Advanced search
Publication Cover
Knowledge Management Research & Practice Volume 20, 2022 - Issue 3
Submit an article Journal homepage
1,984
Views
4
CrossRef citations to date
0
Altmetric
Original Articles

Knowledge sharing and protection in data-centric collaborations: An exploratory study

Johannes P. ZeiringerBusiness Analytics and Data Science-Center (BANDAS-Center), School of Business, Economics and Social Sciences, University of Graz, AustriaCorrespondence[email protected]
&
Stefan ThalmannBusiness Analytics and Data Science-Center (BANDAS-Center), School of Business, Economics and Social Sciences, University of Graz, Austria
Pages 436-448 | Received 18 Mar 2021, Accepted 04 Sep 2021, Published online: 07 Oct 2021

ABSTRACT

Digital supply chains (SCs) and data-centric collaborations have boosted data exchange between companies and, combined with recent advancements in data science, have brought a new type of knowledge risks . This paper presents an exploratory interview study investigating knowledge risks in data-centric collaborations. The aim is to gain insights into the current perception and awareness of knowledge risks and approaches to data-centric collaborations to encounter them. The authors conducted 27 interviews with 15 experts in a two-stage semi-structured interview study. The first stage identified three kinds of approaches for managing knowledge risks in data-centric collaborations: (1) informal, (2) preventive and (3) proactive, which were validated in follow-up interviews. All three approaches lead to different perspectives of sharing and protecting knowledge within the digital SC and relate to the business model and the level of innovation within the organisation.

1. Introduction

At the heart of modern manufacturing concepts such as Industry 4.0, a massive exchange of data in the background enables data-centric collaborations (Brettel et al., Citation2014; Kaiser et al., Citation2020). Using current data-science approaches, a reengineering of knowledge from such datasets becomes possible, establishing a new type of knowledge risk (Ilvonen et al., Citation2018). Hence, knowledge protection should pay attention to data-centric collaborations arising in the context of digital supply chains (SC) (Zeiringer & Thalmann, Citation2020).

Owing to the massive amount of data exchanged in digital SCs, organisations typically do not know which knowledge can be extracted from exchanged datasets (Ilvonen et al., Citation2018). These datasets are usually collected by sensors, equipped on machines, in combination with Internet of Things (IoT) technology (Schniederjans et al., Citation2019). The datasets are exchanged to optimise the SC operations and are thus intentionally shared with SC partners. However, as organisations are unaware of the knowledge that can be extracted from the datasets, this exchange is not yet covered by (knowledge) risk management (Fruhwirth et al., Citation2021; Ilvonen et al., Citation2019; Kaiser et al., Citation2020; Zeiringer & Thalmann, Citation2020; Birkel & Hartmann, Citation2019).

Furthermore, SC partners and the SC itself change more frequently within the digital SC, making the digital SC more complex (Zeiringer & Thalmann, Citation2020). One implication is that traditional risk management approaches, which are often limited to direct suppliers, have reached their limits. According to Durst and Zieba (Citation2017), knowledge risk management research lacks an understanding of the awareness of knowledge risks within the organisation and the actions set by organisations to tackle them. Research is particularly scarce when it comes to knowledge risks and threats related to data exchange (Ilvonen et al., Citation2018).

The challenge of protecting knowledge within a SC is not new, but traditional knowledge risk management has focused mainly on human- or document-centric knowledge risks (Trkman & Desouza, Citation2012), while the risks resulting from comprehensive data exchange between SC partners have received little attention (Zeiringer & Thalmann, Citation2020). In this paper, we respond to the call for more research in this emerging topic in knowledge risk management (Ilvonen et al., Citation2018) and investigate current challenges and measures for knowledge risk management in data-centric collaborations. The research question (RQ) reads as follows:

How do actors of digital SCs perceive knowledge risks arising from data-centric collaborations and how do they respond?

We conducted an exploratory interview study because details about the appearance of knowledge risks arising from data-centric collaborations are scarce and have not yet been conceptualised. While there is a view on the protection of human-centric or document-centric knowledge, knowledge resulting from data-centric collaboration remains unnoticed (Kaiser et al., Citation2019).

2. Background

Digitalisation within the SC has changed over the last few decades. Starting with the simple electronic exchange of delivery notes to Industry 4.0, in which machines communicate without human commands and foster high adaptability and a flexible design for manufacturing processes (Bahroun & Harbi, Citation2015; Ivanov et al., Citation2019; Zeiringer & Thalmann, Citation2020). As a result, a digital SC has emerged. This does not differ in terms of whether the goods or services are physical or digital, but rather in how processes within the SC are innovated and changed using modern technologies (Büyüközkan & Göçer, Citation2018). A digital SC includes a comprehensive exchange of data and is a multi-layered production network that can be flexibly and quickly optimised and (re)composed (Zeiringer & Thalmann, Citation2020).

The management of knowledge risks in the context of SCs is part of SC risk management (SCRM) (Fan & Stevenson, Citation2018; Ho et al., Citation2015).

