A rapidly shifting social, business, political and economic environment is placing UK retailers on continuous watch as they adapt and react to new threats and challenges.
Historic risk management norms like crime and security are giving way to external threats in the registers of modern companies; but many of these are intangible such as protecting brand equity and are often considered very hard to measure or mitigate.
Meanwhile the increasing influence of technology affects almost every corner of the industry from distribution and the way shoppers interact with a brand; to the supply chain and its continuing search for peak efficiency.
As a result, technology, rather than store networks or stock, is becoming one of the single greatest assets and vulnerabilities identified by the industry’s risk management community.
1. Retail Inperspective
In this issue
Aon Risk Solutions
National | Retail Practice
Issue 6 November 2016
Introduction
A rapidly shifting social, business, political and economic environment is
placing UK retailers on continuous watch as they adapt and react to new
threats and challenges.
Historic risk management norms like crime and security are giving way to
external threats in the registers of modern companies; but many of these are
intangible such as protecting brand equity and are often considered very
hard to measure or mitigate.
Meanwhile the increasing influence of technology affects almost every corner
of the industry from distribution and the way shoppers interact with a brand;
to the supply chain and its continuing search for peak efficiency.
As a result, technology, rather than store networks or stock, is becoming one
of the single greatest assets and vulnerabilities identified by the industry’s risk
management community.
Daniel Fox
Aon Retail Practice Leader
The UK Retail Risk
Management Surveyp1 The UK Retail Risk
Management Survey
p3 Analysis – The External/
Intangible Threat
p4 Analysis – Cyber / IT Risk
p5 Analysis – Operational Risks
p6 Analysis – People / IT Risk
p8 Analysis – Financial,
Corporate, Crime and
Security Risk
p9 Meet the experts
Risk. Reinsurance. Human Resources.
2. aon.co.uk/retail-wholesale
Inperspective | Retail | November 2016 FPNAT.238 2
This survey, conducted during April and May 2016 with the co-operation of the
British Retail Consortium, has researched in depth the opinions of risk managers
about how they perceive risk in the UK retail sector today. It draws on the opinions
of risk managers from UK retailers from every sub-sector including grocers, fashion,
department stores, DIY, wholesale and electricals.
For this report, we have also included industry insights from our own risk and
insurance experts at Aon UK and Aon Global Risk Consulting, alongside a number
of high profile retail industry figures who provided opinions on these issues at the
recent Aon sponsored British Retail Consortium Retail Symposium. While this data
was drawn prior to the EU Referendum, we maintain that it is essential for retailers
not to lose sight of the wide range of risks this survey uncovers.
I hope you find this report useful and enlightening and we look forward to hearing
any feedback you may have.
Key findings
The findings of the UK Retail Risk Management Survey 2016 reveal that UK retailers’
number one concern is the risk of ‘damage to reputation and brand’, with almost
three quarters of respondents confirming it is either a ‘High’ or ‘Very High’ threat
to their business.
This result underlines previous data published in 2015’s Aon Global Risk Management
Survey which placed damage to reputation as the second greatest risk amongst
retailers worldwide.
Industry insight
Rob Feldmann – CEO, Brand Alley
“Damage to reputation isn’t a risk in and
of itself, but a consequence of events.
Good risk management decision making
can certainly limit your losses.”
