Aon Retail & Wholesale Inperspective Nov 2016

Retail Inperspective

In this issue

Aon Risk SolutionsNational | Retail Practice

Issue 6 November 2016

IntroductionA rapidly shifting social, business, political and economic environment is placing UK retailers on continuous watch as they adapt and react to new threats and challenges.

Historic risk management norms like crime and security are giving way to external threats in the registers of modern companies; but many of these are intangible such as protecting brand equity and are often considered very hard to measure or mitigate.

Meanwhile the increasing influence of technology affects almost every corner of the industry from distribution and the way shoppers interact with a brand; to the supply chain and its continuing search for peak efficiency.

As a result, technology, rather than store networks or stock, is becoming one of the single greatest assets and vulnerabilities identified by the industry’s risk management community.

Daniel FoxAon Retail Practice Leader

The UK Retail Risk Management Survey

p1 The UK Retail Risk Management Survey

p3 Analysis – The External/Intangible Threat

p4 Analysis – Cyber / IT Risk

p5 Analysis – Operational Risks

p6 Analysis – People / IT Risk

p8 Analysis – Financial, Corporate, Crime and Security Risk

p9 Meet the experts

Risk. Reinsurance. Human Resources.

aon.co.uk/retail-wholesale

Inperspective | Retail | November 2016 FPNAT.238 2

This survey, conducted during April and May 2016 with the co-operation of the British Retail Consortium, has researched in depth the opinions of risk managers about how they perceive risk in the UK retail sector today. It draws on the opinions of risk managers from UK retailers from every sub-sector including grocers, fashion, department stores, DIY, wholesale and electricals.

For this report, we have also included industry insights from our own risk and insurance experts at Aon UK and Aon Global Risk Consulting, alongside a number of high profile retail industry figures who provided opinions on these issues at the recent Aon sponsored British Retail Consortium Retail Symposium. While this data was drawn prior to the EU Referendum, we maintain that it is essential for retailers not to lose sight of the wide range of risks this survey uncovers. I hope you find this report useful and enlightening and we look forward to hearing any feedback you may have.

Key findingsThe findings of the UK Retail Risk Management Survey 2016 reveal that UK retailers’ number one concern is the risk of ‘damage to reputation and brand’, with almost three quarters of respondents confirming it is either a ‘High’ or ‘Very High’ threat to their business.

This result underlines previous data published in 2015’s Aon Global Risk Management Survey which placed damage to reputation as the second greatest risk amongst retailers worldwide.

Industry insight

Rob Feldmann – CEO, Brand Alley

“Damage to reputation isn’t a risk in and of itself, but a consequence of events. Good risk management decision making can certainly limit your losses.”

BRC Conference 2016

Failing to retain top talent / key people [PEOPLE] 3.548% 4% 29% 42% 17%

Growing sales / staying competitive [FINANCIAL] 3.504% 17% 25% 33% 21%

Failure to implement strategy internally or externally [CORPORATE] 3.464% 25% 13% 38% 21%

Working / Minimum wage costs [PEOPLE] 3.254% 21% 33% 29% 13%

UK Government regulations [EXTERNAL] 3.254% 17% 38% 33% 8%

Lack of technology infrastructure to support business needs [IT] 3.254% 17% 46% 17% 17%

Social media - negative brand impact [OPERATIONAL] 3.174% 17% 46% 25% 8%

Changing consumer trends [CORPORATE] 3.3313% 21% 8% 38% 21%

Changing consumer buying patterns [EXTERNAL] 3.3313% 21% 8% 38% 21%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Damage to reputation / brand [CORPORATE] 3.928% 21% 42% 29%0%

