Abstract
Purpose
This research paper investigates how companies incorporate digital compliance, particularly data security and protection, as a fundamental aspect of corporate digital responsibility (CDR). We address the gap in understanding the institutionalization of digital compliance as a part of CDR.
Design/methodology/approach
Using institutional theory, we assess the impact of coercive, mimetic and normative forces on digital compliance. We used survey data from 162 predominantly large German companies and analyzed it through ordinary least squares (OLS) regressions.
Findings
Mimetic forces, driven by competitor knowledge, substantially affect digital compliance. Normative forces related to professional knowledge are also influential, while coercive forces exerted by customers have no significant impact on the adoption of digital compliance. In a supplemental analysis, the study highlights the moderating role of organizational agility.
Research limitations/implications
CDR is not limited to digital compliance. Future research should explore higher levels of CDR and consider stakeholders beyond customers. The focus on large German companies may limit generalizability.
Practical implications
The findings stress the importance of understanding competitive landscapes and professional discourses. Managers should be aware of these institutional forces and incorporate them into strategic planning for digital compliance and CDR.
Originality/value
This research extends institutional theory to digital compliance, offering insights into CDR-related corporate behavior and strategy, emphasizing the importance of competitor awareness and professional norms to manage digital risks.
Keywords
Citation
Schrödter, A. and Weißenberger, B.E. (2024), "The institutionalization of digital compliance", Management Decision, Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/MD-03-2024-0498
Publisher
:Emerald Publishing Limited
Copyright © 2024, Armando Schrödter and Barbara E. Weißenberger
License
Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode
1. Introduction
The digital transformation is increasingly impacting every aspect of our lives with the continuous development and advancement of technologies such as cloud computing, robotics or artificial intelligence, creating, sharing and processing tremendous amounts of “big” data. As a result, innovative ways to enhance future profitability for companies emerge. However, recent years have also highlighted the potential negative impacts associated with the application of digital technologies as well as data collection and utilization, whether it be data breaches or discrimination by artificial intelligence. To systematically address these risks, (supra-) national regulations (e.g. AI-Act or GDPR) as well as societal pressures demand their integration in risk management and governance processes. While mandatory policies often define but minimum standards, companies can voluntarily take responsibility beyond legal requirements, e.g. to gain competitive advantages. Given the rapid dissemination, malleability, ubiquity and pervasiveness of digital technologies, we argue in line with Lobschat et al. (2021), Mihale-Wilson et al. (2022) and Carl et al. (2024) that the concerns related to digital transformation need to be explicitly addressed as Corporate Digital Responsibility (CDR) in addition to the well-established concept of Corporate Social Responsibility (CSR).
CDR is thus understood as a cross-sectional field of CSR that focuses on the effects of the digital transformation, specifically the creation and operation of digital technologies and data (Lobschat et al., 2021). More precisely, we define CDR as an organizational practice, comprising voluntary corporate strategies and measures to identify, mitigate and prevent negative societal impacts of the creation and operation of digital technologies and data as well as to leverage them to further support societal concerns.
In a related vein to risk management theory (see Kaplan and Mikes, 2012), the implementation of CDR can be organized along three different categories: compliance, operational, and strategic CDR. At the compliance level, CDR aligns with risk management and aims at reducing negative impacts on a company’s stakeholders or society at large (first-level CDR). The second level extends CDR to operational measures that enable companies to address stakeholders’ or societal concerns within the existing operational business model by using digital technologies (second-level CDR). Finally, at the strategic level, CDR is extended to a core aspect of a firm’s responsibility within its business model, integrating it comprehensively into its structures and processes (third-level CDR). While CDR – similar to CSR – is not solely altruistic, it can be turned into a business case by providing comparative competitive advantages (e.g. Saeidi et al., 2015), enhancing customer trust and loyalty (e.g. Martínez and Rodríguez Del Bosque, 2013), motivating employees (e.g. Barakat et al., 2016), and yielding other benefits identified in the CSR literature.
Despite the prevalence of digital technologies, there is but limited research on digital responsibility issues (e.g. Lobschat et al., 2021; Mihale-Wilson et al., 2022; Carl et al., 2024). This paper aims to address this gap by providing insights into mechanisms through which companies take up regulations and expectations regarding digital compliance (first-level CDR) as an antecedent and crucial aspect of digital responsibility. We define digital compliance as the adherence to laws, regulations, and guidelines related to data protection, data security, and other digital responsibility issues. This encompasses mandatory legal requirements as well as basic voluntary measures adopted by companies to ensure responsible digital practices. Focusing on extrinsic motivations such as social pressure and other external influences, the study uses institutional theory as a theoretical framework. By systematically deducing key drivers of corporate social behavior and understanding the underlying mechanisms using survey data, this research intends to support managers in effectively responding to their changing environment and formulating appropriate strategies. To illustrate these mechanisms, the study examines data security and data protection, which are widely emphasized areas of digital compliance (see Carl et al., 2024, p. 13; Schoenheit et al., 2019, pp. 46–47).
In addition to exploring the institutionalization of digital compliance, this paper also explores the moderating effects of organizational agility on the implementation of digital compliance. This supplementary analysis aims to uncover nuanced insights into how organizational agility, defined as an organization's capacity to adapt swiftly and effectively to external and internal changes (Teece et al., 2016), influences the adoption of digital compliance.
The remainder of this article will proceed as follows. In Section 2, we present the theoretical framework to describe social organizational behavior, followed by Section 3 in which we explore potential drivers of digital compliance using institutional theory and derive our hypotheses. We then describe our methodological approach in Section 4. The results of our hypothesis testing are presented in Section 5, Section 6 provides an insight into the supplementary aspect of organizational agility. In Section 7, we discuss the findings acquired and finally, in Section 8, conclude our study.
2. Theoretical framework
Data security and data protection are critical pillars of CDR for both businesses and consumers (see Carl et al., 2024). Unlike many other dimensions of CDR, these aspects are explicitly mandated by (supra-) national law in most developed countries (see Lobschat et al., 2021), making them classic compliance issues (see Carl et al., 2024). However, within the broader context of CDR and corporate responsibility in general, voluntariness plays a crucial role, as emphasized by the prevailing view in the CSR literature (see meta-analyses, e.g. Sarkar and Searcy, 2016; Dahlsrud, 2008). Viewed through the lens of corporate responsibility, companies have the opportunity to voluntarily exceed these legal and regulatory requirements, aiming to securing strategic advantages (see Carl et al., 2024).
There are various theories with different perspectives on why and how organizations voluntarily engage in social behavior. Legitimacy theory suggests that companies engage in social and environmental activities to gain and maintain legitimacy in society as a whole (e.g. Dowling and Pfeffer, 1975; Suchman, 1995). However, it lacks specificity in identifying concrete drivers of social behavior (see Parker, 2005). Stakeholder theory, on the other hand, considers individual stakeholders, their expectations, and their relationships with an organization (see Freeman, 1984). While these strategic or managerial approaches provide valuable insights into the instrumental use of various measures to gain societal support (see Suchman, 1995), they also have limitations in fully describing or predicting organizational behavior.
Institutional theory complements both theories by also presupposing the pursuit of legitimacy (see Scott, 2014, p. 75; Deegan, 2002) through the fulfillment of societal expectations, but additionally describing how organizations respond to sector-wide social and institutional structuration dynamics that go beyond the direct control of individual organizations (see Suchman, 1995). It provides a broader perspective on corporate responsibility, considering various institutional mechanisms that influence the relationship between organizations and society beyond mere stakeholder pressure (see Babiak and Trendafilova, 2011; Campbell, 2007). Institutional theory attempts to further explain organizational change and the adoption of certain practices, processes, or structures by proposing several mechanisms that increase the homogeneity of organizations (isomorphism), which ought to improve their fit with their environment (see DiMaggio and Powell, 1983; Bondy et al., 2012). According to DiMaggio and Powell (1983), these mechanisms can be classified as coercive, mimetic, and normative forces.
