Date post: 09-Jul-2020
IT Risk Minimisation in Retail Research findings on IT risk minimisation and cloud computing in the retail industry Research commissioned by Insite and conducted by Martec International

IT Risk Minimisation in Retail

Research findings on IT risk minimisation and cloud computing in the retail industry

Research commissioned by Insite and conducted by Martec International


Contents

Research Highlights
Top Business Risks in the Event of Critical Application Failure
Outsourcing of Business-Critical Applications
Main Reasons for Using or Considering a Private Cloud Provider for Business-Critical Applications
Reasons for Not Considering Outsourcing the Hosting for Business-Critical Applications
Overriding Factor When Deciding Whether to Outsource Your Business-Critical Applications
Experience of Outsourcing
Important Factors When Selecting a Company to Host Business-Critical Applications and Manage and Store Data
Evaluating the Risk of Critical Application Failure
Confidence in the Current Performance, Availability and Stability of Business-Critical Applications
Satisfaction with Spend on Business-Critical Applications vs Service Levels
Benchmark for Retail IT Risk Minimisation
How to Use the Benchmark Grid
Benchmark Your Own Mid-Size Retail Business
Survey Methodology and Research Criteria
About Insite
About Martec International

Risk Minimisation for Mid-Sized Retailers

Welcome to this Risk Minimisation in Retail research report commissioned by Insite and conducted by Martec International.

The report focuses on the IT-related risks faced by mid-sized retailers operating in the UK, with specific reference to the emergence of, and attitudes towards, cloud computing.

Based on detailed interviews with tier two UK retailers it gives a unique insight into this crucial aspect of mid-market retailing today.

We would like to thank all those executives who participated in this research. We would also encourage mid-sized retailers to use the positioning models included at the end of this report to benchmark their own retailing operations and exposure to IT risk.

© Copyright 2016 by Martec International Ltd. All rights reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, nor translated into any human or computer language, in any form or by any means, electronic, mechanical, optical, chemical, manual or otherwise, without the prior written consent of Martec International Ltd, Martec House, 40 High Street, Taunton, Somerset, TA1 3PN, United Kingdom.


Research Highlights

Research focused on tier two (mid-sized) UK retailers

This research covers tier two UK retailers with sales in excess of £20 million per annum. We interviewed 30 retailers and have a high level of confidence that the findings are applicable to other tier two retailers.

Average retailer in this survey has ‘Some Exposure’ to IT risk

We have established a benchmark for retail IT risk minimisation. The average retailer is designated “2.0”, or “some exposure” to business risk. Retailers at this level still consider risk and security as an IT only issue; they may use the cloud for some non-core applications, have some nervousness around system stability and have done some ad hoc evaluation of risk reduction. We have benchmarked each retailer that has participated and highlighted strong and weak areas and a strategy for improvement.

87% happy to use the cloud

There is a significant interest in cloud computing in retail, and 87% of those interviewed were happy to use cloud-based systems.

Loss of sales is the biggest perceived risk

The top two business risks perceived by retailers in the event of critical application failure are loss of sales / inability to trade (97%), and loss of customers and impact on customer service (90%).

Outsourcing popular for ecommerce and expected to become more common for other applications

At least one critical business application is outsourced by 68% of the retailers interviewed. Outsourcing is more popular than managing internally for ecommerce solutions (55% use or plan to). We expect outsourcing to become more common versus management by internal teams for other applications. The top two reasons for using / considering the use of private cloud for business-critical applications are: to manage risk (34%) and to allow focus on core business activities (31%). Cost came third, but cited by only 13% of the retailers interviewed.

Benchmark scale (figure): 1.0 Exposed To Risk, 2.0 Some Exposure, 3.0 Advancing, 4.0 Risk Minimised


13% would not consider using a private cloud provider

Only 13% of those interviewed said that nothing would persuade them to use a private cloud provider. Their concern was the safeguarding of sensitive corporate data and the perception that keeping data on-premise leaves them less exposed to cyber-attacks or data breaches.

Risk outweighs Cost when deciding whether to outsource

When deciding whether to outsource business-critical applications, risk was stated as the over-riding factor (45%) with cost a close second (42%).