UK economic changes [EXTERNAL] 3.838% 21% 50% 21%0%

Increasing competition [EXTERNAL] 3.8317% 21% 25% 38%0%

Cyber crime / hacking / viruses / malicious codes [IT] 3.5013% 42% 29% 17%0%

Global economic challenges [EXTERNAL] 3.2917% 38% 46%0% 0%

Technology failure / systems failure [IT] 3.2125% 42% 21% 13%0%

EU Referendum [EXTERNAL] 3.2129% 33% 25% 13%0%

n Very low threat n low threat n Medium threat n High threat n Very high threat

Score(out of 5)Figure 1: Top 15 individual risks

Executive Summary• #1 risk is ‘damage to

reputation and brand’• External factors

considered greatest overall threat

• Competition and economic changes driving uncertainty

• Talent acquisition/retention and cyber risk among relatively few ‘tangible’ risk factors in top 15

http://www.aon.co.uk/retail-wholesale

http://www.aon.com/unitedkingdom/attachments/press-releases/rw-concerned-over-competition.pdf





While brand is increasingly seen as a measurable asset for modern companies, for many it still comprises a number of highly intangible elements and is influenced by external factors which can make it challenging to control or protect from harm. This in many ways drives the overall findings of the report which shows a consistent view that external threats outweigh more traditional elements on the retailer’s risk register today.

The survey collected responses from retail risk managers on 65 specific risk factors and placed them into seven broad groupings; Corporate, External, People, Financial, IT, Operational, Crime & Security.

External risk factors were the dominant category with 52% of respondents saying these presented either a ‘high’ or ‘very high’ threat to their organisations and six out of the top 15 individual risks identified were external (see figure 1).

Also in the top ten individual risk factors were ‘failing to retain top talent/key people’ (4th), ‘growing sales/staying competitive (5th) and Cybercrime (6th). Perhaps the most tangible threat found within the top ten leading individual risk factors was the introduction of new minimum wage laws, which was 10th on the list and perceived as a ‘high’ or ‘very high’ threat by 42% of respondents.

1) The External/Intangible ThreatHaving provided their answers in relation to the individual factors, respondents also considered which of the seven broad risk categories concerned them most.

In many ways the results reflect the answers given on an individual risk basis. For example, external factors are again the dominant category, with ‘IT’ and ‘operational’ risks making up the top three.

High level risks – Now, bearing in mind each of the seven categories which you’ve already considered, what level of actual threat to your organisation do you associate with each of these seven categories.

External factors 3.4317% 30% 43% 9%

IT 3.3517%4% 26% 43% 9%

People 2.919% 35% 22% 26% 9%

Operational 2.9622%4% 52% 17% 4%

Financial 2.874% 30% 43% 17% 4%

Corporate 2.744% 30% 57% 4% 4%

Crime & Security 2.749% 26% 52% 4% 4%

Score(out of 5)


Figure 2. Seven Risk Categories




In addition to these quantitative responses, the survey group was also asked to provide qualitative answers for each risk factor.

We asked them to describe for those risks which threaten the most, which are the most difficult to manage?

With reference to ‘UK economic changes’ (2nd), one respondent cited ‘exchange rate fluctuation’, while another said ‘consumer behaviour is becoming increasingly difficult to predict’.

In relation to ‘increasing competition’ (3rd), respondents cited the ‘increasing availability of low cost products online from European suppliers’.

Others backed this up by simply stating how ‘the cost of competing’ was the most difficult risk to manage.

2) Cyber / IT RiskThe second highest risk category overall, IT risk includes risk factors representing a range of potential scenarios such as cybercrime (viruses or malicious codes); internal threats like data theft by employees, as well as the more straightforward challenge of maintaining an up to date technology infrastructure.

IT Risks – What level of actual threat to your organisation do you associate with each of these IT risks?

Score(out of 5)

Cyber crime/ hacking /viruses / malicious codes 3.4313% 42% 29% 17%

Lack of technology/infrastructure to support business needs 3.3517%4% 46% 17% 17%

Technology failure/system failure 2.9625% 42% 17% 13%

Internal staff error eg data loss 2.8713% 21% 46% 17% 4%

Malicious staff activity/threats/data fraud 2.9113% 17% 42% 24% 4%

Ransomware 2.7413% 33% 33% 17% 4%


Figure 4. IT Risks

Although the quantitative results indicate there is less concern about IT risk than might be expected, our qualitative research was able to draw from respondents in some detail, how threats to technology assets could have far reaching consequences.

