Page 1: Managing the Risks of e-Business - London Business …facultyresearch.london.edu/docs/03ManagingtheRisks...  · Web viewThese businesses may begin to trade internationally without

Managing the Risks of e-Business

Dr Nigel Upton

Centre for the Network Economy

CNE WP03/2001

Abstract

E-Business is risky business. The first step towards managing and minimizing the risks must

be to be aware of what those risks are. Although the specific risks will vary between

companies, it is possible – using what we have learnt about the Network Economy – to

identify a set of seven sources of risk. Three of these sources are to be found beyond the

organization’s boundaries: criminals, the commercial environment and legal systems. The

other four risk sources emanate from within the organization: people, processes, technology

and business strategies. This paper looks at each of these seven sources of risk, using real

examples, and suggests practical actions that companies can take to reduce their exposure to

e-business risks.

Introduction

Fresh ways of doing business, new revenue streams, lower costs – e-business offers all these

opportunities, and more. But it is not all plain sailing. Many pure-play “dot-coms” have

failed, while established companies that invest in e-business and get it wrong face a less

profitable future – and those that do not react fast enough face no future at all [Hamel and

Sampler, 1998]. These are not arbitrary outcomes; rather, they stem from absent or

poor-quality information and management decisions. The risks of e-business are everywhere.

Executives have a duty to recognize, gauge and limit those risks.

So what are the risks to be considered when building an e-business organization or e-business

capabilities? Perhaps the two most obvious candidates are the possibility of downtime of

corporate computer systems and the threat posed by hackers trying to attack those systems.

But there exists a broader set of e-business risks than just these two exposures.

First, however, it is helpful to set out a framework for describing these different types of risk. Figure 1 shows the seven risk types that will be considered. A distinction is made between the four risks that have their source within the organization (people, processes, technology, strategy) and the three whose source lies beyond the boundaries of the organization (bad guys, business environment, legal systems). These sources are not isolated from one another. For instance, the significance of the risk of computer viruses created and released into the wild by the ‘bad guys’ depends on the capabilities of the people, processes and technology within a target business. This framework can be used to construct a checklist of e-business risks.

Figure 1: Generic Sources of e-Business Risk (external sources: Bad Guys, Commercial Environment, Legal Systems; internal sources: People, Processes, Technology, Business Strategy)

It is well known that the significance of a risk depends on two parameters – impact and

probability of occurrence. The prime objective of risk management is to minimize the impact

and/or the probability.

Figure 2: Measuring and Reducing Risks (axes: impact, small to large; chance, 0% to 100%)

The Bad Guys

One set of risks comes from those individuals or organizations who, for whatever reason, are

intent on engaging in activities which are illegal (or at least unethical) and potentially

disruptive to the business. Examples of such actions include: fraud, graffiti, denial of service,

viruses and cyber-squatting.

In 2000 the Association of Payment Clearing Services reported £226 million of credit card

fraud, of which £40 million was due to Internet and telephone transactions. More

significantly, the percentage rise in Internet and telephone fraud was 146% compared to 53%

overall. The risk of Internet fraud is borne by the business affected, rather than by the

consumer. Vigilance is essential. For example, suspicion should be aroused if the delivery

address is different from the credit card holder’s address.

One of the benefits of having a website has been the opportunity to promote the company by

telling the world about its products, services and capabilities. This assumes that what the

customer sees is the same as what the business posted on its website! But if you build a wall

and invite people to write on it, you may find that what they say demotes your cause. For

instance, this can occur if a company sets up a ‘chat room’ in which anyone can post their

views. Web ‘graffiti’ has the potential to cause great embarrassment. This should be realized

from the outset and appropriate measures put in place, such as moderation of chat room

discussions. Also, it is wise to go about implementing preventative measures in a quiet way

because claiming that a site is “100% secure from attack” will only act to encourage those

who are intent on causing damage.

For companies that rely heavily on Internet trade, ‘denial of service’ should be considered a

major risk. This involves someone interfering with the technology in such a way as to prevent

the company from carrying out its Internet-based business activities. The company’s

computer systems are caused to disconnect from the Internet or to fail completely. This may

be accompanied by the threat of extortion. Some famous Internet names have been affected

by denial of service including Yahoo!, eBay, CNN.com, Amazon and E*Trade. This is

hardly surprising since the most successful companies have the most to lose.

