E-Technology and Electronic Enablement Risk
Electronically enabled business risk management defines organizational strategies encompassing all reasonable efforts to preserve the integrity of information assets and corporate tangible and intangible assets. The emergence of the internet as a critical business tool has created a host of new exposures for companies establishing a presence on the web, as well as for those providing the products and services needed to operate on the internet. If the organization has a website, intranet or extranet, accepts credit card details online or even simply sends email to customers, then the business is potentially wide open to a number of legal and financial risks.
As the complexity and breadth of business alliances increase, and the reliance on cross-organizational supply chains increases, overall risk management needs to address these trends. Because outsourcing is also on the rise, so is vulnerability to corporate asset theft.
Any damage or security breaches to networked connections have ramifications for financial loss throughout the supply chain.
Computers streamline internal and external communication, track information, and help companies retain their competitive edge. Electronic enablement trends are towards real-time enterprises with automated information flow and greater transparency throughout the extended enterprise. Such technology also raises significant legal issues in the workplace that every company must face – some old risks in new forms, some entirely new risks that are now emerging, such as:
• Electronic security issues of identification, authorization and authentication
• Infrastructure that is vulnerable to unsophisticated attacks, particularly interconnected infrastructure such as telecommunications and power generation and distribution, where a prolonged outage has ripple effects through the economy
• Careless employee email messages that result in multi-million-dollar liability when produced in the discovery stage of litigation
• Offensive jokes on the company email system that may trigger employer liability and adverse publicity
• Postings in chat rooms about the company that within a matter of hours could drastically reduce the company’s share value or jeopardize a public offering
• A fired employee using the company email system to distribute confidential salary information to all remaining employees.
E-Business risks are not all physical and neither are the solutions. Protecting the company against the financial risks of copyright infringement, credit card fraud and transmission of computer viruses can be difficult if not impossible to achieve in a physical sense. Companies can help manage these risks by establishing effective policies and procedures such as:
• Electronic communications policies
• Electronic record keeping policies
• Confidential information policies and security procedures
• Intranet policies and oversight of intranet content to ensure no harassment/discrimination/hostile work environment risk
• Electronic monitoring guidelines
• Employee departure procedures to minimize risk to IT systems
• Procedures to bullet-proof the company’s confidential information from electronic security breaches
• Insurance policies against credit card fraud and internet liabilities associated with ownership of a website and the day-to-day use of email by employees and others. This should include indemnity for legal liability arising from claims for infringement of copyright, defamation, unauthorized use of trade names or logos, and the unintentional transmission of a computer virus.
All businesses require a life cycle approach to risk management. This approach considers that a business, particularly one that is undergoing electronic enablement, is in a constant state of development, reengineering and refinement. As a company’s electronic development evolves from concept to initial development, production and ongoing maintenance, enterprise-wide risk management solutions need to apply accordingly at each stage.
The integrated process addresses the evolution of critical electronic business elements including: evolving business goals, corporate structure changes, rapidly changing technologies, changes in outsourcing relationships, physical location changes and expansion, and changing international considerations.
Disaster Management Planning
Part of a good overall risk management strategy is the development of disaster management and business continuity plans. These are particularly pertinent in a business world in which both natural (e.g. floods and fire) and human disasters (e.g. terrorism) occur regularly around the world – see Byte Idea this chapter on ESRI.
Immediately after a major disaster, there is the possibility of loss of life resulting in the afflicted company being deprived of key strategy and direction management at a critical juncture. In addition to loss of life, loss of data and infrastructure may occur. This latter issue has serious implications for financial loss, loss of customer confidence, loss of trust and for the disruption of the operations of business partners. Thus, every company must, when considering disaster management strategies, also consider the impact of strategic business allies being afflicted by a disaster.
The shocking events of 11 September 2001, when the World Trade Center in New York City was destroyed by terrorist attacks, caused a significant toll on human life and disrupted communications and business operations.
Apart from the difficult task of ensuring their employees were safe or being helped, companies also had to ensure the continuity and viability of their businesses. In the aftermath of the disaster, it was obvious that companies with a disaster management strategy that included having a good business continuity plan (BCP) in place were relatively less damaged in terms of business discontinuity than those without. The following section deals with developing business continuity plans, which comprise the essential ingredients of a disaster management plan.
The Business Continuity Plan (BCP)
A business continuity plan (BCP) defines what needs to be done and the resources required to run operations in the event of an interrupting incident or disaster. Its purpose is to minimize the impact of financial and human loss and provide an acceptable level of business capability to its customers, business partners, investors and suppliers until normal business operations resume. Having a BCP ensures an organized and orderly response in the event of a major incident or disaster, and enables management to provide direction and advice to affected business departments or units. A BCP comprises three major components: risk assessment, contingency planning (the process of creating, testing and maintaining a plan to recover from any form of disaster) and disaster recovery (the purpose of a disaster recovery plan (DRP) is to recover mission-critical technology and applications at an alternative site).
A DRP is a critical part of the BCP process and should be prepared to address each level of risk.