BRC Conference 2016
Failing to retain top talent / key people [PEOPLE] 3.548% 4% 29% 42% 17%
Growing sales / staying competitive [FINANCIAL] 3.504% 17% 25% 33% 21%
Failure to implement strategy internally or externally [CORPORATE] 3.464% 25% 13% 38% 21%
Working / Minimum wage costs [PEOPLE] 3.254% 21% 33% 29% 13%
UK Government regulations [EXTERNAL] 3.254% 17% 38% 33% 8%
Lack of technology infrastructure to support business needs [IT] 3.254% 17% 46% 17% 17%
Social media - negative brand impact [OPERATIONAL] 3.174% 17% 46% 25% 8%
Changing consumer trends [CORPORATE] 3.3313% 21% 8% 38% 21%
Changing consumer buying patterns [EXTERNAL] 3.3313% 21% 8% 38% 21%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Damage to reputation / brand [CORPORATE] 3.928% 21% 42% 29%0%
UK economic changes [EXTERNAL] 3.838% 21% 50% 21%0%
Increasing competition [EXTERNAL] 3.8317% 21% 25% 38%0%
Cyber crime / hacking / viruses / malicious codes [IT] 3.5013% 42% 29% 17%0%
Global economic challenges [EXTERNAL] 3.2917% 38% 46%0% 0%
Technology failure / systems failure [IT] 3.2125% 42% 21% 13%0%
EU Referendum [EXTERNAL] 3.2129% 33% 25% 13%0%
n Very low threat n low threat n Medium threat n High threat n Very high threat
Score
(out of 5)Figure 1: Top 15 individual risks
Executive Summary
• #1 risk is ‘damage to
reputation and brand’
• External factors
considered greatest
overall threat
• Competition and
economic changes
driving uncertainty
• Talent acquisition/
retention and cyber risk
among relatively few
‘tangible’ risk factors in
top 15
3. aon.co.uk/retail-wholesale
Inperspective | Retail | November 2016 FPNAT.238 3
While brand is increasingly seen as a measurable asset for modern companies,
for many it still comprises a number of highly intangible elements and is influenced
by external factors which can make it challenging to control or protect from harm.
This in many ways drives the overall findings of the report which shows a consistent
view that external threats outweigh more traditional elements on the retailer’s risk
register today.
The survey collected responses from retail risk managers on 65 specific risk factors
and placed them into seven broad groupings; Corporate, External, People,
Financial, IT, Operational, Crime & Security.
External risk factors were the dominant category with 52% of respondents saying
these presented either a ‘high’ or ‘very high’ threat to their organisations and six
out of the top 15 individual risks identified were external (see figure 1).
Also in the top ten individual risk factors were ‘failing to retain top talent/key
people’ (4th), ‘growing sales/staying competitive (5th) and Cybercrime (6th).
Perhaps the most tangible threat found within the top ten leading individual risk
factors was the introduction of new minimum wage laws, which was 10th on the
list and perceived as a ‘high’ or ‘very high’ threat by 42% of respondents.
1) The External/Intangible Threat
Having provided their answers in relation to the individual factors, respondents also
considered which of the seven broad risk categories concerned them most.
In many ways the results reflect the answers given on an individual risk basis. For
example, external factors are again the dominant category, with ‘IT’ and
‘operational’ risks making up the top three.
High level risks – Now, bearing in mind each of the seven categories which
you’ve already considered, what level of actual threat to your organisation
do you associate with each of these seven categories.
External factors 3.4317% 30% 43% 9%
IT 3.3517%4% 26% 43% 9%
People 2.919% 35% 22% 26% 9%
Operational 2.9622%4% 52% 17% 4%
Financial 2.874% 30% 43% 17% 4%
Corporate 2.744% 30% 57% 4% 4%
Crime & Security 2.749% 26% 52% 4% 4%
Score
(out of 5)
n Very low threat n low threat n Medium threat n High threat n Very high threat
Figure 2. Seven Risk Categories
4. aon.co.uk/retail-wholesale
Inperspective | Retail | November 2016 FPNAT.238 4
In addition to these quantitative responses, the survey group was also asked to
provide qualitative answers for each risk factor.
We asked them to describe for those risks which threaten the most, which are the
most difficult to manage?
With reference to ‘UK economic changes’ (2nd), one respondent cited ‘exchange
rate fluctuation’, while another said ‘consumer behaviour is becoming increasingly
difficult to predict’.
In relation to ‘increasing competition’ (3rd), respondents cited the ‘increasing
availability of low cost products online from European suppliers’.
Others backed this up by simply stating how ‘the cost of competing’ was the most
difficult risk to manage.
2) Cyber / IT Risk
The second highest risk category overall, IT risk includes risk factors representing a
range of potential scenarios such as cybercrime (viruses or malicious codes);
internal threats like data theft by employees, as well as the more straightforward
challenge of maintaining an up to date technology infrastructure.
IT Risks – What level of actual threat to your organisation do you associate
with each of these IT risks?
