Literature Review

A risk management approach of possible risks faced by hotels during the current technological transition

Mario Roma Momma D14126773

The Effective Manager (MANG9001)

MSc Hospitality Management

18/11/2015

2,751 words

2

TABLE OF CONTENTS

1 – INTRODUCTION 3

1.1 DEFINITION OF RISK FROM A BUSINESS PERSPECTIVE 3

1.2 RISK MANAGEMENT AND STRATEGIC FLEXIBILITY 3

1.3 THE PURPOSE OF THIS PAPER 4

2 – THE SOURCES OF RISKS 5

2.1 WHICH ONES ARE THEY? 5

2.2 - HOTEL INFORMATION TECHNOLOGY (IT) SECURITY 8

2.3 – THE COST OF (NOT) MANAGING THE RISK OF IT SECURITY 8

2.4 - THE RISK OF BAD ONLINE REVIEWS 9

3 - CONCLUSION 10

4 – SAFE ASSIGNMENT (4%) 11

3

1 – Introduction

1.1 Definition of risk from a business perspective

Risk management is a model that qualitatively or quantitatively analyses a business

environment in terms of risks, based on a particular strategy that aims to reduce

and/or eliminate potential negative outcomes derived from exploring opportunities

(Waring & Glendon, 1998; Crockford, 1991; Aven, 2009). Thus, properly managing the

risks involved in exploring opportunities can lead to positive outcomes, as it is

demonstrated by Grace, Leverty, Philips & Shimpi (2015). In addition, Aven (2009)

defends that one of the main categories of risk management in a company is the

strategic risk, which is related to its long-term strategy and plans, being technology,

amongst others risks, a crucial one. (Aven, 2009, Waring & Glendon, 1998: 333-58).

1.2 Risk Management and Strategic flexibility

According to Vecchiato (2015), companies need to be prepared to radically transform

an organization given the rapid evolution of technology, the rivalry environment

amongst competitors and globalization. This scenario forces companies to always be

alert for the need to change, to be agile and adaptable (Markides, 2004).Hence it is

relevant to assess the extent to which a company can manage the risks involved in

quickly adapting to radical changes. In addition, given an uncertain new scenario, it is

crucial to understand not only what could be a detriment but more importantly, what

the potential benefits of managing risks are (Aven, 2009).

Technology has been rapidly evolving and according to Thakran & Verma (2013) the

hotel industry is passing from a disintermediation era to a hybrid era, driven by new

interactive technology, which affects the way that rooms are distributed and the

relationship between hotels and guests, implying that hotels must change the way that

technology has been lately seen and used.

Certainly, hotels have to define corporate and marketing strategies under this

uncertain new technological environment and it is suggested that risk management

plays an important role in order to be strategically flexible (Dwyer, Cvelbar, Edwards,

Mihalic, 2014). Assessing uncertainties starts by gathering information about the

possible problems and threats, followed by assessing the risk big picture, estimating

4

risk frequencies, analyzing causes, consequences, cost-benefit and cost-effectiveness.

As a final phase, the risk must be treated by comparing with acceptance criteria and,

when needed, implement risk reduction measures. (Waring & Glendon, 1998: 25;

Aven, 2009:9).

1.3 The purpose of this paper

The next paragraphs address the relevant aspects regarding the way that hotels could

proactively manage risk when facing new technologies. The objective is to analyze

what risks a hotel is facing by having to adapt to new technologies, as Waring &

Glendon (1998) argue that one of the major concern of a firm is related to the timing

and speed of changing to a new technology as well as choosing the wrong technology

for a firm’s changing needs. As a conclusion, this paper recommends risk management

strategies for hotels in order to successfully adapt to new, as well as to suggest

possible areas for future research.