Hand in hand with digitalisation, data-centric collaborations have emerged. As data is an important asset in the organisation and helps to improve SC activities, the goal of data-centric collaborations is to minimise manual intervention in SC processes and maximise efficiency (Chen et al., Citation2016; Vyatkin, Citation2013). The key characteristic of such collaborations is comprehensive data exchange, which can be used to optimise production processes (Thalmann et al., Citation2018).

An important prerequisite for SC partnerships is mutual trust. Trustworthiness is achieved by mutual respect, open data sharing and fair relationships, and it helps to overcome barriers in collaborations (Jones et al., Citation2014; Spekman & Davis, Citation2016). Furthermore, trust can increase the level of commitment in SC partnerships and decrease uncertainty (Fawcett et al., Citation2017; Kwon & Suh, Citation2005). Trust has varying levels and does not always lead to performance improvement (Michalski et al., Citation2019). Data-centric collaborations, where tacit knowledge can be created by sensors and collected data, show a new dimension of trust issues that leads to reluctant actions by collaborators, as traditional measures like trust building may not be effective (Kaiser et al., Citation2020). This issues can lead to barriers and failures, because a lack of trust or the fear of partners becoming competitors due to the exchange of data is imminent (Raweewan & Ferrell, Citation2018).

Organisations must take protective measures if data are shared outside the organisation as knowledge risks may arise (Durst & Zieba, Citation2017; Krogh, Citation2012). As knowledge is tacit and volatile, it is difficult to protect. Particularly in collaborations, different people have access to valuable knowledge (Elliott et al., Citation2019). It is therefore important that no unintentional outflow of knowledge takes place but that knowledge flows needed for operation and innovation continue. Knowledge protection is therefore difficult to enforce within SC partnerships but is essential for knowledge risk management (Durst et al., Citation2019; Loebbecke et al., Citation2016) In the existing literature, knowledge protection often refers to documented explicit knowledge such as patents or contracts or to tacit knowledge bounded to employees (Hurmelinna‐Laukkanen, Citation2011; Olander et al., Citation2011). Little is known about (explicit or tacit) knowledge which can be made available with modern data science approaches involving domain experts (Birkel & Hartmann, Citation2019; Schniederjans et al., Citation2019). Knowledge risks arising from the exchange of datasets can hardly be covered by traditional measures focusing on documents and people and thus more research is urgently needed (Ahmad et al., Citation2014; Durst & Zieba, Citation2017; Hernandez et al., Citation2015; Loebbecke et al., Citation2016; Manhart & Thalmann, Citation2015). Since there is this gap in the knowledge of how knowledge is protected in this context and whether trust or technical measures also play a role here, we investigate the perceptions and treatment of this problem in industrial organisations.

3. Procedure

As little is known about knowledge risks arising from data-centric collaborations, we used an exploratory research approach to investigate how knowledge risks arising from data-centric collaborations are perceived.

3.1. Data collection

We applied a two-step semi-structured interview study (Flick, Citation2013). In the first step, we collected primary insights, and in the second step, we validated our preliminary interpretations and findings. Fifteen experts involved in SC operations, such as SC managers, IT managers or consultants, risk managers, product managers and managing directors, were interviewed. Two thirds of the interviewees were affiliated with large enterprises (LE) and one-third with small- and medium-sized enterprises (SMEs). Careful attention was paid to not only who was interviewed but also how many interviewees were required. As the number of interviews progressed, saturation was reached, and now new insights were gained. The semi-structured interview guidelines and the challenges and countermeasures for knowledge risks in data-centric collaborations were based on a literature review (anonymised for peer review). The first guideline was pretested with a researcher in the field and adapted slightly afterwards. Appendix A shows the final interview guidelines for the first stage.

3.1.1. First interview stage

Within the first stage of interviews, we discussed the data exchange in SC partnerships, protection measures, respectively security plans, knowledge risk related incidents and the balancing of knowledge sharing and protection. All interviews were held virtually and audio recorded, and the authors took additional notes during the interviews. The first round of interviews was conducted between March and June 2020, with 15 representatives from industries such as chemicals, semiconductors, mechanical engineering, and automotive and lasting 57 minutes on average (see ).

Table 1. Interview statistics first and second stage

The interviews were mostly held in German, although two-thirds of the involved organisations were multinational LEs from the manufacturing sector. One-third were SMEs, including IT or risk management consultants. The consultants’ contribution complemented the statements of the industry representatives well and gave a broad overview of the situation in various industrial sectors. The interviewees were numbered from 1 to 15, whereby the first 10 representatives were from LEs and the remaining five were from SMEs.

A first analysis of the transcripts was conducted after the first round to attain primary insights. During this data analysis, it appeared that risk perception and response are intertwined. Thus, we decided to describe both together and established three approaches for dealing with knowledge risks from data-centric collaborations. During the data analysis, additional questions regarding the implications of the approaches emerged. To investigate the implications in more depth and to validate the interpretations done in the data analysis, interim findings were shown to interviewees in the second stage.

