5 Strategy

Scenario 1. If an organization so far has applied an exclusive market-oriented strategy, then external determinants such as customers’ demands, the organiza-

5.3 Success factors, barriers and risks

5.3.3 Knowledge risks

This section defines the concept of knowledge risk. The concept employs an operational risk perspective that is focused on business processes and knowledge assets that are affected by knowledge risks. Moreover, a process for management of knowledge risks is defined in section 5.3.4. Section 5.3.5 then gives an outlook to an explorative empirical study in this increasingly important research field within KM.

Risk management has long been recognized as integral part of management, but companies have embraced this topic only recently as consequence of e.g., dynamic environments, networked IT-infrastructures, prominent bankruptcies and subse- quent regulations like Sarbanes-Oxley-Act, EU’s 8^th Directive, Basel II, HIPAA or KonTraG. Despite the acknowledged importance of knowledge assets, predomi- nantly market, credit and operational risks are targeted, whereas risks that affect knowledge assets, also called knowledge risks, are considered marginally at most.

From the perspective of strategic management, the knowledge-based view which has been developed on the basis of the resource-based view ²²⁸ stresses the importance of knowledge assets for competitive advantage. The term asset can be defined “as firm-specific resources that are indispensable to create value for firms”

(Nonaka et al. 2000, 20). Tangible assets can be subdivided into physical assets like plants or machines as well as in financial assets, whereas intangible assets lack physical embodiment and include for example brands, reputation, licenses or skills²²⁹. Knowledge assets are considered as the subset of intangible assets (Teece 2002, 15) that is based on knowledge.

Knowledge can reside on different media²³⁰ (see Figure B-18). The primary media knowledge resides on are employees who provide skills and experiences²³¹. Knowledge can be embedded in organizational routines, procedures and struc- tures²³². Organizational capabilities bundle knowledge assets in order to contribute directly or indirectly to the creation of value (Grant 2001, 118). Knowledge can also be incorporated into objects which comprise different forms of intellectual property, e.g., patents, as well as products and services²³³. From the perspective of the knowledge-based view, IT infrastructures can also be seen as knowledge assets that support the incorporation of knowledge into products and services by helping to document, by administrating and by providing access to documented, codified knowledge (Marr et al. 2004, 562).

The term risk is discussed heterogeneously in management and economics and focuses either on its causes or its impacts. As one of the pioneers, Knight (1921, 231) defined risk as “measurable uncertainty” whereas in Gallati’s view risk is “a condition in which exists a possibility of deviation from desired outcome that is

228. See e.g., Wernerfelt 1984, Barney 1991, Grant 1991, 1996a, 1996b, Spender 1996a and section 5.1.1 - “From market-based to knowledge-based view” on page 94.

229. E.g., Barney 1991, 110f, Hall 1992, 136ff, Grant 2001, 111ff, Lev 2005, 300.

230. E.g., Nonaka et al. 2000, 20ff, Cummings/Teng 2003, 43f.

231. E.g., Mentzas et al. 2003, 27, Marr 2004, 4.

232. E.g., Matusik 2002, 465, Szulanski/Jensen 2004, 348.

233. E.g., Sullivan 1999, 133, Contractor 2000, 245, Lev 2005, 200.

expected or hoped for” (Gallati 2003, 8). Deviations can refer to targets, plans or results of a decision. Positive deviations are considered as opportunities and nega- tive deviations are called threats or risks in a narrow sense (Hillson 2003, 17).

Risks can be analyzed on a strategic or on an operational level. Compared to oper- ational risks, strategic risks are characterized by long-term impact, more interact- ing variables, and higher degree of abstraction and are thus harder to identify, assess and manage. Risks on an operational level are focused on day-to-day busi- ness and can be defined as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events” (Basel 2005, 140).

FIGURE B-18. Knowledge assets focussed in knowledge risk management

KM initiatives certainly should be regarded as strategic interventions. Thus, it is worthwhile thinking about (1) strategic risks involved in the organization’s (core) competencies and strategic knowledge assets as well as (2) strategic risks involved in the KM initiatives and the planned measures, instruments and systems them- selves. However, it is difficult to identify, assess and control strategic knowledge assets the reason of which lies in their intangible nature. Consequently, the chal- lenges of corresponding risk assessments are even higher compared to the already substantial challenges involved in strategic risk management focussed on tangible or financial assets. Thus, in the following the focus is on operational risks involved in the handling of knowledge being well aware that an organization’s strategy ulti- mately should include aspects of strategic management of knowledge risks.

Knowledge risks as a subset of operational risks are consequently focused on the operational business processes and defined as in Box B-4.

