Integrated security management model: a proposal applied to organisational resilience


Abstract

The purpose of this article is to contribute scientifically to the thematic areas of organisational resilience and security risk management by providing a model of a flexible security management system that can be integrated with other management systems and be applied to the operational dimension of organisational resilience. To this end, the literature on security risk and operational resilience has been reviewed, as well as on security governance models based on enterprise security risk management and other international standards that allow integration with business processes. During the study, an incipient production of specific models that determine the maturity of different management systems was observed in the academic sphere, with a gap being detected in terms of security management system maturity models linked to organisational governance and enterprise risk management, which would facilitate their inclusion in the organisation's integrated management system in a practical way. It is concluded that the proposed model provides scientific support to practitioners, and, to a greater extent, to companies and other organisations irrespective of their size, sector of activity or location.
Security Journal (2024) 37:375–398
https://doi.org/10.1057/s41284-023-00381-6
ORIGINAL ARTICLE
Integrated security management model: a proposal applied to organisational resilience
Jose Marquez‑Tejon¹ · Montserrat Jimenez‑Partearroyo¹ · Diana Benito‑Osorio¹
Accepted: 10 May 2023 / Published online: 2 June 2023
© The Author(s), under exclusive licence to Springer Nature Limited 2023
Keywords: Integrated management systems · Enterprise risk management · Organisational resilience · Operational resilience · Security management system · Crisis management
* Jose Marquez‑Tejon
jose.marquez‑tejon@outlook.com
Montserrat Jimenez‑Partearroyo
montserrat.jimenez@urjc.es
Diana Benito‑Osorio
diana.benito@urjc.es
¹ Universidad Rey Juan Carlos, Paseo de los Artilleros, s/n, 28032 Madrid, Spain
... In a later study (Marquez-Tejon et al., 2023), it was observed that security risk in organisations would come under what are known as operational risks, and that the security function, besides managing those risks within its scope, may also be assigned a transversal function through which it exercises governance of the preparedness and response strategies associated with the OR. This encompasses not only risk management but also the management of response plans associated with crisis management, business continuity and incident management. ...
... Although there is an emerging academic production of specific models that determine the maturity of different management systems, there was a gap in terms of the security management system's maturity models linked to the governance of OR and ERM, which would also facilitate their practical inclusion in the organisation's integrated management system. To help bridge this gap, an OR management system maturity model, through the security function called ERMsec© (Marquez-Tejon et al., 2023), was proposed to provide scientific support to practitioners and, to a greater extent, to companies and other organisations regardless of their size, sector of activity or geographical location. ...
... This is becoming increasingly important, especially in large organisations. Hence, this study's main approach is, on the one hand, to analyse security risk management and resilience in companies, based on the ERMSec© model (Marquez-Tejon et al., 2023) obtained from internationally-recognised standards (ISO 2236, ISO 22301, ISO 22320, ISO 31000 or ISO 28000, among others); mainly those included in the main benchmark of the Spanish stock market "IBEX 35" (BME, 2022a); and, on the other hand, to diagnose their strategic contribution to the resilience of their organisation. ...
Article (full text available)
Organisational resilience has become an increasingly important topic for businesses in recent years, as disruptions and unexpected events can have a significant impact on their operations, reputation, and financial performance. Such was the case with the COVID-19 pandemic, the cyberattacks on essential services and the recent conflict in Ukraine, all of which entail long-term disruptions that affect strategic business objectives. To ensure continuity of operations, it is essential to establish a comprehensive approach to enterprise risk management and increase resilience through internationally recognised standards such as COSO-ERM, ISO 31000, ISO 28000 or ISO 22316. The objective of this study is to test a maturity model that will provide scientific support to professionals and, to a greater extent, to companies and other organisations. It assesses an organisation's security and resilience management system maturity level against internationally-recognised standards, with the model allowing them to visualise its evolution in subsequent updates. The proposed model has been tested through a survey that was carried out anonymously among the main companies included in the Spanish IBEX 35 stock index. It is an innovative model that can pave the way for new trends in entrepreneurship and management in terms of organisational resilience, having been empirically tested in a real business environment. It is also a direct transfer to industry and allows for the creation of new strategies in service operations that support resilience.
