Managing the Risks of e-Business

Dr Nigel Upton
Centre for the Network Economy
CNE WP03/2001

Abstract

E-Business is risky business. The first step towards managing and minimizing the risks must be to be aware of what those risks are. Although the specific risks will vary between companies, it is possible – using what we have learnt about the Network Economy – to identify a set of seven sources of risk. Three of these sources are to be found beyond the organization’s boundaries: criminals, the commercial environment and legal systems. The other four risk sources emanate from within the organization: people, processes, technology and business strategies. This paper looks at each of these seven sources of risk, using real examples, and suggests practical actions that companies can take to reduce their exposure to e-business risks.

1 Introduction

Fresh ways of doing business, new revenue streams, lower costs – e-business offers all these opportunities, and more. But it is not all plain sailing. Many pure-play “dot-coms” have failed, while established companies that invest in e-business and get it wrong face a less profitable future – and those that do not react fast enough face no future at all [Hamel and Sampler, 1998]. These are not arbitrary outcomes; rather, they stem from having no or poor quality information and management decisions. The risks of e-business are everywhere. Executives have a duty to recognize, gauge and limit those risks.

So what are the risks to be considered when building an e-business organization or e-business capabilities? Perhaps the two most obvious candidates are the possibility of downtime of corporate computer systems and the threat posed by hackers trying to attack those systems. But there exists a broader set of e-business risks than just these two exposures. First, however, it is helpful to set out a framework for describing these different types of risk. Figure 1 shows the seven risk types that will be considered.
A distinction is made between the four risks that have their source within the organization (people, processes, technology, strategy) and the three whose source lies beyond the boundaries of the organization (bad guys, business environment, legal systems). These sources are not isolated from one another. For instance, the significance of the risk of computer viruses created and released into the wild by the ‘bad guys’ depends on the capabilities of the people, processes and technology within a target business. This framework can be used to construct a checklist of e-business risk issues.

Figure 1: Generic Sources of e-Business Risk (diagram of the seven sources: Bad Guys, Commercial Environment, Legal Systems, People, Processes, Technology, Business Strategy)

It is well-known that the significance of a risk depends on two parameters – impact and probability of occurrence. The prime objective of risk management is to minimize the impact and/or the probability.

Figure 2: Measuring and Reducing Risks (chart of impact, small to large, against chance of occurrence, 0% to 100%)

The Bad Guys

One set of risks comes from those individuals or organizations who, for whatever reason, are intent on engaging in activities which are illegal (or at least unethical) and potentially disruptive to the business. Examples of such actions include: fraud, graffiti, denial of service, viruses and cyber-squatting.

In 2000 the Association of Payment Clearing Services reported £226 million of credit card fraud, of which £40 million was due to Internet and telephone transactions. More significantly, the percentage rise in Internet and telephone fraud was 146% compared to 53% overall. The risk of Internet fraud is borne by the business affected, rather than by the consumer. Vigilance is essential. For example, suspicion should be aroused if the delivery address is different from the credit card holder’s address.

One of the benefits of having a website has been the opportunity to promote the company by telling the world about its products, services and capabilities.
This assumes that what the customer sees is the same as what the business posted on its website! But if you build a wall and invite people to write on it, you may find that what they say demotes your cause. For instance, this can occur if a company sets up a ‘chat room’ in which anyone can post their views. Web ‘graffiti’ has the potential to cause great embarrassment. This should be realized from the outset and appropriate measures put in place, such as moderation of chat room discussions. Also, it is wise to go about implementing preventative measures in a quiet way because claiming that a site is “100% secure from attack” will only act to encourage those who are intent on causing damage.

For companies that rely heavily on Internet trade, ‘denial of service’ should be considered a major risk. This involves someone interfering with the technology in such a way as to prevent the company from carrying out its Internet-based business activities. The company’s computer systems are caused to disconnect from the Internet or to fail completely. This may be accompanied by the threat of extortion. Some famous Internet names have been affected by denial of service including Yahoo!, eBay, CNN.com, Amazon and E*Trade. This is hardly surprising since the most successful companies have the most to lose.