For example, respondents cited brand damage as a consequence of all the IT risk factors connected to data protection or malicious activity with ‘brand damage plus financial penalties’ and ‘high reliance on technology’ appearing in respondents’ answers as the number one reason for their concern.




“Intangible assets like customer data are considerably underinsured, when compared against physical assets (12% v 51%), according to research by Aon and the Ponemon Institute,” explains Richard Waterer, EMEA Managing Director at Aon Global Risk Consulting (AGRC). “For the retail and wholesale industries, this interconnectedness is acute, with customers; supply chain and infrastructure all increasingly linked online. Risk managers, are in some cases yet to adequately assess their value at risk in terms of intangible assets like customer data and I think this is reflected in the concerns felt by our respondent group in this survey.”

3) Operational RisksIndustries like retail have become highly sophisticated at managing operational risks and it is therefore unsurprising that there seems a slightly more confident feel in the responses provided by respondents in this category. Only three factors elicited a response that the risk in question would be a ‘very high’ threat, with business interruption the most significant of these. Once again, the consequence of brand damage caused by operational activities; in this case corporate social media activity, was the highest scoring overall factor.

Operational Risks – What level of actual threat to your organisation do you associate with each of these Operational risks?

Property damage remains a concern for the sector, however the fact that 50% consider it to be a low threat suggests there is confidence in the risk transfer solutions available. Property accounts for more than 15% of the sector’s overall insurance premium spend1 and despite frequent reminders of risks such as storm and flood, well managed risks are continuing to achieve discounts.

Property damage 50% 33% 17%

Product recall 17% 42% 4%38%

Fleet logistics 17% 33% 33% 17%

Outsourcing / Joint venture failure 42% 33% 13% 13%

Product traceability 13% 46% 29% 13%

Third party liability 8% 54% 29% 8%

Social media – negative brand impact 17%4% 46% 25% 8%

Supply chain or distribution failure 17%4% 46% 33%

Failure of disaster recovery plan / business continuity plan 4% 17% 25% 17% 8%

Figure 5: Top 15 individual risks

Business Interruption 21% 46% 17% 13%4%


1 Source: UK Retail updated 2016 - Aon


http://www.aon.com/unitedkingdom/products-and-services/industry-expertise/attachments/retail/retail-update-2016-uk.pdf



Nevertheless, Aon has previously warned a sector that is increasingly reliant on ‘big shed’ warehousing to consider the threats of aggregated exposures, given that stock, staff and distribution facilities are frequently under one roof. There has also been concern about profits themselves increasingly aggregating towards single sites as online distribution eats into traditional branch network sales. This has particular relevance for underwriters who require gross profit contributions as a means of calculating overall risk.

Very much connected to business interruption is the risk of supply chain disruption and this is another operational risk factor about which the sector has mixed views. Almost half (46%) consider it to be a ‘medium’ threat but a significant minority (33%) believe it to be a ‘high’ threat. Domestically, the UK road and rail network is certainly experiencing a capacity crunch, while memories of French truckers blockading motorways on both sides of the English Channel indicate the potential for distribution to come to a standstill is real. While it is unlikely businesses can negate the entire impact of that type of event, arrangements on shipping, contractual protections and flexible commercial relationships with hauliers can be the difference between a bottleneck causing asphyxia or allowing your company to breathe easy.

4) People RisksAs one of the UK’s largest employers2, human resources is justifiably considered within the top risk factors for retail. In 2016, the challenge faces both ends of the recruitment scale with both a lack of suitable candidates perceived to be a major problem at the top end and the introduction of higher minimum wage standards influencing volume recruitment as well. Failing to attract and retain top people was the fourth highest individual factor in this survey, cited as a ‘very high’ risk by 17% of respondents and ‘high’ by a further 42%. The working minimum wage was tenth on the overall list, with 13% saying this was ‘very high’ risk and 19% confirming it was ‘high’ risk.

People Risks – What level of actual threat to your organisation do you associate with each of these People risks?