3.1.2. Second interview stage

In the second interview stage, we interviewed 12 of the same 15 experts from the first stage. The findings of the first round of interviews, i.e., the three initial approaches, were shared with the interviewees. After discussing the risk perception and the response of each approach, the implications for company performance were discussed in detail. The interviewees were asked to be rigorously critical of the initial classification. An example of feedback is that several interviewees were dissatisfied with the first proposed title of approach number three (initial name: “preventive & reactive”) and suggested renaming it into proactive. Also, implications regarding innovation levels and knowledge management were presented and discussed in the context of the interviewees’ organisations.

The second stage of interviews took about 15 minutes on average (see ) and was conducted between August and October 2020. Since the final implications emerged solely through this two-stage process, the second stage of the interviews is to be seen as equivalent to the first.

3.2. Data analysis and coding

All interviews were audio recorded, transcribed and cleansed. We analysed the transcripts by applying the structured content analysis according to Mayring (Citation2000). Transcripts were coded using MAXQDA Plus 2020 in an informed inductive approach, taking the previously conducted literature into account.

An analysis of the first-stage interviews produced categories comprising awareness building and applied measures, balancing knowledge sharing and protection, characteristics of digital SC and data exchange, and knowledge risk-related incidents (see ). Different subcategories were also created for each category. During the coding, new categories inductively emerged. The inter-rater agreement was aligned consecutively and fed back by several research colleagues.

The analysis of the second-stage interviews, developed the coding scheme based on that developed in the first stage. Nevertheless, new insights emerged, and while the discussion with the interviewees was only used for general iterations, the coding was adjusted and complemented. The three approaches that emerged from the coding were subdivided into aspects of general attitude, organisational embedding, context of application, limitations of measures and impact regarding innovation. The excerpts used for this paper were translated and double checked by the authors. In the following section, excerpts from both rounds are used equally.

4. Findings

We identified three different approaches to how the interviewees dealt with the knowledge risks emerging from data-centric collaborations. An approach is understood to be actions that are set by the organisation to balance knowledge sharing and protection. The description of each approach comprises the general attitude towards knowledge sharing and protecting, how it is carried out in the specific industry, how risks are perceived, what the resulting limitations are and what impact the approach has on innovation.

The first approach is informal. It is characterised by trusted partnerships with few assessments. Decisions are often based on “gut-feeling” and potential knowledge risks resulting from data-centric collaborations are seen as too abstract. The second approach is preventive. Within this approach, organisations need conviction to collaborate long term and every partnership needs thorough assessments and a clear benefit for the business decision. Strict preventive measures are put in place before sharing data and there is a high-risk perception.

The third approach is proactive. It is labelled by organisations as being very open and highly specialised. The organisation’s knowledge is seen as constantly outflowing and awareness is given that potential risks are always there.

All interviewees were confronted with the three approaches in the second-stage interviews. The interviews assigned their organisation, departments or SC partners to one of the approaches.

4.1. Informal approach

4.1.1. General attitude

The core aspect considered within this approach is trust. Trust indicates a confident relationship between the SC partners, and if trust is sufficient, they share the data. While trust does not mean to be blind, it does involve taking a leap of faith to a certain extent. However, the interviewees confirmed that when it comes to sharing, everything necessary to collaborate in the best possible way is shared and, over time, strong partnerships develop. For organisations relying on the informal approach, we found no evidence that this has changed due to digitalisation. Partnerships are so interwoven that there is a kind of dependency, and behavioural patterns are “just” adopted to data-centric collaborations:

With every dataset I give out, I’m also giving away a certain amount of knowledge. … Nevertheless, it is necessary, and we have actually considered it because of the long-term partnerships with suppliers. Over time a strong partnership has developed. When we bring new suppliers on board and have them produce according to the drawing, we find that it doesn’t fit or that some of the drawings don’t fit because the relationships are so strong and certain things have changed over time, but we often don’t follow it up properly in certain datasets. (I_5)

The last sentence shows that the interviewee is aware of the limitations of this approach but has little incentive to make any changes. The interviewee also shows a tendency towards persistence and less incentive to open up to new partners. Long-term collaborations with both customers and suppliers are fostered and data are also exchanged based on the need-to-know principle, but this is rather to avoid a lot of questions resulting from big datasets exchanged than to avoid espionage. Interviewees reported that the industry is very specialised and that collaboration is informal due to the few partners and interwoven nature of collaboration.

4.1.2. Organisational embedding

If a partner has a “trusted” status, all data necessary in the context of collaboration are shared. This means that there are fewer knowledge risks than concerns of information overload. An assessment of the knowledge risks and making decisions about whether to share are the responsibility of the individuals and are based on gut feelings. Interviewees reported no or only vague organisational rules or instructions on these decisions and that there must be a clear benefit from the cooperation. Several interviewees answered our question about organisational or technical support as follows:

“The biggest decision support system is probably still the so-called gut feeling. Some people do analysis, but the whole thing is also difficult to evaluate” (I_15).

