010, p. 151). Conversely, this
means for the participating companies of a platform that their own success
depends on the long-term vitality of the platform. This is especially true for
knowledge-intensive industries such as ICT where companies often do not
compete individually, but are sub-units in a competition of platforms which is
highly influenced by self-reinforcing feedback (Arthur, 1996, p. 104). The next
section will tie in with this aspect and shows how a SaaS-based SBM application
that is integrated into an ERP on-demand platform may significantly contribute to
the diffusion and economic success of the platform.
6.3 System dynamics model
For analyzing how the integration of a SaaS-based SBM application into an ERP
on-demand platform may significantly increase and accelerate the market success
of both components, an ERP on-demand platform is assumed which is not being
offered at the market in this form. This platform for SaaS-based enterprise
applications is characterized by the fact that the success of the participating actors
significantly depends on the vitality of their platform (Arthur, 1996, p. 100). This
is, among other things, due to feedback effects which have been studied
intensively as increasing economies of scale in economic disciplines, e.g., in the
context of organizational path dependence (for a review see (Sydow et al., 2009)
or strategic management Markides and Williamson, 1996). Since comparative-
static analysis methods do not allow for a holistic view of feedback of an
integrated ERP on-demand platform, we have chosen a qualitative system
dynamics approach that considers the systemic interconnections as well as
complexity and dynamics of social and economic systems (Coyle, 2001, p. 10).
6.3.1 Methodology
The bounded rationality and the predominantly linear thinking of individuals lead
to the fact that decision makers often do not directly recognize the dynamical
behavior of social systems and their functional relations (Richmond, 1997, p.
6.3 System dynamics model 204
133)and, due to these misjudgments, make changes to the system that may have
unintended consequences (Senge, 1997, p. 58). Based on system thinking, i.e., the
disclosure of mental models and the representation in formal models, knowledge
about system identity, such as its structure or behavior, can be generated. In this
case, each model element has a real world counterpart so that an adequate analysis
of the causes of problems and their consequences contribute to decision making
(Senge, 1997, p. 73). Following the axioms of system dynamics, social systems
interact with their environment. Interactions are represented via causal arrows
between system elements, whereas the kind of impact (positive or negative) is
visualized through polarities. Since any impact between two system elements
directly or indirectly becomes a cause of new impacts itself, dynamic time figures
evolve from cause-effect-chains, which can only be explained and predicted by
means of models and sufficient knowledge of the internal system structure (Senge,
1997, p. 63). Hence, the modeling process forms the center of system thinking
(Forrester, 1994, p. 246).
Jay Forrester originally refers to the quantification and simulation of a formal
model as a necessary step for the traditional system dynamics approach to reach a
solution (Forrester, 1994, p. 245). However, since the early 1980s more and more
purely qualitative models have been developed, which are limited to the
description of the system and the creation of causal loop diagrams (Coyle, 2000,
p. 225). The starting points of these models are the lack of availability of valid
data, the idealized representation of reality due to the restrictive nature of flow
charts, and the tendency to develop models that are too detailed and complex to
allow for common learning, which actually is the main purpose of system
dynamics (Wolstenholme, 1999, p. 424). Hence, especially in situations of great
complexity and uncertainty a qualitative approach in terms of “system thinking”
(Senge, 1997) or “qualitative modeling” (Coyle, 2000, p. 225) is sufficient and
appropriate (Forrest, 2010). In the following context, hypotheses will be
formulated based on an appropriate theory so that the problem behavior is
(endogenously) generated from the feedback structure of the model. To visualize
the hypotheses-based causalities, mainly causal diagrams are used. Following
(Coyle, 2000, p. 225) the benefit of qualitative modeling results particularly from
6.3 System dynamics model 205
the facts that very complex problems can be visualized in a simple and compact
form, that the problem focus is sharpened during the discussion and analysis and
that the identification of feedback can already explain system behavior. The first
objective of this chapter predominantly consists of explaining the added value of
an integrative SBM service within an ERP on-demand platform from a dynamic
perspective for scientists and practitioners. For this, a qualitative model will be
developed that discloses feedback within the platform and offers sufficiently
realistic predictive power despite simplifying assumptions to reduce complexity.
For this purpose, the proposed model will draw upon information and network
economy for the definition and derivation of suitable hypotheses as well as upon
concepts of adoption and diffusion research. The starting point of investigation is
the problem definition, which is carried out from a dynamic perspective
(Forrester, 1961): How does an integrated SBM complementary service affect the
market penetration of an ERP on-demand platform? The remaining aspects of the
modeling process are subject of the next sub-section.
6.3.2 Model development and analysis
After a problem is defined, it is important to firstly identify key variables, i.e.,
central factors which explain the system structure and behavior patterns.
A dynamic perspective requires the behavior of the variables over time to be taken
into account. Key variables and temporal behavior eventually enable the
development of a causal loop diagram which helps to detect and visualize cause-
effect relationships. Figure 44 shows the result of the analysis. Due to the
complexity of the model, the identified key variables are presented at first before
we draw attention to their interactions. In order to facilitate the comprehensibility
of the arguments for the reader, key variables and feedback are distinguished.
6.3 System dynamics model 206
Figure 44: Feedback Loops77
Diffusion curve: Limited by the maximum market potential (potential_adopters),
the diffusion curve of an ERP on-demand application and an SBM service can be
described as an S-shaped curve through the aggregation of the individual purchase
or adoption processes becoming steeper with increasing diffusion or adoption
(adoption_rate) (Rogers, 2003, p. 272). Product-related factors are considered to
be the most important influencing determinants for the diffusion of an innovation
(Gatignon and Robertson, 1985, pp. 850 ff). According to the classification
proposed by (Rogers, 2003, pp. 22 ff), here, the innovation attributes
(attributes_of_ERP/SBM) relative advantage, compatibility, and complexity are
particularly significant (Moore and Benbasat, 1991, pp. 195 ff). Relative
advantage represents a measure of the extent to which the innovation is preferred
to alternative offerings. This superiority may result from economic reasons, time
savings, or status issues. In addition to the existence of common standards,
compatibility also describes the innovation’s consistency with existing values,
needs, and experiences of the consumer. While the first two influencing factors
have a positive impact on the rate of adoption, complexity, i.e., the difficulty of
77 From Koslowski and Strüker (2011, p. 363).
6.3 System dynamics model 207
understanding and applying an innovation, leads to a delay of adoption (cf.
Rogers, 2003, pp. 233, 249, 257). As an additional obstructive feature the
perceived risk is mentioned as an influencing factor considering the fact that the
adoption of an innovation is determined by the pursuit of risk reduction (see
Figure 44).
Network effects: Information technologies are often characterized by network
effects when people use a common standard and thus form a common network
(Brynjolfsson and Kemerer, 1996). Here, direct network effects refer to the added
value of a product resulting from the increasing number of network users (Katz
and Shapiro, 1985). These effects are identified in the model through the loop
between actual_adopters_ERP andattributes_of_ERP. Particularly regarding the
use and management of information systems there is a variety of standardization
advantages both for the application and for the support of IT (Lee and Mendelson,
2007, p. 395): The coordination of a standard platform facilitates the exchange of
information, generates a larger repository of configuration knowledge and
problem solving options, and increases the availability of complementary
software. As already shown, this particularly applies to knowledge-based services
such as SBM (see the previous section).
Therefore, we can conclude that network effects are also of great importance for
the success of an ERP service, since the diffusion of a system may additionally
result in a higher interoperability (syntactic and semantic compatibility) between
companies and provides an advantage compared to less common solutions.
Another cause for network effects can be seen in so-called learning and
experience effects (Arthur, 1996, p. 103). High-complex products, such as
software applications, require an introductory period to establish a sufficient
understanding (Moore and Benbasat, 1991, p. 200). The resulting learning
expenses and uncertainty of potential consumers have an obstructive effect on
their adoption (Rogers, 2003, pp. 233ff). If an established standard exists, it is
more likely that customers will be able to draw upon existing knowledge and
easier to appoint employees who are familiar with the standard. Especially in case
of standardized corporate applications, such as ERP systems, the experience and
6.3 System dynamics model 208
expertise of the users may lead to switching costs or even lock-in effects (Varian
et al., 2005, p. 21).
Learning and experience effects on provider side: Conversely, providers may
exploit users’ collected experience and their suggestions for further product
development. Moreover, they can gain experience (improved_knowledge) and
develop capabilities (Rosenberg, 1982) themselves in the course of service
provision, which can also be used for quality improvements (Fichman and
Kemerer, 1997, p. 1345). Furthermore, empirical studies show that in many
industry sectors unit costs can be reduced by an average of 20–30% with a
simultaneous doubling of output as a result of experience (Dutton and Thomas,
1984, p. 235). Also an ERP provider will be able to realize some cost reductions
with growing demand, among other things, as a result of increasing experience
and specialization in data collection, data normalization and data analysis, as well
as through standardized contracts and volume discounts for the use of the network
infrastructure, which in turn can positively affect the adoption rate. Since building
knowledge and experience is time consuming, a delay must be taken into account
during modeling. In the case of time savings here, e.g., a first-mover advantage
may come into effect.
High fixed costs: Investments in building an IS infrastructure and the production
of information are usually associated with significant costs and uncertainty.
Information is an intangible good which continues to exist even with repeated use
and which can be quickly transported and consumed via media (Laudon and
Laudon, 2010). Thus, costs largely occur during the initial creation of
information, whereas reproduction and distribution cause very low marginal costs.
Once these sunk costs are realized information providers can achieve significant
economies of scale with increasing dissemination of information (Arthur, 1996, p.
100). Economies of scale and capacity utilization are also a major selling point for
cloud computing (Armbrust et al., 2010).
While development, maintenance, and administration of ERP applications in form
of SaaS are carried out only once, the provider can quickly and inexpensively
make the application available to a variety of customers via the internet. The
6.3 System dynamics model 209
customer, in turn, uses the application via the internet without owning it and pays
for its use, usually in the form of a subscription fee (Lehmann and Buxmann,
2009). The potential economic benefits of a software service from the customers’
perspective can be seen in the fact that companies can afford IT departments that
are not fully stretched with capacity limits that are designed for the maximum
usage (Armbrust et al., 2010). At different points in time and with fluctuating
demand a specialized and large software service provider can then achieve a
significantly higher utilization of data centers by means of statistical multiplexing
and virtualization technologies.
Moreover, additional economies of scale result from discounts for energy,
hardware, and bandwidth when operating very large data centers (Armbrust et al.,
2010). As shown in figure 44, the capacity utilization of ERP providers increases
with an increasing number of users, which enables significant cost savings
(utilized_capacity_ERP). These gains may – for example, through investments in
improvements or price reductions – increase the relative advantage of the ERP
service which in turn promotes adoption and dissemination.
Social influences: Investments in enterprise software constitute adoption
decisions, which bear uncertainty due to their specificity. Thus, potential users
frequently turn to the observed product selection of prior adopters when
searching for information and shaping preferences,
(positive_expectations_ofpotential_customers) (Bikhchandani et al., 1992). Such
effects are important for internet-based goods and services for two main reasons:
On the one hand, the complexity of the adoption decision resulting from the flood
of data and information is reduced by means of selecting popular offerings. On the
other hand, information about the preferences and decision behavior of third
parties is more easily accessible in digital markets, due to, e.g., recommender
systems and user experience (Duan et al., 2009, p. 23). Duan et al. demonstrate
empirically that informational cascades have an increasingly positive impact on
the adoption of lower ranking products (2009, p.25). As opposed to network
effects, informational cascades and social contagion (Angst et al., 2010) do not
refer to the increase in economic benefits of the goods or services, but to the
6.3 System dynamics model 210
reduction of uncertainty. Since in accordance with the diffusion theory
particularly late adopters and laggards adopt only after advanced steps of
dissemination (Rogers, 2003, pp. 284 f) a substantial time delay here is to be
expected, too.
Economies of scope: If a provider is in a situation where it is more cost-effective
to market several products jointly, economies of scope or synergistic effects may
result (Panzar and Willig, 1981, pp. 268 ff). Often, these effects originate from
sharing common resources and the transfer of skills (Markides and Williamson,
1996, p. 340). Economies of scope on the consumer side are often referred to as
indirect network effects (Katz and Shapiro, 1985, p. 424). The benefit increase is
not a direct result of the relation between the actors of a network, but is rather
caused by the additional (further) development of complementary services due to
the increasing numbers of users. Today, sustainability benchmarks are primarily
based on published data which can be partly questioned in terms of their
reliability and objectivity and thus ultimately as regards their information value
(e.g. Chatterji and Toffel, 2010, p. 1163; Graafland et al., 2004).
Although the offers from established software vendors like SAP and Microsoft
basically provide an automated access to various information systems using
appropriate application programming interfaces, but also in our case the data basis
is mostly provided by estimated “average” values. The comparison with the
industry average (average practice) is contrary to the principle of benchmarking
which inherently focuses on the best comparison partners (best practice) (Camp,
1989, p. 19). Furthermore, a superficial investigation and use of highly aggregated
and unverified data does not allow for an effective detection of performance gaps
in accordance with the objectives of SBM (Hervani et al., 2005). Overall,
providers of larger enterprise solutions appear superior compared to specialized
benchmarking service providers, since the latter must first develop interfaces for
greater automation with customer information systems. In addition, ERP and
SCM providers may, possibly in interaction with their own benchmarking
services, draw upon existing competencies in the design of business processes and
better ensure syntactic and semantic comparability of data
6.3 System dynamics model 211
(database_for_operational_and_sustainability_ information). In doing so,
ultimately also the proportion of quantitative information for sustainability
management can be increased.
Self-reinforcing effect of an integrated ERP platform: As the figure illustrates, the
combination of an ERP on-demand system and a complementary service such as
the SBM leads not only to complementary effects on the sides of both providers
and consumers. Instead, the combination also leads to a complex positive
feedback effect that mutually intensifies the diffusion of ERP on-demand and
SBM services. A combined ERP and benchmarking application duplicates the
scale effects as both services are provided completely digitized. The reason is to
be found in very large data centers which lead to considerable cost savings when
purchasing hardware, network bandwidth, and power compared to medium-sized
data centers (Armbrust et al., 2010). Theoretically, any on-demand benchmarking
provider may operate very large data centers and thus ultimately achieve low unit
costs. However, this requires a sufficient workload to actually achieve the targeted
reduction in unit costs.
This is exactly where the integrated ERP and benchmarking on-demand provider,
which can start from an existing ERP customers’ base, achieves a systematic
advantage. It begins with a higher workload than a service without ERP basis. In
this way, the provider is able to share realized unit cost reductions with the
customers through reduced prices and to gain additional customers. Consequently,
the unit costs decrease with each additional benchmarking customer so that again
more customers are attracted through price reductions. Such an extreme unit cost
digression is not possible for a traditional provider since a saturation point is
quickly reached and additional customers again increase costs at some point.
6.3.3 Discussion
According to the analysis, running an ERP software service as an application
platform also appears profitable for other services that are based on ERP data in a
similar way as benchmarking services. Given the central importance of an ERP
6.3 System dynamics model 212
system for corporate processes, the integration of applications requires a particular
accuracy (Benlian et al., 2009, p. 422). Applications, such as ERP systems and
benchmarking services, which have greater strategic importance and specificity,
should be offered by the platform provider. Due to its responsibility and liability
for the entire platform, this indicates more credibility for potential customers than
if offered by an individual complementary service provider. Such additional
applications would in turn lead to both a better utilization of computing capacity
and to a higher attractiveness of the offer for customers. In this context, it is
interesting for practice whether third-party providers similar to Apple’s App Store
should be approved, which consequences may result from the competition
between the applications on the platform, and thirdly, how they should be
positioned in regard to the platforms of ERP competitors. An answer to these
questions requires extending the presented model to competitors and intense
competition.
The admission of third-party providers makes it appear reasonable to evaluate the
impact on trust relationships. Since companies will not necessarily trust third-
party providers on a platform to the same extent as the ERP provider, trust
building measures such as reputation or isolation mechanisms, e.g., access
monitors (Schneider, 2000) or process analysis (Accorsi et al., 2011), must be
evaluated. In particular, the multi-party computation approach could play a central
role for this purpose (Yao, 1986) as this approach focuses on enabling the
comparison of data between systems without disclosing the data between these
systems. The threshold for participating companies to provide data would be
reduced significantly.
The increasing connection of objects to the Internet, such as cargo containers,
electricity and gas meters, or machines equipped with temperature, motion,
position, or moisture sensors, provides significant potential to further improve the
data base for SBM providers (Dedrick, 2010; Melville, 2010). Apart from direct
and detailed energy consumption that can be measured in an automated way,
precise tracking of containers and products allows for a more accurate
determination of CO2-emissions. However, the cross-company exchange and thus
6.4 Towards a confidential SBS 213
the provision of these data for an SBM require information exchange
infrastructures which are so far only rudimentarily available. Finally, the
availability of better data will not necessarily lead to higher benchmarking quality
(Wiedmann et al., 2009). To account for a large number of comparison criteria,
such as cost, CO2-emissions, waste, or product units, appropriate procedures
should be used. Therefore, it is necessary to examine to what extent they are
already available.
6.4 Towards a confidential SBS
The preceding sections have demonstrated the benefits of proactive sustainability
management and sustainability benchmarking in particular. Multiple benefits
associated with sustainability benchmarking are summarized below (e.g.,
(Björklund, 2010; Miakisz, 1999; Sarkis, 2010; Shaw et al., 2010):
• By tracing environmental impacts across the entire supply chain, sustainability benchmarking improves the accountability and transparency of an enterprise by fulfilling a cradle-to-grave perspective. It further allows measuring and communicating the improvements made and enables stakeholders to judge the level of responsibility of an enterprise.
• It identifies problem areas that might be overseen and therefore provides opportunities to improve environmental and economic performance simultaneously.
• Comparisons within and between entire supply chains allow enterprises to
choose suppliers according to sustainability criteria.
Although SBM is a promising approach of proactive sustainability management, it
faces a significant data input and information-sharing problem: The quantity and
availability of ecological data makes the benchmarking process very difficult to
execute today (Shaw et al., 2010). While typical challenges of benchmarking
exercises, such as scope selection, time, common accepted indicators and cost
(Shaw et al., 2010), are also relevant for sustainability benchmarking, cost and
6.4 Towards a confidential SBS 214
confidentiality, in particular, hinders sustainability benchmarking from a wide use
(Matthews and Lave, 2003).
The remainder of the subsequent chapter is structured as follows: The next section
describes the applied research approach. This is followed by a description of the
data input problem for sustainability benchmarking and the identification of
appropriate solutions to these data quality and quantity problems. A subsequent
literature survey reveals that there is, however, a lack of research on the
information-sharing problem. Finally, a solution for a secure sustainability
benchmarking service (SBS) is presented. The chapter ends with a discussion of
strengths and limitations for future research.