Knowledge assets as the medium knowledge resides on are the targets that are affected by knowledge risks. This means that knowledge risks can concern knowl- edge bound to persons, knowledge incorporated in objects or social systems²³⁴.

234. See Figure B-18 on page 138.

documents, IT infrastructures, products, services

groups, teams, communities, processes, routines, structures

object social system

person skills, experiences,

expertise

This definition stresses both, the causes and the effects of knowledge risks. The five causes dependency, limited quality, insufficient transfer, loss and diffusion lead to the two effects lack or non-exclusivity of knowledge assets. A lack nega- tively affects designing, planning, monitoring, continuously improving and, in the perspective of operational risks, primarily execution of business processes. From a strategic and specifically a resource-based perspective, exclusivity of resources is a necessary condition for competitive advantages (Jordan/Lowe 2004, 243). The causes of knowledge risks are briefly discussed in the following together with some examples.

BOX B-4. Definition of knowledge risks²³⁵

1. Dependency on knowledge assets can result in a lack of these assets during the execution of business processes that can be characterized as shortage or non- availability. Dependencies can for example concern key employees or key skills of these employees as well as services of an alliance or outsourcing partner.

Also, problems with IT infrastructures that administrate documented knowl- edge, e.g., insufficient availability, inconsistency or data loss can lead to a lack.

2. Limited quality of knowledge assets can be assessed according to the four aspects content, i.e. e.g., correctness or timeliness of knowledge, the community in which knowledge is created and used, the development and deployment pro- cesses that provide the knowledge as well as the quality of the IT infrastructures used to provide access to documented knowledge or meta-knowledge about the knowledge sources²³⁶. Consequently, limited correctness, low applicability of knowledge or restricted accessibility of the supporting IT infrastructure can result in a lack of knowledge assets during execution of business processes.

3. Insufficient knowledge transfer in this case primarily refers to processes in which organizations attempt to get access to external knowledge that they can not create internally for reasons of time or cost which is an important means to extend the organizational knowledge base²³⁷. This is especially the case in knowledge cooperations. The very reasons for their establishment are to over- come specific knowledge problems and to develop new, applicable knowledge by a combination and integration of existing, possibly secured knowledge or by joint knowledge development²³⁸ which therefore requires uninhibited knowl-

235. Also Probst/Knaese 1998, 27, Lindstaedt et al. 2004, 2, Basel 2005, 140.

236. See section 7.2.5 - “Quality of contents” on page 299, also Eppler 2003, 68.

237. Baughn et al. 1997, 103; Teece 2000, 138.

Knowledge risks are a subset of operational risks, i.e. risks of loss resulting from inadequate or failed internal processes, people and systems or from external events, that are caused by (1) a dependency on, (2) a limited quality, (3) insuffi- cient transfer, (4) loss or (5) diffusion of knowledge assets and result in a lack or non-exclusivity of these assets.

edge transfer between the partner organizations. An attempt to transfer knowl- edge that cannot be carried out sufficiently supposedly can be caused by too rigid rules for knowledge transfer, also called overprotection, but also by vague rules. The latter leave employees hesitant about freely sharing knowledge because they are not aware what is expected from them and what would be con- sidered an act against the interests of the organization. This can result in a lack of the required knowledge assets.

4. Loss of knowledge assets is unrecoverable and also leads to a lack at the level of operational business processes. Examples are fluctuation of employees with unique knowledge, skills, social networks or experiences to other jobs within the organization (intra-fluctuation), to other organizations (inter-fluctuation) or due to their retirement (extra-fluctuation), non-documentation of knowledge, dele- tion of documented knowledge or malfunctioning of IT infrastructures including backup services²³⁹.

5. Diffusion means access to sensitive or competitive knowledge by non-autho- rized persons. Contrary to knowledge loss, diffusion means that knowledge is still available, but not exclusively to the organization. Some authors stress this risk and the possibly resulting dilution of competitive advantages, especially in inter-organizational settings as strategic alliances, clusters, joint ventures, (vir- tual) networks and professional communities²⁴⁰. Examples for knowledge diffu- sion risks are access to unauthorized persons, social or reverse engineering, loss or theft of unsecured, especially mobile devices with replicated documented knowledge or unsecured access to IT infrastructures.

Causes are not isolated from each other, but can also interact. For example, fluc- tuation of employees on the one hand leads to knowledge loss for processes, rou- tines and practices in which the employees participated. On the other hand, fluctua- tion bears risks that knowledge diffuses and its exclusivity is lost by re-applying firm-specific knowledge at a competing organization (Matusik/Hill 1998, 687).