They also consider using their “gut-feeling” for business decisions in data-centric collaborations as a reliable instrument and while they know “some people do analysis”, they stick solely to trust because it is difficult to evaluate from their viewpoint. One major reason for this perspective and not as part of the “people do analysis” group is the lack of technical and organisational support and guidance because it is not explicitly regulated in the organisation. This means that employees lack awareness about risk management in their organisation. However, several interviewees stated that they frequently refer to contract clauses.

The second major perspective is that due to the familiar, long-term and interwoven collaboration, less emphasis is placed on constant monitoring and prevention when exchanging data, which could lead to situations that are possibly risk-related:

And yes, it happens here and there that external partners know our processes better than we do” (I_5).

This excerpt indicates that the collaborator is treated like an internal colleague who knows the same level of detail or may even a little more.

4.1.3. Context of application

Within this group, data-centric collaboration means that there is a comprehensive exchange of data and a dependency and penetration on IT systems. Collaboration is often based on shared software applications with partners. Everything that fits into the context of collaboration is shared, but proper process documentation is insufficient.

However, changes to SC partners are scarce and changing demands in production are only served by the trusted partners; thus, it is difficult for new partners to join. In this case, data are shared primarily for the purpose of manufacturing products and less to foster joint innovation. Regarding these implications, I_15 mentioned during the second-stage interview,

“I have to let that sink in because I recognised that exactly before. With the personal trust level [informal approach], it [innovation] just happens, but it is not intended!” (I_15).

4.1.4. Limitations of measures

This approach has two major limitations. First, the organisations do not have the resources to conduct proper risk management and, second, due to the interwoven and trusted SC relationship, they have little awareness of possible knowledge risks, as one IT consultant summarised:

And we actually have a lot of customers who say, “Yeah, we would like to do it. But we have neither the people nor the money nor the time”. And that’s what I would say are the challenges – the challenges are largely resources and awareness. (I_15)

Limited awareness of the knowledge risks is also a consequence of limited resources and know-how on data science topics. Consequently, employees are not sufficiently trained to identify and deal with knowledge risks.

From a technical viewpoint, it was stated that all systems are state of the art, but inflexible. Thus, organisations have standard security measures implemented, but the sharing of data with SC partners is mostly authorised and thus in line with security plans. The challenge is that these organisations have no defined rules on what to share (or not to share) with whom. This, however, would require approaches to analyse big datasets systematically regarding possible knowledge risks. Also, legal measures do not contribute to increasing trust, highlighting the need for more suitable instruments.

4.1.5. Impact of the approach

The individual judgment of decision makers plays an important role, and most decision makers are cautious and rather dismissive of new partnerships and innovation:

“I would say that in times where most people decide on the basis of their gut feeling and don’t see ultra-benefit, I think that most people are rather cautious and rather rejecting” (I_2).

By eliminating fluctuating SC partners, transparency and trust is maintained. There is little incentive to deviate as long as the model works and the partners in the SC follow the same approach. The informal approach applies well to organisations that produce physical products and operate in more conservative industries. Interviewees using this approach said that they do business by making the product good and they pay less attention to data to do so. Therefore, the perspective of knowledge risks is rather neglected within this approach, since the core component is rather the production of physical goods and these are considered to be so complex that a loss of knowledge seems less likely. As Interviewee 2 stated:

“Even if a competing company … has … knowledge about the exact process of how it is produced, I don’t think they can simply imitate it to the same extent in high-quality products” (I_2).

Notably, one of the interviewees, after being confronted with this approach during the second-stage interview, noted that he considered his organisation”s approach to be critical because of its neglect of constant monitoring, and he would provide these insights into the organisation’s risk management to challenge their processes.

4.2. Preventive approach

4.2.1. General attitude

Decision makers in organisations with a preventive approach need to be convinced to share data within a SC partnership. Trust is important but is not, on its own, sufficient and the main requirement is a thorough assessment and monitoring of SC partners:

Of course, the issue of trust is important for this. As the saying goes, trust, but verify – you have to, I believe, you have to trust each other within partnerships. But only to a certain extent, having control over that or having control over the framework is more important. (I_5)

The attitude towards sharing is that only what is really necessary to collaborate with the partner is being shared. Employees are aware that the unrestricted sharing of knowledge in the context of the collaboration (as in the first practice) is desirable. But at the same time, it is necessary to make compromises to avoid unwanted knowledge spill-overs. When it comes to balancing knowledge sharing and protection, it is clearly a business decision; it is about balancing opportunities and risks, and a clear benefit must be given.

The interviewees also pointed out that the benefit must be clear and that the organisation is very risk averse. Trust is a prerequisite and part of the risk assessment, but not the dominant or only prerequisite. It is stated that too much knowledge sharing results in potential dangers, and it is safer for both parties if this is prevented. This finding shows that the data-centric collaboration focuses mainly on operative SC management rather than innovation. However, with trusted partners, only data that are really necessary is shared.

Let me put it this way: the data that we collected in production was not exchanged with our suppliers. They don’t need to know that either. … And these are things, of course … you give a certain … a certain trust to your suppliers, it is a partnership, but the internal data will not be shared … . We have checklists and tools for dealing with the data. (I_10)

As I_10 pointed out, he needs to be convinced that suppliers really need the data and that this is also formalised via checklists in the organisation. Because decision makers must document the decisions (i.e., via checklists), they are much more risk averse and cautious.