Previous research has addressed institutional influences related to disclosures about data security and data protection (see, e.g. D'Arcy and Basoglu, 2022; Jeyaraj and Zadeh, 2020), but not the implementation itself. In general CSR research, scholars have examined how these forces impact the implementation of CSR practices directly (see, e.g. Bondy et al., 2012; Jamali and Neville, 2011; Ozdora-Aksak and Atakan-Duman, 2016; Perez-Batres et al., 2010), yet their findings vary, likely due to the broad interpretations and applications of CSR. By focusing specifically on data security and data protection, we aim to narrow this gap and investigate how institutional pressures affect the practical implementation of these critical aspects of CDR.
3. Hypothesis development
3.1 Primary stakeholders and coercive pressure
Coercive isomorphism is the first explanation of organizational change according to institutional theory. This process is induced by pressure exerted by stakeholders on whom an organization depends, which coerce the organization to comply with these stakeholders’ expectations to reduce the risk of losing legitimacy (see DiMaggio and Powell, 1983). This force includes the capability of stakeholders to impose sanctions on organizations to influence future behavior through formal (e.g. legal trials) or informal (e.g. boycotts) processes (see Scott, 2014, pp. 59–60).
In consideration of the current state of the digital transformation, where companies progressively implement digital technologies in their processes and products while customer data is becoming an increasingly integral part thereof, we argue that customers are one of the most affected stakeholders with respect to digital compliance and should therefore be given particular attention. In this paper we will thus focus on pressure exerted by customers, while stressing that possible impacts of other important stakeholders (e.g. employees, suppliers) should be investigated in future research.
Customers generally can exert much pressure, posing a direct economic threat tied to the potential loss of the social license if the company fails to meet their expectations (see Gunningham et al., 2004; Lynch-Wood et al., 2009). However, it is not sufficient to regard customer power in isolation, since it goes hand in hand with customer interest, i.e. the willingness to use their power (see Lynch-Wood et al., 2009). In 2019, Schoenheit et al. (2019) conducted a representative survey about CDR-related issues from the consumers’ point of view for the German Advisory Council for Consumer Affairs. The survey provided evidence that consumers set a high value especially on data security as well as protection and that they primarily hold companies responsible for it (see Schoenheit et al., 2019, pp. 13, 46–47). Consequently, those factors also influence whether a company stands out in a positive or negative manner with respect to digital responsibility (see Schoenheit et al., 2019, pp. 26, 40). Still, the study further revealed that a positive perception of digital compliance, on average, does not necessarily translate to a greater willingness to pay. Conversely, the absence of digital compliance significantly heightens the likelihood of losing customers (see Schoenheit et al., 2019, pp. 35–36, 41). This indicates that digital compliance is perceived as a must-be requirement according to Kano’s (Kano et al., 1984) model of customer satisfaction (see Matzler et al., 1996). These must-be requirements lead to dissatisfaction when they are not met, but only to “a state of not dissatisfied” when they are fulfilled (see Matzler et al., 1996; Carl et al., 2024). A similar mechanism is also described by the expectation-disconfirmation theory (Oliver, 1980). This would imply that customers take digital compliance for granted and consequently do not directly express their respective expectations (see Matzler et al., 1996). Even though meeting these requirements is crucial for a firm’s competitiveness (see Matzler et al., 1996), it is not directly communicated by the customers themselves.
We thus propose that there is no link between digital compliance and coercive pressure exerted by customers. Since we cannot directly measure coercive pressure, we instead consider the intensity of companies’ exchange with customers, which ought to be how coercive pressure should be imposed on those companies. We therefore hypothesize:
The intensity of a company’s exchange with customers does not promote its digital compliance.
3.2 Copy and paste legitimacy: mimetic forces
The second mechanism used to describe the institutional adaption of corporate structures and practices according to institutional theory are mimetic forces. Essentially, mimetic isomorphism describes that companies imitate their competitors as a response to uncertainty regarding their own legitimacy (see DiMaggio and Powell, 1983; Suchman, 1995). This uncertainty can arise from technological or business change (see Jeyaraj and Zadeh, 2020; Matten and Moon, 2008), changes in customer expectations as well as unclear or lacking government regulation (see Bondy et al., 2012). When mimicking their competitors’ behavior – which they perceive as legitimate and successful (see DiMaggio and Powell, 1983; Matten and Moon, 2008) and thus “proven and tested” – companies can reduce their risk of losing legitimacy (see Unerman and Bennett, 2004) by not attracting negative attention for deviating.
In the context of digital compliance – and the digital transformation in general – many companies are faced with uncertainty (see Warner and Wäger, 2019). The vast malleability of digital technologies and data not only raises questions regarding the numerous opportunities but also the downsides and risks (see Lobschat et al., 2021), which are often neither completely grasped nor considered, since in most cases there are no concrete regulations or guidelines. The issues around data protection and security are broadly known and have been publicly discussed for decades now. For this reason, there already are (supra-) national legal regulations addressing the collection and use of data – like the GDPR of the EU. Such laws provide guidelines and therefore ought to reduce uncertainties regarding legitimate behavior (see Bondy et al., 2012). Since policies often merely define minimum standards and leave areas of discretion, companies still have opportunities to engage in data protection and security beyond legal requirements, which will likely grant them competitive advantages. Furthermore, the enormous progress of AI applications introduces numerous factors that contribute to uncertainty such as their malleability, complexity, and opacity. We argue that these factors encourage companies to closely monitor their competitors and engage in imitative actions. We thus hypothesize:
The greater a company’s knowledge about its competitors, the higher is its engagement in digital compliance.
3.3 Professional values and norms: normative influences
The third explanation of organizational change proposed by institutional theory is normative forces, presuming that organizations (or members thereof) are influenced by normative systems (see Larrinaga-Gonzáles, 2007, p. 157). These normative systems consist of both desirable objectives – values – as well as the appropriate ways to aim for them – norms (see Scott, 2014, p. 64). In contrast to coercive forces, where self-interest plays a superior role, normative systems induce a certain behavior by routines and beliefs, so they do not necessarily align with financial objectives (see Larrinaga-Gonzáles, 2007, p. 157).
DiMaggio and Powell (1983) refer to the process of incorporating normative systems as professionalization. According to their definition, it results from members of a profession collectively striving to define the conditions and methods of their work, bring forth skilled professionals, and establish a cognitive framework for their professional autonomy (see DiMaggio and Powell, 1983).
There are several ways by which organizations adapt similar normative systems and thus practices through professionalization: Formal (e.g. university) education and professional networks and associations that can spread methods, best practices, etc. via external normative discourses (see DiMaggio and Powell, 1983; Suchman, 1995).
With respect to digital compliance these mechanisms are likely to apply as well. Some aspects can already be found in normative systems distributed by international professional associations such as the Institute of Electrical and Electronic Engineers, which provides a code of conduct for software engineers as well as standards and guidelines for data security (see Lobschat et al., 2021). Since theory and practice are progressively developing awareness of the relevance of digital compliance, it is increasingly reflected in topics addressed in professional trainings, conventions, trade magazines etc. We hence argue that if a company engages in these professional exchanges, it is more likely to adopt the respective normative systems. We thus hypothesize:
The greater a company’s professional information input, the more it engages in digital compliance.
4. Research design
The data used in the analysis was obtained from an existing dataset from a survey conducted in 2018 that examined several drivers of economic sustainability, including digital transformation, market position and customer knowledge. The survey focused on the company as a whole and did not include respondent characteristics. Overall, the dataset consists of 162 German companies, with a majority (71.6%) being large (more than 500 employees). Sample characteristics can be found in the Table A1.