5

2 – The sources of risks

Technology has been rapidly advancing and the hotel industry is trying to keep up with

the technological advancements (Carlino, 2014). It is suggested that the businesses

that struggle to adapt miss good opportunities and run the risk of allowing competitors

to build better competitive advantages (Vecchiato, 2015). It is argued that the hotel

industry is facing the need of changing to self-service technology (SST) as well as to

adapt to new security needs, which combined can form the competitive advantages of

better enhanced customer services and safe operations (Kim, Farrish and Schrier,

2011; Kelly, Lawlor & Mulvey, 2013). Also, Thakran & Verma (2013) argue that hotels

are now living the hybrid technological era where guests today have a combination of

different devices (computers, tablets, smartphones and possibly interactive glasses) to

visit the hotel’s channels to compare and book rooms, and to share experiences at any

time of the day (Carlino, 2014; Thakran & Verma, 2013). Therefore, it is plausible to

accept that such real-time long-reaching exposure can offer significant risks to a hotel

that deserve to be properly managed.

2.1 Which ones are they?

According to Meuter, Ostrom, Roundtree & Bitner (2000) SST is a technology-based

service that allows customers to independently generate outcomes, without the need

of an employee involvement. Besides the fact that literature specifically discussing the

risks that SSTs offer to a hotel do not seem to be a priority, analyzing studies on

consumer behavior and evaluation of SSTs usage (Shamdasani, Mukherjee & Malhotra,

2008; Kelly et al., 2013; Meuter et al., 2000) as well as the long term effect of SSTs

(Scherer, Wünderlich & Wangenheim, 2015), can indicate the potential risks involved.

Carlino (2014) interviewed hotel owners and operators about the technological trends

and it is implied that guests, specially the premium ones, tend to prefer SST check-ins.

However Kelly et al. (2013), with their exploring study on customer experience with

SSTs provided insights in terms of potential risks generators for hotels. Such topics

include consumer preferences, price, security, trust, privacy and effectiveness. In

relation to preferences and price, Kelly et al. (2013) argue that yet, that are people

that would rather speak to a person instead of engaging with a SST kiosk because of

6

various reasons. Hence, there is a contrast between Kelly’s et al. (2013) findings and

the observations made by one of Carlino’s (2014) interviewee, and this contrast

configures a risk in the sense that, from a hotel point of view, it is not straightforward

to understand if it is good to invest in a technology that some customers might like it

and some others would not. In addition, in terms of price, customers expect to pay a

lower price when booking online instead of buying through a person (Kelly et al.,

2013). The risk thus increases: not only a hotel would not know the acceptance level of

the investment made on SSTs but also its customer is expecting a lower price. It is not

clear that the hotel could reduce its price by having the costs of investment in a SST

technology, the regular maintenance of it and yet having a payroll as an expense.

In terms of security and privacy, when a money transaction occurs, customers prefer

to deal only with trusted companies, which reinforces the argument that technology

risk is the main concern when purchasing online and can significantly reducing the

consumer intention to spend in case the hotel does not have a certain level of trust

amongst customers for instance (Herrero & San Martin, 2012).

Despite the difficulty of finding articles specifically discussing the risks involved in

implementing SSTs in hotels, one can argue that, according to Waring & Glendon

(1998) and Aven (2009), hotel managers and owners should assess these risks by

understanding the causes and consequences as well as the cost-benefit and cost-

effectiveness of the risks. One of the interviewees from Carlino (2014) argues that, in a

hotel, the two major concerns in terms of technology are the costs involved and the

return on investment (ROI). Here, it would not be a bad idea for researchers to focus

on empirically studying the financial return and feasibility of hotel investments on SST.

The financial risk in terms of investments in new technologies and the respective ROI

cannot be neglected. As it is suggested by Scherer et al. (2015), firms should not switch

to SSTs completely, implying that customers would be disloyal to a firm if they faced

the extremes of either having only the option of a technology-based SST or only the

option of a personal service. A mix of service channels could thus be the solution. If yet

there are people that look for a personal assistance, and the reasons for that seem to

be significant (Kelly et al., 2013), a hotel must assess the risk of investing a

considerable amounting of money to implement SST and still need to have employees

to do the same job that the SST does. It is not yet clear if a hotel would have double

7

the cost instead of reducing costs in the case where SST entirely substitutes

employees. For instance, what if there is a high perceived risk when using a hotel SST

due to a potential cyber attack (Cellan-Jones, 2015), or even because of several

possible dissatisfaction incidents (Meuter et al., 2000), customers stopped using SST

and went all back to the regular face to face mode? This is the type of assessment that

Waring & Glendon (1998) exemplifies and that is not very clear in a hotel context. As it

is suggested by Aven (2009) and Waring & Glendon (1998) this is an investment risk

that should be measured and carefully dealt in terms of feasibility, measured by the

savings estimations versus the cost that employees would still represent for the

company.