In conclusion, this approach uses a clear policy for data sharing. Sharing data with collaborators focuses mainly on operative SC management and is a clear business decision. In risk averse organisations, the business value must be clear before data are shared.

4.2.2. Organisational embedding

Organisations within this group rely on the complexity of their knowledge. The need to assess critical datasets is given, and tools to analyse are desired. Balancing is a permanent review of organisational, technical and legal measures. Furthermore, there is an awareness that standardised products represent a high risk for imitation and organisations within this group are very cautious. For products with high complexity and unique character, knowledge risks are expected to be less likely. However, the risk perception is high, as they only share data “the customer can also measure”. The high-risk perception is also a result of continuous employee training and awareness building, as one interview stated:

You have to make employees aware of what is critical and what is not. The employees have to understand what the risks are, and which data and information are critical, and which are not, because only then can they assess it better. (I_13)

Part of the assessment the interviewee described involves legal instruments. Employees know about legal instruments, such as NDAs, but they are also aware that they are difficult to enforce if something happens. The insufficient protection via legal instruments is the major reason for avoiding the sharing of datasets. Thus, the interviewees described more technical approaches to dealing with the risks. Primarily, they use shared software applications and apply security measures. However, traditional approaches reach their limits as the SC becomes multi-layered and more integrated towards a data-centric collaboration.

4.2.3. Context of application

Within this approach, there is a comprehensive exchange of data and a high penetration of IT systems. New partners must pass a thorough assessment and fewer data are shared compared to the informal approach.

Organisations already apply data science approaches, but they are mostly in a developing phase without clear purposes. The interviewees stated that data collection and data analysis are essential for process optimisation. However, they are not automated and need human supervision. The interviewees also pointed out that at least somebody looks at the datasets and thinks about the risks that can emerge from sharing them. When it comes to avoiding knowledge loss, these organisations are very risk averse, as interviewee eight noted:

We were always technologically careful to protect ourselves against copycats as far as possible. So, our software people are paranoid. Thank God for that. And so, the thing that we can’t technologically do, that we protect our knowledge, I don’t think we’re afraid of that, I would have said. (I_8)

Therefore, organisations following this approach are rather conservative businesses and are more cautious about protecting their knowledge than those in approach one. As far as dealing with knowledge risks, a specific case was mentioned in which the organisation did not trust the collaborator after the thorough assessment and continuously checked for violations. The interviewee also said that technical and legal measures were subsequently weighed up to prevent the potential loss of knowledge. Even if the follow-up assessment is not automatised (the trigger was a “gut feeling”), employees have a high awareness to search for the suspicious.

4.2.4. Limitations of measures

The interviewees showed a high awareness of potential knowledge risks, and corresponding limitations are commonly known. The entire SC audit is important so that technical, organisational and legal measures are taken to prevent incidents. It was also noted that, despite extensive assessment, potential risks can never be excluded. One severe limitation of this approach is that the assessment is laborious and takes time:

I would like to emphasise the tremendous effort that these NDAs and this processing have taken for this agreement or for such a possible cooperation. NDAs are very much connected with time and back and forth, discussions etc. Nothing happened for three months, nothing, that”s dead time. (I_9)

In this sense, the NDA is the formal obligation to start the collaboration and the internal check and assessment processes required a lot of time. Several interviewees criticised the so-called dead time.

From a technical viewpoint, organisations have good basic protection, but when it gets to protecting know-how, the capabilities are limited. One IT-consultant reflected on his industrial customers:

In general, the organisations all have relatively good basic protection … . But unfortunately, you have to ask yourself the question: We are not talking about someone stealing some information somewhere, but that someone in our digital SC … . They can perhaps extract the know-how and get the IP accordingly. And there it is mostly missing. (I_14)

In conclusion, organisations have solid protection, but they are less sensitive about collaboration partners; thus, protection measures regarding knowledge loss are missing.

4.2.5. Impact of approach

Organisations in this group have an awareness of the risk of reengineering knowledge from shared datasets, and with time, organisations are becoming more sensitive to this risk. Some interviewees explained that there have already been effects where the organisation has recognised that there are also certain characteristics to excerpt in datasets, and they can learn from such things. However, it is difficult to describe this in a structured way or to name central risks up front.

The awareness of possible knowledge risks in data-centric collaborations within this group is high. The benefit must be clearly given to sharing datasets, and these organisations need legal instruments. There is a tendency to refuse innovation out of uncertainty instead of being more open, which one interviewee described as follows:

But when I say now that I”m doing a digital supply chain like this with a supplier and exchanging data in terabyte sizes. I”m taking a risk because I”m putting the data on the outside. And who knows what”s inside, I don”t really know what”s inside … . As soon as this uncertainty factor grows, and becomes a little bit bigger, you become very careful. (I_9)

Several interviewees in the second-stage interview confirmed that mitigating arising knowledge risks is difficult to tackle and there is no general solution approach.

