The compliance world constantly talks about the “highly regulated industries” such as healthcare or financial services. Today, let’s talk about compliance issues in one of the less regulated industries: retail. Although, for the record, I’ve never met a compliance officer in retail who feels any less regulated.
Let's review some of the unique compliance challenges that present opportunities for compliance officers in the industry.
Complex Training Needs
First, training needs are far more complex, because retail has such high employee turnover and works in so many jurisdictions. So not only do compliance training procedures need to be simple and effective, because so many new employees will be taking the training for the first time; the content itself needs to be versatile, because the law applicable to employees in one state or country might be quite different from the law in another.
Korn Ferry published a report last fall that pegged annual employee turnover among part-time hourly employees at 81 percent, and even among corporate employees at 15.6 percent. Those are sky-high numbers compared to other industries. Then consider all the local employment issues a retailer might face: wage-and-hour law; paid leave law; internal investigation protocols; work schedules (my favorite: in Germany, managers cannot call or email employees off hours except for emergencies), and much more.
That all adds up to a difficult environment for training and policy management. Corporate policies need to comply with those myriad local rules while hewing as much as possible to broader corporate compliance objectives and corporate values.
Training also needs to focus on local managers so they don’t create their own local policy unilaterally, which might contradict corporate policies or expose the company to liability for some employment issue. For retailers, middle management is where ethical corporate conduct lives or dies.
Consumer Reputational Risk
Second, the retail sector has heightened reputation risk because it deals with consumers so much more. That heightened reputation risk manifests in two ways.
Start with questions around ethical sourcing in the supply chain: slave labor or unfair labor practices. Those are dangerous threats to a hard-won reputation. So compliance officers need strong procedures to peer further down into the supply chain, and to investigate issues once they do emerge.
The true challenge, however, won’t be to stamp out supply chain misconduct. Retailers should accept that somebody, somewhere, will inevitably raise an allegation on social media that strikes at your brand reputation. So the compliance program will need some way to connect that allegation back to the company’s documentation of supplier due diligence.
That is, when an allegation arises, the company will need to respond — swiftly — with documentation that conveys the message: “Here are our standards for supplier conduct; here’s the due diligence we performed; here’s the certification that supplier gave us; here is the monitoring we do.” That may not prevent a social media storm, but it will help the company weather that storm more effectively.
Cybersecurity Challenges
Along similar lines, retailers also face heightened risks for cybersecurity and consumer privacy.
Part of this challenge is to know who your customers are, and what rights they can exert over their personally identifiable information (PII). The EU General Data Protection Regulation, for example, grants consumers the right to have their data erased — but retailers can’t grant such requests when that data is part of a law enforcement investigation.
So the company’s employees, systems, and procedures will need to know when such requests can’t be fulfilled. Ok, but consumers want things done in real time. If the retailer is using technology to automate those requests, compliance concerns need to be embedded into that automation.
And as all businesses continue to use more technology service providers for data processing, that means more third parties handling your customers’ PII — so the urgency of due diligence here is to evaluate a third party’s data security protocols.
Again, it won’t hurt to assume that a cyber breach will strike your company eventually, with the usual consumer outrage on social media. Just like the ethical sourcing issues above, a crucial tool will be the ability to show how you evaluated the security of your tech service providers.
That’s a lot for compliance officers in retail to consider right there, and we’ve barely scratched the surface of everything retailers need to anticipate for effective ethics and compliance.
So sure, finance and healthcare may face more regulation, but retail, along with many other sectors, still has just as much work to do.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.