It might be assumed that the vast majority of large companies have taken action to protect their systems against attack by computer viruses. However, some work carried out by Upton Blessing Ltd in the first quarter of 2001 shows that it would be wrong to make such an assumption about smaller firms. Approximately 40% of the 38 small firms surveyed had either no or inadequate anti-virus protection. Software is part of the solution, but staff awareness and clear procedures are just as important.
Cyber-squatting (also known as ‘abusive registration’) occurs when someone registers a domain name with which they have no legitimate connection and then tries to sell it at a highly inflated price. The majority of Court judgements have found in favour of the true brand owner and against the cyber-squatter. However, legal actions distract management attention. Also, the creation of a web presence would need to be delayed until the dispute is resolved. It is essential to register company, product and service names with the Internet authorities as early as possible.

Commercial Environment

There are also perfectly legitimate activities and changes in the commercial environment that can threaten a company. Customer behaviour, supplier performance and exchange rate movements all impact on today’s and tomorrow’s profits.

Top tier companies have shown great interest in supporting and developing business-to-business (B2B) exchanges (e-marketplaces). What will be the effect on second tier and other firms further down the supply chain? One of the consequences is the aggregation of power by the top tier businesses in a given industry. The aim is clear – to drive down cost. And, in no small measure, that will have the effect of reducing margins further down the supply chain. Procurement may have been ‘hit and miss’ in the past in terms of whether the best buy price was obtained, but Internet technologies can sweep away customer ignorance. The risks for the supplier are that they are seen to be uncompetitive or that by lowering their prices they become unprofitable. It is essential to understand what is going on and to react in a way that customers can warm to. Companies will always want suppliers, unless we are to see vertical integration on an unprecedented scale. The real implication is that the management of customer-supplier relationships and non-price factors will become even more important.

All businesses depend on their suppliers to a greater or lesser degree.
For e-businesses three areas of particular concern are out-sourced IT operations, transportation/logistics and disintermediation. For instance, if the company’s website is hosted by an Internet Service Provider (ISP) then product promotion and sales depend on the ISP’s ability to keep the site ‘on the air’. Likewise, it is essential that goods reach their destination on time, therefore the performance of logistics suppliers should be monitored carefully. Contingency plans should be in place so that a switch can be made to alternative suppliers promptly if the original IT or logistics suppliers fail. It is a question of balance. Web-based businesses have tended to place most emphasis on the web front-end - this is what is ‘exciting’, new and ‘techie’. But, for the customer, satisfaction comes with taking hold of the product rather than just ordering it. Finally, there is also the risk of disintermediation whereby a supplier implements a strategy that cuts out the middleman and sells straight to your customer.

The business risk due to exchange rate movements depends more on the sophistication and experience of the company than on its move into e-commerce. However, part of the commercial attraction of the Internet has been the opportunity for even small businesses to sell to a global market. These businesses may begin to trade internationally without managing their exposure to adverse exchange rate movements. A simple answer is to charge in the company’s home currency, thus transferring the risk to the customer; although this approach may result in lost sales.

Legal Systems

The third external source of risk to be considered here is that of the laws and regulations which are intended to govern business operations. There is an increasing amount of relevant legislation that companies need to be aware of. In the UK this includes the laws relating to Regulation of Investigatory Powers, E-Communications, Data Protection and even Human Rights.
For instance, if a company intends to read the e-mails of its staff then it must explain this to them in advance and make it a contractual term of their employment. Apart from new legislation introduced in response to new e-business technology, it is essential to remember that all the usual rules still apply – e-businesses do not get a special dispensation! In particular, the laws of copyright, patents, offer and acceptance, trademarks and data protection all apply. For example, a UK software company embedded within its website computer code a trademark name owned and used by one of its rivals. The trademark was included as a ‘meta-tag’ – a keyword used by search engines to help people find a website, although the meta-tag cannot be seen on the normal web page that appears on the user’s screen. The Court ruled that this constituted infringement of copyright.

Consideration must also be given to the laws of other countries in which the business may now operate through its e-business channels. Legal advice should be sought as early as possible to avoid any possible difficulties that could arise.

