Only a few years ago, the Internet was a relatively new phenomenon. E-mail and interactive websites offered the prospect of a radical shift from traditional business models to transactions almost exclusively conducted electronically.
To a great extent, this prospect has arrived. Wherever possible, organisations are seizing the opportunity to: market themselves through websites as opposed to conventional brochures; employ e-mail as a core business communication tool instead of traditional post; and supply goods and services electronically without the need for the physical presence of the consumer. The development and rapid expansion of businesses using the Amazon (www.amazon.com) model is testimony to the rapid and all-pervasive development of Internet technologies in the modern marketplace.
IT of any description is now critical for the survival of almost every organisation. Without IT, few business or professional concerns could hope to survive, let alone prosper, in the modern marketplace.
IT is an essential tool for every organisation. Without IT, their administrative systems would be inadequate; business communications would be wholly impractical; marketing strategies would be slow and cumbersome; mobile business communications would be virtually ineffective in terms of time and convenience; and general business activities would not be viable.
All organisations now compete in a global market in which communication is instantaneous and competition for business is fierce. IT enables organisations to act with speed and agility. The different applications of IT enable them to engage in business activities that might otherwise be wholly impractical.
IT enables small organisations to compete with larger ones by addressing the needs of their customers proactively, efficiently, quickly and cost-effectively in a way that could not possibly be achieved otherwise.
The power and capacity of IT enables organisations to service volume markets or niche markets equally competitively. In other words, properly introduced, deployed and employed, IT enables organisations to compete in almost any market. The idea of an organisation expecting to conduct business competently and profitably without adequate IT support in the modern global marketplace is unthinkable.
Internet technologies dramatically increase the importance of IT to every business and professional concern. Whereas traditional IT, such as accounting, may generally be regarded as ‘back-office’ systems, Internet technologies emerge as an offshoot of traditional IT and spawn an entirely new concept of IT systems.
Internet technologies are now dominant technologies, to the extent that any reference to IT automatically implies the inclusion of Internet technologies. What are Internet technologies? The categories of this model of IT are expanding rapidly. In the very early days, Internet technologies were limited to e-mail and the World Wide Web. Now, there is a proliferation of Web-based IT to the extent that almost all IT is Web based. Early developments included intranets and extranets, followed by Web-based telephony, known as Voice over IP (VoIP).
From these seemingly basic technologies, Web 2.0 has arisen. ‘Web 1.0’ technologies were largely passive technologies. For instance, websites providing brochure-type information and offering only limited opportunities for interactivity were typical of Web 1.0 technologies. They were technologies to which users responded rather than technologies which required user participation.
Web 2.0 technologies are quite the reverse. Models of Web 2.0 technologies, such as Facebook, MySpace and Twitter, together with the rapid increase in blogging (the practice of posting weblogs), are essentially proactive Internet technologies. Here, participants exchange thoughts, ideas and personal details through electronic postings in as much or as little detail as they fancy.
With constructive content, weblogs can build into a significant body of knowledge. It is not unknown for organisations to encourage the posting of informative and relevant weblog content in order to generate interest in a website.
It might be argued that Wikipedia is a typical example of Web 2.0 technology. In this model, users post relevant and constructive information on a particular topic, citing authorities for propositions which become an authoritative body of knowledge and an information resource.
Web 2.0 users regard Internet technologies routinely as an interactive information and communications resource in which any number of participants might be involved. These technologies are not limited to what are widely regarded as ‘social’ networks. Professional networks, such as LinkedIn, operate for professionals to exchange opinions and network electronically to develop their business contacts and learn new ideas in their business activities.
The development of traditional IT systems and networks into a proliferation of Internet technologies, which together comprise a substantial knowledge resource, enables instant worldwide communication between any number of participants, either generally or between members of professional interest groups. This means that Internet technologies have become business tools equally as important as the traditional IT from which they were created. Some of the principal business-value features are considered below.
Initially, the importance of Internet technologies lay in their suitability as a marketing tool. E-mail marketing strategies enable the circulation of marketing information to a mass market of consumers in a way that is quite impossible by traditional mail.
