E-Com Risk Basics
A personal perspective*
by Al R. Vilcius

This discussion focuses on risk in electronic commerce, understood here in the broad sense - i.e. not just internet trade, or even just electronic cash for that matter.  It deals with the business of "moving the bits", as outlined in "The Intelligent Society" , facilitated by the corporate and personal use of smart cards.

Business activity necessarily gives rise to risk due to uncertainty: no one can predict exactly what will happen in the "real world" (even when that "real" is "virtual"), or guarantee outcomes with reasonable certainty. In fact:

are synonymous terms at a "primitive" (ie. undefined) level that generally apply to the financial states of a business enterprise.

Financial businesses characteristically have three main sources of risk, understood as possible causes for losses or under-performance:

Leaving legal and regulatory issues aside for this discussion, prudential management at an economic level requires that  capital should be attributed to each of these three main sources of risk. Credit and market risks are generally dealt with in the domains of Corporate (or personal) Finance and Investment banking: it is of course lending activity that gives rise to credit risk and market price variation that generates market risk.  While these traditional banking business activities certainly have to contend with operational risk also, the relatively new and emerging business of electronic commerce has some different characteristics.  In particular, smart card based products such as  pre-paid electronic cash can be managed so that they contain operational risk only.

The fact that risk requires capital for a business is what drives the need for quantification of risk in economic terms.  Quantification of credit and market risks are reasonably well understood, while putting a number on operational risk with any degree of accuracy has been rather illusive.  This is primarily because there are no scientifically based theoretical foundations for operational risk comparable to those established for credit and market disciplines.  The approaches used for operation risk quantification have generally been "soft" in the sense of relying on subjective assessments rather than "hard" analytics.  This seems to be due to the large number of human factors involved that defy characterization with any amount of precision.  Nevertheless, the approach using simulation modeling together with monte carlo analysis of the distribution of possible outcomes appears promising.

Capital for a (regulated) financial business typically comes in three flavors:

    1. actual - reported on the balance sheet
    2. regulatory - constraint to doing business
    3. economic - basis for business decisions
A deep discussion of the subtleties of these different types of financial measures would take this discussion too far astray. Nevertheless, here is a quick review:
  1. All businesses, including those entities participating in electronic commerce (but excluding various government entities), and in particular the entities that create (or manufacture) electronic value of any sort, need to have some positive net worth in order to be deemed solvent from an accounting and legal standpoint.
  2. Regulations set minimum amounts of actual capital that a financial business must maintain; it is reported periodically on an accounting and "formula" basis, and compliance is a condition to continue operating.  Under current BIS guidelines (given a favourable interpretation that electronic value is not a deposit instrument), the regulatory capital required is nil, thereby it does not represent an immediate constraint on electronic commerce. The caveat is that BIS is developing further capital requirements for operational risk as well which may change this argument.
  3. For prudential reasons, independent of accounting or regulatory formulas, management must make the hardest assessment of business risk on strictly economic terms. This gives the direction for resource allocation and volume decisions; this basis is economic capital, which may also be added to the list of synonyms for risk given above.
For electronic commerce, the business can be positioned and managed in such a way that only capital for operational risk needs to be considered:
not yet
Ops risk is usually defined for a financial business as all risk that is not credit or market. As such, ops risk has many and varied sources: financial leverage, plus "oops" sources for which there is at least one per control and procedure in the business, plus the vagaries of the market place itself in terms of acceptance and usage factors. This sort of contra-positive definition makes for an unwieldy grab-bag of un-quantifiable items, and therefore we need to focus.

In addition to financial leverage (which needs to be part of any business case to set volume targets anyway), there are lots of "oops" ways for a business to loose money or to under-perform:

However, for entities involved in the creation of electronic value, there is only one direct financial loss: Hence counterfeit is the focus for the quantifiable financial risk assessment for such entities, and is stated in terms of economic capital.

It is business activity that generates the potential for gains and/or losses, and generally gains/losses are directly proportional to the amount of activity.

Electronic commerce business activity could be measured by:

    1. number of participants at five levels:
        1. consumers
        2. merchants
        3. members
        4. territories
        5. franchises
    2. composition of portfolios (for diversification) in each of the five levels above as determined by:
        1. industry/socio-economic group
        2. location, physical or virtual
        3. size, in financial terms
    3. amounts of value permitted to reside on and to flow through each smart card, and between such cards i.e..  structures of flow and limit relationships
    4. timing, speed, and patterns of value flows (value circles, leading to a topology for the smart card "space")
    5. amount of value remaining on cards as:
        1. float in circulation
        2. transition
        3. escheat
        4. inventory (distributors of value)
        5. latent (creators of value)
    6. number of devices (or slots) capable of interacting with a smart card.
    7. issued and redeemed amounts of electronic value, at any time, by issuing and acquiring entity. i.e.. net float composition and decomposition.
    8. total value of goods and services traded using electronic value in comparison to totals for cash, credit, debit, and the whole economy.

The primary financial risk management objective is to preserve float value.

Counterfeit loss cannot be seen from the accounting of float funds alone - additional information is required.

This additional information needs to be extracted from the measures of  business activity listed above, plus other environmental factors that relate to the general economy such as money supply, money laundering activity indicators, country risk, etc.

Nevertheless, financial risk must always come down to a measure of variance, and this variance is quantified in terms of economic capital.

For example: Giving away money has no risk because there is no variance - the outcome is deterministic, but making a loan does involve risk - the outcome is stochastic. While risk is based on an analysis of variance, pricing is based on the mean or expectations. It is through this distribution of outcomes that risk and pricing are inextricably linked in what is often called the "principle of differentiated capital".

Economic capital must therefore be a key input to business decisions because it measures the amount of resource allocation required in comparison to other opportunities.

The key management decision is to choose a level of risk appetite - only management can set the boundaries for the business within which it must operate.

This gives rise to the critical resource allocation decision based on risk/reward because economic capital is a scarce resource for every financial business.

Business decisions are then based on a comparison of returns which are a ratio of profit to risk.

For example: a low profit/low risk business may compare favorably to a medium profit/high risk business, depending on the risk appetite decisions made by management. The profit part of the ratio is based on the business approach while the denominator is the risk management piece, based on the choices made to generate revenues, and thereby must be regarded as an integral part of doing the business.

The quantification then becomes an iterative process to ensure that product and volume characteristics give rise to economic risk that does not exceed risk appetite.

A starting point for any electronic commerce business would be to estimate float through volumes and averages, set a reasonable detection point (value and time) based on the investment the business is willing to make (in prevention, detection, and response), together with an upgrade process that is suitable and consistent with respect to growth.

This sets a base level of "normality" against which variation can be measured and "abnormalities" can be identified.

Refinements are achieved through modeling which takes into account additional factors that measure business activity, and the sensitivity of these factors.

This process ultimately leads to simulation and a measure of the variance of simulated outcomes which represent possible future states of reality under a variety of conditions and scenarios that represent the sources of uncertainty.

A more detailed discussion of simulation modeling with monte carlo analysis will be given elsewhere.

*General Disclaimer: The views expressed herein are strictly personal and do not necessarily reflect those of any group, organization, or business entity;
Copyright © 1998 by Al R. Vilcius, Toronto, Canada

Please send e-mail to:   AL.R@VILCIUS.com

  BACK to SymDR home page