Experience of outsourcing is good, especially for business-critical applications

Retailers’ experience of outsourcing IT is fairly good - an average of 6.3 out of 10. Those that currently outsource at least one “business-critical application” score higher than those who do not (6.6 vs 5.8).

Retailers feel they have thoroughly evaluated risk

Retailers feel they have done a thorough job evaluating the risk of critical application failure (7.0 out of 10). The larger retailers with sales exceeding £100 million score slightly higher than smaller ones (7.1 vs 6.9).

Retailers confident in the stability of their business-critical applications, but some are maybe over-confident?

Retailers are very confident in the current performance, availability and stability of their business-critical applications (7.8 out of 10). Smaller retailers (with sales of less than £100 million) are much more confident than larger retailers (8.8 vs 7.0), which is surprising and may indicate some naivety.

Satisfaction that IT spend on running business-critical applications is delivering best possible service is high

Satisfaction that the current budget spend on initial IT infrastructure, plus expert IT support staff to run business-critical applications, is delivering the best possible service levels to their business is fairly high (6.4 out of 10). Again, smaller retailers have a higher level of satisfaction than larger retailers (7.1 vs 6.0).

Top Business Risks in the Event of Critical Application Failure

We asked retailers to highlight their top business risks in the event of critical application failure. Top of the list, and cited by 97% of the retailers surveyed, is the loss of sales and inability to trade - a retailer’s nightmare. The impact on customers and customer service is also a high business risk, mentioned by 90% of retailers. The impact on the business spending time firefighting rather than doing something productive comes third and is a concern to 70% of retailers.

In retail, customers always come first so it is not surprising to find that the damage to the internal IT department reputation and the negative impact on company morale, though important and mentioned by 57% of companies, is fourth on the list of concerns.

“We have our POS set up so we can keep our tills ringing come what may, though we don’t have generators in stores… we don’t want the sales staff taking the flak.”

Head of IT, Department Store Retailer

“We have a stand alone system (in-store) so we can always trade.”

IT Director, Small Format Speciality Retailer

“Cost doesn’t really come into it when you are in a DR situation.”

Head of IT, Small Format Speciality Retailer

“Without credibility you have a hard job.”

Head of IT, Small Format Speciality Retailer

“We are obliged contractually by the NHS to deliver a service.”

IT Manager, Pharmacy Retailer

“EFT issues are a particular concern here and this is an area we outsource.”

Head of Innovation and Change, Supermarket Retailer

“Day to day support takes a lot of time but we do try to be more strategic.”

Head of IT, Department Store Retailer

Outsourcing of Business-Critical Applications

We looked at six business-critical applications and how retailers manage them. In the case of ecommerce outsourcing is the most popular with 48% of retailers choosing this option, compared to 38% managing the applications internally.

However, for the other five applications internal management was the most popular. Some 92% of the companies we interviewed manage finance using their internal team, followed by merchandise management with 90%; in third place comes ERP system where 87% of companies manage the application internally; then comes HR and payroll with 78% and marketing and CRM with 58% managing it internally.

HR and payroll, marketing and CRM and website systems are the business-critical applications identified as the most likely for retailers to switch from managing internally to outsourcing (7% each). There are two main reasons for this; the proliferation of applications being offered on an outsourced basis (SaaS) and a greater tendency of these functions to outsource.

A number of the retailers surveyed mentioned that they selected a system based on the functionality first and then if it happened to be a cloud-based application they would accept this without having made a proactive decision to outsource.

We expect that outsourcing for business-critical applications will become more important as retailers replace systems and re-evaluate their strategy.

This chart shows the percentage of retailers that outsource or plan to outsource business-critical applications. In total 68% of the retailers we interviewed outsource at least one business-critical application. The most common is ecommerce with 55% of companies outsourcing or planning to; this is followed by marketing and CRM (25%), HR and payroll (22%) and finance (8%). Merchandise management and ERP applications are the least likely to be outsourced at 7% and 3% respectively.

Retailers often feel that their stock management processes are so vital to their business and customer service that they are reluctant to outsource the systems that support them, at least until they have seen this work with other applications. Also, merchandise management and ERP systems have a longer lifecycle when compared with marketing and ecommerce systems and many retailers are using systems that are several years old, and in many cases bespoke systems that have been developed in-house.

