Managing the Risks of e-Business

Dr Nigel Upton
Centre for the Network Economy
CNE WP03/2001
Abstract
E-Business is risky business. The first step towards managing and minimizing the risks must
be to be aware of what those risks are. Although the specific risks will vary between
companies, it is possible – using what we have learnt about the Network Economy – to
identify a set of seven sources of risk. Three of these sources are to be found beyond the
organization’s boundaries: criminals, the commercial environment and legal systems. The
other four risk sources emanate from within the organization: people, processes, technology
and business strategies. This paper looks at each of these seven sources of risk, using real
examples, and suggests practical actions that companies can take to reduce their exposure to
e-business risks.
Introduction
Fresh ways of doing business, new revenue streams, lower costs – e-business offers all these
opportunities, and more. But it is not all plain sailing. Many pure-play “dot-coms” have
failed, while established companies that invest in e-business and get it wrong face a less
profitable future – and those that do not react fast enough face no future at all [Hamel and
Sampler, 1998]. These are not arbitrary outcomes; rather, they stem from absent or poor-quality
information and from poor management decisions. The risks of e-business are everywhere.
Executives have a duty to recognize, gauge and limit those risks.
So what are the risks to be considered when building an e-business organization or e-business
capabilities? Perhaps the two most obvious candidates are the possibility of downtime of
corporate computer systems and the threat posed by hackers trying to attack those systems.
But there exists a broader set of e-business risks than just these two exposures.
First, however, it is helpful to set out a framework for describing these
different types of risk. The figure shows the seven risk types that will be
considered. A distinction is made between the four risks that have their
source within the organization (people, processes, technology, strategy)
and the three whose source lies beyond the boundaries of the
organization (bad guys, business environment, legal systems). These
sources are not isolated from one another. For instance, the significance
of the risk of computer viruses created and released into the wild by the
‘bad guys’ depends on the capabilities of the people, processes and
technology within a target business. This framework can be used to
construct a checklist of e-business risks.
[Figure 1: Generic Sources of e-Business Risk. The diagram shows the four internal sources (People, Processes, Technology, Business Strategy) and the three external sources (Bad Guys, Commercial Environment, Legal Systems).]
It is well-known that the significance of a risk depends on two parameters – impact and
probability of occurrence. The prime objective of risk management is to minimize the impact
and/or the probability.
[Figure 2: Measuring and Reducing Risks. A two-axis chart: impact (small to large) against chance of occurrence (0% to 100%).]
The Bad Guys
One set of risks comes from those individuals or organizations who, for whatever reason, are
intent on engaging in activities which are illegal (or at least unethical) and potentially
disruptive to the business. Examples of such actions include: fraud, graffiti, denial of service,
viruses and cyber-squatting.
In 2000 the Association of Payment Clearing Services reported £226 million of credit card
fraud, of which £40 million was due to Internet and telephone transactions. More
significantly, the percentage rise in Internet and telephone fraud was 146% compared to 53%
overall. The risk of Internet fraud is borne by the business affected, rather than by the
consumer. Vigilance is essential. For example, suspicion should be aroused if the delivery
address is different from the credit card holder’s address.
One of the benefits of having a website has been the opportunity to promote the company by
telling the world about its products, services and capabilities. This assumes that what the
customer sees is the same as what the business posted on its website! But if you build a wall
and invite people to write on it, you may find that what they say demotes your cause. For
instance, this can occur if a company sets up a ‘chat room’ in which anyone can post their
views. Web ‘graffiti’ has the potential to cause great embarrassment. This should be realized
from the outset and appropriate measures put in place, such as moderation of chat room
discussions. Also, it is wise to go about implementing preventative measures in a quiet way
because claiming that a site is “100% secure from attack” will only act to encourage those
who are intent on causing damage.
For companies that rely heavily on Internet trade, ‘denial of service’ should be considered a
major risk. This involves someone interfering with the technology in such a way as to prevent
the company from carrying out its Internet-based business activities. The company’s
computer systems are forced to disconnect from the Internet or to fail completely. This may
be accompanied by the threat of extortion. Some famous Internet names have been affected
by denial of service including Yahoo!, e-Bay, CNN.com, Amazon and E*Trade. This is
hardly surprising since the most successful companies have the most to lose.
