Introduction

In the context of public or private organisations, the term "security" can currently be understood in two ways: as a state or perception, and as a process of risk reduction and protection, or of resilience building in the face of possible threat scenarios (Jore 2019, pp. 157–174).

Security understood as a state or perception can vary significantly according to different 'situational factors' and, notably for individuals, between different places and times of day, also taking into account that such perceptions can be influenced by the adoption of situational crime prevention measures (Hirschfield 2004, pp. 9–20) (George and Mawby 2013, pp. 93–104) or the degree of familiarity with the risk (Borodzicz and Gibson 2007, p. 142). At the organisational level, boards of directors of large companies are paying attention to security risks, as these are also perceived as a cause of disruption in international business (Goosman 2022, pp. 237–244) (Dau et al. 2018, pp. 79–97) (White 2013, pp. 425–442); while depending on the functional area asked, perceptions may vary within the organisation itself (Burns 2016).

Security understood as a process (in addition to routinely managing those operational risks of organisations intentionally induced by humans) actively collaborates in obtaining and analysing intelligence information received by senior management for strategic decision-making (Crump 2015), as well as in comprehensive crisis management (Borodzicz and Gibson 2007, p. 142) when facing serious disruptive events (global pandemics, natural disasters, large-scale cyber-attacks, etc.).

In an earlier study by the authors on security risk management, it was concluded that, over the last thirty years, the discipline of security risk management has established itself on the one hand as a subject area in its own right, and on the other hand as a field closely linked to enterprise risk management (hereafter ERM). Among its conclusions, it was considered pertinent to delve deeper into the current contribution to the organisational resilience of a security management system (hereinafter SMS) based on Enterprise Security Risk Management (hereinafter ESRM). In parallel, it was highlighted that it would also be relevant to identify and analyse the managerial implications of corporate security leadership and its capacity to promote organisational resilience through ESRM.

To avoid the SMS being misaligned with the rest of the organisation's corporate functions and the achievement of its objectives (Bernardo et al. 2018, pp. 453–480), such a system should be embedded in the organisation's integrated management system (hereinafter IMS), together with other corporate areas involved in risk governance. This applies especially to those areas with shared responsibility for the governance and implementation of the processes that, together with risk management, constitute the core of an organisation's operational resilience and the preparation of its response plans: crisis management, business continuity and emergency or incident management (Mehravari 2013, pp. 119–125).

According to Petruzzi and Loyear (Petruzzi and Loyear 2016, pp. 44–56), ESRM involves all parts of the business, proactively recognising and addressing risk, without overlooking that the alignment of business continuity and crisis management within the ESRM philosophy is a key requirement in any resilience programme. Along these lines, ASIS International already refers to these resilience processes in its standard ORM.1–2017 "Security and Resilience in Organisations and their Supply Chains" (ANSI/ASIS 2017). It is closely linked to sustainability and the supply chain, where it highlights the need to "continually integrate and optimise their risk and business management processes". In the fields of business management and supply chain management, sustainability is considered a component of resilience, i.e. increasing the sustainability of the system makes the system more resilient (Balugani et al. 2020, p. 1742). According to Ogrean (Ogrean 2018, pp. 526–536), both of these—resilience and sustainability—have emerged as some of the biggest challenges facing organisations in their strategic pursuit of performance and competitiveness.

In the current Volatile, Uncertain, Complex and Ambiguous (V.U.C.A.) environment, in which companies and organisations operate, it is necessary to improve the efficiency of their internal processes through specific management systems. Many of them have started by implementing one or more management systems, usually beginning with quality, environmental and occupational health and safety, but as the number of management systems to be implemented grew, problems arose from the multiplicity of management systems, which were subsequently mitigated after the implementation of IMS (Zeng et al.

• Purpose and scope.
• Standards for consultation.
• Terms and definitions.
• Organisational context.
• Leadership.
• Planning.
• Support.
• Operation.
• Performance evaluation.
• Improvement.

The content of each of the first three clauses is discipline-specific, and each standard may even have its own associated bibliography. From a governance and compliance point of view, the remaining seven clauses are perfectly quantifiable for any organisation that intends to implement them, and a desirable target maturity level can therefore be determined.

Security management systems

Among the international standards and guidelines related to security are those described in Table 3. Although no two security functions are the same, many organisations appoint a senior security executive to implement a strategic security framework with a wide range of responsibilities (ASIS 2022a), particularly in multinationals or where such a role is required for regulatory compliance, as in the case of critical infrastructure, essential services or a state's defence-related industry. Of these standards, ISO 28000 was revised in 2022 and now allows for better alignment with ISO 31000 in terms of recommendations on principles, and with ISO 22301 in terms of security strategies, procedures, processes, treatments and security plans. Figure 5 shows that ISO 28000 also applies the Plan-Do-Check-Act (PDCA) model to plan, establish, implement, operate, monitor, review, maintain and continually improve the effectiveness of an organisation's security management system. This gives it a degree of consistency with other management system standards, such as ISO 9001, ISO 14001, ISO/IEC 27001 and ISO 45001, which allows consistent and integrated implementation and operation alongside related management systems.

Table 3 List of guidelines and standards related to security risk management available from various sources

Fig. 5 PDCA model applied to the security management system, extracted from ISO 28000:2022

Integrated management systems

According to the Spanish Association for Quality, the integration of management systems is defined as the set of related or interacting elements that make it possible to implement and achieve the policy and objectives of an organisation, in terms of various aspects such as quality, environment, health and safety, or other management disciplines (AEC 2019). For reasons of efficiency in implementation, reduced bureaucracy, ease of auditability and a better unitary vision, organisations tend to develop integrated management systems in a way that links their components, instead of keeping each management system separate in silos (Calvo and Zapata 2010, pp. 1555–1564), regardless of which function within the company is ultimately responsible for governing them within its area of responsibility. Other authors highlight that this integration uses common resources to support the improvement of stakeholder satisfaction (Bernardo et al. 2017, pp. 121–133). Both ISO and BSI, among others, have also contributed to the integration of these management systems, especially due to the similarities and compatibility of standards such as ISO 9001, ISO 14001, ISO 45001 or PAS 99.

There can be different motivations for implementing an IMS, such as customer or public regulator requirements, or following the competitors' lead. If we focus on the benefits, it is clear that reducing the number of audits and simplifying the process of self-certification or certification by external bodies lowers the associated costs and bureaucracy (Zeng et al. 2010, pp. 171–179). It also seems logical that the greater the number of systems and processes to be integrated, the greater the difficulty of implementation (Bernardo et al. 2012, pp. 23–33). There is abundant literature addressing the benefits and drawbacks of IMS implementation, including the different levels of integration and strategies adopted (Domingues et al. 2016, pp. 164–174), but it must be up to each organisation to determine the boundaries and applicability of the IMS when establishing its scope.

In accordance with the purpose of this study, a proposed methodology is presented through which the state of a security management system can be discerned, with sufficient flexibility to indicate its level of maturity regardless of the matters each organisation attributes to the security function, including the transversal governance of the organisation's operational resilience.

Methodology

The academic community is already aware of the urgency regarding resilience and has made some progress in this area. However, there is still limited research on metrics, the delivery mechanism and the relationship with other organisational variables (Xiao and Cao 2017, p. 4021), such as its interaction with security as a function responsible for the governance of operational resilience within the organisation. There are a number of integrated organisational resilience models that have been successfully implemented in a variety of different organisations, but for such models to make a significant contribution to organisational resilience, they must be based on a robust risk management programme that provides the foundation linking different organisational capabilities, such as emergency, business continuity, security and crisis management (Gibson and Tarrant 2010, pp. 8–14).

A Maturity Model (MM) is a technique that has proven valuable for measuring different aspects of a process or an organisation and represents a path towards an increasingly organised and systematic way of doing business (Proença and Borbinha 2016, pp. 1042–1049). The authors of this research have also reviewed the literature on governance models for security risk based on ESRM, noting that academia has only begun to produce specific models that determine the maturity of a security management system linked to organisational governance and ERM through an ESRM programme, with a clear correspondence not only with internationally recognised management systems but also with the specificity of the operations inherent to the security function within the organisation.

In the review of the international standards related to security, it has been noted that the specifications of some of the standards are not detailed, remaining at a very general level and serving only to indicate compliance or non-compliance under the auditor's criteria, without providing a breakdown of the minimum points that determine the level of maturity in the operational area. For this reason, a flexible model is needed in terms of the attributes that can be selected from a wide range of those historically entrusted to the business security function and corporate security departments of organisations, such as security of assets, people and information, but also crisis management and intelligence. All common steps in the structure of an ISO standard are met in this model, with the "Operation" section being the one that will vary from one organisation to another without influencing the final maturity assessment, allowing flexibility in the operational approach chosen by the organisation. For example, there will be organisations where security has operational responsibility for crisis management; in others, it will have prerogatives in terms of business continuity or emergency management, whilst it is also common for it to have intelligence attributions (ASIS Foundation 2022) in support of the business strategy. This model makes it possible, regardless of the powers assigned to security, to establish a level of maturity and strategies to advance from an initial starting point to the level desired by senior management in accordance with its strategic objectives.

Organisations where the corporate security function is also in charge of the cross-cutting governance of operational resilience, even if the responsibility for its implementation lies with the business itself, can utilise the flexibility of this model by matching resilience management systems (i.e. ISO 22316, 22361, 22301 and 22320) and security-specific ones (i.e. ISO 28000). As can be seen in Fig. 3, the whole process of operational resilience can be divided into three phases. The first phase begins with the implementation of the management system, which may be embedded within the security management system, and continues until the moment when an event previously identified as triggering one or more of the response plans occurs, either as a real disruptive scenario or as an exercise created for testing and training the teams. The third phase is the "new normal" phase, where the acquired capabilities become part of the continuous improvement process included in the first phase.

Results

Taking into account all of the above, a model called ERMsec© has been developed, which is made up of a questionnaire divided into two sections. The first section consists of six initial control questions that help to frame the organisation within its geographical and activity sector (Fig. 6), and the second section consists of thirty-four variables distributed in seven parts that coincide with the seven clauses of Fig. 5. The result of the second section determines the maturity level according to the Capability Maturity Model Integration scale initially developed by Carnegie Mellon University (CMMI Institute 2020), which establishes 5 levels of process maturity: Non-Existent/Not Wanted (0); Ad Hoc (1); Repeatable (2); Defined (3); Managed (4); Optimised (5).

Fig. 6 First section of the ERMsec© questionnaire. Source: own elaboration

A variable is a magnitude whose values are the object of study, and its definition makes measurable what is intended to be evaluated (Medianero Burga 2014, p. 61). In general, a variable (Fig. 7) has five basic elements:

I. Name. It should be short and easy to remember. It must be unambiguous, avoiding confusion with other variables.

II. Operational definition. A variable is an attribute or characteristic that can be measured, but without an adequate operational definition it could not be measured.

III. Criteria for reference measurement. To measure the variables, it is necessary to indicate the measurement scale that will be used for information processing. In this tool, each variable includes requirements that serve as a reference to obtain a value associated with the CMMI maturity level. For example, if any one of the requirements is met, the value of the variable will be "1" on the CMMI maturity scale; and if all the requirements are met, the value will be "5".

IV. Procedure to collect the data. To obtain data from primary sources, a survey has been prepared consisting of questions and their responses, which for their systematic processing have been grouped into two sections with different measurement scales.

Fig. 7 Example of a variable in the second section of the ERMsec© questionnaire. Source: own elaboration

The first section is made up of six initial control questions, which are not complex, as it is easy to obtain a numerical value, choose an option from a list or fill in a free text field. These questions allow organisations to be compared according to their position in the stock market, sector of activity, resources allocated to the security function and the position of the Senior Security Executive and its department in the organisation's hierarchy (Fig. 6).

The second section consists of a total of thirty-four variables, with their respective criteria for reference measurement. In order to develop a high-level assessment that provides consistent and substantiated results, an effort was made to identify the key cross-cutting compliance indicators of the international standards on which each of the variables, which contain the detailed assessments of the management system, is based. The international norms and standards that have been correlated to develop each of the issues in the second section have been, among others: COSO ERM – 2017; UNE-EN-ISO 22301:2019; ISO 22316:2017; UNE-ISO 28000:2007; UNE-ISO 31000:2018; UNE 166006:2018; UNE-EN ISO/IEC 27001; ESRM Maturity Assessment (ASIS 2022b); ANSI/ASIS ORM.1-2017; ANSI/ASIS/RIMS RA1-2015; ANSI/ASIS PAP.1: 2012; ANSI/ASIS PSC.1: 2012; BS 65000:2014. The correlation between them has been based on Annex SL (ISO 2021).

V. Indicators of data collected. These two sections of the questionnaire make it possible to compare the results obtained in order to determine whether the company's position in the market or sector, as well as the size of its resources, influence the maturity of the integrated security management system.

The second section contains the questions that allow specific data to be obtained about the management system itself, and the assessments that produce both the partial result of each question and the total result of the questionnaire. The result of each of the seven parts in Fig. 8 is the average of the questions that compose it and is represented graphically. These graphs have also been incorporated in the results template to improve its comprehension and therefore facilitate the determination of action plans to reach the desired target (an example segment is available in this link). In addition, the model allows for the comparison of business units within the organisation itself, of specific operations, or comparison with other organisations in its sector or area of influence. For better strategic governance, it is recommended to set a reference target to compare with the resulting value, as shown in Fig. 9.
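As an added illustration of the scoring logic described for the variables (element III) and for the seven parts above, the following Python is not the authors' ERMsec© tool but a reconstruction of the rules the text states: each variable maps its met requirements onto the 0-5 CMMI scale, each part is the average of its variables, and the result is compared with a reference target. The proportional rounding for partially met variables, the averaging of parts into a total, the sample variables and the uniform target level are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# CMMI-derived maturity scale used by the model, one label per level.
MATURITY_LABELS = {0: "Non-Existent/Not Wanted", 1: "Ad Hoc", 2: "Repeatable",
                   3: "Defined", 4: "Managed", 5: "Optimised"}

# The seven parts of the second section (Annex SL clauses 4 to 10).
PARTS = ("Organisational context", "Leadership", "Planning", "Support",
         "Operation", "Performance evaluation", "Improvement")


@dataclass
class Variable:
    name: str              # short, unambiguous name
    met: Tuple[bool, ...]  # one flag per reference requirement of the variable

    def score(self) -> int:
        """Map satisfied requirements onto the 0-5 scale.
        End points follow the paper (any one met -> 1, all met -> 5); the
        proportional rounding for intermediate cases is an assumption."""
        n_met, total = sum(self.met), len(self.met)
        if n_met == 0:
            return 0
        if n_met == total:
            return 5
        return max(1, min(4, int(5 * n_met / total + 0.5)))


def part_scores(parts: Dict[str, List[Variable]]) -> Dict[str, float]:
    """Each part's result is the average of the variables that compose it."""
    return {p: round(sum(v.score() for v in vs) / len(vs), 2) for p, vs in parts.items()}


def overall_maturity(scores: Dict[str, float]) -> float:
    """Total result as the average of the seven parts (averaging rule assumed)."""
    return round(sum(scores.values()) / len(scores), 2)


def label_for(score: float) -> str:
    """Nearest CMMI label, so 3.07 reads as 'Defined'."""
    return MATURITY_LABELS[min(5, max(0, round(score)))]


def gaps_to_target(scores: Dict[str, float], targets: Dict[str, float]) -> Dict[str, float]:
    """Positive gap: the part sits below the reference target set by management."""
    return {p: round(targets[p] - s, 2) for p, s in scores.items()}


# Constructed sample assessment (hypothetical): two variables per part instead
# of the model's thirty-four, with invented requirement outcomes.
SAMPLE = {
    "Organisational context": [Variable("CTX-1", (True, True, True)),
                               Variable("CTX-2", (True, False, False, False))],
    "Leadership": [Variable("LEAD-1", (True, True, True, True)),
                   Variable("LEAD-2", (True, True, True, False))],
    "Planning": [Variable("PLAN-1", (False, False, False)),
                 Variable("PLAN-2", (True, False))],
    "Support": [Variable("SUP-1", (True, True)),
                Variable("SUP-2", (True, True, False))],
    "Operation": [Variable("OPS-1", (True, True, True, True, True)),
                  Variable("OPS-2", (True, True, False, False))],
    "Performance evaluation": [Variable("PERF-1", (False,)),
                               Variable("PERF-2", (True, False, False))],
    "Improvement": [Variable("IMP-1", (True, False, False)),
                    Variable("IMP-2", (True, True, True))],
}
TARGETS = {p: 4.0 for p in PARTS}  # hypothetical uniform target: level 4 (Managed)

if __name__ == "__main__":
    scores = part_scores(SAMPLE)
    gaps = gaps_to_target(scores, TARGETS)
    for part in PARTS:
        print(f"{part:23s} {scores[part]:4.2f} {label_for(scores[part]):24s} gap {gaps[part]:+.2f}")
    total = overall_maturity(scores)
    print(f"overall {total:.2f} ({label_for(total)})")
```

Running it lists each part's average, its nearest CMMI label and the distance to the target, which is the per-part view that the results template and graph are meant to give.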

Fig. 8 Example of ERMsec© questionnaire results. Source: own elaboration

Fig. 9 Example of ERMsec© graph based on questionnaire results. Source: own elaboration

In part 5 of the second section, which coincides with the "Do" of the Deming cycle, a proposal is made for security-related operations, which can be adapted to each organisation. In each of the security activities, it is desirable that the issues to be assessed come from a standardised source, such as the information systems security activity, which has been referenced to ISO 27000. It should be noted that the model does not take into account who owns the risk (the function or the business unit) or who is responsible for its management, as the aim here is to visualise the situation of the security management system either in the organisation as a whole or in a specific business unit.

Conclusions

Within organisations, security—understood as a process—bases its implementation on the management of the risks in its scope through ESRM, constituting a thematic area closely linked to ERM, but not necessarily requiring ERM to be already implemented in the organisation (Feeney 2019). In order to further explore how the security function contributes to organisational resilience, it has been shown through a theoretical framework and literature review that it is possible and desirable to create security management and operational resilience models that are compatible with the IMS existing in organisations. In the review of academic literature in prestigious databases, no such models have been found, which is why the proposed model is considered to be academically innovative and also a contribution to the strategic management of organisations and enterprises: the model is equipped with a structure and a questionnaire through which the current maturity level is obtained, with the option of adjusting the target level within the strategic planning decided by each organisation, in line with its business objectives. This model is a governance tool for the security function while being flexible, as it allows the comparison of different businesses or sub-units within the organisation's own structure and even with other organisations, regardless of their size, sector of activity or geographical location.

In general, organisations with multiple management systems perceive more benefits than those that implemented only one standard or manage them separately in silos. While there is no single quick fix, process, management system or software application that creates resilience (Gibson and Tarrant 2010, pp. 8–14), this does not preclude organisations from establishing the sweet spot they want to achieve in line with their strategic objectives. The ERMsec© model is based on the ideas proposed for the operational resilience process, providing an academic basis and scientific support to practitioners, mainly in its business application due to its flexibility to adapt to different types of organisations. The next step after proposing this model is to test it through quantitative research based on surveys of large business organisations, for which preliminary tests have already been carried out and which now require a formal study.

In the future, it would be interesting to delve deeper into a maturity framework that encompasses not only the operational resilience component, where the security function in companies contributes value, but the whole of organisational resilience in a transversal framework of a strategic nature, where some authors (Gracey 2020, pp. 313–327) (Denyer 2017, pp. 8–25) (Balugani et al. 2020, p. 1742) have already made concrete proposals, and others propose its close connection with another strategic challenge such as sustainability (Ogrean 2018, pp. 526–536). Also related to operational resilience is the possibility of future studies on the use of intelligence to support decision-making by crisis committees, business continuity and incident response teams. Other possible lines of research that emerge from this study are:

• Transfer this methodology to small and medium-sized companies, with a simpler survey that facilitates online responses from a larger number of companies and allows key points to be compared with the first study carried out in large companies.

• Based on the ASIS SSE-2022 Senior Security Executive Standard (ASIS 2022a), the managerial implications of security leadership and its ability to promote operational resilience through ESRM could be further explored academically.

• Resilience capability will depend to a large extent on the expertise of the organisation's specialists and managers (Groenendaal and Helsloot 2020, pp. 102–109), which is why it is necessary to propose new models of intervention for managers who sit on committees and exercise leadership in crisis management (Lalonde 2011, pp. 443–464).

• Deepen the analysis of operational areas potentially within security's area of responsibility, such as intelligence, information security or operational resilience (incident management, business continuity and crisis management), transversally throughout the organisation.