... Organizations should engage in thorough background checks and assess the security practices of potential suppliers (Shimels & Lessa, 2023). Regular audits should be conducted to ensure adherence to security standards, such as ISO 28000, which specifically addresses the security management of the supply chain (Marquez-Tejon et al., 2023). The timely and accurate sharing of information plays a vital role in effective supply chain security. ...
Chapter
The digital supply chain has become an integral part of modern business operations, enabling efficient and streamlined processes. However, with the rapid advancement of technology, the supply chain landscape has become increasingly vulnerable to cyber threats and attacks. This chapter explores the critical issue of cybersecurity within the context of the digital supply chain, aiming to equip professionals and practitioners with the knowledge and strategies to safeguard their operations. Lastly, the chapter sheds light on emerging technologies and future trends and concludes with a call to action for securing the digital supply chain. It also highlights the future challenges and directions in cybersecurity for the supply chain, urging professionals to stay vigilant and adapt to evolving strategies and technologies. Overall, this chapter serves as a comprehensive guide for securing the digital supply chain, empowering readers to fortify their operations against cyber threats and ensure the resilience of their supply chain networks.
Article (full text available)
This research study investigated the integration of cybersecurity measures into Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) strategies within financial institutions. The study aimed to assess the current state of AML/CTF strategies, evaluate the integration of cybersecurity measures, and investigate the impact of integrated cybersecurity and compliance measures on AML/CTF effectiveness. A quantitative approach was employed, utilizing surveys and statistical analyses to collect and analyze data from 400 participants in financial institutions. The findings revealed a significant positive correlation between the effectiveness of AML/CTF strategies and compliance with AML/CTF regulations. Additionally, the study found that a positive perception of the importance of cybersecurity was associated with a higher level of integration in AML/CTF operations. However, while compliance and cybersecurity integration had a positive impact on AML/CTF effectiveness, perception did not show a significant impact. The study concluded by discussing the implications of these findings and suggesting future research directions to enhance the integration of cybersecurity measures into AML/CTF strategies. These findings contribute to the understanding of the complex interplay between cybersecurity, regulatory compliance, and anti-financial crime strategies within financial institutions, providing valuable insights for policymakers and practitioners in the field. Keywords: Anti-Money Laundering (AML); Counter-Terrorist Financing (CTF); Cybersecurity; Regulatory Compliance.
Article (full text available)
Risk management plays a key role in uncertain times, preventing corporations from acting rashly and incorrectly and allowing them to become flexible and resilient. A global turbulence such as the COVID-19 pandemic has had a strong impact on individual companies and entire economic sectors, raising the question of whether a paradigm shift is necessary in order to enable a new cycle of development that is much more environmentally, socially and economically sustainable. This environmental and socioeconomic context of profound uncertainty forces organizations to consider more carefully the risk factors affecting their business continuity, as well as how these factors relate to sustainability issues. However, there is a gap in knowledge about how risk management systems relate to sustainability management systems, and how both of them exert influence on business performance, especially from a theoretical point of view. The aim of this study is to address this gap by developing a new interpretative framework for the analysis of risk management strategies in organizations. This approach has been identified in economic hermeneutics as an innovative methodological tool to improve the knowledge of risk and design the most appropriate management strategies. The paper provides two main results: the first is the construction of a theoretical model that relates risk management to sustainability management; the second is an operational framework of multidimensional risk assessment useful for analysis at different levels (business, competitive scenario and system). Finally, the model also makes it possible to carry out a sustainability assessment through risk evaluation from the perspective of the sustainable development goals.
Article (full text available)
An array of developments impacting the financial services industry, such as increasing complexity, interconnectedness, third party dependencies and digitalization, means operational resilience will remain a significant area of concern for policy makers, investors and customers. The purpose of this study is to evaluate if banks are disclosing information on their operational resilience risk. The study initially reviews the regulatory landscape for operational resiliency. The recent annual reports of the GSIB banks are reviewed to identify if they have made references to operational resilience. Through text mining, a frequency analysis of terms related to operational resilience was done, followed by an evaluation to understand the existence of relationships between these terms. The study shows that the regulatory guidance for operational resilience is still evolving with much of the current impetus on cybersecurity. There is a notable gap between banks that have reported on operational resiliency and those that have not, with a few patterns visible. Research in the area of operational resilience is relatively new and limited, and this research for the first time analyses the disclosures related to operational resilience in annual reports. Further, for policymakers, it highlights the disparity in disclosures around this relatively new area of risk, thus calling for additional regulatory guidance.
