Cass Business School City of London
Risk Assessment and Risk Management in E-Commerce Environment
Thomas Lagkas Supervisor: Dr. George Tsogas
The project is submitted as part of the requirements for the award of the MSc in Management
London July 2007
ACKNOWLEDGEMENTS Many people helped me to complete this study and I would like to sincerely thank all of them. First of all, I would like to acknowledge my supervisor Dr Tsogas G. for his support and advice. I also want to thank the members of the Brainstorming group, who kindly agreed to help me and make the practical part of my study possible. Many thanks to Dr Lagkas D. T., Dr Kastanis J., Sanidas M., and Papanastasiou C. Last but not least, I want to thank my family and friends for their constant support. This year would have been impossible if they hadn’t stood by my side.
ABSTRACT
E-Commerce is a new and very rapidly growing market that presents great challenges to risk managers. This study is focused on the assessment and management of risks threatening e-trading businesses. First, two techniques, Documented Knowledge and Brainstorming, were used to identify the most important risks. Using two identification techniques proved advantageous, as several risks were recognized by only one of them. At a later stage, Cervone’s method was used to measure and prioritize the identified risks. Among the four risk areas identified by the author, the most significant proved to be the “Technical Environment” and the “Customer relationship”. This is why risk management teams should focus both on the security of their systems and on gaining customers’ trust. Several controls aiming to secure those areas were suggested.
EXECUTIVE SUMMARY
Taking as a fact the fast changing environment of EC and the risks that arise in it, the aim of this study is to analyze those risks. Specifically, the focus of this study is on the risks that are related to the ‘electronic’ part of the business and all the implications this might cause, as opposed to the ones that are common to any kind of business. The focus of this study is on Risk Assessment and Risk Management. Risk Assessment includes three risk processes: Risk Identification, Risk Measurement and Risk Prioritization. Risk Communication, which is also a part of Risk Analysis, will not be examined because specific company information is not available. By using Brainstorming and Documented Knowledge as identification techniques, a list of risks that threaten companies in the EC environment was generated. The Brainstorming group focused on EC areas that present great potential for risks arising. Those areas are: Customer and EC, Regulations and EC, Technical risks in EC, and Organization and EC. After identifying potential risks by using both techniques as mentioned above, the Brainstorming group evaluated those risks in terms of Probability, Impact and Discrimination, based on the cubic structure of Cervone (2006). After measuring the risks, an overall risk factor was calculated for each risk by using Cervone’s formula, and risks were prioritized based on this score.
It is a well known fact that EC is heavily dependent on its technical part. This was also proved by the results of this study, as 50% of the critical risks identified arose from technical issues. Furthermore, the results pointed out the importance of customers’ trust in EC and the significance of the B2C relationship in general. Another 20% of the critical risks were related to the Organization’s strategy. More specifically, risks related to the quality of employees are considered crucial for E-business operations. Finally, laws and regulations pose the smallest threat for E-businesses, as controls for such issues are considered ‘built in’ to processes or as prerequisites for businesses to start operating in the EC environment. Considering the results of Risk Assessment, Risk Management should initially focus on the critical areas of risk. Thus risks arising from hardware/software or customers should be dealt with first. This study reported and proposed certain controls that risk managers should consider in order to protect the company’s assets and mitigate such risks. Sharing risk with insurance companies should also be considered as a measure against risks with low probability and high impact, such as natural disasters. In the EC environment, risk managers should focus initially on security issues regarding information integrity and secondly on customers’ expectations.
TABLE OF CONTENTS
ACKNOWLEDGEMENTS ..................................................................................... 2
ABSTRACT ........................................................................................................... 3
EXECUTIVE SUMMARY ...................................................................................... 4
TABLE OF CONTENTS ........................................................................................ 6
TABLE OF FIGURES ........................................................................................... 8
1. INTRODUCTION ............................................................................................ 9
1.1 OVERVIEW ..................................................................................................... 9
1.2 AIM AND OBJECTIVES .................................................................................... 9
2. LITERATURE REVIEW ............................................................................... 11
2.1 RISK ............................................................................................................ 11
2.1.1 RISK - DEFINITIONS ................................................................................... 11
2.1.2 RISK ASSESSMENT .................................................................................... 11
2.1.2.1. Risk Identification ................................................................................ 14
2.1.2.2. Risk Measurement .............................................................................. 17
2.1.2.3. Risk Prioritization ................................................................................ 20
2.1.3 RISK MANAGEMENT ................................................................................... 20
2.1.4 RISK COMMUNICATION .............................................................................. 21
2.2 E-COMMERCE .............................................................................................. 22
2.2.1 E-COMMERCE - DEFINITIONS ..................................................................... 22
2.2.2 E-COMMERCE ENVIRONMENT .................................................................... 24
2.2.3 CURRENT SITUATION ................................................................................. 25
2.2.4 AREAS OF CYBER-RISK ............................................................................ 26
3. METHODOLOGY ......................................................................................... 29
3.1 RISK ASSESSMENT ...................................................................................... 30
3.1.1 RISK IDENTIFICATION ................................................................................. 30
3.1.1.1. Documented Knowledge ..................................................................... 31
3.1.1.2. Brainstorming ...................................................................................... 32
3.1.2 RISK MEASUREMENT AND RISK PRIORITIZATION ......................................... 35
3.2 RISK MANAGEMENT ..................................................................................... 35
4. RESULTS AND DISCUSSION .................................................................... 36
4.1 IDENTIFIED RISKS ......................................................................................... 36
4.2 RISK MEASUREMENT AND PRIORITIZATION .................................................... 43
4.3 RISK MANAGEMENT ...................................................................................... 45
5. CONCLUSION ............................................................................................. 49
REFERENCES .................................................................................................... 52
TABLE OF FIGURES Figure 1 The Risk Assessment Process ...................................... 14 Figure 2 History of E-commerce term .......................................... 23 Figure 3 Risk Analysis Process.................................................... 30
1. INTRODUCTION
1.1 Overview
We are living in the age of the internet, where a vast number of services and products can be viewed and purchased on-line. Consequently, on-line markets are growing rapidly and offer business opportunities to companies regardless of their size or geographical location. Companies enjoy benefits from online trading and purchasing, such as low operating costs, quick response to customers’ needs and improved efficiency. However, what grows even faster than online markets is their exposure to new risks. Due to the fast growth of internet use, new risks for customers and organizations arise. Companies that conduct their business online have to protect their assets against risks that have never been dealt with before, not even by insurance companies.
1.2 Aim and Objectives
Due to the high importance of risk management in the E-Commerce environment, my aim is to further research and analyze potential or existing risks. Using resources ranging from the World Wide Web (WWW) to published journals and books, I will endeavor to meet the following objectives:
1. Generation of a list of risks that companies in E-Commerce might face.
2. Evaluation of those risks, regarding their impact on the companies.
3. Prioritization of risks identified and evaluated.
4. Examine existing or suggest new ways to manage those risks (control, share/transfer, diversify/avoid).
E-Commerce has not yet been fully explored, as it only emerged a decade ago and has been rapidly evolving since then. This is why it is hard to pin down its exposures, which are changing fast too. I hope that this study will provide further insights towards minimizing those exposures.
2. LITERATURE REVIEW
2.1 Risk
2.1.1 Risk - Definitions
The Oxford English Dictionary (2007) definition of risk is "a chance or possibility of danger, loss, injury or other adverse consequences". Furthermore, according to the Society for Risk Analysis (SRA) glossary, risk is the potential for realization of unwanted, adverse consequences to human life, health, property, or the environment; estimation of risk is usually based on the expected value of the conditional probability of the event occurring times the consequence of the event given that it has occurred.
2.1.2 Risk Assessment
The first step in risk analysis is risk assessment, as a prerequisite to risk management. According to McNamee and Selim (1998), risk assessment comprises three stages:
• risk identification
• risk measurement and
• risk prioritization.
Risk Assessment is an important procedure in the whole risk analysis process, as it defines the objectives of risk management. Sawyer et al. (2003) state that management uses risk assessment as part of ensuring the success of the entity. They also argue that another use of risk assessment is as a tool in the hands of management in the process of designing new systems.
In addition, the importance of risk assessment is also highlighted by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which specifically focuses on how it is used in the internal control environment. According to COSO (2006), risk assessment is a key element of many internal control models, such as the COSO (2006) integrated framework for internal control. While searching through the existing literature regarding the topic of risk assessment, I came to the conclusion that authors give different definitions to Risk Assessment. For example, Main (2004) uses the term ‘Risk Assessment’ to describe what others like McNamee and Selim (1998) describe as “Risk Assessment” and “Risk Management”. Main (2004), in his report “Risk assessment: A review of the fundamental principles”, states that the risk assessment process mainly comprises four stages:
1. Identify hazards.
2. Assess risk.
3. Reduce risk.
4. Document results.
In addition, he states that the objective of the risk assessment
process is to reduce risks to an acceptable (or tolerable) level. More specifically, he divides the assessment process into stages as shown in figure 1. Lichtenstein (1996), analyzing the risk assessment process as a fundamental decision-making process in the development of information security, divides it into two stages: a risk analysis process that defines the scope of risk assessment, identifies information resources (assets), and determines and prioritizes risks to the assets; and a second stage where a risk management process makes decisions to control unacceptable risks. Others like Ziegenfuss (1995) use the term ‘Risk Assessment’ to describe a certain stage of what McNamee and Selim (1998) and Sawyer et al. (2003) define as risk assessment. More specifically, Ziegenfuss (1995), from the internal auditor’s point of view, divides the whole process into three stages: identifying units of the organization to be audited; ranking those units in terms of audit exposure (risk assessment); and allocating resources to as many units as possible (audit scheduling) based on the risk assessment rankings. Comparing the points of view of the different authors described above, it is easy to conclude that while their main structure of risk analysis and their use of the term “Risk Assessment” differ, the specific processes that they use to achieve reduction of the risk’s impact are similar. However, in this research I will use the terminology and structure of risk analysis as directed by McNamee and Selim (1998) and Sawyer et al. (2003), which divide the risk analysis process into three stages:
1. risk assessment (identification, measurement, prioritization)
2. risk management (control the risk, share or transfer the risk, diversify or avoid the risk) and
3. risk communication (between experts, expert to management, management to public).
Figure 1, The Risk Assessment Process (flowchart): 1) Set the limits/scope of the analysis. 2) Identify tasks and hazards. 3) Assess risk, initial (risk scoring system). 4) Reduce risk (hazard control hierarchy). 5) Assess risk, residual (risk scoring system). 6) Residual risk acceptable? (if not, reevaluate the task; then new or next hazard). 7) Results/documentation; evaluation complete.
Source: Main, B. W., Risk Assessment: Basics and Benchmarks
2.1.2.1. Risk Identification
Risk identification is a process that reveals and determines the possible organizational risks as well as the conditions from which risks arise. By risk identification the organization is able to study activities and places where its resources are exposed to risks (Williams et al., 1998). The risk identification process is probably the most important in the series of processes that are used in risk analysis. If risk managers do not succeed in identifying all possible losses or gains that challenge the organization, then these non-identified risks will become non-manageable (Greene and Trieschmann, 1984). Unidentified risks pose even greater danger for organizations, as they are unexpected and can be accounted as vulnerabilities for the entity. Searching through the existing literature on “Risk Identification”, I found a number of techniques that can be used in the process of identifying risks. Different authors emphasize and describe different risk identification techniques. According to McNamee and Selim (1998), internal auditors use a number of methods to identify risks in any endeavor:
• The asset approach: identifying risk from the perspective of the assets’ size, type, portability and location.
• The external environment approach: identifying risk from the perspective of possible changes to the external environment or context.
• The threat scenario approach: identifying risk using a narrative of likely scenarios for specific threats such as natural disasters or frauds (McNamee 1996).
Although McNamee and Selim’s (1998) point of view on
identification techniques is divided into different risk approaches (assets, environment and threat scenario), Main (2004) refers to more specific methods which risk assessment teams can use to identify risks. He states that depending on the complexity of the situation, some or all of the following may apply:
• Use intuitive operational and engineering sense; this is paramount throughout the process.
• Examine system specifications and expectations.
• Review relevant codes, regulations and consensus standards.
• Interview current or intended system users or operators.
• Consult checklists.
• Review studies from other similar systems.
• Consider the potential for unwanted energy releases and exposures to hazardous environments.
• Review historical data, such as industry experience, incident investigation reports, and manufacturer's literature.
• Brainstorming.
In addition, Royer (2000) states two common identification
techniques, the experience-based and the brainstorming-based. Experience-based techniques are based on the risk manager's experience of previously identified risks, giving him the advantage of learning from this experience how to deal with existing risks or how to protect the organization from past risks that might arise again. This technique, in a broader perspective, can include other techniques that focus more on the past or present risk situation rather than the future one. Taking into account the identification methods stated by Main (2004), risk managers’
experience could also be based on reviews of checklists, historical data, similar studies, and generally on any kind of documented knowledge. During brainstorming sessions, group members verbally identify risks and have the opportunity to build on each other's ideas. To achieve the desired outcome it is essential to select participants that are familiar with the topics discussed. There is also a need for relevant documentation to be provided. Finally, the facilitator that leads the group must be aware of the risk process, and a note-taker should be appointed to capture the ideas that are being discussed. A structured brainstorming session, where each group member presents an idea in turn, may be used where not all group members are participating. Structured brainstorming ensures participation by all group members (Acquisition Community Connection, 2007).
2.1.2.2. Risk Measurement
The measurement of risks previously identified could be either quantitative or qualitative, and of course different tools are used in each case. The quantitative approach to the determination of risk parameters requires analysis of historical data through statistical analysis. In many instances, quantitative data is hard to obtain and is restricted to a very small domain of the problem where historical trends could be sustained (Ahmed A. et al., 2007). The quantitative approach needs historical statistical information in order to be accurate; however, this is not always available to the risk management team, thus the qualitative approach is more commonly used. A number of techniques can be found in the existing literature.
McNamee and Selim (1998) state some risk measurement methods that are usually used by internal auditors. Those are:
• Direct Probability Estimates: measuring risk by assigning probabilities to an event’s likelihood and consequence.
• Normative tables: measuring and classifying risk into categories such as “High”, “Medium”, and “Low” based on a description of the conditions or expected consequences.
• Comparative Risk Ranking: measuring one risk against another in relative terms or by using special ranking tools such as pair-wise comparisons (the Analytic Hierarchy Process).
By reviewing the existing literature I concluded that a commonly
used technique in qualitative measurement of risk is matrix analysis (Sawyer 2007; Royer 2002; McNamee and Selim 1998; Cervone 2006). Although there are different versions of this technique, the main idea is the same in all of them. The matrix takes into consideration two dimensions: the probability of the examined risk occurring, and the impact of the risk in the case of occurrence. Probability and impact are each evaluated as “low”, “medium” or “high”. In my opinion, the most effective version among the ones I reviewed is Cervone’s. He takes the matrix into a third dimension by adding a new parameter called ‘discrimination’. According to Cervone (2006), ‘discrimination’ is based on criteria from Kendrick (2003) and is unique within simple decision-based models. It provides an additional perspective that is designed to gauge the impact of the risk on the overall framework of the project, rather than looking at each risk as an independent variable within the project. The levels of discrimination are:
• High effect – one point – project objectives are at risk; this risk will result in a mandatory change to scope, schedule, or resources.
• Medium effect – three points – project objectives will be achieved, but significant replanning will be required.
• Low effect – five points – no major plan changes will result; the risk is an inconvenience or can be handled with minor overtime work.
For the other dimensions Cervone uses a similar grading system as
follows. According to Cervone (2006), the first dimension, impact, is taken directly from the research of Lansdowne (1999) and uses a five-point scale for evaluating risk impact:
• Critical risk – five points – would cause program failure.
• Serious risk – four points – would cause major cost or schedule increases; secondary requirements may not be achieved.
• Moderate risk – three points – would cause moderate cost/schedule increases; important requirements would still be met.
• Minor risk – two points – would cause only small cost/schedule increases.
• Negligible risk – one point – would have no substantive effect on cost or schedule.
The second dimension, probability, is based on Kendrick’s (2003)
rubric of:
• High probability – five points – likely occurrence with a 50 percent or greater chance.
• Medium probability – three points – unlikely, with a 10 percent to 49 percent chance of occurrence.
• Low probability – one point – very unlikely, with a 10 percent or less chance of occurrence.
2.1.2.3. Risk Prioritization
The next step in Risk Assessment is Risk Prioritization. After evaluating and measuring the possible risks and their factors, those have to be ranked. This step is not considered by all authors as a separate part of the overall risk analysis. For example, Cervone (2006) deals with risk ranking as a process that is embedded in the risk evaluation process. Although he refers to the whole process not as Risk Evaluation but as Risk Prioritization, most of his discussion in the chapter is related to evaluating risks rather than prioritizing them. Risk prioritization is mainly the natural outcome of the evaluation/measurement of the risks, as after this step risks can easily be ranked by their severity and, therefore, their overall potential impact on the project. The risk prioritization process essentially provides the risk management team with the necessary information regarding which are the top risks that need to be managed.
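The three scales quoted in the Risk Measurement section and the ranking step described here, as an added worked example (not code from the thesis or from Cervone): each risk receives impact, probability and discrimination points from the rubrics on this page, an overall factor is computed, and the register is ranked. The combination rule used here, impact × probability divided by discrimination, is an assumption, since this section names Cervone’s formula without stating it; the risk register and its percentages are constructed sample data.

```python
"""Three-dimensional risk scoring and ranking in the style of Cervone (2006).

Added example, not code from the thesis.  The three scales (impact, probability,
discrimination) are the point values quoted in the literature review.  The way
the three point values are combined into one overall factor is an ASSUMPTION:
impact * probability / discrimination, so that a high-effect (1-point)
discrimination raises the factor and a low-effect (5-point) one lowers it.
"""
from dataclasses import dataclass

# Impact: Lansdowne (1999) five-point scale, as quoted by Cervone (2006).
IMPACT_POINTS = {
    "critical": 5,    # would cause program failure
    "serious": 4,     # major cost/schedule increases
    "moderate": 3,    # moderate increases; important requirements still met
    "minor": 2,       # only small cost/schedule increases
    "negligible": 1,  # no substantive effect on cost or schedule
}

# Discrimination: Kendrick (2003) criteria, as quoted by Cervone (2006).
# Note the inverted scale: the worse the effect on the project, the fewer points.
DISCRIMINATION_POINTS = {
    "high": 1,    # objectives at risk; mandatory change to scope/schedule/resources
    "medium": 3,  # objectives achieved, but significant replanning required
    "low": 5,     # no major plan changes
}


def probability_points(chance_percent: float) -> int:
    """Map an estimated chance of occurrence to Kendrick's three-level rubric.

    50% or greater -> high (5 points); 10% to 49% -> medium (3 points);
    10% or less -> low (1 point).  Exactly 10% is 'low' under the rubric.
    """
    if not 0 <= chance_percent <= 100:
        raise ValueError(f"chance must be a percentage, got {chance_percent}")
    if chance_percent >= 50:
        return 5
    if chance_percent > 10:
        return 3
    return 1


@dataclass(frozen=True)
class Risk:
    name: str
    area: str               # one of the thesis's four EC risk areas
    impact: str             # key of IMPACT_POINTS
    chance_percent: float   # estimated probability of occurrence
    discrimination: str     # key of DISCRIMINATION_POINTS

    def factor(self) -> float:
        """Overall risk factor (assumed combination rule, see module docstring)."""
        return (IMPACT_POINTS[self.impact]
                * probability_points(self.chance_percent)
                / DISCRIMINATION_POINTS[self.discrimination])


def prioritize(risks):
    """Rank risks by descending factor; ties broken by impact, then by name."""
    return sorted(risks, key=lambda r: (-r.factor(), -IMPACT_POINTS[r.impact], r.name))


def area_shares(risks, top_n):
    """Percentage share of each area among the top_n ranked risks.

    This mirrors the thesis's observation that a given share of the critical
    risks came from the technical area.
    """
    top = prioritize(risks)[:top_n]
    counts = {}
    for r in top:
        counts[r.area] = counts.get(r.area, 0) + 1
    return {area: 100 * n / len(top) for area, n in counts.items()}


# Constructed sample register (hypothetical values), labelled by the four
# areas the thesis uses: Technical, Customer, Organization, Regulations.
SAMPLE_REGISTER = [
    Risk("Payment gateway outage", "Technical", "serious", 30, "high"),
    Risk("Customer data breach", "Technical", "critical", 15, "high"),
    Risk("Loss of customer trust after bad service", "Customer", "serious", 55, "medium"),
    Risk("Key IT staff leave", "Organization", "moderate", 40, "medium"),
    Risk("Change in consumer-protection regulation", "Regulations", "minor", 8, "low"),
]


if __name__ == "__main__":
    for rank, r in enumerate(prioritize(SAMPLE_REGISTER), start=1):
        print(f"{rank}. {r.factor():5.2f}  [{r.area}] {r.name}")
    print(area_shares(SAMPLE_REGISTER, top_n=4))
```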
2.1.3 Risk Management
Key concepts in risk management are the acceptance of a certain amount of risk as the price for operations and the expectation of some rewards; in other words, managers put assets at risk to achieve objectives, so a certain level of risk is to be expected (McNamee and Selim 1998). In order to manage risk properly, there are a number of methods risk managers can use. Risk managers have to approach risk both pro-actively and reactively in order to avoid risk, reduce the likelihood of risk, reduce the impact of risk, transfer risk, or retain the risk (Royer, 2000; McNamee and Selim, 1998; Risk Management Standard AS/NZS 4360). Risk avoidance is the most effective way of managing risk. This entails making a decision not to enter into a new way of doing business because of the inherent risks this would introduce (Business Link, 2007). Risks are shared, transferred or apportioned through contractual arrangements so that the total burden of risk does not fall on one operation or one organization (McNamee and Selim, 1998). Finally, according to McNamee and Selim (1998), a risk’s likelihood and impact can be reduced by establishing proper internal control systems.
2.1.4 Risk Communication
Risk communication is the last stage in the risk analysis process. This is an essential part of the overall effort to deal with existing and potential risks, as everybody that is involved in the organization needs to have a clear view and understanding of those risks. This is why McNamee and Selim (1998) state the following as critical parts of risk communication:
• Expert-to-expert communication through common language in order to combine risk expertise.
• Expert-to-management communication in order to gain the support needed to face the organization’s risks.
• Management-to-the-public communication.
2.2 E-Commerce
2.2.1 E-commerce - Definitions
When it comes to defining risk in EC, there is no widely accepted definition. Mceachern’s (2001) term for risk in the E-Commerce environment is “Cyber Risk”. The United Nations Centre for Trade Facilitation and Electronic Business (UN/CEFACT/ECAWG, 1997) defines E-Commerce as doing business electronically. More specifically, CEFACT describes EC as the sharing of structured or unstructured business information by any electronic means with suppliers, customers and other partners to conduct and execute trade transactions in business-to-business and business-to-consumer activities, without regard to business sectors, size of the enterprises concerned or the value of the transaction. According to Leyshon et al. (2005), the term ‘E-Commerce’ emerged around 1995, this being the year of Netscape’s Initial Public Offering (IPO) on NASDAQ and the year that technology companies such as Dell and Cisco began to utilize the Internet for commercial transactions. Leyshon et al. (2005) also state that the first use of the term ‘E-Commerce’ in a publication was in November 1993, in an article in the Californian paper, the San Jose Mercury News. As shown in figure 2, the term E-Commerce and related terms such as ‘Electronic Commerce’ or ‘Electronic Commerce and Internet’, which were referred to by scientific texts, became more common around 1999-2000.
Throughout the history of mankind, the ways of trading have constantly been changing due to man’s ambition to do business faster, easier and cheaper. This happened in terms of speed, the people participating in the processes, the geographical range of trade, etc. The most recent way of trading before the age of the Internet that is in a way similar to E-Commerce was catalog shopping. People chose products through catalogs and purchased them through phone orders. From this perspective, E-Commerce is the present improved way of doing business. This did not come without drawbacks. Many dangers and risks threaten this newly discovered field.
Figure 2 History of E-commerce term
Comparison of Web of Science (WOS) scientific texts with reference to the terms ‘E-Commerce’, ‘electronic commerce’, and ‘electronic commerce’ and the ‘internet’. (Source: Leyshon A. et al. 2005)
2.2.2 E-Commerce environment
Environment in general, according to The American Heritage Dictionary of the English Language (2007), is the totality of circumstances surrounding an organism or group of organisms, especially:
• The combination of external physical conditions that affect and influence the growth, development, and survival of organisms
• The complex of social and cultural conditions affecting the nature of an individual or community.
Regarding the E-Commerce environment, E. R. Cooley (2006) divides it into the immediate and the external environment. The immediate environment consists of:
• the customers that purchase or bid online,
• the suppliers of the products or the services, and
• the intermediaries.
Intermediaries are those that provide their services in order to bring sellers and buyers closer by making a purchase feasible. Such intermediaries are banks, internet providers etc. Furthermore, a key element of the immediate environment of E-Commerce is competition. Competitors are considered part of the immediate environment on the basis that competition holds a key role in the way business is conducted in the specific marketplace, thus it directly affects every company that is doing business in this market.
Moreover, Cooley (2006) argues that the external environment of E-Commerce comprises elements such as law, public opinion, cultures, ethical and moral constraints, economy and technology.
2.2.3 Current situation
A survey released by The St. Paul Companies (2002), called “The E-Frontier 2002: Continuing Threats to Corporate Risk Management”, reports some very interesting figures. It is reported that while more than half of the companies surveyed engage directly in E-Commerce and another 16% plan to launch such enterprises in the next year, only one in five IT managers and one in ten risk managers rate Internet risk as “major”. Despite that, 75% of both groups see technology risk increasing over the next two to three years. An outstanding outcome of the survey was that employees have a poor understanding of cyber-risk, which consequently has a bad impact on overall E-Commerce risk management. Even more striking is the fact that, although about three-fourths of risk managers and IT managers rate employees’ understanding as “fair” or “not very good”, less than half the companies are doing anything about it. Furthermore, regarding the gaps in “Cyber-risk” management, the survey shows that among the 251 risk managers and 250 IT managers interviewed, most risk managers say they rely on their IT investment and “prevention” to reduce Internet-related risk. They also argue that their current insurance policies offer sufficient protection. However, only about half of the risk managers surveyed have actually reviewed their existing policies in order to assess whether they are covered for Internet liability exposures, the survey says.
Further research by the author revealed that several companies acknowledge the significance of Cyber-risk and carry out risk management practices focusing especially on E-Commerce risks. For example, PayPal Inc., a unit of eBay Inc., identified its exposures to internet fraud and the great impact those have on its business. One of the actions taken by PayPal Inc. in order to mitigate the risk of online identity theft was to offer its customers a free download of anti-phishing software. One of the areas of the E-market most liable to exposure is on-line payment. Companies differentiate their payment strategies from one another in order to reduce the possibility of such exposures occurring. According to Gamble R. (2000) there are three e-payment methodologies:
• Business to business (B2B) e-marketplaces that introduce buyers and sellers through their sites and send them offline to arrange settlement in traditional ways.
• Some leave it to the buyer to determine how to initiate payment and to the seller to initiate collection when payments are overdue. Only purchase orders, invoices etc. are handled online.
• Finally, a growing number of companies are working with E-Commerce support businesses or directly with lenders and buyers to allow settlement to occur over their sites.
2.2.4 Areas of Cyber-Risk
While examining the literature regarding the classification of Cyber-risk, I discovered that there are a number of different ways of categorizing risk in the Electronic Commerce environment.
Grzebiela (2002) suggests four levels of risk in E-Commerce:
• Technical risk level, which includes risks associated mostly with security exposures and generally exposures related to defaults in hardware and software.
• Individual risk level, including exposures of the company related to users’ privacy.
• Economic risk level, which is related to those economic effects that result in loss of sales or reputation.
• Societal risk level. This risk level includes risks that derive from factors such as industrial espionage, e-terrorism etc.
McNamee and Chan (2001) define three critical areas in managing risk in E-Commerce:
• Customer expectation,
• Reputation and
• Information integrity.
McDaniel (2000) pays more attention to the company’s assets, classifying Cyber-risks in two categories:
• first-party losses and
• third-party losses.
First-party losses refer to exposures that impact hardware, software, networks and other assets of the e-businesses, such as attacks from hackers breaching physical or logical security. On the other hand, third-party losses include risks that derive from unsatisfied customers, due to bad service which might result from first-party losses. As we can see, there is a strong link between those two categories, although this is not always the case. Lastly, Wat et al. (2005) identified ‘technical’, ‘organizational’, and ‘environmental’ as primary source categories of Cyber-risk. In the technical risk category they address mostly risks associated with security issues, arising from defaults in software (firewalls, antivirus, anti-spyware etc.) or hardware. They also suggested that the human factor using the above systems can cause gaps in security, either by mistake or with intention. The organizational risk category includes risks that derive mainly from lack of organizational resources such as money, time, and staff. Environmental risks are considered those that derive from exposures through interactions of the e-companies with third parties, i.e. customers, government (regulation), suppliers etc.
3. METHODOLOGY
As stated before, the aim of this study is to assess and manage the risks related to E-Commerce. The objectives that have to be met in order to fulfill this aim are:
1. Generation of a list of risks that companies in E-Commerce might face.
2. Evaluation of those risks, regarding their impact on the companies.
3. Prioritization of the risks identified and evaluated.
4. Examination of existing, or suggestion of new, ways to manage those risks (control, share/transfer, diversify/avoid).
In this chapter I will describe the methodology I will use in order to meet the above objectives. The overall sequence of stages that form the Risk Analysis process is shown in Figure 3. The Risk Communication part will not be discussed in this study.
Figure 3: Risk Analysis Process (diagram). Labels: Risk Analysis comprises Risk Assessment (Risk Identification, Risk Measurement, Risk Prioritization), Risk Management (Control the Risk, Share/Transfer the Risk, Diversify/Avoid the Risk) and Risk Communication (Between Experts, Expert to Management, Management to the Public).
3.1 Risk Assessment
3.1.1 Risk Identification
In order to identify existing or potential risks in the EC environment I will use two identification techniques. The two techniques to be used in this study are “Documented Knowledge” (DK) and “Brainstorming”. By combining those techniques, I intend to take advantage of past experience, found in DK (Royer, 2000), in addition to new ideas that are expected to arise in a brainstorming session. I believe this approach will give much more accurate results than if only one of the techniques were used, as I will be able to:
• consider risks that have already occurred in the past and examine whether they could arise again in the future,
• expose areas of uncertainty regarding the current situation and
• predict future risks that might arise in the area of interest, helping in this way to take measures to prevent them.
3.1.1.1 Documented Knowledge
Documented Knowledge is not as well specified a technique as brainstorming, as it is based on research, studies, surveys, case studies, checklists, articles and generally any kind of past experience on the subject of EC risks. By researching previous studies that identify risks related to EC I will be able to gain a better understanding of the risks that arose in the past and thus create a more complete list of risks, in addition to the brainstorming results. More specifically, while examining the existing literature regarding past and current risks of EC I found a number of studies that identified a number of risks, using several different techniques. The sources I will use are:
• A Delphi survey on EC project development risks by Addison T. (2003),
• An exploratory factor analysis on EC potential risks by Wat F.K.T. et al. (2005),
• An article on EC risks, a publication in “Property & Casualty/Risk & Benefits Management” by Howard S. L. (2000),
• A technical paper “A conceptual risk framework for internal auditing in e-commerce” by Pathak J. (2004),
• A paper by Pavlou A. P. (2003) with the title “Consumer acceptance of Electronic Commerce: Integrating trust and risk with the technology acceptance model” and
• A publication by McNamee and Chan (2001) “Understanding Ecommerce risk”.
3.1.1.2 Brainstorming
The effectiveness of a Brainstorming session is heavily dependent on the people participating. The background of all members of the Brainstorming group should be considered. In this case, I decided to select five individuals with different professions and areas of knowledge, who would be able to contribute to the results from different perspectives. The fields of expertise of the members chosen, including myself, are Computer Networks (security), Computer software-hardware, Law, Psychology and Management. Those specialists were chosen because they are familiar with the areas that present great potential for risk to arise. My intention is to get information and ideas regarding the key risk areas of E-Commerce, which are:
• The internet and the networks that are used to make E-Commerce transactions feasible,
• Hardware and software,
• The laws and regulations that E-Commerce companies have to comply with,
• The customers’ behavior and expectations in the E-Commerce environment and
• Management of information and resources.
The five people that will participate in the brainstorming session, including myself, are:
• Dr Lagkas D. Thomas, who is a specialist in Computer Networks,
• Dr Kastanis Jason, who is a professional expert in subjects related to Computer Science, programming Virtual Environments, hardware and statistics,
• Sanidas Michael, who is a professional lawyer,
• Papanastasiou Chrisoula, who is a psychologist and
• myself, Lagkas G. Thomas, postgraduate student of the MSc in Management.
The basic problem that I had to face was that not all members of the Brainstorming group live in London, thus I had to find a way to bring the team together. Acting in that direction, I introduced the use of Microsoft Windows Live Messenger BETA 8.5 and web-cameras to conduct a teleconference. Another issue I had to deal with was the internet connection speed, as it is an essential factor in achieving good performance of the audio and video online and thus proper communication. Using five different computers connected to the Internet would make the faster internet connections slow down to the speeds of the slower connections. This is why, in order to avoid that, we used only two computers. Three members of the group will meet in an office in Thessaloniki and the other two in my home, here in London, on 15-7-2007 at 17:00 UK GMT. Among the different kinds of brainstorming sessions I decided to use the structured one. Structured Brainstorming requires each member to add a risk when his/her turn comes. I will be the facilitator of the session, being the one responsible for putting on the table the areas of risk on which the team has to express ideas. Those areas of risk will be Customer and EC, Regulations and EC, Technical risks in EC and Organization and EC. Also, a note-taker is to be appointed. Specifically, the brainstorming session will follow certain rules. The session will be divided into two parts. In the first part I, as the facilitator, will ask the team to write down in notes the ideas that come first to their minds. Then each participant will state one idea at a time, following a clockwise sequence, and the note-taker will write them on an A1 sheet of paper so that all members can see them. After all the first ideas are recorded on the sheet of paper the team will take a break of about 15 minutes. As soon as all members come back from the break, the second part of the brainstorming session will begin. In this part I will first state the area of risk to which the members have to add risks, in the same way as in part one (one risk at a time). I will move the discussion on to different areas of risk when no new risks are expressed. Members will be free to add risks at any time in areas of risk that were already discussed. Also, members will be able to build on others’ ideas, but no criticism will be allowed. Moreover, I thought that if the Brainstorming group read the list of risks generated by the other studies it would affect their clear thinking. This would result in repeating the risks they had read, whereas my expectation from this group is to be highly creative by expressing ideas drawn from each member’s expertise; thus I will only show the group the risks identified by other studies after the end of the brainstorming session.
3.1.2 Risk Measurement and Risk Prioritization
In this part of my research, my intention is to critically assess the impact and the probability of occurrence of the identified risks, as well as to prioritize them. The assessment of the identified risks will be qualitative as opposed to quantitative, due to the lack of available historical data. The qualitative assessment of the risks will be achieved by using risk assessment matrices similar to those proposed by Cervone (2006). Matrices of this type are formed by three dimensions instead of two: “impact”, “probability”, and “discrimination”. The brainstorming group, after identifying the potential risks of EC, will move on to evaluate those risks in addition to those identified by other studies. The point system that will be used by the Brainstorming group in order to measure the identified risks will be that proposed by Cervone (2006), as described in the previous chapter. Each risk will be marked separately by all team members in terms of all three dimensions mentioned above. For each dimension of each risk the members will argue and decide on the points to be assigned. Then, by using Cervone’s formula (see F1) the team will be able to prioritize the identified and measured EC risks in terms of severity of risk.
Overall Risk Factor = (Probability x Impact) / Discrimination (F1)
3.2 Risk Management
During risk management, and by taking into account the results of the previous steps, my intention is to examine existing or propose new ways to deal with the risks that were identified either by the Brainstorming group or by previous studies (DK).
4. RESULTS AND DISCUSSION
4.1 Identified risks
The studies that I used in the ‘Documented Knowledge’ method identify two different types of risks: the type that is associated with the e-nature of EC and the type that affects all businesses in general. This second type of risk is outside the scope of this study and the Brainstorming group was also advised not to take it into account. After discussing the potential risks of EC, the brainstorming group arrived at a list of potential risks. All members contributed to the construction of the list as it was a structured brainstorming session, as mentioned above. The generated list of risks was classified into four categories: Customers and EC, Regulations and EC, Technical risks in EC and Organization and EC. At this point, I need to stress that in the initial list of risks generated by the group, a number of risks were more or less describing the same exposure. This is why, after the end of the brainstorming session, I had to remove the duplicated risks. While examining the existing literature on identified risks in the EC environment I noticed that there are a number of risks that weren’t identified by the brainstorming group. Also, there were risks identified by the brainstorming group which were not identified by any of the other sources that I used. At this point, I should stress that the risks identified by the two techniques are seen either from a wider or from a more detailed point of view. This means that some risks that the brainstorming group identified might be included in a wider risk category or analyzed into smaller fractions of risk factors, depending on the different approaches of the other researchers and the level of detail of the techniques they used. As expected, by using these two identification techniques (Brainstorming and Documented Knowledge) more risks were identified than if only one of them had been used. Following is the list of the identified risks with a description of each risk. The method that was used to identify each risk is also noted: “B” denotes Brainstorming while “DK” denotes Documented Knowledge.
Customers and EC
1. Loss of customers’ private data (B&DK). The risk of customers losing the private data that they transmit online while purchasing from an EC company should be seriously considered by businesses that use EC. The “loss” of that information is usually the result of hackers who are trying to steal and exploit those data for personal profit without the customer’s approval. This risk was also identified by Howard S. L. (2000) as ‘Data protection’ and by Pathak, J. (2004) as ‘Information at risk’.
2. Customers’ monetary loss (B&DK). While purchasing online, customers can experience monetary losses for a number of reasons (i.e. identity theft, transfer of money to fake EC businesses etc.). Customers have to interact not with a salesman but with impersonal software, which comes with a number of vulnerabilities and can be exploited. The monetary loss risk was also identified by Pavlou A. P. (2003).
3. Lack of understanding of web-page design principles (DK). The web-site of an EC company is the first interaction point between the customer and the company. If it lacks the basic principles of good design it can create a bad first impression, and thus it won’t attract customers. Addison T. (2003).
4. Failure to gain and sustain long-term brand loyalty (B&DK). In the fast-changing environment of EC, relationships with customers become more temporary. Failure to gain and sustain long-term brand loyalty endangers the company’s success. The risk was also identified by McNamee and Chan (2001).
5. Lack of customers’ trust in internet technology (B&DK). If E-businesses do not invest in promoting the use of the internet as a way of purchasing, customers’ trust in internet technology will be low, and this will reflect badly on E-businesses’ popularity and profits. Customers’ trust in internet technology was also tackled by Pavlou (2003).
6. Low quality of service (delays in delivery etc.) (B&DK). In any kind of marketplace, quality of service is a major factor of success. Especially in the EC environment, where B2C relationships are temporary and impersonal, quality of service plays a key role in creating and sustaining this relationship. Aubert et al. (1998) report this risk as ‘Vendor provides poor quality service’.
7. Misunderstanding the user/customer requirements (DK). It is more difficult, and at the same time more crucial, for e-businesses to understand users’/customers’ requirements through the impersonal B2C relationship. Addison T. (2003) identified this risk and focused on the need for e-businesses to meet not only the customers’ requirements but also those of users (who can be considered as potential customers). If those requirements are misunderstood, there is the danger that wrong objectives might be put in place by the e-businesses.
8. Failure to manage end user expectations (DK). McNamee and Chan (2001) identified this risk, pointing out the inability of e-businesses to meet users’ expectations. This new channel of transactions (EC) requires extra attention as the customer has a number of alternatives to choose from. This risk mainly illustrates the inability of the business to provide the advertised or expected service.
Regulations and EC
9. Copyright and/or trademark violation (DK). A common risk is the illegal use of trademarks by other E-businesses through the use of meta tags (indexing information placed on a Web site to make it more readily accessible by internet search engines; McNamee and Chan 2001), in order to imply affiliations that do not exist.
10. Certain products might be banned in some countries (B). Due to the nature of EC, businesses usually interact with customers from all over the world. Shipping products which are banned by local regulations might result in fines, law suits and reputation issues.
11. Incompletion of contract terms (DK). This risk was identified by Klepper and Jones (1998). The risk of incompletion of contract terms refers to any inconsistencies related to customers, vendors or employees on behalf of the e-business. Risk managers should focus on this risk because it could damage the company’s image, rendering the company untrustworthy.
Technical risks in EC
12. Hacker attacks at vulnerable areas of software to gain access to sensitive information (B&DK). Hackers are a major threat to E-businesses, as they usually take advantage of software vulnerabilities in order to steal, destroy, or manipulate sensitive data. It is a major risk that companies should closely investigate. Hackers’ attacks are a common risk that companies in the EC environment have to face. Bandyopadhyay et al. (1999) refer to this threat as ‘Hacker gaining unauthorized access’.
13. Denial of service attacks (B&DK). Apart from accessing sensitive information, hackers can cause the system to crash by attacking it with multiple requests per second, which the system cannot handle. The probability of this risk occurring is high. Even major E-businesses such as Amazon.com and eBay have suffered from such crashes many times in the past. More specifically, Bandyopadhyay et al. (1999) refer to ‘Malicious code attacks’ as a cause of system crashes. Furthermore, Nahar et al. (2000) examine the situation of systems failing due to ‘site or network overload and disruption’.
14. System failure caused by natural disaster (fire, lightning, flood etc.) (B&DK). Natural disasters are a risk that all businesses, regardless of their e-nature, have to consider, mostly while designing the physical placement of hardware equipment. However, due to the fact that EC is heavily dependent on hardware equipment, extra measures should be taken to protect the systems from failing due to natural disasters. Also identified by Bandyopadhyay et al. (1999), as ‘Natural disasters caused equipment failure’.
15. Physical attacks (terrorists, unsatisfied customers) (B). Depending on the political situation, the reputation of the company, as well as the principles and ideas that it communicates (which might be in conflict with others’ ideas), there might be high risk for certain businesses. This risk has a low probability of occurring; however, due to the international range of operations of E-businesses, in addition to the unstable political situation in certain regions, this risk shouldn’t be disregarded.
16. Disruption of system functionality due to industrial espionage (DK). Competition is not always legitimate; industrial espionage is a risk that has always existed and businesses should protect themselves from it. Martinez (1996) reports this risk from a more general point of view and refers to it as ‘Threat of sabotage in internal network’.
17. Use of outdated or inappropriate software (B&DK). The risk of using outdated or inappropriate software depends on how trustworthy and informed the software supplier is regarding current software releases. This risk should be heavily considered by E-businesses, as outdated or inappropriate software could be the reason for numerous security issues. Addison (2003) refers to this risk as ‘Applying incorrect technology’, combining the risk of using both incorrect software and hardware, which is also a crucial risk for e-businesses.
18. Inadequate backup systems (B&DK). As EC system failures result in major losses in terms of money, inadequate backup systems expose the assets of the companies (Ratnasingham, 1998). However, backup systems are considered built-in processes of the system, and the risk lies in how well those systems will react in case of emergency.
19. Inadequate testing procedures (DK). Addison T. (2003) argued that technological newness is a source of risk for businesses that use EC, because new technologies need a testing period before being implemented (by both companies and users) in order for vulnerabilities to surface.
Organization and EC
20. Non-trustworthy employees responsible for sensitive information (B). The risk of having non-trustworthy employees handling sensitive customer or organization data can influence other aspects of the business, such as reputation and security.
21. Insufficient policies on refunds, product returns (B). Lack of policies regarding refunds or product returns can heavily affect the reputation of E-businesses. Moreover, policies can protect the company from unusual demands from customers in terms of refunds.
22. Untrained-inexperienced staff (B&DK). The risk of employing untrained or inexperienced staff is caused by inadequate recruiting procedures. The EC marketplace is an environment where highly technical knowledge is needed at a number of positions, so that situations that are potentially dangerous for the system can be dealt with adequately. This risk was also identified by Addison (2003), who refers to it as ‘Lack of E-Commerce project experience’ and also as ‘Retaining skilled staff’.
23. Dependence on multiple products and suppliers (DK). Addison T. (2003). Many companies that use EC sell a large number of different products and deal with numerous different suppliers. Although this gives the companies a wider focus group, it also exposes them to a number of risks arising from the relationships with the various suppliers and the quality of a broad range of products.
24. Selling online products that need physical examination by the customer before purchase (B). Not all products can be sold online, in terms of the customer’s need to personally inspect them before purchasing. Certain products such as clothes and shoes need to be physically examined before a purchase can take place.
25. Misleading online demonstration of products (B). Using misleading images, photos, videos or descriptions of the products on sale discourages customers from purchasing or raises over-expectations, and should be avoided.
4.2 Risk measurement and prioritization
After identifying the potential risks of EC, the brainstorming group was called to measure and prioritize those risks, as well as those identified by others. This was implemented by using Cervone’s method for risk evaluation and prioritization (see Methodology). The outcome of this process is shown in Table 1.
Table 1: Risk measurement and prioritization (Overall Risk Factor = (Probability x Impact) / Discrimination)

Rank | Risk # | Risk | Probability | Impact | Discrimination | Overall Risk Factor | Risk area
1 | 13 | Denial of service attacks | 5 | 5 | 1 | 25 | Technical risks in EC
2 | 17 | Use of outdated or inappropriate software | 5 | 5 | 1 | 25 | Technical risks in EC
3 | 5 | Lack of customers' trust on internet technology | 5 | 4 | 1 | 20 | Customers and EC
4 | 12 | Hacker attacks stealing sensitive information | 5 | 4 | 1 | 20 | Technical risks in EC
5 | 24 | Selling online products that need physical examination by the customer before purchase | 5 | 4 | 1 | 20 | Organization and EC
6 | 7 | Misunderstanding the user/customer requirements | 3 | 5 | 1 | 15 | Customers and EC
7 | 8 | Failure to manage end user expectations | 3 | 5 | 1 | 15 | Customers and EC
8 | 18 | Inadequate backup systems | 3 | 5 | 1 | 15 | Technical risks in EC
9 | 19 | Inadequate testing procedures | 3 | 5 | 1 | 15 | Technical risks in EC
10 | 22 | Untrained-inexperienced staff | 3 | 5 | 1 | 15 | Organization and EC
11 | 23 | Dependence on multiple products and suppliers | 5 | 4 | 3 | 6.7 | Organization and EC
12 | 10 | Certain products might be banned in some countries | 5 | 3 | 3 | 5 | Regulations and EC
13 | 14 | System's failure caused by natural disaster | 1 | 5 | 1 | 5 | Technical risks in EC
14 | 15 | Physical attacks (terrorists, unsatisfied customers) | 1 | 5 | 1 | 5 | Technical risks in EC
15 | 25 | Misleading online demonstration of the product | 5 | 3 | 3 | 5 | Organization and EC
16 | 2 | Customers' monetary losses | 3 | 4 | 3 | 4 | Customers and EC
17 | 3 | Lack of understanding of webpage design principles | 1 | 4 | 1 | 4 | Customers and EC
18 | 6 | Low quality of service (delays on delivery etc.) | 3 | 4 | 3 | 4 | Customers and EC
19 | 11 | Incompletion of contract terms | 1 | 4 | 1 | 4 | Regulations and EC
20 | 16 | Disruption of system's functionality due to industrial espionage | 3 | 4 | 3 | 4 | Technical risks in EC
21 | 4 | Failure to gain and sustain long-term brand loyalty | 5 | 3 | 5 | 3 | Customers and EC
22 | 21 | Inadequate policies on refunds, product returns | 3 | 3 | 3 | 3 | Organization and EC
23 | 1 | Loss of customers' private data | 3 | 2 | 3 | 2 | Customers and EC
24 | 9 | Copyright and trademark violations | 5 | 2 | 5 | 2 | Regulations and EC
25 | 20 | Non trustworthy employees responsible for sensitive information | 1 | 4 | 3 | 1.3 | Organization and EC
Table 1 clearly demonstrates the 10 major risks which endanger the assets of e-businesses. Regardless of their low probability of occurrence, risks 14 and 15 should also be considered major risks because of their great potential impact. Risk managers should take them seriously into consideration and work on ways to mitigate them, because they can cause major system failures, and thus major losses that might even threaten the company’s viability. It is also evident that 5 out of those 10 major risks are related to the technical part of EC. This is an expected outcome because EC is heavily dependent on hardware and software to make transactions feasible. Also noticeable is that 3 out of the 10 major risks are related to the customer-to-business relationship (C2B), highlighting in this way another area of EC on which risk managers should focus. Finally, two risks are associated with the organization, whereas regulation risks are not considered to be critical threats to EC systems.
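As an added worked example (not code from the dissertation), the following Python script reproduces Table 1 from the scores the Brainstorming group assigned: it applies Cervone's formula F1 to each of the 25 risks, ranks them, counts how many of the ten highest-ranked risks fall in each risk area, and flags the low-probability, high-impact risks (14 and 15) that the text singles out for transfer/sharing. The `Risk` class, the function names and the tie-break rule (equal factors ordered by ascending risk number, which matches Table 1) are assumptions of this example.

```python
"""Cervone-style risk measurement and prioritization (added example).

Reproduces Table 1 from the Probability / Impact / Discrimination scores
the Brainstorming group assigned, using formula F1:
    Overall Risk Factor = (Probability x Impact) / Discrimination
Class, function and field names are assumptions of this example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    number: int          # risk number from section 4.1
    name: str
    area: str            # one of the four risk areas of the study
    probability: int     # score assigned by the group (Table 1)
    impact: int          # score assigned by the group (Table 1)
    discrimination: int  # score assigned by the group (Table 1)

    def overall_risk_factor(self) -> float:
        """Formula F1. A zero discrimination score would divide by zero."""
        if self.discrimination <= 0:
            raise ValueError("discrimination must be a positive score")
        return self.probability * self.impact / self.discrimination


C, R, T, O = ("Customers and EC", "Regulations and EC",
              "Technical risks in EC", "Organization and EC")

# The 25 risks of section 4.1 with the scores recorded in Table 1.
TABLE_1 = [
    Risk(1, "Loss of customers' private data", C, 3, 2, 3),
    Risk(2, "Customers' monetary loss", C, 3, 4, 3),
    Risk(3, "Lack of understanding of web-page design principles", C, 1, 4, 1),
    Risk(4, "Failure to gain and sustain long-term brand loyalty", C, 5, 3, 5),
    Risk(5, "Lack of customers' trust on internet technology", C, 5, 4, 1),
    Risk(6, "Low quality of service", C, 3, 4, 3),
    Risk(7, "Misunderstanding the user/customer requirements", C, 3, 5, 1),
    Risk(8, "Failure to manage end user expectations", C, 3, 5, 1),
    Risk(9, "Copyright and/or trademark violation", R, 5, 2, 5),
    Risk(10, "Certain products might be banned in some countries", R, 5, 3, 3),
    Risk(11, "Incompletion of contract terms", R, 1, 4, 1),
    Risk(12, "Hacker attacks stealing sensitive information", T, 5, 4, 1),
    Risk(13, "Denial of service attacks", T, 5, 5, 1),
    Risk(14, "System failure caused by natural disaster", T, 1, 5, 1),
    Risk(15, "Physical attacks", T, 1, 5, 1),
    Risk(16, "Disruption due to industrial espionage", T, 3, 4, 3),
    Risk(17, "Use of outdated or inappropriate software", T, 5, 5, 1),
    Risk(18, "Inadequate backup systems", T, 3, 5, 1),
    Risk(19, "Inadequate testing procedures", T, 3, 5, 1),
    Risk(20, "Non-trustworthy employees", O, 1, 4, 3),
    Risk(21, "Insufficient policies on refunds, product returns", O, 3, 3, 3),
    Risk(22, "Untrained-inexperienced staff", O, 3, 5, 1),
    Risk(23, "Dependence on multiple products and suppliers", O, 5, 4, 3),
    Risk(24, "Selling online products that need physical examination", O, 5, 4, 1),
    Risk(25, "Misleading online demonstration of products", O, 5, 3, 3),
]


def prioritize(risks):
    """Rank by descending Overall Risk Factor; equal factors are ordered by
    ascending risk number (assumed; it reproduces Table 1's order)."""
    return sorted(risks, key=lambda r: (-r.overall_risk_factor(), r.number))


def ranking(risks):
    """Risk numbers in priority order (Table 1's 'Risk #' column)."""
    return [r.number for r in prioritize(risks)]


def top_n_by_area(risks, n=10):
    """How many of the n highest-ranked risks fall in each risk area."""
    return dict(Counter(r.area for r in prioritize(risks)[:n]))


def transfer_candidates(risks, max_probability=1, min_impact=5):
    """Low-probability, high-impact risks: the ones section 4.3 suggests
    sharing with or transferring to third parties such as insurers."""
    return [r.number for r in risks
            if r.probability <= max_probability and r.impact >= min_impact]


if __name__ == "__main__":
    print(f"{'Rank':>4} {'#':>3} {'P':>2} {'I':>2} {'D':>2} {'ORF':>5}  Risk")
    for rank, r in enumerate(prioritize(TABLE_1), start=1):
        print(f"{rank:>4} {r.number:>3} {r.probability:>2} {r.impact:>2} "
              f"{r.discrimination:>2} {r.overall_risk_factor():>5.1f}  {r.name}")
    print("Top 10 by area:", top_n_by_area(TABLE_1))
    print("Transfer/share candidates:", transfer_candidates(TABLE_1))
```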
4.3 Risk management
The first 10 risks in Table 1 are those that most threaten EC businesses’ viability and should be the ones dealt with immediately by senior management. Taking that into consideration, I intend to report existing controls that e-businesses put in place in order to deal with these risks and also to propose new ones for the risks for which no controls were found. The key in risk management is to achieve a balance between risks and prevention activities. According to Viehland D. (2001), risk management also includes balancing costs versus benefits for any reduction of risk. Simply put, the cost of risk management measures to reduce the threat should not exceed the value of what is being protected.
In cases like risks 14 and 15, where there is a low probability of occurrence but impact and discrimination are high, the solution is to transfer/share those risks to/with third parties such as insurance companies. Regarding the technical part of EC, where E-businesses are mostly exposed to threats such as hackers, denial of service attacks, viruses, software vulnerabilities etc., controls should be put in place to mitigate those threats. Such controls are:
• Firewalls.
• Antivirus programs with updated virus databases.
• Trustworthy and professional software-hardware suppliers.
• Backup systems and testing procedures, which should constantly be audited to ensure proper functioning.
• Recruitment of trained and experienced staff to deal with technical issues.
Following the technical part, the customer-related risks are also
critical for E-businesses (see Table 1). This area of risk should be closely monitored in order for senior management to act properly. According to Huff et al. (2000), in order to mitigate risks such as risks 5, 7, and 8, trust between customer, business and internet technology should be achieved. They proposed a number of ways to achieve that:
• Make it easy for customers to make personal contact (e.g., use toll-free telephone numbers with minimal wait time).
• Use e-mail and the WWW to keep customers informed of their order's status.
• Use secure server technology to enhance the customer's sense of security and boost confidence.
• Belong to industry self-regulatory bodies and/or use reputable assurance services (e.g., WebTrust, eTrust).
• Provide a useful FAQ (frequently asked questions) page.
• Show physical presence. For example, Homegrocer features pictures and a short text description of each of their staff - real people = a real company.
• Publish prominently an unambiguous policy regarding information privacy.
• Use a clear, simple purchasing process that includes clear information on returned goods policies.
• Make sure there are no surprises, such as failing to mention anything about border duties or extra shipping charges.
Furthermore, in the area of customer-related risks, Pavlou P. (2003) adds that an objective of e-businesses should be to achieve a high level of ease of use of the system in order to build on the trust between customer and business. Regarding organizational risks in the EC environment, and especially risk 24 (Selling online products that need physical examination by the customer before purchase), which was ranked 5th, risk managers should carefully select the products that are to be sold online. They should acknowledge the difference between products for which a description of their characteristics posted on the web-page gives enough information to the customer and those that need personal inspection before purchase (i.e. shoes). In addition to this, organizations using EC should invest in their HR department and especially in their recruitment procedures. As mentioned, EC is an area where technical knowledge and experience are essential in order to avoid exposures of the system and to assure its proper and safe functionality. Also, the need for trustworthy employees is a standard, as e-businesses deal with sensitive customer data which would damage the business’ reputation if they were exploited. Finally, risks associated with laws and regulations are not considered to be serious threats to E-businesses. Although this is an area that constantly changes, businesses have to comply with current legislation to protect themselves and their customers. E-businesses that form contracts online need to inform users about:
• all technical steps required to conclude the contract, i.e. "click this box",
• whether the concluded contract will be filed by the company and whether it will be accessible,
• the languages offered for the conclusion of the contract,
• any relevant codes of conduct to which you subscribe, and information on how these can be consulted electronically (Business Link 2007).
5. CONCLUSION
As a result of combining two techniques, Documented Knowledge and Brainstorming, the outcome of the risk identification, measurement and prioritization was more accurate and complete than if I had used only one of those techniques. However, Documented Knowledge contributed more than Brainstorming to meeting the objectives of this study. The risks identified refer to the “e” aspect of EC, thereby excluding risks associated with businesses in general. I divided the areas of potential risk into: Customer and EC, Regulations and EC, Technical risks in EC, and Organization and EC. Using the two techniques mentioned, I was able to identify 25 risks related to EC. According to the results, 8 risks were related to the technical part of EC, 8 to the customer and EC area, 6 to the organization and EC, and only 3 risks originated from laws and regulations in the EC environment.

The identified risks were then measured by the Brainstorming group using parameters such as the probability of the risk occurring, the impact on the business’ assets and discrimination, based on Cervone’s cubic structure, which is similar to Traeger’s (2005). Following that, I prioritized the measured risks in terms of severity and, therefore, overall potential impact on the project. The outcome of this process is shown in Table 1.

E-commerce is risk-based due to the technologies involved (Sutton and Hampton, 2003), which may expose a business’s data and systems to unknown outsiders. According to the results, 50% of the 10 most critical risks of EC are related to its technical part, such as software/hardware security. Taking this into consideration, the Technical area of EC can be characterized as the major source of critical risks. Management should closely monitor this area in order to put in place the proper controls that will help protect the company’s systems and consequently its assets.

The next risk area that needs extra caution is customer-related risk in EC. Risks originating from the customer account for 30% of the major EC risks. This suggests that customers’ behavior and expectations are a significant source of risk for e-businesses. Of course, this is true for all kinds of businesses. However, in the EC environment, due to the impersonal and temporary B2C relationship, it is even more difficult to understand and predict customer trends and behaviors, and thus more difficult to mitigate those risks. Investing in gaining customers’ trust should be the key objective of EC businesses.

Risks originating from the organization account for 20% of the major EC risks. More specifically, the kind of products sold online and the risk of recruiting untrained or inexperienced staff endanger e-businesses in the form of reduced profits, bad customer service, damaged reputation, and inability to deal with critical situations such as system failures. Investing in the HR department can mitigate risks that originate from the organization’s employees. In addition, the marketing department should thoroughly consider the limitations of products that need physical examination by the customer before sale.

Finally, the results of the prioritization showed that risks drawn from the area of laws and regulations are not considered critical for e-businesses. Although regulations in the EC environment are constantly changing, causing confusion in e-businesses’ legal departments, risks related to this area do not usually impact companies’ assets or the completion of objectives. This is mainly because procedures related to laws and regulations are built into the structure of organizations and generally do not need extra controls or actions. For example, the risk of contracts not being completed on behalf of the company should not be considered a real possibility.

In order to generate a more complete list of risks, a combination of more identification techniques should follow this study. In addition, the results of the measurement process would be more accurate if quantitative instead of qualitative techniques could be used to evaluate the identified risks. Taking into account that new risks arise constantly due to the fast-changing environment of EC, risk assessment should be a continuous process in all e-businesses. Thus, further research on effective risk management should be conducted in this relatively new market, in order for companies to protect themselves from exposures that threaten their assets.
REFERENCES
Acquisition Community Connection (ACC) (2007) ‘Risk Identification Techniques’, Defence Acquisition University (DAU). Available at: https://acc.dau.mil/CommunityBrowser.aspx?id=19181
Addison, T. (2003) ‘E-commerce project development risks: evidence from a Delphi survey’, International Journal of Information Management, Vol. 23, pp. 25–40.
Ahmed, A., Amornsawadwatana, S. & Kayis, B. (2007) ‘A review of techniques for risk management in projects’, Benchmarking: An International Journal, Vol. 14, No. 1, pp. 22–36.
Aubert, B. A., Patry, M. & Rivard, S. (1998) ‘Assessing the risk of IT outsourcing’, Proceedings of the 31st Hawaii International Conference on System Sciences, Vol. 6, pp. 685–692.
Bandyopadhyay, K., Mykytyn, P. P. & Mykytyn, K. (1999) ‘A framework for integrated risk management in information technology’, Management Decision, Vol. 37, No. 5, pp. 437–444.
Bartleby.com (2003) ‘The American Heritage Dictionary of the English Language’, Houghton Mifflin Company. Available at: http://www.bartleby.com/61/
Business Link (2007) ‘Managing Risk in E-Commerce’. Available at: http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1075386080&r.s=sl
Cervone, H. F. (2006) ‘Managing Digital Libraries: The View From 30,000 Feet-Project Risk Management’, OCLC Systems & Services: International digital library perspectives, Vol. 22, No. 4, pp. 256–262.
Cooley, E. R. (2006) ‘Fundamentals’, Lecture notes, [ONLINE] Available at: www.cs.kent.ac.uk/teaching/this_year/modules/CO/6/39/rec/lec/l2_fundamentals.ppt
COSO (2006) Internal Control Integrated Framework Executive Summary. Available at: http://www.coso.org/publications/executive_summary_integrated_framework.htm
Gamble, R. (2000) ‘Special report E-Commerce’s Hidden Secret: Trading and Procurement may become more efficient but Payment and Settlement Issues Abound’, Treasury & Risk Management, [ONLINE] Available at: www.treasuryandrisk.com
Greene, M. R. & Trieschmann, J. S. (1984) Risk and Insurance, South-Western Publishing Co., Cincinnati, OH.
Grzebiela, T. (2002) ‘Insurability of electronic commerce risks’, Proceedings of the 35th Hawaii International Conference on System Sciences 2002, pp. 2393–2401.
Howard, S. L. (2000) ‘Risk Management/Employee Benefits: E-commerce Risks Loom For Risk Mgrs’, Property & Casualty/Risk & Benefits Management, National Underwriter, 21 Feb., p. 9.
Huff, S., Wade, M., Parent, M., Schneberger, S. & Newson, P. (2000) ‘Critical Success Factors for Electronic Commerce’, Cases in Electronic Commerce, Irwin McGraw-Hill, pp. 450–461.
Kendrick, T. (2003) Identifying and Managing Project Risk, American Management Association, New York, NY.
Klepper, R. & Jones, W. O. (1998) Outsourcing Information Technology, Systems and Services, Prentice Hall PTR, Upper Saddle River, NJ.
Lansdowne, Z. F. (1999) ‘Risk matrix: an approach for prioritizing risks and tracking risk mitigation progress’, Proceedings of the 30th Annual Project Management Institute, October 1999, Philadelphia, PA.
Leyshon, A., French, S., Thrift, N., Crewe, L. & Webb, P. (2005) ‘Accounting for E-Commerce: abstractions, Virtualism and the cultural circuit of capital’, Economy and Society, Vol. 34, No. 3.
Lichtenstein, S. (1996) ‘Factors in the selection of a risk assessment method’, Information Management & Computer Security, Vol. 4, pp. 20–25.
Main, B. W. (2004) Risk Assessment: Basics and Benchmarks, Design Safety Engineering Inc., Ann Arbor, MI.
Martinez, A. (1996) ‘What risk managers should know about the Internet’, Risk Management, Vol. 43, No. 11, pp. 43–46.
McDaniel, M. (2000) ‘Covering the risks of E-Commerce’, American Agent & Broker, Vol. 72, No. 7, pp. 20–30.
McEachern, C. (2001) ‘Don’t panic, Financial services firms seem to have cyber risk under control’, Wall Street & Technology, Vol. 19, No. 4, pp. 38–39.
McNamee, D. & Chan, S. (2001) ‘Risk watch: Understanding E-Commerce Risk’, Internal Auditor, April 2001, p. 60.
McNamee, D. & Selim, G. (1998) Risk Management: Changing the Internal Auditor’s Paradigm, The Institute of Internal Auditors Research Foundation, USA.
McNamee, D. (1996) Assessing Risk, The Institute of Internal Auditors, Altamonte Springs, FL.
Nahar, N., Huda, N. & Tepandi, J. (2000) ‘Global electronic commerce process: business to business’, Business Information Technology Management: Alternative and Adaptive Futures, Macmillan Press, Basingstoke.
Oxford English Dictionary (2007) Available at: http://www.oed.com/
Pathak, J. (2004) ‘A conceptual risk framework for internal auditing in e-commerce’, Managerial Auditing Journal, Vol. 19, No. 4, pp. 556–564.
Pavlou, A. P. (2003) ‘Consumer Acceptance of Electronic Commerce: Integrating Trust and Risk with the Technology Acceptance Model’, International Journal of Electronic Commerce, Spring 2003, Vol. 7, No. 3, pp. 101–134.
Ratnasingham, P. (1998) ‘EDI security: the influences of trust on EDI risks’, Computers and Security, Vol. 17, pp. 313–324.
Royer, S. P. (2000) ‘Risk Management: The Undiscovered Dimension of Project Management’, Project Management Journal, Vol. 31, No. 1, pp. 6–13.
Sawyer, B. L., Dittenhofer, A. M. & Scheiner, H. J. (2003) Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing, The Institute of Internal Auditors, USA.
Society for Risk Analysis (2007) ‘Risk Analysis Glossary: P – R’. Available at: http://www.sra.org/resources_glossary_p-r.php