6.4.1 Research design
The problem which the remaining chapter tackles is the lack of data for
sustainability benchmarking due to cost-intensive manual data collection and
insufficient willingness of information-sharing across organizations. The problem
is addressed by using the well-known design science research approach (e.g.,
(Hevner et al., 2004) to develop an IT artifact that enables enterprises to measure
and compare sustainability performance in a confidential manner. Melville (2010)
states that “design research is essential to developing innovative IS-enabled
solutions to environmental problems and evaluating their effectiveness” (pp. 8).
The design science methodology seeks to create IT artifacts that are intended to
solve specific organizational problems and provide rigorous evaluation of these
artifacts based on utility rather than an empirical test of theories. This
encompasses successive steps of problem identification, definition of objectives
for a solution, design or development of a suitable IT artifact, and demonstration
of the proof of concept, evaluation, and communication (Hevner et al., 2004).
Accordingly, the chapter first identifies the data input problem and its relevance
by screening the literature. This is followed by a discussion of proposed solutions
to this problem and the introduction of a hybrid model based on homomorphic
encryption and differential privacy in order to overcome the information-sharing
6.4 Towards a confidential SBS 215
problem. Afterwards, functional and security objectives for the SBS are derived in
order to develop the corresponding method with an instantiation. The subsequent
section evaluates security using theoretical, cryptographic proofs, performance via
measuring a prototypical implementation, and functionality by comparing with
non-secure benchmarking initiatives. Rigorous cryptographic proofs for security
are followed. The proposed method is secure if the underlying encryption system
is secure and Paillier’s encryption is provably secure if the decisional composite
residuosity assumption holds (Paillier). The measurement of a prototypical
implementation is used applying the statistically sound methodology of (Georges
et al., 2007). Then the functionality with non-secure benchmarking initiatives
(e.g., SAP, 2011) is compared. Finally, the chapter discusses the proposed
solution and highlights implications for business practice and further research.
The following section will firstly show that data capturing and data adaptation are
so costly because both are still mainly manual operations.
6.4.2 Automated data gathering
Regardless of which of the sustainability benchmarking types is to be conducted,
the relevant data first has to be gathered from the actor(s) and reference object(s)
before the benchmark is processed. ERP systems are considered as key in order to
automate the data capturing process (Funk et al., 2009). They provide the
necessary data such as consumption of energy, water and materials (Makrinou et
al., 2008) as indicated in Table 13 and, in this manner, they can be used as a basis
for sustainability performance evaluations such as ISO 14000 series or
environmental reporting as Global Reporting Initiative (Shaw et al., 2010).
Important sources of data based on ERP modules are bills of material and work
plans for the production processes. The integration of this data enables assigning
environmental impacts to the corresponding business objects.
Automatingthe process of extracting and processing the necessary environmental
data requires specific sustainability management applications that are integrated
into ERP systems (compare the previous sections). Such applications are not only
6.4 Towards a confidential SBS 216
able to integrate management information including manufacturing, accounting,
or sales across an entire organization. They can also account for anthropogenic
material and energy flows occurring in production processes. This requires the
consideration of environmental impacts, for example in material management,
transport planning, or business process management.
Table 13: Data Collected and Indicators for SBM78
Although the systematic and deep integration of sustainability management
information systems and ERP systems is comprehensively discussed in IS (e.g.,
Funk et al., 2009), these conceptualizations and reference architectures have
mainly prototypical status at best, and are not yet widely diffused in companies.
Nevertheless, first experiences with business software solutions are promising.
For instance, Butler (2011) reports time savings of more than 90% when an ad
hoc evaluation of a product is calculated with SAP’s “Compliance for Product”
compared to the still dominating manual spreadsheet solution. These significant
savings in terms of working hours can be achieved when sustainability
applications comprise widely accepted environmental compliance repositories and
frameworks for reporting and management purposes (see Figure 45). Existing
conceptual IS architectures often suggest the extension of the ERP data model by
78 From Kerschbaum et al. (2011).
Categories Data Collected Sustainability Indicators
Energy Forms of
energy
Annual
consumption
Energy
costs
Emissions • Carbon productivity
• Product Carbon Footprint
• Percentage of recycled products
• Eco-Efficiency • Transport
intensity • …
Water Annual
consumption
Costs of
water
Effluent
Materials Material used Annual
consumption
Material costs
Waste Hazardous
waste
Recycled
waste
Disposal
costs
Recycling
revenues
Production Production costs Annual sales
6.4 Towards a confidential SBS 217
description rules (process libraries) to derive ecological transformations (Funk et
al., 2009). Against the background of current research and development activities
and the increasing number of software solutions on the market (Butler, 2011), it
seems to be only a question of time before data input cost will no longer be
prohibitively high.
Figure 45: Automating the Data Gathering Process79
6.4.3 Tackling the data heterogeneity and quality problem
Given a wide use of sustainability management applications that are integrated
with ERP systems, the data input problem is still not completely solved. As
sustainability benchmarking is an inter-organizational process, data gathering
from various enterprises is faced with specific challenges (Hoffmann and Busch,
2008). ERP systems integrated with sustainability management systems, in
principle, provide the necessary data. However, getting and making the data
79 From Kerschbaum et al.(2011).
6.4 Towards a confidential SBS 218
comparable and processable across different ERP and different sustainability
management systems requires interoperability, i.e., commonly accepted standards
on different layers. Otherwise, interoperability between applications across
enterprises needs time-consuming agreements on the business process level which
makes data gathering and adaptation very costly.
As mentioned above, current methodologies such as LCA or Carbon Footprint
demand a cradle-to-grave perspective. Therefore, the environmental impacts of
the upstream value chain must be determined, too. Today, the missing
sustainability data in the ERP systems (e.g., environmental impacts of the in-use
and end-of-life phases) has to be entered manually. Alternatively, they are either
replenished through external publicly available data sources like governmental
statistical inventories, e.g., US Environmental Protection Agency or the ELCD
core data base of the European Commission (European Comission, 2011). These
data sets usually rely on “typical” descriptions of material and energy flows that
are often not up-to-date and rather estimated than measured (Chatterji and Toffel,
2010).
As previously shown, ERP on-demand systems provide a promising solution to
the data heterogeneity problem. If sustainability management applications are
integrated with such an internet-based ERP software service, the data basis for
sustainability benchmarks could be unified and all ERP on-demand customer data
would be comparable. Assuming that ERP customers give access to their data, the
use of the same ERP software service would widely solve the data heterogeneity
problem. Such ERP on-demand applications have yet a low market share (Benlian
et al., 2009). However, the ERP market leaders SAP and Oracle meanwhile
provide their own ERP on-demand solutions and the platform integration model,
in particular, is seen as an auspicious business model.
According to previous system dynamic model, sustainability management
applications as independent software services are also an alternative to the
platform approach. On-demand providers could specialize in offering standardized
interfaces to a plethora of different ERP systems and sustainability management
information systems. Even though they are likely to gain a considerable market
6.4 Towards a confidential SBS 219
share, enabling sustainability benchmarks by using the least common denominator
between different applications comes with the price of quality-losses: As the
functionalities and semantic of different ERP systems differs, cost-intensive
adaptations and compromises seem to be inevitable. However, recent market
forecasts indicate that ERP on-demand platforms will establish on the market
(Gartner Research, 2014) and, in this way, the data heterogeneity problem for
sustainability benchmarking will be increasingly manageable for enterprises.
Matthews and Lave (2003) point out that sustainability benchmarking also
exhibits a considerable data quality problem. As soon as the data capturing for
several enterprises is automated though, the data reliability of sustainability
benchmarking is very likely to increase. This is because any data manipulation is
a serious intervention in automated processes. Consequently, the resultant costs of
data manipulation significantly rise compared to a world where excel spreadsheets
are exchanged.
Hereafter, one more obstacle for sustainability benchmarking will be illustrated.
6.4.4 Unsolved information-sharing problem
When it comes to exchanging sensitive data across enterprises, mistrust and fear
for opportunistic behavior hinder collaboration. Research on inter-organizational
systems shows how reserved and cautious enterprises are still today when it
comes to the exchange of sensitive data (Kumar and Diesel, 1996; Saunders et al.,
2004). In order to track inter-organizational data in a reasonable granularity and
precision for holistic sustainability assessments, a collaborative exchange of
sensitive data like environmental impacts and sustainability indicators is
necessary (Elliot, 2011). Enterprises will view sustainability benchmarking very
critically, since competitors could simply imitate best practices or communicate
superior performance to customers (Brewer and Speh, 2001; Hervani et al., 2005).
Apart from competitors, enterprises also regularly do not trust their supply chain
partners and third parties (Saunders et al., 2004) and could, therefore, also fear
opportunistic behavior of their partners.
6.4 Towards a confidential SBS 220
There are a number of techniques in computer science to share sensitive and
private data in a confidential manner. The underlying assumption is that trust in
organizations and people can be substituted through trust in a security mechanism
(cp. (Anderson and Needham, 1995). First, there are anonymization and
randomization techniques, such as k-anonymity (Samarati and Sweeney, 1998)
and l-diversity (Machanavajjhala et al., 2007), which remove or blur information
so that it is no longer identifiable. Such techniques lower the accuracy and utility
of the data in favor of privacy (Brickell and Shmatikov, 2008) and clearly prevent
applications such as competitive benchmarking for supplier evaluation and
selection. When using input randomization it is not clear whether the necessary
accuracy even for an average computation can be achieved using reasonable client
population sizes (Bohli et al., 2010). Furthermore, most attempts at anonymizing
data have been later broken (e.g., Narayanan and Shmatikov, 2009).
Secondly, cryptography developed secure multi-party computation (SMC) (Ben-
Or et al., 1988; Goldreich et al., 1987; Yao, 1986). SMC substitutes computation
with a trusted third party by an interactive protocol which achieves the same
security properties as the fully trusted third party. An interactive protocol requires
the simultaneous on-line availability of all parties, including all client enterprises,
for each computation which is likely infeasible in our ERP outsourcing scenario,
since the probability of all parties being available is negligible in the number of
parties. We therefore leverage homomorphic encryption which allows non-
interactive computations on the plaintext using the cipher-texts only. Recently,
fully homomorphic encryption, which enables any computation on the plaintext,
has been introduced by Gentry (Gentry, 2009), but is currently still too inefficient
for practical application (Gentry and Halevi, 2011; Liu et al., 2010b).
Thirdly, trusted computing (Anderson, 2011) can be used to verify a computer's
software integrity. It has been designed to protect digital rights on personal
computers and its application to secure remote services is not yet clear.
Furthermore, it cannot verify a computer's hardware integrity which always
remains under the control of the service provider.
6.5 Design of a confidential SBS 221
The subsequent parts of this chapter will introduce a solution for a sustainability
benchmarking service (SBS) addressing the lack of trust for information sharing.
For this, only additively homomorphic encryption will be extended (e.g., Paillier),
which is limited to plaintext addition in order to implement all necessary
benchmarking functionality, including comparison.
6.5 Design of a confidential SBS
The secure sustainability benchmarking service (SBS) is a software-as-a-service
that integrates the sustainability data from multiple on-demand or on-premise ERP
applications and provides the business user with the three types of benchmarking:
benchmarking as aggregation, generic benchmarking, and competitive
benchmarking for supplier evaluation and selection.
1) Benchmarking as aggregation of data along the supply chain: To assess the sustainability performance of products or processes adequately, a comprehensive approach, such as LCA or Carbon Footprint, is desirable. This means, the value of LCA increases with the integrity of data collected from actors involved in the production process. If sufficient supply chain partners participate in the SBS, we then can compute and compare aggregated indicators for the entire supply chain or the final product item (Hoffmann and Busch, 2008).
2) Second, generic benchmarking is considered where a market actor compares its performance to its direct competitors (Spendolini, 1992). Using generic benchmarking, an actor can compare its performance, determine improvement potential, and initiate measures to close the gap to the competition.
3) As supplier selection also plays an important role in the greening of a supply chain, also competitive benchmarking for supplier evaluation and selection will be implemented, which provides a comparative overview over several market actors (Sarkis and Talluri, 2002).
We refer to an actor as an enterprise either represented by an ERP system
providing the necessary input or a business user accessing the sustainability
benchmarking reports.
6.5 Design of a confidential SBS 222
6.5.1 Benchmarking types
The SBS must provide all three benchmarking types on the input data to enable
business users to compare and improve their performance. These functions must
respect the confidentiality requirements of the actors, but also implement the
benefit of collaboration for the actors. In the remainder of the subsequent section,
the implementation of the benchmarking types is presented in detail, since we
need to later reconciliate them with the confidentiality objectives.
Benchmarking as aggregation.Consider the example of Carbon Footprint where
the carbon emissions broken down to product items need to be aggregated along
the supply chain. Assume we have collected the sustainability data of all actors of
an entire supply chain. We can compute aggregated data for specific products. Let
xi,j be a sustainability indicator, e.g., Carbon Footprint, for an item of product i at
actor j. From the meta-data, i.e., the bill of material, we can recursively compute
an aggregate indicator yi,j. Let k ∈M(xi,j) be the materials, ak,i be the number of
units and Sj(k) be the supplier of k to actor j. Then if follows
.)(
)(,,,,,
∑∈
+=ji
jxMk
kSkikjiji yaxy
Aggregate indicators can be input to generic or competitive benchmarking.
Nevertheless, they require information from the entire supply chain as only
available in ERP systems.
Generic Benchmarking.In generic benchmarking, an actor j compares its
indicator xi,j to its peers. Peers are loosely formed groups of competitors offering
substitutable goods. Generic benchmarking can be used to judge one’s absolute
position for an indicator. It allows determining improvement potentials by
analyzing the absolute gap to the competition (Spendolini, 1992).
Due to data confidentiality requirements of the actors, the SBS cannot disclose
any actor-specific indicators. Instead, the SBS computes statistics about the peer
group and distributes these. Good candidates for a secure implementation are the
6.5 Design of a confidential SBS 223
mean μ and the variance σ². Let i ∈ P be the set of products in a peer group and
S’(i) be the set of suppliers for product i. Then μ and σ² can be computed as:
∑ ∑∈ ∈
∈
=Pi iSj
ji
Pi
xiS )('
,
)('
1
µ ( )∑ ∑
∈ ∈
∈
−−
=Pi iSj
ji
Pi
xiS )('
2,
2
1)('
1 µσ
All statistics are published anonymously, i.e., except the peer group, no individual
identifiers are attached to the data.
Competitive Benchmarking for Supplier Evaluation and
Selection.Competitive benchmarking can be used for supplier selection (Sarkis
and Talluri, 2002). The evaluation of suppliers will usually not only base on
sustainability criteria but also on traditional indicators, such as service levels,
prices, and responsiveness. Therefore, the supplier selection represents a multi-
attributive decision-making problem which requires a ranking of actors using
weighted indicators. A wide range of powerful decision-making approaches has
been proposed, e.g., Analytic Hierarchy Process or Data Envelopment Analysis
(Ho et al., 2010) which are also applied in sustainability performance
measurement and life cycle assessment (Pineda-Henson et al., 2002; Zhou et al.,
2008). Such a required weighted indicator zi,j is similar to an aggregated indicator.
The weights are public, such that all actors are aware of the scoring mechanism.
We chose fixed weights, since user-set weights may allow inferences about the
indicators. While user-set weights per se are not a problem – as long as they are
fixed –, the user’s choices must be rate-limited, i.e., he must be restricted to
perform at most a fixed number of weight updates per period. Balancing the rate
of updates and the implied inferences about private indicators is very delicate and
in order to avoid this issue we chose fixed, public weights.
Let wy be the weight for indicator y and Y be set of indicators. Then we obtain
.,∑∈
=Yy
jiyj ywz
6.5 Design of a confidential SBS 224
The result of the competitive benchmarking is a ranking of actors from best to
worst, i.e., it is not anonymous. Instead, no numerical data except the rank is
released.
6.5.2 Security objectives
A necessary objective of the SBS is to provide security of the sustainability
indicators (despite providing the types of benchmarking reports). As seen in
Section 6.4.3 it is required for the uptake of benchmarking by the market. The
main security objective is confidentiality of the indicators, i.e., no party other than
the source of the indicator should be able to learn its value. For this, two distinct
confidentiality objectives have to be distinguished:
Confidentiality During Processing. The SBS itself should not learn the indicator
values when computing the benchmarking reports. Instead, it should remain
oblivious to the values. The SBS should not be entrusted with the indicator values.
First, the actors may not trust the SBS provider to use the indicators for different
purposes than intended. Second, the SBS may not want to carry the burden of
securing such sensitive data. The collected storage may make the SBS an
attractive target for hackers. Third, if the SBS can be implemented adhering to
these security objectives, there is no reason not to do so. Nevertheless, trust the
SBS not to collaborate with individual actors on espionage of competitors.
Confidentiality Given Results.While confidentiality against the SBS is
necessary, it is not sufficient. Even given the results of the benchmarking reports,
the actors should not be able to discern additional information about another
actor’s indicator values. While this is not critical for competitive benchmarking,
which only releases the ranking of the actors, this can be difficult in generic
benchmarking where the actors learn statistics about the indicator values. These
statistics should disclose only limited information about a specific actor’s
indicator. The features and benefits of the SBS are summarized in Table 14.
6.5 Design of a confidential SBS 225
Table 14: Features and Benefits of SBS
SBS Features Benefits
Confidentiality During
Processing • No trust in service provider necessary • Simplified data management at service provider
Confidentiality Given Results • Collaborative Benchmarking functionality • Controlled leakage to competitors
6.5.3 Implementation
The implementation of the security objectives of the SBS uses two mechanisms:
(1) homomorphic encryption and (2) differential privacy. The choice can be
explained as follows. There are essentially two methods for providing
confidentiality during processing: homomorphic encryption and SMC.
Homomorphic encryption has the advantage that the computation can be
performed non-interactively as opposed to an interactive protocol. This allows us
to maintain the usual service communication pattern of submitting input and then
receiving the result. Among all methods to provide confidentiality given results,
differential privacy is the first that is independent of the previous knowledge of
the adversary. This allows us to design the SBS without making any assumption
about the knowledge of actors about each other’s indicators. Each indicator is
stored encrypted at the SBS. The data are processed in encrypted form computing
the three types of benchmarking reports. Subsequently, the results will be
prepared using differential privacy, if needed.
Homomorphic Encryption.Homomorphic encryption is an encryption technique
that allows certain operations on the cipher-texts mapping to homomorphic
operations on the plaintexts. Specifically, we use Paillier’s encryption scheme
(Paillier). Paillier’s encryption scheme allows the addition (modulo a key-
dependent constant) of plaintexts using the cipher-texts only. Let E(x) denote the
encryption of plaintext x and D(c) the decryption of cipher-text c. Then we can
compute:
.))()(( yxyExED +=⋅
6.5 Design of a confidential SBS 226
With simple arithmetic the following formula can be derived
yxxED y ⋅=))((
Paillier’s encryption scheme has several other interesting properties. First, it is a
public-key scheme, i.e., one can encrypt without being able to decrypt. Second, it
is proven secure against chosen plaintext attacks. Loosely speaking, an adversary
cannot distinguish any two cipher-texts, even if he knows the plain-texts. Third, it
can be implemented reasonably efficiently. Its performance is comparable to the
popular RSA encryption scheme.