“It’s about where we would get an improved service vs what we do internally. We need to think about what we could do to streamline our operation and use our resources effectively.”

Head of IT, Small Format Speciality Retailer

“We are a fashion retailer not a software house and it’s all about sticking to our knitting and focusing on core activities.”

IT Director, Small Format Speciality Retailer

Main Reasons for Using or Considering a Private Cloud Provider for Business-Critical Applications

The majority of retailers (87%) were happy to use or consider using a private cloud provider for business-critical applications.

The key driver for private cloud adoption is the need to manage the risk of critical system failure and avoid the subsequent business impact, as cited by 34% of interviewees. Managing the risk and the attendant worries about application failure is the priority for a large number of IT directors. These executives feel able to sleep better at night knowing their private cloud provider is managing the risk for them.

The second most important reason for using a private cloud provider ties in with this, in that retailers are able to focus on core business activities whilst leveraging investment in IT. This is mentioned by 31% of companies. In effect the private cloud provider is offering expertise and services that the retailer either is not able to provide in-house, cannot afford to or does not want to because they have other business priorities.

Surprisingly for the retail market, these two reasons are much more important than the third reason, which is to reduce ongoing IT costs. This is mentioned by only 13% of companies. Normally retailers place a very high importance on reducing costs but, in the case of selecting private cloud providers, other factors are clearly more important. Certainly, the price will have a role to play in choosing a private cloud, but managing risk is the priority.

“The other things that are important (about the cloud) are that it is available 24/7, the resilience, the cost and the fact that we are less reliant on skilled expertise internally.”

IT Manager, Small Format Speciality Retailer

“Our use of the cloud is also determined by the applications. For example the loyalty solution we chose - they only had a cloud option. It does reduce the reliance on our internal team. Chip and PIN is outsourced, again not a conscious decision, it kind of happened organically.”

Head of IT, Department Store Retailer

“It’s the ease of use (of cloud) - we don’t have to worry about back ups and all that kind of thing. Also we have monthly costs rather than upfront costs which is better for the business.”

IT Director, Home Shopping Retailer

“We are considering the cloud for our new HR system as it means that our mobile workforce will be able to access it and we have side stepped the issue of security and getting out of our firewall. For certain applications like POS we would want to keep the knowledge in-house, but for HR, which is critical but doesn’t give us a competitive edge, then cloud is suitable.”

Head of Innovation and Change, Grocery Retailer

“Our location means it is difficult to recruit people with the right skills, so using a cloud provider makes sense.”

IT Manager, Mixed Goods Retailer

Reasons for Not Considering Outsourcing the Hosting for Business-Critical Applications

If we take a closer look at the motivation of the 13% of retailers that would not consider outsourcing their business-critical applications, the primary reason is that they believe their corporate data is too sensitive to trust to an external company.

This reason was mentioned by 50% of the companies. It contradicts the belief of the majority of retailers who said that outsourced companies do help to minimise risk and are better able to manage security.

Other concerns include issues about the business risk and being unwilling to trust anyone but themselves, and also unreliable communication links meaning that it is too risky to host off-site.

“I have a business background in global IT assurance and audit and my concerns about risk outweigh any cost benefits. I sit on a national security council and what I have seen there gives me grounds for concern. For example, credit card data can start in Germany and then gets moved to Lithuania or China to keep costs low and you have no control.”

IT and Operations Director, Wholesaler

Overriding Factor When Deciding Whether to Outsource Your Business-Critical Applications

We asked retailers which was most important to them when deciding whether to outsource business-critical applications - cost or risk?

Interestingly, risk reduction is the key driver, as highlighted by 45% of companies, compared to 42% preferring the cost advantages. Retailers are often very cost-driven, due to the low margins and intense pressures in the sector. However, this demonstrates that when running business-critical IT systems it is more important for them to work consistently in order to minimise operational risk.

Some other advantages of outsourcing were mentioned as well, including that the vendor can offer services not offered by the retailer (7%), the ability to focus on core business if using an outsourcing company (3%) and the provision of better service levels (3%).

“It all comes down to cost in the end for us.”