It might be assumed that the vast majority of large companies have taken action to protect
their systems against attack by computer viruses. However, some work carried out by Upton
Blessing Ltd in the first quarter of 2001 shows that it would be wrong to make such an
assumption about smaller firms. Approximately 40% of the 38 small firms surveyed had
either no or inadequate anti-virus protection. Software is part of the solution, but staff
awareness and clear procedures are just as important.
Cyber-squatting (also known as ‘abusive registration’) occurs when someone registers a
domain name with which they have no legitimate connection and then tries to sell it at a
highly inflated price. The majority of Court judgements have found in favour of the true
brand owner and against the cyber-squatter. However, legal actions distract management
attention. Also, the creation of a web presence would need to be delayed until the dispute is
resolved. It is essential to register company, product and service names with the Internet
authorities as early as possible.
Commercial Environment
There are also perfectly legitimate activities and changes in the commercial environment that
can threaten a company. Customer behaviour, supplier performance and exchange rate
movements all impact on today’s and tomorrow’s profits.
Top tier companies have shown great interest in supporting and developing business-to-business (B2B) exchanges (e-marketplaces). What will be the effect on second tier and other
firms further down the supply chain? One of the consequences is the aggregation of power by
the top tier businesses in a given industry. The aim is clear – to drive down cost. And, in no
small measure, that will have the effect of reducing margins further down the supply chain.
Procurement may have been ‘hit and miss’ in the past in terms of whether the best buy price
was obtained, but Internet technologies can sweep away customer ignorance. The risks for the
supplier are that they are seen to be uncompetitive or that by lowering their prices they
become unprofitable. It is essential to understand what is going on and to react in a way that
customers can warm to. Companies will always want suppliers, unless we are to see vertical
integration on an unprecedented scale. The real implication is that the management of
customer-supplier relationships and non-price factors will become even more important.
All businesses depend on their suppliers to a greater or lesser degree. For e-businesses three
areas of particular concern are out-sourced IT operations, transportation/logistics and
disintermediation. For instance, if the company’s website is hosted by an Internet Service
Provider (ISP) then the product promotion and sales depends on the ISP’s ability to keep the
site ‘on the air’. Likewise, it is essential that goods reach their destination on time, therefore
the performance of logistics suppliers should be monitored carefully. Contingency plans
should be in place so that a switch can be made to alternative suppliers promptly if the
original IT or logistics suppliers fail. It is a question of balance. Web-based businesses have
tended to place most emphasis on the web front-end - this is what is ‘exciting’, new and
‘techie’. But, for the customer, satisfaction comes with taking hold of the product rather than
just ordering it. Finally, there is also the risk of disintermediation whereby a supplier
implements a strategy that cuts out the middleman and sells straight to your customer.
The business risk due to exchange rate movements depends more on the sophistication and
experience of the company than on its move into e-commerce. However, part of the
commercial attraction of the Internet has been the opportunity of even small businesses to sell
to a global market. These businesses may begin to trade internationally without managing
their exposure to adverse exchange rate movements. A simple answer is to charge in the
company’s home currency, thus transferring the risk to the customer; although this approach
may result in lost sales.
Legal Systems
The third external source of risk to be considered here is that of the laws and regulations
which are intended to govern business operations.
There is an increasing amount of relevant legislation that companies need to be aware of. In
the UK this includes the laws relating to Regulation of Investigatory Powers, E-Communications, Data Protection and even Human Rights. For instance, if a company intends
to read the e-mails of its staff then it must explain this to them in advance and make it a
contractual term of their employment.
Apart from new legislation introduced in response to new e-business technology, it is
essential to remember that all the usual rules still apply – e-businesses do not get a special
dispensation! In particular, the laws of copyright, patents, offer and acceptance,
trademarks and data protection all apply. For example, a UK software company embedded
within its website computer code a trademark name owned and used by one of its rivals. The
trademark was included as a ‘meta-tag’ – a keyword used by search engines to help people
find a website, although the meta-tag cannot be seen on the normal web page that appears on
the user’s screen. The Court ruled that this constituted infringement of copyright.
Consideration must also be given to the laws of other countries in which the business may
now operate through its e-business channels.
Legal advice should be sought as early as possible to avoid any possible difficulties that could
arise.
