Critical Areas of Risk for Retailers to Focus On

The very nature of a good retailer is to be agile. This ability is not only useful in deftly navigating changing customer demands, supply chain challenges, and competitive threats, but also in surviving the complex risk environment that we find ourselves in.

Without a doubt, the last 24 months have certainly proven themselves to be challenging to say the least. There have been few periods in the last decade that have rivaled the risk complexity and demand on our attention and efforts than what we’ve recently experienced.

For certain, steering our way through a global pandemic has sharpened all of our abilities to deal with dynamic government regulations, workforce shortages, and supply chain issues. The big question though is, “What’s next?” followed by “What do we do about it?”

As we look ahead, there are many things that can draw our attention in making our organizations more resilient. However, speaking directly, here are four key risk areas that every retailer should be focused on and working to mitigate right now:

Cybersecurity

It seems to be a no-brainer that every retailer (large, small and everything in between) should have a good cybersecurity team and program in place. Retailers have long been the target of cybercriminals, and as we become more omnichannel and digitally focused, bad actors will only continue to attempt to exploit every possible vulnerability. While the average cost of a data breach is on the rise (currently in the $3 million to $4 million range), the greater concern really lies in the broader-reaching impact of the loss of credibility and trust with the person we value most — our customer.

Another equally disturbing and very visible trend that's escalating is the impact of cybersecurity attacks on physical operational capabilities (or more technically stated the risk in IT/OT convergence). The more that our infrastructures become interconnected, the greater the fragility of the entire system.

Just look at the recent past. In September 2020, Universal Health Services experienced a ransomware attack that forced it to shut down IT operations at 400 locations and deliver patient care using backup processes. In 2021, the Colonial Pipeline Company suffered a ransomware attack that led to the shutting down of a major oil pipeline for several days impacting the East Coast. Later that year, JBS (the largest meat producer globally) forced a shutdown of several of its production plants in the U.S. for a period due to a cyberattack.

Think about that for just a moment. What would it mean to your retail operation to lose temporary access to your point-of-sale systems, e-commerce sites, inventory systems, or logistics systems? What would the impact be on your business?

What should you do? Ensure that there's very focused engagement from your cybersecurity leadership and program around the cyber risk landscape, gaps and vulnerabilities, standards (e.g., NIST) and resourcing, and their ability to identify, protect, deter, respond and recover effectively.

Crime

Dealing with crime is nothing new for the retail industry. As long as there have been stores, there have been shopkeepers trying to ward off would-be shoplifters and other criminal activity. What's of interest and concern is the increasing trend of criminal activities compounded by the other environmental factors that reduce criminal deterrence (e.g., reduced sentencing, reduced law enforcement capabilities, etc.).

"Crime" in and of itself is a broad topic, and different types of crime should employ different mitigating strategies and tactics. Therefore, here’s a quick way to bucket the activity into something more actionable:

1. Nonviolent Crime: Generally considered as property crime, such as theft (including shoplifting), vandalism, criminal mischief, etc.
2. Violent Crime: Think anything that involves the threat of or actual injury/death of another (e.g., aggravated battery, armed robbery, murder, etc.).
3. Organized Retail Crime (ORC): Coordinated efforts of groups of bad actors to steal from and defraud businesses. While ORC can most certainly encompass both nonviolent and violent crime, how you track, monitor and move to thwart organized crime may require different strategies.

What should you do? Work with your asset protection/loss prevention leadership teams to ensure there are sound strategies in place to address your specific circumstances in each of these three buckets. Successful organizations understand crime at both a local level as well as an aggregated macro view. Employ a risk methodology that helps you prioritize and apply resources effectively. Monitor results and adjust quickly.

Natural and Manmade Disasters

Natural and human-caused emergencies and crises are also nothing new and have been around since before there were stores. Regardless of whether you think they will get worse/more frequent or not, the fact is they will continue to impact retail operations and the livelihood of our employees, customers and communities.

The key lies in understanding the risks that are inherent in the places that you operate, impacting environmental factors (e.g., building codes, government response capabilities, etc.), how your company prepares and mitigates potential impacts, and its ability to identify, assess, triage, respond to and recover from events.

What should you do? Engage with a cross-section of your company in developing a holistic strategy to address and resource activities/programs that will not only help you mitigate impacts, but may also help you prevent and avoid some threats altogether. Develop great situational awareness. Invest in efforts that help you prepare as much as possible on the front end before a crisis occurs and respond effectively and efficiently once it does.

Compounding Events

The reality is that few things ever occur in isolation. However, many organizations create strategies or plans that tackle singular threats or events. Good planning must be more flexible and account for the compounding of events. Think hurricane + looting; earthquake + communications outage; or the one we’ve all recently dealt with, pandemic + all of the above. Compounding events have an impact on our response capabilities, resource availability and the manner in which we react to a situation.

What should you do? Practice for compounding events and develop an agile framework for dealing with crises.

If the last 24 months has taught us anything, it’s that our agility — that thing that makes us great retailers — is more important now than ever before in being able to navigate current and future risk environments. Only by rapidly learning from our recent past, applying those learnings to mature our organizations, and being ready for what’s to come will we find ourselves as successful as possible as soon as possible.

Jason Jackson is the vice president of customer experience for Infinite Blue, a leading provider of business continuity/disaster recovery planning and response management software.