The behaviour of Nasdaq and UK technology stocks demonstrates the riskiness of current e-enterprise. Just because an organisation seems a good investment today doesn't mean it will be tomorrow. Even the larger dotcoms are subject to massive risks, opportunities and exposures.

It's not surprising that many conventional businesses are reacting slowly to the e-commerce challenge. It's difficult to win a race when no-one is completely sure of the direction to be taken or the final destination.

Ideal electronic business is lean, cuts out middle-men, sells to the end customer, bids for work on the internet, solicits and responds to worldwide orders, and poaches customers or buys out traditional established business.

The reward mechanism, structure and philosophy of many organisations encourage short-term results at the expense of long-term gains. However, structured risk management and transparent corporate governance can help mitigate this, as values for managing current opportunities, impacts and consequences can be balanced. An example of this is the formal introduction of current and future risk values into managers' packages.

Many organisations believe the internet and associated e-business product offerings are vital to their success – that a decision not to participate is to lose market share and eventually die. They mitigate personal and corporate exposure by bringing in external consultancy. Some commission risk management reviews from specialists; others try to manage the reviews in-house, drawing from many different disciplines – lawyers, information security, hardware and software specialists, internet, physical security and risk management experts.

Net allies
New internet organisations are being formed through alliances, such as those between AOL and Time Warner, AOL and Deutsche Bank, Compaq and CMGI, Lycos and Basis, and Netscape and Bay Networks. The benefits are obvious – more market penetration, lower development and delivery costs, and the strategic advantage of allowing each organisation to concentrate on what it believes are its strengths.

Yet not all alliances or partnership ventures work. Sometimes they are formed out of a sense of panic – neither side really understands what is required of it and many of the risks are subtle.

The e-commerce boom has also generated many companies with little substance supporting them – not necessarily a bad thing, as they could be the lean, mean service provider we all want, but what happens if things go wrong?

This situation has spawned the term “bricks and mortar companies” – organisations that actually have a physical presence, rather than being run from a techno-freak's back room.

Enterprise-wise, due diligence is vital. E-risk managers should be wary of the potential partner who can't meet them at their premises or introduce them to their facilities provider. There may be nothing wrong with a partner who is buying processing time from another company, but it's important to know how robust such important suppliers are.

Once a partner has been found that can provide the right level of service, tying the knot can be a challenge. Signing contracts and entering into service level agreements is a traditional method but, for smaller companies, it may be worth considering alternatives, such as an equity stake in the business. And getting a representative of the initiating company on the partner's board may be the best way to understand ongoing business trends and risks.

E-commerce may bring about a need to completely review the issue of contingency and disaster recovery, and associated risk management activities. If a business has moved from providing a 9-to-5 service in one country to a 24-7 service in several countries, it may be necessary to reconsider the contingency facilities for the IT, and even the business, processes.

If processing facilities are provided by a third party, this is an additional consideration for due diligence work. Disaster recovery facilities should be governed by the length of time an organisation can survive without an application before the situation becomes critical. If it's not possible to survive for more than a few minutes or hours without an application, then it is vital to have alternative facilities that can be switched in within that time frame.

There are also issues associated with the scalability of the equipment and software being used. The processing of business transactions for e-commerce may not be terribly sophisticated but the volume may quickly develop into something the organisation isn't used to seeing. It's important to understand the IT facilities being used, in terms of hardware and software. It may be possible to increase transaction processing volumes through the introduction of additional hardware but, for some poorly designed software, it may not be feasible to improve the transaction volumes, no matter how much is spent on hardware.

In circumstances where there's a need to move quickly to get a product or service out to the market place, it may not be desirable to develop an “end-to-end” processing solution within the initiating organisation. There is a risk associated with outsourcing any facility, but in many respects this is not new.

Two sides of the coin
Outsourcing and internet alliances are not universal panaceas. Even if service management, IT or portal provision is outsourced, the organisation is still exposed to a high level of reputation risk. Existing business relationships may metamorphose or fail altogether over time, and quality management and consistency checking become ever more important to ensure that the risks of e-business are controlled.

The scale and diversity of risks, exposures and opportunities in e-risk management is far greater than what has been discussed here. The evolution of e-commerce requires the application of every aspect of risk management.

On one side of the coin is a massive opportunity: the potential for new markets, more clients and highly automated, high-volume services. On the flip side is the possibility of increased risks of fault, fraud and crime, or a large capital investment in a service that may become out of date through unforeseen developments or irrelevant because the right questions weren't asked at the start.

All of these can be mitigated through the implementation of an informed, resilient corporate governance, risk and opportunity management structure.

  • Carole Edrich is from KAI Corporation (Risk).