Score
(out of 5)
Cyber crime/ hacking /viruses / malicious codes 3.4313% 42% 29% 17%
Lack of technology/infrastructure to support business needs 3.3517%4% 46% 17% 17%
Technology failure/system failure 2.9625% 42% 17% 13%
Internal staff error eg data loss 2.8713% 21% 46% 17% 4%
Malicious staff activity/threats/data fraud 2.9113% 17% 42% 24% 4%
Ransomware 2.7413% 33% 33% 17% 4%
n Very low threat n low threat n Medium threat n High threat n Very high threat
Figure 4. IT Risks
Although the quantitative results indicate there is less concern about IT risk than
might be expected, our qualitative research was able to draw from respondents in
some detail, how threats to technology assets could have far reaching consequences.
For example, respondents cited brand damage as a consequence of all the IT risk
factors connected to data protection or malicious activity with ‘brand damage plus
financial penalties’ and ‘high reliance on technology’ appearing in respondents’
answers as the number one reason for their concern.
5. aon.co.uk/retail-wholesale
Inperspective | Retail | November 2016 FPNAT.238 5
“Intangible assets like customer data are considerably underinsured, when
compared against physical assets (12% v 51%), according to research by Aon and
the Ponemon Institute,” explains Richard Waterer, EMEA Managing Director at Aon
Global Risk Consulting (AGRC). “For the retail and wholesale industries, this
interconnectedness is acute, with customers; supply chain and infrastructure all
increasingly linked online. Risk managers, are in some cases yet to adequately assess
their value at risk in terms of intangible assets like customer data and I think this is
reflected in the concerns felt by our respondent group in this survey.”
3) Operational Risks
Industries like retail have become highly sophisticated at managing operational risks
and it is therefore unsurprising that there seems a slightly more confident feel in the
responses provided by respondents in this category. Only three factors elicited a
response that the risk in question would be a ‘very high’ threat, with business
interruption the most significant of these. Once again, the consequence of brand
damage caused by operational activities; in this case corporate social media activity,
was the highest scoring overall factor.
Operational Risks – What level of actual threat to your organisation do you
associate with each of these Operational risks?
Property damage remains a concern for the sector, however the fact that 50%
consider it to be a low threat suggests there is confidence in the risk transfer
solutions available. Property accounts for more than 15% of the sector’s overall
insurance premium spend1
and despite frequent reminders of risks such as storm
and flood, well managed risks are continuing to achieve discounts.
Property damage 50% 33% 17%
Product recall 17% 42% 4%38%
Fleet logistics 17% 33% 33% 17%
Outsourcing / Joint venture failure 42% 33% 13% 13%
Product traceability 13% 46% 29% 13%
Third party liability 8% 54% 29% 8%
Social media – negative brand impact 17%4% 46% 25% 8%
Supply chain or distribution failure 17%4% 46% 33%
Failure of disaster recovery plan / business continuity plan 4% 17% 25% 17% 8%
Figure 5: Top 15 individual risks
Business Interruption 21% 46% 17% 13%4%
n Very low threat n low threat n Medium threat n High threat n Very high threat
1
Source: UK Retail updated 2016 - Aon
6. aon.co.uk/retail-wholesale
Inperspective | Retail | November 2016 FPNAT.238 6
Nevertheless, Aon has previously warned a sector that is increasingly reliant on ‘big
shed’ warehousing to consider the threats of aggregated exposures, given that
stock, staff and distribution facilities are frequently under one roof. There has also
been concern about profits themselves increasingly aggregating towards single
sites as online distribution eats into traditional branch network sales. This has
particular relevance for underwriters who require gross profit contributions as a
means of calculating overall risk.
Very much connected to business interruption is the risk of supply chain disruption
and this is another operational risk factor about which the sector has mixed views.
Almost half (46%) consider it to be a ‘medium’ threat but a significant minority
(33%) believe it to be a ‘high’ threat. Domestically, the UK road and rail network is
certainly experiencing a capacity crunch, while memories of French truckers
blockading motorways on both sides of the English Channel indicate the potential
for distribution to come to a standstill is real. While it is unlikely businesses can
negate the entire impact of that type of event, arrangements on shipping,
contractual protections and flexible commercial relationships with hauliers can be
the difference between a bottleneck causing asphyxia or allowing your company to
breathe easy.