It might be assumed that the vast majority of large companies have taken action to protect

their systems against attack by computer viruses. However, some work carried out by Upton

Blessing Ltd in the first quarter of 2001 shows that it would be wrong to make such an

assumption about smaller firms. Approximately 40% of the 38 small firms surveyed had

either no or inadequate anti-virus protection. Software is part of the solution, but staff

awareness and clear procedures are just as important.

Cyber-squatting (also known as ‘abusive registration’) occurs when someone registers a

domain name with which they have no legitimate connection and then tries to sell it at a

highly inflated price. The majority of Court judgements have found in favour of the true

brand owner and against the cyber-squatter. However, legal actions distract management

attention. Also, the creation of a web presence would need to be delayed until the dispute is

resolved. It is essential to register company, product and service names with the Internet

authorities as early as possible.

Commercial Environment

There are also perfectly legitimate activities and changes in the commercial environment that

can threaten a company. Customer behaviour, supplier performance and exchange rate

movements all impact on today’s and tomorrow’s profits.

Top tier companies have shown great interest in supporting and developing business-to-

business (B2B) exchanges (e-marketplaces). What will be the effect on second tier and other

firms further down the supply chain? One of the consequences is the aggregation of power by

the top tier businesses in a given industry. The aim is clear – to drive down cost. And, in no

small measure, that will have the effect of reducing margins further down the supply chain.

Procurement may have been ‘hit and miss’ in the past in terms of whether the best buy price

was obtained, but Internet technologies can sweep away customer ignorance. The risks for the

supplier are that they are seen to be uncompetitive or that by lowering their prices they

become unprofitable. It is essential to understand what is going on and to react in a way that

customers can warm to. Companies will always want suppliers, unless we are to see vertical

integration on an unprecedented scale. The real implication is that the management of

customer-supplier relationships and non-price factors will become even more important.

All businesses depend on their suppliers to a greater or lesser degree. For e-businesses three

areas of particular concern are out-sourced IT operations, transportation/logistics and

disintermediation. For instance, if the company’s website is hosted by an Internet Service

Provider (ISP) then product promotion and sales depend on the ISP’s ability to keep the

site ‘on the air’. Likewise, it is essential that goods reach their destination on time, therefore

the performance of logistics suppliers should be monitored carefully. Contingency plans

should be in place so that a switch can be made to alternative suppliers promptly if the

original IT or logistics suppliers fail. It is a question of balance. Web-based businesses have

tended to place most emphasis on the web front-end - this is what is ‘exciting’, new and

‘techie’. But, for the customer, satisfaction comes with taking hold of the product rather than

just ordering it. Finally, there is also the risk of disintermediation whereby a supplier

implements a strategy that cuts out the middleman and sells straight to your customer.

The business risk due to exchange rate movements depends more on the sophistication and

experience of the company than on its move into e-commerce. However, part of the

commercial attraction of the Internet has been the opportunity of even small businesses to sell

to a global market. These businesses may begin to trade internationally without managing

their exposure to adverse exchange rate movements. A simple answer is to charge in the

company’s home currency, thus transferring the risk to the customer; although this approach

may result in lost sales.

Legal Systems

The third external source of risk to be considered here is that of the laws and regulations

which are intended to govern business operations.

There is an increasing amount of relevant legislation that companies need to be aware of. In

the UK this includes the laws relating to Regulation of Investigatory Powers, E-

Communications, Data Protection and even Human Rights. For instance, if a company intends

to read the e-mails of its staff then it must explain this to them in advance and make it a

contractual term of their employment.

Apart from new legislation introduced in response to new e-business technology, it is

essential to remember that all the usual rules still apply – e-businesses do not get a special

dispensation! In particular, the laws on copyright, patents, acceptance and offer,

trademarks and data protection all apply. For example, a UK software company embedded

within its website computer code a trademark name owned and used by one of its rivals. The

trademark was included as a ‘meta-tag’ – a keyword used by search engines to help people

find a website, although the meta-tag cannot be seen on the normal web page that appears on

the user’s screen. The Court ruled that this constituted infringement of copyright.

Consideration must also be given to the laws of other countries in which the business may

now operate through its e-business channels.

Legal advice should be sought as early as possible to avoid any possible difficulties that could

arise.

