e-Commerce: Managing the Risks

Business Risk and e-Commerce

E-commerce of one sort or another has been with us for well over a decade in the form of electronic funds transfer and electronic data interchange. However, what has changed in the last few years is the tight integration of the supply and payment chains by e-links to the extent where loss of one link may affect the whole chain. Business concatenation is like fast dense traffic on a motorway: when accidents happen, reaction time is near zero; the resulting accident engulfs many; and the innocent may be those harmed most.

E-commerce is more than the Internet – but the Internet highlights some of the key challenges and risks. Businesses are leaping into e-commerce and many of them are ill prepared to handle the downside. Some have barely considered the dangers and look only for the crock of gold under the e-rainbow.

The pitfalls are many:

• The business is often not designed or organised to support the speed of change e-business creates.
• There is heavy dependency on third parties. The business cannot control the means of accessing it and any access failure is likely to be attributed to the business. The same may apply to service delivery, especially if the service is provision of information. How do you protect a delivery channel over which you have little or no control?
• Failure may come from trying to adapt, link with or integrate existing systems that are not sufficiently responsive or flexible.
• Time dimensions have collapsed. In the e-game one has little time to deal with the strategic, one can only identify risk. The priority is to protect the "now". It is a real time market driven environment.
• e-trading creates time zone issues – every e-business is expected to be open 24 hour / 365 days a year. Support needs to match the opening hours.
• Internet and Intranets give power to accumulate information (in terms of industrial espionage, they provide the capability to accumulate little bits of information to provide a competitor with the big picture).
• Traditional ways of limiting risk and demand (e.g. market segmentation) may not work: wide deployment means that demand can be instantaneous, overwhelming and devastating.
• E-commerce provides unparalleled speed and scale of publishing information –globally, simultaneously – for good and ill. If things go wrong, it is transparent to the world.
• Traditional businesses are not isolated from e-commerce risks - they are developing e-commerce businesses whose failure can damage the traditional company and, indeed, its industry.
• Established businesses face increased competition, since e-presence can put a small business in the same league as a big business.
• There is a significant risk of hypertextuality (masquerading) and illicit use of meta-tags by competitors to direct your prospects to their sites.
• The supplier cannot completely control the people accessing it: in terms of volume, duration, frequency – and good- or ill-will.
• New businesses are being designed specifically for e-commerce - failure of access could cause bankruptcy.
• While there is governance on dot.com start-ups, their managers are often young and inexperienced in business.
• Target groups may not be known or may be difficult to contact in a crisis.
• Customers have become promiscuous: they have zero tolerance and customer defection is only one mouse click away. This may aggravate customer churn: customers have one-click patience and no loyalty. To retain customers, response and availability are key (although the customer may have a preference and may try you first next time).
• Early warnings and second chances can be elusive: success or failure can be almost instant.
• The implications of the UK RIP Act harmonised with the Human Rights Act, contains rules on email and phone interception: the legal issues for ISPs are unclear.

When things go wrong, the go wrong quickly and expensively. E-commerce applications have something in common with Call Centre operations – except that, with e-commerce, any problem is public. Table 1 indicates potential losses from downtime of on-line applications.

Table 1: Cost of Downtime

Source: Contingency Planning Research & Dataquest

When Charles Schwab, the internet broking company, suffered outages of four or more hours in February to April 1999, one source put their losses at $30m and subsequent spend on creating a more resilient infrastructure at $70m. Charles Schwab also took a share value hit when a professor posted an adverse note on a bulletin board.

E*Trade’s downtime incidents of over 5 hours during February to March 1999 are said to have cost the company $3m – but caused the share price to drop 22%.

How IT Projects are Changing

A friend in a leading financial institution told me that, one Friday, he had seen a news item on television announcing that his company was launching a new financial e-service in eight days time. That was the first he had heard of it and he had to implement it. Not surprisingly, the new service was flawed and was quickly withdrawn, to adverse publicity. The old adage "you can have it right, you can have it cheap, or you can have it now" applies.

The driving force behind this apparently suicidal approach is simply that each company feels it has to beat the competition to the draw: speed to market is placed above caution and safety. The traditional way of introducing a new project is abandoned: no detailed feasibility study, requirements specification, analysis, development, testing ….. it all takes too long in the e-world. Applications are frequently therefore developed "shooting from the hip" often with scant regard to security, resilience, robustness, quality assurance, quality control and continuity capability. It is hoped that these can be added later – but all too frequently this proves expensive, difficult or impossible.

The current challenge is that, too often:

• The existing IT systems and infrastructure may not support the new requirement.

• Business Units change requirements rapidly and expect IT to respond "on the fly".

• Information required to respond effectively is not easily identified ahead of time.
• Business Units lack awareness of dependability and continuity issues.
• The resulting application, if successful, will become embedded in and vital to the business.

Pressure is on developers to provide an effective response and flexibility in the face of the intense time pressure, frequently unidentified hazards and uncertainty.

The successful IT projects therefore will find a way to observe the traditional disciplines in a streamlined way and to think about these key issues at project inception. They will develop a toolkit of standards and controls that ensure security and dependable operation of the production application.