We have looked at the three external sources of risk (criminal activity, the commercial
environment and legal systems). Let us now consider the four internal sources of risk (people,
processes, technology, strategy).
People
It sounds somewhat negative to say that ‘people’, that is managers and staff, are a source of
risk. They are also the most potent force that a company has to reduce its risk exposure.
Nonetheless the purpose here is to be systematic and it is therefore necessary to consider the
ways in which a company’s personnel can give rise to business risks.
The main issue is one of lax attitudes and lack of understanding. However, it is also possible
that a current or former member of staff could deliberately take disruptive action – becoming
one of the ‘bad guys’.
It has been said that the Internet is about the 3 C’s: Communication, Content and Commerce.
The use of e-mail and websites as communication media has certainly been central to the
adoption of the Internet. But the potential misuse of these media poses a threat to the e-business. The following examples provide evidence that such risks have already materialized
for some firms. The examples concern data security, the sending of defamatory e-mails and
the publication of untrue information on the web.
When a company holds personal and sensitive details about customers, it is essential that staff
are briefed and motivated to avoid actions that could compromise the security of that data.
This is especially true with respect to financial data, such as bank balances or credit card
numbers. For instance, an individual’s financial data must not be available to other external
users of a web-based banking service. And a company should never send customer credit card
details by e-mail. Incidents of both kinds have occurred at no fewer than two UK banks. The result is
a lowering of confidence in the organization’s ability to conduct e-business in a way that is in
the best interests of its customers. The damage is compounded if the subsequent public
relations activities fail to acknowledge that the incident is being treated as something of
serious concern to the company.
There are at least two UK examples of settlements being made between companies as the
result of defamatory internal e-mails. One involved a financial services company paying out
£450,000 and the other concerned a utility that had to pay out over £100,000 [Mason,
December 1999/January 2000].
Websites can also be a source of risk. An individual asked a leading ISP to remove from a
newsgroup an e-mail that purported to come from him. The ISP had hosted the site - it
provided the computer server systems on which the message resided - but the ISP had not
posted the message. The ISP decided not to remove the message. As a
consequence the ISP had to pay about £500,000 including legal costs.
Mistakes in online advertising could have commercial consequences. In particular, staff must
take care to enter the correct price information. For example, one UK retailer put a decimal
point in the wrong place and advertised TVs for £2.99 each, while a major IT supplier
advertised laptop computers for $1. Although action by consumers to try to force the suppliers
to honour their offers did not materialize in these cases, this should not be considered
sufficient to make a company feel safe to publish erroneous price information.
Everybody is fallible, but awareness training and robust procedures can help to reduce the
chance of erroneous information being published. Employees need to appreciate that, when
they post information on the web, they are actually publishing – not just entering something
onto a computer. And that when they send e-mails these could lead to legal action against the
company for defamation; this even applies to internal e-mails.
Business Processes
The effectiveness and efficiency of a company’s business processes can give rise to a further
set of risks. Arguably, these are risks that a company brings upon itself, perhaps through a
preoccupation with the more visible aspects of managing day-to-day operations. Two
examples will be considered – intellectual property and reliability of delivery.
There has been increasing recognition of the value of the knowledge and information that a
business ‘owns’ and of the need to protect these assets. For instance, for any e-business, data
integrity must be assured. Also, intellectual property must be protected as fully as possible.
Part of the solution is to protect intellectual property (IP) rights through legal contracts, but
there should also be preventative action to ensure that everyone in the organization
appreciates the IP value and acts to maintain it in their day-to-day work. The protection of
computer data and intellectual property both require having rigorous processes in place,
including telling all staff who should be their initial internal point of contact when in doubt.
A business that fails to meet its customers’ delivery expectations is risking the loss of its
customer base. This may be failure to deliver physical goods by the agreed time or it could be
failure to respond to customer e-mail enquiries promptly [Voss, 2000]. Time-critical
deliveries are a particularly potent area of risk. For instance, a well-known toy company made
no friends when it told its customers on 22 December 1999 that orders placed after 14
December would not be delivered in time for Christmas.
Technology
Information and communication technologies are at the heart of an e-business. Properly
managed, these technologies become a key enabler of business success. But what happens when things
go wrong? If these technologies form a ‘digital nervous system’ then an organization that
depends on them will find itself in trouble when they fail. Three issues can be focused on
here: website downtime, mission-critical applications and data integrity.