Head of Infrastructure and Security, Small Format Speciality Retailer

“If we were to do it for EPOS it would have to give really significant cost benefits. To us it would be more risky outsourcing than keeping it in-house.”

Technology Manager, Pharmacy Retailer

“Cost is the main reason to use cloud but I can’t imagine we ever would as our data is too sensitive to trust to someone external.”

Senior IT Manager, Mixed Goods Retailer

“I’d say it is more that a service provider can do something better than us, that would be the reason to use them.”

IT Manager, Pharmacy Retailer

“It’s about whether it is core or not, we wouldn’t want to lose the knowledge of how it works for core applications. It’s difficult when you are a medium sized enterprise as most cloud providers target bigger companies where they can offer most value.”

Head of Innovation and Change, Supermarket Retailer

“It’s more about future proofing the organisation for us. We will be moving from a very antiquated IT set up to the brave new world all in one go.”

Head of IT, Mixed Goods Retailer

Experience of Outsourcing

We asked retailers to score their experience of outsourcing out of 10, where one is poor and 10 is excellent. The average score of 6.3 out of 10 shows that most retailers have had a good experience to date. If we analyse this by experience of outsourcing, those retailers that are currently outsourcing at least one business-critical application have a slightly higher score (6.6), compared to those that do not outsource any business-critical applications at the moment (5.8 out of 10).

This indicates that the reality of outsourcing is actually better than the perception of it. A score of 6.6 out of 10 is actually quite high for the retail sector and does indicate that those retailers that use outsourcing for business-critical applications have a good experience and are getting the benefits of risk reduction that they are expecting.

“We do have a good experience of outsourcing and it allows staff to focus on their core business function. In-house solutions are usually more difficult to recruit for and support. Our IT team is small so it’s easier to manage third parties than be responsible for developing and maintaining the solution.”

Head of IT Projects, Small Format Speciality Retailer

“The trouble is we have too many suppliers (about 120) and we need to reduce the number by an order of magnitude. I have a background in outsourcing (I worked at CSC for 13 years) and so do know it can work well.”

Head of IT, Mixed Goods Retailer

“We have two suppliers we outsource to in the group and we have had a 15-year relationship with both of them, so it can work.”

IT and Operations Director, Wholesaler

Important Factors When Selecting a Company to Host Business-Critical Applications and Manage and Store Data

There are three factors that the vast majority of retailers (97% for each) look for when selecting a company to host business-critical applications and manage and store data. These are good customer references, a formal support arrangement with the third party software vendor and a robust service level agreement with financial penalties for down time. Rigorous change and incident management processes come a close fourth and are mentioned by 90% of retailers.

Personal service with immediate director level access is seen as important by the majority (77%) - the knowledge that you are important to the company and can get access to senior management easily if things go wrong or need discussing is key. Technical accreditations and ISO27001 or SOC-2 were raised by 70% and 63% of companies although many people felt that they were a prerequisite to delivering this kind of service, and therefore not a differentiator.

The ability to host data in the UK was least important, although was still highlighted by 57% of companies. As long as legislation about data is being adhered to (for example CRM data needs to stay in the EU) many companies did not mind where their data was being stored, and many assumed that storing it outside the UK would provide cost benefits to them.

Evaluating the Risk of Critical Application Failure

We wanted to establish how thoroughly retailers are evaluating the risk of application failure and how seriously they are taking the planning.

They were asked to mark the thoroughness of their evaluation on a scale of one to 10: where 0 is no evaluation at all; and 10 is very thorough. The average is 7.0 out of 10 and this indicates reasonable confidence in the evaluation process.

Many of those interviewed had an annual process of disaster recovery planning.

We investigated further the types of retailer who were most likely to have thorough evaluation processes and found a minor difference between larger and smaller retailers. Those with sales exceeding £100 million scored slightly higher for the thoroughness of their risk planning than smaller ones with sales below £100 million, but this was only 7.1 versus 6.9 out of 10. We believe this is because companies with bigger IT budgets and larger scale operations are able to make better risk plans.

“We have recently gone through a risk assessment for all our IT systems. As a retailer then not being able to trade would be our largest concern; however the systems we have in place either work standalone (shops) or are in a VM environment and easily cloned (web). We carry out a risk assessment annually and also when major system changes are planned as part of a new project.”

