Turnbull report – Making e-commerce less risky.

An organisation’s ability to exploit and control market globalisation is inexorably linked to its implementation of e-commerce strategies, but this increasing reliance on technology, combined with regulatory pressure and a shortage of skills, has created a multitude of risks, which will only increase with the growth of e-commerce. These could have significant impacts on businesses, such as extreme financial loss, commercial embarrassment or regulatory implications.

One serious danger with these new risks is that boards may not make a connection with the Turnbull governance on risk control when implementing e-commerce, particularly where e-commerce has been implemented and controls need to be applied retrospectively. Consequently, the board’s level of understanding of the risks and the ability to manage them may not be commensurate with the perceived opportunities, significantly increasing the likelihood of their being unable to positively demonstrate the ability to manage risks. This will make it difficult to direct the business, damaging the confidence of clients, regulators and staff, as well as significantly impairing their ability to develop and sell new business.

The Turnbull Report is the latest corporate guidance for internal control published by the Institute of Chartered Accountants. It places particular emphasis on the discipline of risk management: “A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which (a company) is exposed. Since profits are the reward for successful risk taking in business, the purpose of the internal control is to help manage and control risk appropriately rather than to eliminate it.” “This (guidance) should be incorporated by the company within its normal management and governance processes.
It should not be treated as a separate exercise undertaken to meet regulatory requirements.”

All organisations should review their approach to e-commerce from the Turnbull perspective, because it may reveal symptoms that show they are not managing their risks effectively. The following are the symptoms that they should watch for:

– the understanding of risk and the level of sophistication towards analysing and managing risk varies across the organisation, and the understanding of risk is localised;
– decisions are not based upon a systematic and effective understanding of risk;
– responsibility for critical areas is often given to external organisations with little control over risk, or without an assessment of how the external service provider will manage risk;
– strategic initiatives and projects often set over-ambitious schedules, or fail to meet their objectives and targets;
– there are marked differences between IT service provision and users’ requirements;
– the connection between overall business and IT strategy, and the operational and developmental activities of the organisation, is often not demonstrable.

To manage risk effectively in e-commerce, or when, more generally, attempting to conform to the requirements of the Turnbull report, organisations need:

– a clear understanding and definition of risk across the organisation, which is clearly communicated and understood;
– an organisational structure conducive to the management and communication of risk;
– a consistent and systematic approach to managing risk;
– an understanding of the overall risk faced by the organisation across the numerous areas of risk that it faces;
– allocation of sufficient time and resources to internal control and risk management;
– appropriate delegation of authority, with accountability and regard to acceptable risk;
– timely identification of key business, operational and financial risks facing the company, including the likelihood of the risks materialising and the potential impact on the business;
– risk management through the supply chain, reflected in contracts with suppliers;
– use of historical information to improve assessment and management of risk;
– commitment to skills and training, ensuring all staff understand and can manage risk;
– assessment of staff and external suppliers on their ability to manage risk effectively.

Perhaps the most salient question articulated in the Turnbull report, which should focus the board when considering e-commerce strategies, involves “explaining how the company has maintained a sound system of internal control and, in reporting to shareholders, it has reviewed the effectiveness of the system.” The report adds: “The board should, as a minimum, disclose where applicable that there is an ongoing process for identifying, evaluating and managing the company’s key risks that is regularly reviewed by the board and accords with this guidance.”

Kelvin Lack is a partner at Insight Consulting. He has managed business and project risk, and has also written and lectured extensively on the subject.
