E-Com Risk Basics
A personal perspective*
by Al R. Vilcius
This discussion focuses on risk in electronic
commerce, understood here in the broad sense - i.e. not just internet trade,
or even just electronic cash for that matter. It deals with the business
of "moving the bits", as outlined in "The
Intelligent Society", facilitated by
the corporate and personal use of smart cards.
Business activity necessarily gives rise
to risk due to uncertainty: no one can predict exactly what will happen
in the "real world" (even when that "real" is "virtual"), or guarantee
outcomes with reasonable certainty. In fact:
are synonymous terms at a "primitive" (i.e.
undefined) level that generally apply to the financial states of a business
Financial businesses characteristically
have three main sources of risk, understood as possible causes for losses
Leaving legal and regulatory issues aside
for this discussion, prudential management at an economic level requires
that capital should be attributed to each of these three main
sources of risk.
Credit and market risks are generally dealt
with in the domains of Corporate (or personal) Finance and Investment banking:
it is of course lending activity that gives rise to credit risk and market
price variation that generates market risk. While these traditional
banking business activities certainly have to contend with operational
risk also, the relatively new and emerging business of electronic commerce
has some different characteristics. In particular, smart card based
products such as pre-paid electronic cash can be managed so that
they contain operational risk only.
capital is the basic support or foundation
for a financial business (or any business for that matter); it provides
funds to keep the business alive (i.e. solvent) in the event of unfavorable
variances in its rights and obligations to profitable cash flows, present
The fact that risk requires capital for
a business is what drives the need for quantification of risk in economic
terms. Quantification of credit and market risks is reasonably well
understood, while putting a number on operational risk with any degree
of accuracy has been rather elusive. This is primarily because there
are no scientifically based theoretical foundations for operational risk
comparable to those established for credit and market disciplines.
The approaches used for operational risk quantification have generally been
"soft" in the sense of relying on subjective assessments rather than "hard"
analytics. This seems to be due to the large number of human factors
involved that defy characterization with any amount of precision.
Nevertheless, the approach using simulation modeling together with Monte
Carlo analysis of the distribution of possible outcomes appears promising.
Capital for a (regulated) financial business
typically comes in three flavors:
A deep discussion of the subtleties of these
different types of financial measures would take this discussion too far
astray. Nevertheless, here is a quick review:
actual - reported on the balance sheet
regulatory - constraint to doing business
economic - basis for business decisions
For electronic commerce, the business can
be positioned and managed in such a way that only capital for operational
risk needs to be considered:
All businesses, including those entities participating
in electronic commerce (but excluding various government entities), and
in particular the entities that create (or manufacture) electronic value
of any sort, need to have some positive net worth in order to be deemed
solvent from an accounting and legal standpoint.
Regulations set minimum amounts of actual
capital that a financial business must maintain; it is reported periodically
on an accounting and "formula" basis, and compliance is a condition to
continue operating. Under current BIS guidelines (given a favourable
interpretation that electronic value is not a deposit instrument), the
regulatory capital required is nil, so it does not represent an immediate
constraint on electronic commerce. The caveat is that BIS is developing
further capital requirements for operational risk as well which may change
For prudential reasons, independent of accounting
or regulatory formulas, management must make the hardest assessment of
business risk on strictly economic terms. This gives the direction for
resource allocation and volume decisions; this basis is economic capital,
which may also be added to the list of synonyms for risk given above.
Ops risk is usually defined for a financial
business as all risk that is not credit or market. As such, ops risk has
many and varied sources: financial leverage, plus "oops" sources for which
there is at least one per control and procedure in the business, plus the
vagaries of the market place itself in terms of acceptance and usage factors.
This sort of contra-positive definition makes for an unwieldy grab-bag
of un-quantifiable items, and therefore we need to focus.
In addition to financial leverage (which
needs to be part of any business case to set volume targets anyway), there
are lots of "oops" ways for a business to lose money or to under-perform:
However, for entities involved in the creation
of electronic value, there is only one direct financial loss:
customer dissatisfaction based on transaction
mishandling, accessibility, system failures, etc.
brand or reputation damage
Hence counterfeit is the focus for the quantifiable
financial risk assessment for such entities, and is stated in terms of
counterfeit electronic value redeemed against
It is business activity that generates
the potential for gains and/or losses, and generally gains/losses are directly
proportional to the amount of activity.
Electronic commerce business activity could
be measured by:
number of participants at five levels:
composition of portfolios (for diversification)
in each of the five levels above as determined by:
location, physical or virtual
size, in financial terms
amounts of value permitted to reside on
and to flow through each smart card, and between such cards, i.e.
structures of flow and limit relationships
timing, speed, and patterns of value flows
(value circles, leading to a topology for the smart card "space")
amount of value remaining on cards as:
float in circulation
inventory (distributors of value)
latent (creators of value)
number of devices (or slots) capable of interacting
with a smart card.
issued and redeemed amounts of electronic
value, at any time, by issuing and acquiring entity, i.e. net float composition
total value of goods and services traded using
electronic value in comparison to totals for cash, credit, debit, and the
The primary financial risk management objective
is to preserve float value.
There are of course other important risk
management objectives that relate to preservation of the value of the investment
in the business and to market development for profit potential. However,
these are currently outside the scope of this discussion, which focuses
on quantifiable aspects of risk.
Counterfeit loss cannot be seen from the
accounting of float funds alone - additional information is required.
This additional information needs to be
extracted from the measures of business activity listed above, plus
other environmental factors that relate to the general economy such as
money supply, money laundering activity indicators, country risk, etc.
Nevertheless, financial risk must always
come down to a measure of variance, and this variance is quantified in
terms of economic capital.
For example: Giving away money has no
risk because there is no variance
- the outcome is deterministic,
but making a loan does involve risk
- the outcome is stochastic.
While risk is based on an analysis of variance,
pricing is based on the mean or expectations. It is through this distribution
of outcomes that risk and pricing are inextricably linked in what is often
called the "principle of differentiated capital".
Economic capital must therefore be a key
input to business decisions because it measures the amount of resource
allocation required in comparison to other opportunities.
The key management decision is to choose
a level of risk appetite - only management can set the boundaries for the
business within which it must operate.
This gives rise to the critical resource
allocation decision based on risk/reward because economic capital is a
scarce resource for every financial business.
Business decisions are then based on a
comparison of returns which are a ratio of profit to risk.
For example: a low profit/low risk business
may compare favorably to a medium profit/high risk business, depending
on the risk appetite decisions made by management.
The profit part of the ratio is based on the
business approach while the denominator is the risk management piece, based
on the choices made to generate revenues, and thereby must be regarded
as an integral part of doing the business.
The quantification then becomes an iterative
process to ensure that product and volume characteristics give rise to
economic risk that does not exceed risk appetite.
A starting point for any electronic commerce
business would be to estimate float through volumes and averages, set a
reasonable detection point (value and time) based on the investment the
business is willing to make (in prevention, detection, and response), together
with an upgrade process that is suitable and consistent with respect to
This sets a base level of "normality" against
which variation can be measured and "abnormalities" can be identified.
Refinements are achieved through modeling
which takes into account additional factors that measure business activity,
and the sensitivity of these factors.
This process ultimately leads to simulation
and a measure of the variance of simulated outcomes which represent possible
future states of reality under a variety of conditions and scenarios that
represent the sources of uncertainty.
A more detailed discussion of simulation
modeling with Monte Carlo analysis will be given elsewhere.
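The starting-point procedure described above (estimate float, set a detection point in value and time, then measure the spread of simulated outcomes) can be sketched as follows. This is an added example, not the author's model: the incident probability, the lognormal daily redemption amount, the 99.9% confidence level, the definition of economic capital as tail loss minus mean loss, and all sample figures are assumptions chosen for illustration.

```python
import math
import random
from statistics import fmean


def simulate_counterfeit_loss(float_value, detect_value, detect_days,
                              attempts=20, p_incident=0.05,
                              mu=math.log(2_000.0), sigma=1.0,
                              confidence=0.999, trials=20_000, seed=1998):
    """Monte Carlo estimate of counterfeit loss against float for one period.

    Assumed model (not from the essay): each of `attempts` potential schemes
    succeeds with probability p_incident and redeems a lognormal daily amount
    until the detection point (a value cap or a time limit) stops it.
    Returns (expected_loss, tail_loss, economic_capital).
    """
    rng = random.Random(seed)          # fixed seed: runs are reproducible
    losses = []
    for _ in range(trials):
        total = 0.0
        for _ in range(attempts):
            if rng.random() < p_incident:
                daily = rng.lognormvariate(mu, sigma)
                # Loss runs until whichever detection limit is hit first.
                total += min(daily * detect_days, detect_value)
        losses.append(min(total, float_value))   # cannot lose more than float
    losses.sort()
    expected = fmean(losses)                      # mean -> pricing
    tail = losses[min(trials - 1, int(confidence * trials))]
    return expected, tail, tail - expected        # spread -> economic capital


if __name__ == "__main__":
    FLOAT = 5_000_000.0  # constructed sample float, in currency units
    for label, value, days in (("loose", 250_000.0, 14), ("tight", 25_000.0, 3)):
        exp, tail, cap = simulate_counterfeit_loss(FLOAT, value, days)
        print(f"{label}: expected={exp:,.0f} tail={tail:,.0f} capital={cap:,.0f}")
```

Setting `sigma=0.0` and `p_incident=1.0` makes every trial identical, which reproduces the essay's point that a deterministic outcome carries no variance and therefore needs no economic capital.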
The views expressed herein are strictly personal and do not necessarily
reflect those of any group, organization, or business entity.
Copyright © 1998 by Al R.
Vilcius, Toronto, Canada
Please send e-mail to: AL.R@VILCIUS.com