Head of IT Projects, Small Format Speciality Retailer

“We have done our own risk assessment and it is clearly documented. But we don’t have investment for a full disaster recovery solution, we’ve done the best within our means.”

Head of IT, Department Store Retailer

“We are actually looking at this now and we already have cloud-based disaster recovery.”

CIO, Small Format Speciality

“We’ve not got the money to do what we want to do, that’s the problem.”

Business Systems Development Manager, Department Store Retailer

“We do a DR plan regularly and the current plan we did a year ago. I think we do it well; it’s not just me involved it is users and the business.”

IT and Operations Director, Wholesaler

“It’s such a big and complex topic that I don’t know if we have done it justice.”

CIO, Small Format Speciality Retailer

“Technically it’s thorough, with our DR plan we will be restored within 4 hours and we test this annually.”

Head of Innovation and Change, Supermarket Retailer

Confidence in the Current Performance, Availability and Stability of Business-Critical Applications

The results reveal that retailers are very confident in the current performance, availability and stability of their business-critical applications. The average score out of 10 is 7.8, showing significant confidence across the retailers interviewed.

Smaller retailers (with sales of less than £100 million) have much more confidence than larger retailers, with a high score of 8.8 versus 7.0 out of 10 for the larger retailers.

This could suggest naivety on the part of the smaller retailers. It may be they are less likely to have experienced application failure because of the smaller scale of operations they run and so may have false levels of confidence in their current situation. It may also be that they feel they have done the best with resources they have and so can do no more.

Martec is quite surprised at the confidence levels of retailers of all sizes here, especially given the number of high profile application failures recently - for example, those associated with Black Friday in 2014.

“We are contractually bound to be, I have to sign a document every year that says we are totally confident.”

Technology Manager, Pharmacy Retailer

“We’ve still got some servers in the basement and we are on the flight path for Heathrow, so there are a few things to worry about there!”

Business Systems Development Manager, Department Store Retailer

“Do we have the best systems? Probably not. Do we have the best up time? Probably - we deliver to the end consumer and we need to fulfil orders within 24 hours.”

Head of IT, Small Format Speciality Retailer

Satisfaction with Spend on Business-Critical Applications vs Service Levels

Given the importance of value for money in the retail market it is useful to determine how satisfied retailers are that the budget currently spent on their internal IT infrastructure, plus expert IT support staff to run business-critical applications is delivering the best possible service levels to their business. In general retailers are fairly satisfied that their budget is delivering good value for money in this area. The average score is 6.4 out of 10.

The main difference is in the size of the retailer. Smaller companies, with sales below £100 million, have a significantly higher score than large ones, 7.1 versus 6.0 out of 10. Again this may be because smaller retailers are so restricted with their budget they are more likely to feel that they have done the best with the budget they have compared to larger companies. Retailers with sales over £100 million may be more aware of the extra things they could be doing to improve service levels and so have a lower score.

“It is about the changing demands from the business, influenced by changing customer and retail behaviour that is requiring a difference in approach from my internal team and our systems. It also relates to challenges in delivering business change. That itself is not solely the issue of my IT team, but relates to the overall organisation’s maturity in delivering change, through understanding their core business processes, and the implications of change through the adoption of new systems. Historically this has been seen to be IT that is responsible for delivering change, and our attempts to do so have been understandably challenging as this actually requires a much more joined-up approach to business-led, process-led change, enabled by IT.”

IT Director, Hospitality Retailer

“We’ve suffered years of neglect. We need catch-up investment. It’s like having a 10-year-old car, it costs more to put it right than a new one and we are paying a lot out at the moment. Now the new owners are asking why we have two of everything. It costs money to sort this out, we know that, we just haven’t got the money to do it.”

Business Systems Development Manager, Department Store Retailer

Benchmark for Retail IT Risk Minimisation

The research enabled us to put together a benchmark for retail IT risk minimisation. This benchmark is designed to be used by retailers as a guide to understanding how their business compares with other retailers. We have defined four levels.