Most survey items were measured using a six-point Likert scale, indicating respondents' agreement levels ranging from “strongly disagree” to “strongly agree”. A six-point scale eliminates the midpoint, forcing respondents to make a more definitive choice, which can lead to more accurate reflections and higher data quality in some contexts (see Weijters et al., 2010). Research indicates that scales without a neutral option mitigate central tendency bias, where respondents might otherwise default to the convenient midpoint instead of further reflecting (see Chyung et al., 2017; Velez and Ashworth, 2007). However, the absence of a midpoint might introduce biases if it aligns with the participant's genuine response, e.g. ambivalence (see, e.g. Garland, 1991; Weijters et al., 2010). In our context, employing scales typically ranging from “strongly disagree” to “strongly agree” to assess organizational practices (opposed to, e.g. personal opinions), a midpoint interpreted as “neither disagree nor agree” would not be meaningful. Thus, we conclude that the potential data quality improvement justifies the exclusion of a midpoint. Unless stated otherwise, the items used in this study were scaled accordingly and have been standardized for the analysis. The constructs and items used can be found in the Tables A2–4.
4.1 Dependent variable
The variable to be explained by our models is Digital Compliance. We operationalized the construct through three items capturing different aspects of data security and data protection. Investment in data security assesses the extent to which a company allocates resources to ensure data security, reflecting financial commitment to digital compliance. The number of measures to ensure data protection indicates operational efforts aimed at protecting data, and systematic training provided to employees on data protection and security highlights organizational efforts to foster a culture of compliance (see Cram et al., 2017; Puhakainen and Siponen, 2010). Since these indicators address different aspects of digital compliance and are not interchangeable, we treated the construct as formative (see Diamantopoulos and Winklhofer, 2001), allowing us to add the items up. Additional statistical analyses reinforce the assumption of a formative nature of the construct (Cronbach's alpha: 0.58; average inter-item correlation: 0.31). Descriptive statistics for these items can be found in Table 1.
4.2 Independent variables
To measure the coercive forces directly exerted by customers (H1), we used a single item that describes the extent to which a company engages in an intensive and regular exchange with customers. This item shows a high correlation with the related item “We are very close to our customers; we know their wishes and expectations.” (r = 0.83). Knowing the wishes and expectations of customers comes partly from an exchange with them. It can thus be assumed that the exchange with customers, as queried by our item, is a channel through which customers communicate their wishes and expectations (e.g. data protection and security). Accordingly, this interaction could allow customers to exert pressure. Since the specific channel is not determined in the related item, the information could also come from professional sources such as conferences, which would relate to normative forces. Therefore, we have decided not to include this variable in the analysis. Instead, we believe that the single item provides a reliable measurement for coercive forces. This is further emphasized by the item's understandability. Thus, it meets the theoretical requirements for a reliable single item (see Bergkvist and Rossiter, 2007).
To investigate mimetic forces (H2), we considered companies' knowledge about their competitors through various means such as trade journals, internet research, trade fairs, and congresses. We used respondents' information on the number of channels and measures they use to collect competitor information systematically. Although this variable doesn't indicate the intensity or efficiency of information collection, we argue that a greater variety of channels used leads to more information input and greater knowledge about competitors. We also included participants' agreement to the statement about extensive knowledge about their strongest competitor to capture the extent to which companies handle information about successful competitors in their competitive environment. Overall, both items depict ways in which companies obtain information about competitors that they can eventually use to imitate them. These two variables contribute to the construct on different levels. It was thus treated as a formative construct and the items were combined into an additive score, further supported by both items being weakly correlated (r = 0.46; see Bollen and Lennox, 1991).
To measure normative forces (H3) we considered the collection of customer information through professional sources (e.g. congresses, trade fairs and magazines) – opposed to direct communication with customers – as a potential explanation for normative isomorphism (see DiMaggio and Powell, 1983; Kauppi and Luzzini, 2022). We used a variable indicating the number of professional channels and measures used by companies to obtain customer information. Additionally, we examined whether norms and values related to digital compliance are systematically conveyed when dealing with digital and technological trends through these channels, so we included a count variable representing the number of channels used to gain such information. Both variables cover the acquisition of information through professional channels that enable the professionalization and adoption of digital compliance. The standardized variables were combined to form the construct, as they cover different aspects.
Table 2 provides descriptive insights into the used items.
4.3 Control variables
Given the necessity of digitization for digital compliance, we assume that it plays a significant role in explaining digital compliance. We therefore included the stated digitization level in various areas, i.e. human resources, administration, development, purchasing, production, marketing, and sales. These areas are distinct and not interchangeable, so we presume a formative construct (see Bollen and Lennox, 1991) and have therefore added the individual items.
Another factor influencing digital compliance is CSR engagement. We propose that companies with a strong CSR focus also tend to have the necessary societal awareness, structures, and processes that indirectly support digital compliance. Similar to Feder and Weißenberger (2019), we measured CSR engagement across public welfare, environment, market, and workplace, considering how committed companies are to these areas beyond their core business activities. Like other researchers, we view CSR as a formative construct comprising these different aspects (e.g. Feder and Weißenberger, 2019; Gjølberg, 2009; Martínez and Rodríguez Del Bosque, 2013), so we were able to build the construct by adding the items.
To account for other influences, we controlled for company size, measured by the number of employees, presuming that larger companies often face stricter regulations and higher societal expectations (see Lynch-Wood et al., 2009). Different industries may also exhibit varying digital compliance due to industry-specific development and distribution of normative systems as well as expectations and respective pressure (see Ozdora-Aksak and Atakan-Duman, 2016). Additionally, we included the average age of employees as a control variable, recognizing that, e.g. older employees may have lower technology-related comprehension. Table 3 provides descriptive statistics for these control variables.
5. Analysis and results of hypotheses testing
To statistically test the developed hypotheses, we performed Ordinary Least Squares (OLS) regressions for two models: Model 1 examines the effects of the explanatory variables (i.e. exchange with customers, knowledge about competitors and professional information input) on digital compliance while excluding the control variables, whereas Model 2 further incorporates them. The results of the regression analysis of both models are shown in Table 4.
The results of Model 1 show that the included variables explain 18.9% of the variance of digital compliance. Only professional information input has a statistically significant (positive) effect, likely biased due to its inclusion of information on digital technology, which indirectly contributes to higher digitization and thus endogeneity (see Hamilton and Nickerson, 2003). The results of Model 2 further indicate this: After controlling for these effects, the influence of professional information input on digital compliance remains significant, but decreases by approximately half in magnitude, while digitization exhibits a highly significant positive effect. The inclusion of control variables has also caused knowledge about competitors to become statistically significant. Control variables are included to account for confounding factors that might bias the true relationship between the dependent and independent variables. Without these controls, the effect of knowledge of competitors is likely masked. By including control variables such as digitization and CSR engagement, we absorbed these influences, reducing omitted variable bias and thus endogeneity (see Wooldridge, 2016, pp. 78–81). This revealed a more precise estimate for the effect of competitor knowledge on digital compliance. The effect from the exchange with customers remains statistically indistinguishable from zero. Among the remaining control variables only company size exhibits a significant (positive) influence on digital compliance, while the average age of employees does not. The industry (not tabulated) adds 13% points to the explained variance of digital compliance, likely due to exposure and visibility differences and industry-specific norms. Additionally, CSR activities do not significantly promote digital compliance. Overall, including these control variables has more than doubled the adjusted R2 to 0.4317.
After having standardized all independent variables, the generalized variance inflation factors (VIF) were below 2 for all predictors, which indicates that multicollinearity is likely not an issue.
