Protecting Restaurants from the Unexpected
By: Clark Schweers and Matt Hanson
The restaurant and manufactured food industry is notoriously risky. Owners and executives must carefully consider all the risks associated with everything from their restaurant concepts to their social media campaigns. They must ask themselves: Do I have the right quality of food and ingredients? Have I hired the right personnel, and can I retain key employees? Are employees meeting customer service demands? Am I in compliance with all labor and wage laws? Do I have the right financing in place to manage cash flows? What happens if…?
The list goes on.
Here's another question to consider: How can risk management and insurance help protect me against the unexpected?
Natural disasters, accidents, lawsuits and even disgruntled workers can put a restaurant out of business. The proper management of risk can help you avoid, transfer or insure against the perils that threaten your restaurant. Here are some of the specific risks that food industry executives should manage:
- Property and Equipment. Your kitchen is critical. You’ve invested in specialized equipment, which you rely on for food preparation, refrigeration and sanitation. But without your kitchen and equipment, you’re out of order. That means lost income and, very often, extra expenses. Whether it is a kitchen fire, equipment malfunction or other covered peril, property insurance can minimize the impact to your operations.
- Product Recall and Contamination. Contamination and foodborne illness are the food industry worst nightmare. Foodborne illnesses can result in customer lawsuits and even death, not to mention lost business, spoilage and decontamination costs. According to the FDA, there were over 400 food product recalls last year. In addition, the FDA’s Coordinated Outbreak Response & Evaluation network has investigated nearly 500 foodborne illness incidents and identified 97 outbreaks over the last four years.
Liability, property and product recall/contamination insurance can protect against these events. Managers should also consider the contract terms of food and ingredient suppliers, as well as other vendors such as launderers and contract cleaning staff, that can bring a contaminant into restaurants. Vendor contracts should be reviewed by your attorney for proper indemnity clauses. Even with the proper contract in place, you should perform background checks to see if key suppliers have been involved in contaminations in the past.
- Cyber Security. Cyber-crime incidents and data breaches are growing. Make no mistake, the victims are not just large companies like Target and Sony. Even small businesses are affected, especially if the bad actors identify them as easy prey. Restaurants become targets due to the large volume of customer credit card transactions and personal identity information associated with customer reward programs. The retail industry’s October 2015 adoption of EMV credit card technology may reduce the impact of data breaches, but it won’t prevent them.
Restaurant owners should understand what customer information they own, how it's collected and where it's stored in order to understand their potential exposure to a data breach. This is especially true if you use a third party for credit card processing or data storage. It's important to remember that the party responsible for customer data is you, as the owner, and not your vendors. Owners should also understand why a data breach can be so costly. A company responding to a data breach can incur consultant fees to investigate the matter, legal fees to comply with varying state laws, customer notification costs as well as customer credit monitoring costs — and that’s not including the costs associated with potential fines or lawsuits.
You can manage these risks and mitigate potential costs in three simple steps:
- Consider your current inventory of customer data and how well-secured it is. An IT expert can help with this assessment and address vulnerabilities, such as others’ access to your data on a shared server or unnecessary entry points for vendors to access customer data. You can also minimize your risk exposure by developing a practice to routinely purge old or unnecessary records.
- Consider adding language to relevant vendor agreements that would either indemnify you if the breach originated from their systems, or reimburse you for data breach recovery costs that result from the vendor’s own actions or negligence.
- Consider whether cyber insurance is right for your business by speaking with your insurance agent. Cyber insurance won’t prevent a data breach, but it can help mitigate the costs associated with the investigation and remediation.
- Employee Crime/Theft. A disgruntled current or former employee has the potential to hit you where it hurts—your bottom line. A frequently cited statistic from a National Restaurant Association survey says that employee theft accounts for 4 percent of a restaurant’s revenue. Employee theft can take many forms, including inventory theft, unauthorized comps, fraudulently applied discounts and untracked cash sales.
Restaurant owners should develop internal controls to prevent and detect employee theft. Examples include implementing employee background and work history checks, installing security cameras, using handheld EMV pay terminals, tracking sales through a POS system and controlling access to cash and higher value inventory such as alcohol. Additionally, managers should monitor sales activity to detect unusual patterns, such as a significant number of voids by an employee that could indicate employee theft. Large-scale restaurant operators can also consider obtaining insurance coverage on a fidelity or employee crime policy, which could cover losses associated with employee thefts.
For more information about how your business can mitigate risk and recover from major setbacks, please contact Matt Hanson, Senior Manager in BDO Consulting's Forensic Insurance & Recovery (F&IR) practice, at email@example.com
, or Clark Schweers, Principal at BDO Consulting and head of the FI&R practice, at firstname.lastname@example.org.