Level 1.0: Exposed

Retailers at this entry stage occasionally have their trading interrupted due to headquarters or store issues. They do not have in-house or outsourced risk or security experts and spend a lot of time firefighting. They have a culture of in-house development and support with little use of the cloud or outsourcing. They do not have a formal disaster recovery (DR) plan and have a higher than average IT spend for their sector.

Level 2.0: Some Exposure

Retailers at this stage consider risk and security as an IT-only issue and do not use specialist vendors or resources. They rely on in-house developed and interfaced rather than integrated systems. They use the cloud for some non-core applications and outsource mainly on the basis of price. They have done some evaluation of key risk but are nervous around system stability.

Level 3.0: Advancing

Interruptions in stores are very infrequent at this stage and risk minimisation is starting to involve the rest of the business. They are starting to use the cloud for individual applications as well as outsourcing to support key applications. At this stage retailers will undertake an annual DR plan and have regular reviews and assessments. DR and risk management is a budgeted item.

Level 4.0: Risk Minimised

It is very rare for trading to be interrupted anywhere at this stage. The whole business is involved in risk management and there is a risk management culture throughout the company. Systems are truly integrated and easy to manage. DR planning is annual and the process is taken seriously and checked with occasional dry run DR tests. Companies in this stage regularly achieve their service level goals.

How to Use the Benchmark Grid

The darker blue boxes show the benchmark or average performance of the retailers that took part in this research. For the majority of processes the average performance is level 2.0 or ‘Some exposure’. It is only for outsourcing, disaster recovery and stability of business-critical applications that the average was higher at 3.0 or ‘Advancing’.

If you have participated in the research you will receive your personalised benchmark to show how you compare to the rest of the industry. This will show you where you perform better than the industry and some suggested areas to improve.

If you have not taken part in the research but would like to benchmark your business, you can use this as a framework for benchmarking.

Of course there will be some quite understandable differences in performance depending on the exact nature and culture of the business, trading formats, sales channels and so on. So this is intended more as a guide to show you where to focus effort and investment, rather than a hard and fast rule.

We suggest the following approach for improvement of your retail IT risk minimisation:

1. Take your personalised benchmark and identify the areas where your company performs below average. These are the areas to tackle first. By studying the next box along to the right you can see what a realistic goal for improvement is. In some cases you may be able to leapfrog a stage for significant performance advances.

2. Look at the areas where you are ahead of your competitors. Are you really making the most of this competitive advantage? It won’t last for long.

3. Where your performance is average, take a look at the next column along to the right and see which of these areas are ones where you feel you will get most benefit from improving. The market is moving on, so you must too!

Benchmark Your Own Mid-Size Retail Business

Shade the boxes that best describe your IT risk minimisation situation

Benchmark out of 4.0

• Trading
• Risk Level
• Technology
• Use of Cloud
• Use of Outsourcing
• Disaster Recovery
• Stability of Business-Critical Applications
• Effective Use of Budget

Risk Minimised (4.0)

• Can’t remember the last time trading was interrupted anywhere
• Whole business involved in risk management
• Sensible balance of in-house and outsourced resources
• Culture of risk management in the whole business
• Truly integrated modern systems to streamline core processes
• Common, easier to maintain technical architecture
• High service levels
• Easy to manage
• Always evaluated as an option as part of the IT strategy
• Always evaluate outsourcing as an option and adopt it where it will add value
• Detailed annual plan and assessment undertaken
• Process is taken very seriously and is checked and reviewed
• Occasional dry run
• Back up plans, specialist resources and technical architecture used to create most stable environment possible
• Routinely achieve service level goals
• Lower than average IT spend for sector
• Regular evaluation of risks and use of specialist reviews

Advancing (3.0)

• Very, very infrequent interruptions in stores
• Starting to involve the rest of the business outside IT in risk management
• Higher proportion of strategic projects
• Mix of packages and custom developed applications
• Properly documented
• Migrating to common platforms
• On-site knowledge
• Starting to use for individual applications
• Some use of outsourcing to support key applications, where suppliers have specialist expertise
• Annual plan and review undertaken, but does get put on hold when other priorities come up
• Regular reviews and assessments
• Regularly achieve service level goals with occasional failures
• Average to lower IT spend for sector
• DR and risk management is a budgeted item

Some Exposure (2.0)