Whenever information is required about goods and services supplied by organisations, a consumer’s first reaction is to visit an organisation’s website. Here there is an excellent opportunity for an organisation not only to market itself but, at the same time, to secure a purchase.
A further advantage is that the Internet enables marketing strategies undertaken through websites to be conducted globally at any time of the day or night – a strategy which is impossible in traditional marketing models.
Marketing through brochure websites has developed into interactive participation by prospective customers, who are often invited to take part in surveys and competitions and provide their views on the products and services on offer.
An extension of website marketing is the webinar – the Web version of a seminar – where prospective customers visit an organisation’s website to listen, pose questions and provide feedback to an organisation offering educational information on the value and importance of its goods and services.
Sometimes as part of a marketing strategy, but not always, organisations offer professional and trade information and guidance as part of their service to their customers. The idea behind this is not necessarily philanthropic.
The purpose of the strategy is to draw in new and existing customers through the provision of useful, relevant and timely information upon which the customer becomes increasingly reliant.
As a result, the customer relies on the organisation’s site as a valuable resource and repeatedly returns to it for information and advice. This is a strategy commonly used by professional organisations supplying services to the business community.
A few years ago, electronic commerce was in a comparatively embryonic state. While electronic transactions and online businesses were emerging, generally, there was a significant element of mistrust. This arose largely from:
• the absence of the consumer from the conducting of the transaction;
• the perception of transmitting a remittance online without fully understanding how the transaction was being handled;
• general concerns over the security of the whole process.
Now, however, there is an abundance of confidence and a comparatively relaxed approach by consumers and organisations alike to transacting online. Consumers routinely make holiday reservations, bank online and make significant purchases, to name but a few transactions which are conducted online from start to finish. Beyond this, consumers now place far more trust in the information that is available online. Comparison sites of all descriptions are springing up and claim to offer interested consumers significant benefits in using their sites to shop around for bargains, particularly in the field of insurance quotations.
Most organisations recognise the importance of developing e-commerce strategies. For the organisation, benefits arise from the speed and relative simplicity of electronic transactions. For the consumer, the undoubted convenience of online transacting, for instance for the weekly supermarket shop, has now become a key factor in the increasing popularity of electronic transacting.
Internet technologies are now so popular that many organisations have adopted business strategies and models that are firmly embedded in, and rely entirely upon, the proper functioning of Internet technologies.
One of the earliest examples is LastMinute.com, which was formed in the early years of the ‘dotcom’ boom. The model of the business is based on consumers’ need for last-minute solutions, for instance the need to find a gift at short notice. By logging on to the LastMinute.com website, the consumer can identify a suitable gift, pay online and have the gift delivered online almost immediately.
This type of strategy is not confined to commerce and industry. The professions also recognise the advantages of online strategies. The legal sector, in particular, has adopted online strategies in the conveyancing process.
Many law firms offer clients the opportunity to log on to a secure area of the firm’s website and track the progress of their cases. As long ago as the late 1990s, solicitor Neil Davidson developed the concept of the ‘virtual office’, which provided law firms with a networked connection to a central office repository for the conducting of mainly IT and back-office functions.
The business strategy of almost every organisation is bound to take account of the influence of Internet technologies because their impact is all-pervasive. More important is the fact that Internet technologies can offer significant customer benefits in terms of a more cost-effective and faster service.
The ability of Internet technologies to offer lines of electronic communication has made possible the emergence of online strategic alliances.
Again, the legal sector has developed a number of initiatives in this area. Law firms form online strategic links with estate agents and lenders in which the firm’s website becomes a repository of information about the progress of a (conveyancing) transaction and enables interested parties to log on and establish the position.
In this connection, the Land Registry has developed a prototype system of electronic conveyancing. The focal point is an electronic grid which enables parties to the transaction to log on and identify the current stage of the transaction – and, incidentally, where responsibility lies for the causes of any delay!
The real impact of Internet technology is probably only just beginning. As it is, the effects have already been radical enough. Competently deployed and suitably applied, Internet technologies are able to reduce costs, increase speed and efficiency and provide a global reach.