The regression analysis therefore provides support for all three hypotheses H1, H2 and H3.
6. Supplemental analysis: the moderating effect of organizational agility
6.1 Theoretical background of organizational agility
So far, our investigation has mainly considered different information input and ignored possible factors influencing the processes from the information input to digital compliance. Given the dynamic nature of the digital transformation and societal expectations, it is necessary for companies to have structures and processes that enable them to adapt quickly and flexibly. We therefore propose organizational agility as a moderator of isomorphism to better understand the link between isomorphic forces and the actual realization of digital compliance.
Teece et al. (2016) describe organizational agility as an organization’s ability to efficiently and effectively reallocate its resources towards value-enhancing activities in response to internal and external circumstances. This agility requires so-called dynamic capabilities, which are crucial for adapting to the changing environment and actively shaping it as well (see Teece et al., 2016). Teece (2007) categorizes these capabilities as sensing and shaping opportunities and threats, seizing opportunities, and transforming assets (see Warner and Wäger, 2019).
Given the disruptive impact of digital transformation on organizations and their environments, the importance of dynamic capabilities is evident (see Vial, 2019). This is particularly applicable in uncertain settings, where there is no specific risk that can be mitigated (see Teece et al., 2016). Uncertainty not only arises from emerging digital trends and resulting complex value networks regarding customer demands (see Vial, 2019), but also from the respective digital responsibility.
6.2 Measures of dynamic capabilities
We employed several items to describe organizational agility. Similar to Ramachandran (2011), who investigated the influence of dynamic capabilities on CSR practices, we combine sensing and seizing capabilities and further consider transformation capabilities proposed by Teece (2007). Accordingly, the former capabilities involve perceiving social conditions, identifying and addressing social issues, and designing responses to mitigate them, whereas the latter describe leveraging internal and external resources to implement the designed responses and build the required infrastructure (see Ramachandran, 2011).
Exploratory factor analysis affirmed the existence of only two distinct constructs identified as sensing/seizing as well as transformation capabilities. Sensing and seizing capabilities are represented by items assessing companies' engagement with and preparedness for external developments and challenges, while transformation capabilities are depicted by items related to internal processes and resource allocation. The specific items used in the study can be found in the Table A5. We argue that both agility constructs are reflective because the latent variables are likely to influence all the indicators included within each construct.
The statistical analysis reveals satisfactory internal consistency for both constructs (Cronbach's Alpha: 0.844 for sensing/seizing capability and 0.758 for transformation capability). We therefore computed the respective variables for sensing/seizing and transformation capability by using the regression-based factor scores obtained from factor analysis.
6.3 Analysis and results
To analyze the moderation effects, we have extended the models presented above by introducing interaction terms of the two aspects of agility and the respective predictors exchange with customers, knowledge about competitors and professional information input. As in the previous models, we performed an OLS regression for the statistical analysis of the effects, the results of which are shown in Table 5.
The regression results show that organizational agility plays a significant moderating role only in the relationship between knowledge about competitors and digital compliance. Notably, two opposing moderating effects show: while sensing/seizing capability positively influences the effect, transformation capability negatively moderates it.
Including the interaction terms also has impacts on the main effects and their interpretation. When investigating moderation effects, the main effect represents the influence of the predictor variable on the dependent variable in the case of the moderator variable taking the value “0” (see Wooldridge, 2016, p. 178). To reduce multicollinearity, all predictors, including the moderators, were standardized (and thus centered). Therefore, the value “0” of these standardized variables corresponds to the mean of the original variables. Consequently, the coefficient regarding the main effect describes the effect of the predictor on the dependent variable when the dynamic capabilities are at their average values (see Wooldridge, 2016, p. 178). We can therefore deduce that for average dynamic capabilities only the effect of knowledge about competitors remains significant.
We again looked at the generalized VIFs of the included variables to ensure that multicollinearity is not an issue. Only two interaction terms slightly exceeded a generalized VIF of 2, which is generally not problematic, since they generate multicollinearity by definition (see Jaccard and Turrisi, 2003, pp. 27–28).
7. Discussion
7.1 Academic and practical implications
Our study contributes to the academic discourse by extending institutional theory to the realm of digital compliance, offering new insights into how coercive, mimetic, and normative forces shape corporate behavior in the digital age. By analyzing the conditions under which companies engage in digital compliance, our research sheds light on institutional drivers that influence this fundamental aspect of CDR and contributes to the broader literature on CSR with a digital focus. It does not only show that the framework proposed by institutional theory is applicable to digital compliance, but it also finds some concrete drivers that allow important theoretical and practical implications to be derived.
As expected, customer pressure was not found to drive digital compliance, possibly because customers do not directly express their expectations. The results of our hypothesis testing show no significant effect of exchange with customers on digital compliance, supporting our hypothesis. However, it is important to stress that the absence of evidence is not evidence of absence (see Altman and Bland, 1995). So, we cannot conclusively reject nor confirm the hypothesis. Nevertheless, this finding aligns with the literature on customer satisfaction and the CDR-related survey conducted by Schoenheit et al. (2019), which indicates that customers highly value CDR, particularly data protection and security, but take it for granted and are thus unwilling to pay more for it (see Schoenheit et al., 2019, pp. 35–36). It can be deduced from Kano's model of customer satisfaction (Kano et al., 1984) that their expectations are also not specifically directed towards the company (see Matzler et al., 1996) and coercive pressure is not strongly exerted, according to institutional theory.
To meet customer expectations and mitigate related risks, companies should proactively address compliance issues. However, it is questionable whether this applies to all levels of CDR. Although Schoenheit et al. (2019) covered digital responsibility in general, we strongly suspect that compliance-related concerns such as data protection and data security are considered must-be requirements, while other more recent and less-known aspects are not. Practical examples suggest that certain requirements transition from being attractive (not expected and not communicated; see Matzler et al., 1996) to becoming must-be requirements over time, as customers increasingly take them for granted (see Min et al., 2018). This must be considered when transferring the results of our study to other dimensions of CDR.
In contrast to that, adapting to competitors' behavior strongly drives digital compliance. Our regression analysis showed that a company's knowledge about competitors exhibits the strongest effect on digital compliance among the central variables considered. This effect remained significant even when interaction terms were included, i.e. for average values of agile capabilities. This suggests that mimetic forces, in line with CSR literature (e.g. Bondy et al., 2012; Ozdora-Aksak and Atakan-Duman, 2016; Perez-Batres et al., 2010), influence the engagement in digital compliance, further supporting our assumption that digital responsibility and its underlying technologies lead to high uncertainty. This knowledge can be used on the part of the government, NGOs and standard setters to provide clarification and guidelines on the opportunities and risks of digital technologies. Though, these adaptations also indicate that industry standards have been developing and are likely to become more established if proven to be appropriate. Managers should recognize that addressing institutional pressures can reduce or even prevent legal regulations that result from a lack of voluntary responsibility (see Nikolaeva and Bicho, 2011). These mandatory regulations are often stricter and can lead to competitive disadvantages by reducing regulatory flexibility (see Gunningham et al., 2004) as well as adaptiveness to specific organizational properties and hindering innovative practices (see Lynch-Wood et al., 2009).
A third conclusion is that the professionalization of digital compliance leads companies to adopt normative systems, which in turn promotes digital compliance itself. While some authors have found normative isomorphism regarding CSR among companies (e.g. Ozdora-Aksak and Atakan-Duman, 2016), other studies did not (e.g. Jamali and Neville, 2011; Bondy et al., 2012). We argue that one reason for this could be that digital compliance is less company-specific than CSR, particularly in data protection and data security, as underlying values and practices are directly linked to the digital technologies themselves and do not necessarily differ much between companies. Consequently, the distribution and adoption of respective normative systems should be facilitated. Of course, the effect cannot be attributed solely to moral considerations. We believe that especially higher-level CDR also positively influences a company's financial performance, making it a lucrative part of their business cases. Therefore, investigating the impact of CDR on corporate financial performance is crucial for understanding corporate behavior and deriving practical recommendations. Like CSR, managers are more likely to implement CDR practices for strategic reasons if a positive link between CDR and financial performance is proven (see Orlitzky et al., 2003; Hillman and Keim, 2001).