We have looked at the three external sources of risk (criminal activity, the commercial environment and legal systems). Let us now consider the four internal sources of risk (people, processes, technology, strategy).

People

It sounds somewhat negative to say that ‘people’, that is managers and staff, are a source of risk. They are also the most potent force that a company has to reduce its risk exposure. Nonetheless the purpose here is to be systematic and it is therefore necessary to consider the ways in which a company’s personnel can give rise to business risks. The main issue is one of lax attitudes and lack of understanding. However, it is also possible that a current or former member of staff could deliberately take disruptive action – becoming one of the ‘bad guys’.

It has been said that the Internet is about the 3 C’s: Communication, Content and Commerce.
The use of e-mail and websites as communication media has certainly been central to the adoption of the Internet. But the potential misuse of these media poses a threat to the e-business. The following examples provide evidence that such risks have already materialized for some firms. The examples concern data security, the sending of defamatory e-mails and the publication of untrue information on the web.

When a company holds personal and sensitive details about customers, it is essential that staff are briefed and motivated to avoid actions that could compromise the security of that data. This is especially true with respect to financial data, such as bank balances or credit card numbers. For instance, an individual’s financial data must not be available to other external users of a web-based banking service. And a company should never send customer credit card details by e-mail. Such incidents have occurred at at least two UK banks. The result is a lowering of confidence in the organization’s ability to conduct e-business in a way that is in the best interests of its customers. The damage is compounded if the subsequent public relations activities fail to acknowledge that the incident is being treated as something of serious concern to the company.

There are at least two UK examples of settlements being made between companies as the result of defamatory internal e-mails. One involved a financial services company paying out £450,000 and the other concerned a utility that had to pay out over £100,000 [Mason, December 1999/January 2000].

Websites can also be a source of risk. An individual asked a leading ISP to remove from a newsgroup an e-mail that purported to come from him. The ISP had hosted the site - it provided the computer server systems on which the message resided - but the ISP had not posted the message. The ISP decided not to remove the message. As a consequence the ISP had to pay about £500,000 including legal costs.
Mistakes in online advertising could have commercial consequences. In particular, staff must take care to enter the correct price information. For example, one UK retailer put a decimal point in the wrong place and advertised TVs for £2.99 each, while a major IT supplier advertised laptop computers for $1. Although action by consumers to try to force the suppliers to honour their offers did not materialize in these cases, this should not be considered sufficient to make a company feel safe to publish erroneous price information.

Everybody is fallible, but awareness training and robust procedures can help to reduce the chance of erroneous information being published. Employees need to appreciate that, when they post information on the web, they are actually publishing – not just entering something onto a computer. They also need to appreciate that the e-mails they send could lead to legal action against the company for defamation; this applies even to internal e-mails.

Business Processes

The effectiveness and efficiency of a company’s business processes can give rise to a further set of risks. Arguably, these are risks that a company brings upon itself, perhaps through a preoccupation with the more visible aspects of managing day-to-day operations. Two examples will be considered – intellectual property and reliability of delivery.

There has been increasing recognition of the value of the knowledge and information that a business ‘owns’ and of the need to protect these assets. For instance, for any e-business, data integrity must be assured. Also, intellectual property must be protected as fully as possible. Part of the solution is to protect intellectual property (IP) rights through legal contracts, but there should also be preventative action to ensure that everyone in the organization appreciates the IP value and acts to maintain it in their day-to-day work.
The protection of computer data and intellectual property both require having rigorous processes in place, including telling all staff who should be their initial internal point of contact when in doubt.

A business that fails to meet its customers’ delivery expectations is risking the loss of its customer base. This may be failure to deliver physical goods by the agreed time or it could be failure to respond to customer e-mail enquiries promptly [Voss, 2000]. Time-critical deliveries are a particularly potent area of risk. For instance, a well-known toy company made no friends when it told its customers on 22 December 1999 that orders placed after the 14 December would not be delivered in time for Christmas.

Technology

Information and communication technologies are at the heart of an e-business. Properly managed, these technologies become a key enabler of business success. But what happens when things go wrong? If these technologies form a ‘digital nervous system’ then an organization that depends on them will find itself in trouble when they fail. Three issues can be focused on here: website downtime, mission-critical applications and data integrity.

