Due to its direct link to end consumers, the retail sector is particularly exposed to the current economic slowdown and rising cost of living. While this may mean that short-term strategic adjustments are needed, to remain resilient in this environment it is crucial to closely monitor and address risks to critical infrastructure.
The global economy has been very volatile in recent years, disrupted by the pandemic and the war in Ukraine, both of which have affected supply chains and consumer behaviour. The retail sector has adjusted to these challenges by boosting the online presence and home deliveries, showing the necessary flexibility to adjust to a changing environment.
The online push has, however, also reduced lead times and increased competition to meet consumer expectations. Pressure is likely to remain high as household incomes are squeezed due to price inflation and consumer confidence takes a dip.
Consumer confidence index (CCI)
Amplitude adjusted, Long-term average = 100, Jan 2014 – Jan 2023
Source: OECD (opens a new window)
The need for speed, efficiency, and reliability of processes in the retail sector have also increased the dependence on two key functions: fulfilment/distribution centres and digital infrastructure. Reassessing and adjusting the risk management processes in place for these two areas on a regular basis is particularly necessary because the higher the digitisation level of the business, the shorter the recovery window.
1. Fulfilment/distribution centres
Fulfilment/distribution centres are core elements of retail companies and without appropriate risk controls, an outage can, if prolonged, result in a business’ failure.
One of the main risks to this type of facility is usually from fire, or other physical damage-related events. Arguably, the more automated fulfilment centres are, the higher the fire risk. This is the result of:
very high storage densities,
limited access,
electronic conveyancing systems,
high racking, and
cold storage requirements.
In a widely publicized case, a UK online grocer had to cancel (opens a new window) thousands of orders after a fire at a fulfilment centre in south-east London in July 2021. The online grocer said the blaze started when three of the robots that help pick its groceries collided. It was the second fire involving robots at the online grocer. Another facility burned down in 2019 after an electrical fault.
In 2017, a British online fashion retailer experienced a fire (opens a new window) at its distribution centre in Germany that destroyed stock worth about GBP6.25 million. Its main distribution centre in the UK also caught fire in 2014, causing GBP30 million worth of damage.
Another major risk for fulfilment/distribution centres is from natural catastrophes (natcats) such as storms, wildfires, or floods. While the level of risk exposure depends heavily on the geographical location, climate change is making severe weather events less predictable and increasing the likelihood in locations previously deemed low risk.
Fulfilment/distribution centres are often multimillion worth structures, and while the reconstruction cost may be covered by insurance, the process may take two years and cause severe business interruption and damage to the brand. Stock may still come in but can’t be stored and managed appropriately while clients choose to move to competitors as service levels fail to satisfy.
2. Risk to digital infrastructure
While the digitisation push in the retail sector during the pandemic has created greater efficiencies and reduced lead times, it has also increased existing and added new vulnerabilities. Malfunctioning software or a cyber-attack can trigger prolonged outages that, similarly to fulfilment/distribution centres, can, in a worst-case scenario, cause the business’ failure.
For online retailers, even short outages can severely impact the balance sheet. Several major online retailers are thought to have lost around GBP1 billion (opens a new window) during a global internet outage in June 2021 that lasted around one hour.
A cyber-attack targeting a UK discount retailer has caused the closure of some of the retailer’s stores (opens a new window) due to till issues, delayed the resupply of stock and online order deliveries to customers.
Even a week after a ransomware attack, a British multinational postal service and courier company was still working with security authorities (opens a new window) "to mitigate the impact".
Retail/restaurants topped the list of the most impacted industries by cyber incidents in December 2022, according to data compiled by corporate investigation and risk consulting firm Kroll.
Cyber incidents in retail/restaurants (previous 6-months comparison)
Source: Kroll, IR Spotlight Trends Report December 2022
Even if core systems are down just for a short period, clients may already have moved to a competitor and it can be quite difficult to lure them back, potentially causing a long-term financial impact. It is therefore crucial that retailers focus on the business’ core vulnerabilities and test them regularly to create effective recovery plans.
No system will ever be entirely ‘bullet proof’. However, by implementing the appropriate strategies to anticipate and control the impact of disruptive events, businesses can enhance their preparedness and responses during times of crises.
Recommendations
Utilise lessons learned from internal and external risk events to improve the business’ preparedness and response strategies. These should also be used to inform wider business continuity planning.
Frequently review and update governance policies and frameworks to account for the accelerating pace of risk evolution and emerging risks. Considering the ever-changing risk landscape and external circumstances, a business’s approach to resilience management should be consistently monitored and improved, to ensure effectiveness and relevance of the activities and controls in place.
Establish a risk-focused culture. Instilling a culture that understands the implications and interconnectedness of risks across an organisation is important for enhancing corporate resiliency. Such knowledge, and the associated individual accountability for risk, will help support the organisation in its response to future disruptive events.
Ensure consistent training, upskilling and succession planning of personnel. People are the engines of any organisation, driving both continuity and growth. Therefore, it is essential to ensure that the appropriate skillset and expertise is consistently available within the organisation, including in relation to risk management.
Establish and allocate clear risk responsibilities. Every business is exposed to a myriad of risks, of varying types and characteristics, across its different divisions and functions. Hence, it is important for the appropriate personnel to monitor and manage the risks relevant to their areas of expertise. Moreover, understanding the correlations between risks and how they impact each other is important to establish effective intra-organisational collaborations to manage interconnected exposures. An effective three lines of defence model will help support this.
Explore how risk advisors could enhance your risk approach and corporate resiliency. Due to the complexity and multi-layered nature of risks, seeking the support of risk professionals can ensure the development of a holistic unified approach.
Undertake regular scenario testing to ensure response strategies are relevant and effective (e.g. considering scenarios such as loss of fulfilment/distribution centres and IT-related disruptions).
For further information, please contact:
Michael Kay ACII, Head of Retail Practice Group, SVP
T: +44 (0)161 828 3304
E: michael.kay@lockton.com
Matthew Couchman, Risk Management Executive, Vice President
T: +44 (0)20 7933 1549
E: matthew.couchman@lockton.com