After considering agile capabilities, we only found a significant moderating influence on the relationship between knowledge about competitors and digital compliance. In line with the theory presented, sensing/seizing capability positively affects digital compliance as companies that efficiently select and assess information are more likely to digitally comply after observing competitors. However, our initial assumption that transformation capability would amplify the effect of competitor knowledge on digital compliance is contradicted by a negative effect. Companies with low transformation capabilities might rely more on efficient risk management as they are less able to react quickly and flexibly to sudden changes or events. They gain the required awareness by observing their competitors, which leads them to engage more in digital compliance. In contrast, companies with high transformation capability gain certainty by observing competitors but rely on their flexibility to address identified risks instead of investing in digital compliance. After all, corporate behavior is a consequence of complex trade-offs: While establishing a risk management system is often less costly and more efficient than developing and maintaining flexibility (see Teece et al., 2016), being agile brings advantages in specific situations. Companies can then, e.g. concentrate on other more value-creating activities based on data instead of data protection, which will likely restrict their actions.
While we do not encourage such behavior, (short-term) economic motivations cannot be disregarded. Still, anticipating risks rather than reacting is strategically important, as problem-solving becomes less efficient and effective after an event has occurred (see Gunningham et al., 2004). Companies will prioritize reaction over prevention if the costs of adjustments and negative externalities are low, which might be more likely with digital technologies (e.g. software) (see Teece et al., 2016).
However, the question arises why these mechanisms do not seem to work with other isomorphic forces. Regarding the exchange with customers, it can be intuitively explained since there was no significant effect on digital compliance to begin with. However, when it comes to professional information input, comparing it to knowledge about competitors helps to understand the missing moderation effect. The adoption of best practices regarding data security and protection, defined by professional networks and associations in the form of, e.g. standards and guidelines (see Lobschat et al., 2021), are likely driven by the necessity to avoid competitive disadvantages and meet baseline compliance requirements (see Bondy et al., 2012). This necessity would apply across organizations regardless of their agility. The activities observed among competitors likely extend beyond these basic requirements when competitive advantages are pursued. An additional argument for this explanatory approach is that baseline requirements and related risks, once professionalized, are well-known and thus less uncertain, making agility less significant in this context (see Teece et al., 2016). Teece et al. (2016) argue that capabilities for risk avoidance differ from those for seizing opportunities, making agile capabilities context-sensitive. Consequently, companies may not effectively utilize their dynamic capabilities to seize opportunities in relation to digital compliance.
These observations suggest that managerial motivations outweigh ethical motivations, which is indicated by agile companies engaging less in preventive measures related to competitive disadvantages but instead rely on their flexibility. On the other hand, agile capabilities that improve the efficiency and effectiveness in identifying and anticipating societal challenges promote the adaptation to the company’s environment.
7.2 Limitations and future research
Nonetheless, there are several limitations that must be considered. A major limitation stems from the measurement of our independent variables. For each of the three isomorphic forces, we examined channels through which these forces were expected to operate (exchange with customers, knowledge about competitors, and professional information input). While these provide interesting insights, we did not measure the forces themselves, such as the exertion of pressure, the imitation of competitors, or the aspiration to conform to norms. Although we argue that the use of these channels can serve as proxies for the forces, we recognize that this cannot be equated with direct measurement. Future research could undertake a more nuanced distinction of these effects. The second major limitation relates to the interpretation of the results concerning Hypothesis 1. As hypothesized, we did not find a significant effect of coercive pressure. However, the absence of evidence is not evidence of absence, meaning that our hypothesis cannot be conclusively confirmed or refuted based solely on this study. Additionally, it is important to stress that digital responsibility extends beyond digital compliance, and our findings likely do not extend to higher-level CDR and issues that are less prominent and established. Future research has the potential to uncover potentially arising differences. Furthermore, future investigations could explore expectations and pressures from stakeholders beyond customers, which may present different dynamics and influences on digital compliance and responsibility. Finally, the study primarily focused on large German companies, which may limit the generalizability of the findings to other contexts or smaller enterprises. Further research is necessary to validate these findings across different organizational settings and cultures.
8. Conclusion
The digital transformation offers significant benefits for the economy and society but also carries risks that companies should consider. In this study, we focused on digital compliance as the foundation of CDR. Our aim was to examine how companies incorporate this facet of digital responsibility through institutionalization processes.
Institutional theory has laid the foundation that allowed us to show that digital compliance has been widely institutionalized, at least with respect to data protection and security. Companies adopt the underlying norms and values through professionalization and imitate practices of their competitors. Digital compliance is seen as desirable, likely due to reasons such as avoiding competitive disadvantages, reducing uncertainty, gaining legitimacy, but likely also ethical considerations. However, customers do not seem to directly exert pressure regarding digital compliance, likely because these aspects are now taken for granted and therefore not explicitly demanded.
In summary, the findings of this study provide valuable insights into the institutionalization of digital compliance that can assist managers in developing a deeper understanding of the underlying mechanisms and incorporating them into their strategic decision-making regarding the opportunities and constraints associated with digital compliance as well as shape the institutional framework to their advantage. Furthermore, this study contributes to the existing body of literature by providing insights into the relatively unexplored field of digital compliance in the context of CDR. These findings serve as a foundation for future research in this area, offering potential avenues for further exploration and advancement of the field.