Downtime is one of the big enemies of an e-business. It causes lost business and, more significantly, it can mean lost customers – why should a customer return to a website which does not work? One well-known UK high street retailer had to take its e-business off-line for two months because of data overload and security problems. This is much more than just embarrassing. Such an event undermines customer confidence in the company’s ability to handle transactions and its ability to protect sensitive personal data. After all, why should a customer trust his or her personal data to a company that cannot even manage its own information systems? Downtime could also have legal implications if it leads to a company failing to keep a guarantee; for instance, if it fails to provide electronic delivery by a contracted date.
Behind the web front, the technology that says “we are open for business”, there is the back office where the customer orders are translated into goods and services ready for delivery. Just as the heart of a manufacturing company can be found on the factory floor, so the heart of an e-business will be found in the mission-critical application software in the back office. And, just as with the machines on the shop floor, so these mission-critical ‘apps’ must be well managed, maintained and developed.

Even if the front and back office systems are running well, a company will have a problem if data integrity is compromised. This could be caused by internal negligence, misfortune or hacking from outside the company. For instance, in our recent study of small companies it was found that 42% of the 38 small companies visited did not have an adequate procedure for backing-up data.

Business Strategy

Finally, perhaps the greatest risk lies in the choice of business strategy. There must be a viable route to profitability. The emergence of the Network Economy does not wipe away the fact that, over an appropriate period, a company must be capable of generating a positive balance of discounted cash-flows. Business strategies must be viable, acceptable and sustainable. Let us look at each of these three concepts and illustrate them with examples based on real-world e-business experiences.

A strategy needs to be viable; that is, it needs “to make sense” and to be offering a product or service that the market wants now or in the future. A grocery auction is unlikely to be viable because people will not be prepared to invest more time than the price gains are worth.

Acceptability is about the reactions of other stakeholders. An operation aimed at disintermediating car dealers will not work if there are powerful suppliers (car manufacturers) who prefer to sell through their dealer networks.
Thus, an e-business needs to consider the acceptability of its business strategy to the most powerful organizations in the supply chain.

Finally, on the route to profit, it must be possible to protect a product or service from imitation or legal action for a sufficient period of time. A peer-to-peer system for sharing music files may be an exciting use of technology and a concept that attracts millions of users, but if it cannot be defended as fair practice in the courts then it is not sustainable as a business strategy.

In cases such as these, it is easy to be critical with hindsight. But innovation carries the promise of high reward as well as the risk of failure. And innovations that fail at the firm level may in the long-run benefit other parts of the same business, other companies or society. A mix of entrepreneurial zest and grey-haired management experience is perhaps the best way to approach the development of new business strategies in the Network Economy.

Figure 3: A Checklist of e-Business Risk Issues

Risk Source: Check risk issues:
Bad Guys: fraud; graffiti; denial of service; virus attack; cyber-squatting
Commercial Environment: customer behaviour; supplier performance; exchange rate movements
Legal System: e-business legislation; standard commercial laws; laws in overseas markets
People: attitudes to data security; defamatory e-mails; advertising on the web
Processes: intellectual property; delivery of products/services
Technology: website downtime; mission-critical systems; security
Business Strategy: viability; acceptability; sustainability

Conclusions

The risk classification model presented here provides a starting point for the management of e-business risks. The seven risk types can be used to form a practical template for sketching out the possible specific risks that a company needs to consider. Each of these risks needs to be evaluated in terms of its scale of impact and probability of occurrence.
Finally the risks need to be managed actively and in a way that recognizes the interdependence between risk types. Future research will concentrate on extending and validating the e-business risk model presented here.

References

Hamel, G. and Sampler, J., The e-Corporation: More than just Web-based, It’s Building a New Industrial Order, Fortune, 7 December 1998.
Mason, S., Electronic Signatures: The Technical and Legal Ramifications, Computers and Law, volume 10, issue 5, December 1999/January 2000.
Voss, C., Developing an eService Strategy, Business Strategy Review, volume 11, issue 1, Spring 2000.