e-Commerce, embedding the risk

Risk management, compliance and governance within e-commerce and treasury

In our first article on our e-Commerce initiative, we concluded that in many organizations the fast growth of e-Commerce activities has led to an increased need for integration with the existing treasury framework. In this article we focus on how to organize your risk management around e-Commerce within the Treasury organization.

As described in our previous article, the e-commerce flows, often disconnected from the treasury framework, bring a new and larger group of risks to the company due to the nature and volume of these activities. One of the functions of the treasury framework is to monitor and mitigate the financial risks that are created in the course of business. From this perspective it is time to align the new activities with the existing framework.

e-Commerce risks

Within the corporate risk matrix, we find various fields of risk touched upon by e-commerce, such as:

  1. Financial risks
    Here we look, for example, at fraudulent payments: either a non-receipt of funds against goods already delivered, or identity theft resulting in a payment from a non-ordering individual that subsequently has to be refunded. One could mitigate this risk by making a well-balanced decision on the payment instrument mix per portfolio, combined with very strict monitoring of the buyer’s identity and behavior.
    Another example is found in the area of FX risk when dealing with multiple currencies in combination with different settlement cycles. The latter also touches directly on the (non-)availability of liquidity, which in combination with payment terms could turn into credit and counterparty risk. All of this requires alignment with the overall (financial) risk policy of the company.
  2. Non-financial risks (business or operational risks)
    The non-financial risk lies in how well we know our selected client base and how we do business with it, in line with the overall mission, drivers and vision of the company. By performing the correct due diligence on the counterparty (Know Your Customer – KYC) we avoid doing business with non-compliant parties. Beyond the company’s own counterparty appetite, the company also needs to ensure that it complies with the applicable regulations, sanctions screening and embargoes against countries, companies and listed individuals. The accessibility of e-commerce also opens new opportunities for electronic malpractice in various forms. Only thorough due diligence on your customer base, combined with constant monitoring for irregularities, protects the company against these risks. These should be key criteria in selecting your third-party service provider (PSP), which provides you with the applicable tooling.

The figure below, reflecting Zanders’ view on corporate and enterprise risk management, shows the possible areas of impact affected by e-commerce activities. It gives a clear view of the wider impact of e-commerce throughout the overall risk matrix.

Figure 1: Scope of Financial Risk Management

Treasury Framework

The above-mentioned risk categories should preferably be monitored, mitigated and controlled at a central level. The existing treasury control framework, being the heart of the financial operations, is the natural place for this. This framework can be reflected in the treasury activities and treasury enablers shown below.

Figure 2: Treasury Activities and Enablers

By embedding the e-commerce activities and their applicable risks in the above framework, we can immediately translate this into a practical approach for controls on your e-commerce activities, for example:

  • Make them a part of your regular bank account management and banking landscape;
  • Add a dedicated paragraph on e-commerce in the impacted Treasury policies;
  • Integrate and connect to the existing process & system landscape (connecting the dots);
  • Formulate a governance & control framework with applicable KPIs and reporting.

The combination and integration of the e-commerce activities will create a solid, multi-level layer of defense. Regular training of all staff involved on the various aspects of risk & compliance is a strict requirement to maintain a solid first and second line of defense in the company. Altogether this means a continuous cycle of activities within a multidisciplinary team environment. Commercial opportunities should be weighed against financial and non-financial risks by the appropriate representatives in the company.

In order to apply the right governance, one still often ends up with the classical risk management approach found in the COSO/ERM model. This model is rightfully based on the organization’s goals, assuming they correctly reflect the various and divergent interests of the stakeholders.

However, this model has also received criticism over time for, amongst others, the following reasons:

  1. Its conceptual and theoretical approach.
  2. The lack of a concrete plan of approach.
  3. The struggle with internal control across multiple hierarchical levels.

Taking into account the operational character as well as the rapidly evolving environment of e-Commerce, one would prefer a more practical, environment-aware and dynamic approach. Such an approach can be found in the more risk-based approach of the so-called Diamond Model (MAB, 2019), a more practical approach to governance that fits well with e-commerce. The four governance processes presented there, Steer, Control, Justify and Feedback, offer good tools for managing short-term goals in a fast-changing e-Commerce environment:

  • Manage: Due to the COVID-19 pandemic many corporations have adjusted their short-term strategy. Integrating this in a more strategic way calls for clear KPI settings and reporting.
  • Control: As argued above, embed your e-commerce activities in the overall risk framework, with the necessary adjustments to risk policies and reporting requirements.
  • Feedback: Challenge yourself on these new and continuously changing models and products on a regular basis to make sure you comply with the latest regulatory standards and product offerings.
  • Justify: E-Commerce becomes a strategic item on the agenda, relevant for the company’s success story. Make sure to communicate appropriately with both internal and external stakeholders (for example, through the Annual Report) in order to keep everyone aligned and on board.

With continuous evaluation and monitoring, one will be able to manage, monitor and adjust the e-commerce strategy as an integrated part of the financial operations of the company in today’s fast-changing environment. Treasury and Commerce will act fully aligned in supporting the mission & objectives of the company in a risk-controlled way. To the key (external) stakeholders, who nowadays increasingly underwrite the necessity of e-commerce, the integrated risk strategy will also bring a necessary level of comfort.

E-commerce has become an integral part of our business models, and this calls for a review and update of the applicable risk, compliance and governance matrices. Given the dynamic and fast-changing environment, there is a demand for a practical and risk-based approach. Integrating e-commerce into the company’s treasury & risk framework is a logical next step in the ongoing journey of the Treasurer.

1) Claasen, U. (2019). Handboek Risicomanagement. Deventer: Management Impact | Boom Uitgevers.
2) Van Rijswijk, M. (2015). Handboek Integriteit en Compliance. Amsterdam/Antwerpen: Uitgeverij Business Contact.
3) De Bos, A., Lanting, G.J., Van Mechelen, R., Van der Ven, M. (2019). Naar een praktisch contingentie-model voor goed MKB-bestuur. Maandblad voor Accountancy en Bedrijfseconomie 93(5/6), 171-181.
4) Van Staveren, M.Th. (2019). Whitepaper: Risico is geen probleem. Management Impact.
5) Hartog, E. (2021). Masterclass Thesis: e-Commerce, the new risk. Masterclass Riskmanagement, Compliance & Governance, NIBE.