Key Management.Key Management is critical for any encryption scheme. We
share the public key among all actors and the SBS, i.e., every party can encrypt
and perform homomorphic operations on the cipher-texts. We then offer two
choices for managing the private key. In the simple case each actor has access to
the same private key. Of course, this private key needs to be safeguarded, e.g., by
safely embedding it in the software. In the complex case, the key is shared among
several participants. We can use Damgård and Jurik’s variant of Paillier’s
encryption scheme (Damgård and Jurik, 2001) in order to facilitate the decryption
process without reconstructing the key first. It is a threshold scheme, i.e., any t out
of n actors can jointly decrypt a ciphertext.
Differential privacy.Differential privacy is a technique for protecting against
leakages from results of statistical functions (Dwork, 2006). It guarantees that the
difference in the probability of an output between two data sets differing in just
one element is at most a factor of eε. Then, the probability of successfully
deciding whether an actor’s data is in the set or becomes not negligible in ε. One
can achieve ε-differential privacy in any statistical function f by adding Laplacian
noise proportional to maximum difference ∆f any element can cause in the result.
An ε-differential private function f’ is then
,)()()(' εfLapxfxf ∆+=
6.5 Design of a confidential SBS 227
WhereLap(∆f/ε) is drawn from the symmetric exponential distribution with
standard deviation ∆f/ε.
Determining the impact on utility of differential privacy is multi-faceted. First, the
usefulness of the results depends on the usage of the results which can only be
assessed in a particular application context. Second, there are a number of
parameters that influence the distribution of random noise. There is the parameter
∆f which is computed as the fraction of the size of the domain of the indicators
over the number of peers in the group. Then one can also choose the privacy
parameter ε. This choice should be made according to the sensitivity of the
indicators. Using this parameter, we can provide exemplary calculations: For an
indicator domain size of 16 bits (indicator values ranging between 0 and 65535), a
peer group size of 50 and a privacy parameter of ε = 0.33, the random noise is in
the range [-6392, 6392] (less than 19,5% deviation from the expected mean) with
80% probability and in the range [-9144, 9144] (less than 27,9% deviation from
the expected mean) with 90% probability.
System architecture.Our SBS operates non-interactively on the encrypted input
by the ERP systems of the actors. It then computes the benchmarking reports on
this encrypted data and reports the results to the business users of the actors, i.e.,
our SBS has never access to the unencrypted sustainability data. Information
sharing across the supply chain – either on the product or item level – is
accomplished via ciphertexts encrypted under the same public key. The SBS can
aggregate these ciphertexts without granting the actors access to these
cipheretexts, but only the aggregated indicators. Any indicator value never leaves
an actor-controlled ERP system (be it on-demand or on-premise) in plaintext. The
actors can therefore be ensured that their data are not abused and the SBS provider
may not need to implement certain additional safeguards, such as file system or
hard disk encryption, for this data – presuming customer acceptance. A picture of
this system architecture is shown in Figure 46. Next, we describe how we can
implement the benchmarking report computation on encrypted data.
6.5 Design of a confidential SBS 228
Figure 46: SBS system architecture
Aggregation.We can now describe our implementation of the three benchmarking
types while meeting the confidentiality objectives using homomorphic encryption
and differential privacy. For the ease of the exposition we use a different
denotation of the indices in this section. Let xi be indicators stored at the SBS.
Recall that each indicator is stored encrypted as E(xi). Let wi be the weights for
each indicator. We can then compute an aggregated indicator y as
( ).)()( ∏ ∑ ⋅== iiw
i xwExEyE i
The same computation can be used for weighted indicators in competitive
benchmarking. Note that the result is encrypted and can only be used as such in
further processing.
Statistics.We first consider the generic benchmarking. For computing the mean µ,
we emphasize that the number n of actors in a peer group is known from
competitive benchmarking where a ranking is computed. So we can compute the
product-sum nµ instead. Furthermore, we now need to take care of differential
privacy, since we need to protect against inferences from the statistical quantity
itself. We therefore choose a random noise. Let d = max(xi) – min(xi) be the
domain-size of the indicators. Then we compute
( ) ( ).)()()()( ∏ ∑ +== εεµ dLapxExEdLapEnE ii
6.5 Design of a confidential SBS 229
The result of this computation can be sent to the actors where it is decrypted, i.e.,
the SBS never learns the results of its computations. It only stores the data,
performs the computation and provides the (encrypted) results to the actors. We
can perform a similar computation for the variance. We first note that the variance
can be computed from the power sums
( )2
222
nxxn ii∑ ∑−
=σ
We note that the actor has already received E(nµ) and knows n. We therefore need
to only send the (ε-differential private and encrypted) second power sum S2. We
store the (encrypted) square xi2 for each indicator xi at the SBS and compute
( ) ( )∏ ∑ +== )()()()( 22222 εε dLapxExEdLapESE ii
The (encrypted) second order moment is sent to the actor which can decrypt it and
compute the variance. The (encrypted) square can be submitted to the SBS along
with the encrypted indicators. The SBS maintains them in the same database of
ciphertexts.
Comparison.For competitive benchmarking we need to compare encrypted
(weighted) indicators. This is challenging, since additively homomorphic
encryption, such as Paillier’s encryption, does not directly support this operation.
Instead, we can use the technique of (Kerschbaum et al., 2009), which operates on
such data directly. It leaks information proportional to the bit length of the
plaintext, but nothing else. It works as follows: Choose a large random number r
> 0 (at least three times the bit length of d). Then choose a second random
number r’, such that 0 ≤ r’ < r. Given two indicators xi and xj we compute a
comparison operand c as
( ) ( )')()'()()()( 1 rxxrErExExEcE jir
ji +−=⋅= −
6.6 Analysis and evaluation 230
This comparison operand c can now be sent to an actor which decrypts it. It holds
that
,0 ji xxc <⇔<
but reveals nothing else about xi or xj. Using this comparison operation we can
implement a ranking of actors. Let xi(1 ≤ i ≤ n) be the set of (weighted) indicators
of the peer group. Then we compute a comparison operand cij for each pair xi and
xj(1 ≤ j ≤ n). Note that if cij ≥ 0 and cji ≥ 0, then xi = xj. We sent all comparison
operands to the actor for decryption, which can then compute the ranking.
6.6 Analysis and evaluation
All security objectives of the SBS are met and the computation of the three
benchmarking types succeeds. Regarding confidentiality during processing, it can
be noted that all stored and processed indicators by the SBS are encrypted. They
are submitted to the SBS as ciphertexts and later processed. Regarding
confidentiality given results, one can note that all revealed numerical values are ε-
differential private. The actors only learn ε-differential private statistics in generic
benchmarking and secure comparison operators in competitive benchmarking. In
summary, both security objectives are met by the SBS.
Performance.Performance remains a critical aspect for encrypted computations.
A single arithmetic operation in fully homomorphic encryption can take up to an
hour (Gentry and Halevi, 2011; Liu et al., 2010b), rendering enterprise-size
computations infeasible. This approach therefore uses only partially homomorphic
encryption, which has performance comparable to regular public-key
cryptography. Nevertheless, measurements are necessary in order to size the
computational resources. Furthermore, although many of our computations can be
performed off-line, some are tied to user interaction, such as decryption.
Additionally, benchmarking information is supposed to be available for a
proactive sustainability management at the time when decisions are made
(Matthews and Lave, 2003). Beside the customers, an SBS provider also has a
6.6 Analysis and evaluation 231
strong interest in keeping computing time as low as possible: the less computing
time needed, the lower the capital costs of computing. The performance of
operations is therefore critical for market acceptance of the SBS.
A benchmark of a prototypical implementation of the SBS is provided. The use
case is considered for one single indicator which may be either for a single
product or a single item and also may be either computed cross-company or intra-
company. The system scales linearly with the number of such indicators only. We
focus on the most performance-critical operation of competitive benchmarking.
We distinguish three phases: weighted indicator preparation, comparison operand
computation, and decryption. Weighted indicator preparation and comparison
operand computation are performed off-line by the SBS provider while decryption
is performed by each actor on-line. We can solely focus on the computational
performance, since our entire SBS operates non-interactively. The encrypted
indicators are submitted and – either on request or off-line – the benchmarking
reports are computed, i.e., the computational performance is the decisive factor for
our SBS.
All computations were performed single-threaded on a 2.4 GHz Intel Xeon
processor with 64 GB of memory. Java SDK 1.6 was used. We report the mean
and 99% confidence interval of 20 experiments. We used a 1024-bit RSA key for
the encryption. We depict the runtime in seconds of each of the three operations in
Table 4. Weighted indicator preparation (Aggregation) grows linearly with the
number of input indicators while the comparison operand computation
(Comparison) and decryption (Decryption) grow quadratically with the number of
actors in the peer group.
We can compare our performance results to fully homomorphic encryption and to
some extent to standard public-key encryption. For a peer group size of n and a bit
length l of the indicators, we need roughly 5l(n-1) gates for aggregation (without
any weights) and 5l(n log2 n) gates for comparison. We obtain circuit sizes for
n=10 (our smallest peer group size) and l=32 bits of 1440 gates and 12800 gates,
respectively. Using the implementation results of Gentry and Halevi (2010) for a
realistic key size of 32768 and assuming 30 gates per re-encryption operation, we
6.7 Discussion 232
can estimate the performance of fully homomorphic encryption to be roughly 24
hours for aggregation and 220 hours for comparison, respectively. Compared to
our results measured in seconds, this is a factor of more than 50.000. Standard
public-key encryption cannot implement aggregation or comparison, so we can
only compare decryption. Decrypting a single value in the homomorphic
encryption scheme takes approximately 0.024 seconds. Decrypting a single value
in standard RSA encryption with the same key length takes approximately 0.0045
seconds. This small factor of 5 is not surprising, since both encryption schemes
use the same key generation algorithm, but homomorphic encryption operates in
the double field size.
Table 15: Performance results in seconds
Peer
Group
Size
Aggregation Comparison Decryption
Mean 99% CI Mean 99% CI Mean 99% CI
10 0.47 ±0.003 11.19 ±0.043 2.16 ±0.003
20 0.94 ±0.003 47.10 ±0.033 9.10 ±0.005
30 1.42 ±0.005 107.82 ±0.112 20.83 ±0.005
40 1.89 ±0.005 193.14 ±0.137 37.35 ±0.006
50 2.36 ±0.006 303.21 ±0.180 58.65 ±0.008
6.7 Discussion
The starting point of this exploration has been the observation that sustainability
measurement and management is increasingly used to improve not only
sustainability but also productivity. As the automation of the data capturing
process is the necessary condition in order to overcome today’s expensive manual
data gathering, IS research comprehensively addressed this so-called data input
problem of sustainability benchmarking. Concretely, the focus has so far been on
the integration of sustainability management information systems and ERP
6.7 Discussion 233
systems within an enterprise. As have shown in the previous parts of the chapter, a
wide use of sustainability applications integrated with ERP systems at enterprise
level is likely to improve the quantity and availability of digital environmental
data.
However, the data input problem is still not completely solved: sustainability
benchmarking as a more and more inter-organizational process requires data
gathering from various enterprises. Thus, getting and making the data comparable
and processable across different ERP and different sustainability management
systems is very costly. This chapter has argued that a sustainability benchmarking
service integrated in an ERPon-demand platform can overcome this data
heterogeneity problem. The second part of this chapter has identified an additional
information-sharing problem as part of the inter-organizational data input problem
and has finally proposed a secure sustainability benchmarking service (SBS) as
solution.
The research contribution of this chapter is twofold: it has identified an inter-
organizational dimension of the data input problem as a yet underrepresented
research area. In spite of its importance for sustainability benchmarking, there has
been only little research into this question so far. Sustainability benchmarking as a
management tool aims to identify sustainability performance gaps between
business objects for facilitating continuous improvement and organizational
learning. All three sustainability benchmarking types that have been discussed –
benchmarking as aggregation of data along the supply chain, generic, and
competitive benchmarking – are based on real and precise data for the first time –
instead of rough estimates or obscure reference enterprises usually used.
Consequently, the validity of aggregated indicators such as LCA or Carbon
Footprint for the entire supply chain or the final product item is supposed to
significantly increase.
Besides the data heterogeneity problem, this chapter has also identified and
analyzed an information-sharing problem. This is likely to prevent a wide use of
sustainability benchmarking – even if the data heterogeneity problem is solved.
Based on a discussion about several techniques in computer science to exchange
6.7 Discussion 234
sensitive data in a confidential manner, this crucial hurdle for inter-organizational
sustainability benchmarking services have been tackled by developing a secure
sustainability benchmarking service (SBS). It uses homomorphic encryption to
protect the data during processing and differential privacy to protect against
leakages from the reports. The SBS has been implemented and the measurements
show that the performance is manageable for the business user as well as the
service provider.
The proposed security solution in the scope of an integrated ERP platform
primarily aims to solve the information-sharing problem of sensitive data known,
for instance, from business relationships in supply chains. Using the SBS,
enterprises can give a benchmarking service provider access to the relevant data
without the risk of revealing this sensitive data to other enterprises. Enterprises
then have to trust their provider’s security mechanisms instead of building
trustworthy relationships to the provider over time. However, this chapter not only
sees the security mechanism as a key element for a widespread use of automated
sustainability benchmarking services. Additionally, it could help ERP platform
providers to faster reach the critical mass of customers for utilizing self-
reinforcing effects of an ERP on-demand platform as proposed in the first part of
the chapter.
SBS that are integrated into ERP on-demand platforms are supposed to
significantly decrease the cost of gathering environmental data. So far, however,
as there are several competing platforms and supply chain partners use different
ones, there will remain considerable coordination costs: Ensuring interoperability
between different data formats and semantics of different ERP applications might
even outweigh the cost benefits of the ERP on-demand platforms.
With regard to its practical application, this conceptual SBS supports business
professionals in both discovering and evaluating possible applications in a
systematic way, which extends beyond juxtaposing concrete application
examples. Concretely, an SBS will enable procurement managers to base their
decisions on more accurate (unbiased) environmental data. In this context, we
work on a modified algorithm for applicability of advanced non-parametric
6.8 Concluding remarks 235
benchmarking methods such as DEA (Data Envelopment Analysis, for more
details see Hammerschmidt, 2005).
The holistic cross-organizational assessment of environmental impacts provided
by the SBS may encourage supply chain managers to rethink inventory and
response management: collaborative optimization of sustainability performance of
several actors within the value chain becomes much easier. This might pave the
way for realizing a more sustainable supply chain management. Finally, results
derived by the sustainability benchmarking service may also encourage corporate
sustainability officers or board members in their decision to defend superior
sustainable performance or to make up the gap in case of inferior performance.
6.8 Concluding remarks
Is there a solution to the information-sharing problem in the scope of inter-
organizational sustainability benchmarking? Based on chapter 6’s findings, the
answer to that question is yes: The proposed IT artifact, the secure sustainability
benchmarking service (SBS), integrates ERP sustainability data in a secure and
privacy-preserving manner. It uses homomorphic encryption to protect the data
during processing and differential privacy to protect against leakages from the
reports. The implementation of the SBS and the measurements show that the
performance is manageable for the business user as well as the service provider.
As the underlying assumption is that substituting trust in organizations and people
through trust in a security mechanism, the next attempt in the future is to build a
prototype with industry partners in order to evaluate the SBS in a real
environment. The current study offers a first step toward this goal.
7 Outlook and Conclusion
There are various topics and open research challenges that are out of the
dissertation’s scope. Consequently, this chapter firstly concludes this dissertation
with a summary of the results and contributions. Upon the discussion of the
results, the chapter draws theoretical and managerial implications and, finally
suggests directions for future research.
7.1 Summary and main results
Sustainability is one of the most important challenges for organizations. For
example the growing impacts of climate change affect the global economy highly
unpredictably. Moreover, our interconnected and interdependent world reinforces
the emergence of high-complexity and the exponential pace of change. Today,
organizational decision makers need to learn how to navigate through volatile,
uncertain, complex and ambiguous (VUCA) environments. This
dissertationpresents a “resilience perspective” as a complementary approach to IS
risk and sustainability management, which explicitly recognizes the unpredictable
and turbulent business reality.
Despite the growing spread of resilience across multiple disciplines, a number of
open research issues remain. These encompass conceptual and definitional
vagueness of resilience, a lack of empirical research and a lack of applicable
(organizational) solutions and IS-artifacts to bring resilience into action.
Accordingly, this dissertation project outlined a research agenda at the intersection
of organization science, information systems and computer science. Therefore, the
thesis articulated several research questions and offered novel perspectives to help
address them. Concretely, the investigations undertaken allow answer to the initial
research questions (RQ):
(RQ)1: “How does resilience manifest itself across multiple disciplines?” To
answer this question, Chapter 2 firstly provides a comprehensive literature
review of resilience scholars from different disciplines. Based on these
7.1 Summary and main results 237
observations, a Multidisciplinary Resilience Framework is developed that allows
for a categorization of four generic resilience types based on the two dimension
(1) level of complexity, and (2) degree of normativity.
Based on the aforementioned findings, the thesis has begun to concentrate on the
invistagation of resilience in organizations studies. This lead to the following
research question: RQ2: “How does resilience relate to other organizational
factors? More precisely, what are determinants and antecedents of organizational
resilience”? In order to “untangle the underlying puzzle of organizational
resilience and its related concepts” (Chapter 1, p.9), Chapter 3 has started with a
descriptive bibliographic analysis to identify the current state of the art of
resilience research in organization science. It has been found that organizational
research on resilience lack a common understanding of resilience by applying
very different, and event contrasting definitions of resilience. These findings have
initated the development of an Organizational Resilience Matrix that consists of
two dimensions (1) degree of turbulence, and (2) state of adaption. The result of
the matrix is not limited only to the identification of the four distinct types of
organizational resilience: Prevention and Absorption, Restoration, Strategic
Agility, and Robust Transformation and Renewal. Moreover, the framework
further provides suggestions regarding key actors, design strategies, and attempted
outcome for the corresponding resilience type.