Sample characteristics
| Frequency | Percentage | |
|---|---|---|
| Employees (full-time equivalent) | ||
| <500 | 46 | 28.4 |
| 500–1.999 | 52 | 32.1 |
| 2.000–10.000 | 45 | 27.8 |
| >10.000 | 19 | 11.7 |
| Branches of industry | ||
| Art, culture and sports | 1 | 0.6 |
| Automobile and vehicle construction | 10 | 6.2 |
| Banking and financial services | 6 | 3.7 |
| Construction | 8 | 4.9 |
| Consulting | 6 | 3.7 |
| Consumer goods and trading | 26 | 16 |
| Education and science | 3 | 1.9 |
| Energy, water and environment | 10 | 6.2 |
| Health care and social affairs | 12 | 7.4 |
| Industry and engineering | 30 | 18.5 |
| Insurance | 3 | 1.9 |
| Internet and information technology | 11 | 6.8 |
| Manufacturing | 4 | 2.5 |
| Marketing, PR and design | 1 | 0.6 |
| Personnel services | 3 | 1.9 |
| Pharma and medical technology | 4 | 2.5 |
| Public sector, associations and institutes | 3 | 1.9 |
| Tourism and gastronomy | 5 | 3.1 |
| Transportation and logistics | 6 | 3.7 |
| Other | 10 | 6.2 |
Source(s): Table by authors
Survey items (dependent variable)
| Label | Item |
|---|---|
| Digital compliance | |
| DC_Aa | Our company invests a sufficient amount in data security |
| DC_Bb | What measures do you apply in your company that ensure the protection of your company data? |
| DC_B1 | Password protection for all IT systems |
| DC_B2 | Encryption of data |
| DC_B3 | Regular check of the log files |
| DC_B4 | Encrypted e-mail communication |
| DC_B5 | Training on data security for managers |
| DC_B6 | Further training on data security for IT specialists |
| DC_B7 | Further training on data security for other employees |
| DC_B8 | Others |
| DC_B9 | We do not take any of these measures to protect our company data |
| CDF_Cb | On which digital topics do you offer regular, systematic training for your employees? (Data protection/security) |
Note(s): aSix-point Likert scale; bMultiple choice
Source(s): Table by authors
Survey items (independent variables)
| Label | Item |
|---|---|
| Exchange with customers | |
| CFa | We maintain an intensive and regular exchange with our customers |
| Knowledge about competitors | |
| MF_Aa | We have extensive knowledge about our strongest competitors |
| MF_Bb | Which channels and measures do you use at least once a year to systematically collect information and data on your largest competitors? |
| MF_B1 | Internet research |
| MF_B2 | Publications, e.g. annual reports or press releases |
| MF_B3 | Fairs |
| MF_B4 | Congresses |
| MF_B5 | External agency or consultant |
| MF_B6 | Others |
| MF_B7 | We do not systematically collect information and data on our largest competitors |
| Professional information input | |
| NF_Ab | Which channels and measures do you use at least once a year to systematically collect information and data on your customer target groups? |
| NF_A1 | Internet research |
| NF_A2 | Publications, e.g. studies or press articles |
| NF_A3 | Fairs |
| NF_A4 | Congresses |
| NF_A5 | External agency or consultant |
| NF_A6 | Feedback platforms |
| NF_A7 | Others |
| NF_A8 | We do not systematically collect information and data on our customer target groups |
| NF_Bb | Which channels and measures are used in your company to systematically collect information on new technical and digital trends and developments? |
| NF_B1 | Internet research |
| NF_B2 | Fairs/Congresses |
| NF_B3 | Presentations |
| NF_B4 | Trade publications, e.g. magazines, podcasts |
| NF_B5 | Training courses and seminars |
| NF_B6 | External agency or consulting |
| NF_B7 | Others |
| NF_B8 | We do not use any of the aforementioned channels and measures to systematically collect information on new technical and digital trends and developments |
Note(s): aSix-point Likert scale; bMultiple choice
Source(s): Table by authors
Survey items (control variables)
| Label | Item |
|---|---|
| Level of digitizationa | |
| Please evaluate the extent to which the digitization of processes in the following areas has already been pushed forward in your company | |
| DIG_1 | HR/Personnel |
| DIG_2 | Administration |
| DIG_3 | Development |
| DIG_4 | Purchasing |
| DIG_5 | Production |
| DIG_6 | Marketing |
| DIG_7 | Sales |
| Level of CSRa | |
| How strongly is your company involved in the following areas well beyond your actual business and visible to the public? | |
| CSR_1 | Welfare (e.g. art/culture/education) |
| CSR_2 | Environment (e.g. climate/animal protection) |
| CSR_3 | Market (e.g. respect for human rights in supply chains) |
| CSR_4 | Employees (e.g. health measures) |
| Firm size (measured by number of employees; full-time equivalent) | |
| <500 | |
| 500–1.999 | |
| 2.000–10.000 | |
| >10.000 | |
| Age of employees | |
| What is the average age of the workforce in your company? (Age rounded to whole years) | |
| Industry | |
| Art, Culture and Sports | |
| Automobile and Vehicle Construction | |
| Banking and Financial Services | |
| Construction | |
| Consulting | |
| Consumer Goods and Trading | |
| Education and Science | |
| Energy, Water and Environment | |
| Health Care and Social Affairs | |
| Industry and Engineering | |
| Insurance | |
| Internet and Information Technology | |
| Manufacturing | |
| Marketing, PR and Design | |
| Personnel Services | |
| Pharma and Medical Technology | |
| Public Sector, Associations and Institutes | |
| Tourism and Gastronomy | |
| Transportation and Logistics | |
| Other | |
Note(s): aSix-point Likert scale
Source(s): Table by authors
Survey items (organizational agility)
| Label | Item |
|---|---|
| Sensing/seizinga | |
| SE_1 | Our company thoroughly deals with significant developments in the fields of politics, economy, society, technology, ecology and law |
| SE_2 | We are well prepared for the significant developments relevant to our company |
| SE_3 | We are able to adapt quickly to changes in the dynamic environment of our industry |
| SE_4 | Our managers are quick to adapt to new challenges, e.g. to adjustments in corporate strategy |
| Transformationa | |
| TR_1 | Our internal processes run smoothly |
| TR_2 | Our employees are always provided with the resources and competencies to achieve corporate objectives |
| TR_3 | Our employees learn quickly |
Note(s): aSix-point Likert scale
Source(s): Table by authors
Data source disclaimer: The data used in this study were collected in a survey conducted for the periodical magazine “Stern” (Gronwald, S., Wolf-Doettinchem, L., 2019. Unternehmen Zukunft. Stern 34/2019, 95–102). The authors did not receive any financial compensation and the study was conducted independently.
Descriptive statistics of the items used for the dependent variable
| Min | Max | Mean | SD | |
|---|---|---|---|---|
| Digital compliance | −3.31 | 1.29 | 0 | 1 |
| Investment in data security | 1 | 6 | 5.09 | 1.08 |
| No. of measures used for data protection | 1 | 8 | 5.65 | 1.62 |
| Employee trainings on data protection and security (0 = no, 1 = yes) | 0 | 1 | 0.78 | 0.42 |
Note(s): Min.: minimum, Max.: maximum, SD: standard deviation
Source(s): Table by authors
Descriptive statistics of the items used for the independent variables
| Min | Max | Mean | SD | |
|---|---|---|---|---|
| Exchange with customers | −3.90 | 0.82 | 0 | 1 |
| Knowledge about competitors | −3.44 | 1.66 | 0 | 1 |
| No. of channels used to collect information about competitors | 0 | 6 | 3.50 | 1.42 |
| Knowledge about strongest competitor | 1 | 6 | 4.80 | 1.11 |
| Professional information input | −2.97 | 1.47 | 0 | 1 |
| No. of channels used to collect information about customers | 0 | 7 | 3.80 | 1.89 |
| No. of channels used to collect Information about digital trends | 0 | 7 | 5.00 | 4.26 |
Note(s): Min.: minimum, Max.: maximum, SD: standard deviation
Source(s): Table by authors
Descriptive statistics of the control variables
| No. of items | Min | Max | Mean | SD | |
|---|---|---|---|---|---|
| Level of digitization | 7 | 10 | 42 | 28.93 | |
| Level of CSR engagement | 4 | 4 | 24 | 17.61 | 4.39 |
| Age of employees | 1 | 28 | 50 | 40.39 | 4.26 |
Note(s): Min.: minimum, Max.: maximum, SD: standard deviation. Firm Size and Industry are not tabulated, since they are already included in Table A1
Source(s): Table by authors
Results of hypotheses testing
| Model 1 | Model 2 | |
|---|---|---|
| Coercive forces | ||
| Exchange with customers | −0.021 | −0.099 |
| Mimetic forces | ||
| Knowledge about competitors | 0.102 | 0.242* |
| Normative forces | ||
| Professional information input | 0.388*** | 0.180* |
| Control variables | ||
| Level of digitization | 0.312*** | |
| Level of CSR engagement | 0.080 | |
| Firm size | 0.248** | |
| Age of employees | −0.006 | |
| N | 162 | 152 |
| R2 | 0.2040 | 0.5289 |
| R2adjusted | 0.1890 | 0.4317 |
Note(s): Table 4 shows the results obtained by OLS regression with Digital Compliance as dependent variable. The entries represent the standardized coefficients (β), and the respective statistical significance is indicated by * for p < 0.05, ** for p < 0.01 and *** for p < 0.001. For better readability the table does not contain the dummy variables used to control for the industry; they still have been considered in Model 2. Intercept is 0 for both models, since all variables have been standardized
Source(s): Table by authors
Regression results of the moderating effect of organizational agility
| Coercive forces | |
| Exchange with customers | −0.030 |
| X sensing/seizing | 0.100 |
| X transformation | 0.037 |
| Mimetic forces | |
| Knowledge about competitors | 0.344** |
| X sensing/seizing | 0.270* |
| X transformation | −0.283* |
| Normative forces | |
| Professional information input | 0.045 |
| X sensing/seizing | −0.217 |
| X transformation | 0.024 |
| Control variables | |
| Level of digitization | 0.287*** |
| Level of CSR engagement | 0.086 |
| Firm size | 0.221** |
| Age of employees | 0.011 |
Note(s): Table 5 shows the results obtained by OLS regression with digital compliance as dependent variable including organizational agility as moderating factor. The entries represent the standardized coefficients (β), and the respective statistical significance is indicated by * for p < 0.05, ** for p < 0.01 and *** for p < 0.001. For better readability the table does not contain the dummy variables used to control for the industry; they still have been considered. Intercept is 0 since all variables have been standardized
N = 151, R2 = 0.5801, R2adjusted = 0.4581
Source(s): Table by authors
References
Altman, D.G. and Bland, J.M. (1995), “Statistics notes: absence of evidence is not evidence of absence”, BMJ, Vol. 311 No. 7003, p. 485, doi: 10.1136/bmj.311.7003.485.