But this risk either seems to be neglected or really well assessed. The number of hotels

opting for self service check-in is growing (Worgull, 2014). From a different angle, yet it

is not clear either how to manage the risks related to mass dismissal of employees in

case they all were substituted, or the risk of data security, as passport details, needed

for checking-in, could be stolen.

Customer perceptions of technological risks can be related to security and privacy as

pointed by Kelly et al (2013) and Shamdasani et al. (2008) argue that the usage of SSTs

is subject to a certain level of uncertainty that directly affects the perceived value of

service quality however, when this uncertainty is properly managed, it raises the

chance of its continuous usage and could improve customer satisfaction. Hence,

deeply understand the customers’ perceived risks of implementing SST is crucial in

order to not lose customers due to low levels of quality service perception. As it is

suggested by Shamdasani et al. (2008), a possible way to overcome this potential risk is

to educate customers by providing easy step-by-step guides and live demonstrations

of how secure to perform transactions online is. Although Shamdasani’s et al. (2008)

findings come from the context of internet banking, these insights could also be

studied in a hotel context. Herrero & San Martin (2012) suggest that companies

offering e-commerce platforms can reinforce safety and privacy in order to strengthen

their trust. This addresses the issue of sales decrease due to the technology risk but, it

does not address the issue from a risk management perspective, and that is where the

gap lies on. One could question the extent to which a firm is losing because of that

8

perceived risk and assess the level of riskiness and then decide whether or not, to

invest in technology.

These literature gaps offer researchers insights for further investigation. For example,

to evaluate the technological-based risks of SSTs and the impact on ROI or on

customer retention in hotels.

2.2 - Hotel information technology (IT) security

Not only should hotel managers consider internal system failure and environmental

hazards that could damage the system, but external threat is a major risk to be

managed (Waring & Glendon, 1998). A hotel operator interviewed by Carlino (2014)

argued that maintain IT security is not an easy task. Despite the facts that, (a) it is a

Payment Card Industry (PCI) Security Standards Council’s (SSC) requirement to have IT

security policies (PCI, 2015), and (b) hotels seem to not face significant budget

constraints to invest in IT security measures (Kim et al., 2011), O’Connor (2007) argues

that the majority of third-party online companies are not able to ensure that

customers’ data are protected, supporting the argument that hotels lack of technology

security risk management (Kim et al., 2011). The heart of the IT risk lies on not having

(a) a dedicated it department (Kim’s et al., 2011), (b) a high level of IT security

expertise (DeMicco, 2007), (c) employees with IT training and background and (d) high

protection data software that meets PCI’s requirements (Kim et al., 2011). The possible

consequences of badly managing this risk is alarming: according to PCI SSC, a firm

having an IT security incident faces severe reputation damage, catastrophic losses,

lawsuits and cancelled accounts (PCI).

2.3 – The cost of (not) managing the risk of IT security

DeMicco (2007) argue that the most frequent computer crimes committed to a hotel

are hacking (accessing private data without authorization), theft of technology and

fraud. The same month that this paper was being written, Talk Talk, a phone and

broadband service provider that has more than four million customers in the UK, had

their entire customer’s data, that were not all encrypted (safe), stolen, including

names, addresses, dates of birth, emails, phone numbers, credit card numbers and

bank details, which resulted in an instantly share price drop of circa 10% (Cellan-Jones,

9

2015). According to Law & Jogaratnam (2005), Kim, Lee & Ham (2013) and O’Connor

(2007), hotel information systems hold important information about customers,

making hotels an easy prey for cyber criminals. And it is not only about a hotel

assessing the level of vulnerability, it is also about assessing the quantitative risk, or

potential losses (Waring & Glendon, 1998). With the Talk Talk example, the question

that could have been asked before the incident is what the maximum compensation to

be paid per customer would be, which multiplied by over four million customers would

have given the total possible loss of such an unmanaged risk. That number might have

motivated the company to at least make sure the data was encrypted.