On this basis, the dissertation has attempted to answer RQ3: “How can resilience
be translated to the principles and measurements of organizations and IS?”. To
answer this question, Chapter 4 has established an intial link between resilience
research and the IS research field. Based on prior observations of Chapter 3 and
the resilience engineering literature, the chapter introduces the notion of resilience
management as a complementary approach to prevailing security- and risk
management approaches. This has been followed by an illustration of limitations
of current approaches in IS risk and security management. Moreover, a
comprehensive review of the still immature IS resilience literature has been
concluded with a scientific-programmatic view of the upcoming research
questions in this area. Regarding the measurement issues, Chapter 3 has already
7.1 Summary and main results 238
begun to introduce initial ways to operationalize resilience in an organizational
context, such as the “four resilience factors” and the related “resilience delta”
(Sub-section 3.2.3.1). However, these measures remain on a high-level of
abstraction and faill to explicity address the research question. In contrast, this
dissertation answered this question tentatively by providing a list of concrete
measures for process-oriented resilience detection and assessment. While the list
of metrics and indicators - provided in Chapter 5 -is clearly not exhaustive, it has
allowed for the development of a measurement framework for resilient BPM in
Sub-section 5.3.2. Consequently, this developed measurement approach can be
used as a foundation for the design of resilience management information systems
(RMIS). More concretely, the proposed measurement framework is integrated in
PREDEC, a novel approach for process-oriented resilience management.
These works have provided the basis to tackle the next research challenge: RQ4:
“What are fundamental requirements for resilient BPM design? And what tools
and approaches are applicable to support and enhance IS (respectively BPM)
resilience?” Chapter 5 not only surveyed past research efforts regarding the
design of RMIS but also presented“Process-Centered Resilience Detection“
(PREDEC), a detective framework to assert the resilience of business process-
based management (BPM) systems. PREDEC has captured functional and non-
functional requirements for operational resilienice support in the phases of
detection and diagnosis. This encompasses requirements regarding event-logs,
elicitation techniques, and analytical tools for detecting and assessing resilience of
business-processes. Moreover, in order to validate the feasibility of PREDEC, a
case study has been carried out to quantify the resilience of workflows based on
timely and accurate estimations of completing times. The proposed IT artifact has
shown that an automated assessment tool for BPM resilience can support decision
makers along the whole operational resilience management cycle in multiple
ways: for instance, the quick and accurate provision of information enhances both,
the resourcefulness and rapidity of an information system. Moreover, the
proposed method enables process engineers to re-calibrate and re-design of given
workflows in a more cost-efficient and target-oriented manner.
7.1 Summary and main results 239
While the previous research questions focused on resilience and decision support
within the boundaries of an organization, the last research challenge has addressed
the applicability of IS for inter-organizational decision-support. Hence, Chapter 6
has attempted to answer the following question: RQ5a: “What is the economic
rationale for organizations to participate in sustainability benchmarking?”
Accordingly, the last chapter has thouroughfully surveyd the problem-domain of
Green IS and sustainability benchmarking in particular. Moreover, a system-
dynamics-model has been developed to analyze economic incentives for those
enterprises that rely on ERP on-demand solutions to participate in sustainability
benchmarking (SBM). Based on the results of the model, a number of positive
feedback-loops have been identified, which explain and substantiate how SBM (1)
can contribute to the success of ERP-on-demand platforms, and (2) how service
users can take advantage of cross-organizational comparisons.
However, despite multiple benefits related to SBM for organizations, significant
data input and information-sharing problems remain, leading to the additional
research question RQ5b: “What are functional and security objectives to make
confidential information-exchange feasible?”Accordingly, the sixth chapter has
first identified the data input problem and its relevance by screening the literature.
This has been followed by an analysis of prevailing solutions to this problem. In
order to address the research question, this disseration has further presented
another IT artifact, namely a secure sustainability benchmarking service (SBS) to
overcome the information-sharing problem. A hybrid model based on
homomorphic encryption and differential privacy constitutes the SBS. The chapter
has derived functional and security objectives for the SBS in order to develop the
corresponding method with an instantiation. Security has been evaluated by using
theoretical, rigorous cryptographic proofs: The proposed method is secure as the
underlying encryption system is secure and Paillier’s encryption is provably
secure if the decisional composite residuosity assumption holds.In addition, the
performance has been evulated via measuring a prototypical implementation. For
this, the statistically sound methodology of (Georges et al., 2007) has been
applied.Then,functionality has been evaluated by comparing the SBS with non-
secure benchmarking initiatives (e.g., SAP, 2011). Finally, the chapter discusses
7.2 Implications for future research 240
the proposed solution and highlights implications for business practice and further
research.
7.2 Implications for future research
Verehrtes Publikum, jetzt kein Verdruß Wir wissen wohl, das ist kein rechter
Schluß. [...]
Wir stehen selbst enttäuscht und seh‘n betroffen
Den Vorhang zu und alle Fragen offen“
(Brecht, 1964)80.
“You're thinking, aren't you, that this is no right;
Conclusion to the play you've seen tonight?
[...] We feel deflated too. We too are nettled
To see the curtain down and nothing settled.”
(Brecht and Bentley, 2007)
In contrast to the introductory quote from the play “The Good Person of
Szechwan” by Berthold Brecht, several research issues of this dissertation can be
declared as “settled”. The previous section presented a summary of the identified
research problems and this dissertation’s main contributions spanning conceptual
perspectives, research methods and prototypical implementations of resilience and
sustainability management. However, there remain a number of unanswered
questions and challengesthat are out of this dissertation’s scope. Some of this
limitations and open questions will be discussed in this section.
This dissertation developed the Multidisciplinary Resilience Framework as a tool
for translation and communication between stakeholders with different
professions and scientificresearch background. The derived four resilience
categories will allow participants to ask questions about how the other participants
see the level of complexity or predictability of the system(s) they are trying to
deal with. The framework will also help them discuss how they see the role of
80From “Der gute Mensch von Sezuan“
7.2 Implications for future research 241
shared norms. A discussion of the four resilience types will further identify shared
or differing goals (e.g., bounce back or bounce forward).
However, the development of the Multidisciplinary Framework opens up many
questions for policy makers and researchers:For example, once the similarities and
differences have been identified the next steps are to make clear what the goal is
in each case, how success will be judged (or measured), and how (or if) the
“lessons learned” in one place can be transferred into another place or knowledge
domain. Does the system have to be maintained as it is or should it be capable of
adaptation? How will that adaptation be judged? Can the adaptation be designed
in advance or will it have to emerge from the conditions that are presented? Once
these questions are answered the group can narrow down its search for definitions
and mechanisms that are found in similar systems to the Resilience Type they are
dealing with.
There is certainly the possibility that a particular problem (either for research or
practical purposes) will involve multiple types of resilience. In those cases the role
of translators becomes critical as stakeholders with different perspectives attempt
to work in consort toward resilience. If the resilience of one (sub-)system requires
the rules of the other to be ignored for a time how does that get decided and by
whom? If action by one or both is called for in response to some danger (or
opportunity) does this require the measurement of something that they measure
differently? This does not require that the two systems (or disciplines or
organizations) respect each other’s methods but it does require agreement on the
goals and a mutual understanding with respect to terminologies.
It seems obvious that the need to find ways to make “things” bounce back will
only continue to grow. The groups who come together to deal with these issues
will only become more diverse. The Multidisciplinary Framework proposed here
allows researchers and practitioners from various disciplines and/or economic
sectors to communicate and concentrate their efforts on specific types for
resilience goals by allowing broad definitions where that is possible and
identifying where specific definitions are necessary to deal with the issues at hand.
The words used to designate these efforts will undoubtedly adapt, splinter into
7.2 Implications for future research 242
subgroups, and go in and out of fashion. Translation and translators will only
become more important.
Nonetheless, Chapter 3 of this dissertation raised the assertion, that there
existsdisagreement on the understanding of resilience even within a scientific
domain such as organizational science. The identified knowledge gaps, critical
appraisals and inconsistencies within organizational resilience may help
counteract the construct proliferation that has become apparent within the domain.
Moreover, the organizational resilience framework presented is one solution to
advance a clear method to help distinguish the specific context for the application
of resilience principles in different organizational contexts. However, since the
proposed tool presents primarily conceptual and exploratory contributions, it
needs toproceed further empirical research to validate the suggested framework.
For this, the proposed organizational resilience types pave the way for the
selection of appropriate operationalizations and measurements: For instance,
indicators for outcomes of defensive/reactive resilience types such as “robustness”
and “recovery” are available for different contexts. The future research challenge
is to link them to an explanatory framework that considers antecedents and other
determinants such as in (Jüttner et al., 2010; McCann et al., 2009; McDonald,
2006). But as the descriptive analysis indicated, a more rigorous consideration of
contextual factors is required for both, conceptual as well as empirical studies.
Hence, in the future, fruitful insights are too expected by a deeper investigation
into the role of unique contextual settings, such as the comparative studies of
resilience frameworks between different organization types (business vs. non-
profit, service vs. industrial, etc.). Such new directions in organizational resilience
will help to untangle the underlying puzzle of resilience and its related concepts
such as vulnerability and adaptability.
This dissertation introduced Resilience Management Information Systems (RMIS)
and an operational resilience management cycle as novel approaches to support
decision makers for managing operational resilience. Chapter 4 sets a research
agenda for IS resilience by introducing a number of research challenges. The
chapter further argued that business process management (BPM) provides a lot of
7.2 Implications for future research 243
opportunities for future resilience research. For instance, the literature review has
shown that prevailing works still lack empirical validation, concrete
implementation guidelines, as well as artifacts to support the implementation of
resilience in IS. As a consequence, concrete measures are mostly missing, leading
to inefficient or even misleading resilience strategies. Therefore, Chapter 5 has
introduced “Process-Centered Resilience Detection“ (PREDEC) as a detective
framework for the assertion of resilience of BPM systems. Based on log-data,
generated from business process model executions, and the resilience
requirements derived from operational resilience objectives, resilience measures
are automatically generated. As shown in the case study, either quantitatively
(e.g., transactions per hour, number of activities executed in parallel, total number
of activities) or qualitative (e.g., High, Medium, and Low) susceptibility values
respective resilience indicators are extracted and assigned with the help of the
elicitation techniques for business processes and associated resources. With this
input data at hand for each resource, a business process-wide resilience value is
calculated. Certainly, there are techniques and formal foundations available that
can, when assembled, provide for resilience mechanisms at the level of BPM.
However, the current state-of -art does not offer corresponding mechanisms yet.
One extension refers to the possibility to merge detection approaches with
techniques to analyze sociometric data. Techniques to analyze sociometric data,
i.e., social networks, build on the techniques of social network analysis (SNA).
SNA refers to the collection of methods, techniques and tools aiming at the
analysis of social networks. These are based on the methods and techniques of
graph theory and have been subject to research for decades, e.g., by (Scott, 1991;
Wasserman and Faust, 1994). The suitability of social network detection and
analysis in order to discover information flows within organizations has been
subject to extensive research. Discovery of social network by analysis of e-mail
interaction has been examined by, e.g., (Fisher and Dourish, 2004)(Ogata et al.,
2001). Diesner et al. examine organizational crises from a social network analysis
perspective based on analysis of communication flow via e-mail (Diesner et al.,
2005). In (Fischbach et al., 2009), the authors present an approach to discover
social networks from employees’ interactions by tracking these interactions via
7.2 Implications for future research 244
wearable sensors. Van der Aalst and Song introduced an approach to discover
social networks from event logs (Reijers et al., 2005).
However, while the suitability of network analysis techniques for resilience
detection has been addressed, e.g., in the fields of social-ecological systems
(Janssen et al., 2006) or computer networks (Sterbenz et al., 2011), the
implications of social structures with regard to the resilience of business processes
have not been considered by research yet.
In order to constitute suitable tools to support resilience detection in process-
centered information infrastructures, the techniques of SNA have to be able to
assess subjects’ positions within the social network with respect to actual process
executions and resilience measures. The SNA techniques for resilience detection
envisaged for the realization of PREDEC could built on centrality measures and
measures based on co-worker ship and event types, e.g., (Reijers et al., 2005).
Calculation of resilience measures such as, e.g., capacity measures or
interdependence measures, such as “Organizational Interfaces” (cf. Table 10), can
be supported by SNA techniques. For example, betweenness analyses of social
networks can support detection of bottlenecks while SNA metrics custom crafted
for social networks elicited from event logs, such as handover of work metrics
(Reijers et al., 2005), can support calculation of interdependence measures.
Hence, techniques of social network analysis are well suited for enhancing
resilience detection with PREDEC. Moreover, SNA results can lucidly be
visualized by tools like, e.g., (Borgatti et al., 2002), in order to provide decision
makers with intuitive insight into resilience measures.
More limitations and future research areas refer to the aforementioned resilience
management cycle: Although the cycle is based on related work it has not been
explored empirically yet. Future studies may conduct surveys or carry out case
studies to evaluate the robustness of the proposed model. Since the management
cycle also captures the establishment of maturity levels and “resilience culture”,
such studies would benefit fromlongitudinal design to explore the evolution of
operational resilience levels over the time. Furthermore, the management cycle
basically suggest the recognition of four distinct phases for operational resilience
7.2 Implications for future research 245
support. However, this thesis only focuses on the first two stages (i) Detection and
(ii) Diagnosis and Evaluation. The attempt to complete the management cycle by
incorporating (iii) Treatment and Recovery, as well as, (iv) Escalation and
Instutionalization offers a number of research opportunities. For instance, future
work could elaborate to which extent recent approaches for automated corrections
(such as introduced by Fenz et al. (2013)) and for knowledge enrichment (such as
in Fenz and Ekelhart (2009)) are applicable.
The subject of the last chapter has been the integration of a sustainability
benchmarking application into an ERP-on-demand platform. It focuses on the
potential added value and market penetration of the services offered. Drawing on
network and information economy as well as diffusion and adaptation research,
the chapter identifies and describes feedback effects and key variables between
the core ERP application and the benchmarking service. As a result, the developed
system dynamic model allows a holistic view on interdependencies. It shoes that
an ERP on-demand platform with an integrated SBM service promises a more
rapid and deeper market penetration for both applications compared to a separate
offer. But the results of the demonstrated advantages of an integrated ERP on-
demand platform have to be put into perspective in several respects:
By means of the developed qualitative model we achieve the objective to visualize
decision-making possibilities for researchers and practitioners through the
identified structures and patterns of behavior. However, no statements about the
extent and strength of the effects can be made. This would require a further step
involving the extension of the qualitative model to a parameterization and
quantification in the form of mathematical simulations according to the traditional
system-dynamics approach (Forrester, 1994). This would allow for an evaluation
by means of iterative simulation runs and ultimately a market forecast for the
optimization of marketing strategies and capacity planning.
Another limitation arises from the assumptions about the willingness of
companies to provide data for the ERP on-demand provider. This “optimistic”
assessment is based on the fact that companies already using SaaS applications
must rely on a trustful handling of their data. The subsequently introduced secure
7.2 Implications for future research 246
sustainability benchmarking service (SBS) is a first attempt to tackle this obstacle.
However, the proposed SBS is still limited by its assumptions regarding trust:
While research clearly shows that enterprises in supply chains regularly refrain
from exchanging sensitive data, attitudes as well as routines of organizational
members can significantly change over time. Moreover, substituting trust in
organizations and people by trust in technology, as has been proposes to do with
the SBS, is merely one solution - an alternative are trust-building measures, such
as reputation - and has strong assumptions with regard to individual’s behavior.
Accordingly, empirical evaluation, and for this testing the behavioral assumptions,
is an important next step.
Beside these limitations and options for future research, introducing resilience into
practice will remain a substantial challenge as it first requires a cognitive and
cultural shift on all organizational levels, from leaders to employers on the “sharp
end” (Weick and Sutcliffe, 2001; Woods, 2006b). Similar to, for example
ecological sustainability, recognizing resilience in management will shape aspects
such as strategy, the modus operandi and the skills of the workforce (Coutu, 2002;
Hollnagel, 2011; Weick and Sutcliffe, 2007). Moreover, investing in redundancy
and mindfulness to improve organizational resilience in times of lean management
and high-efficient processing is particularly difficult to justify to investors and
other stakeholders (Staber and Sydow, 2002; Weick and Sutcliffe, 2001). As a
consequence, realizing the need for resilience often requires the hard lesson of
crisis or accidents (Walker and Salt, 2006). However, the growing
(inter)dependence and complexity of the highly–connected business world is
accompanied by an increased sense of vulnerability to new and future threats, all
with the potential to trigger interrelated cascading disturbances and even
organizational decline.
One cannot doubt that most organizations cannot afford to wait for crises as a
method of galvanizing action. It is becoming increasingly clear that the
organizations best able to sustain and cope with increasing uncertainty will be
those that incorporate resilience goals into their business practices.
References
Accorsi, R., “Safe-Keeping Digital Evidence with Secure Logging Protocols: State of the Art and Challenges”, Stuttgart, Germany.
Accorsi, R. (2013), “Sicherheit im Prozessmanagement”, digma Zeitschrift für Datenrecht und Informationssicherheit.
Accorsi, R. and Lehmann, A. (2012), “Automatic Information Flow Analysis of Business Process Models”, in Hutchison et al., David (Ed.), Business Process Management, Lecture Notes in Computer Science, Vol. 7481, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 172–187.
Accorsi, R. and Stocker, T. (2012), “On the exploitation of process mining for security audits: the conformance checking case”, in Ossowski, S. and Lecca, P. (Eds.), SAC, ACM, pp. 1709–1716.
Accorsi, R., Stocker, T. and Müller, G. (2013), “On the exploitation of process mining for security audits: the process discovery case”, in Proceedings of the 28th Annual ACM Symposium on Applied Computing, ACM, New York, NY, USA, pp. 1462–1468.
Accorsi, R., Ullrich, M. and van der Aalst,Wil M. P. (2012), “Process Mining”, Informatik-Spektrum, Vol. 35 No. 5, pp. 354–359.
Accorsi, R., Wonnemann, C., Chu, W., Wong, W.E., Palakal, M.J. and Hung, C.-C. (2011), “Strong non-leak guarantees for workflow models”, ACM symposium on applied computing, pp. 308–314.
Adger, W. (2000), “Social and ecological resilience: are they related?”, Progress in Human Geography, Vol. 24 No. 3, pp. 347–364.
Adger, W.N. (2006), “Vulnerability. A Cross-Cutting Theme of the International Human Dimensions Programme on Global Environmental Change Resilience”, Global Environmental Change, Vol. 16 No. 3, pp. 268–281.
Aiginger, K. (2009), “Strengthening the resilience of an economy”, Intereconomics, Vol. 44 No. 5, pp. 309–316.
Allen, J.H. and Cebula, J.J. (2011), Risk and Resilience: Considerations for Information Security Risk Assessment and Management, 14th-18th February San Francisco.
Allen, J.H. and Curtis, P.D. (2011), Measures for Managing Operational Resilience, Technical Report. Allen, J.H., Curtis, P.D. and Gates, L.P. (2011), Using Defined Processes as a Context for Resilience
Measures, CMU/SEI-2011-TN-029, Carnegie Mellon University, Software Engineering Institute, Pittsburgh, Pa.
Allen, J.H. and Davis, N. (2010), Measuring Operational Resilience Using the CERT Resilience Management Model, CMU/SEI-2010-TN-030, Pittsburgh, Pa.
Anderson, R. (2011), “Trusted Computing FAQ”, available at: http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html (accessed 28 April 2011).