Babiak, K. and Trendafilova, S. (2011), “CSR and environmental responsibility: motives and pressures to adopt green management practices”, Corporate Social Responsibility and Environmental Management, Vol. 18 No. 1, pp. 11-24, doi: 10.1002/csr.229.
Barakat, S.R., Isabella, G., Boaventura, J.M.G. and Mazzon, J.A. (2016), “The influence of corporate social responsibility on employee satisfaction”, Management Decision, Vol. 54 No. 9, pp. 2325-2339, doi: 10.1108/MD-05-2016-0308.
Bergkvist, L. and Rossiter, J.R. (2007), “The predictive validity of multiple-item versus single-item measures of the same constructs”, Journal of Marketing Research, Vol. 44 No. 2, pp. 175-184, doi: 10.1509/jmkr.44.2.175.
Bollen, K. and Lennox, R. (1991), “Conventional wisdom on measurement: a structural equation perspective”, Psychological Bulletin, Vol. 110 No. 2, pp. 305-314, doi: 10.1037/0033-2909.110.2.305.
Bondy, K., Moon, J. and Matten, D. (2012), “An institution of corporate social responsibility (CSR) in multi-national corporations (MNCs): form and implications”, Journal of Business Ethics, Vol. 111 No. 2, pp. 281-299, doi: 10.1007/s10551-012-1208-7.
Campbell, J.L. (2007), “Why would corporations behave in socially responsible ways? An institutional theory of corporate social responsibility”, Academy of Management Review, Vol. 32 No. 3, pp. 946-967, doi: 10.5465/amr.2007.25275684.
Carl, K.V., Mihale-Wilson, C., Zibuschka, J. and Hinz, O. (2024), “A consumer perspective on Corporate Digital Responsibility: an empirical evaluation of consumer preferences”, Journal of Business Economics, Vol. 94, pp. 979-1024, doi: 10.1007/s11573-023-01142-y.
Chyung, S.Y.Y., Roberts, K., Swanson, I. and Hankinson, A. (2017), “Evidence-based survey design: the use of a midpoint on the Likert scale”, Performance Improvement, Vol. 56 No. 10, pp. 15-23, doi: 10.1002/pfi.21727.
Cram, W.A., Proudfoot, J.G. and D'Arcy, J. (2017), “Organizational information security policies: a review and research framework”, European Journal of Information Systems, Vol. 26 No. 6, pp. 605-641, doi: 10.1057/s41303-017-0059-9.
Dahlsrud, A. (2008), “How corporate social responsibility is defined: an analysis of 37 definitions”, Corporate Social Responsibility and Environmental Management, Vol. 15 No. 1, pp. 1-13, doi: 10.1002/csr.132.
Deegan, C. (2002), “Introduction: the legitimising effect of social and environmental disclosures – a theoretical foundation”, Accounting, Auditing and Accountability Journal, Vol. 15 No. 3, pp. 282-311, doi: 10.1108/09513570210435852.
Diamantopoulos, A. and Winklhofer, H.M. (2001), “Index construction with formative indicators: an alternative to scale development”, Journal of Marketing Research, Vol. 38 No. 2, pp. 269-277, doi: 10.1509/jmkr.38.2.269.18845.
DiMaggio, P.J. and Powell, W.W. (1983), “The iron cage revisited: institutional isomorphism and collective rationality in organizational fields”, American Sociological Review, Vol. 48 No. 2, pp. 147-160, doi: 10.2307/2095101.
Dowling, J. and Pfeffer, J. (1975), “Organizational legitimacy: social values and organizational behavior”, Pacific Sociological Review, Vol. 18 No. 1, pp. 122-136, doi: 10.2307/1388226.
D'Arcy, J. and Basoglu, A. (2022), “The influences of public and institutional pressure on firms' cybersecurity disclosures”, Journal of the Association for Information Systems, Vol. 23 No. 3, pp. 779-805, doi: 10.17705/1jais.00740.
Feder, M. and Weißenberger, B.E. (2019), “Understanding the behavioral gap: why would managers (not) engage in CSR-related activities?”, Journal of Management Control, Vol. 30 No. 1, pp. 95-126, doi: 10.1007/s00187-019-00275-y.
Freeman, R.E. (1984), Strategic Management: A Stakeholder Approach, Pitman, Boston.
Garland, R. (1991), “The mid-point on a rating scale: is it desirable?”, Marketing Bulletin, Vol. 2, pp. 66-70.
Gjølberg, M. (2009), “Measuring the immeasurable?”, Scandinavian Journal of Management, Vol. 25 No. 1, pp. 10-22, doi: 10.1016/j.scaman.2008.10.003.
Gunningham, N., Kagan, R.A. and Thornton, D. (2004), “Social license and environmental protection: why businesses go beyond compliance”, Law and Social Inquiry, Vol. 29 No. 2, pp. 307-341, doi: 10.1111/j.1747-4469.2004.tb00338.x.
Hamilton, B.H. and Nickerson, J.A. (2003), “Correcting for endogeneity in strategic management research”, Strategic Organization, Vol. 1 No. 1, pp. 51-78, doi: 10.1177/1476127003001001218.
Hillman, A.J. and Keim, G.D. (2001), “Shareholder value, stakeholder management, and social issues: what's the bottom line?”, Strategic Management Journal, Vol. 22 No. 2, pp. 125-139, doi: 10.1002/1097-0266(200101)22:2<125::AID-SMJ150>3.0.CO;2-H.
Jaccard, J. and Turrisi, R. (2003), Interaction Effects in Multiple Regression, 2nd ed., Vol. 72, Sage, Thousand Oaks, CA.
Jamali, D. and Neville, B. (2011), “Convergence versus divergence of CSR in developing countries: an embedded multi-layered institutional lens”, Journal of Business Ethics, Vol. 102 No. 4, pp. 599-621, doi: 10.1007/s10551-011-0830-0.
Jeyaraj, A. and Zadeh, A. (2020), “Institutional isomorphism in organizational cybersecurity: a text analytics approach”, Journal of Organizational Computing and Electronic Commerce, Vol. 30 No. 4, pp. 361-380, doi: 10.1080/10919392.2020.1776033.
Kano, N., Nobuhiku, S., Fumio, T. and Shinichi, T. (1984), “Attractive quality and must-be quality”, Hinshitsu (Journal of Japanese Society for Quality Control), Vol. 14 No. 2, pp. 39-48.