2.4 - The risk of bad online reviews

As implied by Thakran & Verma (2013), a bad online review can be disseminated to

anywhere in the globe in seconds through several devices and in several platforms.

Perhaps this is a risk that could also be managed simply because not surprisingly,

negative online reviews can reduce a hotel’s sales (Xie, Zhang & Zhang, 2014).

However, despite the fact that most managers are aware of the importance that

customers give to online reviews, only a reduced number actually respond to negative

ones Freed (2011). Cheng & Loi (2014) argue that not only controlling the internal

problem that generated the bad online review, managers can control how to

effectively respond to bad online reviews. However, Xie et al. (2014) argue that when

bad reviews are specifically related to cleanliness, the more the manager respond to

such reviews the worse is the guest’s cleanliness perception.

Despite the fact that this topic has been well discussed over the past years, and

provides possible solutions from a risk management perspective, an empirical study

measuring the possible online risk generators, their actual value to the hotel and the

possible paths to the decision making process could be considered.

10

3 - Conclusion

It was strived to demonstrate that as the technology advances and hotels become

more adept to implement technology-based platforms, risks emerge in terms of (1)

system failure, consumer behavior disapproval and investments, (2) hacking,

customers’ data theft and trust, and (3) bad online reviews. In a rapidly evolving

business landscape these risks configure a major threat by potentially (a) losing the

basis to create competitive advantage, which is financial resources, customer

relationship and quality service (Kim et al., 2011; Kelly et al., 2013; Scherer et al., 2015;

Shamdasani et al., 2008; DeMicco, 2011), and (b) being less strategic flexible because

of lack of understand and management of external uncertainties (Vechiatto, 2015;

Markides, 2004; Shimizu & Hitt, 2004). Saied (1990) published a very general guide

demonstrating the appropriate approaches that managers needed to consider in

regards to hotel risk management. Evidentially, given the article’s date of publication,

online-based technology was not part of the content, however security, training and

emergency procedures (crisis situation) had a clear list of indispensable “checklist” in

order to maintain the hotel’s security. Scholars could turn their attention to such

approach and empirically update it by including the risks involving the new

technologies above discussed.

As shown, literature forming the basis of potential IT security risks that hotels face is

available. The literatures here reviewed provide basis for the problem definition and

objects of risk, the initial steps of risk management (Waring & Glendon, 1998; Aven,

2009). However, the only hotel risk management article was published in 1990 when

hotels did not depended on the same technology available today.

It is clear the risks for a hotel in adapting to new technologies, what is not clear is the

hotel’s approach to risk assessment, analysis of cause and consequences, cost-benefit

and cost-effectiveness in the context of having to change or adapt to new

technologies.

11

4 – Safe Assignment (4%)

12

List of References

Aven, T. (2009) Risk Analysis, Assessing Uncertainties Beyond Expected Values and

Probabilities, England: Wiley Carlino, N (2014) Owners/operators share their top technology needs, goals, Hotel Business,

Tech Trends, August, pp. 18-26 Cellan-Jones, C. (2015) TalkTalk cyber-attack: Website hit by 'significant' breach, United

Kingdom: BBC. Available from: http://www.bbc.com/news/uk-34611857 [31/10/2015] Cheng, V. T. P. & Loi, M. K. (2014) Handling Negative Online Customer Reviews: The Effects of

Elaboration Likelihood Model and Distributive Justice, Journal of Travel & Tourism Marketing, 31, pp. 1-15

Crockford, N. (1991) Risk Management – Insurance Learner, London: Whiterby DeMicco (2007) To Be Secure or Not to Be: Isn’t This the Question? A Critical Look at Hotel’s

Network Security, International Journal of Hospitality & Tourism Administration, 8(1), pp. 43-59

Dwyer, L. M., Cvelbar, L. K., Edwards, D. J. & Mihalic, T. A. (2014) Tourism Firms’ Strategic

Flexibility: the Case of Slovenia, International Journal of Tourism Research, 16, pp. 377-387

Freed, J. Q. (2011) How to respond to hotel reviews, Hotel News Now. Available from

http://www.hotelnewsnow.com/Article/5276/How-to-respond-to-hotel-reviews [30/10/2015]