Anderson, R. and Needham, R. (1995), “Programming Satan's computer”, in van Leeuwen, J. (Ed.), Computer Science Today: Recent trends and developments, Springer, Berlin, New York, pp. 426–440.
Angst, C.M., Agarwal, R., Sambamurthy, V. and Kelley, K. (2010), “Social Contagion and Information Technology Diffusion: The Adoption of Electronic Medical Records in U.S. Hospitals”, Management Science, Vol. 56 No. 8, pp. 1219–1241.
Ansoff, I. and Sullivan, P. (1993), “Optimizing profitability in turbulent environments. A formula for strategic success”, Long Range Planning, Vol. 26 No. 5, pp. 11–23.
Antunes, P. (2011), “BPM and Exception Handling: Focus on Organizational Resilience”, IEEE Transactions on Systems, Man & Cybernetics: Part C - Applications & Reviews, Vol. 41 No. 3, pp. 383–392.
Antunes, P. and Mourão, H. (2011), “Resilient Business Process Management: Framework and services”, Intelligent Collaboration and Design, Vol. 38 No. 2, pp. 1241–1254.
Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A. and Stoica, I. (2010), “A view of cloud computing”, Communications of the ACM, Vol. 53 No. 4, pp. 50–58.
Arthur, W.B. (1996), “Increasing returns and the new world of business”, Harvard Business Review, Vol. 74 No. 4, pp. 100–109.
Ates, A. and Bititci, U. (2011), “Change process: a key enabler for building resilient SMEs”, International Journal of Production Research, Vol. 49 No. 18, pp. 5601–5618.
Aven, T. (2011), “On Some Recent Definitions and Analysis Frameworks for Risk, Vulnerability, and Resilience”, Risk Analysis: An International Journal, Vol. 31 No. 4, pp. 515–522.
Avizienis, A., Laprie, J.-C., Randell, B. and Landwehr, C. (2004), “Basic Concepts and Taxonomy of Dependable and Secure Computing”, IEEE Trans. Dependable Secur. Comput, Vol. 1 No. 1, pp. 11–33.
Baker, S.M. (2009), “Vulnerability and Resilience in Natural Disasters. A Marketing and Public Policy Perspective”, Journal of Public Policy & Marketing, Vol. 2009 No. 28, pp. 114–123.
Balasubramanian, S. and Gupta, M. (2005), “Structural metrics for goal based business process design and evaluation”, Business Process Management Journal, Vol. 11 No. 6, pp. 680–694.
Barki, H. and Pinsonneault, A. (2005), “A Model of Organizational Integration, Implementation Effort, and Performance”, Organization Science, Vol. 16 No. 2, pp. 165–179.
Basili, V.R., Caldiera, G. and Rombach, H.D. (1994), “Goal Question Metric Paradigm”, Encyclopedia of Software Engineering No. 2, pp. 528–532.
Basin, D., Burri, S.J. and Karjoth, G. (2012), “Optimal workflow-aware authorizations”, in Proceedings of the 17th ACM symposium on Access Control Models and Technologies, ACM, New York, NY, USA, pp. 93–102.
Baum, N. (2005), “Building Resilience”, Journal of Aggression, Maltreatment & Trauma, Vol. 10 No. 1, pp. 487–498.
Bayuk, J. and Silverstein, K. (2007), “Utilising information security to improve resilience”, Journal of Business Continuity & Emergency Planning, Vol. 2 No. 1, pp. 7–12.
Beer, M. (2002), Building Organizational Fitness in the 21st Century, Division of Research, Harvard Business School.
Beermann, M. (2011), “Linking corporate climate adaptation strategies with resilience thinking”, Journal of Cleaner Production, Vol. 19 No. 8, pp. 836–842.
Benlian, A., Hess, T. and Buxmann, P. (2009), “Drivers of SaaS-Adoption – An Empirical Study of Different Application Types”, Business & Information Systems Engineering, Vol. 1 No. 5, pp. 357–369.
Benner, M.J. and Tushman, M.L. (2003), “Exploitation, Exploration, and Process Management. The Productivity Dilemma Revisited”, The Academy of Management Review, Vol. 28, pp. 238–256.
Ben-Or, M., Goldwasser, S. and Wigderson, A. (1988), “Completeness theorems for non-cryptographic fault-tolerant distributed computation”, in Proceedings of the twentieth annual ACM symposium on Theory of computing, ACM, Chicago, Illinois, USA, pp. 1–10.
Berkes, F. (2007), “Understanding uncertainty and reducing vulnerability: lessons from resilience thinking”, Natural Hazards, Vol. 41 No. 2, pp. 283–295.
Bhamra, R., Dani, S. and Burnard, K. (2011), “Resilience: the concept, a literature review and future directions”, International Journal of Production Research, Vol. 49 No. 18, pp. 5375–5393.
Bichler, M. (2006), “Design science in information systems research”, WIRTSCHAFTSINFORMATIK, Vol. 48 No. 2, pp. 133–135.
Bikhchandani, S., Hirshleifer, D. and Welch, I. (1992), “A Theory of Fads, Fashion, Custom, and Cultural Change as Informational Cascades”, Journal of Political Economy, Vol. 100 No. 5, pp. 992–1026.
Birkland, T.A. and Waterman, S. (2009), “The Policy and Policy Challenges of Disaster Resilience”, in Nemeth, C.P., Hollnagel, E. and Dekker, S. (Eds.), Resilience Engineering Perspectives 2. Preparation and restoration, Ashgate, Farnham, pp. 15–38.
Björklund, M. (2010), “Benchmarking tool for improved corporate social responsibility in purchasing”, Benchmarking: An International Journal, Vol. 17 No. 3, pp. 340–362.
Bohli, J.-M., Sorge, C. and Ugus, O. (2010), “A Privacy Model for Smart Metering”, in Proceedings of the 1st IEEE International Workshop on Smart Grid Communications, Capetown, South Africa, pp. 1–5.
Boin, A. and McConell, A. (2007), “Preparing for Critical Infrastructure Breakdowns. The Limits of Crisis Management and the Need for Resilience”, Journal of Contingencies and Crisis Management, Vol. 15 No. 1, pp. 50–59.
Boisot, M. and McKelvey, B. (2011), “Connectivity, Extremes, and Adaptation: A Power-Law Perspective of Organizational Effectiveness”, Journal of Management Inquiry, Vol. 20 No. 2, pp. 119–133.
Borgatti, S. (2003), “The Network Paradigm in Organizational Research: A Review and Typology”, Journal of Management, Vol. 29 No. 6, pp. 991–1013.
Borgatti, S.P., Everett, M.G. and Freeman, L.C. (2002), “UCINET for windows: Software for social network analysis”, Harvard, MA: Analytic Technologies.
Boudreau, M.-C., Chen, A. and Huber, M. (2008), “Green IS: Building sustainable business practices”, Information Systems: A Global Text, pp. 1–17.
Brand, F.S. and Jax, K. (2007), “Focusing the meaning(s) of resilience. resilience as a descriptive concept and a boundary object”, Ecology and Society, Vol. 12 No. 1.
Brecht, B. (1964), Der gute Mensch von Sezuan: Parabelstück, Edition Suhrkamp, Vol. 73, 1. Aufl, Suhrkamp, Frankfurt am Main.
Brecht, B. and Bentley, E. (2007), The good woman of Setzuan, Modern classics, Penguin Books, London.
Brewer, P.C. and Speh, T.W. (2001), “Adapting the Balanced Scorecard to Supply Chain Performance”, Supply Chain Management: An International Journal (Supply Chain Management Review, Vol. 5 No. 5, pp. 48–56.
Brickell, J. and Shmatikov, V. (2008), “The cost of privacy: destruction of data-mining utility in anonymized data publishing”, in Proceedings of the 14th ACM SIGKDD international conference on Knowledge discovery and data mining, ACM, Las Vegas, Nevada, USA, pp. 70–78.
Briguglio, L., Cordina, G., Farrugia, N. and Vella, S. (2009), “Economic Vulnerability and Resilience: Concepts and Measurements”, Oxford Development Studies, Vol. 37 No. 3, pp. 229–247.
Bruneau, M., Chang, S.E., Eguchi, R.T., Lee, G.C., O’Rourke, T.D., Reinhorn, A.M., Shinozuka, M., Tierney, K., Wallace, W.A. and Winterfeldt, D. von (2003), “A Framework to Quantitatively Assess and Enhance the Seismic Resilience of Communities”, Earthquake Spectra, Vol. 19 No. 4, pp. 733–752.
Brynjolfsson, E. and Kemerer, C.F. (1996), “Network Externalities in Microcomputer Software: An Econometric Analysis of the Spreadsheet Market”, Management Science, Vol. 42 No. 12, pp. 1627–1647.
Burnard, K. and Bhamra, R. (2011), “Organisational resilience: development of a conceptual framework for organisational responses”, International Journal of Production Research, pp. 1–19.
Burnett, R.D. and Hansen, D.R. (2008), “Ecoefficiency: Defining a role for environmental cost management”, Accounting, Organizations and Society, Vol. 33 No. 6, pp. 551–581.
Burns, T. and Stalker, G. (2000), “Mechanistic and organic systems of management”, in McLoughlin, I., Preece, D. and Dawson, P. (Eds.), Technology, organizations, and innovation: Critical perspectives on business and management, Routledge, London, New York, pp. 24–50.
Butler, B.S. and Gray, P.H. (2006), “Reliability, Mindfulness, and Information Systems”, MIS Quarterly, Vol. 30 No. 2, pp. 211–224.
Butler, T. (2011), “Compliance with institutional imperatives on environmental sustainability: Building theory on the role of Green IS”, Journal of Strategic Information Systems, Vol. 20 No. 1, pp. 6–26.
Buys, P.W. (2012), “Developing Corporate Strategies To Enable Resilience In The South African Information Systems And Technology Industry”, Journal of Applied Business Research, Vol. 28 No. 5.
Calantone, R., Garcia, R. and Dröge, C. (2003), “The Effects of Environmental Turbulence on New Product Development Strategy Planning”, Journal of Product Innovation Management, Vol. 20 No. 2, pp. 90–103.
Camp, R.C. (1989), Benchmarking: the search for industry best practices that lead to superior performance, Quality Press, White Plains.
Campbell, F.C. (2008), Elements of metallurgy and engineering alloys, ASM International, Materials Park, Ohio.
Caralli, R.A., Allen, J.H., Curtis, P.D. and Young, L.R. (2010), CERT resilience management model, version 1.0, CMU/SEI-2010-TR-012, Carnegie Mellon University, Software Engineering Institute, Pittsburgh, Pa.
Cardoso, J., Bostrom, R. and Sheth, A. (2004), “Workflow Management Systems and ERP Systems: Differences, Commonalities, and Applications”, Information Technology and Management, Vol. 5 3-4, pp. 319-338.
Cardoso, J., Mendling, J., Neumann, G. and Reijers, H.A. (2006), “A Discourse on Complexity of Process Models”, in Hutchison, D. and et al. (Eds.), Lecture Notes in Computer Science, Business Process Management Workshops, Springer, Berlin, Heidelberg, pp. 117–128.
Carmeli, A. and Markman, G.D. (2011), “Capture, governance, and resilience: strategy implications from the history of Rome”, Strategic Management Journal, Vol. 32 No. 3, pp. 322–341.
Carpenter, S., Walker, B., Anderies, J.M. and Abel, N. (2001), “From Metaphor to Measurement: Resilience of What to What?”, Ecosystems, Vol. 4 No. 8, pp. 765–781.
Carpenter, S.R., Arrow Kenneth J., Barrett, S., Biggs, R., Brock, W.A. and Crépin, A.-S. (2012), “General Resilience to Cope with Extreme Events”, Sustainability, Vol. 12 No. 4, pp. 3248–3259.
Chakravarthy, B.S. (1982), “Adaptation: A Promising Metaphor for Strategic Management”, Academy of Management Review, Vol. 7 No. 1, pp. 35–44.
Chatterji, A.K. and Toffel, M.W. (2010), “How firms respond to being rated”, Strategic Management Journal, Vol. 31 No. 4, pp. 917–945.
Cho, C.H. and Patten, D.M. (2007), “The role of environmental disclosures as tools of legitimacy: A research note”, Accounting, Organizations and Society, Vol. 32 7-8, pp. 639–647.
Christopher, M. and Peck, H. (2004), “Building the Resilient Supply Chain”, The International Journal of Logistics Management, Vol. 15 No. 2, pp. 1–14.
Church, M. (1999), “Organizing simply for complexity. Beyond metaphor towards theory”, Long Range Planning, Vol. 32, pp. 425–440.
Colbert, B.A. (2004), “The complex resource-based view: implications for theory and practice in strategic human resource management”, Academy of Management Review, Vol. 29 No. 3, pp. 341–358.
Comfort, L.K., Sungu, Y., Johnson, D. and Dunn, M. (2001), “Complex Systems in Crisis: Anticipation and Resilience in Dynamic Environments”, Journal of Contingencies and Crisis Management, Vol. 9 No. 3, pp. 144–158.
Cook, R. and Rasmussen, J. (2005), “Going solid: a model of system dynamics and consequences for patient safety”, Quality and Safety in Health Care, Vol. 14 No. 2, pp. 130–134.
Cord, D.J. (2014), The Decline and Fall of Nokia, 1st ed., Schildts & Söderströms. Coutu, D.L. (2002), “How Resilience Works”, Harvard Business Review, Vol. 80 No. 5, pp. 46–51. Coyle, R.G. (2000), “Qualitative and quantitative modelling in system dynamics: some research
questions”, System Dynamics Review, Vol. 16 No. 3, pp. 225–244. Coyle, R.G. (2001), System dynamics modelling: A practical approach, Chapman & Hall, London. Crichton, M.T., Ramsay, C.G. and Kelly, T. (2009), “Enhancing Organizational Resilience Through
Emergency Planning: Learnings from Cross-Sectoral Lessons”, Journal of Contingencies and Crisis Management, Vol. 17 No. 1, pp. 24–37.
Crnkovic, I. (2011), “Predictability and Evolution in Resilient Systems. Software Engineering for Resilient Systems”, in Troubitsyna, E. (Ed.), Lecture Notes in Computer Science, Vol. 6968, Springer Berlin / Heidelberg, pp. 113–114.
Cumming, G.S., Barnes, G., Perz, S., Schmink, M., Sieving, K.E., Southworth, J., Binford, M., Holt, R.D., Stickler, C. and Holt, T. (2005), “An Exploratory Framework for the Empirical Measurement of Resilience”, Ecosystems, Vol. 8 No. 8, pp. 975–987.
Cunha, M.P.E., Clegg, S.R. and Kamoche, K. (2006), “Surprises in Management and Organization. Concept, Sources and A Typology*”, British Journal of Management, Vol. 17, pp. 317–329.
Cunha, M.P.E. and Da Cunha, J.V. (2006), “Towards a complexity theory of strategy”, Management Decision No. 44, pp. 839–850.
Cusumano, M.A. (2010), “Will SaaS and Cloud Computing become a new Industry Platform?”, in Benlian, C., Hess, A. and Buxmann, P. (Eds.), Software-as-a-Service: Anbieterstrategien, Kundenbedürfnisse und Wertschöpfungsstrukturen, Gabler, Wiesbaden, pp. 3–13.
Damgård, I. and Jurik, M. (2001), “A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System”, in Kim, K. (Ed.), Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography, Cheju Island, Korea, pp. 119–136.
Davenport, T.H. (1993), Process innovation: Reengineering work through information technology, Harvard business school, Boston (Mass.).
Dedrick, J. (2010), “Green IS: concepts and issues for information systems research”, Communications of AIS, Vol. 27 No. 1, pp. 173–184.
Dekker, S. (2003), “Failure to adapt or adaptations that fail: contrasting models on procedures and safety”, Applied ergonomics, Vol. 34 No. 3, pp. 233–238.
Demirkan, H., Cheng, H.K. and Bandyopadhyay, S. (2010), “Coordination Strategies in an SaaS Supply Chain”, Journal of Management Information Systems, Vol. 26 No. 4, pp. 119–143.
Derissen, S., Quaas, M.F. and Baumgärtner, S. (2011), “The relationship between resilience and sustainability of ecological-economic systems”, Ecological Economics, Vol. 70 No. 6, pp. 1121–1128.
Dewald, J. and Bowen, F. (2010), “Storm Clouds and Silver Linings: Responding to Disruptive Innovations Through Cognitive Resilience”, Entrepreneurship Theory and Practice, Vol. 34 No. 1, pp. 197–218.
Diesner, J., Frantz, T.L. and Carley, K.M. (2005), “Communication Networks from the Enron Email Corpus “It's Always About the People. Enron is no Different””, Computational and Mathematical Organization Theory, Vol. 11 No. 3, pp. 201–228.
DiMaggio, P.J. and Powell, W.W. (1983), “The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields”, American Sociological Review, Vol. 48 No. 2, pp. 147–160.
Dongen, B.F., Crooy, R.A. and Aalst, W.M.P. (2008), “Cycle Time Prediction: When Will This Case Finally Be Finished?”, in Meersman, R. and Tari, Z. (Eds.), On the Move to Meaningful Internet Systems: OTM 2008, Lecture Notes in Computer Science, Vol. 5331, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 319–336.
Dorner, D. (1996), The Logic of Failure: Recognizing and Avoiding Error in Complex Situations, Metropolitan Books, New York.
Dosi, G., Nelson, R.R. and Winter, S.G. (2000), The nature and dynamics of organizational capabilities, Oxford University Press, New York.
Drucker, P.F. (1980), Managing in turbulent times, Butterworth Heinemann, Oxford. Duan, W., Gu, B. and Whinston, A.B. (2009), “Informational Cascades and Software Adoption on the
Internet. An Empirical Investigation”, MIS Quaterly, Vol. 33 No. 1, pp. 23–48. Dumas, M., La Rosa, M., Mendling, J. and Reijers, H.A. (2013), Fundamentals of business process
management, Springer, Berlin, Heidelberg. Dutton, J.M. and Thomas, A. (1984), “Treating Progress Functions as a Managerial Opportunity”, The
Academy of Management Review, Vol. 9 No. 2, pp. 235–247. Dwork, C. (2006), “Differential Privacy”, in Bugliesi, M., Preneel, B., Sassone, V. and Wegener, I.
(Eds.), Automata, Languages and Programming, Lecture Notes in Computer Science, Vol. 4052, Springer Berlin Heidelberg, pp. 1-12.
Eder, J., Panagos, E., Pozewaunig, H. and Rabinovich, M. (1999), “Time management in workflow systems”, in BIS'99, Springer Verlag, pp. 265–280.
Edson, M.C. (2012), “A Complex Adaptive Systems View of Resilience in a Project Team”, Systems Research and Behavioral Science, Vol. 29 No. 5, pp. 499–516.
Efatmaneshnik, E. and Reidsema, C. (2007), “Immunity as a Design Decision Making Paradigm for Complex Systems. A Robustness Approach”, Cybernetics and Systems: An International Journal No. 38, pp. 759–780.