Kaplan, R.S. and Mikes, A. (2012), “Managing risks: a new framework”, Harvard Business Review, Vol. 90 No. 6, pp. 48-58.
Kauppi, K. and Luzzini, D. (2022), “Measuring institutional pressures in a supply chain context: scale development and testing”, Supply Chain Management: International Journal, Vol. 27 No. 7, pp. 79-107, doi: 10.1108/SCM-04-2021-0169.
Larrinaga-Gonzáles, C. (2007), “Sustainability reporting – insights from neoinstitutional theory”, in Unerman, J., Bebbington, J. and O'Dwyer, B. (Eds), Sustainability Accounting and Accountability, Routledge, London, pp. 150-167.
Lobschat, L., Mueller, B., Eggers, F., Brandimarte, L., Diefenbach, S., Kroschke, M. and Wirtz, J. (2021), “Corporate digital responsibility”, Journal of Business Research, Vol. 122, pp. 875-888, doi: 10.1016/j.jbusres.2019.10.006.
Lynch-Wood, G., Williamson, D. and Jenkins, W. (2009), “The over-reliance on self-regulation in CSR policy”, Business Ethics: A European Review, Vol. 18 No. 1, pp. 52-65, doi: 10.1111/j.1467-8608.2009.01548.x.
Martínez, P. and Rodríguez Del Bosque, I. (2013), “CSR and customer loyalty: the roles of trust, customer identification with the company and satisfaction”, International Journal of Hospitality Management, Vol. 35, pp. 89-99, doi: 10.1016/j.ijhm.2013.05.009.
Matten, D. and Moon, J. (2008), “‘Implicit’ and ‘explicit’ CSR: a conceptual framework for a comparative understanding of corporate social responsibility”, Academy of Management Review, Vol. 33 No. 2, pp. 404-424, doi: 10.5465/amr.2008.31193458.
Matzler, K., Hinterhuber, H.H., Bailom, F. and Sauerwein, E. (1996), “How to delight your customers”, The Journal of Product and Brand Management, Vol. 5 No. 2, pp. 6-18, doi: 10.1108/10610429610119469.
Mihale-Wilson, C., Hinz, O., van der Aalst, W. and Weinhardt, C. (2022), “Corporate digital responsibility: relevance and opportunities for business and information systems engineering”, Business and Information Systems Engineering, Vol. 64 No. 2, pp. 127-132, doi: 10.1007/s12599-022-00746-y.
Min, H., Yun, J. and Geum, Y. (2018), “Analyzing dynamic change in customer requirements: an approach using review-based Kano analysis”, Sustainability, Vol. 10 No. 3, p. 746, doi: 10.3390/su10030746.
Nikolaeva, R. and Bicho, M. (2011), “The role of institutional and reputational factors in the voluntary adoption of corporate social responsibility reporting standards”, Journal of the Academy of Marketing Science, Vol. 39 No. 1, pp. 136-157, doi: 10.1007/s11747-010-0214-5.
Oliver, R.L. (1980), “A cognitive model of the antecedents and consequences of satisfaction decisions”, Journal of Marketing Research, Vol. 17 No. 4, pp. 460-469, doi: 10.1177/002224378001700405.
Orlitzky, M., Schmidt, F.L. and Rynes, S.L. (2003), “Corporate social and financial performance: a meta-analysis”, Organization Studies, Vol. 24 No. 3, pp. 403-441, doi: 10.1177/0170840603024003910.
Ozdora-Aksak, E. and Atakan-Duman, S. (2016), “Gaining legitimacy through CSR: an analysis of Turkey's 30 largest corporations”, Business Ethics: A European Review, Vol. 25 No. 3, pp. 238-257, doi: 10.1111/beer.12114.
Parker, L.D. (2005), “Social and environmental accountability research: a view from the commentary box”, Accounting, Auditing and Accountability Journal, Vol. 18 No. 6, pp. 842-860, doi: 10.1108/09513570510627739.
Perez-Batres, L.A., Miller, V.V. and Pisani, M.J. (2010), “CSR, sustainability and the meaning of global reporting for Latin American corporations”, Journal of Business Ethics, Vol. 91 No. S2, pp. 193-209, doi: 10.1007/s10551-010-0614-y.
Puhakainen, P. and Siponen, M. (2010), “Improving employees' compliance through information systems security training: an action research study”, MIS Quarterly, Vol. 34 No. 4, p. 757, doi: 10.2307/25750704.
Ramachandran, V. (2011), “Strategic corporate social responsibility: a ‘dynamic capabilities’ perspective”, Corporate Social Responsibility and Environmental Management, Vol. 18 No. 5, pp. 285-293, doi: 10.1002/csr.251.
Saeidi, S.P., Sofian, S., Saeidi, P., Saeidi, S.P. and Saaeidi, S.A. (2015), “How does corporate social responsibility contribute to firm financial performance? The mediating role of competitive advantage, reputation, and customer satisfaction”, Journal of Business Research, Vol. 68 No. 2, pp. 341-350, doi: 10.1016/j.jbusres.2014.06.024.
Sarkar, S. and Searcy, C. (2016), “Zeitgeist or chameleon? A quantitative analysis of CSR definitions”, Journal of Cleaner Production, Vol. 135, pp. 1423-1435, doi: 10.1016/j.jclepro.2016.06.157.
Schoenheit, I., Wallbott, T., Niedergesäß, U. and Carl, S. (2019), “Verbraucherbefragung CDR – Sachverständigenrat für Verbraucherfragen (Advisory Council for Consumer Affairs), Ergebnisbericht”, 19 November.
Scott, W.R. (2014), Institutions and Organizations: Ideas, Interests, and Identities, 4th ed., SAGE, Los Angeles.
Suchman, M.C. (1995), “Managing legitimacy: strategic and institutional approaches”, Academy of Management Review, Vol. 20 No. 3, p. 571, doi: 10.2307/258788.
Teece, D.J. (2007), “Explicating dynamic capabilities: the nature and microfoundations of (sustainable) enterprise performance”, Strategic Management Journal, Vol. 28 No. 13, pp. 1319-1350, doi: 10.1002/smj.640.
Teece, D.J., Peteraf, M. and Leih, S. (2016), “Dynamic capabilities and organizational agility: risk, uncertainty, and strategy in the innovation economy”, California Management Review, Vol. 58 No. 4, pp. 13-35, doi: 10.1525/cmr.2016.58.4.13.
Unerman, J. and Bennett, M. (2004), “Increased stakeholder dialogue and the internet: towards greater corporate accountability or reinforcing capitalist hegemony?”, Accounting, Organizations and Society, Vol. 29 No. 7, pp. 685-707, doi: 10.1016/j.aos.2003.10.009.
Velez, P. and Ashworth, S.D. (2007), “The impact of item readability on the endorsement of the midpoint response in surveys”, Survey Research Methods, Vol. 1 No. 2, pp. 69-74.
Vial, G. (2019), “Understanding digital transformation: a review and a research agenda”, The Journal of Strategic Information Systems, Vol. 28 No. 2, pp. 118-144, doi: 10.1016/j.jsis.2019.01.003.
Warner, K.S.R. and Wäger, M. (2019), “Building dynamic capabilities for digital transformation: an ongoing process of strategic renewal”, Long Range Planning, Vol. 52 No. 3, pp. 326-349, doi: 10.1016/j.lrp.2018.12.001.
Weijters, B., Cabooter, E. and Schillewaert, N. (2010), “The effect of rating scale format on response styles: the number of response categories and response category labels”, International Journal of Research in Marketing, Vol. 27 No. 3, pp. 236-247, doi: 10.1016/j.ijresmar.2010.02.004.
Wooldridge, J.M. (2016), Introductory Econometrics: A Modern Approach, 6th ed., Cengage Learning, Boston, MA.