The Dollarama Case Study

Victor De Luca
Aug 28, 2023

I was recently going through the FY23 Q4 Management’s Discussion and Analysis of Dollarama (TSE: DOL). Sales were up 20% YOY, new stores were being opened and gross margin was healthy. Overall, business was good. However, as any good risk nerd like me would do, I jumped to the “Risks Related to Business Operations” section, more precisely, to the “Technology Risks” section. I was eager to find out what Dollarama thought their tech risks were. Today, I’ll briefly summarize my findings, contextualize them and provide my opinion at the very end.

No technology, no Dollarama

From an IT standpoint, three major points deserved to be highlighted:

  1. Dollarama is deeply aware that its whole business needs IT to function. “The Corporation depends on its information technology systems for the efficient functioning of its business, including financial reporting and accounting, purchasing, inventory management and replenishment, labour forecasting and scheduling, payroll processing, data storage, customer transactions processing and store communications.”
  2. They are aware that an incident would cost them a LOT. “Difficulties with the hardware and software platform may require the Corporation to incur substantial costs to repair or replace it, could result in a loss of critical data or could disrupt operations, including the Corporation’s ability to timely ship and track product orders, forecast inventory requirements, manage the supply chain, process customer transactions and otherwise adequately service customers, which, in each case, could have a material adverse effect on the Corporation’s business, reputation and financial results.”
  3. Dollarama runs heavily on consultants and would benefit from AI/automation to maintain high productivity. “The Corporation relies heavily on information technology staff and consultants. Failure to meet staffing needs or to retain competent consultants may have an adverse effect on its ability to pursue technology-driven initiatives and to maintain and periodically upgrade many of its information systems and software programs, which could disrupt or reduce the efficiency of its operations and materially adversely affect its business and financial results.”

Dollarama knows cybersecurity threats are omnipresent

From a cybersecurity standpoint, four major points deserved to be highlighted:

  1. Dollarama is aware they could become a victim of The Domino Effect. “The Corporation also depends on security measures that some of its third-party service providers are taking to protect their own systems and infrastructure. For instance, the outsourcing of certain functions requires the Corporation to sometimes grant network access to third parties. If such third-party service providers do not maintain adequate security measures in accordance with contractual requirements, the Corporation may experience operational difficulties and increased costs.”
  2. Cyber risk is real and it could lead to company-threatening incidents. “They could result in important remediation costs, increased cyber security costs, lost revenues due to a disruption of activities, litigation and reputational harm affecting customer and investor confidence. Cyber-attacks and security breaches could therefore materially adversely affect the Corporation’s business and financial results.”
  3. The data protection and privacy compliance landscape is evolving and they know it. “Any fraudulent, malicious or accidental breach of data security could result in unintentional disclosure of, or unauthorized access to, customers, suppliers, employees or other confidential or sensitive data or information, which could potentially result in additional costs to the Corporation to enhance security or to respond to occurrences, violations of privacy or other laws or regulations, penalties or litigation.”
  4. Bad press due to only “perceived vulnerabilities” could hurt Dollarama. Even if nothing happened. That’s CRAZY! “media or other reports of perceived security vulnerabilities of the Corporation’s systems, even if no breach has been attempted or has occurred, could also adversely impact the Corporation’s brand and reputation, attract investigations by government bodies and materially impact its business and financial results.”

So what’s my take on this?

It’s refreshing to see companies pay attention to tech risks and share their concerns at the executive reporting level. While I cannot attest whether this good practice trickles down to the Dollarama IT and security practitioners, it’s common to see a disconnect between executives and business lines when it comes to tech risk. Evaluating and properly communicating cyber risk is exceedingly difficult and there is no easy way of doing it. Having a strong GRC program is essential for this.

One important point to highlight is the “perceived breach” aspect of the management’s discussion and analysis. It’s unfortunately true that companies that get named in the media with “breach”, “cyber attack” or “hacked” next to their names (whether true or not) are going to lose the trust of the general public and potentially even their investors. While it’s impossible to aim for risk zero, reducing the chances of being mentioned as part of a Forbes article may greatly reduce the potential negative business impact. Instead, companies should aim at making the headlines with innovative new controls or even significant investments in cyber. This could shed light on their willingness to take cybersecurity seriously and positively flip the script.

At the end of the day, I believe Dollarama did a great job of understanding and evaluating its tech risks. Other companies should definitely take a good look at the report and see it as a solid example.

Thanks to Daniel Roy for the review of this article.

Victor De Luca

Victor holds a B.Sc., a M.Eng. and an MBA. He has a strong interest in new technologies, cybersecurity and data protection.