New Research: Retail Risk Models: Exploring Current Practices


Retail crime and risk is not evenly distributed across time or by location. As such, most retailers operate with some form of risk model to identify relative risk and vulnerability across their estate. Such risk models might seek to capture and analyse shrink, incidents of violence and aggression, criminal damage, as well as other factors that could signal vulnerability e.g. under staffing / vacancies. The level of sophistication of these models, how they are used, and who has responsibility for them is currently not known.

A well-designed risk model can bring multiple benefits, including:

·         informing investment decisions to allocate finite security resource and equipment (including NOT providing additional measures to stores that do not register as high risk)

·         informing operational decisions e.g., staffing, opening hours, lone worker shifts

·         prioritising stores for the installation of new security systems (and de-prioritising others)

·         as a litigation defence i.e., foreseeability

Despite the range of possible benefits, a well-designed - and used - risk model can bring to a business, there does not appear to be any standardised best practice or even established knowledge about how to construct, review and use a risk model in the retail sector.

There are multiple approaches that have been developed in the retail sector - from third-party designed and managed models to simple internal risk registers that are manually updated -but there is little awareness of how risk models are created and managed.

This new research offers multiple benefits to the industry by shining a light on how the retail sector is using data to inform decision-making and security strategies. The project will seek to understand how risk models are constructed (identifying areas of commonality and difference between businesses), how they are used and by whom, who has operational responsibility for managing the model, and how it is reviewed and validated. At a time that crime and in-store violence appear to be increasing across many countries, the project will provide a better understanding of how risk models can contribute to data-informed security strategies and solutions. 

Aims and Objectives

The research will be divided into two parts. Given the range of approaches taken and the lack of best practice awareness across the sector, Part A proposes to answer a wide range of questions categorised by who, why, when, what, and how? It is intended that this part of the project will commence first.

The aims and objectives of Part A ‘Scoping the Retail Model Landscape’ are threefold:

Objective 1: To understand how risk modelling is used across multiple industries.

The objective is to establish the current state of the art in terms of risk modelling. By looking to other sectors (e.g. insurance and banking) relevant principles for risk modelling and uses will be gathered. This will be used to inform the future development and direction that risk modelling in the retail sector can take.

Objective 2: To gain insight into how retailers construct and build risk models and who has responsibility for this activity.

There are different approaches being taken. The project will capture this difference and seek to understand the rationale for decisions about what data is included (or not), who has responsibility for constructing the model, and what the business case is for investing in the development and maintenance of a risk model and can this be objectively and tangibly demonstrated? It will also gain insight into the review process and how frequently this is undertaken (e.g., quarterly, annually, or more frequently / ad hoc)

Objective 3: to understand how risk models are being used, by which business functions and with what impact.

There are different approaches to using risk models. The project will collate information on the range of operational decisions that risk models are used to inform in the retail sector e.g., guarding allocation, opening hours, acquisitions and new sites, and staffing. We will also attempt to gain information on the impact of the model and the degree of confidence with which it is used. We will gather examples of any real life ‘tests’ of its robustness e.g., legal challenges.

Part B will seek to explore the risk model of up to three retailers to try to better understand which variables have the strongest explanatory and predictive power. Part B is entirely contingent on being able to access the data – and of it being of a useable quality to run the required analysis.


As is always the case with an exploratory project of this nature, multiple methods yield the best results. To generate as full a picture as possible in relation to the current landscape of risk modelling, the project has four main elements:

1.    Focus group with retailers

The project will start with an online ‘focus group’ discussion with invited retail representatives. This initial meeting scheduled for May 1st 2024 will be used to shape the project i.e. understanding levels of maturity in risk modelling, gaps in knowledge and understanding, and to provide input on key literature to explore. 

2.    Literature review of risk modelling in different sectors.

The project will be supported by a comprehensive search of relevant literature and publications from multiple sectors. This will provide background to how different industries approach risk analysis and identify any key learnings for the retail sector. The review will also inform the development of the survey tool.

3.    Industry Survey

A survey of retailers will be conducted to answer the who, why, what, when, and how questions (see Appendix A). The survey will be hosted online using Qualtrics software and distributed to ECR’s membership. Questions will explore which companies are using a risk model, whether it is internally built or third-party, the variables that it incorporates and to what degree it has been tested for accuracy and reliability (either validated in house or scrutinised through litigation proceedings). It will also explore whether multiple different models exist in the same business for different functions, the ways in which the model is used – and by whom – and with what authority to act on the data. We will seek to understand what the model looks like, its functionality, cost, and ease of use.

The survey will use branching and logic techniques to ensure an efficient pathway through the survey questions (i.e. only displaying relevant questions to participants). This will reduce the number of participants who do not finish completing the survey.  

The survey will provide an option for respondents to self-select to be interviewed to provide a fuller picture of the strengths and weaknesses of their modelling approach. 

4.    A) Interviews – Heads of Security / Loss Prevention

Interviews with approximately 15-20 Heads of Security / Loss Prevention will be conducted to provide a more contextual and qualitative understanding of the evolution of the business’ risk model, its use/s, strengths and weaknesses. Interviews will include representation from different verticals and across multiple countries. If possible, industry events e.g. RILA will be used to arrange some in-person interviews.

B) Interviews – non-retail sector representatives

Interviews will also be sought with representatives from other sectors that are potentially more advanced in the development and use of risk modelling. The initial focus group will request suggestions for relevant people / industries.

Interviews will be conducted using online meeting platforms (e.g. Zoom or MS Teams). Interviews will be recorded (with permission) and fully transcribed using the automated transcribing function (manually checked and cleaned). This will provide for full but anonymised verbatim quotes to be included in the report.  


The outputs will take the form of a report and a maturity benchmarking tool.

Report: The report will provide a detailed analysis of findings from the survey and interviews. While sophisticated in its analysis, it will be accessible in “plain English” and engaging to read with visual charts and tables for numerical data generated from the survey and insightful quotes from the interviews with LP/AP Leads.

Maturity benchmarking tool: Drawing upon the findings from the study, the tool will be developed to enable businesses to assess the level of maturity that their risk modelling has achieved. It will incorporate, as far as is possible from the findings, industry good practice and level of sophistication.  

The dissemination strategy will include an ECR meeting (invitees only) and webinar (open). Opportunities will also be taken to disseminate more broadly via trade publications (e.g. LPM and The Grocer), industry conferences and trade shows.


The research will take approximately 8 months to complete. Anticipating a early May start date, the project will be completed by the end of November 2024. 

Research Leader

The research will be undertaken by Emmeline Taylor, who is Professor in Criminology at City, University of London. She has more than 15 years of experience in research across the private, public and academic sectors. Professor Taylor has worked at world-leading institutions on three continents (in England, Singapore and Australia) and is now London based. She has retained strong global links and continues to work with international clients. She has worked with the police, probation, prisons, national government and private business to develop projects to address some of the most challenging societal issues including violent crime, antisocial behaviour, retail security, burglary, and the responsible use of surveillance technologies. 

Next Steps

The research will kick off on May 2nd, if you are interested in learning more and possibly participating, please register for the meeting. If you have other questions or want to discuss this research, please email Colin Peacock at

Join Us @ Research Kick Off Meeting

Please join us and learn how you can participate.


Feb 22, 2024