Key takeaways
Retail leaders are focused on growth, margin, resilience, customer trust and operational performance. For GRC teams to add real value, they need to connect risk and controls to those outcomes, not manage them in isolation.
Recent retail examples show why this matters.
- In April 2025, Currys announced its largest ever annual investment in store safety after rising retail crime. Its response included colleague headsets, crime reporting software, intelligence sharing, guarding and surveillance.
Lindsay Haselhurst, Chief Operating Officer at Currys, said retail crime statistics “make for difficult reading”, but the bigger point is how Currys responded: by linking colleague safety, customer experience, store controls and incident intelligence as part of the same performance challenge.
- In May 2025, M&S showed how quickly supplier risk can become operational disruption. CEO Stuart Machin said attackers were “unable to get into our systems by breaking through our digital defenses” and instead found “another route” through a third party.
M&S responded by working with experts, partners and authorities, scanning around 600 systems, and restoring affected services gradually.
- AI is creating a similar challenge. In December 2025, Instacart ended AI-driven pricing tests after criticism that customers could see different grocery prices. The company said the tests had raised concerns and added, “That’s not okay.”
That is a useful warning for retail GRC leaders. AI risk is not only a technology issue. It can affect pricing, customer trust, fairness, brand reputation, evidence trails and decision-making accountability.
Together, these examples show the real issue: the most overlooked retail GRC risks are rarely isolated. They move across stores, suppliers, digital systems, customer journeys, product data and operational controls. The retailers that respond best are the ones that can quickly identify ownership, act on reliable evidence, communicate clearly and prove what changed.
This article looks at 5 overlooked retail GRC risks senior leaders should be watching, and what they reveal about control, accountability and evidence in modern retail.
Intro: Why are overlooked risks becoming harder to manage in retail GRC?
Retail GRC is becoming harder to manage because the risks facing retailers are no longer contained neatly within 1 team, channel or process. A supplier issue can quickly disrupt trading. A store incident can affect colleague safety, customer experience, insurance exposure and brand trust. A technology change can create new compliance, data and control questions before risk teams have had time to assess the impact.
That does not mean every risk is new. Many of the pressures facing retailers, from third-party oversight to fraud, colleague safety, product compliance and customer data, have existed for years. What has changed is how directly those risks now affect the objectives retail leaders care about: growth, margin, resilience, speed, customer loyalty and operational performance.
PwC’s Global Compliance Survey 2025 reinforces this shift. It found that 71% of organizations expect digital transformation initiatives over the next 3 years to require compliance support. It also found that 63% of respondents said the complexity and disaggregated nature of data across the organization made compliance more difficult. PwC also reported that compliance technology is already helping companies improve visibility of risks and risk management activities, identify and respond to issues faster, improve reporting, support faster decision-making and increase productivity, efficiencies and cost savings.
For retail GRC leaders, that is the opportunity. The goal is not to create more process for its own sake. It is to help the business understand what could stop it achieving its objectives, what controls are actually working, where action is needed and where better governance can help the business move quicker and with more confidence.
The overlooked risks in this article are not obscure. They are hiding in plain sight. The issue is whether retail GRC teams can connect risk to business objectives before the problem becomes a performance issue.
Risk 1: Third-party risk is being underestimated beyond tier 1 suppliers
Retailers depend on a wide network of third parties, from suppliers and manufacturers to logistics providers, payment partners, technology vendors, data platforms, agencies and outsourced service providers. That ecosystem supports growth, speed, and scale. It helps retailers move faster, reach customers across more channels, and operate more efficiently. But it also creates risk that can directly affect trading resilience, customer trust and operational performance.
The problem is that third-party risk management is often strongest at onboarding. Due diligence is fresh, contracts are being reviewed, and questionnaires are being completed. Once the relationship is live, visibility can fade, even though the risk continues to change. A supplier that looked low-risk at the start can become business-critical later if it gains access to customer data, payment systems, fulfillment processes, store operations or core technology.
That is a serious gap for retail GRC teams. The UK Government’s Cyber Security Breaches Survey 2025/2026 found that only 48% of large businesses had reviewed cyber risks from immediate suppliers, and only 24% had reviewed risks from the wider supply chain. Across businesses overall, the figures were just 15% and 6%.
M&S showed how quickly this can become a board-level retail issue.
In May 2025, Reuters reported that hackers had entered M&S systems by tricking employees at a third-party contractor.
CEO Stuart Machin said the attackers were “unable to get into our systems by breaking through our digital defenses” and instead used social engineering, “entering through a third party rather than a system weakness.”
For senior retail GRC leaders, the lesson is not simply “monitor suppliers better.” It is to understand which third parties are critical to the business objectives leadership is trying to achieve.
- Which suppliers could disrupt trading?
- Which partners touch customer data?