Failing to retain top talent/key people 8% 21%4% 42%

Auto enrolment costs 21% 46% 33%

Skills shortage 17% 21% 33% 29%

Absenteeism 13% 46% 29% 13%

29%

Working / Minimum wage costs 4% 21% 33% 29% 13%

Workforce shortage 42%17% 29% 8% 4%

Aging workforce 21% 38% 25% 38% 4%

Injury to workers 25% 46% 25% 4%

Staff harassment/discrimination 21% 63% 13% 4%

Ethical labour 17% 54% 21% 4%4%

Figure 6: People risks


Inadequate succession planning 17% 42% 38%4%

2 Source: https://www.theguardian.com/business/2016/feb/29/uk-retail-sector-predicted-to-cut-900000-jobs


https://www.theguardian.com/business/2016/feb/29/uk-retail-sector-predicted-to-cut-900000-jobs



Of the other HR factors which were labelled ‘very high’ risk, ‘ethical labour’ points to a new system of legislation which Grant Foster, Managing Director at Aon Global Risk Consulting, says could become an important differentiator in retail over the coming years:

“Human resources are a dynamic risk category and one we expect will move up the agenda of many risk managers in the coming years,” he says.

“Issues like ethical labour will probably increase, particularly in light of the Modern Slavery Act, which has introduced new rules for businesses over a certain size to report in their annual accounts what steps they have taken to mitigate unethical behaviours like using child labour, or unpaid workers in the supply chain.”

September 2016 deadlineA first wave of businesses falling within the scope of the act (those with annual turnover exceeding £36m, whose most recent year of account ended on 31st March 2016) had to publish a statement of their policies in relation to the Modern Slavery Act by 30th September 2016.

The obligation to publish an anti-slavery statement is mandatory, however the content of this statement is not, prompting some observers to label the Act ‘toothless’. “Although the rules are fairly non prescriptive, it doesn’t take a very big leap to imagine that some retailers may see this as an opportunity to promote their own ethical standards at the expense of others, shining an unwelcome spotlight on those who fail to control this risk,” says Grant Foster.

“The government is asking for businesses to refocus their procurement efforts and not accept any products or services which may have been ‘adulterated’ by the influence of modern slavery or human trafficking anywhere along the supply chain.”

Grant admits this may be a challenge for some manufacturers, but says that supply chain traceability audits are a sensible first step. “You need to look at where there is money and opportunity. Traceability audits focus on ‘following the money’ and identifying where the most money could be made by adulterating a product. Businesses with supply chains that stretch across the globe could find themselves exposed. According to the International Labour Organisation, countries in Asia/Pacific, Africa and South America are the most frequently associated with corrupt labour practices. This could mean anything from enforced servitude, to the use of state run prisons for the production of goods.”

New penalties on horizonMeanwhile, the lack of sanctions and penalties is likely to raise questions about the efficacy of the legislation, continues Grant. “There is clearly a reputational risk attached to not fulfilling a legal duty by publishing an anti-slavery statement. In addition, there is a new private members bill currently passing through the House of Lords, which proposes new sanctions such as prohibiting those found in breach from joining any public procurement exercise. Frankly it is not inconceivable that one day a criminal charge could be brought against a company and its directors for ‘knowingly associating with corrupt labour practices’.”




5) Financial, Corporate, Crime and Security RisksA single financial risk factor ‘Growing sales and staying competitive’ featured in the top five overall, but the top 15 was otherwise devoid of this category. Nevertheless, a number of live issues remain of concern, principally those relating to exchange rate fluctuations; pension funding and cash flow/liquidity risk. Having carried out the survey shortly before the UK’s vote to leave the European Union on 23 June, it is conceivable that currency risk may have moved up the register, particularly given the sharp falls experienced by the pound on global markets since Brexit was announced.

Corporate Risks – What level of actual threat to your organisation do you associate with each of these Corporate risks?

