Minimum viable company – the new cyber paradigm for Consumer & Retail

For some time now, organizations have been aware that it is no longer a question of if, but when, they will face their next incident or data breach. For consumer & retail companies, this threat is even more persistent given their typically high profiles and brand recognition – which can enable sales but also make them a bigger target for disgruntled customers or activists.

The consumer & retail sector has seen a huge boom in e-commerce, accelerated during the pandemic, which, along with complex supply chains, multiple third-party relationships, large amounts of customer data, and a high-profile presence, has made organizations far more susceptible to attacks.

A cyberattack on a consumer & retail company does not just impact the organization and its revenue; it also threatens the data, identity, and potentially the health of thousands and possibly millions of customers – in a very visible manner. In the face of such adversity, how can you weather the storm, fulfill your commitments to stakeholders, and maintain your reputation?

Enter the 'minimum viable company' (MVC). It’s the smallest possible version of an organization that can still function and serve customers should an incident bring down part(s) of the operations and systems.  

An MVC comprises only the most essential components of a company that are critical to its survival and success, streamlined to create a leaner, more agile, and adaptable organization. For established, large organizations, an MVC could involve optimizing operations and supply chains, concentrating on the most profitable customer segments, and using technology to automate processes, improve efficiency, and reduce costs. This is especially relevant to large consumer & retail companies that have grown in complexity through mergers and acquisitions – and/or that have multiple consumer touchpoints to deliver a frictionless, omnichannel experience.

The MVC concept can also be a great model for a startup, introducing lean, efficient practices and operations from the beginning.

By focusing on the value proposition and revenue streams, an MVC can help improve resilience – not just to cyberattacks, but also to natural disasters, economic downturns or other unexpected events that have become more frequent over the last years and even in recent months.

According to the KPMG 2023 CEO Outlook,¹ less than half of corporate leaders believe their organizations are well-prepared to address cyberattacks. Cybercriminals are increasingly targeting consumer & retail organizations to steal confidential customer information or disrupt the business. Data breaches can compromise the personal financial details of millions of customers, damaging consumer trust.

In addition, natural catastrophes, geopolitical change, and pandemics like COVID-19 can expose consumer & retail supply chain vulnerabilities, making 'just-in-time' inventory practices look risky rather than efficient.

Against such threats, the MVC offers the potential to maintain business continuity and to help minimize business disruption. As a starter, companies should redefine organizational scope in terms of people, processes, technology, and assets (including key partners), gain board approval, and establish the right governance.

Creating a resilient consumer & retail MVC goes beyond cybersecurity and requires companies to reexamine their core operations and shed the excess. These eight steps can assist companies in building an MVC:

1. Assess core operations: Begin by scrutinizing your existing operations, identifying what truly matters and what can be streamlined or jettisoned. This may mean prioritizing products that customers rely on for health and other reasons, as well as protecting customer data.
   
   
2. Make your infrastructure leaner: Embrace agility and efficiency and consider remote and backup facilities – powered by the cloud – to maintain core operations in a crisis.
   
   
3. Partner for resilience: Collaborate closely with third parties in your supply chain to enhance their capabilities. Many consumer & retail companies rely on just-in-time delivery for ingredients and materials, so they may have to shift to an alternative model that includes nearshoring. Build disaster recovery provisions into contracts (something that’s relatively uncommon at present) and establish contingency plans for alternative suppliers during emergencies.
   
   
4. Perform advanced threat analysis: Major consumer & retail brands are well-known to millions and, consequently, are a target for attackers. By investing in advanced technologies like artificial intelligence (AI), robotics, and automation for swift threat analysis, you can gain real-time insights into emerging risks and incidents.
   
   
5. Embed data-driven decision-making: Enhance your data capabilities to support performance, build foundations for automation, and measure risk accurately. This is especially important in the sector due to the nascent stage of operational technology (OT)/IT convergence. Data-driven systems can help to reduce cyber fraud for retailers.
   
   
6. Establish key performance indicators (KPIs): Set and monitor clear KPIs tied to core business outcomes and make compensation and incentives contingent on meeting these metrics – to align with your resilience strategy.
   
   
7. Develop and retain talent: Fifty-nine percent of respondents to the 2023 KPMG CEO Outlook say a shortage of skilled personnel is a major factor in their lack of preparedness for a cyberattack.² The consumer & retail sector has traditionally relied on strong worker loyalty – although this has diminished somewhat in recent years – and companies should consequently invest in retaining, motivating, and developing key talent through financial and non-financial rewards.
    
8. Enhance merger and acquisition (M&A) strategy: In a sector where growth through acquisition is widespread, onboarding has become a challenge, especially when workers may come from different cultures and legal environments. Buying startups brings additional risks, as these may have limited cyber resilience. When acquiring new companies, it’s important to conduct rigorous cyber assessments and strengthen post-deal transition and integration planning.
   

In an unpredictable and volatile world, most consumer & retail companies are likely to face challenges. But by embracing an MVC mindset, they can infuse resilience and help increase their chances of maintaining operations and serving their customers, no matter what lies ahead.

• Essential personnel: Key individuals and teams to maintain the MVC.
  
• Critical infrastructure: Facilities, equipment and technology which support core processes and hold key data and information.
• Core processes: To help ensure delivery of essential services, prioritizing most important customer-facing activities and supporting internal operations.
• Key data and information: Data, information systems and backup procedures to support core operations and maintain data integrity.
• Key suppliers and partners: Third parties whose services and collaboration are central to continuity, including contingency plans for alternative suppliers to maintain supply chain resilience.

A detailed understanding of the scope of an MVC can enable more targeted investments to protect the entity and increase resilience and cyber posture to help reduce the impact – and, consequently, the cost – of cyberattacks. In this way, companies can measure the additional value delivered by the MVC.

To find out more about how KPMG professionals can help with building your MVC, get in touch.