• Only ever interrupted in a few stores
• Risk and security considered an IT-only issue
• Little use of specialist vendors or resources
• Moderate concerns
• Reliance on in-house developed and interfaced rather than integrated systems
• Some documentation
• Some people with knowledge on site
• Some use of cloud for non-core applications, ecommerce and marketing
• Outsourcing mainly selected on basis of price
• No single strategic supplier
• Have done some evaluation of key risks
• Nervousness around stability
• Service level achievement below targets
• Average IT spend for sector

Exposed (1.0)

• Occasionally interrupted due to HQ or store issues
• No in-house or outsourced risk or security specialists used
• Lot of time spent firefighting
• Worries about our risk level
• Legacy systems
• Poorly documented
• Fragile operating processes
• Limited or no people with knowledge on site
• Don’t use cloud, except perhaps for payroll
• Only for non-critical applications
• Culture of in-house development and support
• No formal DR plan
• Fragile
• Users remember failures
• IT spend higher than average for sector
• No allocation for DR or risk management

Survey Methodology and Research Criteria

The results of this retail IT risk minimisation research are based on 30 UK and Irish respondents. All the respondents were at the director, controller or managerial level. The interviews were conducted from May to August 2015 among tier two retailers with sales exceeding £20 million excluding the top 25 retailers. The companies we interviewed had an average of £156 million in sales with 86 shops.

Companies Interviewed by Size of Company

• 27% have sales of less than £50 million

• 23% have sales of £51 to 100 million

• 27% have sales of £101 to 250 million

• 23% of the companies interviewed have sales exceeding £250 million.

Responsibility of People Interviewed

The respondents are senior executives responsible for IT risk minimisation across the business. 57% are directors, department heads or controller level executives. The rest are senior managers.

• The vast majority, 90%, are IT executives

• 7% are operations executives

• 3% are in charge of innovation and change.

Companies Interviewed by Sector

This survey covers all retail sectors. They comprise:

• 40% small format speciality retailers including clothing, shoes, accessories, books and toy retailers

• 20% mixed goods retailers who sell a wide range of different products including discounters

• 10% department store retailers

• 7% large format speciality retailers including DIY, motoring, garden centres and electrical retailers

• 7% pharmacy retailers

• 7% wholesalers

• 10% other companies.


Insite Ltd.

Insite Data Centre,

Unit 21, Chapman Way,

Tunbridge Wells,

Kent TN2 3EF

www.insite-europe.co.uk

Telephone +44 (0)1892 686 000

[email protected]

© Copyright 2016 by Martec International Ltd. All rights reserved

8327

ISO27001:2013

Member of SN Registrars (Holdings) Ltd

About Insite

Insite is a leading provider of Private Cloud solutions for business-critical applications. The company’s clients in the retail sector include Crew Clothing, Joules, Countrywide and BrightHouse.

Insite mitigates its clients’ operational risk by taking full responsibility for the availability and performance of their business-critical applications, thereby allowing each client to focus on developing competitive advantage and business growth.

As an ISO 27001 and IL3 accredited company, and as a G-Cloud 6 accredited supplier, we ensure that our clients’ business applications meet compliance regulations and work on time, all the time. Additionally, Insite is a Microsoft Certified Gold Partner in three competencies: Server Platform, Data Platform and Hosting.

We are one of the UK’s foremost providers of managed hosting and support services for enterprise resource planning (ERP) applications. We work on-premise or off-premise, with a client’s IT team or independently.

Established in 1994, Insite owns and operates from a purpose-built, state-of-the-art Tier 3 datacentre, where a team of highly qualified in-house engineers ensure our clients’ data is kept supremely safe and secure 24x7x365.

To find out more about Insite’s services please call 01892 686000 or visit www.insite-europe.co.uk

About Martec International

Martec International is a specialist retail consulting and training company and the market leader in this type of research. We assist retailers to improve their business performance and help suppliers to retail to execute their go to market strategies more successfully.

Our clients include retailers, technology and merchandise vendors, ingredient manufacturers, CPG and FMCG companies, banks, telecommunications companies and venture capitalists.

If you would like to discuss further details of this report or any of Martec’s services please visit www.martec-international.com