We have looked at the three external sources of risk (criminal activity, the commercial

environment and legal systems). Let us now consider the four internal sources of risk (people,

processes, technology, strategy).

People

It sounds somewhat negative to say that ‘people’, that is managers and staff, are a source of

risk. They are also the most potent force that a company has to reduce its risk exposure.

Nonetheless the purpose here is to be systematic and it is therefore necessary to consider the

ways in which a company’s personnel can give rise to business risks.

The main issue is one of lax attitudes and lack of understanding. However, it is also possible

that a current or former member of staff could deliberately take disruptive action – becoming

one of the ‘bad guys’.

It has been said that the Internet is about the 3 C’s: Communication, Content and Commerce.

The use of e-mail and websites as communication media has certainly been central to the

adoption of the Internet. But the potential misuse of these media poses a threat to the e-

business. The following examples provide evidence that such risks have already materialized

for some firms. The examples concern data security, the sending of defamatory e-mails and

the publication of untrue information on the web.

When a company holds personal and sensitive details about customers, it is essential that staff

are briefed and motivated to avoid actions that could compromise the security of that data.

This is especially true with respect to financial data, such as bank balances or credit card

numbers. For instance, an individual’s financial data must not be available to other external

users of a web-based banking service. And a company should never send customer credit card

details by e-mail. Incidents such as these have occurred at at least two UK banks. The result is

a lowering of confidence in the organization’s ability to conduct e-business in a way that is in

the best interests of its customers. The damage is compounded if the subsequent public

relations activities fail to acknowledge that the incident is being treated as something of

serious concern to the company.

There are at least two UK examples of settlements being made between companies as the

result of defamatory internal e-mails. One involved a financial services company paying out

£450,000 and the other concerned a utility that had to pay out over £100,000 [Mason,

December 1999/January 2000].

Websites can also be a source of risk. An individual asked a leading ISP to remove from a

newsgroup an e-mail that purported to come from him. The ISP had hosted the site - it

provided the computer server systems on which the message resided - but the ISP had not

posted the message. The ISP made a decision not to remove the message. As a

consequence the ISP had to pay about £500,000 including legal costs.

Mistakes in online advertising could have commercial consequences. In particular, staff must

take care to enter the correct price information. For example, one UK retailer put a decimal

point in the wrong place and advertised TVs for £2.99 each, while a major IT supplier

advertised laptop computers for $1. Although action by consumers to try to force the suppliers

to honour their offers did not materialize in these cases, this should not be considered

sufficient to make a company feel safe to publish erroneous price information.

Everybody is fallible, but awareness training and robust procedures can help to reduce the

chance of erroneous information being published. Employees need to appreciate that, when

they post information on the web, they are actually publishing – not just entering something

onto a computer. And that when they send e-mails these could lead to legal action against the

company for defamation; this even applies to internal e-mails.

Business Processes

The effectiveness and efficiency of a company’s business processes can give rise to a further

set of risks. Arguably, these are risks that a company brings upon itself, perhaps through a

preoccupation with the more visible aspects of managing day-to-day operations. Two

examples will be considered – intellectual property and reliability of delivery.

There has been increasing recognition of the value of the knowledge and information that a

business ‘owns’ and of the need to protect these assets. For instance, for any e-business, data

integrity must be assured. Also, intellectual property must be protected as fully as possible.

Part of the solution is to protect intellectual property (IP) rights through legal contracts, but

there should also be preventative action to ensure that everyone in the organization

appreciates the IP value and acts to maintain it in their day-to-day work. The protection of

computer data and intellectual property both require having rigorous processes in place,

including telling all staff who should be their initial internal point of contact when in doubt.

A business that fails to meet its customers’ delivery expectations is risking the loss of its

customer base. This may be failure to deliver physical goods by the agreed time or it could be

failure to respond to customer e-mail enquiries promptly [Voss, 2000]. Time-critical

deliveries are a particularly potent area of risk. For instance, a well-known toy company made

no friends when it told its customers on 22 December 1999 that orders placed after 14

December would not be delivered in time for Christmas.

Technology

Information and communication technologies are at the heart of an e-business. Properly

managed, these technologies become a key enabler of business success. But what happens when things

go wrong? If these technologies form a ‘digital nervous system’ then an organization that

depends on them will find itself in trouble when they fail. Three issues can be focused on

here: website downtime, mission-critical applications and data integrity.