Ekelhart, A. and Neubauer, T. (2011), “Information Security Risk Management: In Which Security Solutions Is It Worth Investing?”, Communications of the Association for Information Systems, Vol. 28 No. 1.
Elliot, S. (2011), “Transdisciplinary perspectives on environmental sustainability: a resource base and framework for IT-enabled business transformation”, MIS Quarterly, Vol. 35 No. 1, pp. 197–236.
Endsley, M.R. (1995), “Toward a Theory of Situation Awareness in Dynamic Systems”, Human Factors: The Journal of the Human Factors and Ergonomics Society, Vol. 37 No. 1, pp. 32–64.
Erol, O., Henry, D., Sauser, B. and Mansouri, M. (2010a), “Perspectives on measuring enterprise resilience”, San Diego, CA.
Erol, O., Sauser, B.J. and Mansouri, M. (2010b), “A framework for investigation into extended enterprise resilience”, Enterprise Information Systems, Vol. 4 No. 2, pp. 111–136.
Etzion, O. (2009), “Complex event processing”, in Liu, L. and M. T. Özsu, M. T. (Eds.), Encyclopedia of Database Systems, Springer, pp. 412--413.
European Comission (2011), “ELCD core database version II”, available at: http://lca.jrc.ec.europa.eu/lcainfohub/datasetArea.vm. (accessed 15 April 2011).
Fava, J., Baer, S. and Cooper, J. (2009), “Increasing Demands for Life Cycle Assessments in North America”, Journal of Industrial Ecology, Vol. 13 No. 4, pp. 491–494.
Fdhila, W., Rinderle-Ma, S., Reichert and M. (2012), “Change propagation in collaborative processes scenarios”, in Proceedings of the 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing, Pittsburgh, United States, pp. 452--461.
Fenz, S. and Ekelhart, A. (2009), “Formalizing information security knowledge”. Fenz, S., Ekelhart, A. and Neubauer, T. (2009), “Business Process-based Resource Importance
Determination”, in Proceedings of the 7th International Conference on Business Process Management (BPM’2009), Springer-Verlag Berlin, Heidelberg, pp. 113–127.
Fenz, S., Ekelhart, A. and Neubauer, T. (2011), “Information Security Risk Management. In which security solutions is it worth investing?”, Communications of the Association for Information Systems, Vol. 28 No. 1, pp. Article 22, 329–356.
Fenz, S., Neubauer, T., Accorsi, R. and Koslowski, T.G. (2013), “FORISK: Formalizing Information Security Risk and Compliance Management”, 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W) 24-27 June, Budapest.
Fichman, R.G. and Kemerer, C.F. (1997), “The Assimilation of Software Process Innovations: An Organizational Learning Perspective”, Management Science, Vol. 43 No. 10, pp. 1345–1363.
Figge, F. and Hahn, T. (2005), “The Cost of Sustainability Capital and the Creation of Sustainable Value by Companies”, Journal of Industrial Ecology, Vol. 9 No. 4, pp. 47–58.
Fiksel, J. (2003), “Designing Resilient, Sustainable Systems”, Environmental Science & Technology, Vol. 37 No. 23, pp. 5330–5339.
Fischbach, K., Gloor, P.A. and Schoder, D. (2009), “Analysis of Informal Communication Networks – A Case Study”, Business & Information Systems Engineering, Vol. 1 No. 2, pp. 140–149.
Fisher, D. and Dourish, P. (2004), “Social and temporal structures in everyday collaboration”, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM, New York, NY, USA, pp. 551–558.
Folke, C. (2006), “Resilience: The emergence of a perspective for social-ecological systems analyses. Resilience, Vulnerability, and Adaptation: A Cross-Cutting Theme of the International Human Dimensions Programme on Global Environmental Change”, Global Environmental Change, Vol. 16 No. 3, pp. 253–267.
Forrest, J. (2010), “Introduction of qualitative system dynamics”, available at: http://jayfor.site.aplus.net/qualsd/id11.html (accessed 12 December 2010).
Forrester, J.W. (1961), Industrial dynamics, MIT, Camebridge. Forrester, J.W. (1994), “System dynamics, systems thinking, and soft OR”, System Dynamics Review,
Vol. 10 2-3, pp. 245–256. Frank, U. (2006), Towards a pluralistic conception of research methods in information systems research,
ICB-Research Report. Freeman, S., Hirschhorn, L. and Matty, M. (2003), “Organizational resilience and moral purpose. Sandler
O'Neill and Partners, L.P. in the aftermath of September 11, 2001”, D. Nagao (Ed.) Academy of Management (best papers), Madison, WI.
Freiling, F.C. and Schwittay, B. (2007), “A Common Process Model for Incident Response and Computer Forensics”, IMF, Vol. 7, pp. 19–40.
Friedman, M. (1993), “The "plucking model" of business fluctuations revisited”, Economic Inquiry, Vol. 31 No. 2, pp. 171–177.
Funk, B., Möller, A. and Niemeyer, P. (2009), “Integration of Environmental Management Information Systems and ERP systems using Integration Platforms”, in Athanasiadis, I., Mitkas, P., Rizzoli, A. and Marx Gómez, J. (Eds.), Information Technologies in Environmental Engineering, Thessaloniki, Greece, pp. 53–63.
Gartner (2010), “Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update”, available at: http://www.gartner.com/id=2332215 (accessed 13 August 2013).
Gartner Research (2014), Survey Analysis: Adoption of Cloud ERP, 2013 Through 2023. Gatignon, H. and Robertson, T.S. (1985), “A Propositional Inventory for New Diffusion Research”,
Journal of Consumer Research, Vol. 11 No. 4, pp. 849–867. Gentry, C. (2009), “Fully homomorphic encryption using ideal lattices”, in Mitzenmacher, M. and
Bethesda, M.D. (Eds.), Proceedings of the 41st ACM Symposium on Theory of Computing, pp. 169–178.
Gentry, C. and Halevi, S. (2011), “Implementing Gentry’s Fully-Homomorphic Encryption Scheme”, Advances in Cryptology – EUROCRYPT, pp. 129–148.
Geoffrey Love, E. and Nohria, N. (2005), “Reducing slack: the performance consequences of downsizing by large industrial firms, 1977–93”, Strategic Management Journal, Vol. 26 No. 12, pp. 1087–1108.
Georges, A., Buytaert, D. and Eeckhout, L. (2007), “Statistically rigorous java performance evaluation”, in Proceedings of the 22nd annual ACM SIGPLAN conference on Object-oriented programming systems and applications, ACM, Montreal, Quebec, Canada, pp. 57–76.
Geus, A. de (1997), “The Living Company”, Harvard Business Review, Vol. 75 No. 2, pp. 51–59. Ginsberg, A. and Buchholtz, A. (1990), “Converting to For-Profit Status. Corporate Responsiveness to
Radical Change”, The Academy of Management Journal, Vol. 33 No. 3, pp. 445–477. Goldreich, O., Micali, S. and Wigderson, A. (1987), “How to play ANY mental game”, Proceedings of
the 19th annual ACM symposium on Theory of computing, pp. 218–229. González, L.S., Rubio, F.G., González, F.R. and Velthuis, M.P. (2010), “Measurement in business
processes. a systematic review”, Business Process Management Journal, Vol. 16 No. 1, pp. 114–134. Graafland, J.J., Eijffinger, S. and Smid-Johan, H. (2004), “Benchmarking of Corporate Social
Responsibility: Methodological Problems and Robustness”, Journal of Business Ethics, Vol. 53 1/2, pp. 137–152.
Griffiths, D.J. (2013), Revolutions in twentieth-century physics, Cambridge University Press, Cambridge, U.K.
Grote, G. (2009), Management of uncertainty: Theory and application in the design of systems and organizations, Decision engineering, Springer, London.
Gunderson, L. (2009), Comparing Ecological and Human Community Resilience: CARRI Research Report No. 5, Oak Ridge, TN.
Gunderson, L.H. (Ed.) (2002), Panarchy: Understanding transformations in human and natural systems, Island Press, Washington, DC [u.a].
Haimes, Y.Y. (2009a), “On the Complex Definition of Risk: A Systems-Based Approach”, Risk Analysis: An International Journal, Vol. 29 No. 12, pp. 1647–1654.
Haimes, Y.Y. (2009b), “On the Definition of Resilience in Systems”, Risk Analysis: An International Journal, Vol. 29 No. 4, pp. 498–501.
Hale, A. and Heijer, T. (2006), “Defining Resilience”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT.
Hamel, G. and Välikangas, L. (2003), “The Quest for Resilience.”, Harvard Business Review, Vol. 81 No. 9, pp. 52–63.
Hammer, M. and Champy, J. (2003), Reengineering the corporation: A manifesto for business revolution, 1st HarperBusiness Essentials pbk. ed, HarperBusiness Essentials, New York.
Hammerschmidt, M. (2006), Effizienzanalyse im Marketing: Ein produktionstheoretisch fundierter Ansatz auf Basis von Frontier Functions, 1st ed., Dt. Univ.-Verl., Wiesbaden.
Handmer, J., Dovers, S. and Downing, T. (1999), “Societal Vulnerability to Climate Change and Variability”, Mitigation and Adaptation Strategies for Global Change, Vol. 4 3/4, pp. 267–281.
Handmer, J.W. and Dovers, S.R. (1996), “A Typology of Resilience: Rethinking Institutions for Sustainable Development”, Organization & Environment, Vol. 9 No. 4, pp. 482–511.
Hannan, M.T. and Freeman, J. (1977), “The Population Ecology of Organizations”, American Journal of Sociology, Vol. 82 No. 5, pp. 929–964.
Harrington, H.J. (1991), Business process improvement: The breakthrough strategy for total quality, productivity, and competitiveness, McGraw-Hill, New York.
Helper, S., MacDuffie, J. and Sabel C. (2000), “Pragmatic collaborations: advancing knowledge while controlling opportunism”, Industrial and Corporate Change, Vol. 9 No. 3, pp. 443–488.
Hervani, A.A., Helms, M.M. and Sarkis, J. (2005), “Performance measurement for green supply chain management”, Benchmarking: An International Journal, Vol. 12 No. 4, pp. 330–353.
Hevner, A.R., March, S.T., Park, J. and Ram, S. (2004), “Design science in information systems research”, MIS Quarterly, Vol. 28 No. 1, pp. 75–105.
Hitt, M.A., Ireland, R.D. and Hoskisson, R.E. (2011), Strategic management: Competitiveness and globalization concepts and cases, 9th ed, South-Western Cengage Learning, Mason (OH).
Ho, W., Xu, X. and Dey, P.K. (2010), “Multi-criteria decision making approaches for supplier evaluation and selection: A literature review”, European Journal of Operational Research, Vol. 202 No. 1, pp. 16–24.
Hoffer, C.W. (1975), “Toward a Contingency Theory of Business Strategy”, Academy of Management Journal, Vol. 18 No. 4, pp. 784–810.
Hoffer Gittell, J., Cameron, K., Lim, S. and Rivas, V. (2006), “Relationships, Layoffs, and Organizational Resilience. Airline Industry Responses to September 11”, The Journal of Applied Behavioral Science, Vol. 42 No. 3, pp. 300–329.
Hoffmann, V.H. and Busch, T. (2008), “Corporate Carbon Performance Indicators”, Journal of Industrial Ecology, Vol. 12 No. 4, pp. 505–520.
Hofmann, P. (2008), “ERP is Dead, Long Live ERP”, IEEE Internet Computing, Vol. 12 No. 4, pp. 84–88.
Holland, J.H. (1998), Emergence: From chaos to order, Addison-Wesley, Reading, Mass. Holling, C.S. (1973), Resilience and stability of ecological systems, International Institute for Applied
Systems Analysis, Laxenburg, Austria. Holling, C.S. (1996), “Engineering resilience versus ecological resilience”, in Schulze, P.C. (Ed.),
Engineering Within Ecological Constraints, The National Academies Press, Washington, D.C. Holling, C.S. (2001), “Understanding the Complexity of Economic, Ecological, and Social Systems”,
Ecosystems, Vol. 4 No. 5, pp. 390–405. Holling, C.S. and Gunderson, L.H. (2002), “Resilience and Adaptive Cycles”, in Gunderson, L.H. (Ed.),
Panarchy: Understanding transformations in human and natural systems, Island Press, Washington, DC [u.a], pp. 25–62.
Hollnagel, E. (2008), “From protection to resilience: Changing views on how to achieve safety”, Proceedings of the 8th International Symposium of the Australian Aviation Psychology Association.
Hollnagel, E. (2009), The ETTO principle: Efficiency-thoroughness trade-off why things that go right sometimes go wrong, Ashgate, Farnham, England, Burlington, VT.
Hollnagel, E. (2011), Resilience engineering in practice: A guidebook, Ashgate studies in resilience engineering, Ashgate, Farnham, Surrey, England, Burlington, VT.
Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.) (2006), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT.
Horne III, J.F. (1997), “The coming age of organizational resilience”, Business Forum, Vol. 22, p. 24. Horne III, J.F. and Orr, J.E. (1998), “Assessing Behaviors That Create Resilient Organizations”,
Employment Relations Today (Wiley), Vol. 24, pp. 29–39. Houy, C., Fettke, P., Loos, P., Aalst, W.M.P. and Krogstie, J. (2011), “Business Process Management in
the Large”, Business & Information Systems Engineering, Vol. 3 No. 6, pp. 385–388. IF4IT (2014), “IF4IT Glossary / Dictionary of IT Terms and Phrases”, available at:
http://if4it.com/SYNTHESIZED/GLOSSARY/C/Capability.html. Jackson, S. (2009), Architecting resilient systems: Accident avoidance and survival and recovery from
disruptions, Wiley series in systems engineering and management, Wiley, Hoboken, NJ. Jakoubi, S., Tjoa, S., Goluch, G. and Quirchmayr, G. (2009), “A Survey of Scientific Approaches
Considering the Integration of Security and Risk Aspects into Business Process Management”, in DEXA Proceedings of the 20th International Workshop on Database and Expert Systems Application, pp. 127–132.
Janssen, M.A., Bodin, O., Anderies, J.M., Elmqvist, T., Ernstson, H., McAllister, R.R.J., Olsson, P. and Ryan, P. (2006), “Toward a network perspective of the study of resilience in social-ecological systems”, Ecology and Society, Vol. 11 No. 1, p. 15.
Jüttner, U., Christopher, M. and Godsell, J. (2010), “A strategic framework for integrating marketing and supply chain strategies”, The International Journal of Logistics Management, Vol. 21 No. 1, pp. 104–126.
Kahan, J.H., Allen, A.C. and George, J.K. (2009), “An Operational Framework for Resilience”, Journal of Homeland Security and Emergency Management, Vol. 6 No. 1.
Katz, M.L. and Shapiro, C. (1985), “Network externalities, competition, and compatibility”, The American Economic Review, Vol. 75 No. 3, pp. 424–440.
Kemfert, C., “The coming German energy turnaround”, available at: http://www.thebulletin.org/web-edition/op-eds/the-coming-german-energy-turnaround (accessed 30 April 2012).
Kendra, J.M. and Wachtendorf, T. (2003), “Elements of Resilience After the World Trade Center Disaster. Reconstituting New York City's Emergency Operations Centre”, Disasters, Vol. 27 No. 1, pp. 37–53.
Kerschbaum, F., Dahlmeier, D., Schröpfer, A., Biswas, D. and (Keine Angabe) (2009), “On the practical importance of communication complexity for secure multi-party computation protocols”, in
Proceedings of the ACM Symposium on Applied Computing, ACM, Honolulu, Hawaii, pp. 2008–2015.
Kerschbaum, F., Strüker, J. and Koslowski, T. (2011), “Confidential Information-Sharing for Automated Sustainability Benchmarks”, ICIS Proceedings Paper 4.
Kim, H., Lee, J.-N. and Han, J. (2010), “The role of IT in business ecosystems”, Communications of the ACM, Vol. 53 No. 5, p. 151.
King, A. (1995), “Avoiding Ecological Surprise: Lessons from Long-Standing Communities”, The Academy of Management Review, Vol. 20 No. 4, pp. 961–985.
Klein, G., Moon, B. and Hoffman, R.R. (2006), “Making Sense of Sensemaking 1: Alternative Perspectives”, IEEE Intelligent Systems, Vol. 21 No. 4, pp. 70–73.
Klein, R.J.T., Nicholls, R.J. and Thomalla, F. (2003a), “Resilience to natural hazards. How useful is this concept?”, Global Environmental Change Part B: Environmental Hazards No. 5, pp. 35–45.
Klein, R.J.T., Nicholls, R.J. and Thomalla, F. (2003b), “The Resilience of Coastal Megacities to Weather-Related Hazards”, in Kreimer, A., Arnold, M. and Carlin, A. (Eds.), Building safer cities: The future of disaster risk, World Bank, Washington, D.C, pp. 101–120.
Kolk, A. and Mauser, A. (2002), “The evolution of environmental management: from stage models to performance evaluation”, Business Strategy and the Environment, Vol. 11 No. 1, pp. 14–31.
Koslowski, T. (2011), “Interorganisationale Nachhaltigkeitsmessung als Softwaredienst”, in Eymann, T. (Ed.), Proceedings of the Doctoral Consortium of the Wirtschaftsinformatik, Vol. 2011, Zürich (CH), pp. 115–124.
Koslowski, T. and Strüker, J. (2011), “ERP On Demand Platform”, Business & Information Systems Engineering, Vol. 3 No. 6, pp. 359–367.
Koslowski, T. and Zimmermann, C. (2013), “Towards a Detective Approach to Process-Centered Resilience”, in Accorsi, R. and Ranise, S. (Eds.), Security and Trust Management, Lecture Notes in Computer Science, Vol. 8203, Springer Berlin Heidelberg, pp. 176-190.
Koslowski, T.G. (2013), “Resilience Management – Achieving Sustainability in Turbulent Environments”, 29th Apr - 1st May, Berkeley, CA.
Koslowski, T.G., Geoghegan, W. and Longstaff, P.H. (2013a), “Organizational Resilience: A Review and Reconceptualization”, paper presented at 33rd Annual International Conference of the Strategic Management Society, Sept 28 - Oct 1, Atlanta, VA.
Koslowski, T.G., Strüker, J. and Brenig, C. (2013b), “Mastering the Energiewende – A Cross-disciplinary Teaching Approach”, European Conference on Information Systems, ECIS No. 2013.
Krysiak, F.C. (2009), “Risk Management as a Tool for Sustainability”, Journal of Business Ethics, Vol. 85, pp. 483–492.
Kumar, K. and Diesel, H.G. (1996), “Sustainable Collaboration: Managing Conflict and Cooperation in Interorganizational Systems”, MIS Quarterly, Vol. 20 No. 3, pp. 279–300.
Laudon, K.C. and Laudon, J.P. (2010), Management information systems: Managing the digital firm, 11th ed, Pearson, Upper Saddle River, N.J, London.