Directors and Officers personal liability 33%4% 42% 21%

Corporate social responsibility/sustainability 4% 33% 42% 13%

Damage to reputation/brand 21%8% 42% 29%

Failure to implement strategy internally or externally 4% 25% 13% 38% 21%

Growing burden and consequences of corporate governance/compliance 4% 38% 33% 29% 4%

Ethical sourcing 17% 38% 17% 25% 4%

Acquisitions / disposals 29% 17% 29% 25%

New product development failure 21% 29% 38% 8%4%

Figure 6: Corporate risks


Changing consumer trends 21% 8% 38% 21%13%

Meanwhile, supplier credit risk was cited on numerous occasions in our qualitative responses, with respondents indicating it was a reason for difficulties in creditor management and cash flow/liquidity risk.

In the corporate risk category, there were numerous factors which concerned risk managers greatly. In addition to ‘damage to reputation and brand’ (1st overall), ‘failure to implement strategy internally or externally’ (7th) and ‘changing consumer trends’ (8th) made this category the second highest scoring of all. Relatively few factors in this category were labelled as low threats.

Crime and security was the category risk managers in retail appear least concerned about. Only a very small minority (4%) believed that factors such as ‘attacks on staff/outlets’ or ‘activist action’ were a ‘very high’ threat, while terrorism registered as a medium to low threat in the majority of cases.

However although this indicates a relatively sanguine stance, Richard Waterer of AGRC says the sector will have different perceptions of risk depending on which assets are being protected. “While there may be a perception that ‘traditional’ criminal activity; theft, criminal damage etc, is on a downward trend, retailers with an eye on their intellectual property, customer data or the problems of fraud and counterfeiting may have a different opinion about the level of threat.”

For further information on how Aon could help your organisation identify, manage and mitigate risk, contact Dan Fox at [email protected].




Meet the experts

Dan FoxAon Retail Practice Leader

Dan Fox has over 20 years’ experience working for leading national and global brokers in client management roles. In this time, he has lead client service teams, delivered strategy and developed international and captive programmes. Dan has been a specialist in the retail sector for the majority of his career and has been accountable for a number of flagship accounts at major national brands.

Grant FosterManaging Director, Aon Global Risk Consulting

Grant Foster is the Managing Director of Aon Global Risk Consulting, a team of 80 risk practitioners based in the UK covering a range of risk management disciplines including Actuarial, Engineering, Claims, Risk Financing and Enterprise Risk Management.

Combining direct experience of Corporate Assurance Systems, Organisational Change Management, Enterprise Risk Management and Project Risk Management (including risk assessments, process development and due diligence work), Grant is able to bring innovative approaches to the challenges of business management.

Grant is a chartered engineer, holds PhD in the field of distributed systems modelling and a BSc (First Class) in Cybernetics and Mathematics from the University of Reading.

Richard WatererEMEA Managing Director, Aon Global Risk Consulting

Richard Waterer is the EMEA Managing Director of Risk Control and Engineering at Aon. His team provides advice and solutions that help companies to meet their objectives, by reducing risk and volatility in the performance of people, assets and operations.

Richard began his career in the business continuity industry, where he worked with clients on their disaster recovery strategies and helped to build contingency plans for major events such as Y2K.

Richard has advised numerous clients in the retail sector, around issues such as business resilience, enterprise risk, reducing the cost of claims and supply chain. He is a regular writer and speaker at business and risk events, and has a degree in Political Science from the University of Liverpool.


Risk. Reinsurance. Human Resources.

About AonAon plc (NYSE:AON) is a leading global provider of risk management, insurance brokerage and reinsurance brokerage, and human resources solutions and outsourcing services. Through its more than 72,000 colleagues worldwide, Aon unites to empower results for clients in over 120 countries via innovative risk and people solutions. For further information on our capabilities and to learn how we empower results for clients, please visit: http://aon.mediaroom.com/

The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Aon UK Limited is authorised and regulated by the Financial Conduct Authority. Aon UK Limited Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London, EC3V 4AN. Registered No. 210725. VAT Registration No. 480 8401 48. Some links on this website may redirect you to third party sites. Aon is not responsible for this content. Telephone calls are recorded and may be monitored. © 2016 Aon UK Limited. FP number: FPNAT.238