Risk Management Principles: Working with e-Commerce Projects

A risk management approach is crucial to success in e-business. The need is for proactive risk mitigation both in development and in operations. Step one is to assess and reduce the risk to an acceptable minimum using the formula:

Residual risk =Likelihood x Impact

controls

Step two establishes the impact of service loss, over time, to identify the Maximum Acceptable Outage (MAO). This process will justify the investment in resilience and diversity. Redundancy needs to be built into web and application servers – all servers should need to be hit before a site is "off the air". The need is for resilience and redundancy in a web site just as it is in a "normal" telecommunications infrastructure.

The basic BC principles apply:

• Identify resources and recovery strategies
• Ensure the resources are available and recovery strategies are tested

Maybe there are lessons we learn from dealing operations (which has been effectively e-commerce for years). There, the margins for error are clearly defined. This does not usually apply to e-commerce and maybe it should.

The Balance Between Speed and Risk: Solutions

The first principle is that business controls still apply: the EDIFACT framework provides an overall protection.

One organisation helps to redress the balance between speed to market and safety by including a security specialist in the development team.

Another approach was outlined by Brian Mackay of CheckFree Corporation at the recent UK Survive conference for business continuity professionals. The e-commerce developments are placed within the context of a Business Continuity Methodology using Risk Analysis and Business Impact Analysis to create Risk Profiles.

The Risk Profiles describe the current risk status in a non-judgemental fashion and identify critical components that can effect availability. These Risk Profiles are then used to develop a Tier Rating for the infrastructure component .

The Tier structure comprises:

• Tier 1 – Continuous Availability (Full recovery in less than 5 hours. This implies redundancy / diversity and a tested business continuity plan is mandatory).
• Tier 2 – High Availability (Can sustain a limited outage of up to 24 hours. This implies appropriate redundancy / diversity and a tested business continuity plan is mandatory).
• Tier 3 – Standard Availability (Can sustain limited outage of up to 48 hours. This implies appropriate redundancy / diversity and development and testing of a business continuity plan is encouraged).
• Tier 4 – Delayed Availability (Can sustain an outage longer than 48 hours. A business continuity plan is not a requirement).

This approach may be adapted to suit most organisations: the implication is that a new project would be placed into one of the four Tiers and afforded appropriate resilience.

Over the last five years, forward-looking enterprises have matured from IT disaster recovery to the protection of the whole business. E-Commerce companies are likely to find out what telcos have been discovering for some years: when technology is the business, you cannot recover the business without recovering the infrastructure. Where the infrastructure relies on interdependent critical components, the only real way to protect it is in replication, redundancy, diversity and resilience. The main emphasis needs to be on dependability and continuity rather than on recovery.

Technology is bringing some solutions. Devices like UDMA (Ultra Direct Memory Access) fault-tolerant RAID arrays will help. UTF (Unicode Transformation Format) developments promise more consistent and reliable e-mail transfer. Many mail gateways and systems cannot handle the entire US-ASCII character set (those based on EBCDIC, for example), and so UTF-7 contains provisions for encoding characters within US-ASCII in a way that all mail systems can accommodate. Other new technology may bring both benefits and new challenges: Ericsson has transformed its Bluetooth® wireless know-how into consumer products, chipsets, modules and development tools. Bluetooth® Intellectual Property is now being licensed and will revolutionise the way people and their digital devices communicate and interconnect – in the office, in the home and on the move. The new generation of Internet-enabled TVs will hugely expand the pool of potential e-customers, offering alternate connectivity.

However, recovery capability is the long-stop, either in-house or from commercial business continuity service vendor. Part of the overall risk management approach may also involve disaster recovery contracts for quick re-supply of equipment and a standby site (hot site) with equipment pre-installed standby equipment and services.

Recovery companies are going to change to respond in minutes, not hours, which suggests that they have to change their business model. There may be legal implications also. Recovery services are going to have to become data management companies as part of their customer companies’ network

Perhaps a different style of management is needed to run e-commerce. Reacting to threats as they arise is a continuum of incident management. This may be new to some industries but is normal in transport industry and on the trading floor.

Some organisations have set up an Event Management & Response Team. The message is that response has to be quicker:

• Organisations need to be more pre-emptive with media management.
• "Pull the blinds" to limit public view of problems.
• Innovation and creativity is needed to regroup. This attitude is likely to be inherent in successful e-commerce companies.
• A standard pre-planned approach may not be suitable: any plan may need to be tailored at the time of the event.
• Communication is vital – internally, with customers / stakeholders, the media and financial analysts.
• Early warning systems help - identify key risk indicators.

If possible, e-commerce players should ensure that an alternative source for satisfying customer demand is available (e.g. a Call Centre). In fact, e-commerce has strong parallels with the Call Centre.

An immediate response is essential: create a holding pattern and then fix the problem. The good e-commerce businesses search the media for e-commerce incidents every morning and apply those scenarios to their own business. They do scenario planning every day. Where things can – or do - go wrong response is like a military operation. Potential and actual incidents and responses are constantly re-appraised.

It is not just hype, e-commerce really does have unlimited potential. The successful e-players will be those enterprises that manage its risks and take its security, reliability and recovery seriously. Those that do not are likely to fall at the first obstacle.

©and credit to: Andrew Hiles, 2000

Founder and former Chairman Survive and Director, Kingswell, consultants in enterprise risk management and business continuity. Andrew can be contacted through info@kingswell.net

Tel: +44 (0)1865 822010 Fax: +44 (0)1865 822011