Le Coze, J.-C. and Dupré, M. (2008), “The Need for "Translators" and for new Models of Safety”, in Hollnagel, E., Nemeth, C.P. and Dekker, S. (Eds.), Resilience Engineering Perspectives 1. Remaining Sensitive to the Possibility of Failure, Ashgate, Aldershot, England, Burlington, VT.
Lee, D. and Mendelson, H. (2007), “Adoption of Information Technology Under Network Effects”, Information Systems Research, Vol. 18 No. 4, pp. 395–413.
Lehmann, S. and Buxmann, P. (2009), “Pricing Strategies of Software Vendors”, Business & Information Systems Engineering, Vol. 1 No. 6, pp. 452–462.
Lengnick-Hall, C.A. and Beck, T.E. (2005), “Adaptive Fit Versus Robust Transformation: How Organizations Respond to Environmental Change”, Journal of Management, Vol. 31 No. 5, pp. 738–757.
Lengnick-Hall, C.A. and Beck, T.E. (2009), “Resilience Capacity and Strategic Agility: Prerequisites for Thriving in a Dynamic Environment”, in Nemeth, C.P., Hollnagel, E. and Dekker, S. (Eds.), Resilience Engineering Perspectives 2. Preparation and restoration, Ashgate, Farnham, pp. 39–70.
Lengnick-Hall, C.A., Beck, T.E. and Lengnick-Hall, M.L. (2011), “Developing a capacity for organizational resilience through strategic human resource management”, Human Resource Management Review, Vol. 21 No. 3, pp. 243–255.
Lentzos, F. and Rose, N. (2009), “Governing insecurity: contingency planning, protection, resilience”, Economy & Society, Vol. 38 No. 2, pp. 230–254.
Leonard-Barton, D. (1992), “Core capabilities and core rigidities: A paradox in managing new product development”, Strategic Management Journal, Vol. 13 S1, pp. 111–125.
Leveson, N., Dulac, N., Zipkin, D., Cutcher-Gershenfeld, J., Carroll, J. and Barrett, B. (2006), “Engineering resilience into safety-critical systems”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT, pp. 95–123.
Levin, S.A. (1998), “Ecosystems and the Biosphere as Complex Adaptive Systems”, Ecosystems, Vol. 1 No. 5, pp. 431–436.
Levinthal, D.A. (1997), “Adaptation on Rugged Landscapes”, Management Science, Vol. 43 No. 7, pp. 934–950.
Lewin, R. (Ed.) (1998), Complexity: Life at the edge of chaos, 2nd ed., Wiley, S, Chicago. Lewin, R. and Regine, B. (1998), “On the Edge in the World of Business”, in Lewin, R. (Ed.),
Complexity: Life at the edge of chaos, 2nd ed., Wiley, S, Chicago, pp. 197–211. Linnenluecke, M. and Griffiths, A. (2010), “Beyond Adaptation: Resilience for Business in Light of
Climate Change and Weather Extremes”, Business & Society, Vol. 49 No. 3, pp. 477–511. Linton, J.D., Klassen, R. and Vaidyanathan, J. (2007), “Sustainable supply chains: An introduction”,
Journal of Operations Management, Vol. 25 No. 6, pp. 1075–1082. Liu, D., Deters, R. and Zhang, W.J. (2010a), “Architectural design for resilience”, Enterprise Information
Systems, Vol. 4 No. 2, pp. 137–152. Liu, J., Lu Y.-H and Koh C.-K (2010b), “Performance Analysis of Arithmetic Operations in
Homomorphic Encryption”, Purdue Technical Report TR-ECE-10-08. Longstaff, P.H. (2005), Security, resilience, and communication in unpredictable environments such as
terrorism, natural disasters, and complex technology, Center for Information Policy Research, Harvard University.
Longstaff, P.H., Armstrong, N., Perrin, K., Parker, W.M. and Hidek, M.A. (2010), “Building Resilient Communities: A Preliminary Framework for Assessment”, Project on Resilience and Security white paper, Homeland Security Affairs, Vol. 4 No. 3, pp. 1–23.
Longstaff, P.H., Koslowski, T.G. and Geoghegan, W. (2013), “Translating Resilience: A Framework to Enhance Communication and Implementation”, 5th International Symposium on Resilience Engineering, Soesterberg, Netherlands, June 25-27, 2013.
Lorenz, D.F. (2010), “The diversity of resilience: contributions from a social science perspective”, Natural Hazards, pp. 1–18.
Luthans, F., Avey, J.B., Avolio, B.J. and Peterson, S.J. (2010), “The development and resulting performance impact of positive psychological capital”, Human Resource Development Quarterly, Vol. 21 No. 1, pp. 41–67.
Luthar, S.S., Cicchetti, D. and Becker, B. (2000), “The Construct of Resilience: A Critical Evaluation and Guidelines for Future Work”, Child Development, Vol. 71 No. 3, pp. 543–562.
Lynn, M.L. (2005), “Organizational Buffering. Managing Boundaries and Cores”, Organization Studies, Vol. 26 No. 1, pp. 37–61.
Machanavajjhala, A., Kifer, D., Gehrke, J. and Venkitasubramaniam, M. (2007), “L-diversity: Privacy beyond k-anonymity”, ACM Trans. Knowl. Discov. Data, Vol. 1 No. 1, pp. 24–35.
Madni, A.M. and Jackson, S. (2009), “Towards a Conceptual Framework for Resilience Engineering”, IEEE Systems Journal, Vol. 3 No. 2, pp. 181–191.
Makrinou, A., Mandaraka, M. and Assimakopoulos, D. (2008), “Environmental benchmarking for management of energy and water use: A study of SMEs in the Mediterranean region”, Environmental Quality Management, Vol. 17 No. 3, pp. 31–44.
Mallack, L. (1998), “Putting organizational resilience to work”, Industrial Management, Vol. 40 No. 8. Mamouni Limnios, E.A., Mazzarol, T., Ghadouani, A. and Schilizzi, Steven G. M. (2014), “The
Resilience Architecture Framework: Four organizational archetypes”, European Management Journal, Vol. 32 No. 1, pp. 104–116.
Marczyk, J. (2002), Beyond Optimization in Computer-Aided Engineering, Barcelona. Margolis, J.D. and Stoltz, P.G. (2010), “How to Bounce Back from Adversity. (cover story)”, Harvard
Business Review, Vol. 88 1/2, pp. 86–92. Markides, C.C. and Williamson, P.J. (1996), “Corporate diversification and organizational structure: A
resource-based view”, Academy of Management Journal, Vol. 39 No. 2, pp. 340–367. Maruyama, H. (Ed.) (2013), Towards Systems Resilience.
Masten, A.S. (2001), “Ordinary magic: Resilience processes in development”, American Psychologist, Vol. 56 No. 3, pp. 227–238.
Mathew, M. and Sumesh, N. (2010), “Pricing SaaS models: perceptions of business service providers and clients”, Journal of Services Research, Vol. 10 No. 1, pp. 51–68.
Matthews, H.S. and Lave, L.B. (2003), “Using input-output analysis for corporate benchmarking”, Benchmarking: An International Journal, Vol. 10 No. 2, pp. 153–168.
McAfee, A. and Brynjolfsson, E. (2012), “Big Data: The Management Revolution”, Harvard Business Review, Vol. 1.
McCann, J., Selsky, J. and Lee, J. (2009), “Building Agility, Resilience and Performance in Turbulent Environments”, People & Strategy, Vol. 32 No. 3, pp. 44–51.
McCann, J.E. (2004), “Organizational Effectiveness. Changing Concepts for Changing Environments”, Human Resource Planning, Vol. 27, pp. 42–50.
McCann, J.E. and Selsky, J.W. (2012), Mastering turbulence: The essential capabilities of agile and resilient individuals, teams, and organizations, First edition., Jossey-Bass, San Franciso.
McCoy, J. and Elwood, A. (2009), “Human factors in organisational resilience. Implications of breaking the psychological contract”, Journal of Business Continuity & Emergency Planning, Vol. 3 No. 4, pp. 368–375.
McDaniels, T., Chang, S., Cole, D., Mikawoz, J. and Longstaff, H. (2008), “Fostering resilience to extreme events within infrastructure systems: Characterizing decision contexts for mitigation and adaptation”, Global Environmental Change, Vol. 18 No. 2, pp. 310–318.
McDonald, N. (2006), “Organizational Resilience and Industrial Risk”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT, pp. 155–179.
Melcher, J. (2012), Process measurement in business process management: Theoretical framework and analysis of several aspects, KIT Scientific Publishing, Karlsruhe.
Melville, N.P. (2010), “Information systems innovation for environmental sustainability”, MIS Quaterly, Vol. 34 No. 1, pp. 1–21.
Mendoca, D. (2008), “Measures of Resilient Performance”, in Hollnagel, E., Nemeth, C.P. and Dekker, S. (Eds.), Resilience Engineering Perspectives 1. Remaining Sensitive to the Possibility of Failure, Ashgate, Aldershot, England, Burlington, VT, pp. 29–46.
Meyer, A.D. (1982), “Adapting to Environmental Jolts”, Administrative Science Quarterly, Vol. 27, pp. 515–537.
Meyer, J.F. (2013), “Model-based evaluation of system resilience”, paper presented at Annual IEEE/IFIP Conference on Dependable Systems and Networks, Budapest.
Miakisz, J.A. (1999), “Measuring and Benchmarking Environmental Performance in the Electric Utility Sector: The Experience of Niagara Mohawk”, in Bennett, M., James, P. and Klinkers, L. (Eds.), Sustainable Measures - Evaluation and Reporting of Environmental and Social Performance, Greenleaf Publishing, Sheffield, pp. 221–245.
Milliken, F.J. (1987), “Three Types of Perceived Uncertainty about the Environment: State, Effect, and Response Uncertainty”, The Academy of Management Review, Vol. 12 No. 1, pp. 133–143.
Mitleton-Kelly, E. (2003), Complex systems and evolutionary perspectives on organisations: The application of complexity theory to organisations, Pergamon, Oxford.
Moore, G.C. and Benbasat, I. (1991), “Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation”, Information Systems Research, Vol. 2 No. 3, pp. 192–222.
Müller, G. (2009), “War Internet die einzige Option? Welchen Weg soll die Wirtschaftsinformatik gehen?”, WIRTSCHAFTSINFORMATIK, Vol. 51 No. 1, pp. 53–60.
Müller, G. and Koslowski, T. (2012), Resilience: A useful Paradigm for IT-Social Infrastructures?, Research Cooperation YRL Hitachi and University of Freiburg, Deliverable No. 1, Freiburg.
Müller, G., Koslowski, T.G. and Accorsi, R. (2013), “Resilience - A New Research Field in Business Information Systems?”, in Abramowicz, W. (Ed.), Business Information Systems Workshops, Lecture Notes in Business Information Processing, Vol. 160, Springer Berlin Heidelberg, pp. 3–14.
Müller, G., Sonehara, N., Echizen, I. and Wohlgemuth, S. (2011), “Sustainable Cloud Computing”, Business & Information Systems Engineering, Vol. 3 No. 3, pp. 129–131.
Narayanan, A. and Shmatikov, V. (2009), “De-anonymizing Social Networks”, in Security and Privacy, 2009 30th IEEE Symposium on, pp. 173–187.
Nelson, D.R., Adger, W.N. and Brown, K. (2007), “Adaptation to Environmental Change: Contributions of a Resilience Framework”, in Matson, P.A. and Gadgil, A. (Eds.), Annual review of environment and resources, Annual Reviews, Inc., Palo Alto, Calif, pp. 395–419.
Nemeth, C.P. (2008), “Resilience Engineering: the Birth of a Notion”, in Hollnagel, E., Nemeth, C.P. and Dekker, S. (Eds.), Resilience Engineering Perspectives 1. Remaining Sensitive to the Possibility of Failure, Ashgate, Aldershot, England, Burlington, VT, pp. 3–9.
Nemeth, C.P. (2009), “The Ability to Adapt”, in Nemeth, C.P., Hollnagel, E. and Dekker, S. (Eds.), Resilience Engineering Perspectives 2. Preparation and restoration, Ashgate, Farnham, pp. 1–12.
Nemeth, C.P., Hollnagel, E. and Dekker, S. (Eds.) (2009), Resilience Engineering Perspectives 2. Preparation and restoration, Ashgate, Farnham.
Neubauer, T., Ekelhart, A. and Fenz, S. (2008), “Interactive Selection of ISO 27001 Controls under Multiple Objectives”.
Nohria, N. (2006), “Survival of the Adaptive”, Harvard Business Review, Vol. 84 No. 5, p. 23. Norris, F.H., Stevens, S.P., Pfefferbaum, B., Wyche, K.F. and Pfefferbaum, R.L. (2008), “Community
Resilience as a Metaphor, Theory, Set of Capacities, and Strategy for Disaster Readiness”, American Journal of Community Psychology, Vol. 41 1-2, pp. 127–150.
Ogata, H., Yano, Y., Furugori, N. and Jin, Q. (2001), “Computer supported social networking for augmenting cooperation”, Computer Supported Cooperative Work (CSCW), Vol. 10 No. 2, pp. 189–209.
O'Reilly III, C.A. and Tushman, M.L. (2004), “The Ambidextrous Organization”, Harvard Business Review, Vol. 82, pp. 74–81.
Orton, J.D. and Weick, K.E. (1990), “Loosely Coupled Systems: A Reconceptualization”, The Academy of Management Review, Vol. 15 No. 2, pp. 203–223.
Ott, K. and Döring, R. (2008), Theorie und Praxis starker Nachhaltigkeit, Metropolis-Verl., Marburg. Paillier, P., “Public-Key Cryptosystems Based on Composite Degree Residuosity Classes”, pp. 223–238. Palin, P. (2012), “Homeland Security Watch » Resilience on the (Deepwater) Horizon?”, available at:
http://www.hlswatch.com/2010/06/11/resilience-on-the-deepwater-horizon/ (accessed 29 May 2012). Panzar, J.C. and Willig, R.D. (1981), “Economies of Scope”, The American Economic Review, Vol. 71
No. 2, pp. 268–272. Park, J., Seager, T.P., Rao, P. S. C., Convertino, M. and Linkov, I. (2013), “Integrating Risk and
Resilience Approaches to Catastrophe Management in Engineering Systems”, Risk Analysis, Vol. 33 No. 3, pp. 356–367.
Perelman, L.J. (2006), “Shifting Security Paradigms: Toward Resilience”, in The Critical Infrastructure Protection Program (Ed.), Critical Thinking: Moving from Security to, George Mason University, Arlington, VA, pp. 22–47.
Perrow, C. (1984), Normal accidents: Living with high-risk technologies, Basic Books, New York. Petersen, K.E. and Johannson, H. (2008), “Designing Resilient Critical Infrastructure Systems using Risk
and Vulnerability Analysis”, in Hollnagel, E., Nemeth, C.P. and Dekker, S. (Eds.), Resilience Engineering Perspectives 1. Remaining Sensitive to the Possibility of Failure, Ashgate, Aldershot, England, Burlington, VT, pp. 159–170.
Pettit, T.J., Fiksel, J. and Croxton, K.L. (2010), “Ensuring Supply Chain Resilience: Development Of A Conceptual Framework”, Journal of Business Logistics, Vol. 31 No. 1, pp. 1–21.
Pika, A., Aalst, W.M.P., Fidge, C.J., Hofstede, A.H.M. and Wynn, M.T. (2013), “Profiling Event Logs to Configure Risk Indicators for Process Delays”, in Hutchison, H. and et al. (Eds.), Advanced Information Systems Engineering, Lecture Notes in Computer Science, Vol. 7908, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 465–481.
Pimm, S.L. (1984), “The Complexity and Stability of Ecosystems”, Nature, Vol. 307 No. 5949, pp. 321–326.
Pineda-Henson, R., Culaba, A.B. and Mendoza, G.A. (2002), “Evaluating Environmental Performance of Pulp and Paper Manufacturing Using the Analytic Hierarchy Process and Life-Cycle Assessment”, Journal of Industrial Ecology, Vol. 6 No. 1, pp. 15–28.
Ponomarov, S.Y. and Holcomb, M.C. (2009), “Understanding the concept of supply chain resilience”, International Journal of Logistics Management, Vol. 20 No. 1, pp. 124–143.
Porter, M.E. (op. 1998), Competitive strategy, Free Press, New York, London, Toronto. Porter, M.E. and Reinhardt, F.L. (2007), “A Strategic Approach to Climate”, Harvard Business Review,
Vol. 85 No. 10, pp. 22–26.
Porter, M.E. and van der Linde, C. (1995a), “Green and Competitive: Ending the Stalemate”, Harvard Business Review, Vol. 73 No. 5, pp. 120–134.
Porter, M.E. and van der Linde, C. (1995b), “Toward a New Conception of the Environment-Competitiveness Relationship”, The Journal of Economic Perspectives, Vol. 9 No. 4, pp. 97–118.
Power, D.J. (2002), Decision support systems: Concepts and resources for managers, Quorum Books, Westport, Conn.
Power, D.J. (2008), “Decision Support Systems: A Historical Overview”, in Handbook on Decision Support Systems 1, International Handbooks Information System, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 121–140.
Powley, E.H. (2009), “Reclaiming resilience and safety: Resilience activation in the critical period of crisis”, Human Relations, Vol. 62 No. 9, pp. 1289–1326.
Pozewaunig, H., Eder, J. and Liebhart, W. (1997), “ePERT. extending Pert for workflow management system”, in ADBIS, pp. 217–224.
Prokein, O. (2008), IT-Risikomanagement: Identifikation, Quantifizierung und wirtschaftliche Steuerung, Gabler Edition Wissenschaft Markt- und Unternehmensentwicklung, 1. Aufl, Gabler, Wiesbaden.
Pruijt, H. (2000), “Repainting, modifying, smashing Taylorism”, Journal of Organizational Change Management, Vol. 13 No. 5, pp. 439–451.
Ramchandani, C. (1974), Aalysis of asynchronous concurrent system be timed petri nets: Technical Report, Massachusetts Institute of Technology, Cambridge, MA, USA.
Reap, J., Roman, F., Duncan, S. and Bras, B. (2008), “A survey of unresolved problems in life cycle assessment”, The International Journal of Life Cycle Assessment, Vol. 13 No. 5, pp. 374–388.
Reid, E.M. and Toffel, M.W. (2009), “Responding to public and private politics: corporate disclosure of climate change strategies”, Strategic Management Journal, Vol. 30 No. 11, pp. 1157–1178.
Reijers, H.A., Song, M. and van der Aalst, W.M.P. (2005), “Discovering Social Networks from Event Logs”, Computer Supported Cooperative Work (CSCW), Vol. 14 No. 6, pp. 549–593.
Reinmoeller, P. and van Baardwijk, N. (2005), “The Link Between Diversity and Resilience”, MIT Sloan Management Review, Vol. 46 No. 4, pp. 61–65.