Article (full text available)
As unpredictable major-impact events are on the rise, many organisations have adopted an organisational resilience (OR) approach for dealing with these so-called 'black swan' events. What OR comprises is subject to ambiguity and multiple interpretations. This article presents a perspective that makes a distinction between predictable risks and unpredictable major-impact events. The article argues that predictable risks would benefit from an adaptive and efficient business continuity management (BCM) capability. Using several cases, the article demonstrates how the adaptability and efficiency of BCM can be improved in practice. For unpredictable events, this article calls for a strategy of anticipated improvisation. Both strategies require executives and regulators to accept less planning and to put more trust in the expertise of specialists and managers.
Article (full text available)
Recently, the concept of resilience has gained new momentum in organization studies. It is held to be a very promising concept to explain how organizations can survive and thrive amidst adversity or turbulence. However, findings from an earlier review about resilience in the organizational and business context show that, although empirical research on the concept has increased, there is still a need for more clarity in terms of its measurement. The aim of this paper is to present a systematic review of the organizational resilience construct that covers both conceptual and operational issues. We discuss why researchers criticize resilience for being fuzzy and move on to identify and analyse existing literature under the lens of construct development and taxonomies. With this study, we aim to point out conceptual problems for future researchers to address conceptual clarity and to develop a clearer, more parsimonious concept. We conclude with a suggestion about future measurement.
Article (full text available)
The concepts of resilience and sustainability appear multi-dimensional and correlated, depending on the context. Operational sustainability practices can enhance the resilience of a firm, and support its growth. This study aims at analyzing the impact of a sustainability strategy, measured by means of a sustainability maturity index (SMI), on the financial performance of a company. Since the SMI is strictly correlated to resilience capabilities, the performed analysis represents a first level integration of the sustainability and resilience indicators in a common framework. A data sample from 53 organizations was collected through structured interviews and analyzed to identify possible relationships between the SMI and the financial performance indexes. The analysis does not support commonly reported arguments: we show that profitability does not show a significant relationship with sustainable strategic intent. Interestingly, firm country of origin, size of the organization, and market focus, likewise, do not have a significant relationship with SMI. Arguably, multi-dimensional company performance, including both financial and non-financial measures, should be considered to assess the impact of sustainability practices. Moreover, further investigations are needed to capture firms’ nonfinancial indicators of performance that are related to sustainability and resilience, for building up a unified framework enabling trade-off analysis.
Article
Crisis management in large organisations should evolve response structures to prepare better for real-time, enterprise-wide events, and boost overall resilience. This paper proposes that organisations shift from an incident command structure to a more agile approach that reflects changes in business operations. This paper describes the evolution in Liberty Mutual Insurance's US operations practice from a more traditional emergency response team structure to an agile one that seeks to unify crisis teams globally and cross-functionally. The paper concludes that the adoption of a collaborative methodology across disciplines fundamentally increases organisational resilience.
Article
This paper discusses the challenges faced by organisations as disruptive events increasingly impact across operational, tactical and strategic operating levels. Organisations maintain the foundation of society by building the economy; they provide employment, wealth generation, material, services and community spirit. Simultaneously, they are being forced to diversify and innovate to maintain their share of global or local markets, thus inviting risk into the daily operating model. Organisations with a higher level of internal resilience are better poised to mobilise resources, allocate personnel and prioritise key functions, with leadership teams unafraid to make difficult decisions based on intelligence and evidence-based analysis, although there is still a limited understanding of how a resilience framework can benefit the bottom line. Effective leadership, evidence-based decision-making and business intelligence collection and dissemination are critical to success; however, to truly build resilience capability, organisations need to develop a learning organisation mentality, and move the concept of organisational resilience away from technology to become a people-focused strategy. Organisations must change the mentality of using resilience to generate short-term financial gains and instead focus on long-term sustainability.