How can retailers prepare for a riskier world?
Retail is anything but predictable. Today, grocers are impacted by a range of external factors, from an unstable economy and rising inflation to shifts in consumer demands and fluctuating spending habits. Add in unexpected events such as weather catastrophes, cyberattacks, geopolitical crises and public health scares, and – if you’re not ready – you have a recipe for disaster.
“The worst thing you can do is say ‘it’s not going to happen to me.’ If you take that attitude, chances are it’s going to be very painful,” says Roberto Zegarra, director of education and product development at Disaster Recovery Institute (DRI) International, a non-profit that helps organizations prepare for and recover from disasters.
The solution is one word: preparedness, adds Zegarra. “You must think of the things that can go wrong. This is happening. This is not a meteor that’s hitting Earth once every 10 million years … You have to plan for [the unexpected] and you must do due diligence and due care.”
READ: Global food prices in 2022 hit record high amid drought, war
Though risks and threats are nothing new, retailers are now thinking differently about them, says Marty Weintraub, partner, national retail leader at Deloitte Canada. That’s because recent crises retailers have just come through – the pandemic, war in Ukraine and extreme weather events – are still top of mind. However, Weintraub worries this may not last.
“In my experience … retailers, unfortunately, tend to have short-term memories and tend to focus on what they do best, which is retailing,” he says.
And retailers are often faced with more burning issues, Weintraub adds. If given a choice, rather than put resources towards scenario-planning, most retailers would “attack the opportunity immediately staring them down the barrel, which is sales, margin, inventory,” says Weintraub. “That’s the conundrum we live in on this topic.”
However, retailers must have a plan in place to remain resilient in the face of an emergency or disaster. “If you take the attitude of ‘there is a possibility of this happening and, when it does happen, this is how we’re going to attack that problem,’ you will mitigate a lot of the damages and impact to your organization,” notes Zegarra.
READ: Cheese council calls on Canadian government to act to prevent loss of access to British cheese
In addition, retailers doing due diligence are showing their customers, community and employees they are “a strong, resilient and responsible organization,” adds Zegarra. “This is key because [those groups] know they’ll be able to rely on these organizations when bad things happen… People will say, ‘It happened, but they were ready. They’re strong. We can trust them.’”
The changing nature of risks and risk preparedness
While the retail industry is no stranger to the unexpected, risk preparedness and risks themselves are evolving. For strategist David Ian Gray, it comes down to today’s more complex and interconnected world.
“In the past, emergency threats to Canadian retailers tended to be economic shocks or brand hits related to social injustice or eco-disasters elsewhere [in the world],” says Gray, founder of DIG360, a Vancouver-based retail consultancy. For example, Loblaw’s Joe Fresh clothing brand was connected to a garment factory in Bangladesh that experienced a deadly fire in 2013.
READ:
When it comes to risk assessments, they were traditionally “fairly rote and small scale, for example, a vendor going out of business,” says Gray. “Looking broadly at what was going on in [the retail] universe, there was no need for [emergency preparedness] for a long time.”
Fast-forward a few years to the COVID-19 pandemic and it was “sink or swim” for retailers across the board, says Gray. “It jarred many executive teams and a lot of them rose to the occasion,” he says. “They started to adopt new practices quickly in a short time frame … They did develop a nimbleness and a triage approach that they could draw on the next time something happens.”
One lesson learned from the pandemic is the importance of sharing information in times of disaster. Though competitors typically keep things close to the chest, Gray says there was “an unprecedented amount of co-operation – competitors sharing information and letting their guard down a bit to jointly solve some big issues. I’d never seen anything like that and hopefully some of that stays… Sharing is not going to harm their competitive abilities, but it’s going to make sure they can all do better together.”
READ: Ukraine, inflation, shortages and more food stories that made headlines in 2022
The pandemic also opened people’s eyes to how precarious our systems are, adds Gray. As retail became more global with interdependency across the supply chain, Gray says “we built complex systems that only seemed simple… The ‘normal’ now is that the world is quite complicated and hiccups across the system can cause unexpected ripple effects that can be big in magnitude.”
In response to the pandemic, many retailers – grocers included – diversified their supply chains and turned to new vendors amid ongoing disruptions. “What we now realize is there is a huge risk to being beholden to one source of supply,” says Gray.
The shift may have been kick-started by COVID, but it was heightened by the war in Ukraine affecting wheat and canola exports; rising oil prices; and shipping and port problems. “The ‘what if’ is what if one place has a problem?” says Gray. “Do we have other places that we’re drawing from?” That diversification, he adds, “could be from the source all the way through to how [retailers] set up distribution across the geography they operate in.”