They offer opportunities to develop novel business models and propositions because of the very nature of the technologies themselves. Examples include:
• e-mail enabling communications to be sent round the world in seconds;
• websites offering marketing and transactional opportunities worldwide;
• intranets enabling any organisation to develop, record and archive its knowledge base into a formidable repository of intellectual property;
• extranets enabling organisations to forge online links and alliances with strategic allies such as introducers and referrers, as well as providing customers with access to secure areas for the monitoring and performance of their transactions;
• Internet technologies enabling economies of scale to be achieved because they can be deployed for the volume provision of goods and services;
• Internet technologies being programmed for use in the service of specialist and niche markets and personalised services, where the technology is developed to very close specifications;
• Web 2.0 technologies offering the opportunity for a broad exchange of concepts, strategies and business development opportunities based on the facilities for information sharing that they offer.
Each of these illustrations supports the prospect of a continuing and radical change in business models throughout both commerce and the professions.
Released at the Infosecurity Europe Conference and Exhibition in April 2010, the Information Security Breaches Survey 2010, published by PricewaterhouseCoopers, revealed some concerning statistics regarding corporate information security. Some of the findings recorded:
• the cost of a breach is between £27,500 and £690,000;
• the highest number of security breaches recorded to date;
• a threefold increase in malicious attacks compared with the previous year.
Although the use of Internet technologies has developed at a rapid pace and penetrated all areas of commerce, industry and the professions – as well as government agencies and academic institutions – in fact every area of modern life, their deployment presents significant risks with potentially catastrophic implications arising from any mismanagement. In order to understand what these risks are and how they can be managed, it is necessary to appreciate why they arise.
Risks arising from the use of Internet technologies develop principally from the fact that they are disruptive technologies. The full implications of their use are not always properly understood until problems arise – in other words, when risks, which have not been assessed and managed, become crises. In their present state of development, it is fair to say that, to some extent, Internet technologies are anarchic in nature.
Internet technologies introduce new ways of conducting business and promulgating information. In almost every area of life, Internet technologies can alter traditional processes and introduce new models. For instance:
• Internet technologies are not confined within any recognisable structure or framework.
• The speed of communication and dissemination of information changes consumer and supplier relationships and gives power to the customer, whose expectations are raised.
• Internet technologies recognise no boundaries and are essentially global in nature.
• Internet technologies have the capability of replacing intermediate services; for instance, insurance cover can be arranged directly through an insurer’s website without the need for brokerages – similarly, brokerages are threatened by the emergence of comparison websites.
Effectively, what emerges is the appearance of a new engine in an old model. In the traditional model, managing consumer expectations is more straightforward. However, the speed and efficiency of Internet technologies empowers the consumer and places the onus on the supplier to respond effectively in order to retain market share.
Key features of the differences between the traditional and Internet models include the following.
• In the traditional model, change tends to be gradual and structured; in the Internet model, change tends to be sudden, unstructured and with wide-ranging effects.
• The traditional model, on the whole, is not subject to global scrutiny; the Internet model exposes every organisation to global vulnerabilities with the potential for far-reaching consequences.
• In the traditional model, strategic alliances are formed relatively close at hand with familiar organisations and agencies; in the Internet model, strategic alliances may be formed globally without any real knowledge of the partners concerned.
• In the traditional model, skills and competence are generally acquired through the development of long-term know-how; in the Internet model, technical skills are developed and acquired rapidly, and, furthermore, they are frequently skills not recognised in the traditional model.
• In the traditional model, statutory, regulatory, codified and compliance provisions are easily identified and their application is relatively straightforward; in the Internet model, the application of similar provisions is far more challenging because Internet technologies are able to transcend boundaries.
Internet technologies, therefore, introduce fundamental changes which are quite unfamiliar in the traditional business model. Globalisation, together with the absence of a recognisable legal and compliance framework and the speed, flexibility and agility of Internet technologies provide an unprecedented change in the manner in which commercial and professional services are delivered.
Internet technologies demand transparency, openness and trust between customers, organisations, suppliers, strategic allies, introducers, stakeholders and shareholders, because Internet technologies are, by their nature, transparent. Internet technologies introduce novel concepts for providing goods and services which are not recognised in the traditional business model. Internet risk arises from these new concepts.