4.3. Proactive approach

4.3.1. General attitude

Organisations with a proactive approach have a common understanding to deliberately share more than necessary. Trust is still the basis for sharing, but it plays a less important role. Balancing knowledge sharing and protecting is a business decision, but proactive measures are also taken into consideration.

This is shown through the fact that preventive measures are in place to avoid knowledge risks, but the interviewees also thought about strategies for mitigating unwanted knowledge spill-overs. The interviewees also mentioned that sharing more than necessary can be reasonable, although there was an awareness that doing so could harm the organisation:

There is a certain awareness that you don’t always have to say everything. But on average, I would say that we give away a little too much than we would like … . The customer then does the next project with a competitor. And then they will talk and say, “But back then, a year ago, we did it this way”. Then exactly this methodology that we are developing will go to our competitors. So, the risk is clear to us. (I_4)

The interviewees pointed out that they know the risks of sharing but that they decide to share because they are thinking about proactive approaches. In this regard, the most important strategy is to move faster than the competitors, especially in terms of product life cycles, which are usually very short:

For a certain period of time, which is, I would say one, two or three years, depending on the product group. It”s just very short-cycled. The next generation usually comes in the same year or a year later … . You have to compare the two. Where does that get us? And the risk, if it occurs, multiplied by a probability, by an expected value and that should then be lower. And I am still convinced that you can only win here if you do it cleverly. (I_7)

This high speed of innovation leads to a more open sharing culture. Several interviewees reported that proactively offering solutions and staying one step ahead could be the response to knowledge loss.

4.3.2. Organisational embedding

Organisations approach knowledge risk management in a SC in a very systematic and rational manner. In contrast to the more emotional and gut feeling approaches of the first two approaches, interviewees see the complexity of imitation and knowledge protection as a pure business decision.

Knowledge leakage is seen as being constantly given and therefore as something that needs to be managed. The interviewees were aware of the limitations of legal instruments and the clear decision processes in place within the organisation. Furthermore, it was proposed that all bureaucratic forms and steps should be automated. However, compared to the preventive approach, the reaction time is crucial, and the potentials of collaborations, especially future innovations and business opportunities, were highlighted, as one interviewee pointed out:

Yes, from my point of view, the whole issue is shifting from hardware to software … . In our organisation, it is also the case that we are now increasingly raising the areas that programme the software for (anonymised). From this point of view, everything is moving towards data driven business opportunities. It is the future. (I_7)

With limited domain knowledge and limited access to data, data driven business opportunities cannot work, so an organisation must already be very open and highly specialised.

4.3.3. Context of application

Organisations that apply the proactive approach have a more service-oriented character. They offer supportive software, methods and solutions with their physical products. To maintain their competitive advantage, constant innovation is needed, as one interviewee pointed out:

The customer learns how we do it. And that”s why, of course, know-how also flows to the customer. In every engineering project, not only is the result handed over, but know-how always flows to the customer as well … . The answer to that is innovation. That is the special training of the people. In the next project, they have to make it better than the previous one. (I_4)

As the interviewee explained, organisations already have a high awareness, and they implement measures to deal with knowledge risks. Further, those organisations frequently adopt data-driven business models and thus, exchanging data is a key aspect of their value proposition. Protecting critical knowledge is necessary, and not only is prevention considered, but reaction is also part of the business decision. Therefore, there is a high awareness of the knowledge risks and risk management, and risk scenario testing is important.

The interviewees mentioned new challenges arising from implementing data-driven business models. Not only can data flow away, but also insights from models or services, as Interviewee 4 pointed out:

You have to protect your knowledge either by pricing or by not selling everything you know; you have to withhold certain information. But in principle, if I have an API, and I can query it 10 million times, then at some point I’ll have pulled out all the knowledge that’s in there and I could reproduce it. (I_4)

The interviewees clearly see the challenges of their new business models, but it is only a matter of time and resources until their SC partner reengineers it. The interviewees also mentioned that organisations respond proactively through innovation.

4.3.4. Limitations of measures

The interviewees stated that legal measures, such as patents, do not guarantee protection, and a misuse of knowledge must always be expected. Deterrence approaches, such as threatening collaborators with reputational damage, were mentioned as possible proactive protection strategies against the unlawful use of third-party knowledge. Deterrence appears to be effective, as a memory effect will occur somewhere in the market and collaborators know which organisations are imitating and will no longer do business with them. However, even if the organisations have a high awareness, they are looking for appropriate tool support, as one interviewee explained

“From the point of view of infrastructure, we are still also lacking lots of tools to do that. So, it”s still very cumbersome to the entire process of receiving data and ensuring that that data is secure” (I_12).

If it cannot be assured that the data are secure, the sharing of the data is not ensured and this, in turn, would be the most devastating limitation of this approach. This idea goes hand in hand with an observation that an interviewee shared in the second-stage interview:

But if the SC partner says: “I am one hundred percent preventive, I forbid all my suppliers this kind of collaboration”, then there are different approaches [in partnerships]. Depending on the position of power or strength, this can be very difficult to manage. (I_4)

This excerpt shows that organisation size and negotiating position can have a major impact on the planned approach to collaboration and can lead to challenges.