Rice, J.B., JR and Caniato, F. (2003), “Building a secure and resilient supply network”, Supply Chain Management Review, Vol. 7 No. 5, pp. 22–30.
Richmond, B. (1997), “TheStrategic Forum: aligning objectives, strategy and process”, System Dynamics Review, Vol. 13 No. 2, pp. 131–148.
Rid, T. (2012), “Cyber War Will Not Take Place”, Journal of Strategic Studies, Vol. 35 No. 1, pp. 5–32. Riolli, L. and Savicki, V. (2003), “Information system organizational resilience”, Omega, Vol. 31 No. 3,
p. 227. Risk Response Network (2012), Global risks 2012, 7th ed., World Economic Forum, Cologny,
Switzerland. Roberts, K.H. (1990), “Some Characteristics of One Type of High Reliability Organization”,
Organization Science, Vol. 1 No. 2, pp. 160–176. Rogers, E.M. (2003), Diffusion of innovations, 5th ed., Free Press, New York. Rose, A. (2004), “Defining and measuring economic resilience to disasters”, Disaster Prevention and
Management, Vol. 13 No. 4, pp. 307–314. Rosenberg, N. (1982), Inside the black box: technology and economics. Runeson, P. and Höst, M. (2009), “Guidelines for conducting and reporting case study research in
software engineering”, Empirical Software Engineering, Vol. 14 No. 2, pp. 131–164. Salzmann, O., Ionescu-somers, A. and Steger, U. (2005), “The Business Case for Corporate
Sustainability: Literature Review and Research Options”, European Management Journal, Vol. 23 No. 1, pp. 27–36.
Samarati, P. and Sweeney, L. (1998), “Generalizing data to provide anonymity when disclosing information (Abstract)”, in 17th Proceedings of the ACM Symposium on Principles of Database Systems, Seattle, p. 188.
SAP (2011), “SAP Benchmarking - EMEA”, available at: http://benchmarking.sap.com/emea/ (accessed 28 April 2011).
Sarkis, J. (2003), “A strategic decision framework for green supply chain management”, Journal of Cleaner Production, Vol. 11 No. 4, pp. 397–409.
Sarkis, J. (2010), “Benchmarking the greening of business”, Benchmarking: An International Journal, Vol. 17 No. 3, pp. 421–434.
Sarkis, J. and Talluri, S. (2002), “A Model for Strategic Supplier Selection”, The Journal of Supply Chain Management, Vol. 38 No. 1, pp. 18–28.
Saunders, C., Wu, Y., Li, Y. and Weisfeld, S. (2004), “Interorganizational trust in B2B relationships”, in Proceedings of the 6th international conference on Electronic commerce, ACM, Delft, The Netherlands, pp. 272–279.
Schneider, F.B. (2000), “Enforceable security policies”, ACM Transactions on Information and System Security, Vol. 3 No. 1, pp. 30–50.
Schweitzer, F., Fagiolo, G., Sornette, D., Vega-Redondo, F., Vespignani, A. and White, D.R. (2009), “Economic Networks: The New Challenges”, Science, Vol. 325 No. 5939, pp. 422–425.
Scott, J. (1991), Social network analysis, Sage, Newbury Park, CA, Seager, T.P. (2008), “The sustainability spectrum and the sciences of sustainability”, Business Strategy
and the Environment, Vol. 17 No. 7, pp. 444–453. Seligman, M.E.P. (2011), “Building Resilience”, Harvard Business Review, Vol. 89 No. 4, pp. 100–106. Senge, P.M. (1997), The fith discipline, 1st ed., Doubleday, New York. Seo, D. and La Paz, Ariel I. (2008), “Exploring the dark side of IS in achieving organizational agility”,
Communications of the ACM, Vol. 51 No. 11, p. 136. Sharma, S. and Henriques, I. (2005), “Stakeholder influences on sustainability practices in the Canadian
forest products industry”, Strategic Management Journal, Vol. 26 No. 2, pp. 159–180. Shaw, S., Grant, D.B. and Mangan, J. (2010), “Developing environmental supply chain performance
measures”, Benchmarking: An International Journal, Vol. 17 No. 3, pp. 320–339. Sheffi, Y. (2007), “The Resilient Enterprise. Overcoming Vulnerability for Competitive Advantage”, MIT
Press Books. Simon, H.A. (1996), The sciences of the artificial, 3rd ed, MIT Press, Cambridge, Mass. Smit, B. and Wandel, J. (2006), “Adaptation, adaptive capacity and vulnerability”, Global Environmental
Change, Vol. 16 No. 3, pp. 282–292. Smith, D. and Fischbacher, M. (2009), “The changing nature of risk and risk management: The challenge
of borders, uncertainty and resilience”, Risk Management, Vol. 11 No. 1, pp. 1–12. Somers, S. (2009), “Measuring Resilience Potential: An Adaptive Strategy for Organizational Crisis
Planning”, Journal of Contingencies & Crisis Management, Vol. 17 No. 1, pp. 12–23. Spendolini, M. (1992), The benchmarking book, Amacom, New York. Staber, U. and Sydow, J. (2002), “Organizational Adaptive Capacity”, Journal of Management Inquiry,
Vol. 11 No. 4, pp. 408–424. Stephenson, A., Vargo, J. and Seville, E. (2010), “Measuring and Comparing Organisational Resilience in
Auckland”, Australian Journal of Emergency Management, Vol. 25 No. 2, pp. 27–32. Sterbenz, J.P.G., C, E.K., Hameed, M.A., Jabbar, A. and Rohrer, J.P. (2011), “Modelling and analysis of
network resilience”, Bangalore. Sterbenz, J.P.G., Hutchison, D., Çetinkaya, E.K., Jabbar, A., Rohrer, J.P., Schöller, M. and Smith, P.
(2010), “Resilience and Survivability in Communication Networks. Strategies, Principles, and Survey of Disciplines”, Computer Networks: Special Issue on Resilient and Survivable Networks (COMNET), Vol. 54 No. 8, pp. 1245–1265.
Stolker, R.J., Karydas, D.M. and Rouvroye, J.L. (2008), “A comprehensive approach to assess operational resilience”, in Proceedings of the third resilience engineering symposium, Antibes-Juan-les-Pins, France.
Strunz, S. (2012), “Is conceptual vagueness an asset? Arguments from philosophy of science applied to the concept of resilience”, Ecological Economics, Vol. 76, pp. 112–118.
Subashini, S. and Kavitha, V. (2011a), “A survey on security issues in service delivery models of cloud computing”, Journal of Network and Computer Applications, Vol. 34 No. 1, pp. 1–11.
Subashini, S. and Kavitha, V. (2011b), “A survey on security issues in service delivery models of cloud computing”, Journal of Network and Computer Applications, Vol. 34 No. 1, pp. 1–11.
Suddaby, R. (2010), “Editor's Comments. Construct Clarity in Theories of Management and Organization”, Academy of Management Review, Vol. 35 No. 3, pp. 346–357.
Suriadi, S., Weiss, B., Winkelmann, A., terHofstede, A., Wynn, M., Ouyang, C., Adams, M., Conforti, R., Fidge, C., La Rosa, M. and et al. (2012), Current research in risk-aware business process management - overview, comparison, and gap analysis, 50606, QUT ePrints.
Susarla, A., Barua, A. and Whinston, A.B. (2010), “Multitask Agency, Modular Architecture, and Task Disaggregation in SaaS”, Journal of Management Information Systems, Vol. 26 No. 4, pp. 87–118.
Sutcliffe, K.M. and Vogus, T. (2003), “Organizing for resilience”, in Cameron, K.S., Dutton, J.E. and Quinn, R.E. (Eds.), Positive Organizational Scholarship, Berrett-Koehler, San Francisco.
Sydow, J., Schreyögg, G. and Koch, J. (2009), “Organizational path dependence: opening the black box”, Academy of Management Review, Vol. 34 No. 4, pp. 689–709.
Taleb, N.N. (2008), The black swan: The impact of the highly improbable, Penguin, London. Tanriverdi, H., Rai, A. and Venkatraman, N. (2010), “Research Commentary - Reframing the Dominant
Quests of Information Systems Strategy Research for Complex Adaptive Business Systems”, Information Systems Research, Vol. 21 No. 4, pp. 822–834.
Teece, D. and Pisano, G. (1994), “The Dynamic Capabilities of Firms: an Introduction”, Industrial and Corporate Change, Vol. 3 No. 3, pp. 537–556.
The Critical Infrastructure Protection Program (Ed.) (2006), Critical Thinking: Moving from Security to, George Mason University, Arlington, VA.
Timmerman, P. (1981), Vulnerability, resilience and the collapse of society: A review of models and possible climatic applications, Toronto, Canada.
Tjaden, G.S. (1999), Business Process Structural Analysis. Tjoa, S., Jakoubi, S. and Quirchmayr, G., “Enhancing Business Impact Analysis and Risk Assessment
Applying a Risk-Aware Business Process Modeling and Simulation Methodology”, March 4th-7th, Barcelona Spain.
Travassos, G.H., Maldonado, J.C., Wohlin, C., Mendes, E., Berander, P. and Jönsson, P. (2006), “A goal question metric based approach for efficient measurement framework definition”, in Proceedings of the 2006 ACM/IEEE International Symposium on Empirical Engineering, New York, pp. 316–325.
Tsai, J., Jennhwa Yang, S. and Yao-Hsiung Chang (1995), “Timing constraint Petri nets and their application to schedulability analysis of real-time system specifications”, IEEE Transactions on Software Engineering, Vol. 21 No. 1, pp. 32–49.
Tukker, A. and Jansen, B. (2006), “Environmental Impacts of Products: A Detailed Review of Studies”, Journal of Industrial Ecology, Vol. 10 No. 3, pp. 159–182.
Välikangas, L. (2007), “Rigidity, exploratory patience, and the ecological resilience of organizations”, Scandinavian Journal of Management, Vol. 23 No. 2, pp. 206–213.
Välikangas, L. and Romme, A.G.L. (2013), “How to Design for Strategic Resilience. A Case Study in Retailing”, Journal of Organization Design, Vol. 2 No. 2, pp. 44–53.
van der Aalst, W.M.P. (2004), “Business process management: a personal view”, Business Process Management Journal, Vol. 10 No. 2, pp. 1–12.
van der Aalst, W.M.P. (2011), Process mining: Discovery, conformance and enhancement of business processes, Springer, Berlin [u.a.].
van der Aalst, W.M.P. and Weijters, A.J.M.M. (2004), “Process mining: a research agenda”, Process / Workflow Mining, Vol. 53 No. 3, pp. 231–244.
van der Aalst, W.M.P., Schonenberg, M.H. and Song, M. (2011), “Time prediction based on process mining”, Information Systems, Vol. 36 No. 2, pp. 450–475.
Vanderfeesten, I., Reijers, H.A. and van der Aalst, Wil M.P. (2008), “Evaluating workflow process designs using cohesion and coupling metrics”, Computers in Industry, Vol. 59 No. 5, pp. 420–437.
Varian, H., Farrell, J. and Shapiro, C. (2005), The economics of information technology: an introduction, Camebridge.
Venkatraman, N. and Camillus, J.C. (1984), “Exploring the Concept of "Fit" in Strategic Management”, Academy of Management Review, Vol. 9 No. 3, pp. 513–525.
Victor, B. and Blackburn, R.S. (1987), “Interdependence: An Alternative Conceptualization”, Academy of Management Review, Vol. 12 No. 3, pp. 486–498.
Visser, W., Matten, D., Pohl, M. and Tolhurst, N. (2007), The A to Z of corporate social responsibility a complete reference guide to concepts, codes and organizations, Wiley, Chichester (UK).
Vogus, T.J. and Sutcliffe, K.M. (2007), “Organizational resilience: Towards a theory and research agenda”, IEEE International Conference on Systems, Man and Cybernetics, pp. 3418–3422.
Vom Brocke, J. and Rosemann, M. (2010), Handbook on business process management 1: Introduction, methods and information systems, International handbooks on information systems, Springer, Berlin, London.
Walker, B., Carpenter, S., Anderies, J., Abel, N., Cumming, G., Janssen, M., Lebel, L., Norberg, J., Peterson, G.D. and Pritchard, R. (2002), “Resilience management in social-ecological systems: a working hypothesis for a participatory approach”, Conservation Ecology, Vol. 6 No. 1, p. 14.
Walker, B., Gunderson, L.H., Kinzig, A.P., Folke, C., Carpenter, S.R. and Schultz, L. (2006), “A Handful of Heuristics and Some Propositions for Understanding Resilience in Social-Ecological Systems”, Ecology and Society, Vol. 11 No. 1.
Walker, B., Holling, C.S., Carpenter, S.R. and Kinzig, A. (2004), “Resilience, adaptability and transformability in social--ecological systems”, Ecology and Society, Vol. 9 No. 2, p. 5.
Walker, B. and Salt, D. (2012), Resilience practice: Building capacity to absorb disturbance and maintain function, Island Press, Washington and London.
Walker, B.H. and Salt, D. (2006), Resilience thinking: Sustaining ecosystems and people in a changing world, Island Press, Washington, DC.
Wang, J.W., Gao, F. and Ip, W.H. (2010), “Measurement of resilience and its application to enterprise information systems”, Enterprise Information Systems, Vol. 4 No. 2, pp. 215–223.
Wang, Q. and Li, N. (2010), “Satisfiability and Resiliency in Workflow Authorization Systems”, ACM Trans. Inf. Syst. Secur., Vol. 13 No. 4, pp. 40:1‐40:35.
Wasserman, S. and Faust, K. (1994), Social network analysis: Methods and applications, Structural analysis in the social sciences, Vol. 8, Cambridge University Press, Cambridge, New York.
Wastell, D.G., McMaster, T. and Kawalek, P. (2006), “The rise of the phoenix: methodological innovation as a discourse of renewal”, Journal of Information Technology, Vol. 22 No. 1, pp. 59–68.
Watson, R.T., Boudreau, M.-C. and Chen, A.J. (2010), “Information Systems And Environmentally Sustainable Development: Energy Informatics and new Directions for the IS Community”, MIS Quarterly, Vol. 34 No. 1, pp. 23–38.
WEF (2013), Global risks 2013 - Insight Report, Vol. 8, 8th, World Economic Forum, Cologny/Geneva, Switzerland.
Weick, K.E. (1995), Sensemaking in organizations, Foundations for organizational science, Sage Publications, Thousand Oaks.
Weick, K.E. and Sutcliffe, K.M. (2001), Managing the unexpected: Assuring high performance in an age of complexity, 1st ed., Jossey-Bass, San Francisco.
Weick, K.E. and Sutcliffe, K.M. (2006), “Mindfulness and the Quality of Organizational Attention”, Organization Science, Vol. 17 No. 4, pp. 514–524.
Weick, K.E. and Sutcliffe, K.M. (2007), Managing the unexpected: Resilient performance in an age of uncertainty, 2nd ed., Jossey-Bass, San Francisco.
Weick, K.E., Sutcliffe, K.M. and Obstfeld, D. (2005), “Organizing and the Process of Sensemaking”, Organization Science, Vol. 16 No. 4, pp. 409–421.
Weidema, B.P., Thrane, M., Christensen, P., Schmidt, J. and Løkke, S. (2008), “Carbon Footprint”, Journal of Industrial Ecology, Vol. 12 No. 1, pp. 3–6.
Wernerfelt, B. (1984), “A resource-based view of the firm”, Strategic Management Journal, Vol. 5 No. 2, pp. 171–180.
Wiedmann, T.O., Lenzen, M. and Barrett, J.R. (2009), “Companies on the Scale”, Journal of Industrial Ecology, Vol. 13 No. 3, pp. 361–383.
Wildavsky, A.B. (1988), Searching for safety, Studies in social philosophy & policy, no. 10, Transaction Books, New Brunswick, USA.
Winkler, U., Gilani, W., Guitman, A. and Marshall, A. (2012), “Models and Methodology for Automated Business Continuity Analysis”, 17th IEEE International Conference on Engineering of Complex Computer Systems, July 18 - 20, Paris, pp. 57–64.
Wolfram, S. (1986), “How Can Complex Systems Be Used in Engineering? Approaches to Complexity Engineering”, Physica D: Nonlinear Phenomena, Vol. 22, pp. 385–399.
Wolstenholme, E.F. (1999), “Qualitative vs Quantitative Modeling: The Evolving Balance”, The Journal of the Operational Research Society, Vol. 50 No. 4, pp. 422–428.
Wolter, K. (2012), Resilience assessment and evaluation of computing systems, Springer, Berlin, London. Woods, D. (2006a), “Engineering Organizational Resilience to Enhance Safety. A Progress Report on the
Emerging Field of Resilience Engineering”, Proceedings of the Human Factors and Ergonomics Society Annual Meeting, Vol. 50, pp. 2237–2241.
Woods, D. (2006b), “Resilience and the Ability to Anticipate”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT.
Woods, D.D. (2006c), “Essential charactersistics of resilience”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT, pp. 21–35.
Wreathall (2006), “Properties of Resilient Organizations: An Initial View”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT, pp. 275–285.
Yao, A.C.-C. (1986), “How to generate and exchange secrets”, in Proceedings of the 27th IEEE symposium on foundations of computer science, pp. 162–167.
Yen, V.C. (2009), “An integrated model for business process measurement”, Business Process Management Journal, Vol. 15 No. 6, pp. 865–875.
Zahoransky, R., Koslowski, T.G. and Accorsi, R. (2014), “Resilience Assessment in Business Process Architectures”, in Bondavalli, A., Ceccarelli, A. and Ortmeier, F. (Eds.), SAFECOMP 2014 - 1st International Workshop on Reliability and Security Aspects for Critical Infrastructure Protection (ReSA4CI 2014), Firenze, Italy, 9th Sept, Springer, Berlin, New York, pp. accepted.
Zhang, W.J. and Lin, Y. (2010), “On the principle of design of resilient systems – application to enterprise information systems”, Enterprise Information Systems, Vol. 4 No. 2, pp. 99–110.
Zhou, P., Ang, B.W. and Poh, K.L. (2008), “A survey of data envelopment analysis in energy and environmental studies”, European Journal of Operational Research, Vol. 189 No. 1, pp. 1–18.
Zhu, F. (2010), “A study of Green Manufacturing in workshop Production scheduling system”, International conference on future information technology and management engineering (FITME), Vol. 1, pp. 28–30.
Zobel, C.W. (2011), “Representing perceived tradeoffs in defining disaster resilience”, Decision Support Systems, Vol. 50 No. 2, pp. 394–403.
Zobel, C.W. and Khansa, L. (2012), “Quantifying Cyberinfrastructure Resilience against Multi-Event Attacks”, Decision Sciences, Vol. 43 No. 4, pp. 687–710.
Zook, C. and Allen, J. (2010), Profit from the core: A return to growth in turbulent times, rev. ed, Harvard Business, Boston, Mass.