The principal risks arising from Internet technologies can be conveniently divided into three categories: technology risk; legal and compliance risk; and operational risk.
Technology risk
This category of risk has its origins in the technology employed in the fabric of the Internet. The most obvious example is the proliferation of computer viruses and their capacity to embarrass organisations, affect system performance and occasionally lead to system failure. This risk is most obviously managed by the deployment of up-to-date anti-virus software.
Another technology risk area is the communication of sensitive and confidential information by unencrypted e-mail. Here, an organisation may need to equip itself with adequate encryption facilities and educate personnel on their use and application.
Legal and compliance risk
This category of risk arises from failure to comply with statutory and regulatory provisions that govern the use of Internet technologies. In some ways, this is the most problematic category of risk to manage adequately.
The disruptive and radical changes that Internet technologies bring to commerce, industry and the professions were considered earlier. A key issue is that most statutory and regulatory provisions are enacted for what might be termed terrestrial concerns. They are not always easy, or practical, to apply to the ethereal and global nature of the Internet. An example of this is Cloud Computing, which is considered later.
In simple terms, most legal and compliance risks will be addressed by observance of the statutory or regulatory provisions governing the circumstances. However, in some cases, such as the application of relevant law and jurisdiction in global disputes, these provisions can be extremely complex and very difficult to apply.
Operational risk
This category of risk arises from business and professional strategies and practices that an organisation adopts in providing goods and services, the manner in which the organisation manages its employees, and the policies and procedures implemented to govern the organisation’s relationship with its customers.
In practical terms, management of operational risk is addressed by the introduction of policies and protocols that govern employee conduct in using Internet technologies. Examples include policies for: the use of e-mail; the use of the World Wide Web; the management of the organisation’s website; and data protection compliance.
Each of these risk areas exists for every organisation employing Internet technologies and each raises important considerations for all organisations. In order to address these risks, organisations need to assess the level of expertise at their disposal. If there are insufficient skills and competence available, the recruitment of suitable personnel may be necessary. Proper control of each of these risk areas raises significant management implications for any organisation.
These categories are not mutually exclusive and in many respects they overlap. For instance, managing information security issues might involve each of the three categories. There might be a technological solution (the introduction of a security solution), a legal compliance solution (compliance with data protection provisions), and an operational solution (training employees in the proper handling of data through appropriate acceptable use policies). A similar example of overlap might include the downloading of unacceptable material from the Internet.
It is important that the three categories are not considered in isolation and that the identification of Internet risk is mapped across all categories in order to obtain a complete management solution.
What are the implications of failing to take adequate measures to address the risks that arise from use of Internet technologies? Every organisation is different and risks affect organisations in different ways. Some of the most significant implications are listed below.
The speed, cost-effectiveness and efficiency with which Internet technologies enable organisations to provide goods and services offer the opportunity for organisations to enhance their reputation significantly in a competitive marketplace.
However, in a marketing environment where excellence of performance is a key factor, any incident which damages this will have a significantly adverse effect on an organisation. In the Internet environment, reputation is hard won, but easily lost. System down time, service interruption caused by a virus, racial or sexual innuendo in an e-mail, or inaccurate or misleading information posted on a website can damage the reputation of any organisation in an instant.
In certain situations, organisations that mismanage Internet risk can find themselves subject to civil or criminal proceedings. Examples include the following:
• infringement of certain provisions of the Data Protection Act 1998 (DPA) can result in criminal proceedings which can carry heavy fines; a number of law firms have been fined for having failed to register with (notify) the Information Commissioner’s Office (ICO);
• posting sexually or racially discriminatory material on a website or inclusion of such material in an e-mail may lead to prosecution under equality legislation;
• publishing obscene material in an e-mail is a criminal offence under the Obscene Publications Act 1959 (OPA);
• monitoring employees’ use of e-mail and accessing the World Wide Web may result in proceedings if the provisions which govern this are not strictly observed.