- Which outsourced providers could affect recovery time, service quality or brand trust?
- Which controls give leaders comfort that those risks are being managed?
Stronger third-party governance helps retailers protect resilience while still using suppliers and partners to move faster. It gives leaders a live view of which third parties matter most, what controls apply, who owns the relationship, when risk needs to be reassessed and what evidence proves the right checks happened.
Risk 2: Retail crime as a workforce, control and incident governance issue
Retail crime is usually discussed as a loss prevention problem. But for senior GRC leaders, it is also a workforce, control and performance issue. Theft affects margin, but the wider risk reaches further: colleague safety, store confidence, customer experience, insurance exposure, repeat-offender intelligence, reputational risk and whether store-level controls are actually working.
The scale of the issue is hard to ignore. The British Retail Consortium’s 2025 Retail Crime Survey found that violence and abuse rose by over 50% in the past year, reaching more than 2,000 incidents every day. It also reported over 20 million incidents of theft, equal to 55,000 incidents per day.
Currys is a useful example of how this risk is moving beyond traditional loss prevention. In April 2025, the retailer announced its largest ever annual investment in store safety and security, including colleague headsets, crime reporting software, intelligence sharing, guarding and surveillance. Lindsay Haselhurst, Chief Operating Officer at Currys, said retail crime statistics “make for difficult reading.”
The GRC lesson is that retail crime can affect the outcomes leadership cares about: safer stores, stronger colleague retention, better customer experience, lower leakage, more reliable reporting and greater resilience in high-risk locations. The question is not only whether security measures exist. It is whether leaders can see which stores are most exposed, where incidents are rising, whether controls are working and what action is being taken.
For senior retail GRC teams, this means treating retail crime as a connected governance issue. Incidents should not sit separately across store logs, security reports, HR records, insurance claims and spreadsheets. Leaders need consistent reporting, clear escalation, tracked actions and evidence that follow-up is happening.
Handled well, stronger governance does more than reduce risk. It helps protect store performance, supports colleagues, improves decision-making and gives leaders confidence that investment in safety and controls is targeted where it matters most.
Retail crime is not only a security issue. It is also a culture issue:
- whether colleagues feel safe reporting incidents,
- whether leaders trust the data, and
- whether follow-up actions are visible.
Risk 3: Product compliance evidence is becoming a live data problem
Product compliance can look like a technical or legal issue, but for retail leaders it links directly to growth, resilience and trust. If product evidence is incomplete, scattered or hard to verify, retailers can face delayed launches, slower recall response, regulatory exposure and reputational damage.
The challenge is that product information often sits across multiple teams. Product teams may hold specifications. Suppliers may hold origin, material or manufacturing data. Sustainability teams may hold recyclability or environmental information. Legal may track regulatory obligations. Customer teams may manage complaints, returns or recalls. If that data is not connected, leaders may struggle to get a clear answer when they need to act quickly.
This is becoming more important as product regulation becomes more data-heavy. For example, the EU’s Ecodesign for Sustainable Products Regulation entered into force on 18 July 2024 and extends eco-design requirements to almost all categories of physical goods placed on the EU market.
That creates a practical evidence challenge for retailers. When product, supplier, sustainability, legal and customer data sit in separate places, it becomes harder to prove compliance quickly when a regulator, auditor, customer or internal leader asks.
IKEA’s 2024 VARMFRONT power bank recall shows why this matters in practice. UK product safety authorities said the affected models did not meet the General Product Safety Regulations 2005 and advised owners to stop using the product immediately and contact IKEA for a replacement or full refund. IKEA also told customers to “immediately stop using it” and seek a replacement or refund, citing a fire safety risk linked to a manufacturing error.
The GRC lesson is not that product recalls happen. Retailers already know that. The real issue is whether the business can respond quickly and confidently when something changes. Can teams identify affected product lines, suppliers, batches, markets, customer communications, approvals and corrective actions? Can leaders see what was known, when it was known and what action was taken?
For senior retail GRC teams, stronger product compliance evidence helps protect customer safety, reduce response times, support regulatory confidence and protect brand trust. It also helps the business move faster by giving leaders confidence that product data, supplier evidence and approval trails are ready when needed.
Risk 4: AI-driven retail decisions are moving faster than governance models
Retailers are adopting AI across:
- personalization,
- product recommendations,
- demand forecasting,
- marketing,
- pricing,
- customer service and
- supply chain visibility.
In many cases, these tools are being introduced to improve speed, margin, customer experience and operational efficiency. But the overlooked risk is not AI use itself. It is AI use without clear governance around who owns the decision, what data is being used, how outputs are tested and whether the business can explain what happened if a customer, regulator or board member asks.