4.3.5. Impact of approach

Organisations are focusing more on the advantages of innovation and perform explicit steps in the direction of data driven business models. Our interviewees highlighted the importance of data exchange and considered it the basis from which to offer the customer better services than those based on traditional data sources. From this perspective, the effect of this approach may lead to an almost real time-based SC service activity instead of a classical production task. One IT consultant highlighted the following:

There is a need to become more open to have the innovation, to speed up, to have more collaboration in the supply chain, to have optimisation in the supply chain and at the same time keep an eye on the other side and to know what could happen. (I_15)

This approach uses the potentials of modern technologies and thus anticipates possible knowledge risks through too much knowledge sharing. The interviewees confirmed this observation in the second-stage interview. Related to the innovation drive, one interviewee stated:

I would sign that and say that it is a win-win situation. My organisation, if I had to assess it now in terms of our supplier relationships and customer and partner relationships in the IT world, where we collaborate a lot and develop software together, I think we do that relatively openly. I wouldn”t quite call us super progressive now, but very much so! (I_7)

Thus, this is an emerging approach, and there is a lot of room for improvement.

summarises the findings and compares the approaches.

Table 2. Comparison of approaches

5. Discussion

We identified three different approaches – (1) informal, (2) preventive and (3) proactive – to how organisations in data-centric collaborations deal with knowledge risks in digital SCs. These approaches can be viewed as steps of development and one step further in building awareness of knowledge risks, balancing knowledge sharing and making protection more holistic. Trust is the foundation of every approach. Previous studies have shown that trust in SC partnerships goes hand in hand with control and risk, which the three identified approaches showed (Das & Teng, Citation2001). Social relations in SC partnerships are important; otherwise, a lack of trust emerges and there is less willingness to share data. This finding emphasises the importance of trusting relationships in digital SCs (Alawamleh & Popplewell, Citation2012; Lotfi et al., Citation2013; Zeiringer & Thalmann, Citation2020).

The informal approach relies predominantly on trust; long-term partnerships are cultivated, and collaborators are treated almost like co-workers. No clear policies exist, and decisions are based on gut feelings in a rather ad-hoc manner. Hence, everything necessary in the context of collaboration is shared. An important variant in this regard seems to be the intertwined nature of the SC collaboration and the rare changes of partners. Missing structures and policies of decision-making make it hard to implement modern business analytics in such collaborations (Delen & Ram, Citation2018). Furthermore, in long-term relationships, it is known that information, respectively knowledge, sharing is common to improve the level of trust and keep the status of a trusted partner (Huong Tran et al., Citation2016; Kwon & Suh, Citation2005).

The preventive approach also builds on trust but adds thorough assessment and preventive measures. Data are only shared after a clear risk assessment and business decision. The approach is slow and bureaucratic and aims to prevent any unwanted knowledge leakage. However, this approach demands defined policies (e.g., education, checklists or guidelines) to do the assessments and to make business decisions related to sharing data within the collaboration. Organisations applying the preventive approach are less agile in their product development and innovation processes. Sharing of data, respectively information or knowledge, goes hand in hand with concerns about security and privacy and needs assessments (Loebbecke et al., Citation2016; Lotfi et al., Citation2013).

The proactive approach has clear policies and awareness building in place. As a result, employees have a high awareness of the knowledge risks. The speed of innovation and reputation are mentioned as proactive measures. Such organisations are highly innovative, flexible and use data-driven technologies to support the frequent switching of SC partners. The innovation driven through the sharing of knowledge is a promising method of successful collaboration, but urgently calls for a well-elaborated knowledge protection strategy (Elliott et al., Citation2019; Ilvonen et al., Citation2018). Possible technical approaches, such as grey-box modelling, are promising to deal with knowledge risks and foster innovation (Kaiser et al., Citation2020).

All our interviewees considered sharing necessary within all three approaches. Paradoxically, in the preventive approach, the willingness for sharing is the lowest, due to the strong focus on preventive measures and the bureaucratic permission process. Within the informal approach, even though only what is necessary is shared, less attention is paid to it because of the strong intertwined partnerships. The proactive approach generally assumes that the organisation should give more to move forward in the market, which corresponds with the findings in the literature showing that organisations with particularly high preventive and restrictive measures are usually less innovative compared to organisations that stimulate knowledge sharing (e.g., Estrada et al., Citation2016). Those who share more can achieve a high level of innovation. Notably, organisations with little monitoring can also benefit to a certain extent because they have a low risk perception (e.g., Estrada et al., Citation2016; Ritala et al., Citation2015; Zacharia et al., Citation2019). Further, being very restrictive on sharing has a negative impact on the implementation of new data-driven business models.

Referring to different measures, all three groups agree that there is a need for trained employees, latest IT systems and updated legal instruments because current NDA and patent regulations are difficult to enforce. This finding supports existing literature that highlights the limitations of legal measures for managing knowledge risks in data-centric collaborations (Zeiringer & Thalmann, Citation2020).