In civil proceedings, damages or an injunction may be ordered for:
• misleading material posted on a website on which a visitor to the site relied to his or her detriment;
• the posting of libellous statements on a website without lawful excuse or justification;
• the loss of confidential and sensitive data as a result of system failure;
• the posting of copyright material on a website without permission of the copyright holder;
• erroneously entering into online contracts which are not then fulfilled.
There are numerous circumstances in which an organisation can be exposed to proceedings for infringement of legal and compliance responsibilities or failure to take adequate precautions in employing Internet technologies.
Failure to manage systems and processes introduced by Internet technologies can irreparably damage consumer relationships.
A website that posts outdated and inaccurate information is a major disincentive to any potential customer visiting the site with the intention of making a transaction. It is a clear indication that an organisation lacks interest in, and respect for, actual and potential customers.
Frequent system down time resulting in delayed provision of goods and services, or frequent interruptions to online services will soon affect an organisation’s customer relationships. In the context of finding new suppliers or sources of information, the Internet breeds a promiscuous and unforgiving consumer who rarely offers an organisation another chance.
The cumulative effect of these implications is a serious impact on an organisation’s business strategy. Reputations carefully and painstakingly established over a long period of time are suddenly lost and may never be restored. Criminal proceedings attract unwanted publicity and damage an organisation’s competitive reputation in the marketplace at a stroke.
As a result, an organisation may have to cease trading temporarily and even reconstitute its business plan. A number of organisations have recently been fined several hundred thousand pounds for data protection breaches.
Any organisation that fails to take account of the risks inherent in Internet technologies, and then fails to adopt an adequate risk management strategy for their avoidance or containment, puts at risk nothing less than its very existence.
If there is one strategy for addressing, and ultimately controlling, the anarchic features of Internet technologies, it is the application of sound governance principles.
Governance principles enable an organisation to manage the tools of its trade (for instance, IT and Internet technologies), its business activities and its personnel in such a way as to:
• provide value and return on investment for shareholders and other stakeholders;
• realise the objectives in its strategic business plan.
In respect of Internet risk, there are three categories of governance to be addressed: corporate governance, IT governance and project governance.
Corporate governance principles emanate from the Board of Directors or Partners and should be applied throughout all levels of management of the organisation.
In essence, corporate governance is a business strategy based upon transparent decision making; the establishment of lines of accountability and responsibility; securing shareholder and stakeholder value; and the adoption of sound risk management strategies, including information security.
Corporate governance is a culture created by the Board and Partners to be reflected throughout the organisation.
The unpredictable, rapid and occasionally haphazard emergence of solutions based on the application of Internet technologies calls for specific governance principles to be applied for the management of IT strategies.
IT governance is a subset of corporate governance. IT strategies need direction and management in exactly the same way as the overall strategic business plans of an organisation.
IT governance is essentially a framework within which IT is designed, deployed and managed in such a way as to ensure that its employment and application remain aligned to the organisation’s business objectives.
This principle applies to all IT infrastructures, platforms and applications, whose management and administration should also embrace the principles of corporate governance as IT governance principles are introduced.
The implementation of IT governance principles is supported by various tools and methodologies. The most notable is the international standard, BS ISO/IEC 38500:2008, which is a standard developed for directors and senior managers for the corporate governance of information technology. It provides organisations with a framework of principles for the achievement of the effective use of IT and provides a model for the Board’s involvement in IT projects.
In accordance with true governance principles, the standard addresses the interests of stakeholders and provides guidance on the evaluation of corporate governance of IT.
Project governance may be regarded as a subset of corporate governance, sitting alongside IT governance. Most business activities surrounding IT are, in effect, projects.
Project governance is a set of principles that addresses the development, management and conclusion of projects. The key constituents of project governance principles comprise clear leadership and commitment at the highest (board) levels; the procurement of adequate resources; suitable lines of accountability and responsibility; the adoption of appropriate project management and implementation methodologies; and relevant risk management strategies.
Few organisations confine themselves to only one IT project. In theory, the use, encryption, management, storage and archiving of e-mail are all sub-projects of the single project of e-mail management.
The development, maintenance and supervision of an organisation’s website are three sub-projects of a single project – the organisation’s web strategy.
Outsourcing some or all of an organisation’s IT function is a third project that calls for the application of governance principles.