Supply chain diversification is apt in a lot of emergency scenarios, including severe weather events. “In the last few years, we have seen more and more major weather events create havoc for communities and retailers,” says Gray. In 2021, for example, catastrophic flooding and mudslides in B.C.’s Fraser Valley closed major highways and rail lines and led to many empty shelves in grocery stores.
“When the floods occurred in the Fraser Valley and washed out roads, there was a shortage of supply for grocery,” says Gray. “A lot of crops were wiped out and food stock – [cows], chickens and other animals – perished. That was a supply hit, but also just delivering goods to stores was incredibly disrupted.”
Identifying emergency threats and their potential effects
Retailers must also brace for the possibility of an increased onslaught of emergency threats. “We’re seeing the impact of disruptive events that are becoming more frequent and are having higher magnitude,” for example, wildfire events and cyber disruptions, says Edward Matley, partner and national crises and resilience leader at PwC Canada. That means organizations may have to respond to more than one crisis at a time – and those crises can be different types, he adds.
According to PwC’s latest biannual Global Crisis and Resilience Survey, nine in 10 organizations report they’ve experienced multiple major disruptions. More than three-quarters (76%) said disruptions had a medium to high impact on operations, disrupting critical business processes and services and causing financial and reputational issues. The top five reported disruptions include the pandemic, employee retention and recruitment, supply chain, technology disruption or failure, and cyberattacks.
READ: Expert shares how grocers, CPG companies can prepare for a cyber attack
When it comes to more unexpected events, though, Matley sees cyberattacks as the No. 1 threat today. “Cyber is, not surprisingly, the big one,” he says. “Even though public health emergencies shot up materially in terms of where they’ve landed on the risk scales for a lot of organizations, cyber has quickly gone back to being No. 1.”
Research (not to mention near-daily headlines) bears out the scope of the problem. According to IBM Security’s annual X-Force Threat Intelligence Index, for example, retail is the third most-attacked industry in Canada (tied with the government), accounting for 10% of all the cyberattacks IBM X-Force cyber threat management responded to in 2022.
In the grocery sector, high-profile cases made clear how retailers and manufacturers are vulnerable. Last fall, Maple Leaf Foods was hit with a cybersecurity incident the company said would cost at least $23 million in direct and indirect economic impacts. Earlier this year, Empire Company was the victim of a cybersecurity breach at its grocery banner Sobeys, which cost the business around $32 million.
On an earnings call with analysts in March 2023, president and CEO Michael Medline spoke about how the company is shoring up its cybersecurity. “We did have a robust cybersecurity system in place that obviously was breached,” he said. “We have made significant changes to all elements of our cybersecurity… Over the next few years, we’ll spend a little bit more, which will really improve our cybersecurity in the short- and medium-term.”
A plan to weather the next disaster
As the threats keep coming and evolving, grocers must analyze their risks and develop or revisit their emergency preparedness plan. “If an organization [fared well during] the pandemic in 2020, that plan is three years old now and is most likely not going to work,” says DRI’s Zegarra.
On a practical level, Zegarra says companies need to run through various scenarios and ask questions about how they’ll respond, especially in three priority areas: cyber, supply chain and weather events.
READ: The St. Lawrence Seaway: An overlooked gem
“Whether it’s a cyberattack or a major flood, look at your operations and ask, ‘what are our top products and where are they coming from?’” he says. “If there is a distribution centre in a flood-prone area or in an area where, if we have a huge snowstorm, we won’t have access to it. How are we going to deal with that?” And in the event of a cyberattack, the question might be: “How will I be able to sell my products and keep track so that we can continue our business while IT and information security is getting rid of the problem?” says Zegarra. PwC’s Matley says risk management starts with being aware of the risks to your organization, and then making sure you apply the appropriate level of investment and focus to mitigate them, including putting preventative measures in place.
From there, build plans for what you’d do when something goes wrong. “Those plans shouldn’t be big red binders of information that we used to have, like business continuity,” says Matley. “[It’s about] having a pragmatic approach, a plan for what to do when those threats are realized because increasingly, they are being realized.”
The third step, in Matley’s view, is making sure the people who have responsibility for responding to disruptions have been through training and have exercised those plans in a realistic environment. “[This will] help build muscle memory so when they are involved in responding to a disruption, they feel they’re capable, they’ve done it before… so the response will be much more effective.”
This article first appeared in Canadian Grocer’s September/October 2023 issue.