Downtime is one of the big enemies of an e-business. It causes lost business and, more
significantly, it can mean lost customers – why should a customer return to a website which
does not work? One well-known UK high street retailer had to take its e-business off-line for
two months because of data overload and security problems. This is much more than just
embarrassing. Such an event undermines customer confidence in the company’s ability to
handle transactions and its ability to protect sensitive personal data. After all, why should a
customer trust his or her personal data to a company that cannot even manage its own
information systems? Downtime could also have legal implications if it leads to a company
failing to keep a guarantee; for instance, if it fails to provide electronic delivery by a
contracted date.
Behind the web front-end, the technology that says “we are open for business”, there is the back
office where the customer orders are translated into goods and services ready for delivery.
Just as the heart of a manufacturing company can be found on the factory floor, so the heart of
an e-business will be found in the mission-critical application software in the back office.
And, just as with the machines on the shop floor, so these mission-critical ‘apps’ must be well
managed, maintained and developed.
Even if the front and back office systems are running well, a company will have a problem if
data integrity is compromised. This could be caused by internal negligence, misfortune or
hacking from outside the company. For instance, in our recent study of small companies it
was found that 42% of the 38 small companies visited did not have an adequate procedure for
backing up data.
Business Strategy
Finally, perhaps the greatest risk lies in the choice of business strategy. There must be a
viable route to profitability. The emergence of the Network Economy does not wipe away the
fact that, over an appropriate period, a company must be capable of generating a positive
balance of discounted cash-flows.
Business strategies must be viable, acceptable and sustainable. Let us look at each of these
three concepts and illustrate them with examples based on real-world e-business experiences.
A strategy needs to be viable; that is, it needs “to make sense” and to be offering a product or
service that the market wants now or in the future. A grocery auction is unlikely to be viable
because people will not be prepared to invest more time than the price gains are worth.
Acceptability is about the reactions of other stakeholders. An operation aimed at
disintermediating car dealers will not work if there are powerful suppliers (car
manufacturers) who prefer to sell through their dealer networks. Thus, an e-business needs to
consider the acceptability of its business strategy to the most powerful organizations in the
supply chain.
Finally, on the route to profit, it must be possible to protect a product or service from
imitation or legal action for a sufficient period of time. A peer-to-peer system for sharing
music files may be an exciting use of technology and a concept that attracts millions of users,
but if it cannot be defended as fair practice in the courts then it is not sustainable as a
business strategy.
In cases such as these, it is easy to be critical with hindsight. But innovation carries the
promise of high reward as well as the risk of failure. And innovations that fail at the firm level
may in the long-run benefit other parts of the same business, other companies or society. A
mix of entrepreneurial zest and grey-haired management experience is perhaps the best way
to approach the development of new business strategies in the Network Economy.
Risk Source: Check risk issues:
Bad Guys: fraud; graffiti; denial of service; virus attack; cyber-squatting
Commercial Environment: customer behaviour; supplier performance; exchange rate movements
Legal System: e-business legislation; standard commercial laws; laws in overseas markets
People: attitudes to data security; defamatory e-mails; advertising on the web
Processes: intellectual property; delivery of products/services
Technology: website downtime; mission-critical systems; security
Business Strategy: viability; acceptability; sustainability
Figure 3: A Checklist of e-Business Risk Issues
Conclusions
The risk classification model presented here provides a starting point for the management of
e-business risks. The seven risk types can be used to form a practical template for sketching
out the possible specific risks that a company needs to consider. Each of these risks needs to
be evaluated in terms of its scale of impact and probability of occurrence. Finally the risks
need to be managed actively and in a way that recognizes the interdependence between risk
types. Future research will concentrate on extending and validating the e-business risk model
presented here.
References
Hamel G. and J. Sampler, The e-Corporation: More than just Web-based, It’s Building a New
Industrial Order, Fortune, 7 December 1998.
Mason S., Electronic Signatures: The Technical and Legal Ramifications, Computers and
Law, volume 10, issue 5, December 1999/January 2000.
Voss C., Developing an eService Strategy, Business Strategy Review, volume 11, issue 1,
Spring 2000.