4) People Risks
As one of the UK’s largest employers2
, human resources is justifiably considered
within the top risk factors for retail. In 2016, the challenge faces both ends of the
recruitment scale with both a lack of suitable candidates perceived to be a major
problem at the top end and the introduction of higher minimum wage standards
influencing volume recruitment as well. Failing to attract and retain top people was
the fourth highest individual factor in this survey, cited as a ‘very high’ risk by 17%
of respondents and ‘high’ by a further 42%. The working minimum wage was tenth
on the overall list, with 13% saying this was ‘very high’ risk and 19% confirming it
was ‘high’ risk.
People Risks – What level of actual threat to your organisation do you
associate with each of these People risks?
Failing to retain top talent/key people 8% 21%4% 42%
Auto enrolment costs 21% 46% 33%
Skills shortage 17% 21% 33% 29%
Absenteeism 13% 46% 29% 13%
29%
Working / Minimum wage costs 4% 21% 33% 29% 13%
Workforce shortage 42%17% 29% 8% 4%
Aging workforce 21% 38% 25% 38% 4%
Injury to workers 25% 46% 25% 4%
Staff harassment/discrimination 21% 63% 13% 4%
Ethical labour 17% 54% 21% 4%4%
Figure 6: People risks
n Very low threat n low threat n Medium threat n High threat n Very high threat
Inadequate succession planning 17% 42% 38%4%
2
Source: https://www.theguardian.com/business/2016/feb/29/uk-retail-sector-predicted-to-cut-900000-jobs
7. aon.co.uk/retail-wholesale
Inperspective | Retail | November 2016 FPNAT.238 7
Of the other HR factors which were labelled ‘very high’ risk, ‘ethical labour’ points
to a new system of legislation which Grant Foster, Managing Director at Aon Global
Risk Consulting, says could become an important differentiator in retail over the
coming years:
“Human resources are a dynamic risk category and one we expect will move up the
agenda of many risk managers in the coming years,” he says.
“Issues like ethical labour will probably increase, particularly in light of the Modern
Slavery Act, which has introduced new rules for businesses over a certain size to
report in their annual accounts what steps they have taken to mitigate unethical
behaviours like using child labour, or unpaid workers in the supply chain.”
September 2016 deadline
A first wave of businesses falling within the scope of the act (those with annual
turnover exceeding £36m, whose most recent year of account ended on 31st
March 2016) had to publish a statement of their policies in relation to the Modern
Slavery Act by 30th September 2016.
The obligation to publish an anti-slavery statement is mandatory, however the
content of this statement is not, prompting some observers to label the Act
‘toothless’. “Although the rules are fairly non prescriptive, it doesn’t take a very big
leap to imagine that some retailers may see this as an opportunity to promote their
own ethical standards at the expense of others, shining an unwelcome spotlight on
those who fail to control this risk,” says Grant Foster.
“The government is asking for businesses to refocus their procurement efforts and
not accept any products or services which may have been ‘adulterated’ by the
influence of modern slavery or human trafficking anywhere along the supply chain.”
Grant admits this may be a challenge for some manufacturers, but says that supply
chain traceability audits are a sensible first step. “You need to look at where there is
money and opportunity. Traceability audits focus on ‘following the money’ and
identifying where the most money could be made by adulterating a product.
Businesses with supply chains that stretch across the globe could find themselves
exposed. According to the International Labour Organisation, countries in Asia/
Pacific, Africa and South America are the most frequently associated with corrupt
labour practices. This could mean anything from enforced servitude, to the use of
state run prisons for the production of goods.”
New penalties on horizon
Meanwhile, the lack of sanctions and penalties is likely to raise questions about the
efficacy of the legislation, continues Grant. “There is clearly a reputational risk
attached to not fulfilling a legal duty by publishing an anti-slavery statement. In
addition, there is a new private members bill currently passing through the House
of Lords, which proposes new sanctions such as prohibiting those found in breach
from joining any public procurement exercise. Frankly it is not inconceivable that
one day a criminal charge could be brought against a company and its directors for
‘knowingly associating with corrupt labour practices’.”