Downtime is one of the big enemies of an e-business. It causes lost business and, more

significantly, it can mean lost customers – why should a customer return to a website which

does not work? One well-known UK high street retailer had to take its e-business off-line for

two months because of data overload and security problems. This is much more than just

embarrassing. Such an event undermines customer confidence in the company’s ability to

handle transactions and its ability to protect sensitive personal data. After all, why should a

customer trust his or her personal data to a company that cannot even manage its own

information systems? Downtime could also have legal implications if it leads to a company

failing to keep a guarantee; for instance, if it fails to provide electronic delivery by a

contracted date.

Behind the web-front, the technology that says “we are open for business”, there is the back

office where the customer orders are translated into goods and services ready for delivery.

Just as the heart of a manufacturing company can be found on the factory floor, so the heart of

an e-business will be found in the mission-critical application software in the back office.

And, just as with the machines on the shop floor, so these mission-critical ‘apps’ must be well

managed, maintained and developed.

Even if the front and back office systems are running well, a company will have a problem if

data integrity is compromised. This could be caused by internal negligence, misfortune or

hacking from outside the company. For instance, in our recent study of small companies it

was found that 42% of the 38 small companies visited did not have an adequate procedure for

backing-up data.

Business Strategy

Finally, perhaps the greatest risk lies in the choice of business strategy. There must be a

viable route to profitability. The emergence of the Network Economy does not wipe away the

fact that, over an appropriate period, a company must be capable of generating a positive

balance of discounted cash-flows.

Business strategies must be viable, acceptable and sustainable. Let us look at each of these

three concepts and illustrate them with examples based on real-world e-business experiences.

A strategy needs to be viable; that is, it needs “to make sense” and to be offering a product or

service that the market wants now or in the future. A grocery auction is unlikely to be viable

because people will not be prepared to invest more time than the price gains are worth.

Acceptability is about the reactions of other stakeholders. An operation aimed at

disintermediating car dealers will not work if there are powerful suppliers (car

manufacturers) who prefer to sell through their dealer networks. Thus, an e-business needs to

consider the acceptability of its business strategy to the most powerful organizations in the

supply chain.

Finally, on the route to profit, it must be possible to protect a product or service from

imitation or legal action for a sufficient period of time. A peer-to-peer system for sharing

music files may be an exciting use of technology and a concept that attracts millions of users,

but if it cannot be defended as fair practice in the courts then it is not sustainable as a

business strategy.

In cases such as these, it is easy to be critical with hindsight. But innovation carries the

promise of high reward as well as the risk of failure. And innovations that fail at the firm level

may in the long-run benefit other parts of the same business, other companies or society. A

mix of entrepreneurial zest and grey-haired management experience is perhaps the best way

to approach the development of new business strategies in the Network Economy.

Risk Source: Check risk issues:

Bad Guys:
- fraud
- graffiti
- denial of service
- virus attack
- cyber-squatting

Commercial Environment:
- customer behaviour
- supplier performance
- exchange rate movements

Legal System:
- e-business legislation
- standard commercial laws
- laws in overseas markets

People:
- attitudes to data security
- defamatory e-mails
- advertising on the web

Processes:
- intellectual property
- delivery of products/services

Technology:
- website downtime
- mission-critical systems
- security

Business Strategy:
- viability
- acceptability
- sustainability

Figure 3: A Checklist of e-Business Risk Issues

Conclusions

The risk classification model presented here provides a starting point for the management of

e-business risks. The seven risk types can be used to form a practical template for sketching

out the possible specific risks that a company needs to consider. Each of these risks needs to

be evaluated in terms of its scale of impact and probability of occurrence. Finally the risks

need to be managed actively and in a way that recognizes the interdependence between risk

types. Future research will concentrate on extending and validating the e-business risk model

presented here.

References

Hamel G. and J. Sampler, The e-Corporation: More than just Web-based, It’s Building a New

Industrial Order, Fortune, 7 December 1998.

Mason S., Electronic Signatures: The Technical and Legal Ramifications, Computers and

Law, volume 10, issue 5, December 1999/January 2000.

Voss C., Developing an eService Strategy, Business Strategy Review, volume 11, issue 1,

Spring 2000.
