Westfield chief risk officer Eamonn Cunningham has witnessed great changes in the retail sector’s customer demand and risk environment. Here he talks about reputational damage, regulation, business continuity and his firm’s approach to risk management

If there’s one thing Eamonn Cunningham knows for sure, it’s that customers’ expectations of shopping centres have changed considerably in recent years. Westfield Group’s chief risk officer, Cunningham has been with the company since 1986 when, as he puts it, “you’d go to the supermarket to fill your trolley, you might have had a sandwich, pick up a few more purchases and then you went home”. These days it’s all about the ‘retail experience’.

“Shopping, if I can use that simple term, today is quite different from what it was a few years ago,” he says. “You have a greater variety of retail offerings, a wide variety of dining and other experiences, you have social outings such as [going to] cinemas, and you have child play areas. In some of our high-end malls, you even have valet parking and the ability to have your purchases delivered to your car.”

Cunningham says that the general ambience found in shopping centres is “way above what was expected by customers a few years ago. You can actually have a pleasant environment in which to have cup of coffee with your friends; it’s a meeting place as part of an overall shopping experience,” he says. It’s all about being innovative within the remit of your core business, Cunningham says. “We’ve only ever been in one product, which is the development, design, construction, property management, leasing and marketing of retail property,” he adds. “We’re faithful to our core product of retail, but then there’s demand for innovation; we know that’s what the customer wants and we give it to them.”

This need to innovate, to move with and even drive the times, is key to the success of an organisation such as Westfield. “We take our retail product and subject it to evolution, largely prompted by us, and that keeps us in a position where we bring new things to market,” Cunningham says. “A specific example of this is if you go back quite a few years and look at traditional food courts in shopping malls – beyond the sandwich and milkshake you might be hard pressed for variety. Today you will have a wide range of food offerings that will vary from fast food up to white tablecloth fine dining, all within the mall.”

Irish-born Cunningham has overall responsibility for the direction of the risk management practice within the Westfield Group’s operations in Australia, New Zealand, the UK and the US. He says that one thing is clear in all these markets: “The risk landscape is changing, and it’s changing at an increasing rate. One of the things that we focus on is what I call the concept of velocity of risk,” he says. “There are certain things that will be on a slow burn, and you can see them coming and can take appropriate action. Then there are some things that have the potential to pop into your lap without notice and you need to take that into account when you’re looking at your own individual risk landscape.”

Reputational risk immediately springs to mind here, and Cunningham is quite clear that this is a top priority. “We absolutely value our reputation, our brand,” he says. “We are zealous about its protection, and we have processes and procedures for us as a group globally or individually in country to respond to a reputation-aff ecting event. As you’d expect, we have crisis-management teams that exercise regularly, and we do have large-scale operational events that are not of themselves reputation aff ecting, but we see if there’s anything that we can pick up from those experiences that leaves us better prepared for the future.”

Cunningham, who is a past chairman of the Property Council of Australia’s riskmanagement committee, also believes that being prepared for natural catastrophes is essential; for Westfield’s portfolio of properties, that means planning for earthquakes. “We have shopping malls in California and other areas of the US where there is an element of potential seismic activity,” he says. “The same applies in New Zealand, and it’s fair to say even Australia is not seismically benign. We know that there is an earth-movement risk and generally what we do, particularly when that risk is acute, is use a Monte Carlo simulation to model consequence based on certain return periods.”

While predictive analytics are of assistance in this area Cunningham acknowledges, he is quick to point out that “the output is only as good as the input. Sometimes the underlying assumptions cannot be absolutely verified and therefore caution needs to be exercised when looking at modelled results,” he says. “We see such model results as just one data point, which, together with other data points, assists us in making the decisions we need to make.

This is where Cunningham sees the value of enterprise risk management, which he says is about “determining the likelihood and consequence of something which could potentially aff ect the achievement of our goals. It’s what we can do to influence the happening of an event and its severity,” as he puts it. Business continuity management (BCM) is a related concept, Cunningham concedes, but it’s also quite different. “You can take it as a given that the event has occurred and BCM is all about preparing yourself in advance to follow a plan through which you respond to the emergency,” he says. “You then do whatever you can to restore things to ‘business as usual’ as quickly as possible.”

Man-made risks can be more difficult to plan for; none more so than regulatory risk, which Cunningham says most large operations would list as one of their top challenges. “The big question in these times of increasing regulation is, is the compliance cost too costly?” he says. “It’s a matter of having appropriate regulation to get people to do the right thing with the best degree of safety and security, but not so much to over-regulate, which could actually become an impediment to business.”

Cunningham does have concerns about the demands that regulatory or other pressures can place on the risk-management function. “There are suggestions that large corporations need to publicly state what all of their key risks are and what they do about them, and our view is that what we do in the risk identification and management space is very clever,” he says. “There’s an element of commercial confidentiality and proprietary information here, and we question whether it’s in our commercial interest to publicise all of this to the world.”

Nevertheless, Cunningham is happy to summarise Westfi eld’s overall approach to the management of risk like so: “As with all things in risk management, we plan for the worst and then hopefully end up dealing with something that isn’t as extreme as that.