RESILIENCE MANAGEMENT INFORMATION SYSTEMS – ACHIEVING SUSTAINABILITY IN TURBULENT ENVIRONMENTS

Inaugural dissertation for the attainment of the doctoral degree of the Wirtschafts- und Verhaltenswissenschaftliche Fakultät at the Albert-Ludwigs-Universität Freiburg i. Br.

Submitted by Diplom-Kaufmann Thomas Günther Koslowski, born in Bruchsal

Summer semester 2014


Print date: 29.09.2014

Albert-Ludwigs-Universität Freiburg im Breisgau

Wirtschafts- und Verhaltenswissenschaftliche Fakultät

Kollegiengebäude II

Platz der Alten Synagoge

Dean: Prof. Dr. Dieter K. Tscheulin

First reviewer: Prof. Dr. Dr. h.c. Günter Müller

Second reviewer: Prof. Dr. Dieter K. Tscheulin

Date of the doctoral committee: 23.09.2014

To Charlotte and Alma Clara, my wonderful girls.

To my family and all my friends who have been my greatest support over the years. I am grateful to have the opportunity to learn from you.

Acknowledgment

"Seht, liebe Kinder, was wäre ich denn, wenn ich nicht immer mit klugen Leuten umgegangen wäre und von ihnen gelernt hätte? Nicht aus Büchern, sondern durch lebendigen Ideenaustausch, durch heitere Geselligkeit müßt ihr lernen." [1]

Johann Wolfgang Goethe – Letter to Julie von Egloffstein.

This dissertation would not have been possible in its present form without the continuous support and patience of many people [2]. It is to them that I owe my deepest gratitude.

First and foremost, I would like to express my sincere gratitude to my advisor Prof. Dr. Dr. h.c. Günter Müller for his mentorship and professional advice. I am very thankful for the time he invested in me notwithstanding his many other academic and professional commitments. His wisdom and commitment to the highest standards have always been an inspiration and motivation to me. Allied to my supervisor, my sincere thanks also go to Prof. Patricia H. Longstaff, for offering me the scholarship opportunity at Newhouse School of Public Communications. I am much obliged for her wisdom, humor, and her constant belief in me. I am also grateful to Dres. Stefan Fenz, Florian Kerschbaum, and Will Geoghegan for their productive and stimulating collaboration on some parts of this underlying thesis.

I would also like to mention my colleagues and friends in Freiburg: primarily, I want to thank Dr. Rafael Accorsi and Prof. Dr. Jens Strüker for their encouragement and the invaluable discussions. Their guidance helped me through the research and writing of this thesis. I would like to express my sincere gratitude to my fellow colleagues Arnt, Christian, Thomas, Julius, Marco, Jonas, and Maria for their loyalty and continuous support along all stages of my dissertation. In particular, I would like to thank Christian and Richard, for all the busy days we worked together before deadlines, and for all the fun we have had in the last years, inside and outside the office. To sum up, I could not have imagined having better colleagues for my Ph.D. study.

Last but by no means least, my biggest gratitude goes to my family, who have supported me throughout my life. I wish to thank my parents, who were my first teachers and my inspiration to continue to learn. To my wife Charlotte, and my daughter Alma Clara, who taught me about love. They all have always been my safety net on which I was able to develop and experiment without the fear of failing. I wish to hopefully show you with this thesis that all the efforts undertaken have led to a fruitful endeavor.

[1] “Look, dear children, what would I be if I were not always surrounded with wise people and learned from them? One must learn not from books, but through the vital exchange of ideas, by cheerful conviviality.”

[2] I would like to gratefully acknowledge the financial support from sdw - Stiftung der Deutschen Wirtschaft (Foundation of German Business) and Wissenschaftliche Gesellschaft (Scientific Society) Freiburg.

Table of Contents

List of Figures
List of Tables
Abbreviations
1 Managing turbulent enterprise environments
  1.1 Resilience Management Information Systems
  1.2 Research questions and objectives
  1.3 Outline
  1.4 Contributions
    1.4.1 Multidisciplinary Resilience Framework
    1.4.2 Organizational Resilience Framework
    1.4.3 Information Systems and Resilience
    1.4.4 Process-Centered Resilience Detection
    1.4.5 Secure Sustainability Benchmarking Service
  1.5 Related and unrelated publications
2 Theoretical and Conceptual Foundations
  2.1 Resilience – a fresh perspective for sustainability
    2.1.1 VUCA environments
    2.1.2 Resilience and sustainability
  2.2 Essential semantics of resilience
    2.2.1 Walk in the definitional thicket
    2.2.2 Multidisciplinary Resilience Framework
    2.2.3 Application of the framework and conclusion
3 Organizational Resilience
  3.1 A review and reconceptualization
    3.1.1 Descriptive analysis
    3.1.2 Critical analysis
    3.1.3 Resilience elements and organizational capabilities
  3.2 Framing organizational resilience types
    3.2.1 The underlying puzzle
    3.2.2 Organizational resilience dimensions
    3.2.3 Organizational Resilience Framework
    3.2.4 Discussion and conclusion
4 Resilience Management and Information Systems
  4.1 From risk management to resilience management
    4.1.1 Risk concept
    4.1.2 Protection goal
    4.1.3 Management and design
  4.2 IT-induced sources of stress and disruption
  4.3 IS management fundamentals
    4.3.1 ERP and WFMS
    4.3.2 IS risk management
    4.3.3 Limitations of IS risk management
  4.4 Resilience and IS research
    4.4.1 Status quo and shortcomings
    4.4.2 Implications for IS research
5 Process-centered Resilience Management
  5.1 Resilient BPM
  5.2 Research context and design
    5.2.1 Status quo and shortcomings
    5.2.2 Research questions and objectives
  5.3 PREDEC framework
    5.3.1 Event logs and elicitation techniques
    5.3.2 Resilience Measures
    5.3.3 Analysis techniques
  5.4 Design and implementation
    5.4.1 Review of temporal aspects of workflows
    5.4.2 Methodology and research design
    5.4.3 Case study
    5.4.4 Evaluation and discussion
  5.5 Concluding remarks
6 Secure Sustainability Benchmarking Service
  6.1 Sustainability quest for enterprises
    6.1.1 Sustainability performance management systems
    6.1.2 IT-based SBM
  6.2 Integration into an ERP on-demand platform
    6.2.1 ERP as a platform
    6.2.2 Literature on ERP on-demand
  6.3 System dynamics model
    6.3.1 Methodology
    6.3.2 Model development and analysis
    6.3.3 Discussion
  6.4 Towards a confidential SBS
    6.4.1 Research design
    6.4.2 Automated data gathering
    6.4.3 Tackling the data heterogeneity and quality problem
    6.4.4 Unsolved information-sharing problem
  6.5 Design of a confidential SBS
    6.5.1 Benchmarking types
    6.5.2 Security objectives
    6.5.3 Implementation
  6.6 Analysis and evaluation
  6.7 Discussion
  6.8 Concluding remarks
7 Outlook and Conclusion
  7.1 Summary and main results
  7.2 Implications for future research
References

List of Figures

Figure 1: Thesis Outline
Figure 2: Overview of developed IS artifacts
Figure 3: Changing Nature of Change
Figure 4: Resilience, Sustainability, and Security
Figure 5: Resilience Publications (1996-2013)
Figure 6: Ball and Cup-Model
Figure 7: Multidisciplinary Resilience Framework
Figure 8: Publications on Organizational Resilience (1993-2012)
Figure 9: Organizational Resilience Research Methods
Figure 10: Organizational Resilience Model Development
Figure 11: Type of Empiricism Employed
Figure 12: Multi-Disciplinary Background
Figure 13: Business Sub-Disciplinary Perspective
Figure 14: Factors in Organizational Resilience Papers
Figure 15: Level of Analysis Employed
Figure 16: Resilience Elements and Organizational Capabilities
Figure 17: Normal Accident Theory
Figure 18: Typology of Organizational Surprises
Figure 19: Three Types of Change and Resilience
Figure 20: Organizational Resilience Framework
Figure 21: The Resilience Delta
Figure 22: Traditional Risk Management Instruments
Figure 23: Risk Elements and Management Implications
Figure 24: Safety by constraints
Figure 25: Safety by Management
Figure 26: Four cornerstones of Resilience Engineering
Figure 27: IT-induced sources of stress and disruption
Figure 28: WFMS and ERP systems
Figure 29: FORISK Modules
Figure 30: Foundations of IS Resilience
Figure 31: Operational Resilience Management System
Figure 32: Resilience Management Cycle
Figure 33: BPM Life Cycle
Figure 34: Relation between Operational Risks and BPM
Figure 35: Overview of the PREDEC framework
Figure 36: Log entry structure
Figure 37: Resilience Measurement Framework
Figure 38: Example Loan Application Process
Figure 39: Calculation for the quality of the given Workflow
Figure 40: Example Workflow
Figure 41: PDF calculation of the example workflow
Figure 42: Cumulative calculation of the example workflow
Figure 43: Simulation results
Figure 44: Feedback Loops
Figure 45: Automating the Data Gathering Process
Figure 46: SBS system architecture

List of Tables

Table 1: Definitions of key terms
Table 2: Related and unrelated publications
Table 3: Definitions with Low Complexity, Low Normativity
Table 4: Definitions with High Complexity, Low Normativity
Table 5: Definitions with Low Complexity, High Normativity
Table 6: Definitions with Low Complexity, High Normativity
Table 7: From Protection to Resilience
Table 8: WFMS vs. ERP Systems
Table 9: Overview of existing Measurement Attempts
Table 10: Examples of (BPM) Resilience Measures
Table 11: Time behavior of each single activity in the example workflow
Table 12: Results of the literature review on “SaaS”
Table 13: Data Collected and Indicators for SBM
Table 14: Features and Benefits of SBS
Table 15: Performance results in seconds

Abbreviations

ARIS Architektur integrierter Informationssysteme

BPM Business Process Management

CIO Chief Information Officer

COO Chief Operations Officer

CSR Corporate Social Responsibility

CDF Cumulative Distribution Functions

DSS Decision-Support System

ERP Enterprise Resource Planning

FORISK Formalizing Information Security Risk & Compliance

HRO High Reliable Organization

ICT Information and Communication Technology

IS Information System

ISO International Organization for Standardization

IT Information Technology

KPI Key Performance Indicator

MIS Management Information System

NAT Normal Accident Theory

NIST National Institute of Standards and Technology

ORM Operational Resilience Management


PaaS Platform-as-a-Service

PDF Probability Distribution Functions

PM Process Mining

PRI Process Risk Indicators

PREDEC Process-Centered Resilience Detection

RMIS Resilience Management Information System

RQ Research Question

SaaS Software-as-a-Service

SBM Sustainability Benchmarking

SBS Secure Sustainability Benchmarking Service

SCM Supply-Chain-Management

SNA Social network analysis

VUCA Volatile, Uncertain, Complex and Ambiguous

WFMS Workflow Management Systems


1 Managing turbulent enterprise environments

Organizations around the globe have increasingly adopted sustainability goals by recognizing not only long-lasting economic performance, but also environmental protection and social responsibility. The pursuit of sustainability concerns not only the reduction of negative externalities and the commitment to obligations toward intra- and intergenerational justice. In turbulent environments, where organizations face too many and too frequent unanticipated shocks, sustainability further addresses the survival and persistence of organizations themselves (Seager, 2008; WEF, 2013). Recent studies show that the survival rate of businesses remains low, as 50-70 percent of all start-ups disband within five years and more than 80 percent of corporate enterprises do not survive more than a decade (Hollnagel, 2011; Geus, 1997; Zook and Allen, 2010). Although much progress has been made in the organizational ‘sustainability’ discourse, particularly on resource-efficiency improvements (Walker and Salt, 2006; Porter and van der Linde, 1995b), a remaining limitation concerns the relationship between risks, uncertainty and sustainability, which has received surprisingly little attention thus far (Krysiak, 2009). Moreover, conventional approaches to risk management addressing a wide set of organizational risks still attempt to predict events by emphasizing an a priori evaluation of risks in probabilistic and consequential terms (Smith and Fischbacher, 2009). However, the complexity and exponential pace of change in business call for better understanding and mechanisms for navigating through turbulent environments, as exemplified by organizational responses to climate change: “More and more companies believe that they must learn to adapt to the unavoidable consequences of climate change, rather than prevent it. […] such strategy […] is attempting to manage the consequences, not causes of climate change” (McCann and Selsky, 2012, p. 5).

Besides ecological risks such as the consequences of climate change, organizational efforts to achieve sustainability are jeopardized by manifold man-made sources of turbulence and uncertainty: modern societies operate in an increasingly complex and turbulent world marked by interconnection and interdependence across global networks (Boin and McConell, 2007; McCann and Selsky, 2012). Information Technologies (IT) have an ambivalent effect on the performability of organizations and their critical infrastructures, illustrating the tension between opportunities for sustainable business practices and the cost of increasing turbulence. On the one hand, these platforms for innovation and economic growth are supposed to coordinate and distribute information more efficiently and have positive impacts on the functionality and sustainability of infrastructures and institutions. In the field of environmental sustainability, this is possible for instance through de-carbonization, rationalization, as well as data gathering and provision in real-time (Elliot, 2011; Koslowski and Strüker, 2011). On the other hand, the increasing IT-enabled interconnectedness and interdependence is leading to the emergence of unintended, unpredictable safety, reliability and security problems (Hollnagel et al., 2006; Müller et al., 2011; Tanriverdi et al., 2010).

As a consequence, organizations and their underlying socio-technological infrastructures are prone to system breakdowns in the face of new and future threats such as terrorism, pandemic potential, energy volatility, and climate (Risk Response Network, 2012; WEF, 2013). While such failures and breakdowns have proven relatively rare, the consequences of failures within an interconnected world can cause serious problems beyond the geographical and functional borders of organizations (Boin and McConell, 2007; WEF, 2013).

Today, most decision makers, whether public administrators or private organizations, have come to understand that the protection of information systems (IS) as backbones of multiple infrastructures is of high priority. But the expanding landscape of emerging risks illustrates the borderless and unpredictable nature of risk and uncovers the limits of traditional risk management practices and theories. In highly interconnected systems, new emerging risks or new surprises lack a priori indication of occurrence, they exhibit the potential to “cascade” through systems at different speeds, and the relation between their origin, evolution and final consequence is frequently ill-understood (e.g. Hollnagel et al., 2006; McCann and Selsky, 2012; Smith and Fischbacher, 2009). But just because some systems are complex and turbulent does not mean they are unmanageable or impossible to govern. Managing them, though, requires different methods and rests on other assumptions than those predominant in classical risk and security management. Where we had often come to expect predictability and consistency, we now must accept the necessity of dealing with the consequences of uncertainty (Grote, 2009; McCann and Selsky, 2012; Milliken, 1987).

Against this background, decision makers at different levels are forced to consider how to respond to different kinds of emerging risks with regard to sustainability [3] in a more holistic manner (Levin, 1998; Walker and Salt, 2006). The concept of resilience is gaining ground as a denominator to move beyond survival and even prosper in the face of challenging conditions (Hamel and Välikangas, 2003; Hollnagel et al., 2006; Kahan et al., 2009; Longstaff et al., 2013). A recent article [4] briefly summarized the differences between resilience and sustainability: "Where sustainability aims to put the world back into balance, resilience looks for ways to manage in an imbalanced world." Resilience has been a prominent topic in various scientific fields but also on the agenda of public and private institutions, recognizing the complex and uncertain nature of social systems.

[3] According to Krysiak (2009, p. 483-484), any definition of sustainability has to consider the future but uncertain consequences of present actions in order to limit the probability that a future generation is harmed.

[4] Andrew Zolli (2012) “Learning to Bounce Back”, New York Times, November 2, 2012.

1.1 Resilience Management Information Systems

Resilience is basically an emergent property associated with an organization's capacity to pursue its goals despite disruption through mindfulness (Weick and Sutcliffe, 2007), resourceful agility, elastic infrastructures and recoverability (e.g. Caralli et al., 2010; Hollnagel et al., 2006). Hence, resilience is a combination of technical design features, such as fault-tolerance and dependability (Avizienis et al., 2004), with organizational features, such as mindfulness, training and decentralized decision making (Antunes and Mourão, 2011; Weick and Sutcliffe, 2007), and is therefore a topic that fits IS research and practice perfectly.

Presently, decision makers are already equipped with a broad set of tools and models to enhance organizational resilience and sustainability. However, there is an ongoing demand for more powerful systems to address sustainability and operational risks by means of quick information provision and automated decision support. Apparently, IS can significantly contribute to environmental sustainability (often called “Green IS”; Melville, 2010, p. 3; Müller et al., 2011) but also to organizational risk and resilience management (Caralli et al., 2010; Zobel and Khansa, 2012). Apart from increased data quantity and quality, shorter reaction times also constitute an essential benefit of information systems for sustainability management (Koslowski and Strüker, 2011) as well as conventional risk management (Ekelhart and Neubauer, 2011) in comparison with manual data capturing and analysis. Although IS architectures such as Enterprise Resource Planning (ERP) and Business Process Management (BPM) systems for integrated management support have existed for decades, most organizations address security/risk management, business continuity and sustainability, as well as IT operations in silos, with little integration and communication (Caralli et al., 2010, p. 17).

Nowadays, many organizations are realizing that these activities are

complementary and collaborative functions having the same goal, namely to

enhance organizational resilience and sustainability (Caralli et al., 2010, p. 17;

Seager, 2008). Corresponding to the increasing attention to more holistic

responses to different kinds of emerging risks with regard to sustainability, an

integrated approach, subsequently termed as “resilience management”, is expected

as a potential panacea to achieve organizational sustainability in turbulent

environments (Lewin, 1998; Park et al., 2013; Seager, 2008). In line with

researchers of the Software Engineering Institute at Carnegie Mellon University5,

resilience management defines “the processes by which an organization designs,

5 http://www.sei.cmu.edu/


develops, implements, manages, and improves strategies for protecting and

sustaining high-value services and associated assets such as people, information,

technology, and facilities” (Caralli et al., 2010, p. 19).

This definition already signals the crucial role of IT and IS for organizational

resilience and sustainability: as the pervasiveness of IT provides a myriad of

opportunities and productivity improvements, IT also increases complexity and

interdependences of organizational services and assets (Butler and Gray, 2006;

Caralli et al., 2010). As a consequence, managing complexity and uncertainty is

imperative for modern organizations to ensure resilient operation and to protect

the transmitted and stored data (Butler and Gray, 2006). Thus, there is a pressing

need for an integration of organizational and technological views, as well as the

integration of related, but usually disjointed activities of IS security, business

continuity and IT operations (Allen et al., 2011; Caralli et al., 2010). Accordingly,

this dissertation introduces Resilience Management Information Systems (RMIS)

as a novel approach for the IT-enabled support of all phases along the resilience

management cycle at the level of processes (Accorsi and Stocker, 2012).

In contrast to traditional risk and security management approaches that

usually attempt to assess operational risks based on (either subjective or

historical) threat probabilities (focus on the cause of events), operational resilience

management focuses on realized risks and their consequences (Caralli et al.,

2010). The proposed resilience management cycle thus begins with (i) Detection

in order to identify failures, potential weaknesses and exceptional process

executions. (ii) The purpose of Diagnosis and Evaluation is to collect and assess

vulnerabilities, and consequently to determine a set of intervention types. (iii) The

next stage covers Treatment and Recovery, including the actual selection and

implementation of supportive actions and automatic corrections. (iv) Finally, the

phase of Escalation and Institutionalization guarantees enrichment or revision of

the current knowledge base, and aims to establish and facilitate an organization-

wide resilience culture.

However, since safety and security standards and reliable IT operations are a

complex range of requirements to which decision makers have to respond,


organizations are increasingly forced to rethink how they address the security and

resilience of their business processes. In the following, RMIS can be understood

as an arsenal of interrelated components that collect, process, store, and distribute

information to support resilience management in an organization. In detail, RMIS

coordinate and orchestrate the activities along the resilience management cycle.

RMIS ideally empower firms to automatically detect abnormal system behaviors,

provide quickly filtered information to operators, and consequently enable an

automated decision-making process.

The following table captures a set of key terms used in this dissertation.

Table 1: Definitions of key terms

| Term | Definition | Source |
|---|---|---|
| Sustainability | the capacity of sth. to endure; linked to the simultaneous recognition of (mostly three) sustainability dimensions (economic, environmental and social) | adapted from Visser 2007 |
| Sustainable Development | development that meets the needs of the present without compromising the ability of future generations to meet their own needs. | Visser 2007 |
| Resilience | “the capacity of a system to absorb disturbance, undergo change, and retain the same essential functions, structure, identity, and feedbacks.” | Gundersson/Holling 2002 |
| Turbulent Environments | evolves from the mixture of a hostile, heterogeneous, and dynamic environment that create uncertainty and unpredictability. | adapted from Calantone et al. 2003 |
| Operational Resilience | associated with an organization’s capacity to continue its mission despite disruption through mindfulness, resourceful agility and recoverability | Caralli et al. 2010 |
| Operational Resilience Management (ORM) | the process by which an organization designs, implements, and manages the operational resilience of related business processes, and associated assets. | Caralli et al. 2010 |
| Resilience Management Information Systems (RMIS) | a complex set of interrelated components (technology, people…) that collect, process, store, and distribute information to support the Operational Resilience Management. | own definition |

1.2 Research questions and objectives

The overall objective of the dissertation is to galvanize IS research and research in

sustainable business on organizational resilience. Therefore, the dissertation

provides a “resilience perspective” as a complementary approach to sustainability


management that explicitly recognizes the unpredictable and turbulent business

reality. Despite the wide spread of resilience across multiple disciplines, a number

of open research issues remain. These encompass conceptual and definitional

vagueness of resilience, a lack of empirical research and a lack of applicable

(organizational) solutions and IS-artifacts to bring resilience into action.

Accordingly, the following section introduces a research agenda on resilience and

resilience management comprising five research questions spanning conceptual

perspectives, research methods and prototypical implementations of resilience and

sustainability supporting IS6.

The first research gap refers to the conceptual vagueness of resilience and

organizational/IS resilience in particular. Researchers in different disciplines have

struggled with the concept of resilience in their respective fields for decades.

Against the background of manifold conceptual usage across multiple fields, it is

not surprising that extant resilience research is surrounded by diversity and

ambiguity of definitions, scope conditions, antecedents and outcomes. Is

resilience a metaphor, a capability, a strategy, a goal, a measure or a behavior?

Although an elastic notion of resilience may facilitate communication across

disciplines (or even divergent lines of research within a discipline), a trade-off

may exist due to terminological confusion that may hinder operationalization and

lead to unclear or even contradicting evaluations of results.

A definition that is too broad could hinder empirical research results and even

cause some to question the relevance of the concept (Suddaby, 2010). Thus, as

stated by Suddaby, a clear construct might not only facilitate communication

between scholars, it also “enhances researchers' ability to empirically explore the

phenomena” and further to enhance research creativity by “allowing managers to

redefine problems in ways that are more amenable to resolution”. As a

consequence, a deeper investigation and development of a widely accepted

definition and specification of (IS) resilience is crucial for both theory

6This chapter entails revised parts of the conference papers Müller et al. (2013) and Koslowski (2013).


development as well as further empirical analysis and artifact developments. This

raises the following research questions (RQ):

RQ1: How does resilience manifest itself across multiple disciplines?

The lack of construct clarity also impedes empirical exploration of organizational

resilience. In their review of organizational resilience, Bhamra et al. (2011)

highlight that “there appears to be a strong focus around building theories and

definitions of resilience. However, the literature is lacking in empirically proving

the theories.” Vogus and Sutcliffe (2007) further posit that “given the dearth of

empirical work exploring resilience in organization theory, many (if not all)

avenues are open for future research in resilience”. Depending on the underlying

theoretical assumptions, the nature of resilience will change. For example,

Colbert (2004) highlights changing implications for strategic human resource

management due to a complex theory perspective of the resource-based view.

Also, Boisot and McKelvey (2011) exemplify the fundamental

re-evaluation of organizational effectiveness based on the network-structure of the

organizational system. Applying either a stable perspective marked by linearity

and predictability or emphasizing turbulence and emergence has strong

implications for the analysis of system behaviors and structures and therefore

substantially modifies the required variety to adapt and survive (both widely

described as related concepts of resilience).

Thus, scholars should aim to untangle the underlying puzzle of organizational

resilience and its related concepts, for instance vulnerability and adaptability by

recognizing underlying assumptions about stability and normativity (Mamouni

Limnios et al., 2014; Tanriverdi et al., 2010). Furthermore, this requires

acknowledging different levels of abstraction (ranging from vague principles to less

abstract policies, practices and outcomes) of resilience as well as the contextual

scope of different levels of analysis (Colbert, 2004; Koslowski et al., 2013a). This

research challenge leads to the following research questions:

RQ2: How does resilience relate to other organizational factors? More precisely,

what are determinants and antecedents of organizational resilience?


The aforementioned trade-off between the potential of complex perspectives to

enrich and question simpler assumptions at the expense of academic rigor and a

wide repertoire of quantitative statistics is already acknowledged in organization

science, e.g. (Boisot and McKelvey, 2011), as well as IS research (Tanriverdi et

al., 2010). A similar problem is to be expected when operationalizing and

measuring organizational resilience. For example, a simple conception of

resilience (as bounce back) may be well served in the more stable “Gaussian

worlds” but may bring limits to a more complex or “Paretian world” (Boisot and

McKelvey, 2011). While in particular technical indicators for the earlier resilience

types are already established, e.g. by (Zobel and Khansa, 2012), the development

of more complex indicators and modeling techniques still remains at a formative

stage (Meyer, 2013). Along with measurement issues, new method-sets from other

disciplines such as computer science and information systems may enable new

streams of resilience research in an organizational context. Future efforts may

increasingly include simulation modeling and empirical validation of resilience

and its interaction with related constructs (Meyer, 2013).

We can expect that the incorporation of resilience as an important system feature

will change the organizational object function and therefore lead to a

re-evaluation and extension of organizational effectiveness. Evaluating effectiveness

involves transforming managerial decisions into action and measuring the

performance of that action.

Performance measurement requires a systematic and deep analysis of business

objects, which includes not only a re-structuring of processes but also the

development of innovations in the light of resilience (Allen et al., 2011) and

sustainability issues (Sharma and Henriques, 2005, p. 160; Koslowski and

Strüker, 2011). Hence, both researchers and practitioners need to derive a set of

meaningful indicators of organizational resilience on both operational and

strategic levels. As resilience is contextualized given a specific challenge, it is

crucial to identify factors that are believed to enhance IS resilience, such as

margin tolerance, buffering capacity and flexibility. Depending on the specific

purpose, the expressive indicators might be either quantitative or qualitative and


claim to determine the gap between the expected and current status of the relevant

business unit (Allen et al., 2011; Somers, 2009). This leads to the following

question:

RQ3: How can resilience be translated to the principles and measurements of

organizations and IS?

The foundations of IS resilience derived in Chapters 3 and 4 will also have a

variety of implications for the design of IS. Recent studies on resilience

management emphasize the integration of organizational and technological views,

as well as the integration of related, but usually disjoint activities of IS security,

business continuity and IT operations (Allen et al., 2011; Caralli et al., 2010).

As a central aspect of modern IS, Business Process Management (BPM) has

attracted considerable attention in recent years, both in academia and practice

(Houy et al., 2011). The rationale to investigate resilience in the context of BPM

arises from the fact that business processes link the different levels of

management and information systems infrastructures by automating or at least

digitalizing the execution of flexible business processes. By decoupling IT from

core organizational competencies, business processes can be thus seen as enablers

of change. Therefore, improvements of business processes can lead to

improvements of both the management and the underlying IS. Business process

models are virtual representations of an enterprise’s core activities, which include

organizational assets (such as people, information, and technology) connected to

multiple tasks and activities. Existing approaches of BPM mainly assume stable,

predictable and isolated process types. This is sometimes in contrast to the

business reality, as large organizations often have hundreds or more processes in

place, and increasingly invest in the new opportunities of ubiquitous computing

and “big data” (McAfee and Brynjolfsson, 2012). Against this backdrop, more

complex modeling and exploratory analytical techniques such as Process Mining

(Accorsi and Stocker, 2012; van der Aalst and Weijters, 2004) seem promising

developments for identifying and designing business processes more resiliently.


Recent frameworks for resilient BPM such as that of Antunes and Mourão (2011) tend

to state very abstract implementation suggestions. For example, Antunes and

Mourão (2011) and Caralli et al. (2010) provide a set of fundamental

requirements for supporting resilient BPM. While these works capture basic

requirements for resilient IS design, they lack empirical validation, concrete

implementation guidelines, as well as artifacts to support the implementation of

resilience in IS. Thus, concrete measures are mostly missing, leading to inefficient

or even misleading resilience strategies. Effective and cost-efficient tools that

could be used for the (semi-)automated detection of BPM resilience are missing.

Furthermore, existing methods provide decision makers with limited intuitive

support-tools at high personnel costs and, thus, fail to assist them in enhancing

and maintaining resilience of BPM.

Up to now, there are techniques and formal foundations that can, when assembled,

provide for resilience mechanisms at the level of BPM. However, the current

state of the art does not offer corresponding mechanisms. Similarly, vendors of BPM

systems and workflow management systems have not yet focused their solutions

on resilience. These gaps lead to the following questions:

RQ4: What are fundamental requirements for resilient BPM design? And what

tools and approaches are applicable to support and enhance IS (respectively

BPM) resilience?

Both sustainability management and resilience management have evolved

over the years by expanding from a solely internal to an external,

inter-organizational perspective. For instance, by establishing methods like Life Cycle

Assessment (LCA) (Reap et al., 2008) or Carbon Footprint, a more systematic and

comprehensive coverage of environmental impacts is increasingly gaining attention.

The basic idea is that environmental impacts are always assigned to the segment

that caused them. This so-called cradle-to-grave principle means to assess

environmental impacts associated with all the stages of a product's life cycle (i.e.

from raw material extraction through manufacturing to disposal or recycling).

Thus, the scope of environmental sustainability is far beyond a single organization

and requires a systematic understanding of an organization’s interconnected value


net (Watson et al., 2010). Due to the growing interconnectedness and

interdependency of organizations, this assumption also holds for resilience

considerations (e.g. Fiksel, 2003). Hence, inter-organizational collaboration and

networking are seen as crucial enablers for achieving organizational resilience

(e.g. McCann and Selsky, 2012; Weick and Sutcliffe, 2007; Longstaff et al.,

2010).

Although a multitude of benefits are associated with cross-organizational

collaboration in the context of sustainability (e.g. Matthews and Lave, 2003;

Sarkis, 2010) and resilience (e.g. Stephenson et al., 2010; Wolter, 2012),

organizations still face two major obstacles to taking full advantage of such

cross-functional comparisons: first, the heterogeneity of the data requires significant

pre-processing, and, second, the sensitivity of the data makes enterprises

reluctant to share this data. Interestingly, research on inter-organizational systems

shows how reserved and cautious enterprises are still today when it comes to the

exchange of sensitive data (Kerschbaum et al., 2011). Ideally, in order to track

inter-organizational data in a reasonable granularity and precision for holistic

sustainability assessments, a collaborative exchange of sensitive data like

environmental impacts and sustainability indicators will be necessary (Elliot,

2011). For this purpose, the thesis further provides a second IS artifact, namely a

secure sustainability benchmarking service (SBS) to overcome the information-

sharing problem. Such an automated, collaborative data exchange is

addressed by the fifth research question:

RQ5a: What is the economic rationale for organizations to participate in

sustainability benchmarking?

RQ5b: What are functional and security objectives to make confidential

information-exchange feasible?


1.3 Outline

According to the research questions above, each of the following chapters focuses

on different aspects of organizational resilience and sustainability at the

intersection of organization science, information systems, and computer science.

Nonetheless, all chapters address the topic of this thesis: Information systems for

organizational resilience and sustainability management. However, there has been a

controversial discussion for years over the direction of IS research

(Hevner et al., 2004; Müller, 2009; Simon, 1996). Whereas the Anglo-American

community is dominated by a behavioral science perspective seeking to explore

implications of IT for individuals, organizations and society, the design-science

oriented perspective of IS research (predominant in German-speaking countries)

is marked by creating and evaluating IT-artifacts7 with respect to their utilization

for IS (Bichler, 2006). A simplified distinction is given by Hevner et al. (2004)

who state that “The behavioral-science paradigm relies on truth, the discovery of

truth. In contrast, the design-science paradigm seeks to create what is effective”.

Consequently, in order to address the different research problems, a pluralistic

research approach with different methodological orientations is chosen (Frank,

2006).

Figure 2 depicts the outline of the thesis and further indicates the relationships

between the various chapters, namely theoretical and conceptual foundations

(Chapters 2–4) as well as the design and evaluation of IS artifacts (Chapters 5 & 6).

7 An overview of the IT-artifacts is depicted in Figure 3.


Figure 1: Thesis Outline

Chapter 2 explores conceptual foundations and historical development of

resilience across disparate research disciplines and fields of application. For this,

it first elaborates the differences and commonalities of resilience and

sustainability, and their mutual relationship (Section 2.1). Subsequently, a

framework is introduced to specify different resilience types according to underlying

assumptions about a system’s complexity and normativity (Section 2.2).

Chapter 3 substantiates several claims with related work: First, the claim that

resilience is still theoretically undeveloped in organizational literature. Therefore,


a descriptive bibliographic analysis has been applied to identify the current state

of the art of resilience research in organization science (Section 3.1). Second, the

chapter shows that current research on organizational resilience lacks concrete

guidelines for designing and implementing resilience in organizations. Moreover,

the chapter provides an overview of four types of organizational resilience

(Section 3.2). The characteristics of resilient organizations derived further present

initial recommendations for organizational structures and governance

mechanisms. These observations pave the way for a deeper investigation of

operational resilience in IS research.

Based on the prior investigation, Chapter 4 then transfers the concept of

resilience to Information Systems (IS) research or Business Informatics.

Concretely, the primary objective of this chapter is to capture and to establish a

relationship between resilience research and the IS research field. Resilience

Management Information Systems (RMIS) are introduced to provide managers

and decision makers with suitable information and tools for managing

organizational resilience. For this, the chapter firstly introduces the notion of

resilience management as a complementary approach to prevailing security- and

risk management approaches (Section 4.1). The next section will discuss various

sources of stress and disruption associated with IT-diffusion (Section 4.2). Section

4.3 firstly provides some basics on different types of IS architectures.

Subsequently, it provides an overview of current challenges and limitations of

prevailing IS risk and security approaches. These shortcomings stress the need to

extend IS risk management with resilience. Consequently, this is followed by a

report on the status quo with respect to IS research and a scientific-programmatic

view of the upcoming research questions in this area (Section 4.4). Finally, the

chapter derives foundational requirements for the design and of RMIS.

Chapter 5 is dedicated to introducing “Process-Centered Resilience Detection”

(PREDEC), a detective framework to assert the resilience of business process-

based management (BPM) systems. The chapter starts with a motivation and

exploration of operational resilience in the context of BPM (Section 5.1).

Subsequently, the chapter substantiates the claim with related work that tools and


artifacts for resilient BPM are rare (Section 5.2). Section 5.3 introduces the

PREDEC framework that serves as a common denominator for the design of IT

artifacts to support operational resilience management in the phases of detection,

diagnosis, and evaluation. Furthermore, the components and requirements towards

process-resilience detection are described. Time-behavior represents one crucial

indicator for process-resilience. Therefore, an IT artifact as an example of

resilience management information systems (RMIS) is introduced. This artifact

makes it possible to model the amount of resources required as a stochastic function and to

sum up the need for the whole business process, including its branches.

Eventually, a case study from the manufacturing sector will be carried out to

evaluate the performance, feasibility, and effectiveness of the developed IT

artifact. The simulation results show that modeling the time behavior of a

workflow as stochastic variable makes it possible to grasp the concept of

resilience by providing a mathematical framework to deduce resilience

indicators. The chapter concludes with a discussion of the findings and future

research work.
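The idea of treating workflow time behavior as a stochastic variable and summing it over the whole process, branches included, can be made concrete with a small calculation. The following Python sketch is an added example, not the thesis's PREDEC artifact: the order-handling workflow, its task durations and branch probabilities, the 8-hour deadline, and the three indicators (expected duration, on-time probability, 95% quantile) are constructed assumptions.

```python
from collections import defaultdict
from fractions import Fraction as F

# A task duration is a discrete distribution: {hours: probability}.

def seq(*dists):
    """Sequential tasks: durations add, so the distributions convolve."""
    out = {0: F(1)}
    for d in dists:
        nxt = defaultdict(F)
        for t1, p1 in out.items():
            for t2, p2 in d.items():
                nxt[t1 + t2] += p1 * p2
        out = dict(nxt)
    return out

def xor(*branches):
    """Exclusive branch: (probability, distribution) pairs form a mixture."""
    if sum(p for p, _ in branches) != 1:
        raise ValueError("branch probabilities must sum to 1")
    out = defaultdict(F)
    for p, d in branches:
        for t, q in d.items():
            out[t] += p * q
    return dict(out)

def par(a, b):
    """Parallel (AND) branches: the join waits for the slower branch."""
    out = defaultdict(F)
    for t1, p1 in a.items():
        for t2, p2 in b.items():
            out[max(t1, t2)] += p1 * p2
    return dict(out)

def mean(dist):
    """Expected total duration."""
    return sum(t * p for t, p in dist.items())

def on_time(dist, deadline):
    """Probability that the process finishes within the deadline."""
    return sum(p for t, p in dist.items() if t <= deadline)

def quantile(dist, q):
    """Smallest duration t with P(T <= t) >= q."""
    acc = F(0)
    for t in sorted(dist):
        acc += dist[t]
        if acc >= q:
            return t
    raise ValueError("q must be at most 1")

def order_process(produce):
    """Constructed workflow: check -> (pick XOR produce) -> (package AND invoice)."""
    check = {1: F(4, 5), 2: F(1, 5)}
    fulfil = xor((F(7, 10), {1: F(1)}),      # item in stock: pick it
                 (F(3, 10), produce))        # not in stock: produce it
    finish = par({1: F(9, 10), 3: F(1, 10)}, # packaging
                 {2: F(1)})                  # invoicing
    return seq(check, fulfil, finish)

# Constructed scenarios: normal production vs. a machine outage that
# doubles production time (assumed values, not data from the case study).
BASELINE = order_process({4: F(1, 2), 8: F(1, 2)})
DISRUPTED = order_process({8: F(1, 2), 16: F(1, 2)})
DEADLINE = 8  # hours, assumed service-level target

def resilience_report():
    """Indicators per scenario plus the on-time loss caused by the disruption."""
    report = {}
    for name, dist in (("baseline", BASELINE), ("disrupted", DISRUPTED)):
        report[name] = {
            "mean": mean(dist),
            "on_time": on_time(dist, DEADLINE),
            "q95": quantile(dist, F(95, 100)),
        }
    report["on_time_loss"] = (report["baseline"]["on_time"]
                              - report["disrupted"]["on_time"])
    return report

if __name__ == "__main__":
    for key, value in resilience_report().items():
        print(key, value)
```

Exact fractions are used so that the composed distribution always sums to one and the indicators can be compared across scenarios without rounding noise.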

While the instantiation of PREDEC in the previous chapter solely focuses

on decision support within the boundaries of an organization, Chapter 6

elaborates the suitability of information systems for inter-organizational data

exchange. The chapter thus explores a further problem domain – the application

of a benchmarking service for proactive sustainability management. Accordingly,

sections 6.1-3 firstly investigate the economic potential of the integration of an

ERP on-demand provider with a sustainability-benchmarking (SBM) provider.

Throughout the investigation, a system-dynamics model will be developed to

illustrate how SBM can contribute to the lasting success of ERP on-demand

platforms. However, despite multiple benefits related to SBM for organizations,

significant data input and information-sharing problems remain. The chapter’s

concluding research question is how to overcome those problems. This question

drives the remaining sections. For this purpose, the subsequent Sections (6.4 - 6.8)

introduce another IT artifact, namely a secure sustainability benchmarking service

(SBS) to overcome the information-sharing problem.


1.4 Contributions

Parts of this thesis are based on several research papers, having been published in

different journals and proceedings or presented at international conferences (a

detailed overview is provided in Section 1.5).

Concretely, this dissertation makes the following contributions:

1.4.1 Multidisciplinary Resilience Framework

The second chapter introduces the “Multidisciplinary Resilience Framework”

which has been presented at the 5th International Symposium on Resilience

Engineering 2013. Therefore, section 2.2 will reassess the multiple definitions of

resilience against the background of the multidisciplinary evolution of the

terminology to advance and clarify the construct of resilience within different

contexts and cases. It utilizes a wide variety of literature research methods to

explore the basic appreciation of resilience. Notwithstanding commonalities,

substantial distinctions of the concept exist with regard to (1) the level of

complexity and (2) the degree of normativity included in the perspective. After

analyzing these diametrical meanings, a conceptual framework is developed as a

blueprint for facilitating real-world problem solving and cross-disciplinary

resilience research by giving options for re-contextualizing the appropriate

resilience type to the respective object of investigation.

1.4.2 Organizational Resilience Framework

The third chapter is dedicated to presenting an “Organizational Resilience

Framework” which is a substantial extension of the framework previously

presented. Parts of this chapter are based on the paper (Koslowski et al.,

2013a) presented at the 33rd Annual International Conference of the Strategic

Management Society. The purpose of this chapter is to rigorously systematize the

literature of organizational resilience in order to make the following contributions:

First, a comprehensive review on organizational resilience based on descriptive


analysis is provided, thus helping scholars recognize and segment the different

philosophies and approaches to organizational resilience. Second, this chapter

further identifies knowledge gaps, critical appraisals and inconsistencies within

organizational resilience to help counteract the construct proliferation that has

become apparent within the domain. Third, an organizational resilience

framework based on systematic research is presented. The framework offers a

conceptual tool that will advance a clear method to help distinguish the specific

context for resilience. Finally, the framework will help executives to comprehend

the specific circumstances that characterize their own context for resilience.

1.4.3 Information Systems and Resilience

This dissertation introduces the notion of Resilience Management Information

Systems (RMIS). Therefore, the fourth chapter firstly captures and establishes a

relationship between organizational resilience research and the IS

Research/business informatics field. Parts of this chapter have been previously

published in the proceedings of the Business Information Systems Workshops

2013, and the proceedings of the 43rd Annual IEEE/IFIP Conference on

Dependable Systems and Networks Workshop 2013. The fourth chapter identifies

a number of open research issues and proposes a research agenda on resilience

and resilience management and provides the foundation for resilient IS design in

particular. The chapter sets out to argue that resilience can be featured as a new

and valuable research field in Information Systems. Despite the wide spread of

resilience across multiple disciplines, IS are a crucial but still inadequately

explored enabler for organizational resilience.

1.4.4 Process-Centered Resilience Detection

This thesis presents the Process-Centered Resilience Detection service

(PREDEC), a detective framework to realize resilience in the context of business

processes. Parts of the fifth chapter are based on a preliminary version of the

paper by Koslowski and Zimmermann (2013), which has been published in the

Lecture Notes in Computer Science Volume 8203. This paper is one of the first


that attempt to combine and systematize the related but still disconnected fields of

IS resilience and process-orientation. The development of a BPM resilience cycle

corresponds with the BPM lifecycle and proposes how to build and

enhance resilient BPM. PREDEC is a novel approach providing event log

specifications to enable process-centric resilience detection. The requirements and

measures developed serve as basis for eliciting and subsequently assessing

structural characteristics of information infrastructures. Consequently, the

framework makes a major step beyond the state of the art by introducing a

methodology that allows for a (semi-)automated conformance check based on

resilient BPM principles. Moreover, a conducted case study from the

manufacturing sector based on experimental simulations illustrates how decision

makers get equipped with a comprehensive methodology for analyzing and

diagnosing the resilience of information infrastructures and thereby generating

meaningful insights and evidences in an intuitive and economic manner. The latter

sections are based on the paper (Zahoransky et al., 2014) that has been accepted

for publication in Lecture Notes in Computer Science. Eventually, these

contributions serve as groundwork for supporting subsequent steps of the

resilience management cycle, such as escalation and institutionalization.

Moreover, PREDEC sets the basis for rendering the tedious work of manually

combining the knowledge from best practice guidelines with the actual

infrastructure obsolete. It also enables the objective detection of vulnerabilities in

executed processes instead of intended process models.

1.4.5 Secure Sustainability Benchmarking Service

The sixth chapter presents a secure sustainability benchmarking service (SBS).

This chapter comprises two articles that have been previously published in

Business & Information Systems Engineering 3/2011 (Koslowski and Strüker,

2011) and in the Proceedings of the International Conference on Information

Systems 2011 (Kerschbaum et al., 2011). The pressure on enterprises to manage

and improve their environmental sustainability is steadily increasing. This has

resulted in a growing awareness that Green Information Systems (Green IS)

solutions can significantly contribute to more sustainable business processes by

using modern IT-Applications. In this context, the chapter provides a “green

perspective” on IS-enabled sustainability. For this, the chapter firstly analyzes the

economic benefits of the platform principle for an ERP on-demand provider.

Besides possible cost savings for providers and users, the focus lies on the specific

potential provided by an ERP on-demand platform. This mainly consists of the

integration of complementary enterprise applications with the core ERP

application and the resulting added value for service users as well as platform and

service providers. This value is examined by using the example of a software

service for sustainability benchmarking (SBM). The results of a system-dynamics

model indicate that the quality of the SBM application as well as of corporate

management can be significantly improved. In particular, an SBM software service

that is integrated into an ERP on-demand platform is able to accelerate market

penetration.

However, sustainability benchmarking still faces two major obstacles: First, the

heterogeneity of the data requires significant pre-processing, and, second, the

sensitivity of the data makes enterprises reluctant to share this data. Hence, the

contribution of a subsequently developed IS artifact is twofold: After analyzing

the data input problem and identifying appropriate and available solutions, the

chapter further presents a secure sustainability benchmarking service (SBS) to

overcome the information-sharing problem. The service uses homomorphic

encryption to protect the data during processing and differential privacy to protect

against leakages from the reports. The evaluation, based on a prototypical

implementation of the SBS, illustrates its applicability in industry. More generally,

the security is evaluated using theoretical, cryptographic proofs, performance via

measuring a prototypical implementation and functionality by comparing to non-

secure benchmarking initiatives. The implemented SBS and derived

measurements show that the performance is manageable for the business user as

well as the service provider. Moreover, the SBS allows companies to mutually

share environmental sustainability data in a confidential manner and therefore

significantly reduces the risk of leakages from existing practices of information-

sharing.
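The two protections named above, shown end to end as an added example (not the SBS prototype or the authors' code). It assumes Paillier as the additively homomorphic scheme, the Laplace mechanism for differential privacy, and that the decryption key is held outside the service; the key primes, KPI values and bounds are constructed.

```python
# Added illustration: encrypted aggregation of benchmarking KPIs (Paillier,
# assumed scheme) followed by a differentially private mean (Laplace, assumed).
import math
import random
import secrets

# Constructed demo primes (Mersenne primes 2^31-1 and 2^61-1): far too small and
# too structured for real use; a deployment would use large random primes.
DEMO_P = 2**31 - 1
DEMO_Q = 2**61 - 1
SCALE = 1000  # fixed-point factor: KPIs are encoded as integers with 3 decimals

# Constructed sample input: kg CO2e per 1000 EUR revenue for five companies.
SAMPLE_KPIS = [412.5, 388.0, 501.25, 297.75, 450.0]


def keygen(p=DEMO_P, q=DEMO_Q):
    """Return (public, private) Paillier keys using the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n+1, L(g^lam mod n^2) = lam mod n
    return {"n": n, "n2": n * n}, {"lam": lam, "mu": mu}


def encrypt(pub, m):
    """Encrypt integer 0 <= m < n; fresh randomness r hides equal plaintexts."""
    n, n2 = pub["n"], pub["n2"]
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # (n+1)^m = 1 + m*n (mod n^2), so no modular exponentiation is needed for g^m
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2


def aggregate(pub, ciphertexts):
    """Service side: multiplying ciphertexts adds the plaintexts; no key needed."""
    acc = 1  # 1 is a valid encryption of 0
    for c in ciphertexts:
        acc = acc * c % pub["n2"]
    return acc


def decrypt(pub, priv, c):
    """Key-holder side: recover the plaintext (here, only the aggregate)."""
    n, n2 = pub["n"], pub["n2"]
    u = pow(c, priv["lam"], n2)
    return (u - 1) // n * priv["mu"] % n


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) as the difference of two exponential samples."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def benchmark_report(values, lo, hi, epsilon, rng=None):
    """Clients encrypt, the service aggregates blindly, the key holder decrypts
    the sum, and the published mean gets Laplace noise.
    Returns (exact_sum, noisy_mean); only noisy_mean belongs in a report."""
    rng = rng or random.SystemRandom()
    pub, priv = keygen()
    # Clamping to the public range [lo, hi] bounds one company's influence.
    cts = [encrypt(pub, round(max(lo, min(hi, v)) * SCALE)) for v in values]
    total = decrypt(pub, priv, aggregate(pub, cts)) / SCALE
    # Replacing one company's value moves the mean by at most (hi - lo) / count.
    sensitivity = (hi - lo) / len(values)
    noisy = total / len(values) + laplace_noise(sensitivity / epsilon, rng)
    return total, noisy


if __name__ == "__main__":
    exact_sum, noisy_mean = benchmark_report(SAMPLE_KPIS, 0.0, 1000.0, 1.0)
    print("exact sum (never published):", exact_sum)
    print("published mean:", round(noisy_mean, 2))
```

With five participants and epsilon = 1 the noise scale is 200, which swamps the true mean of 409.9; the noise shrinks in proportion to the number of participants, so the report becomes more useful as more companies join.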

Figure 3 depicts an overview of the IT artifacts provided in this thesis and the

mutual relations between the previous chapters.

Figure 2: Overview of developed IS artifacts

1.5 Related and unrelated publications

This thesis is based on several research papers, having been published in different

journals and proceedings or presented at international conferences (a summary is

depicted in Table 2).

Table 2: Related and unrelated publications8

Publications (double-blind peer-reviewed)

Koslowski, T. G., Longstaff, P. H. (2014). Resilience Undefined: A Framework for Interdisciplinary Communication and Application to Real-World Problems. In Masys, A. J. (ed.), Disaster Management: Enabling Resilience, (Lecture Notes in Social Networks 8768): Springer (New York), forthcoming.

Zahoransky, R., Koslowski, T. G., Accorsi, R. (2014). Resilience Assessment in Business Process Architectures. In Bondavalli, A., Ceccarelli, A., Ortmeier, F. (eds.) 1st International Workshop on Reliability and Security Aspects for Critical Infrastructure Protection, (LNCS): accepted. Berlin, New York: Springer, forthcoming.

Koslowski, T. G., Geoghegan, W., Longstaff, P. H. (2013). Organizational Resilience: A Review and Reconceptualization. 33rd Annual International Conference of the Strategic Management Society, Atlanta, VA. Sept 28-Oct 1 2013.

Koslowski, T., Zimmermann, C. (2013). Towards a Detective Approach to Process-Centered Resilience. In R. Accorsi & S. Ranise (Eds.), Security and Trust Management, (LNCS 8203): 176-190. Springer (Berlin Heidelberg).

Müller, G., Koslowski, T. G., Accorsi, R. (2013). Resilience - A New Research Field in Business Information Systems?. In W. Abramowicz (ed.), Business information systems 2013 Workshops, (LNBIP 160): 3-21. Springer (New York).

Longstaff, P. H., Koslowski, T. G., Geoghegan, W. (2013). Translating Resilience: A Framework to Enhance Communication and Implementation. In 5th International Symposium on Resilience Engineering, Soesterberg, Netherlands, 25-27 Jun 2013.

Fenz, S., Neubauer, T., Accorsi, R., Koslowski, T. G. (2013). FORISK: Formalizing Information Security Risk and Compliance Management. In 43rd annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W), Budapest, 24-27 Jun 2013.

Koslowski, T., Strüker, J., Brenig, C. (2013). Mastering the Energiewende – A Cross-disciplinary Teaching Approach. In 21st European Conference on Information Systems (ECIS 2013), Utrecht, Netherlands, 6-8 Jun.

Koslowski, T. G. (2013). Resilience Management – Achieving Sustainability in Turbulent Environments. In 5th Annual ARCS Research Conference (Alliance for Research on Corporate Sustainability), Berkeley, CA. 29 Apr – 1 May 2013.

Koslowski, T., Longstaff, P., Vidal, M., Grob, T. (2012). Resilience Analysis of the ICT Ecosystem. In 23rd European Regional Conference of the International Telecommunication Society (ITS), Vienna, Austria, 1-4 Jul 2012.

Koslowski, T., Strüker, J. (2011). ERP-On-Demand-Platform: Complementary Effects at the Example of a Sustainability Benchmarking Service. Business & Information Systems Engineering 53 (6): 359–367. (additional German version: ERP-On-Demand-Plattform, Wirtschaftsinformatik, (53:6), 347-356.)

Kerschbaum, F., Strüker, J., Koslowski, T. (2011). Confidential Information-Sharing For Automated Sustainability Benchmarks. In 32nd International Conference on Information Systems (ICIS), Shanghai, China, 4-7 December 2011.

Koslowski, T. (2011). Interorganisationale Nachhaltigkeitsmessung als Softwaredienst. In Eymann, T. (ed.) Proceedings of the Doctoral Consortium of the Wirtschaftsinformatik 2011, Zürich (CH), 115-124.

8 Underlined publications are included or partially included in this thesis.

2 Theoretical and Conceptual Foundations

2.1 Resilience – a fresh perspective for sustainability

Global business is recognized as being a critical contributor in realizing the

challenges of sustainability (Porter and Reinhardt, 2007; Koslowski and Strüker,

2011). Consequently, organizations have been increasingly faced with

requirements from different stakeholders to reconsider the direction of

sustainability issues by the adoption of sustainability goals to commit to the

obligations toward intra- and inter-generational justice (Sharma and Henriques,

2005). Practical implications encompass mainly the compliance to a variety of

environmental and social laws and standards in order to reduce liability or to

secure access to relevant resources. Additionally, cap-and-trade, the demand for

green and fair-traded products and the spread of sustainable investment funds

demonstrate the business case of sustainability (Linton et al., 2007; Porter and

Reinhardt, 2007; Porter and van der Linde, 1995a; Salzmann et al., 2005; Visser

et al., 2007). Hence, business organizations aim increasingly to improve their

sustainability performance such as eco-efficiency and resource productivity

(Hervani et al., 2005, p. 330; Koslowski and Strüker, 2011, p. 360). These efforts

require a systematic and deep analysis and control of all business objects, which

includes not only a re-structuring of processes but also the development of

innovations in the light of sustainability (Sharma and Henriques, 2005, p. 160).

However, the sustainable transformation of business remains a significant

challenge, as highlighted by Fiksel (2003) who identified barriers that limit the

application of sustainable development in practice: the difficulty of balancing the

needs of future generations against daily business pressure; the strong emphasis

on resource constraints rather than innovation; the danger of neglecting the

synergistic relations between the economic, ecological and social aspects of

sustainability. Although much progress has been made in the ‘sustainability’

discourse - particularly upon resource-efficiency improvements (Walker and Salt,

2006; Porter and van der Linde, 1995b), a further limitation refers to the

relationship between risks, uncertainty and sustainability, which has surprisingly

received little attention thus far (Lewin, 1998; Krysiak, 2009). Moreover,

conventional approaches to sustainability and risk-management still attempt to

predict events by emphasizing an ex ante evaluation of risks in probabilistic and

consequential terms (Smith and Fischbacher, 2009; Seager, 2008). But this

dominant approach of conventional sustainability and risk management is inadequate

in modern complex and dynamic systems because threats and hazards are

often unknown, since risks emerge through nonlinear interactions of different

system components (e.g., Fiksel, 2003; Lewin, 1998; McCann and Selsky, 2012;

Walker and Salt, 2006).

2.1.1 VUCA environments

Long before the growing interest of business actors towards sustainability,

management theorists and practitioners acknowledged the unique

characteristics of organizations that must exist in environments characterized by

turbulence (Drucker, 1980; Meyer, 1982), discontinuity (Boisot and McKelvey,

2011), and uncertainty (Grote, 2009; Milliken, 1987). These can also be termed

volatile, uncertain, complex and ambiguous (VUCA) environments (McCann and

Selsky, 2012, p. 10); they illustrate the borderless and unpredictable nature of

diverse risks and uncover the limits of traditional risk management practices and

theories: ‘New emerging risks’ or ‘new surprises’ lack a priori indication of

occurrence. They exhibit the potential to cascade through time and space at

different speeds and their relation between origin, evolution and final

consequences are frequently misunderstood (Smith and Fischbacher, 2009).

Consequently, we are confronted by a propensity for system breakdowns and

sense of vulnerability to new and future threats such as terrorism, pandemic

potential, energy volatility, and climate change, all with the potential to trigger

interrelated cascading disturbances (The Critical Infrastructure Protection

Program, 2006). As a result, there are myriad examples of disasters and

accidents, ranging from natural disasters such as the destruction of New Orleans

by Hurricane Katrina, cyber-attacks, such as the Stuxnet virus (Rid, 2012) or

human-made disasters such as the Deepwater Horizon oil spill (Palin, 2012), to

systematic failures such as the currently ongoing financial crisis (Smith and

Fischbacher, 2009). While such failures and breakdowns have proven relatively

rare, the consequences of failures within a hyper-connected world can cause

serious problems beyond geographical and functional borders (Boin and

McConell, 2007; McCann and Selsky, 2012, p. 8). For instance, the discussion

regarding the safety of nuclear power has been reignited worldwide, leading to the

immediate shutdown of some nuclear plants in Germany (Risk Response

Network, 2012; Kemfert). Furthermore, the Deepwater Horizon oil spill not only

caused significant financial and reputational loss for the participating companies

of the industrial consortium, but also led to serious ecological and social harm to

people and the environment along the Gulf of Mexico (Palin, 2012).

Against this backdrop, decision makers at different levels are forced to consider

how to respond to different kinds of emerging risks with regard to sustainability9

in a more holistic manner (Walker and Salt, 2006). The concept of resilience is

gaining ground as a denominator to move beyond survival and even prosper in

the face of highly diverse risks and surprises (e.g., Beermann, 2011; Derissen et al.,

2011; Fiksel, 2003; King, 1995; Smith and Fischbacher, 2009). Resilience has

been a prominent and emerging topic in various scientific fields but also on the

agenda of public and private institutions, recognizing the complex and uncertain

nature of social systems.

However, an increasing tendency for systems to become turbulent and complex

does not imply that they are unmanageable or impossible to govern (Mitleton-

Kelly, 2003). Managing them merely requires different forms and may rest upon

other assumptions. Where we used to expect predictability and consistency,

we now must accept the necessity of dealing with uncertainty. To survive, persist

and even thrive in the face of unexpected changes represents a significant

9 According to Krysiak (2009, p.483 & 484), any definition of sustainability has to consider the future but uncertain consequences of present actions in order to limit the probability that a future generation is harmed.

challenge and has resulted in calls for understanding and developing

mechanisms for coping with unexpected and disruptive events (McCann and

Selsky, 2012; Longstaff, 2005; Weick and Sutcliffe, 2007). In their book

“Mastering Turbulence”, McCann and Selsky (2012) describe the evolving nature

of change and appropriate strategic shifts to cope within these environments: from

controlling episodic change inspired by the scientific management movement;

embracing continuous change through agility and outsourcing; to preparing for

disruptive change through resilience mechanisms (see Figure 4).

Figure 3: Changing Nature of Change10

Hence, the discourse about security, safety and ecosystem management among

others is currently undergoing fundamental changes. While for instance security

research in the 20th century tended to focus on security through control and

prevention, more recent streams emphasize the development of adaptive and

resilient capacities to absorb and adapt to a variety of threats in highly complex

systems (Lentzos and Rose, 2009). Similarly, in the field of sustainability studies,

there is evidence of adopting complementary “fresh perspectives” (Fiksel, 2003,

10 Adapted and modified from McCann/Selsky (2012), p.25

p. 5330) to sustainability management that takes a more integrated complex

system view11 (Mitleton-Kelly, 2003) to generally manage social-ecological

systems (Holling and Gunderson, 2002; Walker and Salt, 2006) and respond to

climate change (Beermann, 2011) by self-organization, adaption and

learning rather than by controlling resource efficiency.

Before providing a deeper investigation on resilience across multiple disciplines,

the next section will briefly cover the relationship between sustainability and

resilience (more comprehensive discussions are given by Derissen et al., 2011;

Brand and Jax, 2007).

2.1.2 Resilience and sustainability

Sustainability and resilience are both highly abstract and complex concepts

with a variety of interpretations and definitions (Seager, 2008). Sustainability can

be defined in a variety of ways. While it is nowadays common to link

sustainability with the simultaneous recognition of (three) sustainability

dimensions (e.g. economic, environmental and social) (Visser et al., 2007), the

term is basically considered as a “capacity to sustain” or “capacity to endure”. In

particular, sustainability is often described in terms of resource stocks necessary

to sustain life. Therefore, sustainable practices shift attention to the maintenance of

adequate stocks of renewable and non-renewable resources. One of the most

popular definitions of sustainable development dates from the

Brundtland Commission in 1987 as “development that meets the needs of the

present without compromising the ability of future generations to meet their own

needs” (Melville, 2010). Following this definition, sustainability is a normative

concept capturing the basic ideas of intra- and intergenerational justice (Derissen

et al., 2011). Corporate Social Responsibility (CSR) describes organizational

attempts to commit to sustainable development by integrating a wide set of

11 Complex adaptive systems exhibit properties such as diversity, feedback, emergence and openness, e.g. Levin (1998); Mitleton-Kelly (2003).

regulating mechanisms into their business activities (e.g., Salzmann et al., 2005;

Visser et al., 2007).

Resilience is often defined as “the capacity of a system to absorb disturbance,

undergo change, and retain the same essential functions, structure, identity, and

feedbacks.”12 But as will be shown in the next sub-sections, the definition and

conceptualization of resilience significantly vary across different disciplines and

fields of application (and even within disciplines, cf. chapter 3). However,

resilience fundamentally describes a property/quality of a system to cope with

change (Brand and Jax, 2007; Haimes, 2009a; Lorenz, 2010) and emphasizes

persistence either by recoverability (resilience as bounce back)13 or by adoption

and transformation (resilience as bounce forward).

As both concepts show similarities by focusing on the survival and longevity of

systems, it is no surprise that many scholars have frequently drawn a connection

between resilience and sustainable development: often the two terms are used

interchangeably, sometimes resilience is conceptualized as a necessary

precondition for sustainability (Derissen et al., 2011; Brand and Jax, 2007).

However, as we described in the earlier section, the growing complexity and

turbulence of modern systems have resulted in calls to encourage resilience

research as a complementary, system-based perspective to sustainability (e.g.,

Fiksel, 2003; Walker and Salt, 2006). In line with this view, the pursuit of

sustainable development and human well-being remains a major desirable goal

while managing and designing for resilience puts stronger emphasis on a process

of preparedness, adaption and renewal in the face of unpredictable perturbations and

disruptions (e.g. Norris et al., 2008; Lorenz, 2010).

The following Figure 5 depicts two different views of sustainability. On the left-

hand side of the spectrum, sustainability is expressed as securing longevity

(Seager, 2008, pp. 445ff.): sustainability equals the maintenance of a desirable

system state by preserving the status quo, optimizing functionality and

12 The concept of “resilience thinking” was spread by the Resilience Alliance Gunderson (2002).

13 The next sub-section will deal with the differences between resilience as bounce back vs. bounce forward.

enhancing system performance for instance through improving eco-efficiency or

resource-productivity (Porter and van der Linde, 1995b). In contrast, on the right-

hand side of the spectrum, sustainability in environments, marked by dynamic and

disruptive changes, is rather approachable through resilience. From this point of

view, adaption to changing conditions and the acknowledgment of uncertainty

become more important.

Figure 4: Resilience, Sustainability, and Security14

For decision makers, it is crucial to recognize the unique differences of both sides

of the sustainability spectrum: Each perspective comes along with different

14 Adapted and modified from Seager (2008, p. 445).

assumptions regarding the nature of change: In systems marked by higher stability

and predictability, traditional management approaches such as risk analysis and

quality management provide valuable support for decision makers. For example,

risk assessment starts with hazard or failure identification and typically deals with

a relatively small number of scenarios that are considered as a moment in time (Park

et al., 2013, p. 359). Maintenance and protective actions then aim to minimize

different kinds of performance loss by securing status quo and maximizing

functioning, e.g. through improved eco-efficiency. In contrast, a resilient

perspective of sustainability shifts attention to an impending view by anticipating

possible consequences of unforeseeable disruptions. The emphasis lies not in the

(static) optimization of identified factors (e.g. based on probabilistic risk

calculation or ecological life-cycle assessments) but in accepting temporary

failures and loss and moreover, in restorative and even adaptive actions (Walker

and Salt 2006). Consequently, rapid recovery and system adaption are outcomes

of resilient mechanisms such as redundancy, detection, and innovation (e.g.

Hollnagel 2006; Walker and Salt 2006).

Thus, the current resilience discourse attempts to acknowledge the “changing

changes” more comprehensively: to combat the actual causes of threats (e.g.

environmental issues such as reducing carbon emissions or improving eco-

efficiency15), and to prevent their deployment through a variety of control

mechanisms and defensive measures (such as workforce safety regulation) will

certainly remain important sustainability strategies. They are, however, placed in

relational perspective by the acknowledgement that absolute protection in a

rapidly changing world must necessarily remain unreachable. Rather than relying

on preventive and mitigating strategies alone, the concept of resilience is linked to

the potentials of open and connected socio-technological systems (Walker and

Salt 2006). As a strategy, it takes systemic risks seriously by not reacting to new

forms of vulnerability with a flexible and open risk management. The aim is not

just to overcome crises as quickly as possible and without extensive social

agitation. The ambition is rather to lower the brittleness of systems, and in doing

15 A more comprehensive explanation of eco-efficiency and carbon reduction is given in Chapter 6.

so to increase the resilience. This rationale in the context of climate change

mitigation is illustrated by McCann and Selsky (2012, p. 5): “More and more

companies believe that they must learn to adapt to the unavoidable consequences

of climate change, rather than prevent it. […] such strategy is reactive, not

proactive, in that it is attempting to manage the consequences, not causes of

climate change.”

Summing up, across a wide spectrum of disciplines and fields of application,

resilience as a complementary approach to the conventional management streams

of sustainability and risk management is gaining ground as a facilitator to move

beyond survival and even prosper in the face of challenging conditions (Seager, 2008;

Smith and Fischbacher, 2009).

To examine what this complementary approach will be and what concepts

and mechanisms are required, it is not only useful but also necessary to delineate the

meaning and disambiguate the definitions and contextual specifications of the

resilience concept. Scholars from different fields have already attempted to deal

with conceptual and definitional ambiguity of resilience within their own

disciplines. However, such attempts usually remain within the boundaries of their

respective field and do not sufficiently take the accumulated knowledge as well as

the existing obfuscation across different disciplines and fields of application into

account. Thus, the next section aims to tackle the blurred conceptual boundaries

caused by tautologies, complementarities and mixing normative aspects.

2.2 Essential semantics of resilience

Most of us are familiar with the translation of languages. Many have been

surprised at how a word or concept from another language gets converted by

translation software or even professional translators who are proficient in both.16

Sometimes words carry with them the culture and/or conceptual orientation of the

16 This chapter is a revised version of the paper Longstaff, P. H., Koslowski, T. G., & Geoghegan, W. (2013), Translating Resilience: A Framework to Enhance Communication and Implementation. 5th International Symposium on Resilience Engineering, Soesterberg, Netherlands, 25-27 June 2013.

speaker that are not shared by the listener. Misunderstanding is almost certain in

such cases. But centuries of dealing with people who speak other languages or

speak the same language but come from other cultures have given us some tools

for managing the potential confusion and misconstructions. Interdisciplinary and

international problem-solving is hard work and there are often communication

errors so it is important to know what level of translation matters for the problem

at hand. Does the problem require the participants to share broad definitions or to

agree on very precise ones? In the following, an alternative approach is

provided. And while the definitional framework proposed here does not solve all

problems it allows us to make progress in areas that are critical to human and

technical systems now.

The increasing complexity of today’s inter-connected social systems has resulted

in calls for greater understanding and development of mechanisms for coping with

turbulence and uncertainty (Longstaff, 2005; Weick and Sutcliffe, 2007).

Resilience has been studied and described by various academic disciplines as a

potential answer to move beyond survival and even prosper in the face of

challenging conditions (Carpenter et al., 2012). These disciplines include: ecology

(Holling, 1996; Walker and Salt, 2012), psychology (Masten, 2001), socio-

technical studies related inter alia to safety management (Hollnagel et al., 2006),

disaster research (Norris et al., 2008) and a broad range of organizational studies

(Lengnick-Hall and Beck, 2005; McCann and Selsky, 2012; Sheffi, 2007; Weick

and Sutcliffe, 2007). Publications concerning the concept have increased

dramatically.

The concept of resilience has emerged relatively recently in the scientific debate.

The number of publications dealing with resilience has increased strongly over

recent years. Taking into account a general increase in publications per year (about

doubled since 1995), scientific articles containing the keyword resilience grew

more than ten-fold since 1995, corresponding to a larger application of the

resilience concept and a wider diffusion to other scientific areas. The picture

below shows the number of publications dealing with resilience in all scientific

disciplines. Searching for the keyword “resilience” in scientific articles only on

the scientific database Web of Knowledge17 yields 9,272 results (Sept. 2011).

Figure 5: Resilience Publications (1996-2013)18

The growing popularity of the term ‘resilience’ has caused some (e.g., Lorenz,

2010; Strunz, 2012) to believe that resilience is in danger of becoming another

linguistic fashion or buzzword with little or no meaning or validity. While there

may be some transient fashion involved, the increased popularity of resilience also

signals an alternative focus to the challenges of uncertainty and variability that

arise from the increasing complexity and interconnectedness of modern systems.

This has led to new worldwide efforts to recognize and deal with systems that

cross traditional academic boundaries and corporate and governmental regulatory

divisions. For example, the Resilience Alliance19 has developed an

interdisciplinary “Resilience Thinking” as a framework for understanding change

in social-ecological systems (Walker and Salt, 2012). An emerging community of

engineers20 from a variety of subspecialties is developing ‘Resilience

Engineering’ as “a new way of thinking about safety”.

17 www.webofknowledge.com

18 From Longstaff et al. (2013).

19 The Resilience Alliance is a multi-disciplinary research consortium who collaborate to explore the dynamics of social-ecological systems (http://www.resalliance.org, accessed August 20, 2013).

20 The Resilience Engineering Association is an emerging community of researchers and practitioners to promote the ideas and principles of Resilience Engineering (http://www.resilience-engineering-association.org/, accessed June 06, 2013).

Against the backdrop of varied conceptual usage across multiple fields, it is not

surprising that extant resilience research is surrounded by diversity and ambiguity

of definitions, scope conditions, antecedents and outcomes (e.g., Lorenz, 2010;

Norris et al., 2008). Is resilience a metaphor, a capacity, a capability, a strategy, a

goal, a guiding principle, a philosophy, a measure or behavior? Although an

elastic notion of resilience may facilitate communication across disciplines (or

even divergent lines of research within a discipline (Brand and Jax, 2007; Strunz,

2012)), a lack of clarity may hinder operationalization in specific

contexts and lead to unclear or even contradicting evaluations of results. A

definition that is too broad would also hinder empirical research results and even

cause some to question the relevance of the concept (Strunz, 2012; Suddaby,

2010). As Suddaby (2010) states, a clear construct might not only facilitate

communication between scholars, it also “enhances researchers’ ability to

empirically explore the phenomena” and further enhance outcomes by “allowing

managers to redefine problems in ways that are more amenable to resolution” (p.

352).

Unfortunately, a holistically agreed upon definition will be difficult and

problematic in the short term. And the world cannot wait for the perfect definition

before it begins to tackle the dangers and uncertainties from which we must

bounce back. Fortunately, a variety of definitions can exist as long as they are

acknowledged (Strunz, 2012) and there are people who can translate between

them. The skills for translation between academic disciplines and between the

academy and practitioners will almost certainly need to happen for productive

discussions between ecologists, engineers, physicists and psychologists (who have

all developed their own definitions and lexicon) in order to build new approaches

to the complex problems facing many organizations and all governments (Le Coze

and Dupré, 2008).

The framework proposed here will help begin the process of translation and this

will help identify the modi operandi (strategies and mechanisms used) that are

more likely to allow a system (such as a community or a technical system) to

achieve resilience. The four perspectives are broad enough to allow for differences

in situations but concrete enough to allow for the discussion of how and to whom

resources for recovery or adaption are allocated (Baker, 2009) and help identify

other trade-offs with regard to the arsenal of resilience mechanisms and policies

that are employed.

Notwithstanding some substantial commonalities among the disciplines,

substantial distinctions of the concept exist with regard to (1) the level of

complexity that is assumed (reductionism vs. holism orientation) and (2) the

degree of normativity included in the perspective (descriptive vs. normative

orientation). After analyzing these meanings, I will discuss the applicability of our

conceptual framework as a blueprint for facilitating real-world problem solving

and cross-disciplinary resilience research by giving options for re-contextualizing

the appropriate resilience type to the respective object of investigation. This

allows for the concept of resilience to continue to evolve as disciplines begin to

talk to each other and as practitioners discover new mechanisms for systems to

recover from shocks they cannot avoid.

That does not mean that there is one best way to accomplish resilience, at least not

at the moment. That is unlikely to be the immediate outcome of international,

interdisciplinary, and inter-organizational efforts to deal with a wide variety of

uncertainties. The first step in managing such an effort is to acknowledge all the

potential opportunities and all possible difficulties. The next steps are to make the

goal clear in each case, decide how success will be judged, and determine how (or

if) the lessons learned in one place can be translated into another place or

knowledge domain.

2.2.1 Walk in the definitional thicket

Resilience, n. 1. The action or an act of rebounding or springing back; rebound, recoil. 2. a. Elasticity; the power of resuming an original shape or position after compression, bending, etc. b. The energy per unit volume absorbed by material when it is subjected to strain; the value of the elastic limit. … 5. The quality or fact of being able to recover quickly or easily from, resist being affected by, a misfortune, shock, illness, etc.; robustness; adaptability. (Oxford English Dictionary)

The English word “resilience” is derived from the Latin words resilire and salire,

meaning to leap back, recoil, spring and spring again, re-flow, et cetera. Although,

in general terms, resilience is often said to reflect any system’s response to

change or forces outside itself, the evolution of the term across different

disciplines and fields of application leads to a diverse and sometimes confusing

definitional lexicon. An extensive review of the literature reveals that the word

resilience has been used to indicate a metaphor, a capacity of a system and a

strategy to cope with uncertainty (Norris et al., 2008). Several conceptual and

review papers have been written to clarify resilience in various fields: Klein et

al. (2003a) review resilience in natural hazards, Brand and Jax (2007) in

sustainability science, Norris et al. (2008) in community resilience, and Strunz

(2012) has applied resilience to the vague/precise concept debate in philosophy

of (environmental) science.

Before providing a conceptual framework of organizational resilience, we must

first explore the conceptual genealogy of resilience across a variety of disciplines

and fields of application. This section will systemize the multidisciplinary

research body based on theoretical observations extending to a high level of

abstraction, independent of the specific context and discipline in order to make

differing applications comparable according to (1) the level of complexity and (2)

the degree of normativity.

The level of complexity reflects the assumptions about system behavior, ranging

from a reductionist view of single-equilibrium, linearity and predictability to

complex system view of multi-equilibria, non-linearity and emergence. The

degree of normativity covers the distinct conceptualizations from a descriptive

system property to developmental processes with desirable outcomes. Specific

combinations across the two dimensions help one appreciate the

specific nature of resilience. The section will first address the axes of the matrix by

giving readers a comprehensive look at how the word is used in several

disciplines.

2.2.1.1 Level of complexity

Reductionist approaches. Perhaps the most comprehensive development of

resilience frames the concept as a return to normalcy or a single equilibrium. At

this simplest level, resilience refers to dynamics close to a stable equilibrium and

is defined as the (speed) time required for a system to return to its original state

following a disturbance event21 (Pimm, 1984). This meaning presumes equilibrium

before the shock, so that the definition is similar to a stability property such as

elasticity, resistance, maintenance (Handmer and Dovers, 1996) or rapidity of a

system for restoration (McDaniels et al., 2008). Hence, the interest and focus of

the often termed “engineering resilience” (Holling, 1996) are on (often designed)

systems with a single equilibrium, such as standard bridge load but also similar to

the speed of homeostasis of body temperature or a fertility replacement rate.

This approach to resilience tends to dominate in the fields of engineering, natural

science as well as earlier psychology and disaster studies; all of which seek to

understand why people, infrastructure and places recover from disturbances and

stresses. For example, psychological resilience literature has tended to examine

how children develop normally and successfully despite adverse conditions;

consequently, resilience is referred to as “bouncing back” like a spring to our former

pre-crisis or pre-trauma behavior (Baum, 2005; Masten, 2001). As this stream

focuses on efficiency, constancy, predictability (Holling, 1996) the single

equilibrium bears a close affinity to the more traditional views of reductionist

theories such as conservation law of energy in physics (Griffiths, 2013) or Milton

Friedman’s “plucking-model” of business fluctuations (Friedman, 1993) in

economics. For materials scientists, resilience is an expression of how a material

responds to external force by either bending or breaking (Trautwine 1907). A

material is either ductile or brittle. A resilient (or ductile) material can bend when

force is applied and return to its original condition once that force is removed. The

material will exhibit “stretching” along with unfolding and refolding at

the molecular level. This is referred to as “reversible unfolding.” The

more tightly bound a substance is at the molecular level the more brittle it is

(Campbell, 2008). The strength of the molecular bond is measurable and so the ability

of the material to bounce back is predictable.

21 This is close to the term found in physics/material science, where resilience is the property of a material to absorb energy when it is deformed elastically and then resume its initial form.

Single-equilibrium and reductionist approaches have some limitations, particularly

in situations when the costs of rebound outweigh the benefits and the resistance to

change might fail or lead to further losses (e.g. Handmer and Dovers, 1996). In

addition, management approaches based on stability and single states tend to

maintain a predictable world with maximized, consistent production as the main goal.

However, in a more dynamic and uncertain world (Boisot and McKelvey, 2011)

this assumption is questionable as adaption towards new environmental conditions

may be more appropriate in the long run and may call for some rethinking on this

perspective.

For instance, engineers have attempted to deal with complex organizational

structures that are intended to develop complex technology with Concurrent

Engineering methods that integrate design, manufacturing and downstream uses.

But the uncertainties in this process have led some to analyze it as a complex

system that must deal with surprises (Wolfram, 1986; Efatmaneshnik and

Reidsema, 2007). They have noted that some technological systems have high

sensitivity to small perturbations – a characteristic of many chaotic systems and

conclude that Complexity x Uncertainty = Fragility (Efatmaneshnik and Reidsema,

2007). Others have concluded that these systems must avoid optimum solutions

because this implies hypersensitivity to small perturbations and therefore fragility

(Marczyk, 2002).

In fact, optimization may not be a meaningful term in complex and adaptive

systems where order emerges from uncertainty – especially if one is trying to

encourage adaptation or innovation (Holland 1998). Some resilience engineering

scholars see a system’s resilience as represented by the adaptations necessary to

cope with the real world complexity (Nemeth, 2008, 2009). An engineered

system’s resilience might be measured by the time it takes to return to appropriate

functionality. Sometimes this will be to bounce back to system specifications and

sometimes this will mean bouncing forward to a new, adapted system that can

cope with changed conditions (Mendoca, 2008; Woods, 2006c).

But some engineering scholars argue that measurement is more problematic (e.g.

Park et al. 2013). Resilience in a complex systems context is a dynamic,

emergent property that can only be observed in the context of a specific failure

scenario (Haimes, 2009b). As such, it is improper to think of engineering systems

resilience as a static property of state, as in materials engineering; it cannot be

predicted or calculated from aggregation of the individual components (Hollnagel

et al. 2006; Park et al. 2013). Hence, scholars from different disciplines promote

a more complex system view of resilience.

Holistic approaches. Systems resilience appreciates the dynamism inherent to the

process and is strongly influenced by theories on complex adaptive systems or

complex science emphasizing system attributes such as non-linearity, feedbacks,

emergence, self-organization and co-evolution (e.g. Levin, 1998). This research

stream evolved assuming the existence of multiple, dynamic states of equilibria in

systems (Holling and Gunderson, 2002). In contrast to the return to a single

equilibrium (normalcy), the so-called “(eco)system resilience” or “ecological”

view looks beyond restoration and focuses on the magnitude of disturbance that a

system can tolerate and absorb before it is pushed beyond its “elasticity threshold”

into another stable state (Holling, 1996; Brand and Jax, 2007; Cumming et al.,

2005; Handmer and Dovers, 1996). According to this philosophy, resilience is

“the capacity of a system to experience shocks while retaining essentially the

same function, structure, feedbacks, and therefore identity” (Walker et al., 2006)

and is a dynamic attribute associated with a process of permanent change and

adaption.

Similarly, for ecologists associated with the Resilience Alliance (Walker and Salt

2006), resilience is the capacity of an ecosystem to tolerate disturbance without

collapsing into a qualitatively different state that is controlled by a different set of

processes. A resilient ecosystem can withstand shocks and rebuild itself when

necessary. Resilience does not mean the system will look exactly like it did

before the forest fire or the flood, but many of the same species and their place in

the ecosystem hierarchy will be preserved. It will still be a forest or a prairie even

if the mix of species has changed. The ecosystem depends on the ability of

individual species to adapt.

Example: If a system changes too much by crossing its identity-threshold, it starts

to enter into another state operating in a different manner. These so-called “regime

shifts” are very often driven by infrequently and slowly changing variables.

(Ecosystem) resilience is the capacity to absorb disturbances in order to withstand

such regime shifts. Each transition into another state is a consequence of a loss of

resilience in the existing system, and its resilience is often determined by a

few “slow changing key variables”. For instance, a rain forest is deforested to

serve as grassland for cattle farms. The ecosystem’s key variables water

depth/saturated soil depth are affected as grassland requires higher amounts of

water consumption. To maintain productivity of the cattle breeding, the farmer

increasingly uses fertilizer. Over time, a critical level of fertilization is

reached, leading to a fast-shrinking water depth, which can finally result in spoiled land

(Walker and Salt, 2006).

The key difference between “engineering resilience” and “ecological (system)

resilience” is illustrated by Scheffer et al.’s (1993) “Ball and Cup-Model”, where

each system state is represented by a basin or zone of attraction. The current

position of the ball within a basin reflects the system state. While the slope of the

basin determines the recovery rate to return to the former equilibrium (engineering

resilience), ecosystem resilience is represented by the height and latitude of the

basin and therefore the amount/magnitude of disturbances that a system can

withstand before shifting into another basin of attraction (Holling 1996,

Scheffer et al. 1993).
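
The distinction drawn in the Ball and Cup-Model can be made concrete with a small simulation. The following is an added example, not part of the original text or of Scheffer et al.'s model; the dynamics dx/dt = -rate * x * (1 - x / width) and the names rate, width, simulate, return_time and absorbable_shock are assumptions chosen for illustration.

```python
"""Ball-and-cup sketch: one stable state at x = 0 and a ridge at x = width.

Constructed model (an assumption of this example, not taken from the source):
    dx/dt = -rate * x * (1 - x / width)
'rate' is the steepness of the cup near its bottom; 'width' is the distance
from the bottom of the cup to the ridge separating it from the next basin.
"""


def simulate(rate, width, shock, dt=0.005, t_max=200.0, tol=0.01):
    """Displace the ball to x = shock and integrate with explicit Euler steps.

    Returns ("recovered", t) once x is within tol of the equilibrium,
    ("shifted", t) once the ball is far beyond the ridge, or
    ("undecided", t_max) if neither happens within t_max.
    """
    if shock < 0:
        raise ValueError("this sketch only models shocks towards the ridge")
    x, t = float(shock), 0.0
    while t < t_max:
        if abs(x) <= tol:
            return "recovered", t
        if x >= 10.0 * width:
            return "shifted", t
        x += dt * (-rate * x * (1.0 - x / width))
        t += dt
    return "undecided", t_max


def return_time(rate, width, shock):
    """Engineering resilience: time needed to return to the old equilibrium.

    Returns None when the shock pushes the system into another basin.
    """
    outcome, t = simulate(rate, width, shock)
    return t if outcome == "recovered" else None


def absorbable_shock(rate, width, iterations=12):
    """Ecological resilience: largest shock that still ends in recovery.

    Found by bisection on the simulated outcome, without using 'width'
    as the answer directly.
    """
    lo, hi = 0.0, 3.0 * width
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if simulate(rate, width, mid)[0] == "recovered":
            lo = mid
        else:
            hi = mid
    return lo


# Two constructed systems: a steep, narrow cup and a shallow, wide cup.
STEEP_NARROW = {"rate": 4.0, "width": 0.5}
SHALLOW_WIDE = {"rate": 0.5, "width": 2.0}


def compare(small_shock=0.2, large_shock=1.0):
    """Summarize both resilience measures for both constructed systems."""
    summary = {}
    for name, cup in (("steep_narrow", STEEP_NARROW),
                      ("shallow_wide", SHALLOW_WIDE)):
        summary[name] = {
            "return_time_small_shock": return_time(shock=small_shock, **cup),
            "outcome_large_shock": simulate(shock=large_shock, **cup)[0],
            "absorbable_shock": absorbable_shock(**cup),
        }
    return summary


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The steep, narrow cup returns faster from a small shock but undergoes a regime shift under a shock that the shallow, wide cup absorbs, so the two measures can rank the same pair of systems in opposite order.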

Figure 6: Ball and Cup-Model22

Advocates of the systems view of resilience further emphasize cross-scale

dynamics (temporal and spatial) of co-evolving systems where only temporal or

even no equilibrium state can be achieved, particularly through diversity in

responses and functions (Walker et al., 2006). Holling and Gunderson (2002)

propose the “adaptive cycle” as a metaphor of dynamic behavior in (socio-

)ecological systems suggesting four cyclical phases of change in the structure and

function of a system. But the relationship between resilience and adaptability is

surrounded by confusion: While some ecosystem scholars (Brand and Jax, 2007;

Strunz, 2012; Walker et al., 2002) treat adaptability and resilience as related but

distinct concepts, a number of definitions exist where the concepts are treated as

equivalent (Cumming et al., 2005; Nelson et al., 2007; Smit and Wandel, 2006).

Moreover, others consider adaptability as a subset of resilience (Carpenter et al.,

2001; Folke, 2006) or inversely, resilience as a subset of adaptive capacity

(Adger, 2006).

In summary, the descriptive term of resilience is usually conceptualized as either

an inherent property or as a potential outcome. The two tables below illustrate

examples of resilience definitions as descriptive terms with varying levels of

complexity:

22 From Scheffer et al. (1993). Figure 6 labels: Engineering Resilience; Ecological Resilience; System State.

Table 3: Definitions with Low Complexity, Low Normativity

| Discipline | Definition | Author |
|---|---|---|
| Business (IS) | the capacity to resist major business disruptions due to unforeseeable, unexpected, or catastrophic events, leading the organizational systems beyond the planned service limits without serious losses. | (Antunes, 2011, p. 383) |
| Computer science | resilience as an intrinsic system attribute is arising in every domain of system and software development. Resilience is an attribute often related to robustness, and survivability (and by this dependability) from one side, and sustainability from other side | (Crnkovic, 2011, p. 113) |
| Risk Analyst | The resilience of a system is a manifestation of the states of the system. Perhaps most critically, it is a vector that is time dependent. [...] 'the ability of the system to withstand a major disruption within acceptable degradation parameters and to recover within an acceptable time and composite costs and risks.' | (Haimes, 2009b, p. 498) |
| Engineering | resilience implies the ability to “bounce back” after undergoing deformation of some sort | (Madni and Jackson, 2009, p. 185) |
| Ecology | “The speed at which the system returns to the stable point or trajectory following a perturbation.” | (Pimm, 1984, p. 321) |
| Ecology | the ability of human communities to withstand external shocks or perturbations to their infrastructure, such as environmental variability or social, economic, or political upheaval, and to recover from such perturbations. | (Timmerman, 1981) |

Table 4: Definitions with High Complexity, Low Normativity

| Discipline | Definition | Author |
|---|---|---|
| Business | the ability to ‘bounce back’ after suffering a damaging blow […] as an ‘emerging property’ of a ‘healthy’ system | (Boin and McConell, 2007, p. 54) |
| Ecology | Resilience is the magnitude of disturbance that can be tolerated before a socio-ecological system (SES) moves to a different region of state space controlled by a different set of processes. Resilience has multiple levels of meaning: as a metaphor related to sustainability, as a property of dynamic models, and as a measurable quantity that can be assessed in field studies of SES. | (Carpenter et al., 2001, p. 765) |
| Ecology | the ability of the system to maintain its identity in the face of internal change and external shocks and disturbances | (Cumming et al., 2005, p. 976) |
| Ecology | … the capacity of a system to experience disturbance and still maintain its ongoing functions and controls | (Holling, 1973, p. 1) |
| Sociology | Resilience is a relational concept that saliently marks the importance of a balanced relation between a system and its environment, as well as their seminal adjustment with regard to the system’s persistence in the future. | (Lorenz, 2010, p. 2) |
| Ecology | Resilience is the capacity of a system to experience shocks while retaining essentially the same function, structure, feedbacks, and therefore identity. | (Walker et al., 2006, p. 2) |

2.2.1.2 Resilience as a normative term

Nonetheless, even in ecology, resilience has often been transformed towards a

desirable outcome or ability, e.g. the maintenance of natural capital in the long-

run (Ott and Döring, 2008). Scholars from social science have expanded the

concept by adding social and normative components (Folke, 2006). For example,

Carpenter et al. (2001) include a system’s ability to self-organize and the

capability of learning and adaption. Although this conceptualization is consistent

with the ‘ecosystem resilience’ emphasis on persistence, the addition of learning

particularly points to significant differences between social and ecological

perspectives: They may feature significantly different response dynamics, exhibit

additional capacities of intentionality, interpretation and foresight (for an

overview see Holling (2001) and Lorenz (2010)). Thus, social systems are aware

of being within an environment characterized by a given history and expectations

about a certain future, which can be pro-actively influenced by its learning actors.

Consequently, social resilience is often conceptualized as an ability to cope with

external stresses and disturbances or rather the capacity to withstand external

shocks (Adger, 2000) in ecological or technical systems. The added social

component of learning, intentionality and adaptability can be regarded as “the

capacity of humans to manage resilience” (Walker et al., 2004).

Managing resilience or “resilience engineering” (Hollnagel et al., 2006) are

usually normative activities as they aim to either maintain a desirable state

(bounce back) or adapt and transform towards an alternative desirable state

(bounce forward). Under pure ecological considerations, none of the potential

system states is preferable. When transitioning from one state to another there is

usually an absence of choice, e.g. when a jungle turns into a desert. What

matters is not whether an ecosystem becomes a desert but its persistence

against change. In social systems, however, such potential path-dependency is seen

as a problem (or an undesirable state, hence the need for a normative value).

Following the rationale of this third type of resilience, a regime change from

democracy toward a dictatorship or lock-in-situations (e.g. the dominant usage of

an inferior technology) can also be described as persistent or resilient.

This active and normative conceptualization of resilience (Handmer et al., 1999;

Klein et al., 2003b) is not exclusive to the higher level of analysis of socio-

ecological (Gunderson, 2002) and socio-technological systems (Park et al., 2013):

The most prominent introduction of normative aspects is also found on the

individual level in psychology, where scholars define it either as “good outcomes

in spite of serious threats to adaptation or development” (Masten, 2001), as

“dynamic process encompassing positive adaptation within the context of

significant adversity” (Luthar et al., 2000) or as “a process linking a set of

adaptive capacities to a positive trajectory of functioning and adaption” (Norris et

al., 2008).

This process view of individual and social resilience explicitly includes not only

surviving but also thriving (Masten, 2001) and exemplifies that the holistic view

of resilience can be regarded as normative. Supporters of normativity,

particularly in psychology and related social studies such as disaster research,

emphasize the capacity for successful adaption when confronted by challenges.

They further conclude that resilience is better conceptualized as an ability or

process rather than an outcome, focusing on the adaptive rather than the

recovery aspect of resilience (Handmer and Dovers, 1996; Longstaff, 2005; Norris

et al., 2008).

A wide set of resilience definitions as normative terms are illustrated in the two

tables below. While Table 5 consists of normative definitions with low levels of

complexity, Table 6 contains normative definitions with higher complexity.

Table 5: Definitions with Low Complexity, High Normativity

| Discipline | Definition | Author |
|---|---|---|
| Economics | Resilience is defined as the ability of an economy to reduce the probability of further deep crises or at least to mitigate the effects of a crisis. | (Aiginger, 2009, p. 311) |
| Risk Analyst | resilience is defined as the ability of the system to withstand a major disruption within acceptable degradation parameters and to recover within an acceptable time, and composite costs, and risks. | (Aven, 2011, p. 515) |
| Economics | economic resilience refers to the policy-induced ability of an economy to recover from or adjust to the negative impacts of adverse exogenous shocks and to benefit from positive shocks. The term is used in two senses […], relating to the ability to: (1) recover quickly from a shock; and (2) withstand the effect of a shock. | (Briguglio et al., 2009, p. 233) |
| Business (IS) | the organization’s ability to adapt to risk that affects its core operational capacities. Operational resilience is an emergent property of effective operational risk management, supported and enabled by activities such as security and business continuity. | (Caralli et al., 2010, p. 1) |
| Psychology | “good outcomes in spite of serious threats to adaptation or development” | (Masten, 2001, p. 238) |
| Business (SCM) | the adaptive capability of the supply chain to prepare for unexpected events, respond to disruptions, and recover from them by maintaining continuity of operations at the desired level of connectedness and control over structure and function | (Ponomarov and Holcomb, 2009, p. 131) |
| Economics | refers to the inherent and adaptive responses to disasters that enable individuals and communities to avoid some potential losses. It can take place at the level of the firm, household, market, or macroeconomy. In contrast to the pre-event character of mitigation, economic resilience emphasizes ingenuity and resourcefulness applied during and after the event. | (Rose, 2004, p. 307) |
| Resilience Scholar | “the act of rebounding or springing back” from a disaster, and a resilient organization often is described as one which is able to quickly return to normal (or even improved) operations after such an event has occurred | (Zobel, 2011, p. 394) |

Table 6: Definitions with High Complexity, High Normativity

| Discipline | Definition | Author |
|---|---|---|
| Business (SCM) | the ability of a system to return to its original state or move to a new, more desirable state after being disturbed. | (Christopher and Peck, 2004, p. 2) |
| Business | Resilience is a fundamental quality of individuals, groups, organizations, and systems as a whole to respond productively to significant change that disrupts the expected pattern of events without engaging in an extended period of regressive behavior | (Horne III and Orr, 1998, p. 31) |
| Business (Strategy) | as an organizational capacity to adopt new organizational routines and processes to address the threats and opportunities arising from disruptive business model Innovation. Organizational resilience is manifested through both cognitive and behavioral resilience. | (Dewald and Bowen, 2010) |
| Business (Strategy) | Ability to dynamically reinvent business models and strategies as circumstances change […] It’s about continuously anticipating and adjusting to deep, secular trends that can permanently impair the earning power of a core business. | (Hamel and Välikangas, 2003, p. 53) |
| Disaster Studies | A three-class typology of resilience (resistance to change; change at the margins; openness and adaptation) | (Handmer and Dovers, 1996, p. 494) |
| Business (Strategy) | properties that increase a firm’s ability to understand its current situation and to develop customized responses that reflect that understanding. Resilience capacity is a multidimensional, organizational attribute that results from the interaction of three organizational properties: cognitive resilience, behavioral resilience, and contextual | (Lengnick-Hall and Beck, 2005, p. 738) |
| Business (Strategy) | The main aspects of organizational resilience in this context are the continuing capacity to recover from disturbances as well as the capacity to rebound from adversity in a strengthened and more resourceful way. | (Linnenluecke and Griffiths, 2010, p. 488) |
| Business (SCM) | “the capacity for an enterprise to survive, adapt, and grow in the face of turbulent change” | (Pettit et al., 2010, p. 1) |
| Business | the capability to self-renew over time through innovation. | (Reinmoeller and van Baardwijk, 2005, p. 61) |
| Business (Strategy) | as the maintenance of positive adjustment under challenging conditions such that the organization emerges from those conditions strengthened and more resourceful. | (Vogus and Sutcliffe, 2007, p. 3419) |

Despite the different conceptualizations, the reader will have noted that there are

clearly ideas that are common among one or more of these disciplines. In

fact, there is some evidence that resilience is most likely to be found in systems

that:

• Build the right amount of diversity and robustness for increasing options and spreading risk;

• Increase their range of knowledge for learning and problem solving;

• Create opportunities for self-organization, including strengthening local functions, building cross-scale links, and building problem-solving networks;

• Organize with the right balance of tight and loose coupling;

• Increase resilience at the right scale.

And there is some evidence that resilience will be a trade-off for other desirable

traits for the system. For example:

• Things that increase resilience may decrease some kinds of efficiency;

• Efforts to increase the stability can lower adaptability and resilience;

• Resilience at one scale can reduce it at another.

(e.g., Berkes, 2007; Woods, 2006c; Dorner, 1996; Longstaff, 2005; Walker and

Salt, 2006).

For human organizations that are good at dealing with uncertainty: “The traits of

resilience include experience, intuition, improvisation, expecting the unexpected,

examining preconceptions, thinking outside the box, and taking advantage of

fortuitous events. Each trait is complimentary and each has the character of a two-

edged sword.” (Nemeth 2008, p. 7). Therefore there is hope for some sort of

definitional structure that is broad enough to allow for translation between them

all even as we allow for the particulars to remain at the disciplinary level.

2.2.2 Multidisciplinary Resilience Framework

It helps to think of each discipline or domain as looking at a resilience problem

through their own “frame”: Think of a group of people each standing with an

empty picture frame and looking through it at a scene while ignoring everything

outside their frame. It becomes clear that only by putting all the frames together

will we get a good picture of the scene. And while that ultimate construction for

resilience may not be available to us in the near future, we can put some frames

together where we know they look at the same things and pull them apart

where we know they are looking in very different directions. Translation enables

us to construct some broader frames that can be used by more people.

There are two main differences that must be bridged in translating resilience ideas

between disciplines: First, the various disciplines differ with regard to their

assumptions about their system’s potential for stability and equilibrium. Some

have a Newtonian outlook (everything can be counted and predicted) while others

take a complexity/unpredictability outlook (the system has so many dimensions or

variables that it is mathematically intractable and/or has emergent properties that

make prediction difficult or impossible) (Lewin and Regine, 1998; Mitleton-

Kelly, 2003). Second, they differ in the degree of normativity (resilience as a coping

capacity vs. a desirable outcome). The conceptual model presented below puts

these two differences in a framework that allows us to make some distinctions that

are broad enough to find commonality but narrow enough to recognize

differences. It is the contention of this work that these fields are not mutually

exclusive and that a fuller understanding of resilience would encapsulate many (if

not all) of these views.

We have also differentiated resilience that is seen as a capacity or a capability of

the system. The choice of these terms is somewhat arbitrary but reflects the most

commonly understood ideas behind those words. The term capability is used to

denote human/animal skills or abilities to perform or achieve certain actions and

outcomes through a set of functions or processes. In contrast, the term capacity is

used as a description for anything you can hold and/or measure (IF4IT, 2014).

There are obviously no bright lines between the two because you can sometimes

measure skills. But the distinction is worth noting because it affects how

disciplines look at the systems they study and how they describe and (sometimes)

measure what they call “resilience.”

The Multidisciplinary Resilience Framework outlines four applications based on

the differing fields of study. The boxes on the left of the Framework focus on

the system’s level of complexity. In the upper box, the state of the system and the

impact of a disturbance are both predictable and measurable. In the lower box the

system has multiple possible states due to high levels of complexity/non-linear

behavior and there are often high levels of uncertainty. Measurement and

prediction in the bottom box is thus more problematic.

The boxes on the top of the matrix focus on the level of normativity that is applied

to describing the resilience of a system, that is, the extent to which humans

determine how things should be, how to value the state of the system, and which

strategies are good or bad. Normativity can be contrasted with positivity which is

generally described as producing factual statements that attempt to describe

reality.

Figure 7: Multidisciplinary Resilience Framework23

23 from Longstaff et al. (2013)

Type I Resilience: The capacity to rebound and recover (low complexity/low

normativity). The systems/disciplines that fall in this box see resilience as a purely

descriptive measure of elasticity against perturbations and the rapidity of the

recovery to a pre-defined (usually intended) state. Resilience can be seen as a

system property or measure of stability. This view of resilience is predominantly

adopted in traditionally engineered and other designed systems. It is most feasible

in situations where the normal system state is assumed to be a reliable (if not

necessarily optimal) state for the system or the adaption of the previous system

state toward an alternative state is too difficult in terms of time and/or costs.

Type II Resilience: The capability to maintain a desirable state (low

complexity/high normativity). This is described in systems/disciplines that have a

low level of complexity and focuses on the maintenance of some predetermined

state or equilibrium that is judged to be either a desirable outcome or as a process

of positive adjustments that leads the system back to that predetermined, desirable

state (Luthar et al., 2000; Seligman, 2011). Predominantly employed in business,

psychology and other social studies, resilience in these systems is regarded as

something positive and bouncing back to an approved equilibrium proves the

existence of resilience.

In contrast to the first two constructs of resilience, which focus on efficiency and

constancy (similar to Newtonian Thinking), the latter two conceptualizations

emphasize stable landscapes (in line with evolutionary and complexity theory)

with multiple states due to complex and non-linear behavior that is far from any

equilibrium and full of uncertainty.

Type III Resilience: The capacity of the systems to withstand stress (high

complexity/low normativity). The disciplines in this box often describe resilience

as the relationship between the current system state and a potential system shift

that will flip the system into a different state often called a “regime shift.” The

focus is on persistence thresholds. The distance between the current state and a

potential flip is a measurable indicator of resilience levels. High resilience implies

sufficient robustness and buffering capacity against a regime shift and/or the

ability of system components to self-organize and adapt in face of fluctuations. If

resilience is low, the system loses its original identity and moves toward a new

regime or “basin of attraction.” It is noteworthy that none of the potential system

states or regimes is preferable to the system itself since it cannot make good/bad

distinctions.

Type IV Resilience: The capability to adapt and thrive (high complexity/high

normativity). Resilience in social systems and psychology is often conceptualized

as a skill that an individual or group can bring to a disturbance that will allow it to

reach a level of functionality that has been determined to be “good.” Human

beings and human systems have high complexity and a determination of what is

good or “adaptive” in these systems is often highly normative. The

disciplines in this box acknowledge the existence of multiple possible states, but

also explicitly call for a successful adaption before or after a disturbance occurs.

This contrasts to Type II resilience, which focuses on a successful return to an

assumed normal state. Hence, a positive adjustment can involve different

desirable states ranging from a worse, but acceptable level to an even better post-

disturbance state. Managing resilience as a normative activity or outcome

involves human capabilities such as anticipation, sensemaking and learning.

2.2.3 Application of the framework and conclusion

The categories in the descriptive boxes of the framework will allow participants to

ask questions about how the other participants see the level of complexity/

predictability of the system(s) they are trying to deal with. The framework will

also help them discuss how they see the role of shared norms. A discussion of the

four Resilience Types will further identify shared or differing goals (e.g., bounce

back or bounce forward). So, for example, people in government are likely to be

in category II with a high degree of normativity about outcomes and seeking

short-term linearity and predictability for their actions. Engineers at the table may

be less sure of predictability for anything that requires a human interface but less

interested in the norms applied to outcomes, so they would be in category I or

category III. Ecologists may be more comfortable with designing systems that can

adapt so might be in category IV.

Once the similarities and differences have been identified the next steps are to

make clear what the goal is in each case, how success will be judged (or

measured), and how (or if) the lessons learned in one place can be translated into

another place or knowledge domain. Does the problem require a capacity or a

capability? Does the system have to be maintained as it is or should it be capable

of adaptation? How will that adaptation be judged? Can the adaptation be

designed in advance or will it have to emerge from the conditions that are

presented? Once these questions are answered the group can narrow down its

search for definitions and mechanisms that are found in similar systems to the

Resilience Type they are dealing with.

Of course there is the possibility (and in some cases a likelihood) that a particular

problem will involve multiple types of resilience. In those cases the role of

translators becomes critical as two systems attempt to work in concert toward

resilience for both without unanticipated harm to the other system. If the

resilience of one requires the rules of the other to be ignored for a time how does

that get decided and by whom? If action by one or both is called for in response to

some danger (or opportunity) does this require the measurement of something that

they measure differently? This does not require that the two systems (or

disciplines or organizations) respect each other’s methods but it does require

agreement on the goals and that they actually understand what the others are

saying.

It seems certain that the need to find ways to make things bounce back will only

continue to grow. The groups who come together to deal with these issues will

only become more diverse. The framework proposed here allows researchers and

practitioners from various disciplines and/or economic sectors to communicate

and concentrate their efforts on specific types for resilience goals by allowing

broad definitions where that is possible and identifying where specific definitions

are necessary to deal with the issues at hand. The words used to designate these

efforts will undoubtedly adapt, splinter into subgroups, and go in and out of

fashion. Translation and translators will only become more important.

3 Organizational Resilience

As we learned in the previous chapter (Section 2.1 in particular), organization

scholars and practitioners have long acknowledged the unique characteristics of

organizations that must exist in environments characterized by turbulence (Meyer,

1982; Drucker, 1980), discontinuity (Boisot and McKelvey, 2011) and uncertainty

(Grote, 2009). To survive, persist and even thrive in the face of unexpected

changes represents significant challenges for organizational decision-makers and

has resulted in calls for understanding and developing mechanisms of coping

with uncertainty (Longstaff, 2005; Weick and Sutcliffe, 2007). Although a

plethora of insightful concepts, theories and frameworks pay attention to the

survival and longevity of organizations, the survival rate of businesses remains

low, as 50-70 percent of all start-ups disband within five years and more than 80

percent do not survive more than a decade (Hollnagel, 2011; Geus, 1997; Zook

and Allen, 2010). As organizational decision-makers were forced to consider how

to respond to different kinds of uncertainties the concept of resilience began to

gain ground in business management. Some saw it as a potential panacea to move

beyond survival and even prosper in face of challenging conditions. But the

interest of business managers has not been matched by the attention that

academics have given the concept of resilience.

Coutu (2002) stated that “resilience is a hot topic in business these days” and goes

on to quote a CEO that emphasized the importance of resilience, citing that “a

person’s level of resilience will determine who succeeds and who fails. That’s

true in the cancer ward, it’s true in the Olympics, and it’s true in the boardroom”.

Interestingly, in 1997 John Horne III wrote of the ‘coming age of resilience’ and

highlighted factors such as the end of communism; a technological shift to an

era dominated by manmade brain power industries; changing global

demographics; a global economy; and no dominant economic, political, or

military power as contributions to an increased focus on organizational resilience.

It seems that these factors combined with the recent economic changes have now

made resilience research an imperative.

Here, organizational resilience is not offered as a panacea but in understanding its

antecedents and processes it may help engender and promote new strategies that

will increase an organization’s ability to manage in times of high uncertainty.

Resilience scholarship has become important for at least five reasons. First, in any

era of economic turbulence there may be very few hiding places for firms that

operate on a global basis. Second, organizational resilience scholarship is still

largely fragmented and misunderstood by many (Klein et al., 2003a). An

appreciation of the varied applications is warranted, as is finding unifying themes

that will help in the development of larger organizational strategy. Third,

organizational resilience is in danger of becoming another catch-all-word for

change (Longstaff et al., 2013; Koslowski et al., 2013a) and a systematic rigorous

review would help solve some of the construct proliferation issues surrounding its

use. Fourth, it has practical application for executives, allowing for a new frame

of reference to help them view their context. Finally, very few reviews explicitly

address organizational resilience in a comprehensive manner and fewer still try to

integrate disparate research into helping understand organizational resilience.

The purpose of this chapter is to rigorously systematize the literature of

organizational resilience in order to make the following contributions: First, a

comprehensive review on organizational resilience based on descriptive analysis

is provided, thus helping scholars recognize and segment the different

philosophies and approaches to organizational resilience. Second, this chapter

further identifies knowledge gaps, critical appraisals and inconsistencies within

organizational resilience to help counteract the construct proliferation that has

become apparent within the domain. Third, an organizational resilience

framework based on systematic research will advance a clear method to help

distinguish the specific context for resilience.

3.1 A review and reconceptualization

Organizational resilience remains an underspecified concept. Parallels can be

drawn between resilience and the seminal work of Orton and Weick (1990) on

loosely coupled systems:

“The concept provides a combination of face validity, metaphorical

salience, and cutting-edge mysticism, all of which encourage

researchers to adopt the concept but do not help them to examine its

underlying structure, themes, and implications. Because the

concept has been underspecified, its use has generated controversy.”

(Orton and Weick, 1990, p. 203)

Thorough examinations of organizational resilience [24] remain difficult due to the

diversity and ambiguity of definitions, scope, conditions, antecedents and

outcomes of this existing research, cf. Lorenz (2010) and Norris et al. (2008). The

respective definitions used will affect strategies and mechanisms used to achieve

resilience (Norris et al., 2008), e.g. how and to whom resources for recovery or

adaption are allocated (Baker, 2009). Hence, the next sub-section seeks to address

these varied perspectives and untangle the resilience web. Moreover, this will

serve as a basis for the development of a resilience management cycle, introduced

in Chapter 4.

[24] Parts of this section are adapted from the paper Koslowski et al. (2013a).

3.1.1 Descriptive analysis

The first step to build a rigorous organizational resilience database was to identify

the major sources of scholarly publications. Three of the most prominent archives

were identified and employed as initial search banks. Data mining occurred in the

following three main catalogues: (1) Web of Knowledge & Web of Science, (2)

Social Sciences Citation Index (SSCI) and (3) EBSCO. The search was limited to

peer-reviewed journal articles – omitting books, book chapters and non-refereed

publications in line with similar literature reviews, e.g. (Koslowski and Strüker,

2011). Searches were carried out for ‘organizational/organizational

resilience’ in ‘title’, or ‘subject term’ or ‘author supplied key word’ in each of the

three databases. The results were then limited to those that were classified as

having a management or business orientation. This yielded a total of 142 papers

across all three sites. The remaining 142 papers were analyzed to glean insights

into the specific gaps pertinent to organizational resilience. Specifically, seven

main themes within each of the papers were investigated, including:

• Research Method (Conceptual or Empirical)
• Type of empiricism employed
• Model Development
• Level of Analysis
• Disciplinary context
• Sub disciplinary perspective
• Antecedents & determinants

This was done through a process of reading and categorizing the different papers

into the variables mentioned above. Categorization errors were limited through a

double blind review process that sought to decrease the variability in some of the

subjective categories.

Total Publications. One can observe from the chart below the huge increase in

interest afforded to organizational resilience over the last five years compared to

the relative inactivity from more than a decade beforehand. The relative fall off in

2012 can be accounted for by the time lag in some of the databases in updating

their catalogue.

Figure 8: Publications on Organizational Resilience (1993-2012)

Organizational Resilience Research Methods. An initial investigation into the

research paradigm employed by these papers sought to examine whether they

were mainly of a conceptual or empirical nature. The conceptual papers mainly

pertained to literature reviews, frameworks and discussion pieces. These papers

did not employ any research into the field of organizational resilience and mainly

posited ideas, thoughts, classifications and models. The empirical papers were

classified as such if that paper had undertaken some research. The caveat was that

anecdotal examples were also deemed empirical. The basis of empiricism shall be

developed in a subsequent section. Those of a conceptual nature that had research

and an empirical part were classified as empirical. This led us to 66 papers of a

solely conceptual nature and 76 papers that had some empiricism.

Figure 9: Organizational Resilience Research Methods

Model/Framework Development. The research also investigated whether a

model had been developed or not. This helped to ascertain the nature of the

conceptual contribution. Although not overly indicative of any high level analysis

it allows us to observe the nature of the contribution by the authors of the 142

papers. It was found that 48 of the papers developed and hypothesized a

somewhat stylized model within their analysis.

Figure 10: Organizational Resilience Model Development

Type of empiricism employed. Following from a broad classification of

conceptual/empirical, a logical subsequent step was to analyze the type of

empiricism that was carried out. Six major empirical classifications were mainly

found in organizational resilience; these included anecdotal examples, single case

studies, multiple case studies, econometric/macro analysis, surveys and focus

groups. One can see from the graphic below that the majority of papers employ

anecdotal examples or single case studies to analyze resilience. Of the 142 papers

analyzed, 57 were found to have used a single case study and 39 solely relied on

anecdotal examples.

Figure 11: Type of Empiricism Employed

Multi-Disciplinary Context. The analysis then investigated what disciplines

organizational resilience papers had been built upon, i.e. which

academic fields or branches of knowledge outside of organizational science

these papers have borrowed from, adapted or built upon. As has been illustrated (see

section 2), resilience has been written about in a wide variety of disciplines. We

can see that many authors found a congruency exists between some of these

disciplines, making the adaptation of their ideas into organizational resilience

reasonable. Specifically, many organizational resilience papers have employed

ecology, engineering and psychology as support for writings within a business or

management context. This may illustrate the multidisciplinary nature of resilience

and how potential opportunities exist to further clarify and investigate how

organizational resilience may draw learnings from other disciplines and branches

of knowledge.

Figure 12: Multi-Disciplinary Background

Business Sub-Disciplinary Context. The research then focused on the business

sub-disciplinary context within the organizational resilience database. The remit

for these sub-disciplines was largely driven by the different functions within

organization studies i.e. the operational level strategies and activities carried out

within an organization. These helped to clarify the specific business context that

the 142 papers on organizational resilience emphasized. One can observe that

there is large importance given to the Human Resource Management function

within organizational resilience writings with 43 of the 142 papers stressing this

sub-discipline. HRM is followed by strategy and crisis fields in joint second place

with 31 articles each, with information systems, communication and innovation

coming in fourth, fifth and sixth place respectively.

[Figure 12 chart residue: bar chart with categories Ecology, Engineering, Psychology, Pathology, Biomedical; data labels 11, 16, 29, 4, 4]

Figure 13: Business Sub-Disciplinary Perspective

Antecedents and Determinants of Organizational Resilience. A major

contribution of the organizational resilience database is to investigate how

organizational resilience has been operationalized in previous studies. Several

iterations were made to help make this list as comprehensive as possible. It was

found that most of the organizational resilience papers use 13 constructs to help

clarify the antecedents or explanatory factors for resilience.

It should also be noted that originally the analysis included ‘resilience capacity’

but this was found in more than 93 papers and it was deemed to be overly generic

as a determinant of organizational resilience. The remaining 12 constructs,

determinants and antecedents are illustrated in the pie chart below. Many of the

papers employed more than one of these constructs and the total number includes

all papers that used each construct i.e. we found that constructs were not mutually

exclusive and that papers usually employed more than one to help explain

resilience in an organization setting.

There is a mixture of external and internal factors in the list of factors, which

helps to explain the organizational resilience matrix, i.e. that resilience and the

typology associated with organizational resilience is a mixture of scope and nature

of resilience.

[Figure 13 data: Innovation 12; Strategy 31; Crisis Mgmt 31; Info Systems 18; Communication 17; Marketing 1; SCM 11; HRM 43]

Figure 14: Factors in Organizational Resilience Papers

[Figure 14 data: Risk 20%; Vulnerability 17%; Uncertainty 14%; Bricolage 2%; Safety 3%; Protection 3%; Robust Transformation 4%; Adaptive Fit 5%; Learning 8%; Adaptive capacity 10%; Agility 3%; Capabilities 11%]

3.1.2 Critical analysis

Several publications (Bhamra et al., 2011; Burnard and Bhamra, 2011; Pettit et

al., 2010; Ponomarov and Holcomb, 2009; Vogus and Sutcliffe, 2007) have

sought to form a literature review of resilience within an organizational

perspective. Others have applied existing ideas about vulnerability to problems of

increased organizational uncertainty in supply chains (Rice, JR and Caniato, 2003;

Sheffi, 2007), high-reliability organizations (Weick and Sutcliffe, 2007), terrorist

attacks (Freeman et al., 2003), disruptive innovation (Dewald and Bowen, 2010;

Reinmoeller and van Baardwijk, 2005), natural disasters (Baker, 2009) and

pandemics (Nohria, 2006). Other authors have attempted to analyze the link

between resilience and competitive advantage (Hamel and Välikangas, 2003;

McCann et al., 2009). These studies, although helpful, do not fully address some

of the important broader issues in organizational resilience. Most of these reviews,

theories, frameworks or typologies approach the topic in an inclusive, but

necessarily vague, manner (e.g. Bhamra et al., 2011; Burnard and Bhamra, 2011;

Pettit et al., 2010; Ponomarov and Holcomb, 2009; Vogus and Sutcliffe, 2007).

Others focus on a narrow perspective that does not place resilience in the larger

context of the organization (Freeman et al., 2003).

The main limitations of these early works on organizational resilience fall under

four main categories: (1) construct ambiguity, (2) vagueness about the specific

level of analysis, (3) failure to integrate and appreciate other research strands, and

(4) lack of managerial guidelines for practical implications. The first three

limitations will be discussed in detail in the following paragraphs. Chapter 4 will

further provide a set of practical implications of organizational resilience for the

management and design of Information Systems.

3.1.2.1 Construct ambiguity

First is the lack of construct clarity, which relates to the cautious recognition of

different conceptual abstractions of resilience. Ensuring construct clarity requires

an appropriate definition that captures essential properties and characteristics of

the concept. The descriptive analysis of existing contributions in the field of

organizational studies (either conceptual or empirical) indicates that many papers

fail to build on other academics’ work: 76 papers (53.5%) developed their own

definitions.

Some of the papers studied use resilience as a meta-theory (Freeman et al., 2003;

Vogus and Sutcliffe, 2007). Some papers identify resilience as an emerging

discipline in areas such as security (Perelman, 2006), safety (Hollnagel et al.,

2006; Wildavsky, 1988) and risk management (Smith and Fischbacher, 2009).

Others use resilience as a dynamic property (Coutu, 2002; Horne III and Orr,

1998; Weick and Sutcliffe, 2006) or as a meta-construct that encompasses multiple

features and mechanisms such as ‘redundancy’, ‘adaptability’ and ‘capability to

self-organize’ (Burnard and Bhamra, 2011; Longstaff, 2005; Woods, 2006c) or a

multi-dimensional high-level capacity (‘resilience capacity’) encompassing

cognitive, behavioral and contextual dimensions (Dewald and Bowen, 2010;

Lengnick-Hall and Beck, 2005). Some use the term to identify a set of

competitive strategies (Carmeli and Markman, 2011; Hamel and Välikangas,

2003; Reinmoeller and van Baardwijk, 2005).

The lack of construct clarity would not be an insurmountable problem in an

emerging field if the authors acknowledged or addressed the similarities and

differences of closely related topics and constructs. For example, how does the

author’s use of the term “resilience” relate to other concepts such as adaptive

capacity, adaptive fit, robust transformation, strategic agility, the learning

organization, turnaround and failure? Are resilience and efficiency simply

negatively correlated (e.g. Longstaff, 2005), or can their relationship be described

as curvilinear, such as innovation vs. slack (Geoffrey Love and Nohria, 2005)?

Confusion can develop when authors use terms such as adaptive capacity and

resilience interchangeably. Some authors treat resilience and vulnerability as two

sides of the same coin (e.g. Aven, 2011), while others see resilience as a relational

concept moderating the interaction of other constructs such as adaptive capacities,

vulnerabilities or threats (Pettit et al., 2010; Ponomarov and Holcomb, 2009). The

existing strands within organizational research may help explain and complement

resilience thinking; however, the links between these strands and organizational

resilience need to be knitted together or some sort of translation made to allow the

strands to talk to each other.

3.1.2.2 Level of analysis

The majority of organizational resilience papers studied are specific to different

contexts and levels within the organization to which resilience is applied. This

contextual variance is detailed by Somers (2009) when he questions what

constitutes resilience and if its definition can be a product of the units of analysis

in which it has been used. Of the 142 specific organizational resilience papers

investigated for this paper it was found that four main levels were studied: the

individual, the operational, the organization and the systems level. Some papers do not specify

the lines between these four levels and sometimes do not clearly delineate their

contribution to a specific level (compare Figure 16):

Figure 15: Level of Analysis Employed

[Figure 15 data, number of journal articles per level of analysis: Individual 21; Operational/Team 30; Organization 79; Industry/Systems 37]

For example, McCoy and Elwood (2009), Luthans et al. (2010) and Riolli and Savicki

(2003) do not explicitly distinguish between individual and organizational

resilience, while the papers of Buys (2012), Wastell et al. (2006), Erol et al.

(2010b) and Bhamra et al. (2011) do not reconsider the difference between the

organizational and industrial level. This is problematic because the resilience of a

sub-system does not ensure resilience of the larger system. There is evidence

that cross-level interactions are critical, as the resilience of a system at one level

(or “scale”) is affected by influences from scales above and below (Woods,

2006c, p. 23; McCann and Selsky, 2012, p. 53).

Lengnick-Hall et al. (2011) write that the relationship between individual

resilience and organizational resilience reflects the typical interaction between

systems and subsystems: “Organization-level capabilities are not just additive

composites of individual capabilities. Both, the actions of individuals and the

interaction effects matter. The complex social network in which it is enacted alters

both the development and realization of an organization's capacity for resilience in

important ways” (Lengnick-Hall et al., 2011, p. 245). Upward, it remains unclear

whether resilient individuals ensure a resilient community (Longstaff, 2005) or

whether resilient species within a biological system also guarantee a resilient

ecosystem (Maruyama, 2013). Moreover, factors determining resilience may vary

across different levels of analysis and are difficult to compare and transfer

(McDonald, 2006, p. 158): For instance, personality traits such as “self-

confidence” and mental orientations such as “locus of control” that are linked with

increasing individual resilience (Coutu, 2002; Masten, 2001; Luthar et al., 2000)

are not necessarily transferable to group or organizational level (Norris et al.,

2008).

Downwards, resilience of employees is affected by how organizational context

(e.g. culture, hierarchy, procedures) offers resolution of pressures such as goal

conflicts and other dilemmas. For instance, mismanaging goal conflicts or an

ineffective automation design can create power differentials and confusion at the

individual scale, leading to inflexible and misaligned responses with negative

consequences (Woods, 2006c; Riolli and Savicki, 2003). On the other hand,

upward resilience is affected by the behavior of entities of local agents: local

adaptions such as workarounds or innovative tactics can have delayed effects on

strategic goals. For example, workload bottlenecks at the operational scale can

lead to higher workarounds that make strategic attempts to implement standards

for better compliance and efficiency unworkable (Woods, 2006c, p. 23). This

further exemplifies the need to stringently reconsider contextual variances in

organizational research regarding the selected level of analysis (McDonald, 2006,

p. 158).

3.1.2.3 Lack of theory building

Since the existing organizational resilience constructs lack universality it is

important to outline the precise contextual conditions under which a construct

may or may not adhere. Types of scope conditions include e.g. space, time and

constraints of assumptions, which can strongly affect the specific

conceptualization of resilience and its related determinants. The importance of

“space conditions” for organizational resilience has already been described in the

section above as the different hierarchical roles that are operational (e.g. leader,

manager, or employee) can also be viewed as a dimension of “space”. As

responsibilities, obligations and capabilities across the different hierarchical role-

levels largely differ, organizational resilience requires different principles and

enablers in each dimension of that space (Välikangas, 2007). For instance, front-

line employees such as maintenance staff or sales-managers are often most

knowledgeable about the actual state of the current organizational process, while

employees of higher managerial levels such as division leaders might have a

clearer picture about the strategic mission and interaction of the web of

organizational processes (Butler and Gray, 2006; Weick and Sutcliffe, 2007).

In line with Suddaby (2010) the lack of construct clarity for resilience impedes

empirical exploration of organizational resilience. Bhamra et al. (2011) in their

review of organizational resilience highlight that “there appears to be a strong

focus around building theories and definitions of resilience. However, the

literature is lacking in empirically proving the theories.” This assertion is

supported by Rose (2004), citing that “at the empirical level, it is especially

difficult to gather data on resilience to specify models.” Vogus and Sutcliffe

(2007) further posit that, “Given the dearth of empirical work exploring resilience

in organization theory, many (if not all) avenues are open for future research in

resilience” (Vogus and Sutcliffe, 2007).

These observations are basically confirmed by the descriptive analysis in the

preceding section as around 46% of the reviewed organizational resilience

literature was solely conceptual. In addition, only approx. 33% of the papers

developed a model within their analysis.

The following sections seek to answer the call from Lengnick-Hall and Beck

(2005) that “components of resilience capacity need to be better understood.” It

also looks to inform the questions posed by Carmeli and Markman (2011): “What

strategies are primarily related to organizational resilience; and what tactics are

indispensable when organizations strive to enhance their resilience and prolong

their existence? These and similar questions regarding the architecture of long-

lasting organizations are vexing research topics in the field of strategic

management” (Carmeli and Markman, 2011).

The next section also illustrates that although the differing literature streams on

resilience help inform the nuances, there is no cure-all for organizational

resilience anywhere on the horizon. And, in line with Lengnick-Hall and Beck

(2005), this research supports the assertion that resilience is not an effective

approach under all circumstances and for all organizations. So the elements of

resilience appearing crucial in a moderately dynamic environment marked by

punctuated equilibrium appear to be different from those resilience elements in an

extremely turbulent environment (Lengnick-Hall and Beck, 2009, p. 53). For

instance, they further state that one of the four resilience types identified, robust

transformation, “should be a situation-specific choice and a distinct, deliberate,

episodic set of responses to an environmental condition rather than an underlying

organization design paradigm” (Lengnick-Hall and Beck, 2005). Therefore, it

becomes important to begin by looking at several strands within the research that

attempt to discover the link between resilience elements and organizational

capabilities.

3.1.3 Resilience elements and organizational capabilities

Scholars across different disciplines have discussed the importance of temporal

scales of resilience (e.g. Hollnagel et al. 2006; Kahan et al. 2009; Norris et al.

2008; Walker and Salt 2006). Some systems are in a continuous state of change

while others require the development of multiple capabilities and strategies for the

different phases of an occasional or episodic disturbance: before, during and after

(Hollnagel et al. 2011). Figure 17 depicts three different “resilience elements”

which capture the relationship between resilience responses across these different

time points. In addition, unique organizational capabilities that are said to enhance

and maintain organizational resilience are depicted as well.

Research on organizational design and capabilities has received growing attention

since the 1980s with the rise of the so-called “resource-based view” (for a detailed

overview, see for instance Dosi et al., 2000; Teece and Pisano, 1994; Wernerfelt,

1984). Although the concept of organizational capabilities still remains rather

ambiguous, it is basically accepted that a set of capabilities can be identified,

selected, developed, and implemented in unique ways to enable firms to deal

effectively with organizational problems, and consequently generating

competitive advantage and better firm performance (Dosi et al., 2000; McCann

and Selsky, 2012, p. 115). At least one scholar has proposed that a capability

consists of several interrelated knowledge dimensions: employee knowledge and

skills; technical and managerial systems; and values and norms (Leonard-Barton,

1992). Barney (1991) stressed that these unique capability configurations are due

to particular historical conditions, while causal ambiguity and social complexity

can be vital in achieving a sustainable competitive advantage (Teece and Pisano,

1994; Hitt et al., 2011). Coutu (2002) states that resilience is “merely the skill and

the capacity to be robust under conditions of enormous stress and change.” Cunha

and Da Cunha (2006) explore the complexity of many sub-strands of strategic

management and see commonalities between concepts such as improvisation,

minimal structures, simple rules, dynamic capabilities, bricolage, and

organizational resilience. Carmeli and Markman (2011) also link

organizational capabilities with helping to answer what makes an organization

resilient and prolongs its existence.

Therefore, an array of different organizational capabilities with focus on each

resilience element is provided.

Figure 16: Resilience Elements and Organizational Capabilities

3.1.3.1 Before an event

On the first end of the time line, before an event occurs, resilience elements

encompass processes of preparation and anticipation (Hollnagel, 2011;

Lengnick-Hall et al., 2011; Madni and Jackson, 2009). Successful anticipation

and prediction of expected disruptions allow for preventive measures and

therefore an avoidance of an actual occurrence. This includes, for example,

building walls around a city or screening people for weapons at a building

entrance. These approaches of resistance and anticipation are suitable for

semi-stable and predictable environments (compare Section 2.2) where the types of

disruption are knowable. In other situations, where anticipation is not possible,

forecasting or calculating probabilities of threats and vulnerabilities may not be

feasible. Instead, resilience may require a process by which ongoing knowledge

about the systems’ structure and behavior is gained by increased awareness and

sensing25 to permit ex-ante adaptive moves to reduce the impact of unexpected or

unavoidable disruptive events (Hollnagel, 2011; Park et al., 2013).

3.1.3.2 During an event

Organizational capabilities to anticipate further enable and strengthen other

organizational capabilities in the subsequent periods of the time-line, namely

during and after the occurrence of the event. The resilience elements during an

event combine current capabilities and practices with the objective of risk

mitigation and endurance. Here, organizations are forced to leverage

robustness, capabilities to absorb or withstand stress related to a disruptive event,

as well as a quick and thoughtful response in order to mitigate the impact of an

event to an organizational system or process. While improvisational skills such as

bricolage and creativity gain importance on an individual level (e.g. Weick and

Sutcliffe, 2007; Välikangas, 2007), prompt and flexible coordinative or

networked-based actions enable resilience in this phase on a group or

organizational level (e.g. McCann and Selsky, 2012; Sheffi, 2007; Woods,

2006c). A deeper investigation about networked-based actions is subsequently

provided in the paragraph on the resilience element “integration”.

3.1.3.3 After an event

Some authors focus solely on restoration and adaption after an event has occurred

(such as Ponomarov and Holcomb, 2009, p. 131; Boin and McConell, 2007, p.

54; Zobel, 2011, p. 394). Those ex-post responses require unique

organizational capabilities that are also included in the corresponding resilience

definitions, such as the ability to recover or return to normal (Linnenluecke and

Griffiths, 2010, p. 488; Zobel, 2011, p. 394), the ability to adapt or adjust to

normal (operation) (e.g. Caralli et al., 2010, p. 1; Vogus and Sutcliffe, 2007, p.

3419), but also the ability of renewal and reinventing (e.g. Dewald and Bowen,

2010; Hamel and Välikangas, 2003, p. 53; Reinmoeller and van Baardwijk, 2005,

p. 61). This element of resilience obviously addresses situations where disruptive

events have taken place, despite (ineffective) efforts in the previous times.

25 Further explanations of awareness and sensing will be given later in the same section “Continuous elements”.

Another crucial capability, on both the tactical and the strategic level, that

must take place after the event is learning from the experience (e.g. Hollnagel,

2011; Lengnick-Hall et al., 2011). Learning is generally understood as a process

by which knowledge is created, accumulated, and maintained by observations and

experiences of the past (Hamel and Välikangas, 2003; Hollnagel et al., 2006;

Weick and Sutcliffe, 2007). In turn, those learning experiences serve as a

foundation for further improvements of the other resilience elements in

successional periods or future similar disruptions (Crichton et al., 2009; Erol et

al., 2010b).

3.1.3.4 Continuous elements

A transversal resilience element along the whole time line or life cycle of the

organization relies on continual awareness, sense-making, and

integration (McDaniels et al., 2008; McCann and Selsky, 2012; Pettit et al., 2010;

Stephenson et al., 2010; Weick and Sutcliffe, 2007). According to the taxonomy

of Lengnick-Hall and Beck (2005, pp. 750f) and Lengnick-Hall et al. (2011),

awareness and sensemaking present cognitive factors of organizational resilience.

These factors can, for instance, foster a positive and focused mental orientation if

given a strong sense of purpose, sophisticated tools and solutions for scanning

and interpreting signals, as well as an ability to accumulate knowledge (McCann

and Selsky, 2012, pp. 85f.). In contrast, integration and the related ability to create

and manage networks refer to behavioral and contextual elements of

organizational resilience. Those elements enhance and maintain organizational

resilience along the whole timeline. For example, an established

cross-organizational platform (such as periodic risk reporting between suppliers or a

common information system; Koslowski and Strüker, 2011) for managing

supply-chain risks allows a more comprehensive and faster repertoire of responses in

times of stress (Lengnick-Hall et al., 2011; McCann and Selsky, 2012).

A broad and widely accepted definition of situational awareness is given by

Endsley (1995, p. 36) as “the perception of environmental elements within a

volume of time and space, the comprehension of their meaning, and the projection

of their status in the near future.” Hence, situational awareness is basically about

an achieved knowledge base (“big picture”) of current data. It comes along with

data gathering that sufficiently provides management with insights about the current

state of system behavior (such as the problems regarding the quality of

performance, safety, security, etc. and the current state of defense controls)

(Wreathall, 2006, p. 280). In contrast, sense-making is about those collaborative

processes to achieve (shared) situational awareness (Klein et al., 2006). Literally,

sensemaking is a process of framing experienced situations as meaningful to all

decision makers. Moreover, it describes a process26 of examining past events that

further allows for the interpretation and justification of the present and for the

prediction of a plausible future. The concept is widely applied in organizational

studies and generally provides insights into factors that arise when organizations

face uncertain or ambiguous situations (Weick, 1995; Weick et al., 2005).

A related but distinct concept is mindfulness. It is said to be “a rich awareness of

discriminatory detail […] Mindfulness is different from situational awareness in

the sense that it involves the combination of ongoing scrutiny of existing

expectations, continuous refinement and differentiation of expectations based on

newer experiences, willingness and capability to invent new expectations that

make sense of unprecedented events, a more nuanced appreciation of context and

ways to deal with it, and identification of new dimensions of context that improve

foresight and current functioning” (Weick and Sutcliffe, 2007, p. 23).

Consequently, mindfulness is “about the quality of attention” (Weick and

Sutcliffe, 2007, p. 23). As organizations become more vulnerable when their

attention is distracted or unstable, mindfulness preserves a resilience enhancing

capability to see the significant meaning of weak signals (such as emerging threats

or small failures) and to give strong responses to weak signals. Therefore,

mindfulness helps organizations to anticipate unexpected events, but it further

assists in mitigating the potential damage of those events. Mindful organizations

continually refine existing processes and establish a wide array of creative skills

to cope with stress. Key aspects and processes of mindfulness introduced by

26 According to Weick (1995, p. 17), sensemaking is understood as “a process that is 1. Grounded in identity construction; 2. Retrospective; 3. Enactive of sensible environments; 4. Social; 5. Ongoing; 6. Focused on and by extracted cues; 7. Driven by plausibility rather than accuracy.”

Weick and Sutcliffe (2007, pp. 36–39) will be discussed in the next chapter on

the role of Information Systems for resilient organizations.

In addition to these cognitive factors of organizational resilience, there are also

behavioral and contextual conditions that support resilience (Lengnick-Hall and

Beck, 2009). These conditions primarily rely on integration, here broadly

defined as the ability to systematically create and manage structured networks of

relationships, both within and outside an organization in order to facilitate

effective collaborative responses to environmental and operational turbulence and

complexity (e.g. Hoffer Gittell et al., 2006; Longstaff, 2005; McCann and

Selsky, 2012; Lengnick-Hall et al., 2011; Sheffi, 2007). This is supported by

Lengnick-Hall and Beck (2009, p. 51) and Lengnick-Hall et al. (2011), who find

evidence for the crucial role of access to broad resource networks in creating

contextual resilience. The authors define contextual resilience as “the combination

of interpersonal connections, resource stocks, and supply lines that provides the

foundation for quick action under emerging conditions that […] have the potential

to jeopardize the organization’s long-term survival” (Lengnick-Hall and Beck,

2009, p. 50). Hence, resilient organizations are able to utilize relationships with

other stakeholders to enrich an inventory of resilient responses by obtaining

external resources and supportive actions.

As highlighted previously, organizations are increasingly confronted with an

operational environment marked by interconnectedness and interdependence.

These challenges are the object of Perrow’s “Normal Accident Theory” (NAT)

(Perrow, 1984). Following his investigations in the aftermath of the

accident at the Three Mile Island nuclear power plant, Perrow introduced the idea

that multiple failures and errors are inevitable in complex socio-technological

systems (e.g. nuclear power plants or air traffic). As a consequence, accidents are

unavoidable and “normal” as a result of a system’s combination that is

characterized by two dimensions, coupling and interaction (interactive

complexity). The first dimension (sometimes called coupling) describes the extent

to which an action is related to its consequences, indicating how fast cause and

effect propagate through the system. “Tightly coupled” systems are highly

interdependent, and have prompt and major impacts on each other. Although such

systems can quickly respond to perturbations, there is a danger that this response

may be catastrophic. In contrast, loosely coupled systems have fewer links and

interdependencies (Orton and Weick, 1990) and therefore allow local adaptions

and absorbing failures or unplanned behavior.

The other dimension, interactive complexity, describes the interaction between

system elements: complex interactions consist of many alternative sub-tasks at

any completion while linear interactions are comprised of a set of fixed steps

carried out in a rigid sequence. Moreover, complex interaction further indicates that

it is very difficult for operators to understand and interpret/predict the system’s

behavior. The two-dimensional framework of Perrow is illustrated in Figure 18:

The tightly coupled and linear situations (matrix field 1) represent more stable

configurations with emphasis on efficiency and prompt response (Lengnick-Hall

and Beck, 2005, p. 752). In such systems like assembly-line production, routine-

based approaches ensure resilience through standardizing processes, automation,

and embedding procedures and are therefore fundamentally Tayloristic27 (e.g. Butler

and Gray, 2006, p. 214). This requires that potential failure-modes have already

been anticipated ex ante in the original design of the system or process.

Examples of the other extreme, loosely coupled and complex interactions (matrix

field 4), can be found in research and development departments or universities.

The sequence of processes is often independent from each other, feedback times

are relatively slow, and the system is better prepared to allow sub-system

breakdowns without damaging the entire system (Orton and Weick, 1990).

Vulnerable systems are those with interactive complexity and tight coupling

(matrix field 3) such as aircraft, nuclear plants, and space missions. In such

turbulent and incomprehensible environments, independent failure events can

27 Taylorism or “scientific management” is a management approach focusing on detailed decomposition of labor, control, and standardization (e.g. Pruijt (2000), Section 3.2). It still receives great attention in current business as a foundation for the “Business Process Engineering” paradigm (Davenport, 1993; Hammer and Champy, 2003), which is the research object in Chapters 4 and 5.

interact in unpredictable ways that cannot be predicted and prevented by designers

of the system. For example, the so-called compositionality challenge describes

such a phenomenon: emergence and the concentration of novel services, functions,

or components to a shared infrastructure places a considerable strain on any

system that has originally been designed with a more limited set of components in

mind, but later adopted to run multiple services (not originally envisioned). This

increase of complexity further enhances unforeseen events and therefore uncertainty

(Paries 2006). Operators are in danger of reacting too slowly, and automatic

systems are prone to cascading failures with possibly disastrous consequences

(Perrow, 1984). Perrow concludes that accidents in complex and tightly coupled

systems are inevitable, and that attempts to improve safety are questionable as

corrective actions involve increasing complexity and therefore render accidents

more likely (Woods, 2006a; Hollnagel, 2011).

Figure 17: Normal Accident Theory28

While Perrow’s conclusion is very pessimistic (Hollnagel, 2011, p. 128), it is

widely accepted that Taylorism under such circumstances leads to higher

supervision and controlling costs, lack of flexibility, loss of creativity and

(information) processing overload. This eventually can lead to a call for mindful-

based responses to resilience that are more loosely coupled and flexible (e.g.

Grote, 2009; Meyer, 1982; Nohria, 2006; Weick and Sutcliffe, 2007).

Hence, we can conclude from this literature that, in turbulent and complex

operational settings, any kind of incident or disruption has the potential to affect

the multiple lines of business and organizational units to which they are

connected (e.g. Sheffi, 2007; Tanriverdi et al., 2010; Weick and Sutcliffe, 2007).

This may call for a higher degree of flexibility, agility, and informal decision-

making. Such situations reveal that localized and discrete responses may not be

28 from Perrow (1984, p. 97)

sufficient and could require harmonization of managerial responses by means of

integration, collaboration and the management of interdependencies within an

organization and across organizations (e.g. Caralli et al., 2010; Grote, 2009;

Victor and Blackburn, 1987; Roberts, 1990). While all these terms such as

interdependence (Victor and Blackburn, 1987; Grote, 2009, p. 19), integration

(Barki and Pinsonneault, 2005), cohesion (Fiksel, 2003, p. 5333), convergence

(Borgatti, 2003, p. 1004; Caralli et al., 2010, p. 17), or “engaged networking”

(McCann and Selsky, 2012, pp. 155f.) describe distinctive concepts with their own

definitions and meanings, this thesis focuses on the commonalities and similarities

and therefore uses the terms interchangeably.

To sum up, integration as another resilience element encompasses both managing

positive effects of the organization’s networks (such as quick response,

information exchange, collective learning, etc.) as well as managing negative

effects of the networks (such as increasing complexity and interdependency, less

predictability, and emerging systemic risks that can cause cascading failures and

system collapse) (Boisot and McKelvey, 2011; Perrow, 1984; Schweitzer et al.,

2009).

Some organizational resilience scholars who have dealt with integration mention

the extension of decision making amongst networks as highly important, such as

immediate cross-organizational communication and collaboration (e.g. Crichton et

al., 2009; Grote, 2009, pp. 83f; Kahan et al., 2009; Lengnick-Hall and Beck,

2005, p. 752; Rice, JR and Caniato, 2003; Sheffi, 2007). Other scholars emphasize

distributed decision-making, mutual collaboration and coordination between

departments within an organization (Coutu, 2002; Mallack, 1998; McCann and

Selsky, 2012; Nohria, 2006).

In practice, integration can be manifested as cross-departmental training of

employees (Somers, 2009; Stephenson et al., 2010) to attain the convergence of

operational risk management activities with local objectives, such as security,

business continuity, crisis and IT operations management (Caralli et al., 2010, p.

17).

In contrast, others emphasize managing risks of networks inherent in its

interdependencies, at least when organizations become overexposed to network

relationships (McCann and Selsky, 2012, p. 157)29. For instance, the financial

crisis in the mid-2000s revealed the fragility of the hyper-connected network of

global banks, creating some institutions with a “too big to fail” status, making it

impossible for financial institutions (and regulators) to correctly assess and predict

their own robustness and risk of contagion (McCann and Selsky, 2012, p. 18;

Schweitzer et al., 2009; Taleb, 2008).

Another well-known example is given by Sheffi (2007) in “Big Lesson from

Small Disruption”, describing why a relatively small disruption - a lightning strike

in a supplier’s plant - affected two companies in the same business (Ericsson and

Nokia) in dramatically different ways. The disruption forced Ericsson to exit the

market while Nokia could increase its market share (Sheffi, 2007, pp. 3–10)

because Nokia had connections to alternate suppliers. The essence of these

anecdotal examples is that integration not only requires the ability of prompt

relationship-building, but also the ability to carefully manage these

interdependencies by creating boundaries and decoupling relationships when risks

of containment occur (McCann and Selsky, 2012, pp. 166ff; Sheffi, 2007, p. 224).

3.2 Framing organizational resilience types

Perrow’s “Normal Accident Theory” introduced in the previous section shows

that a combination of specific system characteristics (interaction and coupling)

has significant impacts on the requirements and mechanisms needed to

cope with turbulence. This serves as a starting point for developing a novel

framework to distinguish and categorize organizational resilience types. The

framework explores how the recognition of environmental and internal

characteristics helps to clarify substantial distinctions of the organizational

resilience concept according to the dimensions (1) Degree of Turbulence and (2)

State of Adaption. This allows for a systematic consolidation of both external and

29 Risks associated with IT-induced connectivity are presented in Chapter 4.

internal forces that can be examined to determine the appropriate organizational

resilience type for each combination. Such a clarification and categorization

enables an appreciation of the nuanced nature of the specific mechanisms for

building resilient organizations under specific environmental conditions.

The next section will review existing approaches to organizational resilience. It

will build on the existing work in this field to build a theoretical framework that

recognizes the competing visions and manifestations of organizational resilience

(i) as either a tactical or strategic response to uncertainty or surprise; (ii) as a

capacity for resistance to change or a capacity for transformation and renewal;

(iii) as a descriptive or normative notion; and (iv) as a solely reactive ex-post

response or a broader proactive response. The basic problem of current attempts

to conceptualize organizational resilience is that they fail to capture both the different

external system characteristics (“resilience to what?”) and the internal

mechanisms (as well as the amplitude of the applied resilience elements).

3.2.1 The underlying puzzle

As one can learn from the multidisciplinary resilience matrix introduced in

Section 2.2.2, there exist four generic resilience types based on the level of

complexity and the degree of normativity. The comparison between the

descriptive and normative applications of resilience masks a further obscurity of

resilience: the nature of change. In material science and ecology, resilience

mechanisms become apparent in the event of destabilizing change and strain. In

human and ecological systems change can be positive surprises that can lead to

opportunities. Or the change can be negative events such as failure and crisis that

can lead to a reduction in resources or even system collapse. The latter situation

dominates the attention of organizational studies, as organizational resilience is

linked to adjustments in the face of challenging conditions (Sutcliffe and Vogus,

2003), responses to “disruptive surprises that potentially threaten organization

survival” (Lengnick-Hall et al., 2011), “springing back from a disaster” (Zobel,

2011) or triggered by any kind of crisis (Norris et al., 2008).

However, some authors see resilience in both situations. They see the term as

associated with “a set of technical and organizational capabilities in order to

manage performance variability, both as a source of failure and success”

(Hollnagel et al., 2006) and “any kind of surprise” (Longstaff, 2005). This second

school of thought that sees change and challenge as both an opportunity and a

danger corresponds well to Schumpeter’s notion of creative destruction, where

experiments, failure and deconstruction involve opportunities and sources of

innovation and novelty (Lorenz, 2010).

The academic work that emphasizes resilience against ‘bad events’ seems to

correspond with the specific field of application: The importance of resilience as a

capacity or capability to cope with negative events is often highlighted in the

theory and practice of disaster response and related sub-fields such as business

continuity, emergency response, security and safety management. These authors

have examined these problems using different terms but all look at negative

events: accidents (Hale and Heijer, 2006; Woods, 2006a), human adversity

(Masten, 2001), crisis (Norris et al., 2008), disturbances (Woods, 2006b), risks

(Hale and Heijer, 2006), shocks (Kendra and Wachtendorf, 2003), failure

(Leveson et al., 2006), loss and trauma (Freeman et al., 2003) in order to

minimize the exploitation of vulnerabilities in threats. In these fields, managing

for resilience is linked with a wide arsenal of managerial, analytical and

architectural principles with the objective of damping negative impacts through

‘fault tolerance’ and ‘graceful degradation’ and rapid recovery to an acceptable

performance state (Madni and Jackson, 2009). Across different disciplines and

fields, the underlying mechanisms to enhance and maintain resilience involve

investments in different kinds of buffering capacities (Lynn, 2005) such as

‘redundancy’, ‘diversity’ and ‘modularity’ both in structure and responding-

actions of a system, such as an organization.

Although these mechanisms do not fundamentally differ from other streams with

a more strategic orientation such as in ecosystem management (McCann and

Selsky, 2012, pp. 43ff.) and particularly strategic management (Hamel and

Välikangas, 2003; Reinmoeller and van Baardwijk, 2005), it is evident that the

range of options or ‘strategic degree of freedom’ increases with a longer time

horizon. Hence, a second aspect of the nature of change concerns the perceived

pace, predictability and the magnitude of the impact, leading to different degrees

of turbulence (Ansoff and Sullivan, 1993; McCann and Selsky, 2012) that

consequently call for different response types. A short-term oriented application of

resilience emphasizes low-complexity types of recovery and withstand.

Instead, a longer time frame allows a higher degree of freedom: a stronger

consideration of other related resilience capabilities such as learning and

innovation that can lead to adaption or transformation (Walker and Salt, 2006).

For example, Hamel and Välikangas (2003) describe strategic resilience as “having the

capacity to change before the case for change becomes desperately obvious”.

Authors such as Reinmoeller and van Baardwijk (2005) and Carmeli and

Markman (2011) underpin capabilities for innovation and renewal as the core of

organizational resilience. As we can see, the conceptualization of organizational

resilience is often dependent on the specific time frame/predictability applied and

consequently requires fundamentally different resources and policies for

enhancement and maintenance.

An illustrative example is given again by Nokia: Nokia’s success in the late 90’s

and early 2000s is often used as a business case for resilience. In particular, Nokia’s

reaction during the lightning-strike incident at Philips Electronics’ semi-conductor

fabrication plant (for a recap see Section 3.1.3) is an often-used example of resilient

behavior (Sheffi, 2007): After Nokia was informed about the incident, they

immediately started daily discussions with Philips regarding affected parts.

Moreover, they pressed Philips to find alternative suppliers, and further paid extra

rates for quick setup and production. As a consequence, Nokia increased its

market share more than 10% while its competitor, Ericsson, was forced to exit

the market. But while Nokia impressively demonstrated operational resilience in the

short-run, they failed to sustain their superior position in the long-run (lack of

strategic resilience). Today, Nokia confronts declining yields and market shares as

they struggled to adapt their business model to the transformation of the mobile

industry when Apple and Google introduced their smartphones and mobile apps

(Cord, 2014).

A similar but distinct issue concerns the relationship between dangers that are

known and those that are not. Ecologists who investigate the interaction between

human and ecological systems (social-ecological systems) highlight the unique

role of human capacity for foresight and anticipation (e.g. Gunderson, 2009). As

people can anticipate, learn and plan to increase resilience, many theorists and

decision-makers advance the view that preventive principles and actions need to

be included into the arsenal of resilience mechanisms. This extended scope of

organizational resilience is found in safety management (Hollnagel, 2011), the

protection of critical infrastructure (e.g. Jackson, 2009), as the ‘readiness’

component of supply-chain resilience (Sheffi, 2007), or in strategic management

as the “continuously anticipating and adjusting to deep, secular trends that can

permanently impair the earning power of a core business” (Hamel and

Välikangas, 2003). This extended scope applies under relatively stable and predictable

environments where causalities, boundary conditions and system dynamics are

known.

In contrast to the broad scope of resilience, another perspective exists in which

organizational resilience is explicitly directed against unexpected, unforeseeable events, as

for instance noted by Wildavsky (1988) who characterizes organizational

resilience as the “capacity to cope with unanticipated dangers after they have

become manifest” (Wildavsky, 1988, p. 77). Similar to Perrow’s assumptions

regarding “normal accidents”, Wildavsky (1988) criticizes the prediction of

hazards and the “pretend” safety improvement within highly complex technologies

and favors resilience as an alternative, complementary approach. Instead of being lulled

into a “false sense of controllability or security”, this stream outlines

organizational resilience as a collective ability to learn how to cope with

unanticipated events through a positive attitude/culture towards failure

(Wildavsky, 1988, p. 79).

3.2.2 Organizational resilience dimensions

The arguments advanced in the previous paragraphs have signified the need to

consider contextual (system-) conditions, resulting events and related mechanisms

to cope with risks and perturbations. As claimed by Mamouni Limnios et al.

(2014, p. 109) and Longstaff et al. (2013), and in Chapter 2.2 of this dissertation,

resilience cannot be a goal itself. In contrast to resilience in social-ecological

systems, resilience in human systems is usually³⁰ accompanied by intentionality

and expectations about a certain future. Thus, managing resilience or “resilience

engineering” (Hollnagel et al., 2006) are usually (positive) normative activities as

they aim to either maintain a desirable state (bounce back) or adapt and transform

towards an alternative desirable state (bounce forward). Organizational resilience

is almost always conceptualized with normative connotations (Mamouni Limnios

et al., 2014, p. 109).

In order to recognize both environmental forces and desired organizational

responses to the environment, the resilience of an organization will depend on two

dimensions: (1) Degree of Turbulence of the (external) environment; and (2) the

current State of Adaption (Chakravarthy, 1982, pp. 35f.), which expresses the

degree to which an organization is matching its capabilities with the external

environment.

According to the specific combinations across the dimensions, one can identify

four different types of organizational resilience and their corresponding key

actors, design strategies, and outcomes.

³⁰ In fact, situations are possible where human systems such as organizations successfully cope with challenging conditions by accident or by fortune. This can happen when they fail to realize “wrong” plans. Nonetheless, the activities of human systems basically remain goal-oriented and therefore intended.

3.2.2.1 Degree of turbulence

Swift change, driven by technological innovation, has been seen in many parts of

the world in the twentieth and twenty-first centuries. Early work on change dates

from the time of the transformation from the industrial to the information age (McCann

and Selsky, 2012, pp. 24f.). In organizational studies, at least three prominent

research streams exist emphasizing the crucial relationship between organizational

environment and organizational performance:

The most prominent theory in the strategy literature, often referred to as the

“market-based view of the firm” is based on industrial organizational economics

and stresses an adequate market position as a source of economic performance

(Hitt et al., 2011). The widely used framework “Five Forces Analysis” developed

by Michael Porter draws upon this perspective and focuses outside the

organization on diverse external forces: bargaining power of (i) suppliers and (ii)

customers, (iii) new entrants, (iv) substitutes, and (v) rivalry within an industry

(Porter, op. 1998). The second perspective treats organizations as complex

adaptive systems that are sensitive to their environment, respond, and co-evolve

with them (Colbert, 2004; Holland, 1998; Mitleton-Kelly, 2003; Church, 1999)

(for recap on complex adaptive systems see Section 2.2). Thirdly, other scholars

stress the need for organizations to seek a strategic fit with their changing

environment (e.g. Chakravarthy, 1982; Ginsberg and Buchholtz, 1990; Levinthal,

1997; Venkatraman and Camillus, 1984). According to this stream, organizational

design – work systems, management processes, organizational cultures, and

leadership – evolves to “fit” their business environment and their strategic actions.

This fit or alignment enables organizations to develop the required capabilities to

compete successfully (Beer, 2002; Venkatraman and Camillus, 1984). From this

point of view, both environmental characteristics and organizational potential

shape a firm’s adaptive response and consequently determine its survival and

performance (Lengnick-Hall and Beck, 2005; Lengnick-Hall and Beck, 2009).

As we learned in Section 2.1.1 on VUCA environments, there is an increasing

tendency for systems to become turbulent and complex. However, all systems,

industries, and organizations experience turbulence and complexity of varying

degrees. Turbulent environments are often described as highly dynamic and

having volatile changes that create uncertainty and unpredictability (Calantone et

al., 2003, p. 91). Calantone et al. (2003) provide an overview of the multifaceted

notions that have been used to describe turbulent environments: unfamiliar,

hostile, heterogeneous, uncertain, complex, dynamic, and volatile. Calantone et al.

further conclude that these descriptors alone constitute only measures of a

turbulent environment. Hence, they do not completely describe turbulence

because turbulence evolves from the mixture of a hostile, heterogeneous, and

dynamic environment. However, the majority of organizational scholars

emphasize the unpredictability of turbulent environments. For example, McCann

and Selsky (2012) define turbulence as the “pace and disruptiveness of change”

(McCann and Selsky, 2012, p. 19) while Milliken (1987) highlights the

“unpredictability of change” as a crucial element of turbulence (Milliken, 1987, p.

139). A continuum of varying degrees of turbulence (from more stable and

predictable to volatile and unpredictable) will constitute one dimension to

categorize different organizational resilience types.

Low Degree of Turbulence. An environment with a low degree of turbulence is

marked by events with moderate levels of predictability and severity. The system

characteristics exhibit stable features such as the linearity and embeddedness of

vertical hierarchical control structures. The “expected” surprises or change

impacts occur as episodic, incremental or continuous, meaning that the turbulence

may be embedded in the expectations of the organization (cf. Figure 4 in Section

2.1.1). An example of continuous turbulence is competition or market

turbulence which is characterized by continuous changes in customers’

preferences, in price structures, and in the composition of competitors. These

challenges exhibit ongoing risk and thus are not surprising for organizations

(Sutcliffe and Vogus, 2003; Calantone et al., 2003, p. 91). In less turbulent

environments, the emphasis on coping with change lies in investments to create

robustness and stability through anticipation and preventive measures (Lengnick-Hall

and Beck, 2009; Wildavsky, 1988, pp. 119f.). Such environments share many

commonalities with Perrow’s characterization of linear, tightly coupled systems

(cf. Sub-Section 3.1.3.4). The intelligence base is introduced as another feature to

describe the varying degrees of turbulence: it includes different scanning,

planning, and control systems for decision-makers (e.g. Burns and Stalker, 2000).

Under more stable and predictable circumstances, organizations may be able to

deal with this kind of turbulence in advance by setting up routines and

standardized procedures. Algorithmic, systematic optimization models are

effective for problem solving based on historical precedents and experiences as

long as the forces that created those precedents and experiences have not changed

(Chakravarthy, 1982, p. 38).

High Degree of Turbulence. In contrast, highly turbulent environments have

properties such as highly dynamic and volatile change creating uncertainty and

unpredictability (Calantone et al., 2003, p. 91). A major feature of a high degree of

turbulence is its potential for disruptively changing environments, surprises and

discontinuity. In the 1960s, Emery and Trist first introduced the term “turbulent

environment” and noted that the nature of change itself was beginning to change

(McCann and Selsky, 2012, p. 24). Consequently, it is not just the pace of change

but rather the disruptiveness of change that is experienced in some systems.

Turbulent, uncertain types of change are given multiple names in

organizational studies, such as “black swans” (Taleb, 2008) or “environmental jolt”

(Meyer, 1982). They all describe an abrupt and unexpected event which is

difficult or even impossible to foresee and whose impacts on organizations are

disruptive and harmful (Meyer, 1982). Such “low-probability/high-impact events”

(Sheffi, 2007, p. 21) are outside the scope of daily management or the “safety

envelope” (Hollnagel et al., 2006; Nemeth et al., 2009) and call for different

decision-making styles and resources. Historical records are not sufficient

anymore, and organizations need to develop capabilities for improvisation and

creativity to face these turbulences (Coutu, 2002; Horne III, 1997; Lengnick-Hall

and Beck, 2009; Lengnick-Hall et al., 2011).

Turbulent systems often come along with complexity. Such complex systems are

often open and nested (Dorner, 1996; Longstaff, 2005). An open system is one

that continuously interacts with its environment by means of information, energy

and material exchange. Moreover, they are often nested in the sense that the

components or sub-systems of a complex system are also complex. For instance,

an industry is constituted by different market players such as competing firms,

public agencies, suppliers, which are made up of people. Consequently, complex

systems may feature many, intractable non-linear relationships, and emergent

behavior (for a more detailed explanation on complexity properties compare

Section 2.2).

The consequences for organizations in complex environments can be tremendous:

Comfort et al. (2001) identified a negative correlation between environmental

complexity and organizational performance. The organization is not able “… to

process the amount and range of information required to adequately establish the

coordination required across the components of the response system” (Comfort et

al., 2001). According to Perrow, loosely coupled structures are favorable in highly

complex systems (Perrow, 1984). Other scholars support this view and highlight

that flexible organizational structures are essential to maintain the focus after

disruptive events (Comfort et al., 2001). The organization requires an increase in

informational exchange, communication, coordination etc. caused by the increase

in environmental complexity.

Another possible outcome of turbulence is surprise (Longstaff, 2005). Cunha et al.

(2006) describe that surprises (defined as events that happen unexpectedly or

expected events that take unexpected shapes) can be formed into a typology. The

dimension “issue” represents events from external sources while “processes” arise

from internal activities. The combined typologies help clarify how to distinguish

internal vs. external sources of surprise, but also show the interplay between them.

This typology further posits that different surprising situations call for distinct,

sometimes even contradicting managerial responses. For instance, in “creeping

developments”, expected issues take surprising shapes when minor, often

interrelated changes accumulate, cause system drift and lead to major impacts.

When formerly reliable routines and standard processes drift, employers and

managers cannot retain control, as the sources of change are distributed. Instead,

managers should empower operators by employing flexible rules (Cunha et al.,

2006, p. 324; Grote, 2009). Combinations of unexpected issues and processes can

result in “losses of meaning”, where people are astonished and forced to

fundamentally re-analyze their assumptions and behaviors. Here, a manager’s

responsibility is facilitating sense-making and allowing the development of new

interpretations that adjust to the new situation by means of improvisation.

Expected issue, expected process: Routines
Distinctive characteristics: organizational routines in moderately dynamic markets
Examples: linear routines, standard operating procedures, preventive action
Managerial implications: management as controlling

Expected issue, unexpected process: Creeping developments
Distinctive characteristics: emergent, complex and interactive processes lead to unexpected situations
Examples: normal accidents, escalating commitment, cultural change
Managerial implications: managing as empowering

Unexpected issue, expected process: Sudden events
Distinctive characteristics: new themes emerge from existing processes
Examples: exploration, evolutionary dynamics
Managerial implications: management as facilitating learning

Unexpected issue, unexpected process: Losses of meaning
Distinctive characteristics: novel, incomprehensible situations
Examples: wild cards, crises of sensemaking, 9/11
Managerial implications: managing as sensemaking

Figure 18: Typology of Organizational Surprises³¹

All these examples illustrate that if the nature of the organizational environment

continually evolves and changes, the organization’s relationship with the

environment must also evolve (McCann, 2004). Depending on the underlying

complexity of a system or the type of surprise, the nature of the desired resilience

will change. Applying either a stable-system perspective (marked by linearity and

predictability) or a volatile-system perspective (emphasizing non-linearity and

emergence) has strong implications for the analysis of system behaviors and

substantially modifies the resources required to survive, including variety and

adaptability (Forrester, 1961; Holland, 1998; Senge, 1997); both widely described

as related concepts of resilience.

³¹ From Cunha et al. (2006).

The stable-system perspective is related to the mechanistic management systems

introduced by Burns and Stalker (2000). Mechanical organizations often have

great difficulties adapting to change because they are designed to achieve specific

goals; they are not designed for innovations (Burns and Stalker, 2000, p. 44).

However, the mechanical vision of the organization fits well to an era of stability

and slow, incremental change and is thus suited to low degrees of turbulence (Burns and

Stalker, 2000; Horne III, 1997). In contrast, a high degree of turbulence requires

more complex and open strategies of the organizations. Such an “organic

management system” (Burns and Stalker, 2000, p. 45) is characterized by flat

hierarchies, task roles according to experience and competence, network structure

of communication, and joint decisions.

3.2.2.2 States of adaption

In order to identify the appropriate organizational response for environments with

varying degrees of turbulence, a second dimension “States of Adaption” may be

necessary.

A state of adaption for an organization describes a condition in which a firm

survives uncertainty by adapting internal processes and/or external relationships

to fit changing conditions. The term “adaptive fit” is utilized by Chakravarthy

(1982) “to intend, that a firm is able to accommodate the level of complexity

presented by its environment” (Chakravarthy, 1982). Originally, he proposed a

framework of adaptive fit that included three states of adaption (Chakravarthy,

1982, p. 37): The unstable, stable, and neutral states, which all are viable for a

corresponding environmental condition. In the unstable state, an organization

tries to protect itself from its environment and aims to resist internal or external

disturbances. This “narrow focus” is a defensive arrangement, as organizations

seek to create stability through a set of actions to dampen the interaction from

outside. The stable state slightly differs, as the organization is open to the

environment and “offers a reactive move in keeping with every move with the

environment” (Chakravarthy, 1982, p. 36). The emphasis is on short response times

and incremental adjustments. In contrast to the first two states, an organization

in a neutral state will withstand and embrace environmental changes. This is

clearly an offensive arrangement, as organizations are continuously searching for

opportunities and keeping pace with change. All three states are suitable for

coping with the environment, however, not all states have the same immunity

from environmental changes. The proactive notion of adaption in neutral states

enables firms to handle the highest levels of complexity. Nonetheless, not all

organizations, departments or actors aspire to the same level of adaption. The state

of adaption is rather determined by the resources of an organization, the time-

horizon for responses, and the nature of management processes (Chakravarthy,

1982) linked with the desirability of the current state (Mamouni Limnios et al.,

2014). As we will see in the subsequent chapters, there exist situations where

protection and stability of critical systems by robust measures are sometimes a

more desirable goal than transformative change.

There exist two conflicting perspectives of resilience across different disciplines

(Longstaff et al., 2013) but also within organizational science (Lengnick-Hall et

al., 2011): a narrow perspective emphasizing resilience as a capacity to resist or

recover; and a broader perspective of resilience emphasizing adaption and

learning. In line with the states of adaption, one can differentiate these two

opposing resilience manifestations as either defensive or offensive (Mamouni

Limnios et al., 2014).

Similar to Chakravarthy’s states of adaption, Fiksel (2003) introduced the three

different adjacent system-states depicted in Figure 20. The figure illustrates

thermodynamic changes that characterize different types of resilience. Each

system features a stable state representing the lowest potential energy at which it

maintains order (Fiksel, 2003, p. 5332). The first system, called resistant system,

represents a highly controlled system which is designed to resist perturbations that

would move it from its equilibrium state. It rapidly recovers from small

disruptions, but may not survive large disruptions (Fiksel, 2003, p. 5332).

The second system can function in a broad spectrum of possible states and tends

to gradually return to its original (single) equilibrium. By means of adaption and

evolution, it is able to survive large perturbations in order to retain its basic

identity and high-level functions.

The third system exists where it is possible to shift to an alternate equilibrium,

representing a transformational change in its structures and lower-level functions.

Here the system can withstand shocks and rebuild itself. In contrast to the first

two systems, it is possible that the system will not look exactly like it did before

and allows a system to move towards a new basin of attraction. This new

equilibrium state may even result in a fundamental change in its structure and/or

function (c.f. Section 2.2).

Figure 19: Three Types of Change and Resilience³²

It is worth noting that some organizations may need to shift between all modes of

adaption. However, the choice of which of these modes and states of adaption is

appropriate for any organization will be different depending on considerations

such as the goal (seeking for stability and improved efficiency vs. continuous

adaption and transformation), the time-horizon (short-term and tactical moves vs.

long-term and strategic moves), and the responsibility of the respective task-level

(sub-systems and sub-ordinates vs. corporate systems and managers).

³² From Fiksel (2003).

Defensive and Reactive Mode of Adaption: Resistance and Resilience. In line

with Chakravarthy’s framework on adaptive fit, organizations that apply a

defensive and reactive mode are looking for stability with their environment by

trying to resist internal or external disturbances. This strategy will not be

appropriate if there are unforeseeable conditions that the organization has not

planned for and any attempts to quickly recover and adapt to disturbances may

fail catastrophically. This point becomes crucial in disaster research and related

sub-fields such as business continuity, emergency response, security and safety

management because these fields highlight the importance of resilience as a

positive capacity or capability to cope with negative events. The shorter time-

horizon for coping with these unpredictable events limits the “degree of freedom”

of response-options and helps to demarcate tactical or operational resilience from

strategic resilience.

Operational resilience is linked with a wide arsenal of managerial, analytical and

architectural principles with the objective of damping negative impacts through

‘fault tolerance’ and ‘graceful degradation’ and rapid recovery to an acceptable

performance state (Madni and Jackson, 2009). It involves enhancing

organizational defenses such as investments in different kinds of buffering

capacities (Lynn, 2005) such as ‘slack’, ‘redundancy’, ‘diversity’ and

‘modularity’ both in the structure and the responding-actions of an organizational

or management system. Although most of the previously identified Resilience

Elements and Organizational Capabilities remain important, this mode of

adaption/resilience clearly emphasizes the mitigation of hardships. Moreover, this

tactical notion of resilience receives increasing attention for sub-systems of the

organization, such as on a departmental or divisional level, or even individual

level. Here, the actors usually seek for stability and have to develop capabilities to

withstand or resist disturbances and to recover quickly from perturbations.

It is acknowledged both in resilience research on social-ecological systems (for an

overview see e.g. Berkes, 2007; Folke, 2006; Holling and Gunderson, 2002; and

Section 2.2) and in research on organizational resilience (e.g. Mamouni

Limnios et al., 2014; Reinmoeller and van Baardwijk, 2005; Hamel and

Välikangas, 2003; Välikangas, 2007; Välikangas and Romme, 2013) that such

defensive resilience measures may help (organizational) systems to survive and

maintain their current structures and functions for a long period of time. However,

such persistence in the face of change may also come with negative effects.

Persistence or resistance against change may also impede the emergence of innovative

ideas and products. This is similar to two situations that Mamouni Limnios et al.

(2014) described as “vulnerability quadrant” and “rigidity quadrant”. In both

situations, an organization will seek to survive by exploitation and the control of

status quo. The increasing control and efficiency gained by this strategy also

results in cycles of reinforcing exploitation leading to systems that maintain only a

narrow focus and that may decrease in value over time. This can result in a

maladaptive system in the long-run. Organizations may experience path-

dependent situations where they are unable to trigger a period of change and

reorganization. According to Mamouni Limnios et al. (2014, p. 111), the

organizations “are caught in a rigidity or poverty trap and can suddenly collapse

upon a disturbance.” Therefore, another mode of adaption is needed to capture the

multi-faceted nature of organizational resilience.

Offensive and Proactive Mode of Adaption. This mode of adaption is more

compatible with Chakravarthy’s third state of adaption, the neutral state. In this

offensive arrangement, organizations are continuously searching for opportunities

and even embracing change. The proactive notion of adaption equals strategic

resilience that arises as a response to opportunity by engaging in exploration

(Välikangas and Romme, 2013). Here, the goal of system operators is to improve

and sustain organizational prosperity by means of transformation. Organizations

need to develop a wide range of organizational capabilities to adapt, to

reconfigure, and to reinvent in order to sustain themselves. These capabilities

enable organizations to match the requirements of a changing environment in

order to create “organizational fitness” (Beer, 2002). This not only involves the

creation of innovations, but also the continuous redesign of existing systems,

processes, culture, and leadership behavior (Beer, 2002, p. 3). Hence, the long-

term prosperity and survival of such an organization calls for a “total system

approach to organizational transformation.” This would enable the organization to

overcome a set of interrelated barriers to organizational fitness such as unclear

strategy, poor communication and coordination across business units, and lack of

top-management commitment.

Consequently, the proactive mode of adaption finds its roots on a higher level

within the organization: on a corporate level with the commitment of leaders and

top teams (Beer, 2002, p. 6; Park et al., 2013; Vogus and Sutcliffe, 2007).

According to Välikangas and Romme (2013), the journey toward strategic

resilience starts with learning to practice mindful and experimental behavior, to

permanently develop and renew a set of organizational options. For this, the

quality and speed of learning demands a culture of honest conversation (Beer,

2002, p. 6), and the capability to mobilize employees and managers toward

experimental and mindful behavior (Reinmoeller and van Baardwijk, 2005;

Välikangas and Romme, 2013).

3.2.3 Organizational Resilience Framework

In the following, a framework is introduced to combine the different dimensions

discussed above: (1) the degrees of turbulence and (2) the different modes of

adaption. While the first dimension captures environmental conditions, the second

dimension captures inherent organizational characteristics and responses. This

allows for identifying and examining four types of organizational resilience:

Prevention and Absorption, Restoration, Strategic Agility, and Robust

Transformation and Renewal. The resulting matrix is depicted in Figure 21.

The matrix helps to engender a greater understanding regarding organizational

resilience by integrating the previously mentioned factors. It delineates four

applications of organizational resilience based on the differing results of the

research. The X-axis, which constitutes the State of Adaption, separates

organizations with a mechanistic structure and a defensive/reactive response from

organizations with an organic structure and an offensive/proactive response. The

Y-axis constitutes the Degree of Turbulence, focusing on the predictability and

severity of disturbances.

Figure 20: Organizational Resilience Framework

3.2.3.1 Prevention and Absorption

The defensive/reactive modes of resilience share commonalities with

“engineering” or “static” resilience, as posited by Buzz Holling, a pioneer of resilience

research (Holling, 1996; Longstaff et al., 2013; Norris et al., 2008; Walker

and Salt, 2006). Here, the conceptual approaches of resilience focus on

maintenance of a stable state. The strength of this simple view of resilience as a

reactive term of bouncing back is its measurability. In this sense, resilience can

simply be derived from the so-called “resilience triangle” (see Figure 22) which

reflects three dimensions of resilience: pre-disaster functionality, the extent of

damage, and the speed of recovery of the system (Birkland and Waterman, 2009,

pp. 20f.). According to Birkland (2009), resilience is achieved when four factors

are present (p. 20f.):

• Robustness: the ability to withstand a given level of stress or demand without suffering unrecoverable degradation or loss of function. This can be reflected in physical building and infrastructure design (office buildings, power generation and distribution structures, bridges, dams, levees);

• Redundancy: the extent to which elements, systems, or other units are substitutable.

• Resourcefulness: the ability to skillfully prepare for, respond to and manage a crisis or disruption as it unfolds. This includes identifying courses of action, business continuity planning, training, supply chain management, prioritizing actions to control and mitigate damage, and effective communication of conditions and decisions.

• Rapidity: the ability to return to and/or reconstitute normal operations as quickly and efficiently as possible after a disruption. Components include carefully drafted contingency plans, competent emergency operations, and the means to get the right people and resources to the right place.

Figure 21: The Resilience Delta³³

³³ Adapted from Zobel (2011).

Hence, it is possible to calculate the “resilience triangle” or “resilience delta”

(Zobel, 2011). It is determined by robustness or resistance (the vertical axis

representing the initial amount of damage) and its hypotenuse reflecting the rate

of recovery to the prior level of functionality. Thus, as posited by Birkland

(Birkland and Waterman, 2009, p. 27), robustness and redundancy can maintain

higher levels of functionality than non-robust and non-redundant systems while

recoverability/rapidity can vary considerably. Although the resilience delta is

highly simplified, it provides insights about the multi-dimensional nature of

engineering/static resilience as a combination of robustness, rapidity and

redundancy as well as resourcefulness. These measures will have indirect positive

effects on all resilience features by reducing vulnerability (Birkland and

Waterman, 2009; Zobel, 2011). Moreover, the resilience delta further illustrates

the importance of temporal scales of resilience (see also Subsection “Resilience

Elements”): Business systems at different levels (such as organizational,

departmental, or team) are in a continuous state of change and call for the

development and maintenance of resilience capabilities and strategies before,

during and after challenging events occur at all levels (Hollnagel et al. 2011 and

Subsection 3.1.3).
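The calculation described above, as an added example in Python (not part of the thesis or of Zobel's work): it reads the initial loss and the recovery time off a functionality time series and compares the simplified triangle area with the trapezoidal area of the measured deficit. The sample series, the function and class names, the baseline of 100 and the half-base-times-height reading of the triangle are assumptions made for this illustration.

```python
from dataclasses import dataclass


@dataclass
class ResilienceDelta:
    loss: float            # robustness axis: largest drop below the baseline
    recovery_time: float   # rapidity: time from first degraded sample to recovery
    triangle_area: float   # 0.5 * loss * recovery_time (the simplified delta)
    measured_area: float   # trapezoidal integral of the actual deficit curve


def resilience_delta(samples, baseline=100.0):
    """Compute the resilience delta for one disruption.

    samples: list of (time, functionality) pairs sorted by time, with
    functionality on the same scale as `baseline`.
    Raises ValueError if no disruption is present or the system never
    returns to the baseline within the observed window.
    """
    deficits = [(t, max(0.0, baseline - q)) for t, q in samples]

    # The first degraded sample marks the start of the disruption; the drop is
    # treated as instantaneous, which is the vertical side of the triangle.
    start = next((i for i, (_, d) in enumerate(deficits) if d > 0), None)
    if start is None:
        raise ValueError("no disruption in the observed window")

    # The first later sample back at the baseline marks the end of recovery.
    end = next((i for i in range(start + 1, len(deficits))
                if deficits[i][1] == 0), None)
    if end is None:
        raise ValueError("system did not recover within the observed window")

    window = deficits[start:end + 1]
    loss = max(d for _, d in window)
    recovery_time = window[-1][0] - window[0][0]

    # Trapezoidal rule over the deficit curve between disruption and recovery.
    measured = 0.0
    for (t0, d0), (t1, d1) in zip(window, window[1:]):
        measured += 0.5 * (d0 + d1) * (t1 - t0)

    return ResilienceDelta(loss, recovery_time,
                           0.5 * loss * recovery_time, measured)


# Constructed sample data: hourly availability (percent) of two services hit
# by the same disruption at hour 2. The first recovers linearly, the second
# has redundancy that limits the loss but restores full service in one step.
NON_REDUNDANT = [(0, 100), (1, 100), (2, 40), (3, 55), (4, 70),
                 (5, 85), (6, 100), (7, 100)]
REDUNDANT = [(0, 100), (1, 100), (2, 80), (3, 80), (4, 80),
             (5, 80), (6, 100), (7, 100)]

if __name__ == "__main__":
    for name, series in (("non-redundant", NON_REDUNDANT),
                         ("redundant", REDUNDANT)):
        print(name, resilience_delta(series))
```

With linear recovery the triangle matches the measured area; for the step-wise recovery of the redundant service the triangle understates it, which is one concrete sense in which the delta is highly simplified.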

Before a dangerous event occurs, a resistance strategy that attempts to keep a

danger away (prevention) is only appropriate for occurrences that can be planned

and that will justify the additional costs. This includes building walls or screening

people for weapons at a building entrance. In contrast, engineering/static resilient

preparedness is an appropriate strategy where we know how a system will be

surprised but not when (Longstaff 2005). This kind of resilience is achieved by

having buffers that enable a system to withstand a disruption without need for

major reconfiguration. Such fault tolerance or graceful degradation can be reached

by redundancy (the duplication of critical components or functions of a system) or

response diversity (the range of different response types available to substitutably

perform a function) (Madni and Jackson 2009; Walker and Salt 2006).

This leads us to the first organizational resilience quadrant, assuming a low degree

of turbulence and a defensive/reactive state of adaption to disturbances:

Prevention and Absorption. The organizational management system in this

quadrant is characterized by hierarchical, centralized leadership, and is policy and


procedure driven. The key actor would be a custodian or controller/administrator

that aims to restrict variability by detecting and resolving any deviations from

target plans. Consequently, an organization which aspires to this state of adaption

will be in a relatively stable environment and will focus on preventive measures.

Norris et al. (2008) noted that resistance and maintenance is the best outcome of

a system after a disturbance. This means, “that the resources have effectively

blocked the stressor” (Norris et al., 2008). But such an approach is only feasible if

organizations are capable of anticipating possible future events. Moreover,

organizations may satisfy stakeholder needs and maintain their current structures

only under a narrow spectrum of conditions, making them susceptible to

unexpected external disturbances (such as governmental and legal actions,

technological or socio-demographic shifts or ecological changes) (Mamouni

Limnios et al., 2014, p. 111). Therefore, in organizations that experience more

unpredictability the alternative approaches in the lower quadrant may be more

useful when it is necessary for defensive organizations to match turbulent

environments.

3.2.3.2 Restoration

Under more turbulent circumstances, organizations applying a defensive/reactive

response mode focus on restoration and adaption. In contrast to organizations

that can plan for resistance to stress and disturbances within expected and narrow

boundaries, other organizations face unforeseeable perturbations. Here, resilience

is mainly built on organizational capabilities that become effective after an event.

The anticipation and interpretation of low-probability events can require actions

outside the normal set of responses (this is also a well-known observation

discussed as “outside the safe operating envelope” in safety management and

engineering, introduced by Cook and Rasmussen, 2005). This is in line with

resilience concepts emphasizing recoverability as key for survival – also

previously highlighted as the fourth factor of the resilience triangle “rapidity”.

Therefore, scholars such as Bhamra et al. (2011) describe resilience as “capability

and ability of an element to return to a stable state after a disruption”. Also

Wildavsky (1988) describes resilience simply as the capacity to bounce back.


Sutcliffe and Vogus (2003) note that resilience in organizational theory is an

ability to recover and bounce back from undesirable events. Also in positive

psychology, a tumbler represents an ideal type of a resilient and optimistic person

that bounces back from adversity (Margolis and Stoltz, 2010; Powley, 2009;

Seligman, 2011). Such a tumbler is “a positive person with a bouncebackability,

like a sportsman who has a capacity to recover quickly after setback” (Oxford,

accessed 14.01.2014). Bouncing back like a tumbler may require an organization

to invest in built-in redundancy and diversity where possible in order to use

resources that are not typically available under normal conditions (Sheffi, 2007;

Weick and Sutcliffe, 2007; Wildavsky, 1988).

Moreover, resilient organizational actors have been seen to constantly improvise,

reorganize and create new resources and to move quickly to cope with unexpected

events. The literature suggests that bricolage34 (experimentation and mindfulness)

and resourcefulness are central to resilience under such circumstances (Horne III

and Orr, 1998; Mallack, 1998; Park et al., 2013; Välikangas and Romme, 2013;

Weick, 1995; Zobel, 2011): Consequently, turbulent environments demand

organizational capabilities for restoration of the system’s pre-disruption state as

closely and quickly as possible (Madni and Jackson 2009). As illustrated through

the resilience triangle, the effectiveness of recovery mechanisms will also highly

rely on the successful implementation of preparedness efforts. But in addition to

preparative efforts, effective communication skills and distinctive resourcefulness

are likely to affect the recovery process in positive ways (Zobel 2011).

These defensive/reactive responses are similar to “engineering resilience”,

introduced in Section 2.2. This involves the idea of designed systems that can be

stressed to a particular point without breaking, or without suffering a significant

degradation in functionality (Birkland and Waterman, 2009, p. 17). The goal of

the first two resilience types therefore “is either to allow for a wide performance

envelope given particular stresses, or to allow some components of a system to

34 According to Weick (1995), organizational bricolage encompasses the employment of intimate knowledge of resources from a wide range of sources, careful observation and mutual trust among organizational members.


fail so that the overall system” (Birkland and Waterman, 2009, p. 17) remains

intact. This is similar to the first type “resistant systems” depicted in Fig. 20

(Fiksel 2003). However, resilience with focus on efficiency and consistency ends

here. A focus on adaptability becomes more important in situations where

surprises and other challenges will be so debilitating that planning for recovery

becomes too costly or even dangerous (as when the vulnerability against the

event will persist).

For such situations and in the face of long-term threats where optimal solutions are

often impossible to reach or even remain unknown, an offensive/pro-active mode

of resilience provides a more comprehensive and suitable foundation of

organizational survival and well-being. In the following, these two types of

organizational resilience will be explained.

3.2.3.3 Strategic Agility

Although this quadrant in the framework assumes relatively stable and predictable

environmental conditions, a multitude of strategic challenges such as disruptive

innovations can still threaten the survival and resilience of incumbent firms

(Dewald and Bowen, 2010). This strategic notion of resilience is not just about

responding to turbulences but rather about constantly updating the organization’s

ability to adapt to future turbulences.

Accordingly, an offensive/proactive resilience mode is favorable where

organizations seek to develop and maintain organizational capabilities to cope

with long-term change and uncertainty. A stream of literature on resilience

suggests that there is a need for constant, proactive and quicker response to change

than ever before. Adaptive capacity is often outlined as a key capacity for

organizational resilience (e.g. Lorenz, 2010; McCann and Selsky, 2012;

McDonald, 2006; Smit and Wandel, 2006). Advocates of such an adaptive

management approach postulate that in competitive and dynamic markets, the

more successful firms are the ones that continuously apply and develop new

knowledge. This tension further parallels much of what has been written about the

concept of strategic ambidextrousness (e.g. Benner and Tushman, 2003; O'Reilly


III and Tushman, 2004): organizations need to simultaneously combine

exploration and exploitation strategies. In other words, they need both the ability

to leverage existing circumstances and the capacity for continuous

scanning for opportunities.

Managing in environments with low degrees of turbulence - characterized by

anticipated events and long-term planning - allows organizations to establish

fitness with their environment through Strategic Agility (Lengnick-Hall and Beck,

2009; Hamel and Välikangas, 2003; Dosi et al., 2000). Strategic Agility can be

defined as “capacity for moving quickly, flexibly, and decisively in anticipating,

initiating, and taking advantage of opportunities and avoiding negative

consequences of change” (McCann and Selsky, 2012, p. 19). In opposition to

reactive and short-term oriented resilience, an offensive long-term approach treats

(continuous) change as a source of competitive advantage (McCann and Selsky,

2012, p. 29) and variability as a source of success (Hollnagel et al., 2006). Thus,

strategic agility “enables a firm to initiate and apply flexible, nimble, and dynamic

competitive moves in order to respond positively to changes imposed by others

and to initiate shifts in strategy to create new marketplace realities”

(Lengnick-Hall and Beck, 2009, p. 40, referring to McCann, 2004). This proactive notion of

resilience is increasingly advocated by organizational scholars: For instance,

according to Mallack (1998), resilient organizations will not experience the

environment passively; instead they will permanently develop and apply new

knowledge. Ates et al. (2001) demonstrate that resilience will be enhanced by

“paying attention to long-term planning and external communication to drive

change proactively […]”. Furthermore, organizations have to “[...] increase the

amount and quality of resources through improvisation and recombination” (Ates

and Bititci, 2011).

A high level of strategic agility is often linked with a firm’s demonstrated

capacity for quick and effective concentration of resources on strategic key issues,

accumulating new resources, and (re-)combining resources in new ways for new

uses (Hamel and Välikangas, 2003; McCann and Selsky, 2012; Lengnick-Hall and

Beck, 2009). The organizational literature offers a number of factors associated


with such agility, including response speed, the number and variety of strategic

moves undertaken, and different indicators of broad action repertoires coupled

with decisiveness (Lengnick-Hall and Beck, 2009, p. 53). Enablers of strategic

agility encompass different routines, capabilities, and resource deployments

depending on the environmental conditions and the outcomes a company is

striving to achieve. Strategic Agility as planning for resilience emphasizes

Contingency and Responsiveness as intended outcomes. Some believe that the

underlying logic for agile and resilient organizations is to open their boundaries to

larger environments by means of outsourcing and networking (Lengnick-Hall and

Beck, 2009, p. 51). Building strategic agility may involve the creation of rapid

growth and encouraging large-scale systems in order to respond adequately to

challenges or opportunities. Key actors for such an endeavor are often called

entrepreneurs and strategic planners (Dewald and Bowen, 2010; Hamel and

Välikangas, 2003).

For organizations with low levels of environmental turbulence, organizational

literature suggests mechanical structures with centralized leadership, vertical

hierarchies, formalized and standardized routines and processes to achieve

efficiency and consistency (Burns and Stalker, 2000). But, as pointed out earlier,

in increasingly turbulent environments, “organic management system” (Burns and

Stalker, 2000, p. 45) may be more effective at coping with uncertainty. The

positive contributions of decentralization and diversity to resilience have also been

acknowledged within the safety discourse by Aaron Wildavsky (1988) more than

two decades ago: “The larger and more centralized the organization seeks to

predict the future, the longer it will take to get agreement, the fewer the

hypotheses it can try, and the more costly each probe is likely to be. […]

Decentralized anticipation (numerous independent probes of an uncertain future)

can achieve a greater degree of safety” (Wildavsky, 1988, p. 8). Such a structure

emphasizes decentralization (for instance flat hierarchies, joint decisions with

cross-trained generalists, network structure of communication, etc.) to achieve

flexibility and adaptability.


As stated by Lengnick-Hall and Beck (2009), resilient organizations in the long-

run generally comprise features of agile organizations (being nimble, flexible and

agile). However, not all agile organizations can be classified as resilient

organizations (Lengnick-Hall and Beck, 2009, p. 43). Strategic agility is

designated to address continuous and relentless change. As a consequence, high

degrees of turbulence call for a more radical strategic resilience response captured

in the fourth quadrant of the matrix.

3.2.3.4 Robust Transformation and Renewal

This alternative strategic resilience type in high-turbulent environments is labeled:

Robust Transformation and Renewal. The term “robust transformation” is

posited by Lengnick-Hall and Beck as “a deliberately transient, episodic response

to a new, yet fluid, environmental condition.” (2005, p. 742). In contrast to

strategic agility, which aims to achieve contingency to promote (at least

temporary) equilibrium, robust transformation seeks to capitalize on

environmental change in ways that create new options and capabilities. It is

therefore linked with the resilience idea of “even thrive” in the face of challenges

which is often found in positive psychology (compare Section 2). Following this

logic, a turbulent condition triggers processes of improvement (such as the

development of new capabilities) and positive outcomes. This was exemplified by

the Ericsson-Nokia case in an earlier paragraph, where Nokia capitalized on its

competitors’ rigid responses by introducing new products and growing market-

share (Section 3.1.3). This is in line with other examples highlighted in multiple

works on organizational resilience and high-reliable organizations such as

(Hollnagel et al., 2006; Meyer, 1982; Roberts, 1990; Seligman, 2011; Välikangas,

2007; Weick and Sutcliffe, 2007) showing that organizations often find new

effective solutions that were previously counterintuitive during normal operations.

Here, the key actors have to be creative and innovative. In these organizations you

can see a process of learning, transforming, growing and reconstructing in face of

change. This type of resilience is also captured in a definition given by Fiksel: In


the business context “… resilience is the capacity for an enterprise to survive,

adapt, and grow35 in the face of turbulent change” (Fiksel, 2006). Effectively

responding and adapting to a new environment requires providence, innovation,

experimentation and improvisation.

Reinmoeller and van Baardwijk devote their working paper to the linkage between

resilience and innovation. They defined resilience as “the capability to self-renew

over time through innovations” (2005, p.61). Moreover, they argue that resilient

companies are those which make use of the dynamic balance of four

innovation strategies: Exploration, entrepreneurship, knowledge management and

cooperation (Reinmoeller and van Baardwijk, 2005, p. 63). The differences

between the strategies follow two dimensions: (1) whether the innovative

resources are internal or external, (2) in use or being created. These dimensions

share some commonalities with the dimensions of the proposed resilience matrix:

in less turbulent environments, organizations are able to employ resources that are

already in use by means of internal knowledge (“Knowledge Management”) or

complementary knowledge of partners (“Cooperation”). In contrast, high-

turbulent environments require the creation of “new ideas and resources”, either

internally by means of experimenting and recombining of existing organizational

resources (“Exploration”) or by means of experimenting and sensemaking of

environmental factors (“Entrepreneurship”). The latter underpins the need for the

fourth type of resilience as Robust Transformation and Renewal. Here,

organizations must go beyond conventional knowledge management and

continually encourage entrepreneurial behavior to drive change and innovation

(Reinmoeller and van Baardwijk, 2005, p. 64). The emphasis does not lie in the

continuity of status quo but in more radical changes in order to keep pace with a

fast changing environment.

A case study about resilience in a project team (Edson,

2012) showed a positive correlation between resilience and the potential for

innovation through creative destruction. Similarly, Hamel and Välikangas (2003)

35 Emphasis added.


noted that renewal must be the natural outcome of organizational resilience.

Moreover, according to Linnenluecke and Griffiths (2010), the main aspect of

resilience in organizations is the capacity to rebound from hardship in a

strengthened and more innovative way.

Resilient organizations in a high-turbulent/offensive arrangement seek

robust transformation and renewal. They perceive deviations positively as a source

of success and therefore interpret their environment as a turbulent flow of

opportunities. Organizational actors constantly learn, improvise, reorganize and

create new resources to move quickly to explore the manifold unexpected

opportunities. The literature suggests that bricolage36 (experimentation and

mindfulness) is central to resilience under such circumstances (Horne III and Orr,

1998; Mallack, 1998; Park et al., 2013; Välikangas and Romme, 2013; Weick,

1995). In contrast to strategic agility, which is an appropriate resilience type in

less turbulent environments, robust transformation and renewal do not seek to

establish fit or contingency with the environment by scanning and incremental

adaptions. Here, organizations attempt to undertake transformations of their

structure, processes and products. This can involve complete strategic

turn-arounds and renewal of an organization’s identity.

3.2.4 Discussion and conclusion

Although the term “resilience” in general reflects a system’s property to cope with

change, the evolution of the term across different disciplines and fields of

application has led to a diverse and confusing definitional lexicon. It is not surprising

then that the different levels of abstraction and levels of analysis make

comparison and the identification of common characteristics or

synthesis/comprehensive definition almost impossible (Carpenter et al., 2001).

The main issues revolve around two main assumptions (often unstated) about

36 See Section 3.2.3.2 for a definition given by Weick (1995).


two fundamental aspects of the system being studied. The literature reviewed here

fundamentally differs with regard to assumptions about the (1) degree of

turbulence of the organizational environment and (2) the current modes of

adaption an organization is seeking (defensive/reactive vs. offensive/proactive

orientation).

Accordingly, this chapter has rigorously examined the organizational resilience

literature in order to make the following contributions: First, a comprehensive

review on organizational resilience will be an important starting point for scholars

working in this area by enabling them to recognize and segment the different

philosophies and approaches to organizational resilience. Second, the information

gathered from disciplines such as ecology can give important clues for new

research directions for organizational resilience. Third, this chapter identifies

knowledge gaps, critical appraisals and inconsistencies within organizational

resilience to help counteract the construct proliferation that has become apparent

within the domain. Finally, the organizational resilience framework presented

here will advance a clear method to help distinguish the specific context for the

application of resilience principles in multidisciplinary contexts.

Resilience as a construct is essential to the process of building theory and

to enrich existing theories. Hence, it is reasonable to believe that a re-evaluation,

extension and development of theories across disciplines is needed in order to include the

various types of resilience within those theories. The literature reviewed here

fundamentally differs with regard to assumptions about the environment’s degree

of turbulence and assumptions about the state of adaption (here defined as an

expression of the degree to which an organization is matching its capabilities with

the external environment).

Making these assumptions explicit will have important implications for research

in organizational management. Some resilience concepts will be more useful for

organizational theories and schools of thought than the others, e.g. the resilience

types with lower complexity may fit better with more static frameworks such as

Ansoff’s ‘Strategic Planning’ (Ansoff and Sullivan, 1993), the Resource-based

view (RBV) (Wernerfelt, 1984) or some of the contingency theories (Hoffer,


1975), while the more complex concepts are more compatible with evolutionary

theories such as Dynamic Capability (Teece and Pisano, 1994), Population

Ecology (Hannan and Freeman, 1977) or Neo-Institutionalism (DiMaggio and

Powell, 1983).

Depending on the underlying theoretical assumptions, the nature of the required

resilience type will change. For example, Colbert (2004) highlights changing

implications for strategic human resource management using a complexity theory

perspective of a resource-based-view. Also, Boisot and McKelvey (2011)

exemplify the fundamental re-evaluation of organizational effectiveness based on

the network-structure of the organizational system. Applying either a ‘Gaussian

perspective’ emphasizing linear-additivity and predictability or a ‘Paretian

perspective’ emphasizing non-linearity and emergence has strong implications for

the analysis of system behaviors and structures and therefore substantially

modifies the required variety that will be necessary to adapt and survive (p. 126,

both widely described as related concepts of resilience). New method-sets from

other disciplines such as mathematics, quantum mechanics and complexity

science may enable new streams of resilience research in an organizational

context. However, researchers such as Boisot and McKelvey (2011) highlight the

trade-off between the potential of complex perspectives to enrich and question

simpler assumptions at the expense of academic rigor and a wide repertoire of

quantitative statistics.

The policy alternatives, organizational practices and intended outcomes will also

depend on the specific type of resilience that is needed and the unique

organizational context. So it is important for policymakers and managers to know

which part(s) of the quadrant they want to operate in. For example, the defensive

resilience types (Prevention & Absorption and Restoration) might emphasize

principles of efficient recovery that align lower policies such as ones that ‘invest

in business intelligence services for anticipating changes’ (so this organization

will invest in prediction) or ‘build sufficient buffer capacity for critical processes’

and practices such as ‘rewarding failure reporting’ to the actual outcomes

(‘number of failures in a given process’).


The specific context or type of resilience sought will also affect the menu of

possible instruments for measurement. Measurement in a simple version of

resilience may be well served by Newtonian or Gaussian analysis but will have

significant limits in a more complex or Paretian system. Recovery time and the

number of accidents are relatively easy to measure, while measurement of the

effectiveness of proactive adaption towards a new state remains an adventure.

Therefore each type of resilience has different implications for decision makers

and theorists. While in particular technical indicators for the earlier resilience

types are already established (e.g. Zobel, 2011), the development of

more complex indicators still remains at a formative stage.

Many socio-technological systems such as telecommunications, nuclear power or

medicine include a wide set of potential failure modes. Establishing redundant and

robust mechanisms makes the system safe from single point failures but also adds

more complexity and uncertainty (Hale and Hovden 1998). Hence, we can argue

that, at least in particularly complex situations and in the face of long-term threats,

where optimal solutions are impossible to reach or even remain unknown, the

ecological resilience types provide a more comprehensive and suitable foundation

of organizational or societal survival.

As technology and human connectedness develop ever-more complex systems

that have the ability to change by self-organization, adaption and continual

learning, the need for theories and models to improve security and survivability

will only increase. Hence, organizations and societies will need to find innovative

ways to deal with risks in socio-technical systems that are more and more

complex and tightly coupled in a world where security, productivity and its

deviations can no longer be disjunctive. The resilience-analysis model presented

here begins the process of enabling organizations to find new strategies to cope with

challenges that confront them.


4 Resilience Management and Information Systems

Today, decision makers are already equipped with a broad set of information

technology (IT) tools and models to enhance organizational resilience.

Information systems (IS) support resilience management by means of quick

information provision and automated decision support. As explained in the

previous chapter, resilient organizations are forced to adapt to changing needs of

their operational environment. As a consequence, the intensive use of technology

also brought up the need for decision makers such as CIOs to systematically

(re-)organize and manage their IT and IS infrastructures according to new requirements which

have not been explicitly incorporated into the existing IT design. As we will see in

the subsequent sections, IS play a key role in supporting managers to maintain and

enhance the resilience of an organization. Therefore, this chapter is dedicated to

transferring the concept of resilience to IS research and Business Informatics37.

In this thesis, a Resilience Management Information System (RMIS) is defined as

a complex set of interrelated components (technology, people, facility, processes)

that collect, process, store, and distribute information to support the operational

resilience management. The remainder of the chapter firstly introduces the notion

of resilience management as a complementary approach to prevailing security-

and risk management approaches (Section 4.1). The next section will discuss

various sources of stress and disruption associated with IT-diffusion (Section 4.2).

IS risk and security management traditionally offer a wide set of approaches to

cope with operational risks. Section 4.3 firstly provides some basics on IS

architectures. Subsequently, it introduces an exemplary research project to show

current challenges and limitations of prevailing IS risk and security approaches.

These shortcomings stress the need to extend IS risk management with resilience.

Consequently, this is followed by a report on the status quo with respect to IS

research and a scientific-programmatic view of the upcoming research questions

37 This chapter is based on revised versions of Koslowski and Zimmermann (2013); Müller and Koslowski (2012); Müller et al. (2013); Fenz et al. (2013).


in this area (Section 4.4). Finally, the chapter derives foundational requirements

for the design of RMIS and paves the way for the design of PREDEC, an IS

artifact for detection of process-centered resilience.

4.1 From risk management to resilience management

How organizations manage turbulence has been a core issue in organizational

literature. Today, many organizations have integrated risk management and

contingency planning to respond to disruptions and crises. This “hard paradigm”

(Perelman, 2006, p. 24) of conventional organizational security and safety

emphasizing risk mitigation and prevention is strongly influenced by engineering

and Taylor’s “scientific management”, but also by Max Weber’s bureaucratic

administration (Grote 2009, p.30). The conventional views were developed under

the assumption that uncertainties can be designed out of the system by prescribed

procedures and controls (Grote 2009; Perelman 2006). For instance, Erik

Hollnagel described this paradigm of protection in the field of safety management

as “safety by design” (Hollnagel, 2008, p. 1). Safety by design - also termed

“analytical safety” - is rather a requirement than an option to ensure continuous

operations of an organization as “all possible, or practicable, precautions needed

to ensure an acceptable level of safety are taken ahead of time”. Therefore, the

“mechanistic” or “Tayloristic” design methodologies emphasizing resistance are

appropriate for firms who are operating in a stable market with little or no

uncertainty on the horizon (e.g. Grote 2009 and Chapter 3), but have their limits

in hypercompetitive and dynamic markets, as for instance Nohria (2006) notes:

“Much of the organizational thinking about […] crisis management in

general has focused on preparation. […] This is necessary but not

sufficient. In the complex and uncertain environment of a sustained,

evolving crisis, the most robust organizations will not be those that simply

have plans in place but those that have continuous sensing and response

capabilities.”

In contrast to conventional approaches of the “protection paradigm” (Jackson,

2009, p. 14), the interest in resilient organizations that can “bounce back” from


some sort of challenge and even thrive (“bounce forward”) is clearly related to the

recent unpredicted economic events that swept the globe and the socio-political

uncertainty that flowed from them. This “soft paradigm” (Perelman, 2006, p. 24)

is therefore associated with adaption and resilience. There is no competition but

rather a complementary relationship38 between the different paradigms. But the

evolving resilience paradigm requires a fundamental shift to different visions,

strategies and capabilities (as indicated in Table 7).

38 Some authors even presume an overlapping relationship, e.g. Kahan et al. (2009); Sheffi (2007); Avizienis et al. (2004).


Table 7: From Protection to Resilience39

| Paradigm | Control / Resistance | Adaption / Resilience |
|---|---|---|
| Risk concept | Engineering | Human factor |
| Perception of deviation | as to be avoided symptoms of inefficient system design | as opportunity for use and development of competencies and for systems change |
| Protection goal | hardening potential targets against threats | softening the brittleness of potential threats |
| Strategic focus | aligned toward criticalness | aligned toward brittleness |
| Management objectives | minimizing; reducing operative degree of freedom through procedures and automation | coping; maximizing operative degree of freedom through integrative complete tasks and lateral cooperation |
| Management and design: organization | Hierarchical | Networked |
| System coupling | Tightly coupled | Loosely coupled |
| Leadership | Centralized leadership | Distributed leadership |
| Workforce | Concentrated workforce | Dispersed workforce |
| Competencies | Specialists | Cross-trained generalists |
| Governance | Policy and procedure driven | Guided by simple yet flexible rules |
| Design strategies | Armoring, strengthening, oversizing, resistance, isolation | Diversity, adaptability, cohesion, flexibility, renewability, regrowth, innovation, transformation |

39 Adapted from Grote (2009); Hollnagel (2008); Nohria (2006); Park et al. (2013); Perelman (2006).

4.1.1 Risk concept

By comparing the distinctive paradigms of managing turbulence, one can observe key differences regarding the concept of risk and how operators perceive variability/deviations.

The dominant approach of control and resistance is rooted in engineering and the related (analytical) risk management approach (Park et al., 2013). Generally, a fundamental assumption of this traditional security paradigm is that a system’s components function bimodally, i.e. they function correctly or they fail. Deviations and inefficiencies are seen as failures, and the source of hazard and the object or activity that needs protection are separated. Hence, the management of risks, which attempts to prevent system failures, is based on the identification and quantification of the product of threats, vulnerability and consequences in order to eliminate or mitigate the negative symptoms by corrective actions (Park et al., 2013).

Organizations are faced with different types of risk such as hazards, financial, operational or strategic risks. Operational risks are generally defined as those risks that affect an organization’s operations (internal activities). They usually arise from the actions of people, systems and technology failures, failed internal processes, but also external events (e.g. Allen and Cebula, 2011; Fenz et al., 2011; Haimes, 2009a; Prokein, 2008; Tjoa et al.). Traditional (operational) risk management often involves statistical analysis attempting to predict future occurrences to judge whether the risk is worth the reward or if the risk can be mitigated through different responses depicted in Figure 23:

Figure 22: Traditional Risk Management Instruments40

Risks with high probability and high magnitude should be prevented and finally avoided. This requires the ability to predict the outcomes and to take proactive action to circumvent them. Those risks with relatively high probability and moderate magnitude should be mitigated, for example via adaption, risk reduction, or diversification (hedging). Adaption requires timely reconfigurations while risk reduction is achieved by means of controls such as safeguards or quality management. Risk diversification (hedging) calls for a broad set of alternative systems, processes or resources. Risk transfer by means of insurance41 is appropriate for bad events with low to moderate probability but high magnitude of impacts. Finally, those risks that exhibit low probabilities and low impacts can be accepted and absorbed. This can happen by having sufficient buffer capacity (such as redundant back-up systems or slack) that enables the system to withstand stress without having to reconfigure itself.

40 Adapted from Prokein (2008, p. 100).

41 Besides traditional insurance premiums, there exists a wide range of alternative options of risk transfer, such as securitization, derivatives, debt obligations (for an overview e.g. Prokein (2008, pp. 91f.)).

This works well for situations where risk is known or can be approximated based on historical data and subjective assumptions (Longstaff, 2005; Perelman, 2006; Smith and Fischbacher, 2009). However, such risk analysis, consisting of both risk assessment and risk management, has its limits in the following situations (Longstaff, 2005, p. 10): where hazards are simply unknown or when some known events exhibit low probability but high impacts (compare e.g. Longstaff, 2005; Perelman, 2006; Chapter 3). Such risks can emerge through nonlinear interactions among system components and finally may result in cascading or multiple and simultaneous failures (Park et al., 2013). Thus, problems and limitations refer to the identification and understanding of probabilities, but also to the understanding of how failures propagate and amplify within and across complex systems (Smith and Fischbacher, 2009). For instance, the calculation of asymmetric probability distribution functions (such as power law distributions, for example Boisot and McKelvey, 2011) is problematic since they lack a representative set of historical data and the ability to determine meaningful measures of mean and variance. Moreover, “systematic bias in risk analysis” (Park et al., 2013) can often result in underestimation (“false sense of security”) or even ignorance of such risks (Perelman, 2006, p. 27; Taleb, 2008).
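The estimation problem with power law distributed losses can be made concrete with a small simulation. This is an added example, not part of the dissertation: the loss histories are constructed, and the tail index of 1.1, the history length and the seeds are assumptions chosen for illustration.

```python
import random
import statistics


def simulate_losses(kind, n, seed, alpha=1.1):
    """Return n constructed loss amounts (no real data).

    kind="thin"  -> exponential losses with mean 1 (thin-tailed baseline)
    kind="heavy" -> Pareto losses with tail index alpha (a power law);
                    alpha=1.1 is an assumed value for which the variance is
                    infinite and the sample mean converges extremely slowly.
    """
    rng = random.Random(seed)
    if kind == "thin":
        return [rng.expovariate(1.0) for _ in range(n)]
    if kind == "heavy":
        return [rng.paretovariate(alpha) for _ in range(n)]
    raise ValueError(f"unknown kind: {kind!r}")


def largest_event_share(losses):
    """Fraction of the total recorded loss caused by the single worst event."""
    return max(losses) / sum(losses)


def estimate_spread(kind, histories=20, n=5000, base_seed=2014):
    """Relative disagreement between expected-loss estimates.

    Each history stands for an equally long, independent record of past
    losses. The result is (max - min) / median of the per-history means,
    i.e. how much the "expected loss" depends on which record was observed.
    """
    means = [
        statistics.fmean(simulate_losses(kind, n, base_seed + i))
        for i in range(histories)
    ]
    return (max(means) - min(means)) / statistics.median(means)


def compare(n=5000, seed=2014):
    """Summarise both loss models for one history and across histories."""
    result = {}
    for kind in ("thin", "heavy"):
        losses = simulate_losses(kind, n, seed)
        result[kind] = {
            "mean": statistics.fmean(losses),
            "stdev": statistics.stdev(losses),
            "largest_event_share": largest_event_share(losses),
            "estimate_spread": estimate_spread(kind, n=n, base_seed=seed),
        }
    return result


if __name__ == "__main__":
    for kind, stats in compare().items():
        print(kind, {key: round(value, 4) for key, value in stats.items()})
```

For the thin-tailed losses every history yields nearly the same expected loss, while for the power law losses a single event carries a visible share of the total and the estimate depends on which history happened to be recorded.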

Within the resilience paradigm, acknowledging the complexity and rapidity of change, a system cannot be completely specified. It rather must vary to meet changing conditions and demands. Hence, variability and permanent adjustment, particularly based on humans’ capacity to adapt, is an inevitable asset to ensure functioning of an organization42. However, as noted by Dekker (2003), at the same time, variability and human adjustments can also harm security when they combine unexpectedly. Different from traditional risk management with emphasis on ex-ante identification, resilience in a complex systems context is an emergent property that can only be observed after an event has occurred (an ex-post approach of resilience management is presented in the subsequent sections).

The distinct risk concepts between traditional risk and security management vs. resilience management are depicted in Figure 24. Risk assessment in security management often means the process to identify risks relative to threats and vulnerabilities. Here, operators attempt to manage the conditions of risk by reducing the likelihood of threats and vulnerabilities that are determined by conditional factors (actors, motive, and outcome). In contrast, operational resilience management aims to reduce effects on organizations by managing the consequences.

42 As one can see in the following subsection, resilience management forms a positive view of deviation. Variability is linked with the openness to new developments and innovative experimentation, both fundamental for daily success (Hollnagel et al., 2006; Hollnagel, 2008, 2009), as well as sustainable competitive advantage (Hamel and Välikangas 2003; Lengnick-Hall 2005).

Figure 23: Risk Elements and Management Implications43

According to the taxonomy of Allen and Curtis (2011), Allen and Cebula (2011), Allen et al. (2011), Allen and Davis (2010) and Caralli et al. (2010), outcome refers to unwanted or unintended results of an actor with a motive exploiting a weakness, exposure, or vulnerability. In contrast, consequence refers to the impact on a person or organization as a result of the exploitation. For example, the outcome of a technical failure can be the denial of access to a sales information system, while the impact for the affected organization might be a loss of $50.000 in revenue per hour.

To sum up, the ex-ante risk management approach is suitable to address anticipated risks; in contrast, operational resilience management, as an ex-post approach, intends to support an organization to continue its mission despite/after disruption.

43 Adapted from Allen and Cebula (2011).

4.1.2 Protection goal

A further distinction between conventional protection and resilience can be drawn regarding the strategic focus and the related objectives for management and design:

Within the established paradigm, the operational concept of safety and security has a focus on singular, concrete assets and hardening against a range of imaginable threats (Perelman, 2006, p. 27). The established approach is to try to reach a state44 that is marked by the absence of something (bad) by means of minimizing uncertainty and variability (Hollnagel, 2008). To contrast protection and resilience as two different perspectives on safety, Erik Hollnagel introduced Theory W and Theory Z: According to the first idealized position of Theory W, safety and efficiency are to be achieved because: Systems are well designed and scrupulously maintained; procedures are complete and correct; people (system operators) behave as expected/as they are taught; designers can foresee and anticipate any contingency (Hollnagel, 2008, p. 3). Different types of failures and malfunctions can threaten normal performance. Accordingly, safety is achieved by constraining performance (variability) in multiple forms as depicted in Figure 25. The shift from functioning (normal operation) to malfunction can happen either gradually in the form of drift or slow misalignment, or in the form of an abrupt transition. The solution to manage uncertainty and variability is to constrain the performance through strengthening barriers and controls such as regulations and procedures (Hollnagel, 2008, p. 3).

44 According to advocates of resilience engineering, former safety models treated safety as something a system has, rather than something a system does (e.g. Hollnagel et al. (2006); Hollnagel (2008)).

Figure 24: Safety by constraints45

45 From Hollnagel (2008, p. 3).

In contrast, the resilience paradigm takes a holistic view of complex adaptive systems and softens the brittleness of the system by reducing vulnerabilities through redundancy, dispersal, reduced scale, self-healing capabilities, accelerated recovery and more graceful failure modes (Perelman 2006; Grote 2009). That is similar to Hollnagel’s opposing idealized position termed Theory Z. This position emphasizes that (performance) variability is not only inevitable but also a source of success. Moreover, the functioning of socio-technological systems is based on the acceptance that humans are key to the proper functioning of organizations because of their inherent capacity to adapt. For this, he gives the following reasons: people learn to overcome design flaws and functional glitches; they adapt their performance to meet demands as they further interpret and apply procedures to match conditions; designers can detect and correct when things go wrong. Here, the solution to manage uncertainty and variability is to identify situations where normal performance variability may combine to produce unwanted side-effects. Continuous monitoring seeks to discover how the system functions in order to select and implement appropriate controls to dampen the threatening impacts of performance variability. Hence, decision makers should try to understand the nature of performance variability, and specifically the underlying forces (internal and external factors) as depicted in Figure 26.

Figure 25: Safety by Management46

46 From Hollnagel (2008, p. 4)

4.1.3 Management and design

Conventional security practices often follow a ‘top-down’ or ‘command and control’ approach (compare the explanations of mechanical and organic management systems in Chapter 3). Such hierarchical and tightly-coupled systems allow efficient and immediate response (Longstaff et al. 2010). Centralized leadership can control the concentrated and specialist workforce based on strict policies and procedures (Nohria 2006). Such feed-forward oriented control can feature high efficiency in responsiveness in the face of anticipated disturbances (Grote, 2009). But analytical study and empirical observation of modern complex systems indicate that such tightly controlled systems often behave in counterintuitive, unintended ways with the potential of producing even catastrophic damage (Perrow, 1984). Moreover, in many conventional approaches to safety and reliability management, which often tend to take a technologically optimistic perspective47 (e.g. Grote, 2009; Hollnagel et al., 2006; Nemeth et al., 2009; Perrow, 1984; Weick and Sutcliffe, 2007), humans are often perceived as a liability causing variability. As variability is seen as a threat, the purpose of design is to constrain variability so that efficiency can be maintained.

In contrast, resilient organizations treat humans as an asset that enables the proper functioning of modern technological systems (Hollnagel, 2008). Thus, scholars in the fields of safety management and organizational reliability (e.g. Butler and Gray, 2006; Hollnagel et al., 2006; Weick and Sutcliffe, 2007; Roberts, 1990) argue that organizational design should concentrate on flexible, local and situated action (Grote, 2009). These scholars further conclude that loosely coupled organizations are better prepared to tolerate perturbations in subsystems (Weick and Sutcliffe 2007). A networked organization characterized by distributed leadership and a dispersed workforce with diverse skills and experiences might be superior in sensing threats and coordinating actions in the occurrence of surprising events (Comfort et al., 2001; Grote, 2009; Mallack, 1998; Nohria, 2006).

Conventional risk approaches seek a system design that is resistant to identified threats by means of several design principles. Classical resistant design strategies include prevention, “resistance that keeps the bad thing(s) from happening” (Longstaff, 2005, p. 25). This “fortification” is found in many fields of application. For instance, oversizing or strengthening of barriers can be found in armored vehicles in military operations, and assets are isolated from others by means of ordinary security principles based on access control (Müller and Koslowski, 2012; Park et al., 2013; Perelman, 2006). Contemporary design practices typically favor efficiency over thoroughness (Hollnagel, 2009). Thus, design is mainly approached as a process of hierarchical decomposition. In this sense, the overall system function and architecture is developed first and then the systems and subsystems are designed accordingly (Fiksel, 2003, p. 5332).

47 The optimistic view of technology is also dominant in IS research (Butler and Gray, 2006).

Some resilience scholars claim that there is a need to shift from conventional practices by integrating risk and resilience approaches (Fiksel, 2003; Park et al., 2013; Petersen and Johannson, 2008). The problem of current engineering starts with an overly limited system definition in the early stages of the design phase. This means that only a portion of the variables that actually affect the system are considered. Hence, where traditional design thinking with a narrow focus of protection and control dominates, failure can often be brittle and catastrophic: The designer might fail to consider consequences of several threats that might occur outside the defined system. Moreover, the design tends to put too little emphasis on different agents’ capabilities to respond to adverse events (Petersen and Johannson, 2008, p. 162). Furthermore, another perverse outcome of catastrophe is sometimes a more determined application of the conventional protective measures that failed in the first place, such as building higher levees or sea walls, reinforcing existing structures, or armoring vulnerable targets (Park et al., 2013; Perelman, 2006; Senge, 1997).

Additionally, prevailing design is often based on incremental adaptations of previous approaches. But in some instances, incremental adaptation can actually lead to the degradation of a safe structure over time due to asynchronous evolution (emergence), where only a minor change is made, but fails to fit with changes in the connected parts (Park et al., 2013; Perrow, 1984), leading to undesired consequences. Hence, defining system borders for design becomes increasingly difficult since our infrastructures and services are becoming more and more interconnected. This increasing interconnectedness and interdependence might bring up the need to expand the scope of the system model so that it also includes other systems that are only indirectly affected by the current design changes (Petersen and Johannson, 2008, p. 163). However, managing for resilience highly relies on expanding decision making boundaries, dialogue and coordination also across organizations48 (Comfort et al., 2001; Grote, 2009; Longstaff et al., 2010; Mallack, 1998; Nohria, 2006).

48 As we will learn in Chapter 6, the reluctance of organizations to share information regarding their system architecture makes it difficult to incorporate external knowledge in the design and management process.

Resilience is a novel way of design and management thinking that relies on an understanding of structures and behavioral patterns of a system (Gunderson, 2002; Walker and Salt, 2006). The often unpredictable nature of complex systems calls for cautious design principles. Hence, (socio-technological) systems should possess adaptive capacity to cope with unexpected events. Regardless of the field of application, the following design principles enhance adaptive capacity and finally resilience: Resilient systems should exhibit diversity, a broad set of different kinds of components that build up the system (Fiksel 2006; Walker and Salt 2006). With regard to resilience, there are two types of diversity that are particularly important (Walker and Salt, 2006, pp. 64–73): functional diversity refers to the range of functional groups that a system depends on. For example in ecological systems, this might include groups of different kinds of species like trees, grasses, deer, wolves, and soil. Functional diversity means that species do different things and therefore underpins the performance of a system. In management, this type of diversification is widely used for risk-mitigation, e.g. in terms of business and product diversity (Hitt et al., 2011), or a diverse portfolio of investments in banking or insurance (Prokein, 2008). The other type is response diversity, the range of different response types existing within a functional group. In ecology, species with the same basic service/function respond differently according to conditions (such as changes in temperature, pollution etc.) (Walker and Salt, 2006, pp. 64–73). This in-built redundancy can effectively increase the resilience of multiple systems: For instance in IT-security, it is widely accepted to decrease the vulnerability by using different computer systems, e.g. different operating systems or email-applications. In the same field of application, the use of redundant systems such as back-up systems and distributed systems is very natural to IT-security and dependability experts (e.g. Wolter, 2012; Avizienis et al., 2004; Sterbenz et al., 2010). Another design feature is modularity as it allows the containment of propagating failures (e.g. Longstaff, 2005; Madni and Jackson, 2009).
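How platform diversity, redundancy and modularity limit failure propagation can be shown with a small dependency model. This is an added example, not taken from the dissertation: the component names, the platform labels os_a and os_b and both designs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    platform: str      # constructed label, e.g. "os_a"
    needs: tuple = ()  # each need is a tuple of alternative providers;
                       # one working provider is enough to satisfy it


def failed_after(components, failed_platform):
    """Names of all components down after a common-mode fault on one platform."""
    names = {c.name for c in components}
    for c in components:
        for alternatives in c.needs:
            if not alternatives or set(alternatives) - names:
                raise ValueError(f"{c.name}: invalid need {alternatives!r}")
    # Direct hits: everything running on the affected platform.
    failed = {c.name for c in components if c.platform == failed_platform}
    changed = True
    while changed:  # propagate along dependencies until nothing changes
        changed = False
        for c in components:
            if c.name not in failed and any(
                all(p in failed for p in alternatives) for alternatives in c.needs
            ):
                failed.add(c.name)
                changed = True
    return failed


def cascade_size(components, failed_platform):
    """Number of components lost through propagation, beyond the direct hits."""
    direct = {c.name for c in components if c.platform == failed_platform}
    return len(failed_after(components, failed_platform) - direct)


def worst_case(components, functions):
    """Business functions lost for each possible single-platform failure."""
    lost = {}
    for platform in sorted({c.platform for c in components}):
        failed = failed_after(components, platform)
        lost[platform] = sorted(
            f for f, providers in functions.items()
            if all(p in failed for p in providers)
        )
    return lost


# Tightly coupled design: single providers, billing chained behind sales.
TIGHT = [
    Component("db", "os_a"),
    Component("mail", "os_a"),
    Component("sales", "os_b", needs=(("db",), ("mail",))),
    Component("billing", "os_b", needs=(("db",), ("sales",))),
    Component("reporting", "os_b", needs=(("billing",),)),
]
TIGHT_FUNCTIONS = {"sell": ("sales",), "bill": ("billing",), "report": ("reporting",)}

# Diverse, redundant and modular design: replicas on both platforms, billing
# decoupled from sales. Reporting is deliberately left without a replica.
DIVERSE = [
    Component("db_1", "os_a"), Component("db_2", "os_b"),
    Component("mail_1", "os_a"), Component("mail_2", "os_b"),
    Component("sales_1", "os_a", needs=(("db_1", "db_2"), ("mail_1", "mail_2"))),
    Component("sales_2", "os_b", needs=(("db_1", "db_2"), ("mail_1", "mail_2"))),
    Component("billing_1", "os_a", needs=(("db_1", "db_2"),)),
    Component("billing_2", "os_b", needs=(("db_1", "db_2"),)),
    Component("reporting", "os_b", needs=(("billing_1", "billing_2"),)),
]
DIVERSE_FUNCTIONS = {
    "sell": ("sales_1", "sales_2"),
    "bill": ("billing_1", "billing_2"),
    "report": ("reporting",),
}

if __name__ == "__main__":
    print("tight  ", worst_case(TIGHT, TIGHT_FUNCTIONS))
    print("diverse", worst_case(DIVERSE, DIVERSE_FUNCTIONS))
```

The unreplicated reporting component shows the limit of the approach: diversity only protects the functions for which an alternative on another platform actually exists.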

Resilient practices are not limited to structural or technological changes, but also strongly rely on behavioral or cultural innovations (McCann and Selsky, 2012; Stephenson et al., 2010): According to Dekker (2003, p. 233), organizations should “invest in understanding the gap between procedures and practice, and help develop operators’ skill at adapting”. For this, he concludes that organizations need to “(a) Monitor the gap between procedure and practice and try to understand why it exists (and resist trying to close it by simply telling people to comply). (b) Help people to develop skills to judge when and how to adapt (and resist telling people only that they should follow procedures)” (Dekker, 2003, p. 236). This is similar to the notion of mindfulness (introduced in Chapter 3), which presumes that “unvarying procedures can’t handle what they didn’t anticipate” (Weick et al., 2007).

The importance of cognitive capabilities for resilience is also underpinned by Hollnagel’s “Four cornerstones of resilience” (depicted in Figure 27): According to Hollnagel, a resilience management process can be modeled as a cycle including responding, monitoring, anticipating and learning (2011, p. xxxvii):

Figure 26: Four cornerstones of Resilience Engineering49

• Responding is the ability to address the actual: it requires knowing what to do, e.g., how to respond to regular and irregular disruptions and disturbances by adjusting normal functioning;
• Monitoring is the ability to address the critical: it demands knowing what to look for, e.g. how to monitor that which is or could become a threat in the near term (either from the environment or within the system);
• Anticipating is the ability to address the potential: it aims at knowing what to expect, e.g., how to anticipate developments and threats further into the future;
• Learning is the ability to address the factual: it involves knowing what has happened, e.g., how to learn from experience.

49 From Nemeth et al. (2009, p. 121); Hollnagel (2011, pp. xxxvii; 279)

Another popular set of resilience management principles is offered by Weick and Sutcliffe’s “High Reliability Organizations” (HROs). While the previously introduced “Normal Accident Theory” can be regarded as a “pessimistic” perspective on safety management, the concept of HRO attempts to capture an “optimistic view” on organizational safety (Roberts, 1990). HROs actively pursue reliability by means of adaption and mindfulness to enable efficient responses to stress and disturbances. HROs’ main principles are:

• Preoccupation with failure: HROs give strong attention to weak signals such as “near-misses” and treat any lapse as something wrong with the system. Unanticipated outcomes and incidents may be analyzed in depth, as the coincidence of several separate small errors may have severe consequences;

• Reluctance to simplify: HROs accept that the world they face is complex, unstable and unpredictable. Attempts at simplification could lead to the non-detection of failures and consequently a crisis might occur;

• Sensitivity to operations: they encourage situation awareness among frontline workers and allow continuous adjustments to current operational information;

• Commitment to resilience: HROs develop capabilities to detect, contain and bounce back from the inevitable errors by training and preparing personnel with deep and varied knowledge;

• Deference to expertise: HROs push decision making down to the people with the most expertise in order to make better decisions, because they know the most about the problem (Weick and Sutcliffe, 2007).

Based on the HRO principles, scholars in the field of safety management claim that resilience is built on mindfulness rather than on routines and complex compliance management systems. Such adaptive approaches (to safety) do not imply an abandonment of procedures, but rather a more demanding informed culture of attention. Turbulence or performance variability demand organizational sensitivity to operations: the timeliness and density of information presented to decision makers is critical in determining whether something becomes an opportunity or a threat (McCann and Selsky, 2012, p. 105).

Mindfulness allows detecting important aspects of the context and taking timely, appropriate action. However, according to the HRO principles above, in organizations the processes of perception are often separate from the processes of action. Front-line employees are often most knowledgeable about the actual state of the operational system. For example, sales people who interact regularly with customers are often most aware of shifting needs and demand. However, these individuals are rarely capable of fundamentally changing the direction or priorities of the organization (which is usually the responsibility of higher management levels). Thus, mindfulness requires organizations to combine quick detection with the capability to make significant decisions. This may involve open decision-making authorities or taking steps to increase top management’s ability to perceive the important signals (Butler and Gray, 2006; Riolli and Savicki, 2003; Weick and Sutcliffe, 2007).

Yet, in order to achieve mindfulness and finally organizational resilience, RMIS must promote timely and accurate information to enable quick responses. This is also stressed by Weick (2003) who states that effective resilience requires quick accurate feedback. Hence, the next sections address the role of IT and IS50 for organizational resilience.

4.2 IT-induced sources of stress and disruption

Before discussing the relationship between resilience research and the IS field in detail, the next section is intended to reconsider the “dark side” of IT for organizational resilience by introducing various sources of stress and disruption associated with an ongoing IT-diffusion.

50 A differentiation between IT and IS is given by Boudreau (2008): IT is capable of information transmission, processing, or storing, whereas IS depict “integrated and cooperating set[s] of software using IT to support individual, group, organizational, or societal goals” (Boudreau et al., 2008, p. 2).

The importance of information technology (IT) has brought about the urgent need to ensure its continuous and reliable operation and to protect the processed and stored data. The intensive use of interconnected and complex IT-systems incurs risks with increasingly severe disruptive effects. The double-edged role of information systems for coping with complexity and disruption has been a major theme in prior computer science and IS research (for an overview e.g. Avizienis et al., 2004; Butler and Gray, 2006; Caralli et al., 2010; Fenz et al., 2011; Seo and La Paz, 2008; Sterbenz et al., 2010; Tanriverdi et al., 2010; Tjoa et al.; Wolter, 2012).

For instance, Tanriverdi et al. (2010) discuss how IT has contributed to increasing complexity of operational environments “by fusing into the fabric of products, services, and business processes and by increasing the diversity, adaptiveness, interconnectedness, and interdependency of firms” (p. 823). This increase in complexity arises from the co-evolution between global and economic pressures on the one hand and the pervasiveness of technology on the other hand. The global economy brings requirements for more open borders to compete and thrive. Moreover, open borders introduce additional stress and exhibit risks outside the focal firm’s control. For instance, outsourcing can often cause core competencies to diminish while the dependency on upstream partners steadily grows (Tanriverdi et al., 2010, pp. 823f.). In order to keep pace with the volatile and highly competitive business landscape, companies attempt to optimize their business processes by intensifying IT usage. But more technology also comes along with more complexity: The sources of competitive advantages increasingly rely on intangible resources that are more challenging to identify, locate and protect (Caralli et al., 2010, pp. 15f; Seo and La Paz, 2008). Further, as processes evolve, new technologies can introduce new risks. This is depicted in Figure 28.

Figure 27: IT-induced sources of stress and disruption

The IT-diffusion raises complexity, dynamics, and vulnerability in multiple ways: An example of IT-induced complexity in terms of products is the automotive industry where more than 80% of innovations come from computer systems and software that improve technical performance, safety, convenience, and energy consumption (Tanriverdi et al., 2010, pp. 823f.). Today, a premium car contains around 100 million lines of software code that executes on more than 70 microprocessor-based units. Nowadays, cars have become “a platform for IT-innovations that interconnect car components and increase their mutual dependencies”. This development is accompanied by significant economic effects: Firstly, the costs of IT in cars climbed from 5% of total costs in the 1970s to more than 15% today (ibid.). Secondly, the complexity has further led to emerging unintended and unpredictable safety and reliability problems. Tanriverdi et al. cite a study conducted by IBM estimating that in 2009 approx. 50% of all car warranty costs were related to IT-failures (2010, p.823).

IT-induced complexity is also evident in entire business systems in terms of interdependence and in terms of inter-connectedness (Butler and Gray, 2006; Caralli et al., 2010; Tanriverdi et al., 2010): IT-enabled interconnections have promoted the rise of business ecosystems (e.g. Kim et al., 2010, and Chapter 6) where industry and market-boundaries have blurred. In those ecosystems, different actors, such as dominant platform leaders and complements, have developed various types of nonlinear dependency relationships that are often asymmetric and unpredictable. Today, companies are faced with turbulent disruptions and cascading effects across a wide range of industries. For instance, in the financial sectors, interactions between automated trading software can create anomalous stock trading patterns; seemingly minor problems of a supplier can cause serious disruptions for the integrated supply chain (as for example in the Nokia case described in Chapter 3); and also software problems can trigger widespread power outages (Tanriverdi et al., 2010).

The work by Seo and La Paz (2008) also identified and discussed several problems of IS with regard to their impact on organizational agility. One major problem arises with the overwhelming collection of data: Most organizations are confronted by floods of data from a variety of sources, which creates information overload and exacerbates the identification and interpretation of changing business needs. Among other problems, the authors point out two major obstacles that hinder effective responsiveness: a lack of standardized data, which requires time-consuming conversion, and the increasing management efforts due to IT-usage (Seo and La Paz, 2008).

All these examples underline the need for organizations to also reconsider the threats and vulnerabilities that arise with extensive IT usage. Although the implementation of technology provides demonstrable opportunities for organizational effectiveness and efficiency, it also increases the likelihood of disruptions and failures. As highlighted in the previous chapters, being responsive in cases of unexpected disruptions is already a major challenge for management. Achieving resilience by means of IT and IS is even more challenging, as IT systems are generally developed to fulfill predefined properties and offer a hard-wired set of exception handling functionalities. Therefore, organizations and their decision makers are increasingly forced to rethink how they address the security and reliability of their IT infrastructure and the supported business processes. Traditionally, this has been the domain of experts in the fields of IT security, information risk management and business continuity management (Caralli et al., 2010, p. 17).

The next section briefly introduces the reader to the fundamentals of IS, and of IS security and risk management in particular. This is followed by an introduction to recent challenges and efforts in IS risk and security management (Subsection 4.3.2).

4.3 IS management fundamentals

Today, companies are enabled to act on global markets with the help of modern

information technology (IT) and information systems (IS). IS scholars such as

Laudon and Laudon (2010) suggest the following differentiation

between IT and IS: While IT consists of hardware and software an organization

uses to achieve its mission, IS can be understood as a complex set of interrelated

components that collect, process, store, and distribute information to support

decision making and control in an organization. Additionally, IS may also support

users in problem-solving and the development of new products (p. 45-46).

In order to support organizations with appropriate information, a typical firm will

usually make use of different types of IS such as Enterprise Resource Planning

(ERP) Systems (Koslowski and Strüker, 2011), Management Information

Systems (MIS) or Supply Chain Management (SCM) Systems (for an overview,

see e.g. Laudon and Laudon, 2010, Chapter 2). To cope with complex and

complicated computing tasks, so-called decision-support systems (DSS) are

intended to support human decision making. DSS initially emerged in the

1970s, coupled with the introduction of IT infrastructures. Their

evolution has not stopped since, and contemporary IT infrastructures such as the internet

continue to advance the development of DSS (Power, 2008). Power (2008) provides a

more detailed history of DSS. As a subgroup of IS, DSSs are computer

technology solutions which provide relevant data and information to decision

makers in order to support problem solving and complex decision making;

thereby, the provided information allows for enhanced efficiency and rationality

(Power, 2008). In this regard, Power identifies three major characteristics of DSS

(Power, 2002): (1) Facilitation of decision processes; (2) Focus on support rather

than automation of decision making; (3) Quick response to changing needs of

decision making processes. Power (2002) further notes that DSS "should be

considered when two assumptions seem reasonable: firstly, good information is

likely to improve decision making; and secondly, managers need and want

computerized decision support".

As we will see in the subsequent chapters, in terms of organizational resilience

and sustainability, both assumptions seem to be reasonable. On the one hand,

visibility is essential in order to improve resilience and reduce vulnerability of

organizational structures and processes; on the other hand, decision making in

complex supply networks would not be feasible without computational support.

Therefore, the provision of supporting information is essential for successfully

developing resilient and sustainable organizations.

Despite the fact that the application of ICT entails various benefits for

organizational sustainability and resilience (see the following chapters), a recap of

section 4.2 shows that an excessive expansion of IS may also increase complexity

and therefore increase the vulnerability to disruptions. Hence, the

consideration of complexity-efficiency trade-offs in IS architecture is important.

As introduced at the beginning of this chapter, the main components of IS

architectures are technology (such as hardware and software), people and data. In

order to store and process data in a systematic way, IS use databases, generally a

collection of related records organized in a structured manner so that they can be retrieved

efficiently. Hence, IS are key to supporting an organization's operations,

knowledge work, and management and organization. For operational support, IS

rely on transactional processing systems that help to integrate all tasks and

resources required to design, market, produce, and deliver products and services.

The other role of IS refers to management support, such as DSS, MIS and knowledge

management systems (e.g. Power, 2002; Laudon and Laudon, 2010). As IS have

an undeniable impact on operational performance (McAfee and Brynjolfsson,

2012), they are also a key enabler for organizational resilience: Resilient

organizations invest in awareness and mindfulness, as they actively scan and

engage in sensemaking of what they perceive and experience, and are able to

derive insights from deviations detected (McCann and Selsky, 2012, p. 46).

Building awareness requires well-developed information gathering, filtering,

sharing, and decision making processes that support sensemaking. Information

systems form the basis of awareness-building, as they collect, coordinate and

validate information from different and distributed sources. Organizations need to

employ analytical tools and technologies such as data mining to handle the

overwhelming amount of data and information.

Before describing the goals and requirements for the design of Resilience Management Information Systems, the next subsection provides a brief overview of two widely used IS architectures, Enterprise Resource Planning (ERP) and Workflow Management Systems51 (WFMS), that enable decision makers to deal with the growing data quantity and quality, and consequently to react to changes quickly. Specialists who are familiar with these IS may want to turn directly to subsection 4.3.2, where the reader is briefly introduced to IS risk and security management.

4.3.1 ERP and WFMS

IT systems that focus on process management and improvement help

organizations to fulfill their operational missions. Generally speaking, processes

are structured specifications of personnel and business data usage that run (at

least) semi-automated in an IS. Today, the vast majority of organizations see the

necessity to explicitly model their business processes in order to apply automated

analytical and optimization techniques. A major advantage of process-orientated

management is the decoupling of infrastructure and organizational workflows as a

means to enhance enterprises’ overall performance and effectiveness. Examples

of systems building upon processes can be found in very different domains and

range from, e.g., organizations’ supply chains, banking and backbone infrastructure to parts

of critical infrastructure such as smart grids or nuclear power plants (Vom Brocke

and Rosemann, 2010). Very popular IS architectures for managing and improving

business processes are Workflow Management and Enterprise Resource Planning

(ERP) systems.

51 WFMS can be defined in various ways. However, almost every definition defines WFMS as a sub-area of Business Process Management (BPM) Systems (van der Aalst, 2004). A deeper investigation of BPM will follow in Chapter 5. Until then, the terms WFMS and BPM will be used interchangeably.

Although both classes of IS-architectures focus on business processes, they

exhibit distinct features and approaches. According to Cardoso et al. (2004),

under a WFMS, a workflow model is first created to specify organizational

business processes, and then workflow instances are created to carry out the actual

steps prescribed in the workflow model. During the workflow execution, the

workflow instances can access legacy systems, databases, applications, and can

interact with users. On the other hand, ERP systems are implemented around the

idea of prefabricated applications. To achieve better “fit” between the

prefabricated applications and the needs of the organization, ERP systems must be

“customized” by setting various application parameters. However, the workflow

model in conventional ERP systems is not explicitly specified because it is

embedded in the applications and the parameter tables.

Figure 28: WFMS and ERP systems52

Figure 29 represents one of the key differences between WFMS and ERP systems.

One way to better understand these differences is to distinguish between flow

logic and function logic. Function logic deals with a specific task, such as

updating a customer record or calculating order discounts, while flow logic deals

with combining many functions in some sequence to solve more complex

problems such as processing an order. In ERP systems, flow logic and function

logic are both embedded in applications and parameter tables. In contrast, a

52 From Cardoso et al. (2004).

WFMS separates the two explicitly. Flow logic is captured in a workflow model,

usually graphically represented, and function logic is captured in the applications,

data, and people the model invokes. Thus, a WFMS enables developers to separate

the flows among a system’s components (applications, data, and resources) from

the workflow model. Workflow systems are process-centric, focusing on the

management of flow logic. On the other hand, ERP systems are data-centric,

focusing on managing function logic via a common homogeneous data

infrastructure across the organization to support multiple applications.
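
The separation of flow logic and function logic described above, as an added example that is not taken from Cardoso et al. (2004) or from any WFMS or ERP product; all function names, the order data and the approval rule are hypothetical. Because the WFMS-style flow is an explicit model, an ordering rule can be checked on the model itself, whereas in the ERP style the sequence exists only inside the application code and its parameter table.

```python
import copy

# --- Function logic: each function performs one specific task ---------------
def calculate_discount(order):
    # Constructed rule: 10% discount on orders of 1000 or more.
    order["discount"] = round(order["amount"] * 0.10, 2) if order["amount"] >= 1000 else 0.0
    return order

def approve_order(order):
    order["approved"] = True
    return order

def update_customer_record(order):
    order["customer_updated"] = True
    return order

def ship_order(order):
    order["shipped"] = True
    return order

# --- ERP style: flow logic is embedded in the application and steered by a
# --- parameter table; there is no separate model of the sequence.
ERP_PARAMETERS = {"require_approval": True}

def erp_process_order(order, params=ERP_PARAMETERS):
    order = copy.deepcopy(order)
    calculate_discount(order)
    if params["require_approval"]:
        approve_order(order)
    update_customer_record(order)
    ship_order(order)
    return order

# --- WFMS style: flow logic is an explicit workflow model (plain data);
# --- function logic stays in the functions that the model invokes.
FUNCTIONS = {f.__name__: f for f in
             (calculate_discount, approve_order, update_customer_record, ship_order)}
WORKFLOW_MODEL = ["calculate_discount", "approve_order",
                  "update_customer_record", "ship_order"]

def run_workflow(model, order):
    """Create a workflow instance from the model and execute it step by step."""
    instance = copy.deepcopy(order)
    trace = []
    for step in model:
        instance = FUNCTIONS[step](instance)
        trace.append(step)
    return instance, trace

def always_preceded_by(model, step, required_before):
    """Check on the model alone that `step` never runs before `required_before`."""
    seen = False
    for name in model:
        if name == required_before:
            seen = True
        elif name == step and not seen:
            return False
    return True

SAMPLE_ORDER = {"customer": "C-001", "amount": 1200.0}  # constructed input

if __name__ == "__main__":
    instance, trace = run_workflow(WORKFLOW_MODEL, SAMPLE_ORDER)
    print("same result as ERP style:", instance == erp_process_order(SAMPLE_ORDER))
    print("executed steps:", trace)
    print("approval precedes shipping:",
          always_preceded_by(WORKFLOW_MODEL, "ship_order", "approve_order"))
```
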

Cardoso et al. (2004) compare the IS-architectures along three main dimensions:

domain scope, technological scope, and system implementation, summarized in

Table 8.

Table 8: WFMS vs. ERP Systems53

Domain Scope

WFMS:
• Customized processes
• Domain independence
• Ad-hoc and dynamic domains

ERP systems:
• Embedded processes with some customization
• Domain specific
• Static domains

Technological Scope

WFMS:
• Process-centric
• Supports workflows involving humans, IT applications, and transactional workflows
• Heterogeneous and autonomous environments

ERP systems:
• Data-centric
• Transactional workflows
• Homogeneous environments with common data infrastructures

System Implementation

WFMS:
• Workflows are manually designed and the corresponding code is automatically generated
• May require data conversions

ERP systems:
• Based on pre-written “off-the-shelf” components
• Require data conversions

The domain scope captures the suitability of an IS for a specific application type.

The capability of WFMS to uncouple flow logic from functional logic, and to

53 Adapted from Cardoso et al. (2004).

integrate different kinds of data, applications and resources allows their application

in a wide range of domains. In contrast, ERP systems are largely domain

specific as they are built on reference models, including predefined libraries of

business processes for diverse functions (including underlying data and process

models). Thus, ERP systems usually have more difficulty supporting ad hoc and

heterogeneous processes than WFMS.

The technological scope describes differences in technological capabilities. WFMS are

well suited for controlling and coordinating process executions of multiple tasks

that require access to heterogeneous, autonomous and distributed systems with

high human involvement (Antunes and Mourão, 2011). ERP systems, in contrast, are

data-centric, as the focus lies on the integration of interoperable databases and

structured data transactions.

The last dimension covers implementation issues such as code generation and data

conversion. ERP systems are usually composed of prescribed software modules

available “off-the-shelf” and require data conversions for further module

integration (Cardoso et al., 2004; Koslowski and Strüker, 2011). WFMS on the

other hand are not module-oriented and the deployment of applications is usually

accomplished with little programming. As they do not require a uniform and

interoperable data infrastructure, a data conversion is not mandatory but may be

helpful for organizational purposes (Cardoso et al., 2004).

Despite the differences between ERP and WFM systems, both IS architectures are

widely used in practice for managing business processes. Moreover, there is an

ongoing trend towards integrating both system types with each other.

The goal of this section was to provide the reader with some basic knowledge

of IS architectures by giving a brief comparison between ERP and WFM systems.

Both system architectures will be the subject of two IT artifacts introduced in Chapters

5 and 6.

4.3.2 IS risk management

As illustrated in the previous section, managing evolving IT risks is imperative for

modern organizations to ensure resilient operation and to protect the transmitted

and stored data (Butler and Gray, 2006)54. Besides the disruptions and stress

factors described above, legal frameworks, such as the Sarbanes-Oxley Act and

Basel II/III, require decision makers to define mitigation strategies for their

operational IT risks. However, since data protection, privacy regulations, and

security standards are a complex range of requirements to which decision makers

have to respond, organizations are increasingly forced to rethink how they

perform risk and compliance management and, equally, how they address the

security and resilience of their business processes. There is, thus, a pressing need

for an overarching resilience management information system able to provide

context and coherence to risk and compliance activities.

To date, though, organizations have mostly relied on best practice guidelines,

information security standards, or domain experts to conduct the risk assessment

and mitigation phases. The prohibitive costs of such approaches can lead to

risk assessment being ignored. In fact, according to the 2008 Information Security

Breaches Survey (Fenz and Neubauer, 2011), only 48% of 1,007 interviewed UK

organizations formally assess information security risks. While approaches based

on best practices, standards and experts can substantially support organizations in

managing risks, they have a variety of shortcomings, in particular because

decision makers have to "manually" deal with the following key questions:

(1) What are potential threats for my organization?; (2) What is the likelihood of

these threats?; (3) What is the potential impact of a particular threat?; (4) Which

vulnerabilities could be exploited by such threats?; (5) Which controls are

required to mitigate these vulnerabilities?; and finally (6) What are the

investments in security worth?

While in-depth knowledge of the organization in question and the IS domain as a

whole is fundamental to existing approaches, little research has been conducted on

the knowledge representation of the domains that are relevant to IS risk

management. Recent studies indicate the lack of IS knowledge at the management

54 This subsection is based on Fenz et al. (2013), which presents the research cooperation project “FORISK (Formalizing Information Security Risk and Compliance Management)” between the Department of Telematics of Freiburg University and Technical University of Vienna. The author of this thesis has been a member of the project from 2013-14.

http://www.telematik.uni-freiburg.de/forschung/forschungsgebiete/itrc?projectId=8595.

level as one reason for inadequate or missing IS risk management

strategies (Caralli et al., 2010).

4.3.2.1 Current Challenges of IS Risk Approaches

Existing IS risk and resilience approaches have a myriad of limitations:

• Best practice guidelines provide good information about potential threats, vulnerabilities, and controls, but without an information security domain expert, the organization is usually unable to consider the many complex relationships between all the relevant information security concepts, which results in a non-comprehensive information security approach that endangers the performance of the organization’s mission.

• Information security standards, such as ISO 27001/27002, tend to state very abstract implementation suggestions for risk mitigation; concrete measures or combinations thereof are mostly missing, leading to inefficient or even misleading risk mitigation strategies. Effective tools that could be used for the automated compliance check are missing.

• In order to identify the concrete infrastructure elements at risk, the organization has to manually combine the knowledge from best practice guidelines with their actual infrastructure.

• The determination of threat probabilities is predominantly based on subjective perceptions and not on an objective evaluation.

• While companies strive for cost-conscious solutions, they are frequently unaware of their level of IT security capital expenditure or, even more importantly, whether these investments are effective.

Management decision makers, such as the COO or CIO, are faced with a great

spectrum of potential IT security investments on the one hand and the decision of

choosing the most appropriate set of IT security investments on the other hand.

Existing methods provide decision makers with limited intuitive and interactive

decision support and, thus, fail to support them in making an appropriate risk

versus cost trade-off when deciding on the optimal level of investments in IT

security solutions.

The project “Formalizing Information Security Risk and Compliance

Management” (FORISK) has sought to address these essential yet open issues by

providing a new approach to support decision makers in interactively defining the

optimal set of security controls and resilience principles according to common

regulations and standards. The proposed project has involved three essential yet

unsolved research problems:

• Formal Information Security Standards Representation: How can decision makers (and organizations) be supported in assessing, defining and selecting the optimal level of security investments (and thereby making an appropriate risk versus cost trade-off) in line with given business processes, multiple objectives such as acceptable risk level or resource constraints and interdependencies? And more precisely, how can they be supported in selecting which ISO 27002 controls are worth investing in?

• Risk Determination: How can business processes be used to determine assets’ importance (potential impact) in the overall organizational context? How can risk levels of business processes (i.e., the probability that the business process does not deliver the expected output) be determined based on assets’ importance as well as implemented safeguards, applicable a priori probabilities, and relevant attacker profiles?

• (Semi-)automated Countermeasure Definition: What and how much data has to be presented for risk management and how must the data be displayed to decision makers in order to support them in making the optimal decision according to their corporate requirements?

In order to answer these research questions FORISK makes the following

contributions:

(i) Support decision makers in focusing on the essential parts of the compliance check: defining risk mitigation strategies. The ontology developed brings the abstract suggestions stated in standards to a concrete level and extracts the information that is necessary for an effective and efficient decision.

(ii) Provide decision makers with a methodology for defining countermeasures (and thereby making the appropriate risk versus cost trade-off) in an interactive and intuitive way while the system automatically ensures that the selected solution will be efficient with respect to given business processes, acceptable risk and resilience levels, and resource constraints.

(iii) Make a major step beyond the state of the art by introducing a methodology that allows a (semi-)automated compliance check based on the ISO27001/27002 standard.

(iv) Render the tedious work of manually combining the knowledge from best practice guidelines with the organization's actual infrastructure obsolete.

(v) Allow the objective evaluation of risks in accordance with corporate business processes and the demand for protection instead of subjective perceptions.

(vi) Provide decision makers with a framework characterized by ease of operation and efficient handling of the kind they are used to, e.g., from using their iPad. The subjective user experience is an essential factor for the success of methodologies intended to be used by top management. Furthermore, usability allows cost reduction and faster project cycles due to a higher level of user acceptance and user satisfaction.

(vii) Provide a formal and standardized representation of the ISO27002 standard within an ontology and thereby provide a “common language” in the area of risk management to facilitate communication among stakeholders.

(viii) Enable an ex post assessment and control loop of business process resilience based on exploratory mining techniques.

(ix) Build the methodologies on the requirements made by top management decision makers and evaluate the applicability of the approaches in practice.

4.3.2.2 FORISK Framework

This section provides an overview of the FORISK framework. The main modules

are illustrated in Figure 30.

Business Process Importance Determination. Based on business process models

and an overall importance value for each business process, asset importance

values are automatically calculated. As input we use business process models,

such as those provided by the business process management solutions ARIS and ADONIS,

including required assets connected on the activity level, which are internally

transformed into Petri nets for further processing. In addition, each business

process is assigned an importance value, either monetary (e.g., Euros per hour) or

qualitative (e.g., High, Medium, and Low). With this input data at hand, (i) a

business process-wide, local importance value and (ii) an organization-wide,

global importance value are calculated for each resource. While existing

approaches of importance determination (cf. Fenz et al., 2009) do not incorporate

dynamic aspects such as duration of activities and recovery times, we aim to

integrate the time-factor as a crucial determinant of business process

resilience (Caralli et al., 2010).

Figure 29. FORISK Modules55

Inventory Knowledge Base. In the early phase along the risk and resilience

management cycle, an organization has to define (i) its assets, (ii) the

corresponding acceptable risk levels, (iii) the organization-wide importance of the

defined assets, and (iv) the attacker profile in terms of motivation and capability.

To store and interrelate this information with general information security domain

knowledge we use a security ontology. The security ontology by Fenz et al. is

utilized, which is based on the security relationship model presented in the NIST

800-12 (Fenz and Ekelhart, 2009). Transferring the advantages of formal

specifications to the challenge of modeling security relationships results in the

following three major advantages: (i) ontologies facilitate interoperability by

55 From Fenz et al. (2013).

providing a shared understanding of the domain in question and help to avoid

heterogeneity, (ii) ontologies provide a formalization of shared understanding

which allows for machine-processability, and (iii) ontologies support reusability

as an important factor in information security risk management. Information

already gained about one's own company, including identified risks and applied

actions, is of paramount importance for the ongoing handling and maturity of the

information security risk management process. Not only can the created data be

reused in future projects, independently of implemented tools, but other

groups, e.g., open communities facing similar risks in the same domain or partner

organizations, can also profit from the collected data. The ontology follows the OWL-DL

(W3C Web Ontology Language) standard and ensures that the knowledge is

represented in a standardized and formal form to enable its utilization by

automated systems. The introduced security ontology incorporates a basic set of

concept definitions, relations, and formal axioms to generate an ontological model

of the organization in the system characterization phase but has to be adapted to

allow the use of ISO27001/27002 objects and filled with data.

Ex-ante Risk Determination. In this phase, our approach extracts knowledge

regarding threats, threat a priori probabilities, vulnerabilities, existing and

potential control implementations, attacker profiles, and the assets of the

organization from the security ontology and establishes a Bayesian network

capable of calculating threat probabilities based on the aforementioned input

information. In general, a threat requires a threat origin and an existing

vulnerability to become effective. A human threat origin can exploit a vulnerability

either accidentally or deliberately. At this step it is important to compile a

comprehensive list of potential threats (e.g., as recommended in Fenz et al.,

2011). While standards and best practices often provide an exemplary threat list,

the risk manager is not always aware of the nature of each threat (Which

threats threaten critical assets? Which threat is a multiplier?). Such questions are

hardly addressed in current information security risk management standards or

best-practice guidelines. Starting from the threat report produced in the previous

step, the vulnerability identification step analyzes potential vulnerabilities which

are present in the defined system. This includes the consideration of

vulnerabilities in the field of (1) management security (e.g., no assignment of

responsibilities or no risk assessment), (2) operational security (e.g., no external

data distribution and labeling or no humidity control), and (3) technical security

(e.g., no cryptography solutions in use or no intrusion detection in place). For

each threat, highly granular vulnerabilities that the threat could exploit are

defined and modeled in the ontology. For each of the vulnerabilities a mitigation

control is assigned; implementing a control thus aims to close the vulnerability. With

these functions in place, a user knows exactly how to protect his organization

from specific threats: mitigating vulnerabilities by implementing recommended

controls.

Control Selection. In this process step, controls which could mitigate or eliminate

the identified risks, as appropriate to an organization’s operations, are provided. In

the control evaluation phase existing and potential control implementations, their

effectiveness, initial and running costs are extracted from the security ontology.

Information regarding the relevance of existing and potential control

implementations is extracted from the Bayesian threat probability model. Using

the extracted data as input for the interactive decision support methodology, a

methodology is provided for two fundamental IS risk management questions (and

a significant extension to our previous work, cf. Neubauer et al., 2008): (i)

Which IT security solutions can generally be used to mitigate the risk to an

acceptable level?, and (ii) Which IT security solutions should be used to mitigate

the risk cost-efficiently to an acceptable level? In contrast to traditional risk

management processes, this solution provides a thorough knowledge base about

countermeasures and thus (i) saves time, (ii) prevents solutions from simply being

forgotten, and (iii) provides effective controls in compliance with best-practice

standards. Furthermore, it supports decision makers in deriving concrete security

solutions based on the abstract control definition of the ISO 27001/27002

standard. However, with the list of potential control instances at hand, the

decision makers still have to identify the optimal set of security solutions under

economic considerations. Such cost-benefit analyses are still rarely considered by

existing security standards such as NIST SP 800-30 and focus mainly on financial

measures.
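
The two control selection questions above, worked through on a small model as an added example that is not FORISK's own code: it substitutes a noisy-OR combination for the Bayesian threat probability model and an exhaustive search for the interactive decision support methodology. All controls, vulnerabilities, weights, costs, impacts and acceptable risk levels are constructed sample values.

```python
from itertools import combinations

# Constructed sample data (assumptions for illustration, not from FORISK).
CONTROLS = {  # control -> (effectiveness 0..1, cost in Euros)
    "access_policy": (0.8, 3000),
    "encryption": (0.9, 8000),
    "intrusion_detection": (0.6, 5000),
}
VULNERABILITIES = {  # vulnerability -> (exploitability weight, mitigating control)
    "no_assigned_responsibilities": (0.5, "access_policy"),
    "no_cryptography": (0.7, "encryption"),
    "no_intrusion_detection": (0.6, "intrusion_detection"),
}
THREATS = {  # a priori probability, exploitable vulnerabilities, impact, acceptable risk
    "data_disclosure": {
        "prior": 0.4,
        "vulns": ["no_cryptography", "no_assigned_responsibilities"],
        "impact": 100_000, "acceptable": 10_000},
    "unauthorized_access": {
        "prior": 0.5,
        "vulns": ["no_intrusion_detection", "no_assigned_responsibilities"],
        "impact": 60_000, "acceptable": 20_000},
}

def threat_probability(threat, implemented):
    """Noisy-OR: the threat becomes effective if its origin is present (prior)
    and at least one of its vulnerabilities is exploited. An implemented
    control reduces the exploitability of the vulnerability it mitigates."""
    p_none_exploited = 1.0
    for vuln in threat["vulns"]:
        weight, control = VULNERABILITIES[vuln]
        residual = 1.0 - CONTROLS[control][0] if control in implemented else 1.0
        p_none_exploited *= 1.0 - weight * residual
    return threat["prior"] * (1.0 - p_none_exploited)

def risk(threat, implemented):
    """Risk = threat probability x impact (the asset's importance value)."""
    return threat_probability(threat, implemented) * threat["impact"]

def cost(implemented):
    return sum(CONTROLS[c][1] for c in implemented)

def acceptable_control_sets(threats=THREATS):
    """Question (i): all control sets that bring every threat to an acceptable risk."""
    names = sorted(CONTROLS)
    found = []
    for size in range(len(names) + 1):
        for subset in combinations(names, size):
            if all(risk(t, subset) <= t["acceptable"] for t in threats.values()):
                found.append(frozenset(subset))
    return found

def cheapest_control_set(threats=THREATS):
    """Question (ii): the cost-efficient choice, or None if no set is acceptable."""
    return min(acceptable_control_sets(threats), key=cost, default=None)

if __name__ == "__main__":
    for name, threat in THREATS.items():
        print(f"{name}: risk without controls = {risk(threat, ()):.0f}")
    for controls in acceptable_control_sets():
        print("acceptable:", sorted(controls), "cost:", cost(controls))
    print("cheapest:", sorted(cheapest_control_set()))
```
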

Resilience Determination. In contrast to the module “Ex ante Risk Determination”,

which attempts to calculate operational risks based on (either subjective or

historical) threat probabilities (focus on the cause of events), ex post resilience

detection focuses on the business processes’ interdependencies and potential to

cascade (focus on the impact) (Koslowski et al., 2013a). This module for “Process

Resilience Detection” (PREDEC) will be introduced in the next chapter. The

design of PREDEC as an ex post checking module closes the management

cycle of the FORISK architecture. PREDEC is thus intended to additionally

address further questions such as (i) Do the actual process models correspond with

the intended concepts? (ii) Does the observed system behavior meet requirements

of the respective compliance standard? (iii) Can we derive further information

about the dynamic system behavior (e.g. recovery time, rate of degeneration)? In

order to extract the interdependencies and dynamics, PREDEC attempts to

employ process mining techniques for conformance checking (Accorsi and

Stocker, 2012) as well as process discovery (Accorsi et al., 2012; Accorsi et al.,

2013).

4.3.3 Limitations of IS risk management

FORISK is one of many examples within the areas of IT/IS risk and security

management which show that the tension between IT-enabled productivity

gains and emerging vulnerabilities and risks has been well recognized for decades.

However, while IS architectures such as ERP and BPMS (for a more detailed

explanation, see Sec. 4.3.1) are often associated with significant performance

improvements by means of standardization, high formalization, automatization

and service decomposition (Balasubramanian and Gupta, 2005), their potential for

enhancing security and risk management is gaining momentum but is still not

fully exploited (Jakoubi et al., 2009). A key challenge arises from the fact

that existing approaches of information security and risk management mainly

assume stable, predictable and isolated process types.

This is sometimes in contrast to business reality, as large organizations often

have hundreds or more interdependent processes in place (Houy et al., 2011).

As a consequence, today's complex and fragile IS are prone to unforeseeable

disruptions (Caralli et al., 2010). This is supported by Butler and Gray (2006) who

identified the paradox of relying on complex systems composed of unreliable

components for reliable outcomes as a mostly neglected field in IS research so far

(Butler and Gray, 2006). These gaps call for a transfer of resilience engineering

and resilience management principles to IS research and management. The next

section attempts to introduce the resilience concept and its implications in the

areas of IS research and business informatics56.

4.4 Resilience and IS research

The starting point for putting resilience into IS research context has its roots in the

study of safety-critical socio-technological systems characterized by high

uncertainty (Hollnagel et al., 2006; McCann and Selsky, 2012; Meyer, 2013).

Recent works and theoretical developments, introduced in the earlier chapters of

this dissertation, such as the “Normal Accident Theory” (Perrow, 1984) and “High

Reliability Organizations” (Weick and Sutcliffe, 2007) indicate that some failures

are not only hard or impossible to predict, but also inevitable products in complex

and tightly-coupled systems. Resilience is an emergent property associated with

an organization's capacity to continue its mission despite disruption through

mindfulness (Weick and Sutcliffe, 2007), resourceful agility and recoverability,

e.g. (Caralli et al., 2010; Hollnagel et al., 2006). Therefore, resilience is a

combination of technical design features, such as fault-tolerance and

dependability (Avizienis et al., 2004), with organizational features such as

mindfulness, training and decentralized decision making (e.g. (Antunes and

Mourão, 2011; Weick and Sutcliffe, 2007) and Chapter 3). Hence, this socio-

technological conception of resilience has recently attracted IS scholars' attention

(e.g. Antunes and Mourão, 2011; Caralli et al., 2010; Riolli and Savicki, 2003).

The following sections are dedicated to providing an overview of existing work on

IS resilience and its shortcomings, and finally discuss its implications for IS

Research.

56 This section contains fragments of the paper Müller et al. (2013) that capture and establish a relationship between resilience and IS research.

4.4.1 Status quo and shortcomings

Although resilience is widely recognized in related disciplines such as Computer

Science (Wolter, 2012), Contingencies and Crisis Management (Boin and

McConnell, 2007), or Safety Engineering (Hollnagel et al., 2006), there is an

apparent incongruity between the level of interest paid by practitioners and the

attention that IS scholars have given to resilience (Müller et al., 2013). Today,

only a limited number of resilience studies exist. This research gap is

surprising, as resilience is often said to be a combination of social or

organizational and technical qualities and, therefore, a research topic well-suited

for IS research. The following literature review identifies current research gaps

and challenges as a foundation for an IS resilience research agenda.

The majority of recent work on IS resilience and related research remains on a

pure conceptual level. For example, a recent literature review on the related

concepts IS reliability and mindfulness has been carried out by Butler and Gray

(2006), examining how organizations achieve reliability when operating in

complex, fragile, and often unreliable IS environments. Although the authors

intended to contribute to IS reliability, they introduced mindfulness, an

organizational resilience concept, into IS research (Weick and Sutcliffe, 2007).

Accordingly, they provide a foundational framework of IS reliability achieved by

balancing routine-based strategies (focus on reducing variability and deviation)

and mindfulness-based strategies (focus on cognitive and organizational

capabilities for contextual sense-making). This is depicted in Figure 30 below:

Based on a comprehensive literature review, they conclude that IS research

provides little guidance for organizational reliability and highlight the need for

conceptual tools and artifacts that help management to mindfully support

surviving and thriving in complex, dynamic environments. Similarly, Riolli and

Savicki (2003) emphasize individual and organizational characteristics against

pressuring information system work environments. The authors conclude that

much more empirical work has to be done to analyze the interrelations between

stressors and resilience outcomes on an individual and organizational level. Based

on a broader literature review on resilience across multiple disciplines, Erol et

al. (2010) propose a framework to discuss the moderating role of IS in assisting

connectivity and collaboration in order to support resilience (Erol et al., 2010b).

Figure 30: Foundations of IS Resilience57

Another research stream addresses the issue of resilient IS architectural design.

Inspired by biological systems, Zhang and Lin (2010) introduced a set of

resilience axioms and derived five principles of engineered artifact systems. These

principles encompass technical and managerial recommendations to increase

system resilience such as inherent redundancy, flexible coordinative

responsibilities, and components for monitoring and continual training. Others

discuss the relationship between resilience and other similar architectural

properties and present seven constraints to consider in the architecture for

enhancing resilience (Liu et al., 2010a). A set of fundamental requirements for

supporting resilient business process management (BPM) is given by Antunes and

Mourão (2011). While these works capture basic

requirements for resilient IS design, they lack empirical validation, concrete

implementation guidelines, as well as artifacts to support the implementation of

resilience in IS, e.g. (Antunes and Mourão, 2011; Caralli et al., 2010).

A further research stream focuses on measurement issues of resilience in the IS

context. Wang et al. (2010) present a measure in the context of enterprise

information systems focusing on recoverability (Wang et al., 2010). They develop

57 Adapted from Butler and Gray (2006). [Figure 30 labels: Emergent systems composed of vulnerable components; Individual and Collective Mindfulness; Routines, Procedures, and Structures; Organizational Resilience]

a formula that calculates the weighted relation between request time and

completion time. A more advanced contribution with regard to measuring and

visualizing resilience is given by Zobel et al. in the context of disaster events and

cyber-attacks (Zobel and Khansa, 2012). Their approach captures multiple

dimensions of resilience as a function of the predicted amount of initial loss and

associated recovery time. Derived resilience curves provide further decision

support for appropriate selection of countermeasures.

4.4.2 Implications for IS research

Despite the wide spread of resilience across multiple disciplines, a number of

open research issues remain. These encompass conceptual and definitional

vagueness of resilience, a lack of empirical research and a lack of applicable

(organizational) solutions and IT-artifacts to bring resilience into action (Chapter

1 and Müller et al., 2013). Müller et al. articulate a research agenda on resilience

and resilience management comprising four research questions spanning

conceptual perspectives, research methods and prototypical implementations of a

resilience supporting information system. The first research question refers to the

divergent understanding and the need for construct clarity. The second research

question focuses on research challenges regarding the lack of empirical exploration

of resilience in IS research. The third research challenge addresses problems when

operationalizing and measuring resilience in the IS context. Finally, the fourth

research challenge focuses on guidelines, requirements, and approaches for resilient

IS design. While some of these challenges (challenge one and two in

particular) have been already addressed in the previous chapters of this thesis, the

subsequent section will focus on implications of resilience foundations for IS

design.

The foundations of IS resilience have a variety of implications for the design of

IS. Recent studies on resilience emphasize the integration of organizational and

technological views, as well as the integration of related, but usually disjointed

activities of IS security, business continuity and IT operations (Allen et al., 2011;

Caralli et al., 2010) as depicted in Figure 32.

Figure 31: Operational Resilience Management System58

As for other business information systems, the elicitation of requirements and

their system-wide enforcement are of utmost importance. At the technical level

resilience requirements are intricate to capture, as they merge the capability of

absorbing failures and unexpected situations (e.g. cushioning the ripple effect on

the advent of change) with detecting the continuous deterioration of systems

throughput (e.g. when running out of resources). While the former can be

somehow estimated at design-time, the latter requires a posteriori analysis and

intervention. Interestingly, current literature reviews on risk-aware BPM by

Jakoubi et al. (2009) or Suriadi et al. (2012) show that the vast majority of

contributions focus on design-time risk-management in BPM systems, while

approaches at run-time and the exploitation of process-related log files a posteriori

are largely neglected. Process-oriented resilience management might have the

potential to fill these gaps.

According to the CMU-CERT Resilience Management Model (Caralli et al.,

2010), an operational resilience requirement is defined as a constraint that an

organization places on the productive capability of assets to ensure viability when

charged into business processes. These requirements provide the foundation for

58 Adapted from Allen and Cebula (2011).

how to enhance the resilience of assets and related processes. They embody

organizational objectives, risk appetite and tolerance, critical success factors, and

operational constraints (Caralli et al., 2010). Moreover, Antunes and Mourão

(2011) propose fundamental requirements for resilient BPM: They support (i)

various levels of severity, ranging from simple failures of key resources to

catastrophic accidents; (ii) the coexistence of stable processes with unstable

changes in the operating environment; (iii) the dynamic construction and update

of situation awareness; (iv) assistance for knowledge representation and

management, a fundamental drive to decision-making (Fenz et al., 2013); (v)

flexible operations and unplanned tasks whenever necessary; (vi) the opportunity

to experiment with and learn from the novel, innovative and challenging situations

that emerge from hazards; and finally (vii) the transition from emergency to

normal operations.

Up to now, there are techniques and formal foundations (for instance Antunes and

Mourão, 2011; Caralli et al., 2010; Fenz et al., 2013) that can, when assembled,

provide for resilience mechanisms at the level of BPM. However, the current state

of the art does not offer corresponding mechanisms. Similarly, vendors of BPM

systems and workflow management systems have not yet focused their solutions

on resilience.

Based on a literature review, a resilience management cycle has been developed

for automated support for resilient BPM according to the well-established BPM

lifecycle. The cycle contains four phases adapted primarily from (Antunes and

Mourão, 2011), beginning with (i) Detection in order to identify failures, potential

weaknesses and exceptional process executions. (ii) The purpose of Diagnosis

and Evaluation is to collect and assess vulnerabilities, and consequently to

determine a set of intervention types. (iii) The next stage covers Treatment and

Recovery, including the actual selection and implementation of supportive actions

and automatic corrections. (iv) Finally, the phase of Escalation and

Institutionalization guarantees enrichment or revision of the current knowledge

base, and aims to establish and facilitate an organization-wide resilience culture.

Figure 32: Resilience Management Cycle

In accordance with the resilient management cycle (see above), it is natural to

focus on the detection stage first. The purpose of this phase is to collect, record,

and distribute information about the operational resilience of BPM on a timely

basis. Effective resilience detection provides essential information about

changes/deviations (Hollnagel et al., 2006; Meyer, 2013), such as hazard

occurrences and exceptional process executions, but also potential weaknesses

such as high utilization at the margin of resources' or processes' capacity. Data

collection, logging, and measurement are at the heart of resilience detection: they

address the organization's competencies for identifying, collecting, logging, and

disseminating information needed to ensure that operational resilience

management processes are performed consistently and within acceptable

tolerances (Caralli et al., 2010). This requires an effective measurement and

analysis process that transforms operational resilience objectives and requirements

into visible measures. Measures need to express the gap between intended

process-goals and actual process-goals.

Works on BPM re-engineering (Harrington, 1991), risk-aware (Balasubramanian

and Gupta, 2005), and resilient BPM in particular (Caralli et al., 2010), provide a

solid basis for measures for the attempted resilience detection service. However,

deriving meaningful measures for resilience detection requires the alignment with

organizational goals and missions (Caralli et al., 2010). As these objectives need

to be interpreted and aligned for a specific organization, the well-established

objective-driven approach suggested by Allen et al. (2011) seems promising. The

rationale behind it is to assure that resilient measures for extraction and detection

have a direct link with operational goals and therefore impact the resilience of

diverse organizational missions.

Another implication for resilient IS design arises with the concept of mindfulness,

an organization's capability to perceive cues, interpret them, and respond

appropriately (Butler and Gray, 2006; Koslowski et al., 2013a). Ongoing research

aims at elaborating the conception and implementation of intuitive user interfaces.

For instance, process resilience detectors as an a posteriori checking module could

complement and support established risk-aware BPM architectures. In contrast to

those approaches with emphasis on design-time analysis to calculate operational

risks based on (either subjective or historical) threat probabilities (focus on the

cause of events) (Suriadi et al., 2012), the a posteriori resilience approach will

focus on the business processes' interdependencies and potential to cascade, the

so-called ripple effect (Koslowski et al., 2013a; Hollnagel et al., 2006).

5 Process-centered Resilience Management

This chapter introduces “Process-Centered Resilience Detection“ (PREDEC), a

detective framework to assert the resilience of business process-based information

technology infrastructures. Besides a detailed description of the components and the

analysis of its requirements, the chapter introduces process-oriented resilience

measures (Section 5.3.2) and further elaborates underlying mechanisms (Section

5.3.3). It will turn out that time-behavior represents one crucial indicator for

process-resilience. Therefore, Section 5.4 will introduce an IT artifact as an

example of resilience management information systems (RMIS). This artifact

makes it possible to model the amount of resources required as a stochastic function and to

sum up the need for the whole business process, including its branches. Based on

a case study from the manufacturing sector, the performance, feasibility, and

effectiveness of the developed IT artifact will be evaluated. The chapter concludes

with a discussion of the findings and future research work.

The next section first provides some basics on business process management

(BPM). Subsequently, the increasing attention paid to

resilience management as a complementary approach to process-oriented security

and risk management is explained in detail. In that, the section provides a brief

overview of existing work on resilience in IS research with an emphasis on

resilient BPM.

5.1 Resilient BPM

Today, enterprise systems and information infrastructures increasingly build upon

processes. Generally speaking, processes are structured specifications of

personnel and business data usage that run (at least) semi-automated in a business

process management (BPM) system. Examples of systems building upon

processes can be found in very different domains and range from, e.g.,

organizations’ supply chains, banking backbone infrastructure to parts of critical

infrastructure such as smart grids or nuclear power plants (Vom Brocke and

Rosemann, 2010). Business process models are virtual representations, which

include organizational assets connected to multiple activities. The advantage of

process-orientation is the decoupling of infrastructure and organizational

workflows as a means to enhance enterprises’ overall performance and

effectiveness. A myriad of BPM definitions exist, most of which include

Workflow Management (see Section 4.3.1). In this thesis, a popular definition of

BPM given by (van der Aalst, 2004, p. 4) is used: “supporting business processes

using methods, techniques, and software to design, enact, control, and analyze

operational processes involving humans, applications, documents and other

sources of information”.

The BPM life cycle, depicted in Figure 33, describes the various phases in support

of operational business processes. According to (van der Aalst, 2004), in the

design phase, processes are (re)designed. In the configuration phase, designs are

implemented by configuring a process-aware information system (such as WFMS

introduced in Chapter 4). Afterwards, the enactment phase starts where the

operational business processes are executed using the system configuration. In the

diagnosis phase, the operational processes are analyzed to identify weaknesses

and problems for the purpose of an ongoing optimization.

Existing approaches of BPM mainly assume stable, predictable and isolated

process types. This is sometimes in contrast to the business reality, as large

organizations often have hundreds or more processes in place (Houy et al., 2011),

and increasingly invest in the new opportunities of ubiquitous computing and “big

data” (McAfee and Brynjolfsson, 2012). Against this backdrop, more complex

modeling and exploratory analytical techniques such as Process Mining (Accorsi

and Stocker, 2012; van der Aalst and Weijters, 2004) seem to be promising

developments for identifying and designing business processes more resiliently.

Figure 33. BPM Life Cycle59

As previously described in Chapter 4, the increasing reliance on IS such as BPM

brought up an urgent need to ensure continuous business operations despite a

multitude of risks. For instance, a comprehensive arsenal of so-called risk-aware

BPM-approaches has been constantly evolving for years (Jakoubi et al., 2009;

Suriadi et al., 2012). While conventional approaches of risk or security

management have provided valuable support for risk prevention and mitigation in

relatively stable operational environments, they may fall short of addressing new

emerging risks such as unforeseeable disruptions with the potential to cascade

(Caralli et al., 2010). Against this backdrop, the concept of resilience has recently

attracted IS scholars’ attention as a way to move beyond risk control and

survival and even prosper in the face of challenging conditions (Caralli et al.,

2010; Antunes and Mourão, 2011; Müller et al., 2013). Interestingly, the current

state of the art at the intersection of BPM and resilience approaches the high-level

design of resilient information systems (Antunes and Mourão, 2011), the

satisfiability of workflows (Basin et al., 2012; Wang and Li, 2010), change

59 Adapted from van der Aalst (2004).

propagation (Fdhila et al., 2012) and incident response (Freiling and Schwittay,

2007) (cf. also Chapter 4). However, there are no approaches and technical

frameworks that put processes in a “resilience loop” which also encompasses

adaption (cf. Section 4.3.2 ff.).

According to the BPM lifecycle, the analysis of processes can take place at design

time (a priori), at runtime and offline (a posteriori) (Accorsi, 2013), as depicted in

Figure 33. While the first two points of time allow for preventive mechanisms to

avoid violations, a posteriori methods based on the analysis of event logs are

detective. Casting them into the context of resilience, preventive methods are in

place to allow for robustness (resistance against incidents) whereas detective

approaches serve as an input for business process redesign and, if in large scale,

re-engineering.

However, extensive literature review in the field of risk-aware BPM reveals that

current approaches focus on the design-time phase, while concepts and artifacts

with focus on runtime and offline analysis are rare (Jakoubi et al., 2009; Suriadi et

al., 2012). As stated by van der Aalst (2004), the focus of prevailing WFMS is on

these latter phases of the BPM life cycle. So in order to take full advantage of

WFMS by means of automated collection and interpretation of real-time data,

organizations need new tools and models at hand such as business activity

monitoring (Jakoubi et al., 2009; van der Aalst, 2004) to finally detect the

resilience of current processes. Concretely, in the context of resilience

management, the ultimate goal of PREDEC is to enable organizations to

automatically identify and assess the interdependence of assets and processes. In

order to extract the interdependencies PREDEC employs process mining

techniques developed by (Accorsi, 2013; van der Aalst, 2011). In the future, it is

also planned to employ techniques as developed by, e.g., (Reijers et al., 2005) to

elicit sociometric data from event logs in order to build social networks of the

subjects involved in process executions. In that, it is aimed at augmenting the

assessment of interdependence of assets and processes with a social network

perspective.

The next section describes the research context and design. Furthermore, the

increasing attention paid to resilience management as a complementary approach

to process-oriented security and risk management is explained in detail. In that,

the chapter provides a brief overview of existing work on resilience in IS research

with an emphasis on resilient BPM. By screening prior research, we see that there

is a lack of research on (semi-automatic) BPM resilience tools (Section 5.2).

5.2 Research context and design

In accordance with the resilient management cycle (cf. Figure 1 in Chapter 1.2), it

is natural to focus on the detection stage first. Hence, in order to detect operational

resilience, the goal is to automatically identify failures (which cause a loss of acceptable

service; Meyer, 2013), exceptional process executions (Hollnagel et al., 2006), and

potential weaknesses (such as interdependencies and bottlenecks; Yen, 2009;

Weick and Sutcliffe, 2007) by means of forensic techniques.

Before describing the PREDEC framework and its modules, the subsequent sections

will first review current research and identify several research gaps to formulate

the research agenda.

5.2.1 Status quo and shortcomings

The majority of recent work on IS resilience and related research remains on a

pure conceptual level. For example, a recent literature review on IS resilience has

been carried out by (Müller et al., 2013), proposing an IS research agenda on

resilience and resilience management. Through a comprehensive collection and

evaluation of relevant literature, the authors identified and consolidated a myriad

of limitations and research gaps: Resilience is rarely acknowledged in theoretical

discussions of IS domains, which results in a lack of understanding of

antecedents, principles and outcomes of IS resilience. The current state of art is

dominated by conceptual or anecdotal contributions. This results not only in a

lack of empirical work to validate IS resilience, but also in the lack of systematic

resilience requirements for either IS design or methodological approaches.

Moreover, current attempts to operationalize IS resilience are still at a very

immature stage and impede both empirical evaluation of current research work as

well as the actual implementation and validation of techniques and IS artifacts to

make resilience operational. Finally, the paper discusses the integration of

resilience and BPM (Müller et al., 2013): Although the management of risks in

BPM has been well recognized in the past few years, the link between resilience

and BPM is largely neglected so far, leading to an absence of frameworks and

approaches.

Interestingly, current literature reviews on so-called risk-aware BPM by Jakoubi

et al. (2009) or Suriadi et al. (2012) show that the vast majority of contributions

concentrate on design-time risk-management in BPM systems, while approaches

at run-time and the exploitation of process-related log files a posteriori are largely

neglected. But as highlighted in the previous section, operational resilience

focuses on run-time and a posteriori analytics in order to manage consequences of

risks, as also illustrated in Figure 34.

Figure 34. Relation between Operational Risks and BPM60

Recent frameworks for resilient BPM such as Antunes and Mourão (2011) tend

to state very abstract implementation suggestions. For example, Antunes and

Mourão (2011) and Caralli et al. (2010) provide a set of fundamental

requirements for supporting resilient BPM. While these works capture basic

requirements for resilient IS design, they lack empirical validation, concrete

implementation guidelines, as well as artifacts to support the implementation of

resilience in IS. Thus, concrete measures are mostly missing, leading to inefficient

or even misleading resilience strategies. Effective and cost-efficient tools that

could be used for the (semi-)automated detection of BPM resilience are missing.

Moreover, existing methods provide decision makers with limited intuitive

support-tools at high personnel costs; they fail to assist them in enhancing and

60 From Koslowski and Zimmermann (2013, p. 180).

maintaining resilience of BPM. Furthermore, monitoring and measuring how

closely a system is operating relative to its performance margins to improve its

ability to detect unexpected events before they emerge and building capacities for

recovering rather than eliminating errors and unexpected events is crucial for the

success of organizations in turbulent environments (Weick and Sutcliffe, 2001).

5.2.2 Research questions and objectives

This chapter seeks to address these essential, yet open, issues by providing a

new approach to supporting decision makers in automatically detecting the

occurrence of hazards, and therefore addressing the sensitivity and resilience of

information infrastructures.

RQ1: Requirements for Detection of Resilience Measures in Event Log Data:

What are fundamental requirements for resilient BPM? How can they be

translated into measures in order to provide decision makers with a resilience

detection service based on analysis of event logs?

RQ2: Assessing Suitability of Process Mining Techniques for Resilience

Detection: How can event logs be used to detect hazards’ occurrence and

resilience levels of business processes and associated resources and activities?

RQ3: (Semi-) Automated Resilience Detection: What and how much log-data has

to be depicted for resilience detection and how must the data be displayed to

decision makers in order to support them in making better decisions according to

their corporate requirements?

In order to answer these research questions, the chapter makes the following

contributions. It aims at:

• Combining and systematizing the related but still disconnected fields of IS resilience and process-orientation. The developed BPM resilience cycle corresponds with the BPM lifecycle and proposes how to build and enhance resilient BPM.

• Providing event log specifications to enable process-centric resilience detection. The requirements and measures developed serve as basis for eliciting and subsequently assessing structural characteristics of information infrastructures.

• Making a major step beyond the state of the art by introducing a methodology that allows for a (semi-)automated conformance check based on resilient BPM principles.

• Providing decision makers with a comprehensive methodology for analyzing and diagnosing the resilience of information infrastructures and thereby generating meaningful insights and evidences in an intuitive and economic manner.

• Rendering the tedious work of manually combining the knowledge from best practice guidelines with the actual infrastructure obsolete.

• Enabling the objective detection of vulnerabilities on executed processes instead of intended process models.

• Setting the ground for subsequent phases on the BPM resilience cycle, such as diagnosis and evaluation, treatment and recovery, as well as escalation and institutionalization.

In the following, PREDEC as a process-oriented framework for information

infrastructure resilience is introduced.

5.3 PREDEC framework

The PREDEC framework constitutes a process-oriented and a posteriori approach

to determining information infrastructure resilience. As depicted in Figure 35,

BPM systems’ event logs form the foundation of process resilience detection with

PREDEC. On these event logs, elicitation techniques building upon, e.g., process

mining (Accorsi et al., 2012) or complex event processing (Etzion, 2009) are

applicable in order to elicit processes’ control and information flow data as well

as sociometric data. These techniques allow for elicitation of control flows, i.e.,

process models (van der Aalst, 2011), data flows, i.e., the indirect flows of

information between actors in a process (Accorsi and Lehmann, 2012) and

sociometric data, i.e., social structures of subjects performing processes’ activities

(Reijers et al., 2005). Based on resilience-oriented analysis of this information,

insight can be gained into the resilience of an organization’s interdependent

processes.

Figure 35: Overview of the PREDEC framework61

The next section examines PREDEC’s components and analyzes

the requirements they must meet in order to effectively and precisely provide for

resilience detection.

5.3.1 Event logs and elicitation techniques

The requirements for event logs concern their structure (i.e. what to log),

quality (i.e. how well to log) and their integrity (i.e. how to log). The following

addresses these requirements accordingly and indicates the corresponding

mechanisms necessary to achieve a sufficient level of assurance for PREDEC.

Figure 36 depicts the minimal set of fields to be logged per entry in order to provide a basis for elicitation. Each event in the business process management system corresponds to an activity of a business process triggered during its run. Hence, the CaseID records the business process run in which an Activity has taken place. The timestamp captures the StartPoint and the Endpoint of an activity. The organizational perspective is captured by the Originator of the activity (subject or role that triggers the event) and its OrganizationalUnit. Finally, the data perspective records the Input and the Output fields of the particular activity. Of course, for the latter, only the type of data serving as input (or produced as output) is recorded; the actual fields are not recorded. Although this information altogether amounts to only a few fields, it is sufficient to feed powerful elicitation mechanisms based upon, e.g., process mining (Accorsi et al., 2012) or complex event processing (Etzion, 2009). Hence, this provides a sufficient basis for PREDEC.

61 From Koslowski and Zimmermann (2013).

[Figure content: Logfile Data, grouped as Time (Start-point, End-point), Activity (Name, Type), Organization (Who, Where) and Data (Input, Output)]

Figure 36: Log entry structure

As for the quality, van der Aalst provides five maturity levels for event logs, ranging from worst (Level 1) to best (Level 5) (van der Aalst, 2011). PREDEC requires logs of at least Level 3, which encompass, e.g., tables in ERP systems, event logs in CRM systems and transaction logs of DBM systems. This is because, at this level, information can be correlated and organized in a way that allows the compilation of logs exhibiting the structure in Figure 36. Logs exhibiting a higher maturity level are already recorded using this structure (Level 4) or are grounded upon semantic annotations and ontologies explaining the meaning of each activity in the enterprise context.

Turning to integrity: to provide a reliable log basis for detection, the events must faithfully record the activity of the system. In particular, it should be impossible for, say, an attacker to hide their traces or manipulate the logs so that false-positives (detection of resilience-relevant incidents that did not happen) and false-negatives (overlooking resilience-relevant incidents) arise. To achieve this, secure logging mechanisms (Accorsi) must be in place to provide (a) tamper evidence and, in some situations, (b) confidentiality of event logs.
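The tamper-evidence requirement can be illustrated with a keyed hash chain over log entries that carry the fields of Figure 36. This is an added example, not the secure logging mechanism cited above and not code from the thesis; the chaining scheme, the key handling, the function names and the sample entries are assumptions, and confidentiality (requirement b) is not covered.

```python
import hashlib
import hmac
import json

# Fields of one log entry, as listed in the text above (Figure 36).
FIELDS = ("CaseID", "Activity", "StartPoint", "EndPoint",
          "Originator", "OrganizationalUnit", "Input", "Output")
GENESIS = b"\x00" * 32  # assumed anchor value preceding the first entry


def canonical(entry):
    """Serialize an entry deterministically; reject incomplete entries."""
    missing = [f for f in FIELDS if f not in entry]
    if missing:
        raise ValueError(f"entry lacks required fields: {missing}")
    return json.dumps({f: entry[f] for f in FIELDS}, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def append_entry(chain, entry, key):
    """Append an entry whose tag covers the entry and the previous tag."""
    prev = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    tag = hmac.new(key, prev + canonical(entry), hashlib.sha256).hexdigest()
    chain.append({"entry": dict(entry), "tag": tag})
    return tag


def verify_chain(chain, key, expected_length=None):
    """Return the index where verification first fails, or -1 if intact.

    A chain cannot reveal that its tail was cut off, so the verifier may
    pass the entry count it recorded out of band; a mismatch is reported
    as index len(chain).
    """
    prev = GENESIS
    for index, record in enumerate(chain):
        try:
            good = hmac.new(key, prev + canonical(record["entry"]),
                            hashlib.sha256).hexdigest()
        except ValueError:  # a required field was removed
            return index
        if not hmac.compare_digest(good, record["tag"]):
            return index
        prev = bytes.fromhex(good)
    if expected_length is not None and len(chain) != expected_length:
        return len(chain)
    return -1


def sample_chain(key):
    """Constructed sample entries for the loan application process."""
    entries = [
        {"CaseID": "loan-001", "Activity": "assess eligibility",
         "StartPoint": "2014-03-03T09:00", "EndPoint": "2014-03-03T10:00",
         "Originator": "clerk_a", "OrganizationalUnit": "credit",
         "Input": ["credit_record", "applicant_form"], "Output": ["decision"]},
        {"CaseID": "loan-001", "Activity": "inform applicant",
         "StartPoint": "2014-03-03T10:30", "EndPoint": "2014-03-03T10:45",
         "Originator": "clerk_b", "OrganizationalUnit": "service",
         "Input": ["decision"], "Output": ["notification"]},
        {"CaseID": "loan-002", "Activity": "assess eligibility",
         "StartPoint": "2014-03-03T09:15", "EndPoint": "2014-03-03T11:15",
         "Originator": "clerk_a", "OrganizationalUnit": "credit",
         "Input": ["credit_record", "applicant_form"], "Output": ["decision"]},
    ]
    chain = []
    for entry in entries:
        append_entry(chain, entry, key)
    return chain
```

Anyone holding the MAC key can recompute the whole chain, so in practice the key is kept away from the logging host or evolved after each entry; that part is outside this sketch.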

While the requirements for event logs regarding elicitation of control and data

flow are well examined, requirements for event logs regarding elicitation of

sociometric data have become subject to research only recently. In order to elicit

sociometric data, i.e., social network graphs, from event logs, these event logs

must reflect relations between subjects executing processes’ activities. As shown

by (Reijers et al., 2005), elicitation of these relations from event logs structured as

described above is feasible. Hence, provided event logs meet the requirements

stated above, they provide a sufficient basis for elicitation of sociometric data for

PREDEC.

Elicitation techniques. The elicitation techniques envisaged for the realization of

the PREDEC framework build upon process mining (Accorsi et al., 2012),

(Reijers et al., 2005). In particular, when using these techniques, there is a trade-

off between the following quality criteria (van der Aalst, 2011) (see (Accorsi et

al., 2013) for details):

• Fitness: the elicited structures (e.g. process model or social network graph) should allow for the behavior seen in the event log.

• Precision: the elicited structures should not allow for behavior completely unrelated to what was seen in the event log.

• Generalization: the elicited structures should generalize the example behavior seen in the event log.

• Simplicity: the elicited structures should be as simple as possible.

Technical approaches for the PREDEC framework must seek a balance between good fitness and precision, thereby minimizing the number of false-positives and false-negatives arising from measurement errors. A structure having good fitness is able to replay most of the traces in the event log. Precision is related to the notion of underfitting in data mining: a structure having poor precision is underfitting (i.e. it allows for behavior that is very different from what is in the log). Tackling this trade-off is one of the key challenges in process mining.

5.3.2 Resilience Measures

Measuring resilience is crucial, since metrics and indicators provide the information that allows for better decision-making (Erol et al., 2010a), learning, and performance improvement (Hollnagel et al., 2006). The development of a process-centered measurement approach primarily addresses the detection and assessment stage of the resilience management cycle. That means that, by deriving appropriate measures, it is possible to identify failures, potential weaknesses and exceptional process executions. Consequently, measures not only express current process gaps but also allow the simulation of impacts of proposed changes (Allen and Davis, 2010). As PREDEC’s overarching goal is to enable organizations to automatically identify and assess the interdependence of assets and processes, one objective of PREDEC is to conceptualize a process-centered measurement framework which satisfies information needs by collecting and systemizing quantifiable metrics and indicators based on the ex-post analysis of event logs. It is intended to serve as the foundation for the design of a detective resilience measurement system.

Measures are differentiated into metrics, which quantify an attribute of a process or a resource, and indicators, which point towards characteristics that are not directly measurable (Allen and Davis, 2010). On the basis of these measures, vulnerabilities can be collected and assessed in a second step, which eventually results in the determination of intervention types (Koslowski and Zimmermann, 2013). BPM along with risk and security should be treated in a more integrated manner (Jakoubi et al., 2009). We need a solid idea of resilience measurement issues for detecting and assessing business process attributes as well as for deriving valid implications. By providing objective results, one is able to make informed decisions and take appropriate corrective actions (Allen and Davis, 2010).

5.3.2.1 Existing Measurement Approaches

Currently, organizations still lack reliable means for measuring resilience based on their business processes. Largely unaddressed are questions about how organizations achieve operational goals despite challenging conditions and disruptions. As a result, a number of current research gaps still exist, leading to the following sub-research questions:

1) Regarding existing measurement approaches for resilient BPM: Which approaches exist and which properties of resilience do they address? Do current approaches provide a holistic approach towards process-centered resilience measurement?

The shortcomings of existing works further raise questions regarding the suitability of employed metrics for resilience detection. This logically leads to the question:

2) Regarding the conceptualization and requirements of resilience measures:

How can fundamental requirements of resilient BPM be categorized and

transformed into concrete measures?

Several authors contribute to measurement issues of resilience in the IS context (for an overview see Table 9). The review of existing measurement approaches shows that current measures primarily consider high-level resilience features and are not focused on the processes of BPM systems.

Although these works provide comprehensive insights on design features for

distributed IT architectures, they say little about what decision-makers and

organizations actually must do to meet mission goals despite challenges and

consequently to achieve organizational resilience. Decision-makers have to

choose which attributes are most suitable to align with the organization’s strategic

objectives and critical success factors. Accordingly, resilience objectives deliver

the foundation for targeted resilience measurement. But the presented approaches

generally lack well-defined objectives for developing measures. Furthermore,

dynamic aspects and emergence of processes are still poorly considered in

resilience measurement approaches.

Table 9: Overview of existing Measurement Attempts

Attempt | Source

State Space: Measure in the context of networks focusing on vulnerability. Two dimensions a network can be viewed as: Operational State and Service Parameters. Resilience evaluated as range of operational conditions for which the service level stays in an acceptable range. | (Sterbenz et al., 2010)

Recovery Time & Performance Level: Approach considering the adaptive capacity of a system based on recovery time after an adverse event and the corresponding level of recovery. Recovery time and level of recovery may be used as indicators for resilience. | (Erol et al., 2010a)

Resilience Triangle: Measure in the context of disaster events and cyber-attacks. Multi-event resilience based on the predicted amount of initial loss and recovery time. Assesses the vulnerability and capability to adapt when disruptions occur. Besides, derived resilience curves provide additional decision support for appropriate selection of countermeasures. | (Bruneau et al., 2003)

Business Continuity Analysis: Authors intend to be able to estimate the business impact of potential threats. Therefore they identify critical resources and interdependencies to address the availability of processes and related services. Many or severe abnormalities in comparison to normal process performance level characterize low organizational resilience. | (Winkler et al., 2012)

Value Tree: Based on a checklist of organizational and technical objectives, assessment how organizations perform on attributes of resilience management. A value tree divides the overall resilience objective into sub-objectives in terms of technological and operational resilience and their respective performance measures. | (Stolker et al., 2008)

Nevertheless, they provide a solid foundation for further evaluation: In the future,

PREDEC intends to recognize aspects of (Winkler et al., 2012), for instance the

incorporation of financial impacts of outage times as well as a deep analysis of

resource-interdependencies. Additionally, the “Value Tree”-approach by (Stolker

et al., 2008) entails a subjective goal-formulation and covers a set of structural

resilience properties. However, none of the approaches offers a holistic method

for resilient BPM. PREDEC aims to bring together those promising pieces in our

resilience measurement framework.

5.3.2.2 Measurement framework

The components of the envisaged process-centered resilience measurement framework and their relationships are depicted in Figure 37. The framework provides the conceptual foundation of the measurement system.


Figure 37: Resilience Measurement Framework

Throughout this sub-section, the process of a loan application is used as an

example to provide a concrete practice-oriented implementation (depicted in

Figure 38).

Figure 38: Example Loan Application Process

Single instances of the process start when a loan application is received. In this

simple case, the process consists of only two activities: (i) The process participant

assesses the eligibility of the process applicant (check credit history, check

personal background etc.). (ii) The applicant is informed whether the loan is

granted or not. The process instance ends after the two activities are completed.

Basic Metrics and Log Files. BPM systems’ event logs serve as input for the calculation of process-centered measures (either simple metrics or indicators). These logs have to meet certain requirements to provide the needed information for resilience-oriented analysis. The lower part of Figure 37 shows which fields must be logged in order to define resilience metrics and indicators. The activity field records which activity of a business process is captured by the log. In the loan application process this could be either the “assess eligibility” or the “inform applicant” activity. For now, attention is given to the eligibility assessment. It is crucial to know when an activity took place. For this reason, the Start- and End-Point of an activity is captured by the timestamp. It contains information about the point in time at which a process participant starts (and finishes) working on the eligibility assessment. The organization field determines who (subject or role) triggers an event, and where (organizational unit) inside an organization the event is triggered. It may be a clerk, or a software application used to process applicant-specific data, associated with the credit department of a bank. Finally, the data perspective is a technical requirement and records which data serves as input or is produced as output of the respective activity (Koslowski and Zimmermann, 2013). Potential input data are credit records and forms containing information about the personal background of an applicant. Output data includes a statement whether the particular loan application was accepted or rejected and serves as input data for the “inform applicant” activity.

With this information, it is possible to derive meaningful basic metrics from the

event logs. A basic metric is the quantification of a directly observable attribute of

a resource or a process. It is “functionally independent of any other measures and

defined by fundamental units that are not composed of any other units” (Allen and

Davis, 2010). Typical basic measures are numbers of an entity or a measure of a

time period. Basic metrics will be used as input for derived metrics introduced in

the next subsection. Examples for basic metrics are: number of roles in a process;

number of activities in a process; or the total time from start-point to end-point of

a process (compare Table 10). The simplified loan application process consists of

two activities and as many events. Well-established resilience measurements have

been derived by expert interviews and literature review. These measurements are

organized in accordance with the categorization in the following.

Resilience Objectives and Derived Metrics. Deriving basic metrics from log files allows for the definition of process-centered resilience measurements (both metrics and indicators). At that point, a set of measurements to identify failures and exceptional process executions is available, but it must be related to the unique characteristics of the individual organization to build a foundation for addressing the challenge of Detection. For this reason, an objective-driven approach based on the Goal Question Metric (GQM) is used, which is already well-established in IS research (Basili et al., 1994; Travassos et al., 2006) and resilient BPM (Caralli et al., 2010). In order to measure resilience in a purposeful way, an organization must first specify goals that correspond to its needs, put these goals into meaningful data and, in a last step, analyze to which extent the goals are achieved. The result of the application of the GQM is a hierarchical measurement system with three levels of abstraction: (1) Conceptual Level (Goal); (2) Operational Level (Question); and (3) Quantitative Level (Measure). The conceptual level defines goals for the objects of interest, whereby objects can be resources or even whole processes. A set of questions characterizes how the assessment of a specific goal is performed on the operational level. The quantitative level associates measures with the questions with the intent to answer them. The resulting GQM model can be composed of several goals, multiple questions per goal and a set of measures addressing the questions (Melcher, 2012). Using this top-down approach ensures that the required data and analysis are adequate and prevents unreasonable data collection in which much of the data is never used or analyzed. Furthermore, measurement is costly; organizations should therefore be cautious in selecting measures for economic reasons (Allen and Curtis, 2011).

An objective-driven approach allows us to constitute purposeful derived metrics, which are mathematical functions combining two or more basic/derived metrics and indicators. Those derived metrics and indicators are directly related to resilience objectives. A selection includes: resource utilization rate; number of unique activities, joins, splits, and other control flow elements. Table 10 provides a short overview of some indicators and metrics, their definition and respective type. Different susceptibility values are evaluated (quantitatively or qualitatively) applying the two types of metrics.

Table 10: Examples of (BPM) Resilience Measures

Criteria & Definition | Type: (B)asic, (D)erived | Type: (S)tructure, (B)ehavior | Source

Roles: Number of roles in a process | B | S | (Allen et al., 2011)

Transitions: Number of transitions in a process | B | S | (Allen et al., 2011)

Events: Number of events in a process | B | S | (Allen et al., 2011)

Activities: Number of activities in a process | B | S | (Cardoso et al., 2006)

Diameter: Length of the longest path from start node to end node | B | S | (Cardoso et al., 2006)

Process Interrelationship: Interfaces with other processes | D | S | (Balasubramanian and Gupta, 2005)

Organizational Interfaces: Interaction between internal departments | D | S | (Balasubramanian and Gupta, 2005)

Coupling: Relationships of the elements within a module | D | S | (Vanderfeesten et al., 2008)

Bottlenecks: An activity with lower capacity determines process capacity | D | S | (Yen, 2009)

Throughput: Number of transactions and requests which could be processed simultaneously | D | B | (Balasubramanian and Gupta, 2005)

Resource Utilization Rate: Percentage of actually used capacity of a process | D | B | (Yen, 2009)

Timeliness: Punctuality of interim outputs for a following process activity | D | B | (Balasubramanian and Gupta, 2005)

Working Time: Cumulated time of all operative process activities (without waiting time) | D | B | (Yen, 2009)

Lay Time: Time in which a process stagnates and no handling is possible | D | B | (Harrington, 1991)

Referring to the example, one concrete resilience-objective on the conceptual

level is to ensure the continuity of operations if a fraction of the computing

capacity used for the processing of loan applications becomes unavailable.

Possible questions for the assessment of this issue on the operational level and

their corresponding measures are:

• How much available computing capacity was used by the process over the last two years?

The computing capacity actually used for the processing of loan applications is expressed by the “Resource Utilization Rate”. It can be used to identify process runs in which the utilization rate of computing capacity was above a certain threshold beyond which continuity of operations is hampered.

• To what extent was the process output used as input for another process?

The (not explicitly modeled) payout process for granted loan applications relies

on input data from the loan application process. Those interfaces with other

processes are measured in terms of “Process Interrelationships”.

Metrics and indicators are further categorized regarding the aspect whether they

address either the structure or the dynamic behavior of the process. A literature

survey carried out by (González et al., 2010) applies a similar categorization of

measures, based on the distinction between the business model design and the

actual execution of the business process. But in contrast to (González et al.,

2010), we intend to incorporate both structural and dynamic metrics into

one measurement system to form an assessment of vulnerabilities. In this context,

structure means that the measurement relates to basically static properties of

business processes. The structure may also strongly influence the process

performance, and, thus, the dynamic behavior of processes (Tjaden, 1999). One

example of a pure structural measure is “Diameter”, which quantifies the length of

the longest path from start node to an end node or “Density”, the ratio of the total

number of arcs (transitions) to the maximum number of arcs in the longest path.

Behavior measures address observed interactions between resources and activities associated with the process. The behavior of the considered process over time plays an important role in determining its dynamic evolution, with the goal of evaluating how well the process is executed. This dynamic behavior of a process is hard to determine by only analyzing its static structure. Side effects or dependencies between activities and needed resources have a big impact on the workflow’s behavior and may easily be overlooked. Therefore, an estimation of the time response is only possible after consecutive runs of the same process and additional statistical computation. This estimation cannot be done only by analyzing the structure of the process, as a simulation lacks critical knowledge on the individual activities. After observing the overall behavior of the process, an estimation of the runtime of each single activity can be obtained, which again gives further possibilities to quantify the workflow’s resilience. For example, critical paths can be extracted or the most probable run time can be computed. PREDEC aims to integrate such measures into our approach, because they are crucial factors influencing business process resilience (Antunes and Mourão, 2011).

Once a set of measures from the measurement system has been linked to organizational resilience objectives, the desired goals and outcomes of the process will be stated. The success in reaching those goals/outcomes is subsequently measured (automatically). To do so, it is important to define operational resilience levels. Following (Sterbenz et al., 2010), the service levels in particular are acceptable, impaired and unacceptable, which describe how well the process is executed. Those levels may be further refined if needed. Resilience is then specified as the range of operation conditions for which the service level stays in the acceptable range. Operational resilience may be compromised by failures (loss of acceptable service) (Meyer, 2013), exceptional process executions (Hollnagel et al., 2006) and potential weaknesses (interdependencies and bottlenecks) (Weick and Sutcliffe, 2007).
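The basic metrics, the time-based derived metrics of Table 10 and the three service levels described above can be computed directly from an event log with the minimal field set. The following is an added example, not code from the thesis: the sample log is constructed, and three points are assumptions made here, namely that lay time is read as the idle gaps between activities of a case, that handover of work between originators serves as the sociometric relation, and that the cycle-time thresholds for the service levels are 240 and 480 minutes.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data): three runs of the loan application
# process. Columns: CaseID, Activity, StartPoint, EndPoint, Originator,
# OrganizationalUnit.
LOG = [
    ("c1", "assess eligibility", "2014-03-03T09:00", "2014-03-03T10:00", "clerk_a", "credit"),
    ("c1", "inform applicant", "2014-03-03T10:30", "2014-03-03T10:45", "clerk_b", "service"),
    ("c2", "assess eligibility", "2014-03-03T09:15", "2014-03-03T11:15", "clerk_a", "credit"),
    ("c2", "inform applicant", "2014-03-03T15:15", "2014-03-03T15:30", "clerk_b", "service"),
    ("c3", "assess eligibility", "2014-03-04T09:00", "2014-03-04T10:00", "scoring_app", "credit"),
    ("c3", "inform applicant", "2014-03-05T10:00", "2014-03-05T10:15", "clerk_b", "service"),
]


def traces(log):
    """Group events by CaseID; each case is ordered by StartPoint."""
    cases = defaultdict(list)
    for case_id, activity, start, end, who, _unit in log:
        cases[case_id].append((datetime.fromisoformat(start),
                               datetime.fromisoformat(end), activity, who))
    return {case_id: sorted(events) for case_id, events in cases.items()}


def basic_metrics(log):
    """Basic structural metrics: roles, activities, events, transitions."""
    transitions = {(a[2], b[2]) for events in traces(log).values()
                   for a, b in zip(events, events[1:])}
    return {"roles": len({e[4] for e in log}),
            "activities": len({e[1] for e in log}),
            "events": len(log),
            "transitions": len(transitions)}


def time_metrics(events):
    """Working, lay and cycle time of one case, in minutes."""
    working = sum((end - start).total_seconds() for start, end, _, _ in events)
    lay, busy_until = 0.0, events[0][1]
    for start, end, _, _ in events[1:]:
        if start > busy_until:          # nobody handled the case in between
            lay += (start - busy_until).total_seconds()
        busy_until = max(busy_until, end)   # tolerate overlapping activities
    cycle = (busy_until - events[0][0]).total_seconds()
    return {"working": working / 60, "lay": lay / 60, "cycle": cycle / 60}


def handover_of_work(log):
    """Count how often work passes from one originator to another."""
    edges = Counter()
    for events in traces(log).values():
        for a, b in zip(events, events[1:]):
            if a[3] != b[3]:
                edges[(a[3], b[3])] += 1
    return edges


def service_level(cycle_minutes, acceptable=240, impaired=480):
    """Map a cycle time to a service level (thresholds are assumptions)."""
    if cycle_minutes <= acceptable:
        return "acceptable"
    if cycle_minutes <= impaired:
        return "impaired"
    return "unacceptable"


def assess(log):
    """Service level of every case in the log."""
    return {case_id: service_level(time_metrics(events)["cycle"])
            for case_id, events in traces(log).items()}
```

In the sample, all three cases need similar working time; it is the lay time that moves cases c2 and c3 out of the acceptable range, which a purely structural metric would not show.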

The information gathered through the Detection of resilience and respective

vulnerabilities provides input for the subsequent stages of the resilience

management cycle: In the phase of Diagnosis and Evaluation, these

vulnerabilities influencing operational resilience requirements are to be collected

and assessed in terms of traditional security objectives such as confidentiality and

availability as well as economic factors such as costs and utilities (Dumas et al.,

2013; Basili et al., 1994).

5.3.3 Analysis techniques

Automated calculation of resilience measures based on event logs requires appropriate analysis techniques to be applied to the structures elicited from the event logs.

Process mining provides a basis upon which control flow and data flow

information can be gained from the log files. Specifically, processes can be

reconstructed using process discovery techniques. These techniques reconstruct

the control flow, i.e., the structure of the process, possibly extracting time

information regarding the duration of tasks. Process discovery approaches usually

build a Petri net model of the process. These approaches can be classified as

(Accorsi et al., 2013):

• Abstraction-based algorithms. These algorithms construct a model based on ordering relations (preceding/succeeding) amongst process activities.

• Heuristic-based algorithms. In contrast to abstraction-based algorithms, heuristic methods additionally consider the frequency of ordering relations. This allows the discovery of models that describe the most common behavior recorded in an event log.

• Search-based algorithms. Abstracting from local properties like ordering relations, genetic algorithms mimic the process of evolution.

• Region-based algorithms. Based on a behavioral process specification (language or state-space), the aim of this group of algorithms is to construct a Petri net with corresponding behavior.
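The difference between the first two classes shows up as soon as a log contains a single deviating trace. The following added example (not code from the thesis or from any mining tool) derives the ordering relations an abstraction-based algorithm works with and, next to them, the frequency-based dependency measure commonly used by heuristic miners, (|a>b| - |b>a|) / (|a>b| + |b>a| + 1). The traces, which refine the eligibility assessment into two parallel checks, are constructed, and the threshold of 0.8 is an assumption.

```python
from collections import Counter
from itertools import product

# Constructed log: activity sequences with the number of cases showing them.
# The credit and background checks run in parallel; the last trace is a
# single deviating execution in which "inform" was logged before "credit".
TRACES = [
    (("receive", "credit", "background", "inform"), 40),
    (("receive", "background", "credit", "inform"), 35),
    (("receive", "background", "inform", "credit"), 1),
]


def directly_follows(traces):
    """Count how often activity y directly follows activity x."""
    df = Counter()
    for trace, freq in traces:
        for x, y in zip(trace, trace[1:]):
            df[(x, y)] += freq
    return df


def footprint(traces):
    """Ordering relations without frequencies (abstraction-based view).

    "->" x is followed by y but never the reverse, "<-" the reverse,
    "||" both orders were observed, "#" the two never follow each other.
    """
    df = directly_follows(traces)
    activities = sorted({a for trace, _ in traces for a in trace})
    relations = {}
    for x, y in product(activities, repeat=2):
        forward, backward = df[(x, y)] > 0, df[(y, x)] > 0
        if forward and backward:
            relations[(x, y)] = "||"
        elif forward:
            relations[(x, y)] = "->"
        elif backward:
            relations[(x, y)] = "<-"
        else:
            relations[(x, y)] = "#"
    return relations


def dependency(df, x, y):
    """Frequency-based dependency of y on x, in the open interval (-1, 1)."""
    return (df[(x, y)] - df[(y, x)]) / (df[(x, y)] + df[(y, x)] + 1)


def dependency_graph(traces, threshold=0.8):
    """Edges whose dependency measure reaches the threshold (heuristic view).

    Self-loops are left out; heuristic miners treat them with a separate
    measure that is not part of this example.
    """
    df = directly_follows(traces)
    return {(x, y) for (x, y) in df
            if x != y and dependency(df, x, y) >= threshold}
```

On this log the footprint marks "credit" and "inform" as parallel because of the one deviating case, while the dependency graph keeps the edge from "credit" to "inform" and still leaves the two checks, which really are parallel, unconnected.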

Further, commercial process mining suites (e.g. Disco62) often make use of fuzzy

mining methods for the description of process behavior. Instead of focusing on the

detection of the process structure in the sense of OR or AND structures, they only

view activity transitions and their frequency within the process log.

62 http://fluxicon.com/disco/

The analysis of these structures, which is partly automated, can be used to

visualize, for example, bottlenecks and throughput.

Conformance checking can be used to detect deviations between the expected

process behavior and the actual behavior encoded in the event logs (Accorsi and

Stocker, 2012). These techniques carry out a trace-based analysis and can be used

to determine, e.g., the time needed for each execution and the number of different

executions.

The bulk of work on process mining focuses on analyzing the control flow of the

process. Recent works also deal with data flows or, more generally, resources

used in the process (Accorsi et al., 2013). Data flows can be used to identify

potential leaks or key resources in the enterprise, as well as monitor their

continuous consumption. Similarly, staff workload and work transfer can be

asserted by inspecting the corresponding traces.

5.4 Design and implementation

The preceding sections have introduced the PREDEC-framework that allows the

design of a prototype to detect and assess the resilience of process-centered IS

infrastructures. Based on the conceptual foundations provided by PREDEC, in the

following, the chapter introduces one possible artifact as an example of resilience

management information systems (RMIS) (as introduced in Chapter 4 & 5.1-3).

As we learned in this thesis, resilient systems accept and manage variability rather than trying to mitigate or reduce it from the outset. Among the various resilience indicators (as introduced in Section 5.3.2), the temporal behavior of a business process is crucial for resilience estimation since it shows the process’s reaction to different types of events and threats, as they delay and slow down processing (Dongen et al., 2008). A less sensitive process will show smaller delays in its execution even under high fluctuation of resources.

Consequently, the remainder of the chapter examines the use of process mining (PM) for resilience detection. As PM stands for automatable techniques to analyze business process models and their execution traces (logs) (van der Aalst, 2011), it is of great importance for the support and management of automated workflows. PREDEC represents a framework in which data from PM is further processed, allowing for the extraction of resilience indicators. Focusing on compliance checking, the next sections report on a case study for the manufacturing sector. The investigation follows the guidelines of (Runeson and Höst, 2009) for conducting and reporting case studies. In particular, expert interviews were used to obtain: firstly, the shape of a non-trivial order-to-cash workflow; secondly, the set of concrete resilience requirements derived from the set of global business process security requirements (Power, 2008); and thirdly, the usual execution characteristics.

The focus of this IT artifact (see Chapter 1 and Bichler, 2006) is on the temporal aspects of the process. For this, the subsequent sections present a method to model the amount of resources required as a stochastic function and to sum up the need for the whole business process, including its branches. In the calculations, probability distribution functions (PDF) are used instead of classical numerical values. Using distribution functions opens up the possibility of considering and measuring uncertainty and of compensating for unknown future risks and behaviors. The method is not limited to standard distributions as in many of the previous works. Using PM, decision makers can extract the resource distribution as PDF for each activity.

A case study is used to illustrate the approach. It shows that modeling the temporal behavior of a workflow as a stochastic variable makes it possible to grasp the concept of resilience by providing a mathematical framework to deduce resilience indicators. In line with PREDEC, the ultimate goal is to enable organizations to automatically identify and assess the interdependence of assets and processes.

The remainder of the chapter is structured as follows: First, limitations and research gaps are identified by reviewing current works on temporal aspects of workflows. Subsequently, the methodology and research design are elaborated on. Then, the case study is introduced, including an implementation and evaluation of the developed IT artifact. Finally, a discussion and summary of the findings conclude the chapter.

5.4.1 Review of temporal aspects of workflows

Research about the temporal behavior of workflows started in the middle of the 1970s. Ramchandani introduced timed Petri nets (Ramchandani, 1974), which he used to model the time response of asynchronous pipelined processors. Later, this method was adapted and used by Tsai et al. to model the behavior of workflows (Tsai et al., 1995). Both have in common that they use only earliest possible end time and latest finish time of an activity to represent time constraints. Eder et al. provided a similar approach to calculate the timeliness of a workflow or whether a cancellation of optional activities is required to reach the deadline (Eder et al., 1999). The novelty of this approach is that it could be used as a monitoring approach on live processes. Also, Pozewaunig et al. suggested an extension to the PERT model to incorporate time issues (Pozewaunig et al., 1997). Their model includes an additional timing aspect with two cases for each activity: worst and best case, each denoting the first possible start time and the latest possible start time of an activity. Although these simplifications make it easy to calculate and describe a workflow, such a model is not well suited to discussing resilience.

Currently, methods are available that use process mining techniques to predict the cycle time of a workflow and to tell when a certain case will end. This is done, for example, by van Dongen et al. in (Dongen et al., 2008). In this work, non-parametric regression of data records in event logs is used to estimate the remaining processing time of a running instance. In (van der Aalst, W.M.P. et al., 2011) the same question is addressed. A transition system is built to model the time behavior and to answer whether a given workflow will end in a given time-span. In the same work, an implementation for the ProM63 toolbox is presented. Another way of dealing with temporal aspects of workflows is presented by Pika et al. (2013). They identified a set of Process Risk Indicators (PRI) with the intention to capture the potential of delayed process executions (Pika et al., 2013).

63 http://www.promtools.org/prom6/

Despite the valuable contributions of existing works, a wide range of limitations

for resilient BPM assessment exist:

Most approaches use parametric descriptions of time such as start/end time or best/worst cases. Moreover, while today’s approaches treat time as a stochastic process, they assume a Gaussian distribution. Even the regression-based methods output only single values as a possible remaining execution time and do not supply the user with a probability density function (PDF) for the remaining time. However, resilience strongly depends on the behavior between the extremes (best case, worst case). Information on how the system reacts to changes in the environment lies within these two extreme boundaries (e.g. graceful degradation). The aspect of resilience can only be discussed when detailed behavior information of a workflow is given, so that possible changes to a workflow model can be simulated accurately to deduce resilience key indicators.

The approach presented here also makes it possible to determine with which probability the workflow will end at which time by calculating the cumulative distribution function (CDF). The proposed method also makes a monitoring approach possible: during an active instance, as more information about the workflow becomes known, the estimation can be recomputed and yields a better forecast, which can again be expressed as a CDF so that a decision maker can efficiently judge the current instance in terms of availability, discrepancies and capable-to-promise aspects. Depending on the risk appetite of a company, the order promise can be evaluated at arbitrary points and the method will return a success ratio for this point. By providing a fine-grained probability value instead of only the information that the workflow will be delayed, this method makes it possible to estimate how much the workflow is delayed and at which time the delayed workflow will most likely finish. Furthermore, this approach does not depend on the classification of PRI to make forecasts. Instead, by using PM on a single-activity basis, all risks that have already occurred are encompassed and used for the estimation calculations. It is also possible to use the extracted information for finished single activities in non-finished instances.

5.4.2 Methodology and research design

The guidelines of Runeson and Höst (2009) have been employed to conduct the

case study. A case study is the most appropriate research methodology for this

setting, as its primary objective is exploratory, with a flexible design, and

collecting qualitative (instead of quantitative) data. Concretely, the case study

encompasses the following steps:

1. Case study design: the objectives and objects of the case study are defined. This is given below.

2. Preparation for data collection (Subsection 5.4.3.1).

3. Evidence collection: carry out the analysis (Subsection 5.4.3.2).

4. Analysis of collected data (Section 5.4.4).

The “case under study” is the analysis of a real-life business process model and

the derived log file. The process is derived from a medium sized company in

Germany. Figure 40 depicts the formalization of the process.

To present the approach, a scenario is used based on an example workflow. This

section is structured in three parts. First an introduction to the case is given. Then

the requirements are stated. Third, the example is introduced. At the end the

scenario is applied and analyzed.

5.4.2.1 Time behavior - calculus

The time distribution for the whole workflow can be calculated from the time behavior of each activity. In our case the following rules apply:

Sequential Activities. Two activities with known duration PDFs behave like one activity whose PDF is the convolution of the PDFs of both activities. The convolution of two functions f(t) and g(t) is defined as

$$(f * g)(t) = \int f(\tau)\, g(t - \tau)\, d\tau \qquad (1)$$

For discrete functions, the integral becomes a sum.

The convolution can be seen as the weighted average of the two functions at moment t. The resulting function will have an area of 1, given that the area under both functions is also 1. This means that if two PDFs are merged, the result will again be a PDF. As a rule of thumb, the variance increases and the mean gets shifted.

Conditional Activities. Convolution does not work for conditional activities. Depending on the outcome of the branch, one path or the other is taken. The computation proceeds as follows: First, each individual path is calculated. Second, each path is weighted with the probability that it is taken ($w_0 \dots w_i$). This number can be taken from process mining, it can be estimated, or it can be set to 1/2 for each path if unknown. After this, the function must be normalized: the area beneath the function must sum up to one. This is done by dividing the resulting function by its integral.

$$(f \vee g)(t) = \frac{w_0 \cdot f(t) + w_1 \cdot g(t)}{\int_0^\infty \left( w_0 \cdot f(t) + w_1 \cdot g(t) \right) dt} \qquad (2)$$

5.4.2.2 Resilience in workflows

Different aspects must be taken into account to be able to measure the ability of a workflow to endure stress and to recover from it. According to (Bruneau et al., 2003), resilience may be defined as

$$R = \int_{t_0}^{t_1} \left( 1 - Q(t) \right) dt$$

where Q(t) is the quality of the system at time t, t0 is the time at which a shock took place, and t1 is the time after recovery from the shock. This resembles the resilience triangle (Bruneau et al., 2003). In the present case, Q(t) can be considered the on-time delivery reliability, that is, the probability that the desired outcome is reached by the time the deadline is due. This calculates to:

$$Q(t) = P(\text{duration} \le t) = \int_0^t pdf(t)\, dt = cdf(t) \qquad (3)$$

where PDF is the resulting time distribution of the whole workflow (see Figure 39, where the deadline d is also given). In the figure, the quality value Q(t) is the shaded area below the curve. After a shock, this probability (hence, Q(t)) decreases and recovers again over time when new resources are built or restored. CDF is the resulting cumulative probability distribution.

Figure 39: Calculation for the quality of the given Workflow⁶⁴

64 Visualized as the shaded area below the PDF function from 0 to d (from Zahoransky et al. 2014).

In line with the well-known “R4 resilience framework” (already introduced in Chapter 3.2.3.1) created by researchers affiliated with the Multidisciplinary Center for Earthquake Engineering Research (Bruneau et al., 2003), four aspects of resilience are used with the approach presented here:

• Robustness: the ability to withstand a given level of stress or demand without suffering unrecoverable degradation or loss of function. This can be reflected in physical building and infrastructure design (office buildings, power generation and distribution structures, bridges, dams, levees);

• Redundancy: the extent to which elements, systems, or other units are substitutable;

• Resourcefulness: the ability to skillfully prepare for, respond to and manage a crisis or disruption as it unfolds. This includes identifying courses of action, business continuity planning, training, supply chain management, prioritizing actions to control and mitigate damage, and effective communication of conditions and decisions.

• Rapidity: the ability to return to and/or reconstitute normal operations as quickly and efficiently as possible after a disruption. Components include carefully drafted contingency plans, competent emergency operations, and the means to get the right people and resources to the right place.

The questions this chapter plans to answer are: Firstly, what guarantees can be made to the customer regarding the duration of a production process? In contrast to the majority of recent approaches, the answer will not be a simple time span but a more sophisticated calculation resulting in a PDF (the workflow’s completion time and the related likelihood). Each activity is assigned a probability distribution used for calculations. How to obtain such a distribution is described later.

Secondly, how resilient is the workflow against disruptive effects? More concretely, if single activities fail, how does it affect the behavior of the whole workflow? Thus, the impact of each single activity on the whole workflow will be evaluated. This enables the simulation of situations where some paths of a workflow become unavailable. To state probability values for the whole workflow, process mining (PM) may be used to measure the individual time consumption of single activities. This enables process managers to calculate the overall workflow constraints. Eventually, PM returns historic data for the instance running time. This data already includes instances where the completion of the workflow was not optimal for various reasons, including malfunctions, external shocks or other difficulties. Instead of estimating each risk individually, the risks are automatically extrapolated by means of PM.

5.4.3 Case study

To provide a basis for analyzing our framework within a realistic setting, an

order-to-cash workflow by a medium-sized company in Germany was chosen.

The example workflow is depicted in Figure 40. In the present case, it is intended

to assess the resilience and the delivery reliability of this workflow even under

turbulent situations. It is taken to evaluate the introduced approach for resilience

assessment.

5.4.3.1 Example workflow

The workflow is triggered when a customer orders machinery, or anything that needs assembly. We assume that the workflow generates a trace inside a log. By applying PM to this log, we extract the timing information needed for our calculation. As stated in Section 5.3.2, the log must contain enough information for the PM to work (such as start and end time, activity ID and instance name). The timing behavior can still be extracted, even if the workflow model itself is not known.

5.4.3.2 Evidence collection

For each activity a PDF is extracted from the process logs. Some standard activities take only a short time with a low variance, while customized or interrupted activities exhibit longer durations with high variability. This variability or risk is modeled with a great variance in the time behavior distribution, regardless of the cause of delay. In order to assess the resilience of a workflow, we need information about the workflow’s completion time. This might be a hard deadline or a point in time after which the service or product is no longer of value. In our example the requirement is that it must finish within a given number of days. The historic data from PM would then be used to calculate the probability that the current workflow model will end within this deadline. As this is an example workflow, no historic data is available. Hence, the time response of the single activities is described by common distributions. A short overview of the single activities is given in Table 11:

Table 11: Time behavior of each single activity in the example workflow

| Activity | PDF: (µ,σ) or (p,b) for γ-distribution |
|---|---|
| Incoming order | log-normal(0.2, 0.4) |
| Print component plan | φ(0.5, 0.1) |
| Print assembly plan | φ(0.6, 0.15) |
| Create part list | γ(0.9, 0.7) |
| Acquire parts | γ(0.8, 0.8) |
| Fill out order | log-normal(0.1, 0.5) |
| Send order | γ(1, 0.5) |
| Arrival and inspection | log-normal(0.25, 0.5) |
| Obtain from warehouse | log-normal(0.07, 0.3) |
| Stage from warehouse | γ(0.8, 0.3) |
| Assemble parts | log-normal(1.3, 0.4) |
| Assemble Components | log-normal(0.4, 0.4) |
| Final inspection | φ(1, 0.4) |
| Invoicing and dispatch | φ(0.8, 0.3) |

Figure 40: Example Workflow⁶⁵

65 Each activity is annotated with a PDF that it will finish at the given time (see Table 11) (from Zahoransky et al. 2014).

5.4.3.3 Simulation settings and analysis

After applying the rules from the previous sections (5.4.2.1 and 5.4.2.2), Figure 41 and Figure 42 show the resulting PDF and cumulative probability distributions (CDF) for the time behavior of the whole workflow. While the continuous line illustrates the result for the overall workflow, the remaining lines symbolize the individual paths within the workflow. The first figure shows the probability density scaled to 1 for each path.

Figure 41: PDF calculation of the example workflow⁶⁶

66 Calculations of the overall time distribution for the example workflow and for each individual path. Note: Each PDF’s area is scaled to 1. (from Zahoransky et al. 2014)

The second figure depicts the CDF, the overall probability that the workflow will end by the given time. As we can see, the workflow has almost a 90 % chance of finishing within 10 days under the assumption that the fastest path (all components are available) is taken. In the other extreme scenario, where the longest path is taken (neither stocks nor preproduced components are available), the likelihood of workflow completion is less than 10 % (marked by the green-crossed line). However, if all OR-splits are considered equally, the overall workflow still has a chance of about 50 % to finish in that time (marked by the dark-blue line).

Figure 42: Cumulative calculation of the example workflow⁶⁷

67 Cumulative time distributions of the overall workflow and for each individual path (from Zahoransky et al. 2014).

The proposed method provides an accurate picture of the probability distribution function of the duration of the workflow: the higher its value (probability density) at time t, the higher is the probability that it will end at this specific point in time. Figure 41 shows the PDF for the overall workflow and for each of the possible paths of the workflow. For readability, the single PDFs are not weighted with their occurrence probability. Instead, they are normalized so that the area accumulates to one.

Integrating the single PDFs yields the CDFs depicted in Figure 42. Their value shows the probability that the workflow will end by time t.

The next section discusses and evaluates the results from the case study.

5.4.4 Evaluation and discussion

For the workflow, the following PDF is calculated using the calculus from the previous section, as seen in Figure 42. A certain deadline is assumed to illustrate the methodology. The calculated PDF of the example workflow is also verified by a simulation of the workflow. In the simulation, each activity is mapped to a random generator implementing the denoted probability density. The activities are started according to the structure of the workflow. Each path of an OR-decision is traversed with a probability of 1/2. 100 million runs were simulated for the result depicted in Figure 43.
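The calculus of Section 5.4.2.1 (equations (1) and (2)), the on-time quality Q = cdf(d) of equation (3), and the simulation check described above, worked through in Python as an added example; it is not code from the dissertation or from Zahoransky et al. The two-path workflow structure, the 4-day deadline, the grid step and the reading of log-normal(µ, σ) as log-scale parameters are assumptions made for illustration; the activity parameters come from Table 11.

```python
import math
import random

DT = 0.02                    # grid step in days (assumption)
T_MAX = 12.0                 # densities are tabulated on [0, T_MAX)
N = int(round(T_MAX / DT))

def normalise(pdf):
    """Scale a tabulated density so that its area (sum * DT) equals 1."""
    area = sum(pdf) * DT
    return [v / area for v in pdf]

def normal(mu, sigma):
    """phi(mu, sigma) tabulated for t >= 0; negative durations are cut off."""
    return normalise([math.exp(-0.5 * ((i * DT - mu) / sigma) ** 2)
                      for i in range(N)])

def lognormal(mu, sigma):
    """log-normal(mu, sigma), read here as log-scale parameters (assumption)."""
    vals = [0.0]
    for i in range(1, N):
        t = i * DT
        vals.append(math.exp(-0.5 * ((math.log(t) - mu) / sigma) ** 2) / t)
    return normalise(vals)

def sequence(f, g):
    """Sequential activities: equation (1), with the integral as a sum."""
    out = [0.0] * N
    for i, fi in enumerate(f):
        if fi < 1e-12:           # skip grid points that carry no mass
            continue
        w = fi * DT
        for j in range(N - i):   # mass beyond T_MAX is dropped (negligible)
            out[i + j] += w * g[j]
    return out

def or_split(paths, weights):
    """Conditional activities: equation (2), weighted sum divided by its area."""
    return normalise([sum(w * p[i] for w, p in zip(weights, paths))
                      for i in range(N)])

def on_time(pdf, deadline):
    """Equation (3): Q = cdf(deadline), the mass at or before the deadline."""
    return sum(v for i, v in enumerate(pdf) if i * DT <= deadline) * DT

def analytic(deadline, weights=(0.5, 0.5)):
    """Constructed workflow: order -> (warehouse | purchase) -> inspection."""
    order = lognormal(0.2, 0.4)        # Incoming order
    warehouse = lognormal(0.07, 0.3)   # Obtain from warehouse
    fill_out = lognormal(0.1, 0.5)     # Fill out order
    arrival = lognormal(0.25, 0.5)     # Arrival and inspection
    final = normal(1.0, 0.4)           # Final inspection
    fast = sequence(sequence(order, warehouse), final)
    slow = sequence(sequence(sequence(order, fill_out), arrival), final)
    overall = or_split([fast, slow], weights)
    return {"fast": on_time(fast, deadline),
            "slow": on_time(slow, deadline),
            "overall": on_time(overall, deadline),
            "area": sum(overall) * DT}

def simulate(deadline, runs=50000, seed=1):
    """Monte Carlo check: one random generator per activity, OR-split at 1/2."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(runs):
        t = rng.lognormvariate(0.2, 0.4)
        if rng.random() < 0.5:
            t += rng.lognormvariate(0.07, 0.3)
        else:
            t += rng.lognormvariate(0.1, 0.5) + rng.lognormvariate(0.25, 0.5)
        final = rng.gauss(1.0, 0.4)
        while final < 0:               # same cut-off at 0 as normal()
            final = rng.gauss(1.0, 0.4)
        t += final
        hits += t <= deadline
    return hits / runs

if __name__ == "__main__":
    print("on-time probability per path and overall:", analytic(4.0))
    print("simulated overall:", simulate(4.0))
    print("warehouse path unavailable:", analytic(4.0, (0.0, 1.0))["overall"])
```

Passing weights of (0.0, 1.0) models the case where the warehouse path becomes unavailable, so the drop in the overall value is the loss in on-time delivery reliability for that disruption.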

Figure 43: Simulation results⁶⁸

68 100 million runs: the required time (red bars) and calculated values (blue line) (from Zahoransky et al. 2014).

The evaluation shows a 98.98 % probability that the workflow is finished within 18 days, even under disruptive events. As discussed previously, this value is not based on optimal or worst-case scenarios as in previous works but is a realistic estimate based on historic data that already includes adverse impacts. As seen in Figure 41, the greatest chance of a delay is when parts are not preproduced and need to be ordered. Additional information can be extracted from the time behavior: The robustness of a workflow is expressed by the slope of the PDF. The steeper it is at the negotiated delivery time, the more susceptible the workflow is to external influences. In Figure 43, robustness can be expressed as the density of the PDF at the projected delivery time (near to zero). If an interruption happens, the workflow would take slightly longer. However, the overall probability of meeting the intended completion time would not change significantly, as the shaded area will not decrease much. The redundancy of a workflow can be calculated as the difference between the actual probability of delivery and the negotiated delivery reliability. A higher success rate indicates a surplus of resources that increases the redundancy.

The quick and accurate information about the observed workflow further enhances the resourcefulness and rapidity of the IS: The calculations grant the possibility to react early to situations that are no longer covered by the workflow’s robustness or redundancy. Furthermore, our framework gives the possibility to compare different variations of the same workflow. This is useful for workflow engineers who start to redesign a given workflow. For each evolved design, they can compare robustness and redundancy. This also increases rapidity, as the redesign process is more efficient and target-oriented.

It is now possible to rearrange the activities based on the learned numbers to further increase the operative viability (e.g. by creating the parts list in parallel to creating the components list). Despite the fact that it would slow down the best case, this modification could decrease the time required when the upper path is taken. It would therefore increase the system’s capacity to absorb negative effects, as the upper part is essentially involved in the delayed cases. The time behavior and thus the resilience levels of the redesigned workflow are instantaneously available, as no new data is required.

5.5 Concluding remarks

The traditional understanding of trust and security amounts to building large information systems that are robust, i.e. they avert failures by mitigating the corresponding risk associated with the execution of business processes. This chapter introduced a process-oriented framework for information infrastructure resilience. The key premise behind the PREDEC framework is that, in merging robustness and resilience, one can provide for more trustworthy information systems that not only prevent incidents, but that, upon an incident, fault or attack, can also bounce back to a stable state and even improve their design. In line with the operational resilience management cycle, the main research questions for resilience detection were introduced, and PREDEC and its building blocks were schematically sketched. The subsequently proposed approach uses process mining (PM) to create probability distributions of the time behavior of workflows. Instead of relying on an expert’s view who gauges the possible risk according to her experience, PM can help and automate this part. The resulting time probability provides an overall resilience estimation for a workflow. Repeating this method yields even more accurate results and finally enables a monitoring approach for resilience assessment during runtime. This approach is not dependent on an overall workflow, as each activity is considered on its own. This brings the advantage that the process log does not need to identically match the workflow, as long as the single activities correspond.

A remodeled workflow can thus be simulated and compared to the original one by

using the same process log. This comparison can be on different resilience

dimensions to support workflow designers to improve existing workflows. During

execution of a workflow the current resilience level can be monitored and

countermeasures can be initiated on run-time if the level drops.

In the future, it is possible to empirically evaluate the effectiveness of the PM data with interview partners in practice. This comparison will allow for an evaluation of both the usability and the relative benefits of the proposed approach compared to manual exception handling. Moreover, the introduced method is not limited to evaluating timing behavior. Depending on the input functions, the method can for instance be extended to estimate economic impacts of a workflow. Moreover, in a more complex setup, the functions could be plotted against each other, resulting in a cost-dependent time behavior. This enables a new and thorough visibility of a workflow’s resilience at run-time.

6 Secure Sustainability Benchmarking Service

Chapter 3 shows that in turbulent and complex operational settings any kind of incident or disruption has the potential to affect multiple lines of business and organizational units to which they are connected (e.g., Sheffi, 2007; Tanriverdi et al., 2010; Weick and Sutcliffe, 2007). Such situations reveal that localized and discrete responses may not be sufficient and require harmonization of managerial responses by means of integration and collaboration within an organization and across organizations (see Section 3.1.3.4). Hence, integration – previously defined as the ability to systematically create and manage structured networks of relationships – becomes crucial in order to facilitate effective collaborative responses both within and outside an organization. According to the literature, resilient organizations are able to utilize relationships with other stakeholders to enrich an inventory of resilient responses by obtaining external resources and supportive actions (Antunes and Mourão, 2011; Bayuk and Silverstein, 2007).

Similarly, integration and cross-organizational collaboration are also receiving growing attention in the field of sustainability management. To measure and assess ecological sustainability performance, such as the Carbon Footprint, the assignment of environmental impacts to those segments that caused them is required. Consequently, this so-called cradle-to-grave principle means assessing environmental impacts associated with all the stages of a product's life cycle (i.e., from raw material extraction through manufacturing to disposal or recycling). As organizations have been reducing their production intensity for years by means of outsourcing and off-shoring of multiple services, the scope of environmental sustainability is far beyond a single organization and requires a systematic understanding of an organization’s interconnected value net (Watson et al., 2010).

As business is apparently recognized as being a critical contributor in realizing the challenges of environmental sustainability (Elliot, 2011), requirements from stakeholders on sustainability measurement have steadily grown (Chatterji and Toffel, 2010). Moreover, research increasingly demonstrates benefits of proactive sustainability management (Burnett and Hansen, 2008). In line with the prevailing view in theory and practice, sustainability benchmarking is defined as a management tool to identify sustainability performance gaps between business objects for facilitating continuous improvement and organizational learning (e.g., Shaw et al., 2010; Wiedmann et al., 2009). Note that, similar to resilience, the multidisciplinary field of environmental sustainability has developed a variety of definitions and conceptualizations, leading to confusion of terminology (Elliot, 2011; Koslowski et al., 2013b). For example, according to the triple-bottom-line accounting framework, sustainability incorporates the three dimensions of economic, social, and environmental performance (compare Chapter 2), while Elliot (2011) states that environmental sustainability is an essential prerequisite of social development. As the contribution of this chapter is rooted in the green IS research field, e.g., (Dedrick, 2010; Melville, 2010), in the following, environmental sustainability will be used as proposed by Elliot (2011), which focuses on impacts on the environment without an explicit reconsideration of an extra social dimension.

This chapter attempts to show that while sustainability benchmarking, in particular, is a promising approach to proactive sustainability management, it faces a significant data input and information-sharing problem: Firstly, the heterogeneity of the data requires significant cost-intensive data gathering and pre-processing. Secondly, the sensitivity of the data makes enterprises reluctant to share this data.

Accordingly, the first division of this chapter (Sections 6.1 – 6.3) focuses on the first challenge by analyzing the utilization of the platform principle for an ERP on-demand provider and sustainability-benchmarking provider⁶⁹. Besides the consideration of possible cost savings for providers and users, the focus lies on the specific potential provided by an ERP on-demand platform. This mainly consists of the integration of complementary enterprise applications with the core ERP application and the resulting added value for service users as well as platform and service providers. This added value will be investigated by using the example of a software service for sustainability benchmarking (SBM), exploring how this may contribute to the lasting success of ERP on-demand platforms. As subsequently shown, the quality of the SBM application as well as of corporate management can be significantly improved. In particular, an SBM software service that is integrated into an ERP on-demand platform is able to accelerate market penetration.

69 These sections are based on the paper Koslowski and Strüker (2011), which has been previously published in the journal Business & Information Systems Engineering.

Nonetheless, research on inter-organizational systems shows how reserved and cautious enterprises still are today when it comes to the exchange of sensitive data (Kerschbaum et al., 2011). Ideally, in order to track inter-organizational data in a reasonable granularity and precision for holistic sustainability assessments, a collaborative exchange of sensitive data like environmental impacts and sustainability indicators will be necessary (Elliot, 2011). For this purpose, the second division (Sections 6.4 - 6.8) introduces an IT artifact, namely a secure sustainability benchmarking service (SBS), to overcome the information-sharing problem⁷⁰.

For a start, the next section describes why SBM is increasingly relevant for

companies.

6.1 Sustainability quest for enterprises

Stakeholders, such as customers, investors or legislators, are increasingly confronting enterprises with expectations for more sustainable business practices (Hoffmann and Busch, 2008, p. 506; Sharma and Henriques, 2005). Practical implications for companies so far mainly concern compliance with a variety of environmental laws in order to reduce liability or to allow better access to relevant resources: In the European Union, for instance, the so-called ‘climate and energy package’ (20-20-20 targets) became law in June 2009. The goal was to reduce the output of greenhouse gases by 20%, improve energy efficiency by 20% and increase the percentage of renewable energy by 20% by the year 2020 (Melville, 2010). Besides a growing trade in CO2 emission allowances, the demand for green products and sustainable investment funds are further indicators of the growing importance of an environmentally sustainable business policy (Chatterji and Toffel, 2010; Dedrick, 2010).

70 These sections are based on a revised version of the paper Kerschbaum et al. (2011) presented at the International Conference on Information Systems 2011 in Shanghai.

Companies increasingly address the demands of stakeholders for sustainably

responsible business practices by means of publication of sustainability

performance statements (Sharma and Henriques, 2005, pp. 174 f). These

developments include to a greater extent the measurement and documentation of

effects on the environment in the form of sustainability reports and eco-efficiency

labeling of products, besides the avoidance and reduction of ecologically harmful

substances (Cho and Patten, 2007). The European Accountants Modernization

Directive wants enterprises to reveal environmental information in the annual

report as part of their annual accounts. Also in the US, more than 80 percent of the

Global Fortune 250 published sustainability reports (Koslowski and Strüker,

2011, p. 360). Moreover, public, media, and non-governmental organizations,

such as the Carbon Disclosure Project, ask enterprises to provide accountability

and proof of sustainable management such as certificates or sustainability reports

(Dedrick, 2010). Finally, the growing demand for green products calls for

environmental sustainability information (Sharma and Henriques, 2005). Besides

publishing sustainability reports, enterprises have met this demand by

implementing corporate environmental management systems for quite a while.

These measures are especially supposed to fulfill the compliance requirements of

the stakeholders and, in this manner, help to avoid liability claims, reputation

damage, and consumer boycotts (Chatterji and Toffel, 2010; Sharma and

Henriques, 2005).

6.1.1 Sustainability performance management systems

The measurement and documentation of environmental impacts is meant not only to meet environmental compliance requirements (Sarkis, 2003, p. 97), but also to provide a basis for improvements in a company’s sustainability performance and resource productivity (Hervani et al., 2005, p. 330). This requires a systematic and deep analysis and control of all business objects, which includes not only a restructuring of processes but also the development of innovations in the light of sustainability (Sharma and Henriques, 2005, p. 160). As a consequence, sustainability reporting has also changed over the years by expanding from an internal to an external, i.e., cross-enterprise perspective. With the establishment of methods like Life Cycle Assessment (LCA) (Reap et al., 2008) or Carbon Footprint (Weidema et al., 2008), a more systematic and comprehensive coverage of environmental impacts is increasingly gaining traction. The basic idea is that environmental impacts are always assigned to the segment that caused them.

This so-called “cradle-to-grave” principle means to assess environmental impacts

associated with all the stages of a product's life cycle (i.e., from raw material

extraction through manufacturing to recycling and disposal) (Tukker and Jansen,

2006, pp. 152 f). This becomes relevant as more stringent environmental laws and

reporting standards require tracing and accounting of indirect emissions and also

taking pre-chain and post-chain services into consideration. Thus, the scope of

environmental sustainability is far beyond a single organization and requires a

systematic understanding of an organization’s interconnected value net (Watson et

al., 2010).

However, particular challenges for the determination of this information result from the fact that, for years, companies have been reducing production intensity and outsourcing a variety of upstream processes to suppliers and other third parties in order to realize specialization benefits. As a consequence, companies need to examine their entire value chain in terms of its (environmental) resource productivity in order to ensure the allocation of all environmental impacts according to their causes and to avoid double counting (Koslowski, 2011). Different institutions, such as the World Business Council for Sustainable Development or the National Renewable Energy Laboratory in the U.S., issue comprehensive recommendations as regards which environmental effects and related indicators should be included in the analysis as inputs or outputs (Fava et al., 2009, pp. 492ff).

Accordingly, Shaw et al. (2010) highlight the importance of managing and

reporting on sustainability indicators to gain significant cost savings and enhanced

productivity. Widely used productivity indicators, such as carbon productivity or

eco-efficiency, represent the relationship of output from a productive activity to

its inputs (e.g., Dedrick, 2010; Hoffmann and Busch, 2008; Wiedmann et al.,

2009). However, in order to make a statement about the productivity of a business

unit or a process, usually the use of a reference object to determine a performance

gap is necessary (Figge and Hahn, 2005). Such a comparative, relative efficiency

measurement represents “the constitutive feature of benchmarking, which is a

fundamental and by now well established concept of modern management and

strategy research as well as business practice” (Hammerschmidt, 2006, pp. 89,

translated). Hence, benchmarking is seen as a promising tool for sustainability

performance measurement and management (Sarkis, 2010).

Benchmarking, in general, means the “search for industry best practices that leads

to superior performance” (Camp, 1989, p. 19) and is understood as a continuous and systematic

process that compares specific research objects with reference partners using

diverse measurements (Spendolini, 1992). Due to an increasingly dynamic

environment and complex markets on the one hand and limited rationality and

scarcity of resources on the other, companies are striving to increase their own

performance at reduced risk by means of learning from successes and failures of

others. Solutions should not only be imitated, but rather be seen in context with

their own core competencies and developed further. The orientation towards competitors is also supposed to prevent market requirements from being insufficiently taken into account in resource allocation. Benchmarking thus represents

“a synthesis of the thesis ‘market orientation’ (search for opportunities) and the

antithesis ‘resource orientation’ (capacity building)” (Hammerschmidt, 2006, p.

93).

In terms of sustainability policies, Graafland et al. (2004, pp. 139ff) mention

central reasons for sustainability benchmarking (SBM): It increases the

transparency, accountability, and credibility for stakeholders through the

objectivity of a third party and improves the identification of a company’s

weaknesses. Finally, Reid and Toffel (2009, p. 1171) argue that companies often react to external requirements in order to follow their competitors who have already taken appropriate action. With the help of SBM, the next evolutionary step for pro-active management of a company’s sustainability performance can thus be reached (Hoffmann and Busch, 2008, p. 506). The validity of

information on a company’s sustainability performance always depends on the

quality and quantity of the provided data basis. In practice, the potential

significance of the sustainability performance to be measured can be increased

with an increasing scope and detail of information about a company’s processes

and products (Melville, 2010).

On the enterprises’ side, the need for detailed analyses clearly exists (Wiedmann

et al., 2009, p. 361), but the realization often fails as a consequence of difficulties

in terms of data availability due to inconsistent approaches to the measurement

and collection as well as the insufficient exchange of data between companies

(Hoffmann and Busch, 2008, pp. 517f). In addition to such methodological problems, the high costs of extensive analyses may also hinder the sustainable development of enterprises (Butler, 2011). The next section explores in detail

why sustainability benchmarking – in spite of the aforementioned benefits – is

still in an early stage of development.

6.1.2 IT-based SBM

During the last two decades, information technologies have already led to crucial

improvements regarding the operational efficiency of supply chains in terms of

the well-established dimensions of cost, time, quality, and flexibility. Companies

now also expect the realization of ecological improvements through the use of

information systems, so-called “Green IS” (Dedrick, 2010, p. 179; Koslowski et

al., 2013b; Melville, 2010, p. 3). For example, ERP data on machinery and

process lead times may provide a detailed data basis for sustainability

management by linking these to respective energy costs and CO2 concentration.

Also in product development, the access to ERP data, such as material and

supplier choice, could allow conclusions on environmental effects during the

product life cycle. Different substances and materials are made comparable by

transformation into CO2 equivalents and can therefore be included in optimization calculations. Furthermore, physical properties, such as weight or size, which may

influence the transport and energy consumption during use and recovery of the

final products, are calculated prior to development (Zhu, 2010, p. 28; Linton et

al., 2007, p. 1075).

Apart from increased data quality, shorter reaction times also constitute an

essential benefit of information systems for sustainability management. To date,

enterprises’ sustainability-relevant data are mainly collected manually using

questionnaires or semi-automatically through import of different documents and

tables (Butler, 2011). Given, for instance, the Global Reporting Initiative, the Dow Jones Sustainability Index, the EPA Climate Leaders Greenhouse Gas or Toxic Release Inventory, a number of established and competing standards exist (Chatterji and Toffel, 2010). They cause immense personnel expenses both on the part of data providers through data compilation and preparation and on the part of the user during data collection. Therefore, companies often draw upon specialized

service providers such as SAP or C2P GreenTech info (Butler, 2011, p. 19).

Currently available SBM on-premise[71] applications already allow extensive

comparisons inside a company. However, to perform inter-organizational

comparisons enterprises often join benchmarking networks and groups

exchanging experience such as the Carbon Disclosure Project. This is often

because of high data collection costs as well as the necessary adaptation of data

due to different software. The involvement in such a cooperative network

platform is supposed to enable the transfer of core capabilities, which also

includes tacit knowledge in addition to explicit knowledge assets

(Hammerschmidt, 2006). Although companies are pursuing different - sometimes

contradictory - objectives even within one value chain and inter-organizational

benchmarking has long been considered unthinkable, it can be observed that companies increasingly realize that the additional benefits through collective “learning” may outweigh the risks of opportunistic behavior for all parties concerned (Helper et al., 2000, p. 468)[72]. The essential importance of an inter-organizational exchange of information for meeting corporate sustainability objectives is also highlighted by Linton et al. (2007), who particularly identify the large potential for improvement in product development and reuse of raw materials and by-products through re-design (Linton et al., 2007, pp. 1078f).

[71] In a conventional on-premise application deployment model, the organizational data continues to reside within the organization’s boundary and is subject to its physical, logical, and personnel security and access control policies. In an on-demand or “as-a-service” model, the data is stored outside with the service vendor (Subashini and Kavitha, 2011a).

Outsourcing sustainability performance management to an intermediate service

provider could not only reduce costs of acquisition and maintenance of relevant

expertise and knowledge, but also increase objectivity and thus credibility with

third parties (Kolk and Mauser, 2002, p. 25). Furthermore, permanent contact and

a greater number of relationships make it possible for a benchmarking service

provider to detect trends early (so-called innovation effect). As a mediator

between both sides of the market (data supplier and benchmarking consumer), it

has a strong interest in permanently keeping up the relationship with the

companies in order to save agreement and coordination costs for repeated

acquisition of data and also to establish a positive reputation and in consequence

create trust.

6.2 Integration into an ERP on-demand platform

ERP applications offered as Internet-based software services (SaaS) so far only

have a small market share (Benlian et al., 2009; Hofmann, 2008). The ERP world

market leaders for traditional on-premise applications, SAP and Oracle, react

ambivalently to this on-demand service: On the one hand, they point to the

industry’s continuing demand for traditional ERP solutions and are thus skeptical

of the market potential of ERP on-demand solutions. In addition to regulatory

obstacles and critical privacy and security related aspects, researchers and

practitioners particularly identify so-called “mission-critical applications” to be a problem and therefore claim further technical development needs (Subashini and Kavitha, 2011b). On the other hand, SAP currently offers ERP on-demand solutions with Business One (formerly Business ByDesign[73]) and Oracle via NetSuite[74]. They commit significant corporate resources to the development of other software services and see a growing willingness among companies to trust cloud providers with financial data as well; e.g., a recent forecast report estimates an 18.5 percent market growth in public cloud services in 2013 to total 131 billion US dollars (Gartner, 2010).

[72] However, lack of trust may still constitute an insurmountable obstacle for information sharing. An approach to overcome this challenge will be provided in Section 6.5f.

6.2.1 ERP as a platform

However, the changes which currently become apparent in the market for enterprise software are not limited to the choice between the alternatives ERP on-demand or ERP on-premise: Platforms for enterprise applications, such as “AppExchange”[75] by Salesforce, show how to successfully transfer the platform principle, as known, e.g., from Apple’s App Store, to enterprise applications today. Hence, this CRM on-demand provider claims to already have offered more than 1,800 complementary services, so-called apps, via its internet-based platform in August 2013. Given this success and the central importance of ERP software for managing companies, the integration of ERP on-demand and the platform approach appears promising (Hofmann, 2008).

The following subsections analyze the utilization of the platform principle for an ERP on-demand provider. Besides the consideration of possible cost savings for providers and users, the focus lies on the specific potential provided by an ERP on-demand platform. This mainly consists of the integration of complementary enterprise applications with the core ERP application and the resulting added value for service users as well as platform and service providers. This added value is investigated using the example of a software service for sustainability benchmarking (SBM), exploring how it may contribute to the lasting success of ERP on-demand platforms. As subsequently shown, the quality of the SBM application as well as of corporate management can be significantly improved. In particular, an SBM software service that is integrated into an ERP on-demand platform is able to accelerate market penetration.

[73] http://www54.sap.com/pc/tech/cloud/software/business-management-bydesign/overview/index.html

[74] http://www.netsuite.com/portal/landing/oneworld-for-oracle.shtml

[75] https://appexchange.salesforce.com/

6.2.2 Literature on ERP on-demand

Before explaining the platform concept and discussing the essential work relevant for an ERP on-demand platform, this section first outlines the research gaps on ERP on-demand by means of a comprehensive literature search.

The scientific analysis of ERP applications designed according to the SaaS model

has hardly been carried out so far. A search of title, abstract, and keywords (in

August 2011) in the databases Business Source Premier, MLA International

Bibliography, EconLit, Science Direct, IEEE Xplore, ACM Digital Library,

SpringerLink, DBLP, and Google Scholar found only six relevant results. As the

logical search term, we used (“ERP” OR “Enterprise Resource Planning”) AND

(“on-demand” OR “as-a-service” OR “software-as-a-service” OR “Cloud

Computing” OR “Platform as a Service” OR “PaaS”). The above databases

considered the journals ACM Transactions on Information Systems,

Communications of the ACM, European Journal of Information Systems,

Information Systems Journal, Information Systems Research, Journal of

Management Information Systems, Journal of the AIS, Management Science, MIS

Quarterly, and Wirtschaftsinformatik/BISE, among others. None of the six

contributions found was published in one of these journals.

The literature review on the much more comprehensive concept of Software as a Service (SaaS) has provided a number of works presented in Table 12. In total, however, computer science related publications are dominant again, while IS-related contributions are available only sporadically. The contributions by Lehmann and Buxmann (2009) and Mathew and Sumesh (2010) dealing with SaaS and pricing have to be pointed out as well as Benlian et al. (2009), who empirically investigate the adoption of SaaS-based applications. Demirkan et al. (2010) analyze potential coordination strategies between software and hardware or infrastructure providers. Susarla et al. (2010) deal with modeling the relationship of SaaS providers and consumers as a principal agent problem illustrated by a SaaS CRM application. The question of what additional value is achieved through a SaaS-based application for enterprise customers by means of cost savings and flexibility or elasticity (Armbrust et al., 2010) remains unanswered.

Table 12: Results of the literature review on “SaaS”[76]

| Databases | Search term: SaaS or Software as a Service |
|---|---|
| Business Source Premier (including MLA International Bibliography, EconLit, and ScienceDirect) | 11 |
| IEEE Xplore | 96 |
| ACM Digital Library | 6 |
| Springerlink | 2 |
| DBLP | 49 |
| Google Scholar (without limitation to peer-reviewed journals) | 144 |

[76] From (Koslowski and Strüker, 2011, p. 360).

In addition to Apple’s App Store and the marketplaces for business software offered by Salesforce, platforms in general (also sometimes termed ecosystems) have long played a major role in information-goods markets and in markets with physical products and services (Cusumano, 2010; Kim et al., 2010). A central characteristic of such platforms is that actors using these platforms create more value together than alone (Kim et al., 2010, p. 151). Conversely, this means for the participating companies of a platform that their own success depends on the long-term vitality of the platform. This is especially true for knowledge-intensive industries such as ICT where companies often do not compete individually, but are sub-units in a competition of platforms which is highly influenced by self-reinforcing feedback (Arthur, 1996, p. 104). The next section ties in with this aspect and shows how a SaaS-based SBM application that is integrated into an ERP on-demand platform may significantly contribute to the diffusion and economic success of the platform.

6.3 System dynamics model

To analyze how the integration of a SaaS-based SBM application into an ERP on-demand platform may significantly increase and accelerate the market success of both components, an ERP on-demand platform is assumed which is not being offered on the market in this form. This platform for SaaS-based enterprise applications is characterized by the fact that the success of the participating actors significantly depends on the vitality of their platform (Arthur, 1996, p. 100). This is, among other things, due to feedback effects which have been studied intensively as increasing economies of scale in economic disciplines, e.g., in the context of organizational path dependence (for a review see Sydow et al., 2009) or strategic management (Markides and Williamson, 1996). Since comparative-static analysis methods do not allow for a holistic view of the feedback of an integrated ERP on-demand platform, we have chosen a qualitative system dynamics approach that considers the systemic interconnections as well as the complexity and dynamics of social and economic systems (Coyle, 2001, p. 10).

6.3.1 Methodology

The bounded rationality and the predominantly linear thinking of individuals lead

to the fact that decision makers often do not directly recognize the dynamical

behavior of social systems and their functional relations (Richmond, 1997, p. 133) and, due to these misjudgments, make changes to the system that may have

unintended consequences (Senge, 1997, p. 58). Based on system thinking, i.e., the

disclosure of mental models and the representation in formal models, knowledge

about system identity, such as its structure or behavior, can be generated. In this

case, each model element has a real world counterpart so that an adequate analysis

of the causes of problems and their consequences contributes to decision making

(Senge, 1997, p. 73). Following the axioms of system dynamics, social systems

interact with their environment. Interactions are represented via causal arrows

between system elements, whereas the kind of impact (positive or negative) is

visualized through polarities. Since any impact between two system elements

directly or indirectly becomes a cause of new impacts itself, dynamic time figures

evolve from cause-effect-chains, which can only be explained and predicted by

means of models and sufficient knowledge of the internal system structure (Senge,

1997, p. 63). Hence, the modeling process forms the center of system thinking

(Forrester, 1994, p. 246).

Jay Forrester originally refers to the quantification and simulation of a formal

model as a necessary step for the traditional system dynamics approach to reach a

solution (Forrester, 1994, p. 245). However, since the early 1980s more and more

purely qualitative models have been developed, which are limited to the

description of the system and the creation of causal loop diagrams (Coyle, 2000,

p. 225). The starting points of these models are the lack of availability of valid

data, the idealized representation of reality due to the restrictive nature of flow

charts, and the tendency to develop models that are too detailed and complex to

allow for common learning, which actually is the main purpose of system

dynamics (Wolstenholme, 1999, p. 424). Hence, especially in situations of great

complexity and uncertainty a qualitative approach in terms of “system thinking”

(Senge, 1997) or “qualitative modeling” (Coyle, 2000, p. 225) is sufficient and

appropriate (Forrest, 2010). In the following context, hypotheses will be

formulated based on an appropriate theory so that the problem behavior is

(endogenously) generated from the feedback structure of the model. To visualize

the hypotheses-based causalities, mainly causal diagrams are used. Following Coyle (2000, p. 225), the benefit of qualitative modeling results particularly from the facts that very complex problems can be visualized in a simple and compact form, that the problem focus is sharpened during the discussion and analysis, and that the identification of feedback can already explain system behavior. The first

objective of this chapter predominantly consists of explaining the added value of

an integrative SBM service within an ERP on-demand platform from a dynamic

perspective for scientists and practitioners. For this, a qualitative model will be

developed that discloses feedback within the platform and offers sufficiently

realistic predictive power despite simplifying assumptions to reduce complexity.

For this purpose, the proposed model will draw upon information and network

economy for the definition and derivation of suitable hypotheses as well as upon

concepts of adoption and diffusion research. The starting point of investigation is

the problem definition, which is carried out from a dynamic perspective

(Forrester, 1961): How does an integrated SBM complementary service affect the

market penetration of an ERP on-demand platform? The remaining aspects of the modeling process are the subject of the next sub-section.

6.3.2 Model development and analysis

After a problem is defined, it is important first to identify key variables, i.e., central factors which explain the system structure and behavior patterns.

A dynamic perspective requires the behavior of the variables over time to be taken into account. Key variables and temporal behavior eventually enable the development of a causal loop diagram which helps to detect and visualize cause-effect relationships. Figure 44 shows the result of the analysis. Due to the complexity of the model, the identified key variables are presented first before we draw attention to their interactions. In order to facilitate the comprehensibility of the arguments for the reader, key variables and feedback are distinguished.

Figure 44: Feedback Loops[77]

[77] From Koslowski and Strüker (2011, p. 363).

Diffusion curve: Limited by the maximum market potential (potential_adopters), the diffusion curve of an ERP on-demand application and an SBM service can be described as an S-shaped curve through the aggregation of the individual purchase or adoption processes becoming steeper with increasing diffusion or adoption (adoption_rate) (Rogers, 2003, p. 272). Product-related factors are considered to be the most important determinants for the diffusion of an innovation (Gatignon and Robertson, 1985, pp. 850 ff). According to the classification proposed by Rogers (2003, pp. 22 ff), the innovation attributes (attributes_of_ERP/SBM) relative advantage, compatibility, and complexity are particularly significant here (Moore and Benbasat, 1991, pp. 195 ff). Relative advantage represents a measure of the extent to which the innovation is preferred to alternative offerings. This superiority may result from economic reasons, time savings, or status issues. In addition to the existence of common standards, compatibility also describes the innovation’s consistency with existing values, needs, and experiences of the consumer. While the first two influencing factors have a positive impact on the rate of adoption, complexity, i.e., the difficulty of understanding and applying an innovation, leads to a delay of adoption (cf. Rogers, 2003, pp. 233, 249, 257). As an additional obstructive feature, the perceived risk is mentioned as an influencing factor, considering the fact that the adoption of an innovation is determined by the pursuit of risk reduction (see Figure 44).

Network effects: Information technologies are often characterized by network effects when people use a common standard and thus form a common network (Brynjolfsson and Kemerer, 1996). Here, direct network effects refer to the added value of a product resulting from the increasing number of network users (Katz and Shapiro, 1985). These effects are identified in the model through the loop between actual_adopters_ERP and attributes_of_ERP. Particularly regarding the use and management of information systems, there is a variety of standardization advantages both for the application and for the support of IT (Lee and Mendelson, 2007, p. 395): The coordination of a standard platform facilitates the exchange of information, generates a larger repository of configuration knowledge and problem solving options, and increases the availability of complementary software. As already shown, this particularly applies to knowledge-based services such as SBM (see the previous section).

Therefore, we can conclude that network effects are also of great importance for the success of an ERP service, since the diffusion of a system may additionally result in a higher interoperability (syntactic and semantic compatibility) between companies and provides an advantage compared to less common solutions.

Another cause for network effects can be seen in so-called learning and experience effects (Arthur, 1996, p. 103). Highly complex products, such as software applications, require an introductory period to establish a sufficient understanding (Moore and Benbasat, 1991, p. 200). The resulting learning expenses and uncertainty of potential consumers have an obstructive effect on their adoption (Rogers, 2003, pp. 233ff). If an established standard exists, it is more likely that customers will be able to draw upon existing knowledge, and it is easier to appoint employees who are familiar with the standard. Especially in case of standardized corporate applications, such as ERP systems, the experience and expertise of the users may lead to switching costs or even lock-in effects (Varian et al., 2005, p. 21).
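The diffusion curve and the direct network-effect loop described above can be made concrete with a small stock-and-flow simulation. This is an added illustration and not part of the dissertation's purely qualitative model: the Bass-type functional form and every parameter value are assumptions, while potential_adopters, adoption_rate, actual_adopters_ERP and attributes_of_ERP are the variable names used in the text.

```python
"""Stock-and-flow sketch of the diffusion loop with a direct network effect.

Added illustration: the functional form (Bass-type) and every parameter value
are assumptions; the source model is qualitative and specifies neither.
"""


def simulate_diffusion(market_potential, base_attractiveness, network_effect,
                       steps, dt=1.0):
    """Integrate actual_adopters_ERP over time with explicit Euler steps.

    market_potential    -- upper bound on adopters (initial potential_adopters)
    base_attractiveness -- attributes_of_ERP with no adopters yet (assumed)
    network_effect      -- gain in attributes_of_ERP at full market share (assumed)
    Returns the adopter stock per step (index 0 is the empty starting stock).
    """
    if market_potential <= 0:
        raise ValueError("market_potential must be positive")
    if base_attractiveness < 0 or network_effect < 0:
        raise ValueError("attractiveness parameters must be non-negative")
    if (base_attractiveness + network_effect) * dt > 1.0:
        raise ValueError("step too coarse: adoption could exceed the potential")

    actual_adopters = 0.0
    trajectory = [actual_adopters]
    for _ in range(steps):
        potential_adopters = market_potential - actual_adopters
        # Reinforcing loop: more adopters -> better attributes -> higher rate.
        attributes = base_attractiveness + network_effect * (
            actual_adopters / market_potential)
        # Balancing loop: the rate is capped by the remaining potential.
        adoption_rate = potential_adopters * attributes
        actual_adopters += adoption_rate * dt
        trajectory.append(actual_adopters)
    return trajectory


def time_to_share(trajectory, market_potential, share):
    """First step at which the stock reaches `share` of the market, else None."""
    for step, adopters in enumerate(trajectory):
        if adopters >= share * market_potential:
            return step
    return None


def peak_adoption_step(trajectory):
    """Step whose adoption rate (increment of the stock) is largest."""
    increments = [b - a for a, b in zip(trajectory, trajectory[1:])]
    return increments.index(max(increments))


if __name__ == "__main__":
    MARKET = 10_000  # constructed market size
    scenarios = {
        "no network effect": simulate_diffusion(MARKET, 0.01, 0.0, steps=200),
        "network effect": simulate_diffusion(MARKET, 0.01, 0.4, steps=200),
    }
    for label, traj in scenarios.items():
        print(label,
              "| peak adoption at step", peak_adoption_step(traj),
              "| half the market at step", time_to_share(traj, MARKET, 0.5))
```

Without the reinforcing loop the adoption rate is highest at the start and only decays; with it the rate first rises and then falls, which produces the S-shaped curve and an earlier point of half-market penetration.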

Learning and experience effects on provider side: Conversely, providers may

exploit users’ collected experience and their suggestions for further product

development. Moreover, they can gain experience (improved_knowledge) and

develop capabilities (Rosenberg, 1982) themselves in the course of service

provision, which can also be used for quality improvements (Fichman and

Kemerer, 1997, p. 1345). Furthermore, empirical studies show that in many

industry sectors unit costs can be reduced by an average of 20–30% with a

simultaneous doubling of output as a result of experience (Dutton and Thomas,

1984, p. 235). An ERP provider will also be able to realize some cost reductions

with growing demand, among other things, as a result of increasing experience

and specialization in data collection, data normalization and data analysis, as well

as through standardized contracts and volume discounts for the use of the network

infrastructure, which in turn can positively affect the adoption rate. Since building

knowledge and experience is time consuming, a delay must be taken into account

during modeling. In the case of time savings here, e.g., a first-mover advantage

may come into effect.

High fixed costs: Investments in building an IS infrastructure and the production

of information are usually associated with significant costs and uncertainty.

Information is an intangible good which continues to exist even with repeated use

and which can be quickly transported and consumed via media (Laudon and

Laudon, 2010). Thus, costs largely occur during the initial creation of

information, whereas reproduction and distribution cause very low marginal costs.

Once these sunk costs are realized, information providers can achieve significant

economies of scale with increasing dissemination of information (Arthur, 1996, p.

100). Economies of scale and capacity utilization are also a major selling point for

cloud computing (Armbrust et al., 2010).

While development, maintenance, and administration of ERP applications in form

of SaaS are carried out only once, the provider can quickly and inexpensively

make the application available to a variety of customers via the internet. The

customer, in turn, uses the application via the internet without owning it and pays

for its use, usually in the form of a subscription fee (Lehmann and Buxmann,

2009). The potential economic benefits of a software service from the customers’

perspective can be seen in the fact that companies can afford IT departments that

are not fully stretched with capacity limits that are designed for the maximum

usage (Armbrust et al., 2010). At different points in time and with fluctuating

demand a specialized and large software service provider can then achieve a

significantly higher utilization of data centers by means of statistical multiplexing

and virtualization technologies.

Moreover, additional economies of scale result from discounts for energy,

hardware, and bandwidth when operating very large data centers (Armbrust et al.,

2010). As shown in Figure 44, the capacity utilization of ERP providers increases

with an increasing number of users, which enables significant cost savings

(utilized_capacity_ERP). These gains may – for example, through investments in

improvements or price reductions – increase the relative advantage of the ERP

service which in turn promotes adoption and dissemination.

Social influences: Investments in enterprise software constitute adoption decisions, which bear uncertainty due to their specificity. Thus, potential users frequently turn to the observed product selection of prior adopters when searching for information and shaping preferences (positive_expectations_ofpotential_customers) (Bikhchandani et al., 1992). Such effects are important for internet-based goods and services for two main reasons: On the one hand, the complexity of the adoption decision resulting from the flood of data and information is reduced by means of selecting popular offerings. On the other hand, information about the preferences and decision behavior of third parties is more easily accessible in digital markets, due to, e.g., recommender systems and user experience (Duan et al., 2009, p. 23). Duan et al. demonstrate empirically that informational cascades have an increasingly positive impact on the adoption of lower ranking products (2009, p. 25). As opposed to network effects, informational cascades and social contagion (Angst et al., 2010) do not refer to the increase in economic benefits of the goods or services, but to the reduction of uncertainty. Since, in accordance with diffusion theory, particularly late adopters and laggards adopt only after advanced steps of dissemination (Rogers, 2003, pp. 284 f), a substantial time delay is to be expected here, too.

Economies of scope: If a provider is in a situation where it is more cost-effective

to market several products jointly, economies of scope or synergistic effects may

result (Panzar and Willig, 1981, pp. 268 ff). Often, these effects originate from

sharing common resources and the transfer of skills (Markides and Williamson,

1996, p. 340). Economies of scope on the consumer side are often referred to as

indirect network effects (Katz and Shapiro, 1985, p. 424). The benefit increase is

not a direct result of the relation between the actors of a network, but is rather

caused by the additional (further) development of complementary services due to

the increasing numbers of users. Today, sustainability benchmarks are primarily

based on published data which can be partly questioned in terms of their

reliability and objectivity and thus ultimately as regards their information value

(e.g. Chatterji and Toffel, 2010, p. 1163; Graafland et al., 2004).

Although the offers from established software vendors like SAP and Microsoft basically provide automated access to various information systems using appropriate application programming interfaces, in our case the data basis is also mostly provided by estimated “average” values. The comparison with the

industry average (average practice) is contrary to the principle of benchmarking

which inherently focuses on the best comparison partners (best practice) (Camp,

1989, p. 19). Furthermore, a superficial investigation and use of highly aggregated

and unverified data does not allow for an effective detection of performance gaps

in accordance with the objectives of SBM (Hervani et al., 2005). Overall,

providers of larger enterprise solutions appear superior compared to specialized

benchmarking service providers, since the latter must first develop interfaces for

greater automation with customer information systems. In addition, ERP and

SCM providers may, possibly in interaction with their own benchmarking

services, draw upon existing competencies in the design of business processes and

better ensure syntactic and semantic comparability of data (database_for_operational_and_sustainability_information). In doing so, the proportion of quantitative information for sustainability management can ultimately also be increased.

Self-reinforcing effect of an integrated ERP platform: As the figure illustrates, the

combination of an ERP on-demand system and a complementary service such as

the SBM leads not only to complementary effects on the sides of both providers

and consumers. Instead, the combination also leads to a complex positive

feedback effect that mutually intensifies the diffusion of ERP on-demand and

SBM services. A combined ERP and benchmarking application duplicates the

scale effects as both services are provided completely digitized. The reason is to

be found in very large data centers which lead to considerable cost savings when

purchasing hardware, network bandwidth, and power compared to medium-sized

data centers (Armbrust et al., 2010). Theoretically, any on-demand benchmarking

provider may operate very large data centers and thus ultimately achieve low unit

costs. However, this requires a sufficient workload to actually achieve the targeted

reduction in unit costs.

This is exactly where the integrated ERP and benchmarking on-demand provider,

which can start from an existing ERP customer base, achieves a systematic

advantage. It begins with a higher workload than a service without ERP basis. In

this way, the provider is able to share realized unit cost reductions with the

customers through reduced prices and to gain additional customers. Consequently,

the unit costs decrease with each additional benchmarking customer so that again

more customers are attracted through price reductions. Such an extreme unit cost

degression is not possible for a traditional provider since a saturation point is

quickly reached and additional customers again increase costs at some point.

6.3.3 Discussion

According to the analysis, running an ERP software service as an application

platform also appears profitable for other services that are based on ERP data in a

similar way as benchmarking services. Given the central importance of an ERP


system for corporate processes, the integration of applications requires a particular

accuracy (Benlian et al., 2009, p. 422). Applications, such as ERP systems and

benchmarking services, which have greater strategic importance and specificity,

should be offered by the platform provider. Due to its responsibility and liability

for the entire platform, this indicates more credibility for potential customers than

if offered by an individual complementary service provider. Such additional

applications would in turn lead to both a better utilization of computing capacity

and to a higher attractiveness of the offer for customers. In this context, it is

interesting for practice whether third-party providers similar to Apple’s App Store

should be approved, which consequences may result from the competition

between the applications on the platform, and thirdly, how they should be

positioned in regard to the platforms of ERP competitors. An answer to these

questions requires extending the presented model to competitors and intense

competition.

The admission of third-party providers makes it appear reasonable to evaluate the

impact on trust relationships. Since companies will not necessarily trust third-

party providers on a platform to the same extent as the ERP provider, trust

building measures such as reputation or isolation mechanisms, e.g., access

monitors (Schneider, 2000) or process analysis (Accorsi et al., 2011), must be

evaluated. In particular, the multi-party computation approach could play a central

role for this purpose (Yao, 1986) as this approach focuses on enabling the

comparison of data between systems without disclosing the data between these

systems. The threshold for participating companies to provide data would be

reduced significantly.

The increasing connection of objects to the Internet, such as cargo containers,

electricity and gas meters, or machines equipped with temperature, motion,

position, or moisture sensors, provides significant potential to further improve the

data base for SBM providers (Dedrick, 2010; Melville, 2010). Apart from direct

and detailed energy consumption that can be measured in an automated way,

precise tracking of containers and products allows for a more accurate

determination of CO2-emissions. However, the cross-company exchange and thus


the provision of these data for an SBM require information exchange

infrastructures which are so far only rudimentarily available. Finally, the

availability of better data will not necessarily lead to higher benchmarking quality

(Wiedmann et al., 2009). To account for a large number of comparison criteria,

such as cost, CO2-emissions, waste, or product units, appropriate procedures

should be used. Therefore, it is necessary to examine to what extent they are

already available.

6.4 Towards a confidential SBS

The preceding sections have demonstrated the benefits of proactive sustainability

management and sustainability benchmarking in particular. Multiple benefits

associated with sustainability benchmarking are summarized below (e.g.,

Björklund, 2010; Miakisz, 1999; Sarkis, 2010; Shaw et al., 2010):

• By tracing environmental impacts across the entire supply chain, sustainability benchmarking improves the accountability and transparency of an enterprise by fulfilling a cradle-to-grave perspective. It further allows measuring and communicating the improvements made and enables stakeholders to judge the level of responsibility of an enterprise.

• It identifies problem areas that might be overlooked and therefore provides opportunities to improve environmental and economic performance simultaneously.

• Comparisons within and between entire supply chains allow enterprises to choose suppliers according to sustainability criteria.

Although SBM is a promising approach of proactive sustainability management, it

faces a significant data input and information-sharing problem: The quantity and

availability of ecological data makes the benchmarking process very difficult to

execute today (Shaw et al., 2010). While typical challenges of benchmarking exercises, such as scope selection, time, commonly accepted indicators and cost (Shaw et al., 2010), are also relevant for sustainability benchmarking, cost and confidentiality, in particular, hinder sustainability benchmarking from wide use (Matthews and Lave, 2003).

The remainder of this chapter is structured as follows: The next section

describes the applied research approach. This is followed by a description of the

data input problem for sustainability benchmarking and the identification of

appropriate solutions to these data quality and quantity problems. A subsequent

literature survey reveals that there is, however, a lack of research on the

information-sharing problem. Finally, a solution for a secure sustainability

benchmarking service (SBS) is presented. The chapter ends with a discussion of

strengths and limitations for future research.

6.4.1 Research design

The problem which the remainder of this chapter tackles is the lack of data for sustainability benchmarking due to cost-intensive manual data collection and insufficient willingness to share information across organizations. The problem is addressed by using the well-known design science research approach (e.g., Hevner et al., 2004) to develop an IT artifact that enables enterprises to measure and compare sustainability performance in a confidential manner. Melville (2010) states that “design research is essential to developing innovative IS-enabled solutions to environmental problems and evaluating their effectiveness” (p. 8).

The design science methodology seeks to create IT artifacts that are intended to

solve specific organizational problems and provide rigorous evaluation of these

artifacts based on utility rather than an empirical test of theories. This

encompasses successive steps of problem identification, definition of objectives

for a solution, design or development of a suitable IT artifact, and demonstration

of the proof of concept, evaluation, and communication (Hevner et al., 2004).

Accordingly, the chapter first identifies the data input problem and its relevance

by screening the literature. This is followed by a discussion of proposed solutions

to this problem and the introduction of a hybrid model based on homomorphic

encryption and differential privacy in order to overcome the information-sharing


problem. Afterwards, functional and security objectives for the SBS are derived in

order to develop the corresponding method with an instantiation. The subsequent

section evaluates security using theoretical, cryptographic proofs, performance via

measuring a prototypical implementation, and functionality by comparing with

non-secure benchmarking initiatives. Security is established by rigorous cryptographic proofs: the proposed method is secure if the underlying encryption system is secure, and Paillier’s encryption is provably secure if the decisional composite residuosity assumption holds (Paillier). Performance is measured on a prototypical implementation, applying the statistically sound methodology of Georges et al. (2007). Functionality is then compared with non-secure benchmarking initiatives (e.g., SAP, 2011). Finally, the chapter discusses the proposed solution and highlights implications for business practice and further research.

The following section will firstly show that data capturing and data adaptation are

so costly because both are still mainly manual operations.

6.4.2 Automated data gathering

Regardless of which of the sustainability benchmarking types is to be conducted,

the relevant data first has to be gathered from the actor(s) and reference object(s)

before the benchmark is processed. ERP systems are considered as key in order to

automate the data capturing process (Funk et al., 2009). They provide the

necessary data such as consumption of energy, water and materials (Makrinou et

al., 2008) as indicated in Table 13 and, in this manner, they can be used as a basis

for sustainability performance evaluations such as the ISO 14000 series or environmental reporting such as the Global Reporting Initiative (Shaw et al., 2010).

Important sources of data based on ERP modules are bills of material and work

plans for the production processes. The integration of this data enables assigning

environmental impacts to the corresponding business objects.

Automating the process of extracting and processing the necessary environmental

data requires specific sustainability management applications that are integrated

into ERP systems (compare the previous sections). Such applications are not only


able to integrate management information including manufacturing, accounting,

or sales across an entire organization. They can also account for anthropogenic

material and energy flows occurring in production processes. This requires the

consideration of environmental impacts, for example in material management,

transport planning, or business process management.

Table 13: Data Collected and Indicators for SBM78

| Categories | Data Collected |
|---|---|
| Energy | Forms of energy; Annual consumption; Energy costs; Emissions |
| Water | Annual consumption; Costs of water; Effluent |
| Materials | Material used; Annual consumption; Material costs |
| Waste | Hazardous waste; Recycled waste; Disposal costs; Recycling revenues |
| Production | Production costs; Annual sales |

Sustainability Indicators: • Carbon productivity • Product Carbon Footprint • Percentage of recycled products • Eco-Efficiency • Transport intensity • …

78 From Kerschbaum et al. (2011).

Although the systematic and deep integration of sustainability management information systems and ERP systems is comprehensively discussed in IS (e.g., Funk et al., 2009), these conceptualizations and reference architectures have mainly prototypical status at best, and are not yet widely diffused in companies. Nevertheless, first experiences with business software solutions are promising. For instance, Butler (2011) reports time savings of more than 90% when an ad hoc evaluation of a product is calculated with SAP’s “Compliance for Product” compared to the still dominating manual spreadsheet solution. These significant savings in terms of working hours can be achieved when sustainability applications comprise widely accepted environmental compliance repositories and frameworks for reporting and management purposes (see Figure 45). Existing conceptual IS architectures often suggest the extension of the ERP data model by description rules (process libraries) to derive ecological transformations (Funk et al., 2009). Against the background of current research and development activities and the increasing number of software solutions on the market (Butler, 2011), it seems to be only a question of time before data input cost will no longer be prohibitively high.

Figure 45: Automating the Data Gathering Process79

79 From Kerschbaum et al. (2011).

6.4.3 Tackling the data heterogeneity and quality problem

Given a wide use of sustainability management applications that are integrated with ERP systems, the data input problem is still not completely solved. As sustainability benchmarking is an inter-organizational process, data gathering from various enterprises is faced with specific challenges (Hoffmann and Busch, 2008). ERP systems integrated with sustainability management systems, in principle, provide the necessary data. However, getting and making the data comparable and processable across different ERP and different sustainability

management systems requires interoperability, i.e., commonly accepted standards

on different layers. Otherwise, interoperability between applications across

enterprises needs time-consuming agreements on the business process level which

makes data gathering and adaptation very costly.

As mentioned above, current methodologies such as LCA or Carbon Footprint

demand a cradle-to-grave perspective. Therefore, the environmental impacts of

the upstream value chain must be determined, too. Today, the missing

sustainability data in the ERP systems (e.g., environmental impacts of the in-use

and end-of-life phases) has to be entered manually. Alternatively, it is replenished through external publicly available data sources like governmental statistical inventories, e.g., the US Environmental Protection Agency or the ELCD core data base of the European Commission (European Commission, 2011). These

data sets usually rely on “typical” descriptions of material and energy flows that

are often not up-to-date and rather estimated than measured (Chatterji and Toffel,

2010).

As previously shown, ERP on-demand systems provide a promising solution to

the data heterogeneity problem. If sustainability management applications are

integrated with such an internet-based ERP software service, the data basis for

sustainability benchmarks could be unified and all ERP on-demand customer data

would be comparable. Assuming that ERP customers give access to their data, the

use of the same ERP software service would widely solve the data heterogeneity

problem. Such ERP on-demand applications still have a low market share (Benlian et al., 2009). However, the ERP market leaders SAP and Oracle now

provide their own ERP on-demand solutions and the platform integration model,

in particular, is seen as an auspicious business model.

According to the previous system dynamics model, sustainability management

applications as independent software services are also an alternative to the

platform approach. On-demand providers could specialize in offering standardized

interfaces to a plethora of different ERP systems and sustainability management

information systems. Even though they are likely to gain a considerable market


share, enabling sustainability benchmarks by using the least common denominator between different applications comes at the price of quality losses: as the functionalities and semantics of different ERP systems differ, cost-intensive adaptations and compromises seem to be inevitable. However, recent market forecasts indicate that ERP on-demand platforms will become established on the market

(Gartner Research, 2014) and, in this way, the data heterogeneity problem for

sustainability benchmarking will be increasingly manageable for enterprises.

Matthews and Lave (2003) point out that sustainability benchmarking also

exhibits a considerable data quality problem. As soon as the data capturing for

several enterprises is automated though, the data reliability of sustainability

benchmarking is very likely to increase. This is because any data manipulation is

a serious intervention in automated processes. Consequently, the resultant costs of

data manipulation significantly rise compared to a world where Excel spreadsheets

are exchanged.

Hereafter, one more obstacle for sustainability benchmarking will be illustrated.

6.4.4 Unsolved information-sharing problem

When it comes to exchanging sensitive data across enterprises, mistrust and fear

of opportunistic behavior hinder collaboration. Research on inter-organizational

systems shows how reserved and cautious enterprises are still today when it

comes to the exchange of sensitive data (Kumar and Diesel, 1996; Saunders et al.,

2004). In order to track inter-organizational data in a reasonable granularity and

precision for holistic sustainability assessments, a collaborative exchange of

sensitive data like environmental impacts and sustainability indicators is

necessary (Elliot, 2011). Enterprises will view sustainability benchmarking very

critically, since competitors could simply imitate best practices or communicate

superior performance to customers (Brewer and Speh, 2001; Hervani et al., 2005).

Apart from competitors, enterprises also regularly do not trust their supply chain

partners and third parties (Saunders et al., 2004) and could, therefore, also fear

opportunistic behavior of their partners.


There are a number of techniques in computer science to share sensitive and

private data in a confidential manner. The underlying assumption is that trust in

organizations and people can be substituted through trust in a security mechanism

(cf. Anderson and Needham, 1995). First, there are anonymization and

randomization techniques, such as k-anonymity (Samarati and Sweeney, 1998)

and l-diversity (Machanavajjhala et al., 2007), which remove or blur information

so that it is no longer identifiable. Such techniques lower the accuracy and utility

of the data in favor of privacy (Brickell and Shmatikov, 2008) and clearly prevent

applications such as competitive benchmarking for supplier evaluation and

selection. When using input randomization it is not clear whether the necessary

accuracy even for an average computation can be achieved using reasonable client

population sizes (Bohli et al., 2010). Furthermore, most attempts at anonymizing

data have been later broken (e.g., Narayanan and Shmatikov, 2009).

Secondly, cryptography developed secure multi-party computation (SMC) (Ben-

Or et al., 1988; Goldreich et al., 1987; Yao, 1986). SMC substitutes computation

with a trusted third party by an interactive protocol which achieves the same

security properties as the fully trusted third party. An interactive protocol requires

the simultaneous on-line availability of all parties, including all client enterprises,

for each computation which is likely infeasible in our ERP outsourcing scenario,

since the probability of all parties being available is negligible in the number of

parties. We therefore leverage homomorphic encryption which allows non-

interactive computations on the plaintext using the cipher-texts only. Recently,

fully homomorphic encryption, which enables any computation on the plaintext,

has been introduced by Gentry (Gentry, 2009), but is currently still too inefficient

for practical application (Gentry and Halevi, 2011; Liu et al., 2010b).

Thirdly, trusted computing (Anderson, 2011) can be used to verify a computer's

software integrity. It has been designed to protect digital rights on personal

computers and its application to secure remote services is not yet clear.

Furthermore, it cannot verify a computer's hardware integrity which always

remains under the control of the service provider.


The subsequent parts of this chapter will introduce a solution for a sustainability

benchmarking service (SBS) addressing the lack of trust for information sharing.

For this, only additively homomorphic encryption (e.g., Paillier), which is limited to plaintext addition, will be extended in order to implement all necessary benchmarking functionality, including comparison.

6.5 Design of a confidential SBS

The secure sustainability benchmarking service (SBS) is a software-as-a-service

that integrates the sustainability data from multiple on-demand or on-premise ERP

applications and provides the business user with the three types of benchmarking:

benchmarking as aggregation, generic benchmarking, and competitive

benchmarking for supplier evaluation and selection.

1) Benchmarking as aggregation of data along the supply chain: To assess the sustainability performance of products or processes adequately, a comprehensive approach, such as LCA or Carbon Footprint, is desirable. This means, the value of LCA increases with the integrity of data collected from actors involved in the production process. If sufficient supply chain partners participate in the SBS, we then can compute and compare aggregated indicators for the entire supply chain or the final product item (Hoffmann and Busch, 2008).

2) Second, generic benchmarking is considered where a market actor compares its performance to its direct competitors (Spendolini, 1992). Using generic benchmarking, an actor can compare its performance, determine improvement potential, and initiate measures to close the gap to the competition.

3) As supplier selection also plays an important role in the greening of a supply chain, competitive benchmarking for supplier evaluation and selection will also be implemented, which provides a comparative overview of several market actors (Sarkis and Talluri, 2002).

We refer to an actor as an enterprise either represented by an ERP system

providing the necessary input or a business user accessing the sustainability

benchmarking reports.


6.5.1 Benchmarking types

The SBS must provide all three benchmarking types on the input data to enable

business users to compare and improve their performance. These functions must

respect the confidentiality requirements of the actors, but also implement the

benefit of collaboration for the actors. In the remainder of this section, the implementation of the benchmarking types is presented in detail, since we later need to reconcile them with the confidentiality objectives.

Benchmarking as aggregation. Consider the example of Carbon Footprint where the carbon emissions broken down to product items need to be aggregated along the supply chain. Assume we have collected the sustainability data of all actors of an entire supply chain. We can compute aggregated data for specific products. Let $x_{i,j}$ be a sustainability indicator, e.g., Carbon Footprint, for an item of product $i$ at actor $j$. From the meta-data, i.e., the bill of material, we can recursively compute an aggregate indicator $y_{i,j}$. Let $k \in M(x_{i,j})$ be the materials, $a_{k,i}$ be the number of units and $S_j(k)$ be the supplier of $k$ to actor $j$. Then it follows

$$y_{i,j} = x_{i,j} + \sum_{k \in M(x_{i,j})} a_{k,i} \, y_{k,S_j(k)}.$$

Aggregate indicators can be input to generic or competitive benchmarking.

Nevertheless, they require information from the entire supply chain as only

available in ERP systems.

Generic Benchmarking. In generic benchmarking, an actor $j$ compares its indicator $x_{i,j}$ to its peers. Peers are loosely formed groups of competitors offering

substitutable goods. Generic benchmarking can be used to judge one’s absolute

position for an indicator. It allows determining improvement potentials by

analyzing the absolute gap to the competition (Spendolini, 1992).

Due to data confidentiality requirements of the actors, the SBS cannot disclose

any actor-specific indicators. Instead, the SBS computes statistics about the peer

group and distributes these. Good candidates for a secure implementation are the mean $\mu$ and the variance $\sigma^2$. Let $i \in P$ be the set of products in a peer group and $S'(i)$ be the set of suppliers for product $i$. Then $\mu$ and $\sigma^2$ can be computed as:

$$\mu = \frac{1}{\sum_{i \in P} |S'(i)|} \sum_{i \in P} \sum_{j \in S'(i)} x_{i,j}$$

$$\sigma^2 = \frac{1}{\left(\sum_{i \in P} |S'(i)|\right) - 1} \sum_{i \in P} \sum_{j \in S'(i)} \left(x_{i,j} - \mu\right)^2$$

All statistics are published anonymously, i.e., except the peer group, no individual

identifiers are attached to the data.

Competitive Benchmarking for Supplier Evaluation and Selection. Competitive benchmarking can be used for supplier selection (Sarkis and Talluri, 2002). The evaluation of suppliers will usually be based not only on

sustainability criteria but also on traditional indicators, such as service levels,

prices, and responsiveness. Therefore, the supplier selection represents a multi-

attributive decision-making problem which requires a ranking of actors using

weighted indicators. A wide range of powerful decision-making approaches has

been proposed, e.g., Analytic Hierarchy Process or Data Envelopment Analysis

(Ho et al., 2010) which are also applied in sustainability performance

measurement and life cycle assessment (Pineda-Henson et al., 2002; Zhou et al.,

2008). Such a required weighted indicator $z_{i,j}$ is similar to an aggregated indicator.

The weights are public, such that all actors are aware of the scoring mechanism.

We chose fixed weights, since user-set weights may allow inferences about the

indicators. While user-set weights per se are not a problem – as long as they are

fixed –, the user’s choices must be rate-limited, i.e., he must be restricted to

perform at most a fixed number of weight updates per period. Balancing the rate

of updates and the implied inferences about private indicators is very delicate and

in order to avoid this issue we chose fixed, public weights.

Let $w_y$ be the weight for indicator $y$ and $Y$ be the set of indicators. Then we obtain

$$z_j = \sum_{y \in Y} w_y \, y_{i,j}.$$


The result of the competitive benchmarking is a ranking of actors from best to

worst, i.e., it is not anonymous. Instead, no numerical data except the rank is

released.

6.5.2 Security objectives

A necessary objective of the SBS is to provide security of the sustainability

indicators (despite providing the types of benchmarking reports). As seen in

Section 6.4.3 it is required for the uptake of benchmarking by the market. The

main security objective is confidentiality of the indicators, i.e., no party other than

the source of the indicator should be able to learn its value. For this, two distinct

confidentiality objectives have to be distinguished:

Confidentiality During Processing. The SBS itself should not learn the indicator

values when computing the benchmarking reports. Instead, it should remain

oblivious to the values. The SBS should not be entrusted with the indicator values.

First, the actors may not trust the SBS provider to use the indicators only for the intended purposes. Second, the SBS may not want to carry the burden of securing such sensitive data. The collected storage may make the SBS an attractive target for hackers. Third, if the SBS can be implemented adhering to these security objectives, there is no reason not to do so. Nevertheless, we trust the SBS not to collaborate with individual actors on espionage of competitors.

Confidentiality Given Results. While confidentiality against the SBS is

necessary, it is not sufficient. Even given the results of the benchmarking reports,

the actors should not be able to discern additional information about another

actor’s indicator values. While this is not critical for competitive benchmarking,

which only releases the ranking of the actors, this can be difficult in generic

benchmarking where the actors learn statistics about the indicator values. These

statistics should disclose only limited information about a specific actor’s

indicator. The features and benefits of the SBS are summarized in Table 14.


Table 14: Features and Benefits of SBS

| SBS Features | Benefits |
|---|---|
| Confidentiality During Processing | • No trust in service provider necessary • Simplified data management at service provider |
| Confidentiality Given Results | • Collaborative Benchmarking functionality • Controlled leakage to competitors |

6.5.3 Implementation

The implementation of the security objectives of the SBS uses two mechanisms:

(1) homomorphic encryption and (2) differential privacy. The choice can be

explained as follows. There are essentially two methods for providing

confidentiality during processing: homomorphic encryption and SMC.

Homomorphic encryption has the advantage that the computation can be

performed non-interactively as opposed to an interactive protocol. This allows us

to maintain the usual service communication pattern of submitting input and then

receiving the result. Among all methods to provide confidentiality given results,

differential privacy is the first that is independent of the previous knowledge of

the adversary. This allows us to design the SBS without making any assumption

about the knowledge of actors about each other’s indicators. Each indicator is

stored encrypted at the SBS. The data are processed in encrypted form computing

the three types of benchmarking reports. Subsequently, the results will be

prepared using differential privacy, if needed.

Homomorphic Encryption. Homomorphic encryption is an encryption technique

that allows certain operations on the cipher-texts mapping to homomorphic

operations on the plaintexts. Specifically, we use Paillier’s encryption scheme

(Paillier). Paillier’s encryption scheme allows the addition (modulo a key-

dependent constant) of plaintexts using the cipher-texts only. Let E(x) denote the

encryption of plaintext x and D(c) the decryption of cipher-text c. Then we can

compute:

$$D(E(x) \cdot E(y)) = x + y.$$

With simple arithmetic the following formula can be derived

$$D(E(x)^{y}) = x \cdot y$$

Paillier’s encryption scheme has several other interesting properties. First, it is a

public-key scheme, i.e., one can encrypt without being able to decrypt. Second, it

is proven secure against chosen plaintext attacks. Loosely speaking, an adversary

cannot distinguish any two cipher-texts, even if he knows the plain-texts. Third, it

can be implemented reasonably efficiently. Its performance is comparable to the

popular RSA encryption scheme.

Key Management. Key Management is critical for any encryption scheme. We

share the public key among all actors and the SBS, i.e., every party can encrypt

and perform homomorphic operations on the cipher-texts. We then offer two

choices for managing the private key. In the simple case each actor has access to

the same private key. Of course, this private key needs to be safeguarded, e.g., by

safely embedding it in the software. In the complex case, the key is shared among

several participants. We can use Damgård and Jurik’s variant of Paillier’s

encryption scheme (Damgård and Jurik, 2001) in order to facilitate the decryption

process without reconstructing the key first. It is a threshold scheme, i.e., any t out

of n actors can jointly decrypt a ciphertext.

Differential privacy. Differential privacy is a technique for protecting against

leakages from results of statistical functions (Dwork, 2006). It guarantees that the

difference in the probability of an output between two data sets differing in just

one element is at most a factor of e^ε. Then, the probability of successfully

deciding whether an actor’s data is in the set or not becomes negligible in ε. One

can achieve ε-differential privacy in any statistical function f by adding Laplacian

noise proportional to the maximum difference ∆f any element can cause in the result.

An ε-differential private function f’ is then

$$f'(x) = f(x) + \mathrm{Lap}(\Delta f / \varepsilon),$$

where Lap(∆f/ε) is drawn from the symmetric exponential distribution with

standard deviation ∆f/ε.

Determining the impact on utility of differential privacy is multi-faceted. First, the

usefulness of the results depends on the usage of the results which can only be

assessed in a particular application context. Second, there are a number of

parameters that influence the distribution of random noise. There is the parameter

∆f which is computed as the fraction of the size of the domain of the indicators

over the number of peers in the group. Then one can also choose the privacy

parameter ε. This choice should be made according to the sensitivity of the

indicators. Using this parameter, we can provide exemplary calculations: For an

indicator domain size of 16 bits (indicator values ranging between 0 and 65535), a

peer group size of 50 and a privacy parameter of ε = 0.33, the random noise is in

the range [-6392, 6392] (less than 19.5% deviation from the expected mean) with

80% probability and in the range [-9144, 9144] (less than 27.9% deviation from

the expected mean) with 90% probability.
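The exemplary calculation above can be reproduced by inverting the Laplace distribution function. The following Python sketch is an added example, not part of the thesis or its prototype: it treats ∆f/ε as the Laplace scale parameter and assumes a domain of 65536 values with the expected mean at the middle of the domain (all function names are illustrative). It reproduces the quoted 80% interval and lands within two units of the quoted 90% bound.

```python
import math
import random

def sensitivity_of_mean(domain_size, peers):
    """Delta-f as the text defines it: indicator domain size over peer-group size."""
    return domain_size / peers

def noise_bound(scale, probability):
    """Bound t with P(|Lap(scale)| <= t) = probability (Laplace CDF inverted)."""
    return -scale * math.log(1.0 - probability)

def sample_laplace(scale, rng):
    """Zero-mean Laplace sample as the difference of two exponential samples."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def private_mean(values, domain_size, epsilon, rng):
    """f'(x) = f(x) + Lap(delta_f / epsilon) for f = mean of the peer group."""
    scale = sensitivity_of_mean(domain_size, len(values)) / epsilon
    return sum(values) / len(values) + sample_laplace(scale, rng)

def empirical_coverage(scale, bound, trials, rng):
    """Fraction of sampled noise values that fall inside [-bound, bound]."""
    hits = sum(abs(sample_laplace(scale, rng)) <= bound for _ in range(trials))
    return hits / trials

def utility_table(domain_size, peer_sizes, epsilons, probability=0.8):
    """Noise bound, absolute and relative to the expected mean, per (peers, epsilon)."""
    expected_mean = (domain_size - 1) / 2  # assumption: midpoint of the domain
    rows = []
    for peers in peer_sizes:
        for eps in epsilons:
            scale = sensitivity_of_mean(domain_size, peers) / eps
            bound = noise_bound(scale, probability)
            rows.append((peers, eps, round(bound),
                         round(100 * bound / expected_mean, 1)))
    return rows

if __name__ == "__main__":
    # Constructed sweep: smaller groups or smaller epsilon mean noisier reports.
    for row in utility_table(65536, [10, 50, 200], [0.1, 0.33, 1.0]):
        print("peers=%d eps=%.2f  80%% bound=+/-%d  (%.1f%% of expected mean)" % row)
```

The sweep shows the trade-off the paragraph describes: the noise bound shrinks linearly with the peer group size and with ε.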

System architecture. Our SBS operates non-interactively on the encrypted input

by the ERP systems of the actors. It then computes the benchmarking reports on

this encrypted data and reports the results to the business users of the actors, i.e.,

our SBS never has access to the unencrypted sustainability data. Information

sharing across the supply chain – either on the product or item level – is

accomplished via ciphertexts encrypted under the same public key. The SBS can

aggregate these ciphertexts without granting the actors access to these

ciphertexts, but only the aggregated indicators. No indicator value ever leaves

an actor-controlled ERP system (be it on-demand or on-premise) in plaintext. The

actors can therefore be assured that their data are not abused and the SBS provider

may not need to implement certain additional safeguards, such as file system or

hard disk encryption, for this data – presuming customer acceptance. A picture of

this system architecture is shown in Figure 46. Next, we describe how we can

implement the benchmarking report computation on encrypted data.

Figure 46: SBS system architecture

Aggregation. We can now describe our implementation of the three benchmarking

types while meeting the confidentiality objectives using homomorphic encryption

and differential privacy. For ease of exposition we use a different

denotation of the indices in this section. Let x_i be indicators stored at the SBS.

Recall that each indicator is stored encrypted as E(x_i). Let w_i be the weights for

each indicator. We can then compute an aggregated indicator y as

$$E(y) = \prod E(x_i)^{w_i} = E\left(\sum w_i \cdot x_i\right).$$

The same computation can be used for weighted indicators in competitive

benchmarking. Note that the result is encrypted and can only be used as such in

further processing.

Statistics. We first consider the generic benchmarking. For computing the mean µ,

we emphasize that the number n of actors in a peer group is known from

competitive benchmarking where a ranking is computed. So we can compute the

product-sum nµ instead. Furthermore, we now need to take care of differential

privacy, since we need to protect against inferences from the statistical quantity

itself. We therefore choose a random noise. Let d = max(x_i) – min(x_i) be the

domain-size of the indicators. Then we compute

$$E(n\mu) = E(\mathrm{Lap}(d/\varepsilon)) \prod E(x_i) = E\left(\sum x_i + \mathrm{Lap}(d/\varepsilon)\right).$$

The result of this computation can be sent to the actors where it is decrypted, i.e.,

the SBS never learns the results of its computations. It only stores the data,

performs the computation and provides the (encrypted) results to the actors. We

can perform a similar computation for the variance. We first note that the variance

can be computed from the power sums

$$\frac{n \sum x_i^2 - \left(\sum x_i\right)^2}{n^2}$$

We note that the actor has already received E(nµ) and knows n. We therefore need

to only send the (ε-differential private and encrypted) second power sum S2. We

store the (encrypted) square x_i^2 for each indicator x_i at the SBS and compute

$$E(S_2) = E(\mathrm{Lap}(d^2/\varepsilon)) \prod E(x_i^2) = E\left(\sum x_i^2 + \mathrm{Lap}(d^2/\varepsilon)\right)$$

The (encrypted) second order moment is sent to the actor which can decrypt it and

compute the variance. The (encrypted) square can be submitted to the SBS along

with the encrypted indicators. The SBS maintains them in the same database of

ciphertexts.

Comparison. For competitive benchmarking we need to compare encrypted

(weighted) indicators. This is challenging, since additively homomorphic

encryption, such as Paillier’s encryption, does not directly support this operation.

Instead, we can use the technique of (Kerschbaum et al., 2009), which operates on

such data directly. It leaks information proportional to the bit length of the

plaintext, but nothing else. It works as follows: Choose a large random number r

> 0 (at least three times the bit length of d). Then choose a second random

number r’, such that 0 ≤ r’ < r. Given two indicators x_i and x_j we compute a

comparison operand c as

$$E(c) = \left(E(x_i) E(x_j)^{-1}\right)^{r} \cdot E(r') = E\left(r (x_i - x_j) + r'\right)$$

This comparison operand c can now be sent to an actor which decrypts it. It holds

that

$$c < 0 \Leftrightarrow x_i < x_j,$$

but reveals nothing else about x_i or x_j. Using this comparison operation we can

implement a ranking of actors. Let x_i (1 ≤ i ≤ n) be the set of (weighted) indicators

of the peer group. Then we compute a comparison operand c_ij for each pair x_i and

x_j (1 ≤ j ≤ n). Note that if c_ij ≥ 0 and c_ji ≥ 0, then x_i = x_j. We send all comparison

operands to the actor for decryption, which can then compute the ranking.
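The aggregation, statistics and comparison steps described above can be traced end to end in a few lines of Python. This is an added example, not the thesis's Java prototype: it uses textbook Paillier with g = n + 1, a deliberately tiny demo modulus built from two Mersenne primes, integer-rounded noise and illustrative function names, all of which are assumptions.

```python
import math
import random
import secrets

# Demo-only modulus from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1

def keygen(p=P, q=Q):
    """Return (n, (lam, mu)): public modulus and private key for g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    assert math.gcd(n, lam) == 1
    return n, (lam, pow(lam, -1, n))

def encrypt(n, m):
    """E(m) = (1 + m*n) * r^n mod n^2 with a fresh random r."""
    r = 0
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + (m % n) * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, priv, c):
    """D(c), decoded as a signed value in (-n/2, n/2]."""
    lam, mu = priv
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m

def h_add(n, c1, c2):
    """E(x) * E(y) = E(x + y)."""
    return c1 * c2 % (n * n)

def h_scale(n, c, k):
    """E(x)^k = E(k * x); a negative k is reduced mod n."""
    return pow(c, k % n, n * n)

def weighted_sum(n, cts, weights):
    """SBS side: prod E(x_i)^(w_i) = E(sum w_i * x_i)."""
    acc = encrypt(n, 0)
    for c, w in zip(cts, weights):
        acc = h_add(n, acc, h_scale(n, c, w))
    return acc

def laplace_int(scale, rng):
    """Integer-rounded Laplace noise (rounding is an assumption of this sketch)."""
    return round(rng.expovariate(1 / scale) - rng.expovariate(1 / scale))

def noisy_sum(n, cts, noise):
    """SBS side: E(noise) * prod E(x_i) = E(sum x_i + noise)."""
    return h_add(n, weighted_sum(n, cts, [1] * len(cts)), encrypt(n, noise))

def variance_from_power_sums(count, s1, s2):
    """Actor side: variance from the decrypted first and second power sums."""
    return (count * s2 - s1 * s1) / count**2

def comparison_operand(n, ci, cj, bits=16):
    """SBS side: E(c) = (E(x_i) * E(x_j)^-1)^r * E(r') = E(r*(x_i - x_j) + r')."""
    r = secrets.randbits(3 * bits) | (1 << (3 * bits - 1))  # large r > 0
    r_prime = secrets.randbelow(r)                           # 0 <= r' < r
    diff = h_add(n, ci, h_scale(n, cj, -1))
    return h_add(n, h_scale(n, diff, r), encrypt(n, r_prime))

def sbs_operands(n, cts):
    """SBS side: one encrypted comparison operand per ordered pair (i, j)."""
    k = range(len(cts))
    return {(i, j): comparison_operand(n, cts[i], cts[j])
            for i in k for j in k if i != j}

def actor_rank(n, priv, operands, size):
    """Actor side: c_ij < 0 <=> x_i < x_j, so count the peers each index beats."""
    beats = [0] * size
    for (i, j), c in operands.items():
        if decrypt(n, priv, c) < 0:
            beats[j] += 1
    return sorted(range(size), key=lambda i: -beats[i])

if __name__ == "__main__":
    n, priv = keygen()
    xs = [1200, 40000, 65535, 40000]          # constructed 16-bit indicators
    cts = [encrypt(n, x) for x in xs]
    sq = [encrypt(n, x * x) for x in xs]      # actors also submit E(x_i^2)
    rng, d, eps = random.SystemRandom(), 65535, 0.33
    s1 = decrypt(n, priv, noisy_sum(n, cts, laplace_int(d / eps, rng)))
    s2 = decrypt(n, priv, noisy_sum(n, sq, laplace_int(d * d / eps, rng)))
    print("noisy mean:", s1 / len(xs))
    print("noisy variance:", variance_from_power_sums(len(xs), s1, s2))
    print("ranking, best first:", actor_rank(n, priv, sbs_operands(n, cts), len(xs)))
```

Only functions marked "Actor side" touch the private key; everything on the SBS side works on ciphertexts and the public modulus alone.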

6.6 Analysis and evaluation

All security objectives of the SBS are met and the computation of the three

benchmarking types succeeds. Regarding confidentiality during processing, it can

be noted that all stored and processed indicators by the SBS are encrypted. They

are submitted to the SBS as ciphertexts and later processed. Regarding

confidentiality given results, one can note that all revealed numerical values are ε-

differential private. The actors only learn ε-differential private statistics in generic

benchmarking and secure comparison operators in competitive benchmarking. In

summary, both security objectives are met by the SBS.

Performance. Performance remains a critical aspect for encrypted computations.

A single arithmetic operation in fully homomorphic encryption can take up to an

hour (Gentry and Halevi, 2011; Liu et al., 2010b), rendering enterprise-size

computations infeasible. This approach therefore uses only partially homomorphic

encryption, which has performance comparable to regular public-key

cryptography. Nevertheless, measurements are necessary in order to size the

computational resources. Furthermore, although many of our computations can be

performed off-line, some are tied to user interaction, such as decryption.

Additionally, benchmarking information is supposed to be available for a

proactive sustainability management at the time when decisions are made

(Matthews and Lave, 2003). Besides the customers, an SBS provider also has a

strong interest in keeping computing time as low as possible: the less computing

time needed, the lower the capital costs of computing. The performance of

operations is therefore critical for market acceptance of the SBS.

A benchmark of a prototypical implementation of the SBS is provided. The use

case is considered for one single indicator which may be either for a single

product or a single item and also may be either computed cross-company or intra-

company. The system scales linearly with the number of such indicators only. We

focus on the most performance-critical operation of competitive benchmarking.

We distinguish three phases: weighted indicator preparation, comparison operand

computation, and decryption. Weighted indicator preparation and comparison

operand computation are performed off-line by the SBS provider while decryption

is performed by each actor on-line. We can solely focus on the computational

performance, since our entire SBS operates non-interactively. The encrypted

indicators are submitted and – either on request or off-line – the benchmarking

reports are computed, i.e., the computational performance is the decisive factor for

our SBS.

All computations were performed single-threaded on a 2.4 GHz Intel Xeon

processor with 64 GB of memory. Java SDK 1.6 was used. We report the mean

and 99% confidence interval of 20 experiments. We used a 1024-bit RSA key for

the encryption. We depict the runtime in seconds of each of the three operations in

Table 4. Weighted indicator preparation (Aggregation) grows linearly with the

number of input indicators while the comparison operand computation

(Comparison) and decryption (Decryption) grow quadratically with the number of

actors in the peer group.

We can compare our performance results to fully homomorphic encryption and to

some extent to standard public-key encryption. For a peer group size of n and a bit

length l of the indicators, we need roughly 5l(n-1) gates for aggregation (without

any weights) and 5l(n log_2 n) gates for comparison. We obtain circuit sizes for

n=10 (our smallest peer group size) and l=32 bits of 1440 gates and 12800 gates,

respectively. Using the implementation results of Gentry and Halevi (2010) for a

realistic key size of 32768 and assuming 30 gates per re-encryption operation, we

can estimate the performance of fully homomorphic encryption to be roughly 24

hours for aggregation and 220 hours for comparison, respectively. Compared to

our results measured in seconds, this is a factor of more than 50,000. Standard

public-key encryption cannot implement aggregation or comparison, so we can

only compare decryption. Decrypting a single value in the homomorphic

encryption scheme takes approximately 0.024 seconds. Decrypting a single value

in standard RSA encryption with the same key length takes approximately 0.0045

seconds. This small factor of 5 is not surprising, since both encryption schemes

use the same key generation algorithm, but homomorphic encryption operates in

the double field size.

Table 15: Performance results in seconds

| Peer Group Size | Aggregation Mean | Aggregation 99% CI | Comparison Mean | Comparison 99% CI | Decryption Mean | Decryption 99% CI |
|---|---|---|---|---|---|---|
| 10 | 0.47 | ±0.003 | 11.19 | ±0.043 | 2.16 | ±0.003 |
| 20 | 0.94 | ±0.003 | 47.10 | ±0.033 | 9.10 | ±0.005 |
| 30 | 1.42 | ±0.005 | 107.82 | ±0.112 | 20.83 | ±0.005 |
| 40 | 1.89 | ±0.005 | 193.14 | ±0.137 | 37.35 | ±0.006 |
| 50 | 2.36 | ±0.006 | 303.21 | ±0.180 | 58.65 | ±0.008 |

6.7 Discussion

The starting point of this exploration has been the observation that sustainability

measurement and management is increasingly used to improve not only

sustainability but also productivity. As the automation of the data capturing

process is the necessary condition in order to overcome today’s expensive manual

data gathering, IS research comprehensively addressed this so-called data input

problem of sustainability benchmarking. Concretely, the focus has so far been on

the integration of sustainability management information systems and ERP

systems within an enterprise. As shown in the previous parts of the chapter, a

wide use of sustainability applications integrated with ERP systems at enterprise

level is likely to improve the quantity and availability of digital environmental

data.

However, the data input problem is still not completely solved: sustainability

benchmarking as a more and more inter-organizational process requires data

gathering from various enterprises. Thus, getting and making the data comparable

and processable across different ERP and different sustainability management

systems is very costly. This chapter has argued that a sustainability benchmarking

service integrated in an ERP on-demand platform can overcome this data

heterogeneity problem. The second part of this chapter has identified an additional

information-sharing problem as part of the inter-organizational data input problem

and has finally proposed a secure sustainability benchmarking service (SBS) as

solution.

The research contribution of this chapter is twofold: it has identified an inter-

organizational dimension of the data input problem as a yet underrepresented

research area. In spite of its importance for sustainability benchmarking, there has

been only little research into this question so far. Sustainability benchmarking as a

management tool aims to identify sustainability performance gaps between

business objects for facilitating continuous improvement and organizational

learning. All three sustainability benchmarking types that have been discussed –

benchmarking as aggregation of data along the supply chain, generic, and

competitive benchmarking – are based on real and precise data for the first time –

instead of rough estimates or obscure reference enterprises usually used.

Consequently, the validity of aggregated indicators such as LCA or Carbon

Footprint for the entire supply chain or the final product item is supposed to

significantly increase.

Besides the data heterogeneity problem, this chapter has also identified and

analyzed an information-sharing problem. This is likely to prevent a wide use of

sustainability benchmarking – even if the data heterogeneity problem is solved.

Based on a discussion about several techniques in computer science to exchange

sensitive data in a confidential manner, this crucial hurdle for inter-organizational

sustainability benchmarking services has been tackled by developing a secure

sustainability benchmarking service (SBS). It uses homomorphic encryption to

protect the data during processing and differential privacy to protect against

leakages from the reports. The SBS has been implemented and the measurements

show that the performance is manageable for the business user as well as the

service provider.

The proposed security solution in the scope of an integrated ERP platform

primarily aims to solve the information-sharing problem of sensitive data known,

for instance, from business relationships in supply chains. Using the SBS,

enterprises can give a benchmarking service provider access to the relevant data

without the risk of revealing this sensitive data to other enterprises. Enterprises

then have to trust their provider’s security mechanisms instead of building

trustworthy relationships to the provider over time. However, this chapter not only

sees the security mechanism as a key element for a widespread use of automated

sustainability benchmarking services. Additionally, it could help ERP platform

providers to faster reach the critical mass of customers for utilizing self-

reinforcing effects of an ERP on-demand platform as proposed in the first part of

the chapter.

SBS that are integrated into ERP on-demand platforms are supposed to

significantly decrease the cost of gathering environmental data. So far, however,

as there are several competing platforms and supply chain partners use different

ones, there will remain considerable coordination costs: Ensuring interoperability

between different data formats and semantics of different ERP applications might

even outweigh the cost benefits of the ERP on-demand platforms.

With regard to its practical application, this conceptual SBS supports business

professionals in both discovering and evaluating possible applications in a

systematic way, which extends beyond juxtaposing concrete application

examples. Concretely, an SBS will enable procurement managers to base their

decisions on more accurate (unbiased) environmental data. In this context, we

work on a modified algorithm for applicability of advanced non-parametric

benchmarking methods such as DEA (Data Envelopment Analysis, for more

details see Hammerschmidt, 2005).

The holistic cross-organizational assessment of environmental impacts provided

by the SBS may encourage supply chain managers to rethink inventory and

response management: collaborative optimization of sustainability performance of

several actors within the value chain becomes much easier. This might pave the

way for realizing a more sustainable supply chain management. Finally, results

derived by the sustainability benchmarking service may also encourage corporate

sustainability officers or board members in their decision to defend superior

sustainable performance or to make up the gap in case of inferior performance.

6.8 Concluding remarks

Is there a solution to the information-sharing problem in the scope of inter-

organizational sustainability benchmarking? Based on chapter 6’s findings, the

answer to that question is yes: The proposed IT artifact, the secure sustainability

benchmarking service (SBS), integrates ERP sustainability data in a secure and

privacy-preserving manner. It uses homomorphic encryption to protect the data

during processing and differential privacy to protect against leakages from the

reports. The implementation of the SBS and the measurements show that the

performance is manageable for the business user as well as the service provider.

As the underlying assumption is that trust in organizations and people can be

substituted by trust in a security mechanism, the next step in the future is to build a

prototype with industry partners in order to evaluate the SBS in a real

environment. The current study offers a first step toward this goal.

7 Outlook and Conclusion

There are various topics and open research challenges that are out of the

dissertation’s scope. Consequently, this chapter firstly concludes this dissertation

with a summary of the results and contributions. Upon the discussion of the

results, the chapter draws theoretical and managerial implications and, finally,

suggests directions for future research.

7.1 Summary and main results

Sustainability is one of the most important challenges for organizations. For

example, the growing impacts of climate change affect the global economy highly

unpredictably. Moreover, our interconnected and interdependent world reinforces

the emergence of high-complexity and the exponential pace of change. Today,

organizational decision makers need to learn how to navigate through volatile,

uncertain, complex and ambiguous (VUCA) environments. This

dissertation presents a “resilience perspective” as a complementary approach to IS

risk and sustainability management, which explicitly recognizes the unpredictable

and turbulent business reality.

Despite the growing spread of resilience across multiple disciplines, a number of

open research issues remain. These encompass conceptual and definitional

vagueness of resilience, a lack of empirical research and a lack of applicable

(organizational) solutions and IS-artifacts to bring resilience into action.

Accordingly, this dissertation project outlined a research agenda at the intersection

of organization science, information systems and computer science. Therefore, the

thesis articulated several research questions and offered novel perspectives to help

address them. Concretely, the investigations undertaken allow answers to the initial

research questions (RQ):

RQ1: “How does resilience manifest itself across multiple disciplines?” To

answer this question, Chapter 2 firstly provides a comprehensive literature

review of resilience scholars from different disciplines. Based on these

observations, a Multidisciplinary Resilience Framework is developed that allows

for a categorization of four generic resilience types based on the two dimensions

(1) level of complexity, and (2) degree of normativity.

Based on the aforementioned findings, the thesis has begun to concentrate on the

investigation of resilience in organization studies. This led to the following

research question: RQ2: “How does resilience relate to other organizational

factors? More precisely, what are determinants and antecedents of organizational

resilience?” In order to “untangle the underlying puzzle of organizational

resilience and its related concepts” (Chapter 1, p.9), Chapter 3 has started with a

descriptive bibliographic analysis to identify the current state of the art of

resilience research in organization science. It has been found that organizational

research on resilience lacks a common understanding of resilience by applying

very different, and even contrasting definitions of resilience. These findings have

initiated the development of an Organizational Resilience Matrix that consists of

two dimensions (1) degree of turbulence, and (2) state of adaption. The result of

the matrix is not limited only to the identification of the four distinct types of

organizational resilience: Prevention and Absorption, Restoration, Strategic

Agility, and Robust Transformation and Renewal. Moreover, the framework

further provides suggestions regarding key actors, design strategies, and attempted

outcome for the corresponding resilience type.

On this basis, the dissertation has attempted to answer RQ3: “How can resilience

be translated to the principles and measurements of organizations and IS?”. To

answer this question, Chapter 4 has established an initial link between resilience

research and the IS research field. Based on prior observations of Chapter 3 and

the resilience engineering literature, the chapter introduces the notion of resilience

management as a complementary approach to prevailing security- and risk

management approaches. This has been followed by an illustration of limitations

of current approaches in IS risk and security management. Moreover, a

comprehensive review of the still immature IS resilience literature has been

concluded with a scientific-programmatic view of the upcoming research

questions in this area. Regarding the measurement issues, Chapter 3 has already

begun to introduce initial ways to operationalize resilience in an organizational

context, such as the “four resilience factors” and the related “resilience delta”

(Sub-section 3.2.3.1). However, these measures remain on a high-level of

abstraction and fail to explicitly address the research question. In contrast, this

dissertation answered this question tentatively by providing a list of concrete

measures for process-oriented resilience detection and assessment. While the list

of metrics and indicators - provided in Chapter 5 - is clearly not exhaustive, it has

allowed for the development of a measurement framework for resilient BPM in

Sub-section 5.3.2. Consequently, this developed measurement approach can be

used as a foundation for the design of resilience management information systems

(RMIS). More concretely, the proposed measurement framework is integrated in

PREDEC, a novel approach for process-oriented resilience management.

These works have provided the basis to tackle the next research challenge: RQ4:

“What are fundamental requirements for resilient BPM design? And what tools

and approaches are applicable to support and enhance IS (respectively BPM)

resilience?” Chapter 5 not only surveyed past research efforts regarding the

design of RMIS but also presented “Process-Centered Resilience Detection”

(PREDEC), a detective framework to assert the resilience of business process-

based management (BPM) systems. PREDEC has captured functional and

non-functional requirements for operational resilience support in the phases of

detection and diagnosis. This encompasses requirements regarding event-logs,

elicitation techniques, and analytical tools for detecting and assessing resilience of

business-processes. Moreover, in order to validate the feasibility of PREDEC, a

case study has been carried out to quantify the resilience of workflows based on

timely and accurate estimations of completing times. The proposed IT artifact has

shown that an automated assessment tool for BPM resilience can support decision

makers along the whole operational resilience management cycle in multiple

ways: for instance, the quick and accurate provision of information enhances both

the resourcefulness and rapidity of an information system. Moreover, the

proposed method enables process engineers to re-calibrate and re-design given

workflows in a more cost-efficient and target-oriented manner.

While the previous research questions focused on resilience and decision support

within the boundaries of an organization, the last research challenge has addressed

the applicability of IS for inter-organizational decision-support. Hence, Chapter 6

has attempted to answer the following question: RQ5a: “What is the economic

rationale for organizations to participate in sustainability benchmarking?”

Accordingly, the last chapter has thoroughly surveyed the problem-domain of

Green IS and sustainability benchmarking in particular. Moreover, a system-

dynamics-model has been developed to analyze economic incentives for those

enterprises that rely on ERP on-demand solutions to participate in sustainability

benchmarking (SBM). Based on the results of the model, a number of positive

feedback-loops have been identified, which explain and substantiate how SBM (1)

can contribute to the success of ERP-on-demand platforms, and (2) how service

users can take advantage of cross-organizational comparisons.

However, despite multiple benefits related to SBM for organizations, significant

data input and information-sharing problems remain, leading to the additional

research question RQ5b: “What are functional and security objectives to make

confidential information-exchange feasible?” Accordingly, the sixth chapter has

first identified the data input problem and its relevance by screening the literature.

This has been followed by an analysis of prevailing solutions to this problem. In

order to address the research question, this dissertation has further presented

another IT artifact, namely a secure sustainability benchmarking service (SBS) to

overcome the information-sharing problem. A hybrid model based on

homomorphic encryption and differential privacy constitutes the SBS. The chapter

has derived functional and security objectives for the SBS in order to develop the

corresponding method with an instantiation. Security has been evaluated by using

theoretical, rigorous cryptographic proofs: The proposed method is secure as the

underlying encryption system is secure and Paillier’s encryption is provably

secure if the decisional composite residuosity assumption holds. In addition, the

performance has been evaluated via measuring a prototypical implementation. For

this, the statistically sound methodology of (Georges et al., 2007) has been

applied. Then, functionality has been evaluated by comparing the SBS with

non-secure benchmarking initiatives (e.g., SAP, 2011). Finally, the chapter discusses

the proposed solution and highlights implications for business practice and further

research.

7.2 Implications for future research

Verehrtes Publikum, jetzt kein Verdruß Wir wissen wohl, das ist kein rechter

Schluß. [...]

Wir stehen selbst enttäuscht und seh‘n betroffen

Den Vorhang zu und alle Fragen offen“

(Brecht, 1964)80.

“You're thinking, aren't you, that this is no right;

Conclusion to the play you've seen tonight?

[...] We feel deflated too. We too are nettled

To see the curtain down and nothing settled.”

(Brecht and Bentley, 2007)

In contrast to the introductory quote from the play “The Good Person of

Szechwan” by Bertolt Brecht, several research issues of this dissertation can be

declared as “settled”. The previous section presented a summary of the identified

research problems and this dissertation’s main contributions spanning conceptual

perspectives, research methods and prototypical implementations of resilience and

sustainability management. However, there remain a number of unanswered

questions and challenges that are out of this dissertation’s scope. Some of these

limitations and open questions will be discussed in this section.

This dissertation developed the Multidisciplinary Resilience Framework as a tool

for translation and communication between stakeholders with different

professions and scientific research background. The derived four resilience

categories will allow participants to ask questions about how the other participants

see the level of complexity or predictability of the system(s) they are trying to

deal with. The framework will also help them discuss how they see the role of

80 From “Der gute Mensch von Sezuan”

shared norms. A discussion of the four resilience types will further identify shared

or differing goals (e.g., bounce back or bounce forward).

However, the development of the Multidisciplinary Framework opens up many

questions for policy makers and researchers: For example, once the similarities and

differences have been identified the next steps are to make clear what the goal is

in each case, how success will be judged (or measured), and how (or if) the

“lessons learned” in one place can be transferred into another place or knowledge

domain. Does the system have to be maintained as it is or should it be capable of

adaptation? How will that adaptation be judged? Can the adaptation be designed

in advance or will it have to emerge from the conditions that are presented? Once

these questions are answered the group can narrow down its search for definitions

and mechanisms that are found in similar systems to the Resilience Type they are

dealing with.

There is certainly the possibility that a particular problem (either for research or

practical purposes) will involve multiple types of resilience. In those cases the role

of translators becomes critical as stakeholders with different perspectives attempt

to work in concert toward resilience. If the resilience of one (sub-)system requires

the rules of the other to be ignored for a time how does that get decided and by

whom? If action by one or both is called for in response to some danger (or

opportunity) does this require the measurement of something that they measure

differently? This does not require that the two systems (or disciplines or

organizations) respect each other’s methods but it does require agreement on the

goals and a mutual understanding with respect to terminologies.

It seems obvious that the need to find ways to make “things” bounce back will

only continue to grow. The groups who come together to deal with these issues

will only become more diverse. The Multidisciplinary Framework proposed here

allows researchers and practitioners from various disciplines and/or economic

sectors to communicate and concentrate their efforts on specific types for

resilience goals by allowing broad definitions where that is possible and

identifying where specific definitions are necessary to deal with the issues at hand.

The words used to designate these efforts will undoubtedly adapt, splinter into

subgroups, and go in and out of fashion. Translation and translators will only

become more important.

Nonetheless, Chapter 3 of this dissertation raised the assertion that there

exists disagreement on the understanding of resilience even within a scientific

domain such as organizational science. The identified knowledge gaps, critical

appraisals and inconsistencies within organizational resilience may help

counteract the construct proliferation that has become apparent within the domain.

Moreover, the organizational resilience framework presented is one solution to

advance a clear method to help distinguish the specific context for the application

of resilience principles in different organizational contexts. However, since the

proposed tool presents primarily conceptual and exploratory contributions, it

needs further empirical research to validate the suggested framework.

For this, the proposed organizational resilience types pave the way for the

selection of appropriate operationalizations and measurements: For instance,

indicators for outcomes of defensive/reactive resilience types such as “robustness”

and “recovery” are available for different contexts. The future research challenge

is to link them to an explanatory framework that considers antecedents and other

determinants such as in (Jüttner et al., 2010; McCann et al., 2009; McDonald,

2006). But as the descriptive analysis indicated, a more rigorous consideration of

contextual factors is required for both conceptual and empirical studies.

Hence, in the future, fruitful insights are also expected from a deeper investigation

into the role of unique contextual settings, such as the comparative studies of

resilience frameworks between different organization types (business vs. non-

profit, service vs. industrial, etc.). Such new directions in organizational resilience

will help to untangle the underlying puzzle of resilience and its related concepts

such as vulnerability and adaptability.

This dissertation introduced Resilience Management Information Systems (RMIS)

and an operational resilience management cycle as novel approaches to support

decision makers for managing operational resilience. Chapter 4 sets a research

agenda for IS resilience by introducing a number of research challenges. The

chapter further argued that business process management (BPM) provides a lot of

opportunities for future resilience research. For instance, the literature review has

shown that prevailing works still lack empirical validation, concrete

implementation guidelines, as well as artifacts to support the implementation of

resilience in IS. As a consequence, concrete measures are mostly missing, leading

to inefficient or even misleading resilience strategies. Therefore, Chapter 5 has

introduced “Process-Centered Resilience Detection” (PREDEC) as a detective

framework for the assertion of resilience of BPM systems. Based on log-data,

generated from business process model executions, and the resilience

requirements derived from operational resilience objectives, resilience measures

are automatically generated. As shown in the case study, either quantitative

(e.g., transactions per hour, number of activities executed in parallel, total number

of activities) or qualitative (e.g., High, Medium, and Low) susceptibility values

respective resilience indicators are extracted and assigned with the help of the

elicitation techniques for business processes and associated resources. With this

input data at hand for each resource, a business process-wide resilience value is

calculated. Certainly, there are techniques and formal foundations available that

can, when assembled, provide for resilience mechanisms at the level of BPM.

However, the current state of the art does not offer corresponding mechanisms yet.

One extension refers to the possibility to merge detection approaches with

techniques to analyze sociometric data. Techniques to analyze sociometric data,

i.e., social networks, build on the techniques of social network analysis (SNA).

SNA refers to the collection of methods, techniques and tools aiming at the

analysis of social networks. These are based on the methods and techniques of

graph theory and have been subject to research for decades, e.g., by (Scott, 1991;

Wasserman and Faust, 1994). The suitability of social network detection and

analysis in order to discover information flows within organizations has been

subject to extensive research. Discovery of social networks by analysis of e-mail

interaction has been examined by, e.g., (Fisher and Dourish, 2004; Ogata et al.,

2001). Diesner et al. examine organizational crises from a social network analysis

perspective based on analysis of communication flow via e-mail (Diesner et al.,

2005). In (Fischbach et al., 2009), the authors present an approach to discover

social networks from employees’ interactions by tracking these interactions via

wearable sensors. Van der Aalst and Song introduced an approach to discover

social networks from event logs (Reijers et al., 2005).

However, while the suitability of network analysis techniques for resilience

detection has been addressed, e.g., in the fields of social-ecological systems

(Janssen et al., 2006) or computer networks (Sterbenz et al., 2011), the

implications of social structures with regard to the resilience of business processes

have not been considered by research yet.

In order to constitute suitable tools to support resilience detection in process-

centered information infrastructures, the techniques of SNA have to be able to

assess subjects’ positions within the social network with respect to actual process

executions and resilience measures. The SNA techniques for resilience detection

envisaged for the realization of PREDEC could build on centrality measures and

measures based on co-workership and event types, e.g., (Reijers et al., 2005).

Calculation of resilience measures such as, e.g., capacity measures or

interdependence measures, such as “Organizational Interfaces” (cf. Table 10), can

be supported by SNA techniques. For example, betweenness analyses of social

networks can support detection of bottlenecks while SNA metrics custom crafted

for social networks elicited from event logs, such as handover of work metrics

(Reijers et al., 2005), can support calculation of interdependence measures.

Hence, techniques of social network analysis are well suited for enhancing

resilience detection with PREDEC. Moreover, SNA results can be lucidly

visualized by tools such as UCINET (Borgatti et al., 2002), in order to provide decision

makers with intuitive insight into resilience measures.
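
The following sketch is an added example, not code from this dissertation or from PREDEC. It derives a handover-of-work network from a small constructed event log and uses betweenness centrality (Brandes' algorithm) to flag the resource that most handover paths run through, i.e., a candidate bottleneck. The log layout, the resource names and all function names are assumptions, and the handover count is a simplified direct-succession count.

```python
from collections import defaultdict, deque

# Constructed sample log: (case id, timestamp, activity, resource).
EVENT_LOG = [
    ("c1", 1, "receive order", "alice"),
    ("c1", 2, "check credit", "carol"),
    ("c1", 3, "ship goods", "dave"),
    ("c2", 1, "receive order", "bob"),
    ("c2", 2, "check credit", "carol"),
    ("c2", 3, "ship goods", "erin"),
    ("c3", 1, "receive order", "alice"),
    ("c3", 2, "check credit", "carol"),
    ("c3", 3, "ship goods", "erin"),
    ("c4", 1, "receive order", "bob"),
    ("c4", 2, "ship goods", "dave"),  # this case skips the credit check
]


def handover_of_work(log):
    """Count direct handovers src -> dst between consecutive events of a case."""
    by_case = defaultdict(list)
    for case, ts, _activity, resource in log:
        by_case[case].append((ts, resource))
    handovers = defaultdict(int)
    for events in by_case.values():
        events.sort()  # order each case by timestamp
        for (_, src), (_, dst) in zip(events, events[1:]):
            if src != dst:  # work staying with one person is no handover
                handovers[(src, dst)] += 1
    return dict(handovers)


def betweenness(edges):
    """Unnormalized betweenness on the directed, unweighted handover graph."""
    nodes = sorted({n for edge in edges for n in edge})
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    score = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        # Breadth-first search from s, counting shortest paths (sigma).
        stack, preds = [], defaultdict(list)
        sigma = dict.fromkeys(nodes, 0)
        dist = dict.fromkeys(nodes, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            stack.append(v)
            for w in succ[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        # Back-propagate pair dependencies from the farthest nodes inward.
        delta = dict.fromkeys(nodes, 0.0)
        while stack:
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return score


def rank_bottlenecks(log):
    """Rank resources by betweenness, then by total handovers in and out."""
    handovers = handover_of_work(log)
    load = defaultdict(int)
    for (src, dst), count in handovers.items():
        load[src] += count
        load[dst] += count
    central = betweenness(handovers.keys())
    ranked = [(name, central[name], load[name]) for name in central]
    return sorted(ranked, key=lambda row: (-row[1], -row[2], row[0]))


if __name__ == "__main__":
    for name, score, load in rank_bottlenecks(EVENT_LOG):
        print(f"{name:6} betweenness={score:.1f} handovers={load}")
```

In the constructed log every path from order intake to shipping except one runs through the same resource, so that resource is the only one with non-zero betweenness.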

More limitations and future research areas refer to the aforementioned resilience

management cycle: Although the cycle is based on related work it has not been

explored empirically yet. Future studies may conduct surveys or carry out case

studies to evaluate the robustness of the proposed model. Since the management

cycle also captures the establishment of maturity levels and “resilience culture”,

such studies would benefit from a longitudinal design to explore the evolution of

operational resilience levels over time. Furthermore, the management cycle

basically suggests the recognition of four distinct phases for operational resilience

support. However, this thesis only focuses on the first two stages (i) Detection and

(ii) Diagnosis and Evaluation. The attempt to complete the management cycle by

incorporating (iii) Treatment and Recovery, as well as, (iv) Escalation and

Institutionalization offers a number of research opportunities. For instance, future

work could elaborate to which extent recent approaches for automated corrections

(such as introduced by Fenz et al. (2013)) and for knowledge enrichment (such as

in Fenz and Ekelhart (2009)) are applicable.

The subject of the last chapter has been the integration of a sustainability

benchmarking application into an ERP-on-demand platform. It focuses on the

potential added value and market penetration of the services offered. Drawing on

network and information economy as well as diffusion and adaptation research,

the chapter identifies and describes feedback effects and key variables between

the core ERP application and the benchmarking service. As a result, the developed

system dynamic model allows a holistic view on interdependencies. It shows that

an ERP on-demand platform with an integrated SBM service promises a more

rapid and deeper market penetration for both applications compared to a separate

offer. But the results of the demonstrated advantages of an integrated ERP on-

demand platform have to be put into perspective in several respects:

By means of the developed qualitative model we achieve the objective to visualize

decision-making possibilities for researchers and practitioners through the

identified structures and patterns of behavior. However, no statements about the

extent and strength of the effects can be made. This would require a further step

involving the extension of the qualitative model to a parameterization and

quantification in the form of mathematical simulations according to the traditional

system-dynamics approach (Forrester, 1994). This would allow for an evaluation

by means of iterative simulation runs and ultimately a market forecast for the

optimization of marketing strategies and capacity planning.

Another limitation arises from the assumptions about the willingness of

companies to provide data for the ERP on-demand provider. This “optimistic”

assessment is based on the fact that companies already using SaaS applications

must rely on a trustful handling of their data. The subsequently introduced secure

sustainability benchmarking service (SBS) is a first attempt to tackle this obstacle.

However, the proposed SBS is still limited by its assumptions regarding trust:

While research clearly shows that enterprises in supply chains regularly refrain

from exchanging sensitive data, attitudes as well as routines of organizational

members can significantly change over time. Moreover, substituting trust in

organizations and people by trust in technology, as has been proposed with

the SBS, is merely one solution - an alternative are trust-building measures, such

as reputation - and has strong assumptions with regard to individual’s behavior.

Accordingly, empirical evaluation, and for this testing the behavioral assumptions,

is an important next step.

Beside these limitations and options for future research, introducing resilience into

practice will remain a substantial challenge as it first requires a cognitive and

cultural shift on all organizational levels, from leaders to employers on the “sharp

end” (Weick and Sutcliffe, 2001; Woods, 2006b). Similar to, for example

ecological sustainability, recognizing resilience in management will shape aspects

such as strategy, the modus operandi and the skills of the workforce (Coutu, 2002;

Hollnagel, 2011; Weick and Sutcliffe, 2007). Moreover, investing in redundancy

and mindfulness to improve organizational resilience in times of lean management

and highly efficient processing is particularly difficult to justify to investors and

other stakeholders (Staber and Sydow, 2002; Weick and Sutcliffe, 2001). As a

consequence, realizing the need for resilience often requires the hard lesson of

crisis or accidents (Walker and Salt, 2006). However, the growing

(inter)dependence and complexity of the highly connected business world is

accompanied by an increased sense of vulnerability to new and future threats, all

with the potential to trigger interrelated cascading disturbances and even

organizational decline.

One cannot doubt that most organizations cannot afford to wait for crises as a

method of galvanizing action. It is becoming increasingly clear that the

organizations best able to sustain and cope with increasing uncertainty will be

those that incorporate resilience goals into their business practices.

References

Accorsi, R., “Safe-Keeping Digital Evidence with Secure Logging Protocols: State of the Art and Challenges”, Stuttgart, Germany.

Accorsi, R. (2013), “Sicherheit im Prozessmanagement”, digma Zeitschrift für Datenrecht und Informationssicherheit.

Accorsi, R. and Lehmann, A. (2012), “Automatic Information Flow Analysis of Business Process Models”, in Hutchison et al., David (Ed.), Business Process Management, Lecture Notes in Computer Science, Vol. 7481, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 172–187.

Accorsi, R. and Stocker, T. (2012), “On the exploitation of process mining for security audits: the conformance checking case”, in Ossowski, S. and Lecca, P. (Eds.), SAC, ACM, pp. 1709–1716.

Accorsi, R., Stocker, T. and Müller, G. (2013), “On the exploitation of process mining for security audits: the process discovery case”, in Proceedings of the 28th Annual ACM Symposium on Applied Computing, ACM, New York, NY, USA, pp. 1462–1468.

Accorsi, R., Ullrich, M. and van der Aalst, Wil M. P. (2012), “Process Mining”, Informatik-Spektrum, Vol. 35 No. 5, pp. 354–359.

Accorsi, R., Wonnemann, C., Chu, W., Wong, W.E., Palakal, M.J. and Hung, C.-C. (2011), “Strong non-leak guarantees for workflow models”, ACM symposium on applied computing, pp. 308–314.

Adger, W. (2000), “Social and ecological resilience: are they related?”, Progress in Human Geography, Vol. 24 No. 3, pp. 347–364.

Adger, W.N. (2006), “Vulnerability. A Cross-Cutting Theme of the International Human Dimensions Programme on Global Environmental Change Resilience”, Global Environmental Change, Vol. 16 No. 3, pp. 268–281.

Aiginger, K. (2009), “Strengthening the resilience of an economy”, Intereconomics, Vol. 44 No. 5, pp. 309–316.

Allen, J.H. and Cebula, J.J. (2011), Risk and Resilience: Considerations for Information Security Risk Assessment and Management, 14th-18th February San Francisco.

Allen, J.H. and Curtis, P.D. (2011), Measures for Managing Operational Resilience, Technical Report.

Allen, J.H., Curtis, P.D. and Gates, L.P. (2011), Using Defined Processes as a Context for Resilience Measures, CMU/SEI-2011-TN-029, Carnegie Mellon University, Software Engineering Institute, Pittsburgh, Pa.

Allen, J.H. and Davis, N. (2010), Measuring Operational Resilience Using the CERT Resilience Management Model, CMU/SEI-2010-TN-030, Pittsburgh, Pa.

Anderson, R. (2011), “Trusted Computing FAQ”, available at: http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html (accessed 28 April 2011).

Anderson, R. and Needham, R. (1995), “Programming Satan's computer”, in van Leeuwen, J. (Ed.), Computer Science Today: Recent trends and developments, Springer, Berlin, New York, pp. 426–440.

Angst, C.M., Agarwal, R., Sambamurthy, V. and Kelley, K. (2010), “Social Contagion and Information Technology Diffusion: The Adoption of Electronic Medical Records in U.S. Hospitals”, Management Science, Vol. 56 No. 8, pp. 1219–1241.

Ansoff, I. and Sullivan, P. (1993), “Optimizing profitability in turbulent environments. A formula for strategic success”, Long Range Planning, Vol. 26 No. 5, pp. 11–23.

Antunes, P. (2011), “BPM and Exception Handling: Focus on Organizational Resilience”, IEEE Transactions on Systems, Man & Cybernetics: Part C - Applications & Reviews, Vol. 41 No. 3, pp. 383–392.

Antunes, P. and Mourão, H. (2011), “Resilient Business Process Management: Framework and services”, Intelligent Collaboration and Design, Vol. 38 No. 2, pp. 1241–1254.

Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A. and Stoica, I. (2010), “A view of cloud computing”, Communications of the ACM, Vol. 53 No. 4, pp. 50–58.

Arthur, W.B. (1996), “Increasing returns and the new world of business”, Harvard Business Review, Vol. 74 No. 4, pp. 100–109.

Ates, A. and Bititci, U. (2011), “Change process: a key enabler for building resilient SMEs”, International Journal of Production Research, Vol. 49 No. 18, pp. 5601–5618.

Aven, T. (2011), “On Some Recent Definitions and Analysis Frameworks for Risk, Vulnerability, and Resilience”, Risk Analysis: An International Journal, Vol. 31 No. 4, pp. 515–522.

Avizienis, A., Laprie, J.-C., Randell, B. and Landwehr, C. (2004), “Basic Concepts and Taxonomy of Dependable and Secure Computing”, IEEE Trans. Dependable Secur. Comput, Vol. 1 No. 1, pp. 11–33.

Baker, S.M. (2009), “Vulnerability and Resilience in Natural Disasters. A Marketing and Public Policy Perspective”, Journal of Public Policy & Marketing, Vol. 2009 No. 28, pp. 114–123.

Balasubramanian, S. and Gupta, M. (2005), “Structural metrics for goal based business process design and evaluation”, Business Process Management Journal, Vol. 11 No. 6, pp. 680–694.

Barki, H. and Pinsonneault, A. (2005), “A Model of Organizational Integration, Implementation Effort, and Performance”, Organization Science, Vol. 16 No. 2, pp. 165–179.

Basili, V.R., Caldiera, G. and Rombach, H.D. (1994), “Goal Question Metric Paradigm”, Encyclopedia of Software Engineering No. 2, pp. 528–532.

Basin, D., Burri, S.J. and Karjoth, G. (2012), “Optimal workflow-aware authorizations”, in Proceedings of the 17th ACM symposium on Access Control Models and Technologies, ACM, New York, NY, USA, pp. 93–102.

Baum, N. (2005), “Building Resilience”, Journal of Aggression, Maltreatment & Trauma, Vol. 10 No. 1, pp. 487–498.

Bayuk, J. and Silverstein, K. (2007), “Utilising information security to improve resilience”, Journal of Business Continuity & Emergency Planning, Vol. 2 No. 1, pp. 7–12.

Beer, M. (2002), Building Organizational Fitness in the 21st Century, Division of Research, Harvard Business School.

Beermann, M. (2011), “Linking corporate climate adaptation strategies with resilience thinking”, Journal of Cleaner Production, Vol. 19 No. 8, pp. 836–842.

Benlian, A., Hess, T. and Buxmann, P. (2009), “Drivers of SaaS-Adoption – An Empirical Study of Different Application Types”, Business & Information Systems Engineering, Vol. 1 No. 5, pp. 357–369.

Benner, M.J. and Tushman, M.L. (2003), “Exploitation, Exploration, and Process Management. The Productivity Dilemma Revisited”, The Academy of Management Review, Vol. 28, pp. 238–256.

Ben-Or, M., Goldwasser, S. and Wigderson, A. (1988), “Completeness theorems for non-cryptographic fault-tolerant distributed computation”, in Proceedings of the twentieth annual ACM symposium on Theory of computing, ACM, Chicago, Illinois, USA, pp. 1–10.

Berkes, F. (2007), “Understanding uncertainty and reducing vulnerability: lessons from resilience thinking”, Natural Hazards, Vol. 41 No. 2, pp. 283–295.

Bhamra, R., Dani, S. and Burnard, K. (2011), “Resilience: the concept, a literature review and future directions”, International Journal of Production Research, Vol. 49 No. 18, pp. 5375–5393.

Bichler, M. (2006), “Design science in information systems research”, WIRTSCHAFTSINFORMATIK, Vol. 48 No. 2, pp. 133–135.

Bikhchandani, S., Hirshleifer, D. and Welch, I. (1992), “A Theory of Fads, Fashion, Custom, and Cultural Change as Informational Cascades”, Journal of Political Economy, Vol. 100 No. 5, pp. 992–1026.

Birkland, T.A. and Waterman, S. (2009), “The Policy and Policy Challenges of Disaster Resilience”, in Nemeth, C.P., Hollnagel, E. and Dekker, S. (Eds.), Resilience Engineering Perspectives 2. Preparation and restoration, Ashgate, Farnham, pp. 15–38.

Björklund, M. (2010), “Benchmarking tool for improved corporate social responsibility in purchasing”, Benchmarking: An International Journal, Vol. 17 No. 3, pp. 340–362.

Bohli, J.-M., Sorge, C. and Ugus, O. (2010), “A Privacy Model for Smart Metering”, in Proceedings of the 1st IEEE International Workshop on Smart Grid Communications, Capetown, South Africa, pp. 1–5.

Boin, A. and McConell, A. (2007), “Preparing for Critical Infrastructure Breakdowns. The Limits of Crisis Management and the Need for Resilience”, Journal of Contingencies and Crisis Management, Vol. 15 No. 1, pp. 50–59.

Boisot, M. and McKelvey, B. (2011), “Connectivity, Extremes, and Adaptation: A Power-Law Perspective of Organizational Effectiveness”, Journal of Management Inquiry, Vol. 20 No. 2, pp. 119–133.

Borgatti, S. (2003), “The Network Paradigm in Organizational Research: A Review and Typology”, Journal of Management, Vol. 29 No. 6, pp. 991–1013.

Borgatti, S.P., Everett, M.G. and Freeman, L.C. (2002), “UCINET for windows: Software for social network analysis”, Harvard, MA: Analytic Technologies.

Boudreau, M.-C., Chen, A. and Huber, M. (2008), “Green IS: Building sustainable business practices”, Information Systems: A Global Text, pp. 1–17.

Brand, F.S. and Jax, K. (2007), “Focusing the meaning(s) of resilience. resilience as a descriptive concept and a boundary object”, Ecology and Society, Vol. 12 No. 1.

Brecht, B. (1964), Der gute Mensch von Sezuan: Parabelstück, Edition Suhrkamp, Vol. 73, 1. Aufl, Suhrkamp, Frankfurt am Main.

Brecht, B. and Bentley, E. (2007), The good woman of Setzuan, Modern classics, Penguin Books, London.

Brewer, P.C. and Speh, T.W. (2001), “Adapting the Balanced Scorecard to Supply Chain Performance”, Supply Chain Management: An International Journal (Supply Chain Management Review, Vol. 5 No. 5, pp. 48–56.

Brickell, J. and Shmatikov, V. (2008), “The cost of privacy: destruction of data-mining utility in anonymized data publishing”, in Proceedings of the 14th ACM SIGKDD international conference on Knowledge discovery and data mining, ACM, Las Vegas, Nevada, USA, pp. 70–78.

Briguglio, L., Cordina, G., Farrugia, N. and Vella, S. (2009), “Economic Vulnerability and Resilience: Concepts and Measurements”, Oxford Development Studies, Vol. 37 No. 3, pp. 229–247.

Bruneau, M., Chang, S.E., Eguchi, R.T., Lee, G.C., O’Rourke, T.D., Reinhorn, A.M., Shinozuka, M., Tierney, K., Wallace, W.A. and Winterfeldt, D. von (2003), “A Framework to Quantitatively Assess and Enhance the Seismic Resilience of Communities”, Earthquake Spectra, Vol. 19 No. 4, pp. 733–752.

Brynjolfsson, E. and Kemerer, C.F. (1996), “Network Externalities in Microcomputer Software: An Econometric Analysis of the Spreadsheet Market”, Management Science, Vol. 42 No. 12, pp. 1627–1647.

Burnard, K. and Bhamra, R. (2011), “Organisational resilience: development of a conceptual framework for organisational responses”, International Journal of Production Research, pp. 1–19.

Burnett, R.D. and Hansen, D.R. (2008), “Ecoefficiency: Defining a role for environmental cost management”, Accounting, Organizations and Society, Vol. 33 No. 6, pp. 551–581.

Burns, T. and Stalker, G. (2000), “Mechanistic and organic systems of management”, in McLoughlin, I., Preece, D. and Dawson, P. (Eds.), Technology, organizations, and innovation: Critical perspectives on business and management, Routledge, London, New York, pp. 24–50.

Butler, B.S. and Gray, P.H. (2006), “Reliability, Mindfulness, and Information Systems”, MIS Quarterly, Vol. 30 No. 2, pp. 211–224.

Butler, T. (2011), “Compliance with institutional imperatives on environmental sustainability: Building theory on the role of Green IS”, Journal of Strategic Information Systems, Vol. 20 No. 1, pp. 6–26.

Buys, P.W. (2012), “Developing Corporate Strategies To Enable Resilience In The South African Information Systems And Technology Industry”, Journal of Applied Business Research, Vol. 28 No. 5.

Calantone, R., Garcia, R. and Dröge, C. (2003), “The Effects of Environmental Turbulence on New Product Development Strategy Planning”, Journal of Product Innovation Management, Vol. 20 No. 2, pp. 90–103.

Camp, R.C. (1989), Benchmarking: the search for industry best practices that lead to superior performance, Quality Press, White Plains.

Campbell, F.C. (2008), Elements of metallurgy and engineering alloys, ASM International, Materials Park, Ohio.

Caralli, R.A., Allen, J.H., Curtis, P.D. and Young, L.R. (2010), CERT resilience management model, version 1.0, CMU/SEI-2010-TR-012, Carnegie Mellon University, Software Engineering Institute, Pittsburgh, Pa.

Cardoso, J., Bostrom, R. and Sheth, A. (2004), “Workflow Management Systems and ERP Systems: Differences, Commonalities, and Applications”, Information Technology and Management, Vol. 5 3-4, pp. 319-338.

Cardoso, J., Mendling, J., Neumann, G. and Reijers, H.A. (2006), “A Discourse on Complexity of Process Models”, in Hutchison, D. and et al. (Eds.), Lecture Notes in Computer Science, Business Process Management Workshops, Springer, Berlin, Heidelberg, pp. 117–128.

Carmeli, A. and Markman, G.D. (2011), “Capture, governance, and resilience: strategy implications from the history of Rome”, Strategic Management Journal, Vol. 32 No. 3, pp. 322–341.

Carpenter, S., Walker, B., Anderies, J.M. and Abel, N. (2001), “From Metaphor to Measurement: Resilience of What to What?”, Ecosystems, Vol. 4 No. 8, pp. 765–781.

Carpenter, S.R., Arrow, K.J., Barrett, S., Biggs, R., Brock, W.A. and Crépin, A.-S. (2012), “General Resilience to Cope with Extreme Events”, Sustainability, Vol. 12 No. 4, pp. 3248–3259.

Chakravarthy, B.S. (1982), “Adaptation: A Promising Metaphor for Strategic Management”, Academy of Management Review, Vol. 7 No. 1, pp. 35–44.

Chatterji, A.K. and Toffel, M.W. (2010), “How firms respond to being rated”, Strategic Management Journal, Vol. 31 No. 4, pp. 917–945.

Cho, C.H. and Patten, D.M. (2007), “The role of environmental disclosures as tools of legitimacy: A research note”, Accounting, Organizations and Society, Vol. 32 7-8, pp. 639–647.

Christopher, M. and Peck, H. (2004), “Building the Resilient Supply Chain”, The International Journal of Logistics Management, Vol. 15 No. 2, pp. 1–14.

Church, M. (1999), “Organizing simply for complexity. Beyond metaphor towards theory”, Long Range Planning, Vol. 32, pp. 425–440.

Colbert, B.A. (2004), “The complex resource-based view: implications for theory and practice in strategic human resource management”, Academy of Management Review, Vol. 29 No. 3, pp. 341–358.

Comfort, L.K., Sungu, Y., Johnson, D. and Dunn, M. (2001), “Complex Systems in Crisis: Anticipation and Resilience in Dynamic Environments”, Journal of Contingencies and Crisis Management, Vol. 9 No. 3, pp. 144–158.

Cook, R. and Rasmussen, J. (2005), “Going solid: a model of system dynamics and consequences for patient safety”, Quality and Safety in Health Care, Vol. 14 No. 2, pp. 130–134.

Cord, D.J. (2014), The Decline and Fall of Nokia, 1st ed., Schildts & Söderströms.

Coutu, D.L. (2002), “How Resilience Works”, Harvard Business Review, Vol. 80 No. 5, pp. 46–51.

Coyle, R.G. (2000), “Qualitative and quantitative modelling in system dynamics: some research questions”, System Dynamics Review, Vol. 16 No. 3, pp. 225–244.

Coyle, R.G. (2001), System dynamics modelling: A practical approach, Chapman & Hall, London.

Crichton, M.T., Ramsay, C.G. and Kelly, T. (2009), “Enhancing Organizational Resilience Through Emergency Planning: Learnings from Cross-Sectoral Lessons”, Journal of Contingencies and Crisis Management, Vol. 17 No. 1, pp. 24–37.

Crnkovic, I. (2011), “Predictability and Evolution in Resilient Systems. Software Engineering for Resilient Systems”, in Troubitsyna, E. (Ed.), Lecture Notes in Computer Science, Vol. 6968, Springer Berlin / Heidelberg, pp. 113–114.

Cumming, G.S., Barnes, G., Perz, S., Schmink, M., Sieving, K.E., Southworth, J., Binford, M., Holt, R.D., Stickler, C. and Holt, T. (2005), “An Exploratory Framework for the Empirical Measurement of Resilience”, Ecosystems, Vol. 8 No. 8, pp. 975–987.

Cunha, M.P.E., Clegg, S.R. and Kamoche, K. (2006), “Surprises in Management and Organization. Concept, Sources and A Typology*”, British Journal of Management, Vol. 17, pp. 317–329.

Cunha, M.P.E. and Da Cunha, J.V. (2006), “Towards a complexity theory of strategy”, Management Decision No. 44, pp. 839–850.

Cusumano, M.A. (2010), “Will SaaS and Cloud Computing become a new Industry Platform?”, in Benlian, C., Hess, A. and Buxmann, P. (Eds.), Software-as-a-Service: Anbieterstrategien, Kundenbedürfnisse und Wertschöpfungsstrukturen, Gabler, Wiesbaden, pp. 3–13.

Damgård, I. and Jurik, M. (2001), “A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System”, in Kim, K. (Ed.), Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography, Cheju Island, Korea, pp. 119–136.

Davenport, T.H. (1993), Process innovation: Reengineering work through information technology, Harvard business school, Boston (Mass.).

Dedrick, J. (2010), “Green IS: concepts and issues for information systems research”, Communications of AIS, Vol. 27 No. 1, pp. 173–184.

Dekker, S. (2003), “Failure to adapt or adaptations that fail: contrasting models on procedures and safety”, Applied ergonomics, Vol. 34 No. 3, pp. 233–238.

Demirkan, H., Cheng, H.K. and Bandyopadhyay, S. (2010), “Coordination Strategies in an SaaS Supply Chain”, Journal of Management Information Systems, Vol. 26 No. 4, pp. 119–143.

Derissen, S., Quaas, M.F. and Baumgärtner, S. (2011), “The relationship between resilience and sustainability of ecological-economic systems”, Ecological Economics, Vol. 70 No. 6, pp. 1121–1128.

Dewald, J. and Bowen, F. (2010), “Storm Clouds and Silver Linings: Responding to Disruptive Innovations Through Cognitive Resilience”, Entrepreneurship Theory and Practice, Vol. 34 No. 1, pp. 197–218.

Diesner, J., Frantz, T.L. and Carley, K.M. (2005), “Communication Networks from the Enron Email Corpus “It's Always About the People. Enron is no Different””, Computational and Mathematical Organization Theory, Vol. 11 No. 3, pp. 201–228.

DiMaggio, P.J. and Powell, W.W. (1983), “The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields”, American Sociological Review, Vol. 48 No. 2, pp. 147–160.

Dongen, B.F., Crooy, R.A. and Aalst, W.M.P. (2008), “Cycle Time Prediction: When Will This Case Finally Be Finished?”, in Meersman, R. and Tari, Z. (Eds.), On the Move to Meaningful Internet Systems: OTM 2008, Lecture Notes in Computer Science, Vol. 5331, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 319–336.

Dorner, D. (1996), The Logic of Failure: Recognizing and Avoiding Error in Complex Situations, Metropolitan Books, New York.

Dosi, G., Nelson, R.R. and Winter, S.G. (2000), The nature and dynamics of organizational capabilities, Oxford University Press, New York.

Drucker, P.F. (1980), Managing in turbulent times, Butterworth Heinemann, Oxford. Duan, W., Gu, B. and Whinston, A.B. (2009), “Informational Cascades and Software Adoption on the

Internet. An Empirical Investigation”, MIS Quaterly, Vol. 33 No. 1, pp. 23–48. Dumas, M., La Rosa, M., Mendling, J. and Reijers, H.A. (2013), Fundamentals of business process

management, Springer, Berlin, Heidelberg. Dutton, J.M. and Thomas, A. (1984), “Treating Progress Functions as a Managerial Opportunity”, The

Academy of Management Review, Vol. 9 No. 2, pp. 235–247. Dwork, C. (2006), “Differential Privacy”, in Bugliesi, M., Preneel, B., Sassone, V. and Wegener, I.

(Eds.), Automata, Languages and Programming, Lecture Notes in Computer Science, Vol. 4052, Springer Berlin Heidelberg, pp. 1-12.

Eder, J., Panagos, E., Pozewaunig, H. and Rabinovich, M. (1999), “Time management in workflow systems”, in BIS'99, Springer Verlag, pp. 265–280.

Edson, M.C. (2012), “A Complex Adaptive Systems View of Resilience in a Project Team”, Systems Research and Behavioral Science, Vol. 29 No. 5, pp. 499–516.

Efatmaneshnik, E. and Reidsema, C. (2007), “Immunity as a Design Decision Making Paradigm for Complex Systems. A Robustness Approach”, Cybernetics and Systems: An International Journal No. 38, pp. 759–780.

Ekelhart, A. and Neubauer, T. (2011), “Information Security Risk Management: In Which Security Solutions Is It Worth Investing?”, Communications of the Association for Information Systems, Vol. 28 No. 1.

Elliot, S. (2011), “Transdisciplinary perspectives on environmental sustainability: a resource base and framework for IT-enabled business transformation”, MIS Quarterly, Vol. 35 No. 1, pp. 197–236.

Endsley, M.R. (1995), “Toward a Theory of Situation Awareness in Dynamic Systems”, Human Factors: The Journal of the Human Factors and Ergonomics Society, Vol. 37 No. 1, pp. 32–64.

Erol, O., Henry, D., Sauser, B. and Mansouri, M. (2010a), “Perspectives on measuring enterprise resilience”, San Diego, CA.

Erol, O., Sauser, B.J. and Mansouri, M. (2010b), “A framework for investigation into extended enterprise resilience”, Enterprise Information Systems, Vol. 4 No. 2, pp. 111–136.

Etzion, O. (2009), “Complex event processing”, in Liu, L. and M. T. Özsu, M. T. (Eds.), Encyclopedia of Database Systems, Springer, pp. 412--413.

European Comission (2011), “ELCD core database version II”, available at: http://lca.jrc.ec.europa.eu/lcainfohub/datasetArea.vm. (accessed 15 April 2011).

Fava, J., Baer, S. and Cooper, J. (2009), “Increasing Demands for Life Cycle Assessments in North America”, Journal of Industrial Ecology, Vol. 13 No. 4, pp. 491–494.

Fdhila, W., Rinderle-Ma, S., Reichert and M. (2012), “Change propagation in collaborative processes scenarios”, in Proceedings of the 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing, Pittsburgh, United States, pp. 452--461.

Fenz, S. and Ekelhart, A. (2009), “Formalizing information security knowledge”. Fenz, S., Ekelhart, A. and Neubauer, T. (2009), “Business Process-based Resource Importance

Determination”, in Proceedings of the 7th International Conference on Business Process Management (BPM’2009), Springer-Verlag Berlin, Heidelberg, pp. 113–127.

Fenz, S., Ekelhart, A. and Neubauer, T. (2011), “Information Security Risk Management. In which security solutions is it worth investing?”, Communications of the Association for Information Systems, Vol. 28 No. 1, pp. Article 22, 329–356.

Fenz, S., Neubauer, T., Accorsi, R. and Koslowski, T.G. (2013), “FORISK: Formalizing Information Security Risk and Compliance Management”, 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W) 24-27 June, Budapest.

Fichman, R.G. and Kemerer, C.F. (1997), “The Assimilation of Software Process Innovations: An Organizational Learning Perspective”, Management Science, Vol. 43 No. 10, pp. 1345–1363.

Figge, F. and Hahn, T. (2005), “The Cost of Sustainability Capital and the Creation of Sustainable Value by Companies”, Journal of Industrial Ecology, Vol. 9 No. 4, pp. 47–58.

Fiksel, J. (2003), “Designing Resilient, Sustainable Systems”, Environmental Science & Technology, Vol. 37 No. 23, pp. 5330–5339.

Fischbach, K., Gloor, P.A. and Schoder, D. (2009), “Analysis of Informal Communication Networks – A Case Study”, Business & Information Systems Engineering, Vol. 1 No. 2, pp. 140–149.

Fisher, D. and Dourish, P. (2004), “Social and temporal structures in everyday collaboration”, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM, New York, NY, USA, pp. 551–558.

Folke, C. (2006), “Resilience: The emergence of a perspective for social-ecological systems analyses. Resilience, Vulnerability, and Adaptation: A Cross-Cutting Theme of the International Human Dimensions Programme on Global Environmental Change”, Global Environmental Change, Vol. 16 No. 3, pp. 253–267.

Forrest, J. (2010), “Introduction of qualitative system dynamics”, available at: http://jayfor.site.aplus.net/qualsd/id11.html (accessed 12 December 2010).

Forrester, J.W. (1961), Industrial dynamics, MIT, Camebridge. Forrester, J.W. (1994), “System dynamics, systems thinking, and soft OR”, System Dynamics Review,

Vol. 10 2-3, pp. 245–256. Frank, U. (2006), Towards a pluralistic conception of research methods in information systems research,

ICB-Research Report. Freeman, S., Hirschhorn, L. and Matty, M. (2003), “Organizational resilience and moral purpose. Sandler

O'Neill and Partners, L.P. in the aftermath of September 11, 2001”, D. Nagao (Ed.) Academy of Management (best papers), Madison, WI.

Freiling, F.C. and Schwittay, B. (2007), “A Common Process Model for Incident Response and Computer Forensics”, IMF, Vol. 7, pp. 19–40.

Friedman, M. (1993), “The "plucking model" of business fluctuations revisited”, Economic Inquiry, Vol. 31 No. 2, pp. 171–177.

Funk, B., Möller, A. and Niemeyer, P. (2009), “Integration of Environmental Management Information Systems and ERP systems using Integration Platforms”, in Athanasiadis, I., Mitkas, P., Rizzoli, A. and Marx Gómez, J. (Eds.), Information Technologies in Environmental Engineering, Thessaloniki, Greece, pp. 53–63.

Gartner (2010), “Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update”, available at: http://www.gartner.com/id=2332215 (accessed 13 August 2013).

Gartner Research (2014), Survey Analysis: Adoption of Cloud ERP, 2013 Through 2023. Gatignon, H. and Robertson, T.S. (1985), “A Propositional Inventory for New Diffusion Research”,

Journal of Consumer Research, Vol. 11 No. 4, pp. 849–867. Gentry, C. (2009), “Fully homomorphic encryption using ideal lattices”, in Mitzenmacher, M. and

Bethesda, M.D. (Eds.), Proceedings of the 41st ACM Symposium on Theory of Computing, pp. 169–178.

Gentry, C. and Halevi, S. (2011), “Implementing Gentry’s Fully-Homomorphic Encryption Scheme”, Advances in Cryptology – EUROCRYPT, pp. 129–148.

Geoffrey Love, E. and Nohria, N. (2005), “Reducing slack: the performance consequences of downsizing by large industrial firms, 1977–93”, Strategic Management Journal, Vol. 26 No. 12, pp. 1087–1108.

Georges, A., Buytaert, D. and Eeckhout, L. (2007), “Statistically rigorous java performance evaluation”, in Proceedings of the 22nd annual ACM SIGPLAN conference on Object-oriented programming systems and applications, ACM, Montreal, Quebec, Canada, pp. 57–76.

Geus, A. de (1997), “The Living Company”, Harvard Business Review, Vol. 75 No. 2, pp. 51–59. Ginsberg, A. and Buchholtz, A. (1990), “Converting to For-Profit Status. Corporate Responsiveness to

Radical Change”, The Academy of Management Journal, Vol. 33 No. 3, pp. 445–477. Goldreich, O., Micali, S. and Wigderson, A. (1987), “How to play ANY mental game”, Proceedings of

the 19th annual ACM symposium on Theory of computing, pp. 218–229. González, L.S., Rubio, F.G., González, F.R. and Velthuis, M.P. (2010), “Measurement in business

processes. a systematic review”, Business Process Management Journal, Vol. 16 No. 1, pp. 114–134. Graafland, J.J., Eijffinger, S. and Smid-Johan, H. (2004), “Benchmarking of Corporate Social

Responsibility: Methodological Problems and Robustness”, Journal of Business Ethics, Vol. 53 1/2, pp. 137–152.

Griffiths, D.J. (2013), Revolutions in twentieth-century physics, Cambridge University Press, Cambridge, U.K.

Grote, G. (2009), Management of uncertainty: Theory and application in the design of systems and organizations, Decision engineering, Springer, London.

Gunderson, L. (2009), Comparing Ecological and Human Community Resilience: CARRI Research Report No. 5, Oak Ridge, TN.

Gunderson, L.H. (Ed.) (2002), Panarchy: Understanding transformations in human and natural systems, Island Press, Washington, DC [u.a].

Haimes, Y.Y. (2009a), “On the Complex Definition of Risk: A Systems-Based Approach”, Risk Analysis: An International Journal, Vol. 29 No. 12, pp. 1647–1654.

Haimes, Y.Y. (2009b), “On the Definition of Resilience in Systems”, Risk Analysis: An International Journal, Vol. 29 No. 4, pp. 498–501.

Hale, A. and Heijer, T. (2006), “Defining Resilience”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT.

Hamel, G. and Välikangas, L. (2003), “The Quest for Resilience.”, Harvard Business Review, Vol. 81 No. 9, pp. 52–63.

Hammer, M. and Champy, J. (2003), Reengineering the corporation: A manifesto for business revolution, 1st HarperBusiness Essentials pbk. ed, HarperBusiness Essentials, New York.

Hammerschmidt, M. (2006), Effizienzanalyse im Marketing: Ein produktionstheoretisch fundierter Ansatz auf Basis von Frontier Functions, 1st ed., Dt. Univ.-Verl., Wiesbaden.

Handmer, J., Dovers, S. and Downing, T. (1999), “Societal Vulnerability to Climate Change and Variability”, Mitigation and Adaptation Strategies for Global Change, Vol. 4 3/4, pp. 267–281.

Handmer, J.W. and Dovers, S.R. (1996), “A Typology of Resilience: Rethinking Institutions for Sustainable Development”, Organization & Environment, Vol. 9 No. 4, pp. 482–511.

Hannan, M.T. and Freeman, J. (1977), “The Population Ecology of Organizations”, American Journal of Sociology, Vol. 82 No. 5, pp. 929–964.

Harrington, H.J. (1991), Business process improvement: The breakthrough strategy for total quality, productivity, and competitiveness, McGraw-Hill, New York.

Helper, S., MacDuffie, J. and Sabel C. (2000), “Pragmatic collaborations: advancing knowledge while controlling opportunism”, Industrial and Corporate Change, Vol. 9 No. 3, pp. 443–488.

Hervani, A.A., Helms, M.M. and Sarkis, J. (2005), “Performance measurement for green supply chain management”, Benchmarking: An International Journal, Vol. 12 No. 4, pp. 330–353.

Hevner, A.R., March, S.T., Park, J. and Ram, S. (2004), “Design science in information systems research”, MIS Quarterly, Vol. 28 No. 1, pp. 75–105.

Hitt, M.A., Ireland, R.D. and Hoskisson, R.E. (2011), Strategic management: Competitiveness and globalization concepts and cases, 9th ed, South-Western Cengage Learning, Mason (OH).

Ho, W., Xu, X. and Dey, P.K. (2010), “Multi-criteria decision making approaches for supplier evaluation and selection: A literature review”, European Journal of Operational Research, Vol. 202 No. 1, pp. 16–24.

Hoffer, C.W. (1975), “Toward a Contingency Theory of Business Strategy”, Academy of Management Journal, Vol. 18 No. 4, pp. 784–810.

Hoffer Gittell, J., Cameron, K., Lim, S. and Rivas, V. (2006), “Relationships, Layoffs, and Organizational Resilience. Airline Industry Responses to September 11”, The Journal of Applied Behavioral Science, Vol. 42 No. 3, pp. 300–329.

Hoffmann, V.H. and Busch, T. (2008), “Corporate Carbon Performance Indicators”, Journal of Industrial Ecology, Vol. 12 No. 4, pp. 505–520.

Hofmann, P. (2008), “ERP is Dead, Long Live ERP”, IEEE Internet Computing, Vol. 12 No. 4, pp. 84–88.

Holland, J.H. (1998), Emergence: From chaos to order, Addison-Wesley, Reading, Mass. Holling, C.S. (1973), Resilience and stability of ecological systems, International Institute for Applied

Systems Analysis, Laxenburg, Austria. Holling, C.S. (1996), “Engineering resilience versus ecological resilience”, in Schulze, P.C. (Ed.),

Engineering Within Ecological Constraints, The National Academies Press, Washington, D.C. Holling, C.S. (2001), “Understanding the Complexity of Economic, Ecological, and Social Systems”,

Ecosystems, Vol. 4 No. 5, pp. 390–405. Holling, C.S. and Gunderson, L.H. (2002), “Resilience and Adaptive Cycles”, in Gunderson, L.H. (Ed.),

Panarchy: Understanding transformations in human and natural systems, Island Press, Washington, DC [u.a], pp. 25–62.

Hollnagel, E. (2008), “From protection to resilience: Changing views on how to achieve safety”, Proceedings of the 8th International Symposium of the Australian Aviation Psychology Association.

Hollnagel, E. (2009), The ETTO principle: Efficiency-thoroughness trade-off why things that go right sometimes go wrong, Ashgate, Farnham, England, Burlington, VT.

Hollnagel, E. (2011), Resilience engineering in practice: A guidebook, Ashgate studies in resilience engineering, Ashgate, Farnham, Surrey, England, Burlington, VT.

Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.) (2006), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT.

Horne III, J.F. (1997), “The coming age of organizational resilience”, Business Forum, Vol. 22, p. 24. Horne III, J.F. and Orr, J.E. (1998), “Assessing Behaviors That Create Resilient Organizations”,

Employment Relations Today (Wiley), Vol. 24, pp. 29–39. Houy, C., Fettke, P., Loos, P., Aalst, W.M.P. and Krogstie, J. (2011), “Business Process Management in

the Large”, Business & Information Systems Engineering, Vol. 3 No. 6, pp. 385–388. IF4IT (2014), “IF4IT Glossary / Dictionary of IT Terms and Phrases”, available at:

http://if4it.com/SYNTHESIZED/GLOSSARY/C/Capability.html. Jackson, S. (2009), Architecting resilient systems: Accident avoidance and survival and recovery from

disruptions, Wiley series in systems engineering and management, Wiley, Hoboken, NJ. Jakoubi, S., Tjoa, S., Goluch, G. and Quirchmayr, G. (2009), “A Survey of Scientific Approaches

Considering the Integration of Security and Risk Aspects into Business Process Management”, in DEXA Proceedings of the 20th International Workshop on Database and Expert Systems Application, pp. 127–132.

Janssen, M.A., Bodin, O., Anderies, J.M., Elmqvist, T., Ernstson, H., McAllister, R.R.J., Olsson, P. and Ryan, P. (2006), “Toward a network perspective of the study of resilience in social-ecological systems”, Ecology and Society, Vol. 11 No. 1, p. 15.

Jüttner, U., Christopher, M. and Godsell, J. (2010), “A strategic framework for integrating marketing and supply chain strategies”, The International Journal of Logistics Management, Vol. 21 No. 1, pp. 104–126.

Kahan, J.H., Allen, A.C. and George, J.K. (2009), “An Operational Framework for Resilience”, Journal of Homeland Security and Emergency Management, Vol. 6 No. 1.

Katz, M.L. and Shapiro, C. (1985), “Network externalities, competition, and compatibility”, The American Economic Review, Vol. 75 No. 3, pp. 424–440.

Kemfert, C., “The coming German energy turnaround”, available at: http://www.thebulletin.org/web-edition/op-eds/the-coming-german-energy-turnaround (accessed 30 April 2012).

Kendra, J.M. and Wachtendorf, T. (2003), “Elements of Resilience After the World Trade Center Disaster. Reconstituting New York City's Emergency Operations Centre”, Disasters, Vol. 27 No. 1, pp. 37–53.

Kerschbaum, F., Dahlmeier, D., Schröpfer, A., Biswas, D. and (Keine Angabe) (2009), “On the practical importance of communication complexity for secure multi-party computation protocols”, in

Proceedings of the ACM Symposium on Applied Computing, ACM, Honolulu, Hawaii, pp. 2008–2015.

Kerschbaum, F., Strüker, J. and Koslowski, T. (2011), “Confidential Information-Sharing for Automated Sustainability Benchmarks”, ICIS Proceedings Paper 4.

Kim, H., Lee, J.-N. and Han, J. (2010), “The role of IT in business ecosystems”, Communications of the ACM, Vol. 53 No. 5, p. 151.

King, A. (1995), “Avoiding Ecological Surprise: Lessons from Long-Standing Communities”, The Academy of Management Review, Vol. 20 No. 4, pp. 961–985.

Klein, G., Moon, B. and Hoffman, R.R. (2006), “Making Sense of Sensemaking 1: Alternative Perspectives”, IEEE Intelligent Systems, Vol. 21 No. 4, pp. 70–73.

Klein, R.J.T., Nicholls, R.J. and Thomalla, F. (2003a), “Resilience to natural hazards. How useful is this concept?”, Global Environmental Change Part B: Environmental Hazards No. 5, pp. 35–45.

Klein, R.J.T., Nicholls, R.J. and Thomalla, F. (2003b), “The Resilience of Coastal Megacities to Weather-Related Hazards”, in Kreimer, A., Arnold, M. and Carlin, A. (Eds.), Building safer cities: The future of disaster risk, World Bank, Washington, D.C, pp. 101–120.

Kolk, A. and Mauser, A. (2002), “The evolution of environmental management: from stage models to performance evaluation”, Business Strategy and the Environment, Vol. 11 No. 1, pp. 14–31.

Koslowski, T. (2011), “Interorganisationale Nachhaltigkeitsmessung als Softwaredienst”, in Eymann, T. (Ed.), Proceedings of the Doctoral Consortium of the Wirtschaftsinformatik, Vol. 2011, Zürich (CH), pp. 115–124.

Koslowski, T. and Strüker, J. (2011), “ERP On Demand Platform”, Business & Information Systems Engineering, Vol. 3 No. 6, pp. 359–367.

Koslowski, T. and Zimmermann, C. (2013), “Towards a Detective Approach to Process-Centered Resilience”, in Accorsi, R. and Ranise, S. (Eds.), Security and Trust Management, Lecture Notes in Computer Science, Vol. 8203, Springer Berlin Heidelberg, pp. 176-190.

Koslowski, T.G. (2013), “Resilience Management – Achieving Sustainability in Turbulent Environments”, 29th Apr - 1st May, Berkeley, CA.

Koslowski, T.G., Geoghegan, W. and Longstaff, P.H. (2013a), “Organizational Resilience: A Review and Reconceptualization”, paper presented at 33rd Annual International Conference of the Strategic Management Society, Sept 28 - Oct 1, Atlanta, VA.

Koslowski, T.G., Strüker, J. and Brenig, C. (2013b), “Mastering the Energiewende – A Cross-disciplinary Teaching Approach”, European Conference on Information Systems, ECIS No. 2013.

Krysiak, F.C. (2009), “Risk Management as a Tool for Sustainability”, Journal of Business Ethics, Vol. 85, pp. 483–492.

Kumar, K. and Diesel, H.G. (1996), “Sustainable Collaboration: Managing Conflict and Cooperation in Interorganizational Systems”, MIS Quarterly, Vol. 20 No. 3, pp. 279–300.

Laudon, K.C. and Laudon, J.P. (2010), Management information systems: Managing the digital firm, 11th ed, Pearson, Upper Saddle River, N.J, London.

Le Coze, J.-C. and Dupré, M. (2008), “The Need for "Translators" and for new Models of Safety”, in Hollnagel, E., Nemeth, C.P. and Dekker, S. (Eds.), Resilience Engineering Perspectives 1. Remaining Sensitive to the Possibility of Failure, Ashgate, Aldershot, England, Burlington, VT.

Lee, D. and Mendelson, H. (2007), “Adoption of Information Technology Under Network Effects”, Information Systems Research, Vol. 18 No. 4, pp. 395–413.

Lehmann, S. and Buxmann, P. (2009), “Pricing Strategies of Software Vendors”, Business & Information Systems Engineering, Vol. 1 No. 6, pp. 452–462.

Lengnick-Hall, C.A. and Beck, T.E. (2005), “Adaptive Fit Versus Robust Transformation: How Organizations Respond to Environmental Change”, Journal of Management, Vol. 31 No. 5, pp. 738–757.

Lengnick-Hall, C.A. and Beck, T.E. (2009), “Resilience Capacity and Strategic Agility: Prerequisites for Thriving in a Dynamic Environment”, in Nemeth, C.P., Hollnagel, E. and Dekker, S. (Eds.), Resilience Engineering Perspectives 2. Preparation and restoration, Ashgate, Farnham, pp. 39–70.

Lengnick-Hall, C.A., Beck, T.E. and Lengnick-Hall, M.L. (2011), “Developing a capacity for organizational resilience through strategic human resource management”, Human Resource Management Review, Vol. 21 No. 3, pp. 243–255.

Lentzos, F. and Rose, N. (2009), “Governing insecurity: contingency planning, protection, resilience”, Economy & Society, Vol. 38 No. 2, pp. 230–254.

Leonard-Barton, D. (1992), “Core capabilities and core rigidities: A paradox in managing new product development”, Strategic Management Journal, Vol. 13 S1, pp. 111–125.

Leveson, N., Dulac, N., Zipkin, D., Cutcher-Gershenfeld, J., Carroll, J. and Barrett, B. (2006), “Engineering resilience into safety-critical systems”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT, pp. 95–123.

Levin, S.A. (1998), “Ecosystems and the Biosphere as Complex Adaptive Systems”, Ecosystems, Vol. 1 No. 5, pp. 431–436.

Levinthal, D.A. (1997), “Adaptation on Rugged Landscapes”, Management Science, Vol. 43 No. 7, pp. 934–950.

Lewin, R. (Ed.) (1998), Complexity: Life at the edge of chaos, 2nd ed., Wiley, S, Chicago. Lewin, R. and Regine, B. (1998), “On the Edge in the World of Business”, in Lewin, R. (Ed.),

Complexity: Life at the edge of chaos, 2nd ed., Wiley, S, Chicago, pp. 197–211. Linnenluecke, M. and Griffiths, A. (2010), “Beyond Adaptation: Resilience for Business in Light of

Climate Change and Weather Extremes”, Business & Society, Vol. 49 No. 3, pp. 477–511. Linton, J.D., Klassen, R. and Vaidyanathan, J. (2007), “Sustainable supply chains: An introduction”,

Journal of Operations Management, Vol. 25 No. 6, pp. 1075–1082. Liu, D., Deters, R. and Zhang, W.J. (2010a), “Architectural design for resilience”, Enterprise Information

Systems, Vol. 4 No. 2, pp. 137–152. Liu, J., Lu Y.-H and Koh C.-K (2010b), “Performance Analysis of Arithmetic Operations in

Homomorphic Encryption”, Purdue Technical Report TR-ECE-10-08. Longstaff, P.H. (2005), Security, resilience, and communication in unpredictable environments such as

terrorism, natural disasters, and complex technology, Center for Information Policy Research, Harvard University.

Longstaff, P.H., Armstrong, N., Perrin, K., Parker, W.M. and Hidek, M.A. (2010), “Building Resilient Communities: A Preliminary Framework for Assessment”, Project on Resilience and Security white paper, Homeland Security Affairs, Vol. 4 No. 3, pp. 1–23.

Longstaff, P.H., Koslowski, T.G. and Geoghegan, W. (2013), “Translating Resilience: A Framework to Enhance Communication and Implementation”, 5th International Symposium on Resilience Engineering, Soesterberg, Netherlands, June 25-27, 2013.

Lorenz, D.F. (2010), “The diversity of resilience: contributions from a social science perspective”, Natural Hazards, pp. 1–18.

Luthans, F., Avey, J.B., Avolio, B.J. and Peterson, S.J. (2010), “The development and resulting performance impact of positive psychological capital”, Human Resource Development Quarterly, Vol. 21 No. 1, pp. 41–67.

Luthar, S.S., Cicchetti, D. and Becker, B. (2000), “The Construct of Resilience: A Critical Evaluation and Guidelines for Future Work”, Child Development, Vol. 71 No. 3, pp. 543–562.

Lynn, M.L. (2005), “Organizational Buffering. Managing Boundaries and Cores”, Organization Studies, Vol. 26 No. 1, pp. 37–61.

Machanavajjhala, A., Kifer, D., Gehrke, J. and Venkitasubramaniam, M. (2007), “L-diversity: Privacy beyond k-anonymity”, ACM Trans. Knowl. Discov. Data, Vol. 1 No. 1, pp. 24–35.

Madni, A.M. and Jackson, S. (2009), “Towards a Conceptual Framework for Resilience Engineering”, IEEE Systems Journal, Vol. 3 No. 2, pp. 181–191.

Makrinou, A., Mandaraka, M. and Assimakopoulos, D. (2008), “Environmental benchmarking for management of energy and water use: A study of SMEs in the Mediterranean region”, Environmental Quality Management, Vol. 17 No. 3, pp. 31–44.

Mallack, L. (1998), “Putting organizational resilience to work”, Industrial Management, Vol. 40 No. 8. Mamouni Limnios, E.A., Mazzarol, T., Ghadouani, A. and Schilizzi, Steven G. M. (2014), “The

Resilience Architecture Framework: Four organizational archetypes”, European Management Journal, Vol. 32 No. 1, pp. 104–116.

Marczyk, J. (2002), Beyond Optimization in Computer-Aided Engineering, Barcelona. Margolis, J.D. and Stoltz, P.G. (2010), “How to Bounce Back from Adversity. (cover story)”, Harvard

Business Review, Vol. 88 1/2, pp. 86–92. Markides, C.C. and Williamson, P.J. (1996), “Corporate diversification and organizational structure: A

resource-based view”, Academy of Management Journal, Vol. 39 No. 2, pp. 340–367. Maruyama, H. (Ed.) (2013), Towards Systems Resilience.

Masten, A.S. (2001), “Ordinary magic: Resilience processes in development”, American Psychologist, Vol. 56 No. 3, pp. 227–238.

Mathew, M. and Sumesh, N. (2010), “Pricing SaaS models: perceptions of business service providers and clients”, Journal of Services Research, Vol. 10 No. 1, pp. 51–68.

Matthews, H.S. and Lave, L.B. (2003), “Using input-output analysis for corporate benchmarking”, Benchmarking: An International Journal, Vol. 10 No. 2, pp. 153–168.

McAfee, A. and Brynjolfsson, E. (2012), “Big Data: The Management Revolution”, Harvard Business Review, Vol. 1.

McCann, J., Selsky, J. and Lee, J. (2009), “Building Agility, Resilience and Performance in Turbulent Environments”, People & Strategy, Vol. 32 No. 3, pp. 44–51.

McCann, J.E. (2004), “Organizational Effectiveness. Changing Concepts for Changing Environments”, Human Resource Planning, Vol. 27, pp. 42–50.

McCann, J.E. and Selsky, J.W. (2012), Mastering turbulence: The essential capabilities of agile and resilient individuals, teams, and organizations, First edition., Jossey-Bass, San Franciso.

McCoy, J. and Elwood, A. (2009), “Human factors in organisational resilience. Implications of breaking the psychological contract”, Journal of Business Continuity & Emergency Planning, Vol. 3 No. 4, pp. 368–375.

McDaniels, T., Chang, S., Cole, D., Mikawoz, J. and Longstaff, H. (2008), “Fostering resilience to extreme events within infrastructure systems: Characterizing decision contexts for mitigation and adaptation”, Global Environmental Change, Vol. 18 No. 2, pp. 310–318.

McDonald, N. (2006), “Organizational Resilience and Industrial Risk”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT, pp. 155–179.

Melcher, J. (2012), Process measurement in business process management: Theoretical framework and analysis of several aspects, KIT Scientific Publishing, Karlsruhe.

Melville, N.P. (2010), “Information systems innovation for environmental sustainability”, MIS Quaterly, Vol. 34 No. 1, pp. 1–21.

Mendoca, D. (2008), “Measures of Resilient Performance”, in Hollnagel, E., Nemeth, C.P. and Dekker, S. (Eds.), Resilience Engineering Perspectives 1. Remaining Sensitive to the Possibility of Failure, Ashgate, Aldershot, England, Burlington, VT, pp. 29–46.

Meyer, A.D. (1982), “Adapting to Environmental Jolts”, Administrative Science Quarterly, Vol. 27, pp. 515–537.

Meyer, J.F. (2013), “Model-based evaluation of system resilience”, paper presented at Annual IEEE/IFIP Conference on Dependable Systems and Networks, Budapest.

Miakisz, J.A. (1999), “Measuring and Benchmarking Environmental Performance in the Electric Utility Sector: The Experience of Niagara Mohawk”, in Bennett, M., James, P. and Klinkers, L. (Eds.), Sustainable Measures - Evaluation and Reporting of Environmental and Social Performance, Greenleaf Publishing, Sheffield, pp. 221–245.

Milliken, F.J. (1987), “Three Types of Perceived Uncertainty about the Environment: State, Effect, and Response Uncertainty”, The Academy of Management Review, Vol. 12 No. 1, pp. 133–143.

Mitleton-Kelly, E. (2003), Complex systems and evolutionary perspectives on organisations: The application of complexity theory to organisations, Pergamon, Oxford.

Moore, G.C. and Benbasat, I. (1991), “Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation”, Information Systems Research, Vol. 2 No. 3, pp. 192–222.

Müller, G. (2009), “War Internet die einzige Option? Welchen Weg soll die Wirtschaftsinformatik gehen?”, WIRTSCHAFTSINFORMATIK, Vol. 51 No. 1, pp. 53–60.

Müller, G. and Koslowski, T. (2012), Resilience: A useful Paradigm for IT-Social Infrastructures?, Research Cooperation YRL Hitachi and University of Freiburg, Deliverable No. 1, Freiburg.

Müller, G., Koslowski, T.G. and Accorsi, R. (2013), “Resilience - A New Research Field in Business Information Systems?”, in Abramowicz, W. (Ed.), Business Information Systems Workshops, Lecture Notes in Business Information Processing, Vol. 160, Springer Berlin Heidelberg, pp. 3–14.

Müller, G., Sonehara, N., Echizen, I. and Wohlgemuth, S. (2011), “Sustainable Cloud Computing”, Business & Information Systems Engineering, Vol. 3 No. 3, pp. 129–131.

Narayanan, A. and Shmatikov, V. (2009), “De-anonymizing Social Networks”, in Security and Privacy, 2009 30th IEEE Symposium on, pp. 173–187.

Nelson, D.R., Adger, W.N. and Brown, K. (2007), “Adaptation to Environmental Change: Contributions of a Resilience Framework”, in Matson, P.A. and Gadgil, A. (Eds.), Annual review of environment and resources, Annual Reviews, Inc., Palo Alto, Calif, pp. 395–419.

Nemeth, C.P. (2008), “Resilience Engineering: the Birth of a Notion”, in Hollnagel, E., Nemeth, C.P. and Dekker, S. (Eds.), Resilience Engineering Perspectives 1. Remaining Sensitive to the Possibility of Failure, Ashgate, Aldershot, England, Burlington, VT, pp. 3–9.

Nemeth, C.P. (2009), “The Ability to Adapt”, in Nemeth, C.P., Hollnagel, E. and Dekker, S. (Eds.), Resilience Engineering Perspectives 2. Preparation and restoration, Ashgate, Farnham, pp. 1–12.

Nemeth, C.P., Hollnagel, E. and Dekker, S. (Eds.) (2009), Resilience Engineering Perspectives 2. Preparation and restoration, Ashgate, Farnham.

Neubauer, T., Ekelhart, A. and Fenz, S. (2008), “Interactive Selection of ISO 27001 Controls under Multiple Objectives”.

Nohria, N. (2006), “Survival of the Adaptive”, Harvard Business Review, Vol. 84 No. 5, p. 23. Norris, F.H., Stevens, S.P., Pfefferbaum, B., Wyche, K.F. and Pfefferbaum, R.L. (2008), “Community

Resilience as a Metaphor, Theory, Set of Capacities, and Strategy for Disaster Readiness”, American Journal of Community Psychology, Vol. 41 1-2, pp. 127–150.

Ogata, H., Yano, Y., Furugori, N. and Jin, Q. (2001), “Computer supported social networking for augmenting cooperation”, Computer Supported Cooperative Work (CSCW), Vol. 10 No. 2, pp. 189–209.

O'Reilly III, C.A. and Tushman, M.L. (2004), “The Ambidextrous Organization”, Harvard Business Review, Vol. 82, pp. 74–81.

Orton, J.D. and Weick, K.E. (1990), “Loosely Coupled Systems: A Reconceptualization”, The Academy of Management Review, Vol. 15 No. 2, pp. 203–223.

Ott, K. and Döring, R. (2008), Theorie und Praxis starker Nachhaltigkeit, Metropolis-Verl., Marburg. Paillier, P., “Public-Key Cryptosystems Based on Composite Degree Residuosity Classes”, pp. 223–238. Palin, P. (2012), “Homeland Security Watch » Resilience on the (Deepwater) Horizon?”, available at:

http://www.hlswatch.com/2010/06/11/resilience-on-the-deepwater-horizon/ (accessed 29 May 2012). Panzar, J.C. and Willig, R.D. (1981), “Economies of Scope”, The American Economic Review, Vol. 71

No. 2, pp. 268–272. Park, J., Seager, T.P., Rao, P. S. C., Convertino, M. and Linkov, I. (2013), “Integrating Risk and

Resilience Approaches to Catastrophe Management in Engineering Systems”, Risk Analysis, Vol. 33 No. 3, pp. 356–367.

Perelman, L.J. (2006), “Shifting Security Paradigms: Toward Resilience”, in The Critical Infrastructure Protection Program (Ed.), Critical Thinking: Moving from Security to, George Mason University, Arlington, VA, pp. 22–47.

Perrow, C. (1984), Normal accidents: Living with high-risk technologies, Basic Books, New York.

Petersen, K.E. and Johannson, H. (2008), “Designing Resilient Critical Infrastructure Systems using Risk and Vulnerability Analysis”, in Hollnagel, E., Nemeth, C.P. and Dekker, S. (Eds.), Resilience Engineering Perspectives 1. Remaining Sensitive to the Possibility of Failure, Ashgate, Aldershot, England, Burlington, VT, pp. 159–170.

Pettit, T.J., Fiksel, J. and Croxton, K.L. (2010), “Ensuring Supply Chain Resilience: Development Of A Conceptual Framework”, Journal of Business Logistics, Vol. 31 No. 1, pp. 1–21.

Pika, A., Aalst, W.M.P., Fidge, C.J., Hofstede, A.H.M. and Wynn, M.T. (2013), “Profiling Event Logs to Configure Risk Indicators for Process Delays”, in Hutchison, H. and et al. (Eds.), Advanced Information Systems Engineering, Lecture Notes in Computer Science, Vol. 7908, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 465–481.

Pimm, S.L. (1984), “The Complexity and Stability of Ecosystems”, Nature, Vol. 307 No. 5949, pp. 321–326.

Pineda-Henson, R., Culaba, A.B. and Mendoza, G.A. (2002), “Evaluating Environmental Performance of Pulp and Paper Manufacturing Using the Analytic Hierarchy Process and Life-Cycle Assessment”, Journal of Industrial Ecology, Vol. 6 No. 1, pp. 15–28.

Ponomarov, S.Y. and Holcomb, M.C. (2009), “Understanding the concept of supply chain resilience”, International Journal of Logistics Management, Vol. 20 No. 1, pp. 124–143.

Porter, M.E. (op. 1998), Competitive strategy, Free Press, New York, London, Toronto.

Porter, M.E. and Reinhardt, F.L. (2007), “A Strategic Approach to Climate”, Harvard Business Review, Vol. 85 No. 10, pp. 22–26.

Porter, M.E. and van der Linde, C. (1995a), “Green and Competitive: Ending the Stalemate”, Harvard Business Review, Vol. 73 No. 5, pp. 120–134.

Porter, M.E. and van der Linde, C. (1995b), “Toward a New Conception of the Environment-Competitiveness Relationship”, The Journal of Economic Perspectives, Vol. 9 No. 4, pp. 97–118.

Power, D.J. (2002), Decision support systems: Concepts and resources for managers, Quorum Books, Westport, Conn.

Power, D.J. (2008), “Decision Support Systems: A Historical Overview”, in Handbook on Decision Support Systems 1, International Handbooks Information System, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 121–140.

Powley, E.H. (2009), “Reclaiming resilience and safety: Resilience activation in the critical period of crisis”, Human Relations, Vol. 62 No. 9, pp. 1289–1326.

Pozewaunig, H., Eder, J. and Liebhart, W. (1997), “ePERT. extending Pert for workflow management system”, in ADBIS, pp. 217–224.

Prokein, O. (2008), IT-Risikomanagement: Identifikation, Quantifizierung und wirtschaftliche Steuerung, Gabler Edition Wissenschaft Markt- und Unternehmensentwicklung, 1. Aufl, Gabler, Wiesbaden.

Pruijt, H. (2000), “Repainting, modifying, smashing Taylorism”, Journal of Organizational Change Management, Vol. 13 No. 5, pp. 439–451.

Ramchandani, C. (1974), Analysis of asynchronous concurrent systems by timed Petri nets: Technical Report, Massachusetts Institute of Technology, Cambridge, MA, USA.

Reap, J., Roman, F., Duncan, S. and Bras, B. (2008), “A survey of unresolved problems in life cycle assessment”, The International Journal of Life Cycle Assessment, Vol. 13 No. 5, pp. 374–388.

Reid, E.M. and Toffel, M.W. (2009), “Responding to public and private politics: corporate disclosure of climate change strategies”, Strategic Management Journal, Vol. 30 No. 11, pp. 1157–1178.

Reijers, H.A., Song, M. and van der Aalst, W.M.P. (2005), “Discovering Social Networks from Event Logs”, Computer Supported Cooperative Work (CSCW), Vol. 14 No. 6, pp. 549–593.

Reinmoeller, P. and van Baardwijk, N. (2005), “The Link Between Diversity and Resilience”, MIT Sloan Management Review, Vol. 46 No. 4, pp. 61–65.

Rice, J.B., JR and Caniato, F. (2003), “Building a secure and resilient supply network”, Supply Chain Management Review, Vol. 7 No. 5, pp. 22–30.

Richmond, B. (1997), “The Strategic Forum: aligning objectives, strategy and process”, System Dynamics Review, Vol. 13 No. 2, pp. 131–148.

Rid, T. (2012), “Cyber War Will Not Take Place”, Journal of Strategic Studies, Vol. 35 No. 1, pp. 5–32.

Riolli, L. and Savicki, V. (2003), “Information system organizational resilience”, Omega, Vol. 31 No. 3, p. 227.

Risk Response Network (2012), Global risks 2012, 7th ed., World Economic Forum, Cologny, Switzerland.

Roberts, K.H. (1990), “Some Characteristics of One Type of High Reliability Organization”, Organization Science, Vol. 1 No. 2, pp. 160–176.

Rogers, E.M. (2003), Diffusion of innovations, 5th ed., Free Press, New York.

Rose, A. (2004), “Defining and measuring economic resilience to disasters”, Disaster Prevention and Management, Vol. 13 No. 4, pp. 307–314.

Rosenberg, N. (1982), Inside the black box: technology and economics.

Runeson, P. and Höst, M. (2009), “Guidelines for conducting and reporting case study research in software engineering”, Empirical Software Engineering, Vol. 14 No. 2, pp. 131–164.

Salzmann, O., Ionescu-Somers, A. and Steger, U. (2005), “The Business Case for Corporate Sustainability: Literature Review and Research Options”, European Management Journal, Vol. 23 No. 1, pp. 27–36.

Samarati, P. and Sweeney, L. (1998), “Generalizing data to provide anonymity when disclosing information (Abstract)”, in 17th Proceedings of the ACM Symposium on Principles of Database Systems, Seattle, p. 188.

SAP (2011), “SAP Benchmarking - EMEA”, available at: http://benchmarking.sap.com/emea/ (accessed 28 April 2011).

Sarkis, J. (2003), “A strategic decision framework for green supply chain management”, Journal of Cleaner Production, Vol. 11 No. 4, pp. 397–409.

Sarkis, J. (2010), “Benchmarking the greening of business”, Benchmarking: An International Journal, Vol. 17 No. 3, pp. 421–434.

Sarkis, J. and Talluri, S. (2002), “A Model for Strategic Supplier Selection”, The Journal of Supply Chain Management, Vol. 38 No. 1, pp. 18–28.

Saunders, C., Wu, Y., Li, Y. and Weisfeld, S. (2004), “Interorganizational trust in B2B relationships”, in Proceedings of the 6th international conference on Electronic commerce, ACM, Delft, The Netherlands, pp. 272–279.

Schneider, F.B. (2000), “Enforceable security policies”, ACM Transactions on Information and System Security, Vol. 3 No. 1, pp. 30–50.

Schweitzer, F., Fagiolo, G., Sornette, D., Vega-Redondo, F., Vespignani, A. and White, D.R. (2009), “Economic Networks: The New Challenges”, Science, Vol. 325 No. 5939, pp. 422–425.

Scott, J. (1991), Social network analysis, Sage, Newbury Park, CA.

Seager, T.P. (2008), “The sustainability spectrum and the sciences of sustainability”, Business Strategy and the Environment, Vol. 17 No. 7, pp. 444–453.

Seligman, M.E.P. (2011), “Building Resilience”, Harvard Business Review, Vol. 89 No. 4, pp. 100–106.

Senge, P.M. (1997), The fifth discipline, 1st ed., Doubleday, New York.

Seo, D. and La Paz, Ariel I. (2008), “Exploring the dark side of IS in achieving organizational agility”, Communications of the ACM, Vol. 51 No. 11, p. 136.

Sharma, S. and Henriques, I. (2005), “Stakeholder influences on sustainability practices in the Canadian forest products industry”, Strategic Management Journal, Vol. 26 No. 2, pp. 159–180.

Shaw, S., Grant, D.B. and Mangan, J. (2010), “Developing environmental supply chain performance measures”, Benchmarking: An International Journal, Vol. 17 No. 3, pp. 320–339.

Sheffi, Y. (2007), “The Resilient Enterprise. Overcoming Vulnerability for Competitive Advantage”, MIT Press Books.

Simon, H.A. (1996), The sciences of the artificial, 3rd ed, MIT Press, Cambridge, Mass.

Smit, B. and Wandel, J. (2006), “Adaptation, adaptive capacity and vulnerability”, Global Environmental Change, Vol. 16 No. 3, pp. 282–292.

Smith, D. and Fischbacher, M. (2009), “The changing nature of risk and risk management: The challenge of borders, uncertainty and resilience”, Risk Management, Vol. 11 No. 1, pp. 1–12.

Somers, S. (2009), “Measuring Resilience Potential: An Adaptive Strategy for Organizational Crisis Planning”, Journal of Contingencies & Crisis Management, Vol. 17 No. 1, pp. 12–23.

Spendolini, M. (1992), The benchmarking book, Amacom, New York.

Staber, U. and Sydow, J. (2002), “Organizational Adaptive Capacity”, Journal of Management Inquiry, Vol. 11 No. 4, pp. 408–424.

Stephenson, A., Vargo, J. and Seville, E. (2010), “Measuring and Comparing Organisational Resilience in Auckland”, Australian Journal of Emergency Management, Vol. 25 No. 2, pp. 27–32.

Sterbenz, J.P.G., Çetinkaya, E.K., Hameed, M.A., Jabbar, A. and Rohrer, J.P. (2011), “Modelling and analysis of network resilience”, Bangalore.

Sterbenz, J.P.G., Hutchison, D., Çetinkaya, E.K., Jabbar, A., Rohrer, J.P., Schöller, M. and Smith, P. (2010), “Resilience and Survivability in Communication Networks. Strategies, Principles, and Survey of Disciplines”, Computer Networks: Special Issue on Resilient and Survivable Networks (COMNET), Vol. 54 No. 8, pp. 1245–1265.

Stolker, R.J., Karydas, D.M. and Rouvroye, J.L. (2008), “A comprehensive approach to assess operational resilience”, in Proceedings of the third resilience engineering symposium, Antibes-Juan-les-Pins, France.

Strunz, S. (2012), “Is conceptual vagueness an asset? Arguments from philosophy of science applied to the concept of resilience”, Ecological Economics, Vol. 76, pp. 112–118.

Subashini, S. and Kavitha, V. (2011a), “A survey on security issues in service delivery models of cloud computing”, Journal of Network and Computer Applications, Vol. 34 No. 1, pp. 1–11.

Subashini, S. and Kavitha, V. (2011b), “A survey on security issues in service delivery models of cloud computing”, Journal of Network and Computer Applications, Vol. 34 No. 1, pp. 1–11.

Suddaby, R. (2010), “Editor's Comments. Construct Clarity in Theories of Management and Organization”, Academy of Management Review, Vol. 35 No. 3, pp. 346–357.

Suriadi, S., Weiss, B., Winkelmann, A., ter Hofstede, A., Wynn, M., Ouyang, C., Adams, M., Conforti, R., Fidge, C., La Rosa, M. and et al. (2012), Current research in risk-aware business process management - overview, comparison, and gap analysis, 50606, QUT ePrints.

Susarla, A., Barua, A. and Whinston, A.B. (2010), “Multitask Agency, Modular Architecture, and Task Disaggregation in SaaS”, Journal of Management Information Systems, Vol. 26 No. 4, pp. 87–118.

Sutcliffe, K.M. and Vogus, T. (2003), “Organizing for resilience”, in Cameron, K.S., Dutton, J.E. and Quinn, R.E. (Eds.), Positive Organizational Scholarship, Berrett-Koehler, San Francisco.

Sydow, J., Schreyögg, G. and Koch, J. (2009), “Organizational path dependence: opening the black box”, Academy of Management Review, Vol. 34 No. 4, pp. 689–709.

Taleb, N.N. (2008), The black swan: The impact of the highly improbable, Penguin, London.

Tanriverdi, H., Rai, A. and Venkatraman, N. (2010), “Research Commentary - Reframing the Dominant Quests of Information Systems Strategy Research for Complex Adaptive Business Systems”, Information Systems Research, Vol. 21 No. 4, pp. 822–834.

Teece, D. and Pisano, G. (1994), “The Dynamic Capabilities of Firms: an Introduction”, Industrial and Corporate Change, Vol. 3 No. 3, pp. 537–556.

The Critical Infrastructure Protection Program (Ed.) (2006), Critical Thinking: Moving from Security to, George Mason University, Arlington, VA.

Timmerman, P. (1981), Vulnerability, resilience and the collapse of society: A review of models and possible climatic applications, Toronto, Canada.

Tjaden, G.S. (1999), Business Process Structural Analysis.

Tjoa, S., Jakoubi, S. and Quirchmayr, G., “Enhancing Business Impact Analysis and Risk Assessment Applying a Risk-Aware Business Process Modeling and Simulation Methodology”, March 4th-7th, Barcelona Spain.

Travassos, G.H., Maldonado, J.C., Wohlin, C., Mendes, E., Berander, P. and Jönsson, P. (2006), “A goal question metric based approach for efficient measurement framework definition”, in Proceedings of the 2006 ACM/IEEE International Symposium on Empirical Engineering, New York, pp. 316–325.

Tsai, J., Jennhwa Yang, S. and Yao-Hsiung Chang (1995), “Timing constraint Petri nets and their application to schedulability analysis of real-time system specifications”, IEEE Transactions on Software Engineering, Vol. 21 No. 1, pp. 32–49.

Tukker, A. and Jansen, B. (2006), “Environmental Impacts of Products: A Detailed Review of Studies”, Journal of Industrial Ecology, Vol. 10 No. 3, pp. 159–182.

Välikangas, L. (2007), “Rigidity, exploratory patience, and the ecological resilience of organizations”, Scandinavian Journal of Management, Vol. 23 No. 2, pp. 206–213.

Välikangas, L. and Romme, A.G.L. (2013), “How to Design for Strategic Resilience. A Case Study in Retailing”, Journal of Organization Design, Vol. 2 No. 2, pp. 44–53.

van der Aalst, W.M.P. (2004), “Business process management: a personal view”, Business Process Management Journal, Vol. 10 No. 2, pp. 1–12.

van der Aalst, W.M.P. (2011), Process mining: Discovery, conformance and enhancement of business processes, Springer, Berlin [u.a.].

van der Aalst, W.M.P. and Weijters, A.J.M.M. (2004), “Process mining: a research agenda”, Process / Workflow Mining, Vol. 53 No. 3, pp. 231–244.

van der Aalst, W.M.P., Schonenberg, M.H. and Song, M. (2011), “Time prediction based on process mining”, Information Systems, Vol. 36 No. 2, pp. 450–475.

Vanderfeesten, I., Reijers, H.A. and van der Aalst, Wil M.P. (2008), “Evaluating workflow process designs using cohesion and coupling metrics”, Computers in Industry, Vol. 59 No. 5, pp. 420–437.

Varian, H., Farrell, J. and Shapiro, C. (2005), The economics of information technology: an introduction, Cambridge.

Venkatraman, N. and Camillus, J.C. (1984), “Exploring the Concept of "Fit" in Strategic Management”, Academy of Management Review, Vol. 9 No. 3, pp. 513–525.

Victor, B. and Blackburn, R.S. (1987), “Interdependence: An Alternative Conceptualization”, Academy of Management Review, Vol. 12 No. 3, pp. 486–498.

Visser, W., Matten, D., Pohl, M. and Tolhurst, N. (2007), The A to Z of corporate social responsibility a complete reference guide to concepts, codes and organizations, Wiley, Chichester (UK).

Vogus, T.J. and Sutcliffe, K.M. (2007), “Organizational resilience: Towards a theory and research agenda”, IEEE International Conference on Systems, Man and Cybernetics, pp. 3418–3422.

Vom Brocke, J. and Rosemann, M. (2010), Handbook on business process management 1: Introduction, methods and information systems, International handbooks on information systems, Springer, Berlin, London.

Walker, B., Carpenter, S., Anderies, J., Abel, N., Cumming, G., Janssen, M., Lebel, L., Norberg, J., Peterson, G.D. and Pritchard, R. (2002), “Resilience management in social-ecological systems: a working hypothesis for a participatory approach”, Conservation Ecology, Vol. 6 No. 1, p. 14.

Walker, B., Gunderson, L.H., Kinzig, A.P., Folke, C., Carpenter, S.R. and Schultz, L. (2006), “A Handful of Heuristics and Some Propositions for Understanding Resilience in Social-Ecological Systems”, Ecology and Society, Vol. 11 No. 1.

Walker, B., Holling, C.S., Carpenter, S.R. and Kinzig, A. (2004), “Resilience, adaptability and transformability in social-ecological systems”, Ecology and Society, Vol. 9 No. 2, p. 5.

Walker, B. and Salt, D. (2012), Resilience practice: Building capacity to absorb disturbance and maintain function, Island Press, Washington and London.

Walker, B.H. and Salt, D. (2006), Resilience thinking: Sustaining ecosystems and people in a changing world, Island Press, Washington, DC.

Wang, J.W., Gao, F. and Ip, W.H. (2010), “Measurement of resilience and its application to enterprise information systems”, Enterprise Information Systems, Vol. 4 No. 2, pp. 215–223.

Wang, Q. and Li, N. (2010), “Satisfiability and Resiliency in Workflow Authorization Systems”, ACM Trans. Inf. Syst. Secur., Vol. 13 No. 4, pp. 40:1–40:35.

Wasserman, S. and Faust, K. (1994), Social network analysis: Methods and applications, Structural analysis in the social sciences, Vol. 8, Cambridge University Press, Cambridge, New York.

Wastell, D.G., McMaster, T. and Kawalek, P. (2006), “The rise of the phoenix: methodological innovation as a discourse of renewal”, Journal of Information Technology, Vol. 22 No. 1, pp. 59–68.

Watson, R.T., Boudreau, M.-C. and Chen, A.J. (2010), “Information Systems And Environmentally Sustainable Development: Energy Informatics and new Directions for the IS Community”, MIS Quarterly, Vol. 34 No. 1, pp. 23–38.

WEF (2013), Global risks 2013 - Insight Report, Vol. 8, 8th, World Economic Forum, Cologny/Geneva, Switzerland.

Weick, K.E. (1995), Sensemaking in organizations, Foundations for organizational science, Sage Publications, Thousand Oaks.

Weick, K.E. and Sutcliffe, K.M. (2001), Managing the unexpected: Assuring high performance in an age of complexity, 1st ed., Jossey-Bass, San Francisco.

Weick, K.E. and Sutcliffe, K.M. (2006), “Mindfulness and the Quality of Organizational Attention”, Organization Science, Vol. 17 No. 4, pp. 514–524.

Weick, K.E. and Sutcliffe, K.M. (2007), Managing the unexpected: Resilient performance in an age of uncertainty, 2nd ed., Jossey-Bass, San Francisco.

Weick, K.E., Sutcliffe, K.M. and Obstfeld, D. (2005), “Organizing and the Process of Sensemaking”, Organization Science, Vol. 16 No. 4, pp. 409–421.

Weidema, B.P., Thrane, M., Christensen, P., Schmidt, J. and Løkke, S. (2008), “Carbon Footprint”, Journal of Industrial Ecology, Vol. 12 No. 1, pp. 3–6.

Wernerfelt, B. (1984), “A resource-based view of the firm”, Strategic Management Journal, Vol. 5 No. 2, pp. 171–180.

Wiedmann, T.O., Lenzen, M. and Barrett, J.R. (2009), “Companies on the Scale”, Journal of Industrial Ecology, Vol. 13 No. 3, pp. 361–383.

Wildavsky, A.B. (1988), Searching for safety, Studies in social philosophy & policy, no. 10, Transaction Books, New Brunswick, USA.

Winkler, U., Gilani, W., Guitman, A. and Marshall, A. (2012), “Models and Methodology for Automated Business Continuity Analysis”, 17th IEEE International Conference on Engineering of Complex Computer Systems, July 18 - 20, Paris, pp. 57–64.

Wolfram, S. (1986), “How Can Complex Systems Be Used in Engineering? Approaches to Complexity Engineering”, Physica D: Nonlinear Phenomena, Vol. 22, pp. 385–399.

Wolstenholme, E.F. (1999), “Qualitative vs Quantitative Modeling: The Evolving Balance”, The Journal of the Operational Research Society, Vol. 50 No. 4, pp. 422–428.

Wolter, K. (2012), Resilience assessment and evaluation of computing systems, Springer, Berlin, London.

Woods, D. (2006a), “Engineering Organizational Resilience to Enhance Safety. A Progress Report on the Emerging Field of Resilience Engineering”, Proceedings of the Human Factors and Ergonomics Society Annual Meeting, Vol. 50, pp. 2237–2241.

Woods, D. (2006b), “Resilience and the Ability to Anticipate”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT.

Woods, D.D. (2006c), “Essential characteristics of resilience”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT, pp. 21–35.

Wreathall (2006), “Properties of Resilient Organizations: An Initial View”, in Hollnagel, E., Woods, D.D. and Leveson, N. (Eds.), Resilience engineering. Concepts and precepts, Ashgate, Aldershot, England, Burlington, VT, pp. 275–285.

Yao, A.C.-C. (1986), “How to generate and exchange secrets”, in Proceedings of the 27th IEEE symposium on foundations of computer science, pp. 162–167.

Yen, V.C. (2009), “An integrated model for business process measurement”, Business Process Management Journal, Vol. 15 No. 6, pp. 865–875.

Zahoransky, R., Koslowski, T.G. and Accorsi, R. (2014), “Resilience Assessment in Business Process Architectures”, in Bondavalli, A., Ceccarelli, A. and Ortmeier, F. (Eds.), SAFECOMP 2014 - 1st International Workshop on Reliability and Security Aspects for Critical Infrastructure Protection (ReSA4CI 2014), Firenze, Italy, 9th Sept, Springer, Berlin, New York, pp. accepted.

Zhang, W.J. and Lin, Y. (2010), “On the principle of design of resilient systems – application to enterprise information systems”, Enterprise Information Systems, Vol. 4 No. 2, pp. 99–110.

Zhou, P., Ang, B.W. and Poh, K.L. (2008), “A survey of data envelopment analysis in energy and environmental studies”, European Journal of Operational Research, Vol. 189 No. 1, pp. 1–18.

Zhu, F. (2010), “A study of Green Manufacturing in workshop Production scheduling system”, International conference on future information technology and management engineering (FITME), Vol. 1, pp. 28–30.

Zobel, C.W. (2011), “Representing perceived tradeoffs in defining disaster resilience”, Decision Support Systems, Vol. 50 No. 2, pp. 394–403.

Zobel, C.W. and Khansa, L. (2012), “Quantifying Cyberinfrastructure Resilience against Multi-Event Attacks”, Decision Sciences, Vol. 43 No. 4, pp. 687–710.

Zook, C. and Allen, J. (2010), Profit from the core: A return to growth in turbulent times, rev. ed, Harvard Business, Boston, Mass.