In the modern world of retail, an Enterprise Risk Management (ERM) program should be dynamic and keep up with internal and external changes in stakeholders’ concept of risk. While it is important to maintain the most significant elements of retail ERM, such as cybersecurity, technology, brand reputation, sales and competition, amongst others, it is also necessary to consider how an organization designs a proper ERM engagement and executes the necessary mitigation controls, taking into consideration an appropriate framework such as COSO, ISO or others.
In the current retail environment, public companies and their leaders are required to balance the evaluation of shareholder and customer risk against the consideration of risks affecting customers, employees, the environment, and the communities in which they operate. Consumers, company employees, boards and shareholders are requesting a higher level of ethics and participation in areas of ERM.
As such, it is important for a company to provide clarity in defining these new and evolving areas of risk, such as corporate social responsibility, cybersecurity, environmental and sustainability risk, since the absence of clear definition, measurement and tracking of such risks can result in significant impact to the company’s performance. It has become apparent over time that corporate responsibility and sustainability are about managing the long-term risks and overall health of the business. The improper administration of ERM can manifest as significant material losses, customer impact (reduction in sales, compromise of PII and others) and lack of appeal to modern institutional shareholders. There are multiple cases and examples of these types of losses, ranging from significant insurance claims to the negative impact on directors and board members caused by cyber incidents. If a company wants to exist decades into the future, it must plan, communicate and demonstrate its ERM strategy clearly and within the most appropriate framework for its business.
In the retail risk management field one must also have a clear understanding of the security risks impacting corporate social responsibility and cyber risk, since the potential for non-compliance is significant, along with the business continuity, fraud and financial risks that are intertwined with them. How a retailer evaluates, measures and reports on responsibility is an important risk mitigation element of a properly implemented ERM program.
If a company identifies the risk or opportunity in corporate social responsibility, cybersecurity or ERM overall, its leadership and the Board will need to be aware of the cost of implementing and maintaining programs that effectively deliver proper risk mitigation. Implementation of these risk controls is cumbersome and can be a financial burden to the company, but to the extent that modern retailers decide to make social, cybersecurity or business resiliency claims, they need to be prepared to support such representations. Failing to do so presents a higher risk of reputational damage and backlash from consumers.
In summary, there are many risks impacting the ERM profile of a modern retailer, amongst which some of the most relevant, due to their financial and reputational impact, are the risks associated with corporate responsibility and cybersecurity. These areas of risk need to be evaluated to build the necessary and sustainable programs, resources and risk mitigation controls to ensure that shareholders’, employees’ and consumers’ expectations are met and exposure to litigation due to non-compliance is avoided.