In our previous articles, Paul Lloyd-Smith of SAP and I highlighted that whilst the point of sale (PoS) has traditionally been the focus of retail organisations, it is the back office where control failures can have a much greater impact on the bottom line.
The good news is that there are a number of solutions out there to counter these threats, whether they come from internal sources (i.e. employees working around internal controls to manipulate the order-to-cash process) or from external sources enabling third parties to gain access to vital systems.
One look at the scale of the SAP product portfolio, for example, highlights the investment in solutions to combat these threats. SAP GRC used to effectively mean access management, but now there are over 20 discrete products. Many of these solutions can be integrated together and can effectively provide a comprehensive risk management platform. The focus of these solutions is broad, whether the risk be cyber threat, insider corruption or simply the risk of human error.
Early implementation, even if it is not a full end-to-end implementation, gives organisations a quick start and an accelerator for improvement. Even if this initially only highlights weaknesses in their estate, it moves an organisation from denial of the risks into recognition of them. Having a start also significantly reduces the effort involved in making further improvements, as it feels like a continuation of a process rather than a blank sheet of paper.
So having looked at the current threats to retail, what is around the corner that retailers should be thinking about?
"Paul Lloyd-Smith believes that, moving forward, disruption to business as usual could well be one of the biggest risks."
As retailers are trying to protect their margins by reducing overheads and improving efficiency throughout their business model, the systems involved will become even more critical to their operations. It will not be possible to run “offline” or revert to manual processes, even for a short time and therefore resilience of those systems will be key. Any potential disruption to the operation of those systems will require proactive management as the impact will be too great to wait until an incident occurs. An example of this is outlined below.
"Point of sale systems will automatically order stock, based upon knowledge of current stock and sales information. With integrated supply chain focusing on “Just in time” mechanisms, retailers will not need large warehouses and distribution centres as the supply chain can ship straight to stores based upon demand."
Systems are also integrated across traditional corporate boundaries. Supplier networks like SAP Ariba allow suppliers far greater access to their customers' information, with more opportunities for auto-invoicing and self-billing. Greater trust is placed upon the connecting systems and upon the supplier to follow the rules. Going back to the PoS scenario above, it may be possible for the systems themselves to order directly from vendors that can also auto-invoice, rapidly increasing the level of spend. Any disruption in the underlying systems could significantly impact either the retailer or their supplier, causing material damage to their operations and profitability.
Trust is key here. How can you be sure your suppliers are still playing by your rules? This is likely to be an increasing threat, especially for retail, where the supply chain is often more complex and a huge source of reputational damage. Therefore, screening needs to be performed not only during onboarding but continuously, in order to take account of recent changes. It is not just suppliers either: employees, and maybe even customers, will potentially be subject to screening to ensure that you know who you are dealing with.
This links into a further threat in the form of data privacy. The new General Data Protection Regulation (GDPR) comes into effect in May 2018, with a hefty fine of 4% of annual revenue per incident as its teeth! This new regulation has been called the next PPI in terms of the number of claims that could potentially be made, especially against public-facing organisations. The retail sector, which holds numerous sources of customer and personally identifiable information (PII), must be putting controls in place now, to work towards compliance with the 99 articles which make up this regulation.
Paul Lloyd-Smith has been talking to many of the UK's leading retailers and is reassured by the efforts being made by these organisations: identifying where their PII data resides and working towards tightening controls around access to that data. Many are using tools like SAP Access Control and SAP Process Control to support these efforts. However, all of those spoken to recognise that there is still work to be done to get their houses in order, and an ongoing requirement to keep them that way.
Throughout this whole data lifecycle SAP has solutions which can simplify manual efforts and bring into a GDPR Cockpit many of the metrics required to keep on top of progress, whilst also monitoring for any potential breach.
We have identified several future concerns which the UK retail sector should be looking to mitigate. Disruption to business as usual, whether from fraud, cyber attack or regulatory pressure, is just one of these areas. The threats are there; however, the solutions are there too.