The data analysis revealed that IS support is needed for knowledge risk management in digital SCs. Most of the organisations use in-house solutions for their decision support purposes or rely on gut feelings because of missing support. So far, organisations have not systematically checked their potential knowledge risks in digital SCs. However, a structured approach of knowledge risk management in SC is important (Kassaneh et al., Citation2021), and, if such specialised tools are available, such as for assessing knowledge risks in the context of data-driven business models, knowledge-risk management becomes more reliable (Fruhwirth et al., Citation2021).

All the interviewees showed a basic awareness regarding knowledge risks. Organisations within the first two groups stated that their knowledge is too complex to be reconstructed and that the danger is abstract. Nevertheless, the knowledge risk perception within the preventive group is high. Within the third group, the trade-off is already pointing in the direction that it is always possible to reconstruct knowledge and it is only a matter of time and resources. Existing literature contains existing insights into knowledge extraction from datasets, which could be used, for example, for better decision support (Bonde Thylstrup et al., Citation2019).

Also, in data-centric collaborations, human and financial resources and particularly time, are the most limiting factors. The training of employees to make them aware of potential knowledge risks is essential within all three approaches, and, as the literature shows, necessary in SCRM (Flöthmann et al., Citation2018; Ghadge et al., Citation2019; Riley et al., Citation2016). Furthermore, legal measures are outdated and there is a need for suitable legal instruments addressing the challenges of data-centric collaborations. Also, current security concepts do not appropriately take the reengineering of knowledge using modern data-science approaches into account. Thus, there is a need for a clear framework to overcome that shortage.

6. Conclusion, limitations and outlook

We identified three different approaches to dealing with knowledge risks in data-centric collaborations. We showed that the more advanced the approach (from informal to preventive to proactive), the more comprehensive is the analysis of risks and benefits. The interviewees described their need for IS support in this decision process and especially in identifying risks in shared datasets, as they are aware that critical risks can emerge out of them. Organisational processes are frequently perceived as a burden and legal measures as not applicable. Within all three approaches, there is an agreement that data sharing is necessary to maintain operations and to push for new innovations. The approaches can be viewed as steps of development, each as one step further in building awareness of knowledge risks and to balance knowledge sharing and protection more holistic.

For verification purposes, second-stage interviews were conducted, in which the interviewees were confronted with the assumptions made. These were confirmed to a large extent and complemented. In particular, the paradox that innovation suffers when there is little knowledge sharing under the preventive approach, while it flourishes under the informal and proactive approaches, was considered revealing. Overall, it appears that innovation performance relates differently to the approach of collaboration, and thus, the systematic approach to dealing with (knowledge) risks is also closely related. From a theoretical viewpoint, this finding contributes to knowledge protection research and further investigation is recommended. Practically speaking, the study helps managers with insights into knowledge protection approaches when data exchange is an important component of the collaboration. To answer the RQ, this study shows that basic awareness of knowledge risks emerging from data-centric collaborations is given.

This research is not without limitations. First, the conducted study was exploratory in nature and the sample was small. Furthermore, only experts from the DACH region were interviewed, but two-thirds of the involved organisations were large, multinational enterprises from the manufacturing sector. Another limitation was that the interviewed experts did not collaborate with each other, but we chose to focus on different industries to gain a broader view. If there were different partners within one collaboration interviewed, the results might differ, and further implications could have been made. Likewise, the sample is only a snapshot of current circumstances, and as there is a diverse field of industrial sectors, the three proposed approaches might also not be complete. Another limitation is that nearly all interviews were held in German and we had to translate them into English.

For future research, it would be interesting to evaluate to what extent and under which conditions knowledge can be reengineered out of exchanged datasets. As can be shown, there is a broad awareness of this topic, but no one has a clear idea of how to analyse this properly. Still, there is a broad belief in many organisations that the contained knowledge in produced goods is too complex to be reconstructed. It is important to find a way to make sure that knowledge is protected from the start and what the needed requirements are, including a proper knowledge risk management framework. Another future avenue is to focus on innovation, since it has been shown that minimising risk can stifle innovation.

References

Appendix A: Guideline first interview round

  1. Interviewee Introduction

  2. Definitions & Study Introduction

  3. Data exchange

    • Would you consider your company as part of a digital supply chain? What data is exchanged here?

    • Do you think critical risk could be included within the exchanged data sets?

  4. Protection measures/security plans?

    • Do you have protective measures to prevent the loss of critical knowledge(org./tech./legal)?

    • Are there security action plans for an incident?

  5. Knowledge risks related incidents

    • Were there any knowledge risk incidents in the past?

  6. Balancing Knowledge Sharing/Protecting

    • How do you deal with the fact that on the one hand you need to share data for collaboration and on the other hand you need to protect your critical knowledge?

    • How do you find the right balance here?

  7. Follow-up

    • Are you interested in the results of the study?

    • How can we send them to you?

Appendix B: Coding Scheme

Appendix B. Coding scheme with categories and examples

Download PDF

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.