It is important to understand that all IT functions are, whether large or small, IT projects to which project governance principles must be applied. Many organisations will have numerous IT projects. These can result in a confused execution of an IT strategy. Projects may overlap or be mismanaged, or fail to provide a return on investment. As a result, ultimately, the organisation’s project strategy loses direction and consequently fails.
For this reason, project governance principles embrace the creation of a framework for the management of multiple projects – programme portfolio management (PPM).
Organisations use PPM methodology to identify and define the scope of each project within a specific portfolio and continually assess it against the general corporate governance principles of risk management, stakeholder value, correct lines of accountability and responsibility, transparency of decision making, and continual alignment with the organisation’s expressed business strategy and objectives.
Risk assessment and management are key components of corporate, IT and project governance principles. The application of governance principles is designed to ensure the welfare of shareholders and stakeholders, achievement of the organisation’s goals and objectives, and a return on investment.
None of these objectives is achievable in the absence of a comprehensive and properly executed risk management strategy. For this reason, risk assessment and management are core requirements in the application of corporate governance principles.
Risks abound in every Internet technology project and arise at strategic IT, legal and regulatory compliance, and operational levels. Effective application of corporate, IT and project governance principles enables these risks to be confronted and managed systematically.
Strategic risks arise, for instance, from the management of a website which offers advice and guidance to visitors. Care must be taken to ensure the advice is correct and timely and regard must be paid to the fact that the website is globally accessible and that advice may not be universally appropriate.
Legal and compliance risks arise most obviously from failure to comply with the DPA, for instance failing to ensure the safety and security of confidential data.
Operational risks arise, for instance, where employees may post defamatory or otherwise unsuitable comments on one of the many social websites, or indulge in online gambling, or contribute to newsgroups without permission or authority.
Risk identification, assessment and management are the responsibility of the Board and Partners. The establishment of a risk management framework is a function to be performed at board and partnership level.
Each organisation is different but such a wide variety of risks arise from Internet technologies that a dedicated risk manager is almost certain to be required. In larger organisations, a risk management team may be required comprising, or having access to, specialists in IT, legal and compliance, and personnel management. The risk management team should be led by, and accountable to, the risk manager, who in turn should be directly responsible either to the Board or to a senior manager who is accountable to the Board on recognised line management principles.
Corporate, IT and project governance principles are designed to ensure that an organisation performs cohesively and collectively towards the achievement of its strategic goals and objectives.
But why is the application of these principles so important? What do the principles bring to the ‘corporate table’? Governance principles are highly desirable, but why are they needed? There are a number of factors which, taken together, make a compelling case for the adoption of governance principles.
The application of governance principles ensures the organisation, through its board or partners, is able to maintain a close control over its strategies, functions and performance standards. In turn, this leads to a greater assurance that its goals and objectives are achievable in the long run.
A board or partnership that espouses governance principles is able to exercise direction over the control that the governance principles offer. In the case of IT strategies and IT projects in particular, all too frequently, over time, an organisation’s IT strategy becomes misaligned with its objectives and fails to provide anticipated returns on investment. Rigorous direction enforced in accordance with governance principles minimises this risk.
Corporate governance principles and their implementation are the responsibility of the Board and Partners. It is they who set the culture and establish the management framework within which the organisation implements strategy and achieves defined strategic objectives.
The assumption of control, direction and leadership by the Board and Partners, underpinned by transparent decision making, encourages a culture of accountability and responsibility throughout the organisation, which can be observed and implemented by personnel at all levels.
Organisations whose functions are properly controlled and directed under robust leadership supported by their personnel are more attuned to the need to attain and maintain acceptable standards of performance, arising from mutual respect between board and partners, management and subordinate staff.
Clear leadership and direction supported by transparent decision making help all levels of personnel to:
• understand fully the organisation’s strategy and the goals it is intended to achieve;
• appreciate their roles and responsibilities;
• understand the need for teamwork and a collective approach to achieving the organisation’s objectives.
The wide range of risks to which Internet technologies can give rise requires a collective approach towards, and a firm understanding of, methods of their management – both essential components of managing Internet technology risk.