Grace, M.F., Leverty, J. T., Philips, R. D. & Shimpi, P. (2015) The value of investing in enterprise

risk management, The Journal of Risk and Insurance, 82(2), pp. 289-316 Herrero, A. & San Martin, H. (2012) Effects of the risk sources and user involvement on e-

commerce adoption: application to tourist services, Journal of Risk Research, 15(7), pp. 841-855

Kelly, P., Lawlor, J. & Mulvey, M. (2013) Customer decision-making processes and motives

for self-service technology usage in multi-channel hospitality environments, International Journal Electronic Customer Relationship Management, 7(2), pp. 98-116

Kim, H., Lee, D. & Ham, S. (2013) Impact of hotel information security on system reliability,

International Journal of Hospitality Management, 35, pp. 369-379 Kim, J. S., Farrish, J. & Schrier, t. (2013) Hotel Information Technology Security: Do Hoteliers

Understand the Risks?, International Journal of Hospitality & Tourism Administration, 14, pp. 282-303

Law, R. & Jogaratnam, G. (2005) A study of hotel information technology applications,

International Journal of Contemporary Hospitality Management, 17(2), pp. 170-180

13

Madanoglu, M. (2011) Entrepreneur’s Dilemma: Hotel Investments in Emerging Markets, FIU Hospitality Review, 29(2), pp. 55-69

Markides, C. (2004) What is strategy and how do you know if you have one?, Business Strategy

Review, 15(2), pp 5-12 Meuter, M. L., Ostrom, A. L., Roundtree, R. I. & Bitner, M. J. (2000) Self-Service Technologies:

Understanding Customer Satisfaction with Technoiogy-Based Service Encounters, Journal of Marketing, 64, pp. 50-64

O’Connor, P., 2007. Online consumer privacy: an analysis of hotel company behavior.

Cornell Hotel & Restaurant Administration Quarterly, 48(2), pp. 183–200. Payment Card Industry (PCI) Security Standards Council (2015) Requirements and Security

Assessment Procedures Version 3.1, PCI Data Security Standard Payment Card Industry (PCI) Why Comply with PCI Security Standards?, PCI Security Standards

Council. Available from https://www.pcisecuritystandards.org/security_standards/why_comply.php [30/10/2015]

Saied, J. (1990) Approaches to risk management, The Cornell H.R.A. Quarterly, August, pp. 45-

55 Scherer, A., Wünderlich, N. V. & von Wangenheim, F. (2015) The value of self-service: long-

term effects of technology-based self-service usage on customer retention, MIS Quarterly, 39(1), pp 177-200

Scott, I. (2015) How to respond to negative online reviews, Hotel News Now. Available from

http://www.hotelnewsnow.com/Article/15854/How-to-respond-to-negative-online-reviews [30/10/15]

Shamdasani, P., Mukherjeeb, A. & Malhotrac, N. (2008) Antecedents and consequences of

service quality in consumer evaluation of self-service internet technologies, The Service Industries Journal, 28(1), pp. 117-138

Shimizu, K. & Hitt, M.A. (2004) Strategic flexibility: Organizational preparedness to reverse

ineffective strategic decisions, Academy of Management Executive, 18(4), pp. 44-59 Thakran, K. & Verma, R. (2013) The emergence of hybrid online distribution channels in

travel, tourism and hospitality, Cornell Hospitality Quarterly, 54(3), pp. 240-247 Vecchiato, R. (2015) Strategic planning and strategic flexibility in turbulent environments,

Foresight, 17(3), pp. 257-273 Xie, K.L., Zhang, Z. & Zhang, Z. (2014) The business value of online consumer reviews and

management response to hotel performance, International Journal of Hospitality Management, 43, pp. 1-12

Waring, A. E. & Glendon, A. I. (1998) Managing Risk, Critical issues for survival and success into the 21st century, London: Cengage, pp. 3-45; 108-125; 333-358; 391-423

14

Worgull, S. (2014) More hoteliers opt for self-service check in, Hotel News Now, Available from: http://www.hotelnewsnow.com/Article/14752/More-hoteliers-opt-for-self-service-check-in [30/10/2015]