Deloitte’s 2026 Retail Industry Global Outlook shows how quickly this is moving. It found that nearly 68% of retail executives expect to deploy agentic AI for key operational and enterprise activities within 12 to 24 months. It also found that 81% believe generative AI will weaken brand loyalty by 2027, while 44% say legacy systems are slowing innovation.
Instacart shows why this matters in practice. In December 2025, Reuters reported that Instacart ended AI-driven price tests after criticism that different shoppers could be shown different prices for groceries. The company said the concerns raised were fair and added, “That’s not okay.”
For retail GRC leaders, the point is not that AI should be avoided. The issue is that AI can turn everyday commercial decisions into governance questions. If AI is influencing pricing, customer segmentation, product recommendations, fraud scoring, workforce planning or supplier forecasting, the business needs to know who approved the use case, what controls apply, how bias or unfair outcomes are tested, and what evidence exists to support the decision.
This is especially important in retail because AI decisions are often close to the customer. A weakly governed AI use case can quickly become a pricing fairness issue, a customer trust issue, a data protection issue or a reputational issue. Retailers need AI governance that is practical enough to keep pace with innovation, but strong enough to give leaders confidence that decisions are controlled, explainable and defensible.
Risk 5: Returns and refund abuse are becoming a control risk, not just an operational cost
Returns are often treated as a customer experience or logistics issue. But for GRC leaders, they are also a control risk. Every refund, exchange, store credit, exception or denied return depends on policy, evidence, approval and consistency.
The scale of the issue is significant. NRF and Happy Returns reported that 2024 retail returns were projected to total $890bn, while 93% of retailers said retail fraud and other exploitive behavior was a significant issue for their business.
Target shows how retailers are tightening governance around returns. In 2024, Target updated its online return policy to say it “reserves the right to deny returns, refunds and exchanges” where fraud, suspected fraud or abuse is identified.
The GRC lesson is not that retailers should simply make returns harder. The real issue is control consistency.
- Can store teams apply the policy in the same way?
- Can customer service teams explain decisions clearly?
- Can the business identify repeat abuse across channels?
- Can leaders see where exceptions are happening, who approved them and what evidence supported the decision?
For senior retail GRC teams, returns and refund abuse should be managed as part of the control environment, not just as a cost of doing business. Otherwise, retailers may see the financial loss but miss the control weakness behind it.
Conclusion: What should retail GRC leaders do next?
Retail GRC leaders do not need more disconnected reporting, longer spreadsheets or more noise. They need a clearer way to show how risk affects the objectives their leaders care about: growth, margin, resilience, customer trust and operational performance.
As Paul Cadwallader, GRC Strategy Director at CoreStream GRC, puts it:
“Retail GRC leaders create the most value when they connect risk and controls to the outcomes the business is trying to achieve. Growth, resilience, customer trust and operational performance all depend on understanding what could stop the business reaching its objectives, how those risks are being managed, and what evidence gives leaders confidence to act. Without that link to performance, risk and control activity can quickly become noise.”
That is the common thread across the 5 risks covered in this article. Third-party risk can disrupt trading and resilience. Retail crime can affect colleague safety, store performance and customer experience. Product compliance can slow response times and damage trust if evidence is not ready. AI decisions can create fairness, pricing and reputational issues if governance lags behind adoption. Returns and refund abuse can quietly weaken margin and expose inconsistent controls.
For senior retail GRC teams, the priority is not to create another layer of process. It is to help the business understand which risks could block performance, which controls are working, where action is needed and where better governance could help teams move faster with confidence.
CoreStream GRC helps retail teams move from fragmented tracking to connected governance, where risks, controls, actions, third parties and evidence are managed in 1 place and aligned to how the business actually works.
FAQ on retail GRC risk
Retail GRC is the way retailers manage governance, risk and compliance across their business. It connects risks, controls, policies, incidents, suppliers, evidence and reporting so leaders can understand what could affect performance, resilience, customer trust and compliance.
Retail GRC is becoming harder to manage because retail risks now cut across multiple teams, systems and channels. A supplier issue, store incident, product recall, AI decision or refund abuse problem can quickly affect trading, margin, customer trust, colleague safety and regulatory exposure.
Some of the most overlooked retail GRC risks include third-party risk beyond tier 1 suppliers, retail crime, product compliance evidence, AI-driven decision-making and returns or refund abuse. These risks are often visible, but not always connected to business objectives, controls and ownership.
Retailers should treat third-party risk as a live governance issue because supplier and partner risks change over time. A vendor that starts as low-risk may later become critical if it gains access to customer data, payment systems, fulfillment processes or core technology.
CoreStream GRC helps retail teams connect risks, controls, actions, third parties, incidents and evidence in 1 place. That gives leaders clearer visibility of what matters, who owns it, what action is happening and how risk management supports growth, resilience, trust and performance.