8. aon.co.uk/retail-wholesale
Inperspective | Retail | November 2016 FPNAT.238 8
5) Financial, Corporate, Crime and Security Risks
A single financial risk factor ‘Growing sales and staying competitive’ featured in the
top five overall, but the top 15 was otherwise devoid of this category. Nevertheless,
a number of live issues remain of concern, principally those relating to exchange
rate fluctuations; pension funding and cash flow/liquidity risk. Having carried out
the survey shortly before the UK’s vote to leave the European Union on 23 June, it is
conceivable that currency risk may have moved up the register, particularly given
the sharp falls experienced by the pound on global markets since Brexit was
announced.
Corporate Risks – What level of actual threat to your organisation do you
associate with each of these Corporate risks?
Directors and Officers personal liability 33%4% 42% 21%
Corporate social responsibility/sustainability 4% 33% 42% 13%
Damage to reputation/brand 21%8% 42% 29%
Failure to implement strategy internally or externally 4% 25% 13% 38% 21%
Growing burden and consequences of corporate governance/compliance 4% 38% 33% 29% 4%
Ethical sourcing 17% 38% 17% 25% 4%
Acquisitions / disposals 29% 17% 29% 25%
New product development failure 21% 29% 38% 8%4%
Figure 6: Corporate risks
n Very low threat n low threat n Medium threat n High threat n Very high threat
Changing consumer trends 21% 8% 38% 21%13%
Meanwhile, supplier credit risk was cited on numerous occasions in our
qualitative responses, with respondents indicating it was a reason for difficulties in
creditor management and cash flow/liquidity risk.
In the corporate risk category, there were numerous factors which concerned risk
managers greatly. In addition to ‘damage to reputation and brand’ (1st overall),
‘failure to implement strategy internally or externally’ (7th) and ‘changing
consumer trends’ (8th) made this category the second highest scoring of all.
Relatively few factors in this category were labelled as low threats.
Crime and security was the category risk managers in retail appear least
concerned about. Only a very small minority (4%) believed that factors such as
‘attacks on staff/outlets’ or ‘activist action’ were a ‘very high’ threat, while
terrorism registered as a medium to low threat in the majority of cases.
However although this indicates a relatively sanguine stance, Richard Waterer of
AGRC says the sector will have different perceptions of risk depending on which
assets are being protected. “While there may be a perception that ‘traditional’
criminal activity; theft, criminal damage etc, is on a downward trend, retailers
with an eye on their intellectual property, customer data or the problems of fraud
and counterfeiting may have a different opinion about the level of threat.”
For further information on how Aon could help your organisation identify,
manage and mitigate risk, contact Dan Fox at dan.fox@aon.co.uk.
9. aon.co.uk/retail-wholesale
Inperspective | Retail | November 2016 FPNAT.238 9
Meet the experts
Dan Fox
Aon Retail Practice Leader
Dan Fox has over 20 years’ experience working for leading national and global
brokers in client management roles. In this time, he has lead client service teams,
delivered strategy and developed international and captive programmes. Dan has
been a specialist in the retail sector for the majority of his career and has been
accountable for a number of flagship accounts at major national brands.
Grant Foster
Managing Director,
Aon Global Risk Consulting
Grant Foster is the Managing Director of Aon Global Risk Consulting, a team
of 80 risk practitioners based in the UK covering a range of risk management
disciplines including Actuarial, Engineering, Claims, Risk Financing and
Enterprise Risk Management.
Combining direct experience of Corporate Assurance Systems, Organisational
Change Management, Enterprise Risk Management and Project Risk Management
(including risk assessments, process development and due diligence work), Grant
is able to bring innovative approaches to the challenges of business management.
Grant is a chartered engineer, holds PhD in the field of distributed systems
modelling and a BSc (First Class) in Cybernetics and Mathematics from the
University of Reading.
Richard Waterer
EMEA Managing Director,
Aon Global Risk Consulting
Richard Waterer is the EMEA Managing Director of Risk Control and Engineering
at Aon. His team provides advice and solutions that help companies to meet their
objectives, by reducing risk and volatility in the performance of people, assets
and operations.
Richard began his career in the business continuity industry, where he worked with
clients on their disaster recovery strategies and helped to build contingency plans
for major events such as Y2K.
Richard has advised numerous clients in the retail sector, around issues such as
business resilience, enterprise risk, reducing the cost of claims and supply chain.
He is a regular writer and speaker at business and risk events, and has a degree in
Political Science from the University of Liverpool.