Why omnichannel resilience starts with trust
Executive summary
Retailers have scaled omnichannel experiences faster than the governance, security and privacy controls needed to support them. As digital touchpoints multiply, so do hidden risks across data, identity and third-party ecosystems. Insights from Grant Thornton’s Lindsay Hohler and Brandon Branchini reveal why resilience now hinges on cross-functional ownership, secure-by-design architecture and pragmatic trade-offs between convenience and control.
Retail’s omnichannel evolution has been relentless. Websites, mobile apps, loyalty platforms, APIs and third-party integrations now define how customers browse, buy and engage. That expansion has unlocked growth and personalization, but it has also created a sprawling digital footprint that few organizations fully understand.
According to Lindsay Hohler, partner in Risk Advisory for Privacy and Data Protection at Grant Thornton, many retailers are only now confronting the implications. “All of those digital properties are ultimately governed by the retailer as the data controller,” Hohler said. “They’re obligated to make sure compliance-monitoring processes are in place, and historically and especially where the retailer has hundreds of digital properties, a lot of that has been the Wild West.”
At the same time, cyber threats are becoming more sophisticated, more automated, and more opportunistic. Brandon Branchini, a senior manager in Cyber Strategy at Grant Thornton, sees organizations struggling to secure environments they can’t clearly map. The result is mounting exposure that touches revenue, customer trust and operational continuity.
Resilience, then, is no longer about protecting a single channel. It is about understanding how everything connects — and designing security, privacy and governance to scale alongside digital ambition.
The risk hiding inside omnichannel growth
As retailers add channels, they also add complexity. What often looks like a seamless customer experience is, behind the scenes, a web of independently built sites, apps and data flows.
Hohler pointed to large retail and hospitality brands that operate hundreds of digital properties beyond a primary website. “You’ll see separate domains for a company’s featured amenities, plus multiple mobile apps,” she said. “All of that data rolls up to the same controller, even if it’s managed very differently day to day.”
That fragmentation matters. Many organizations allowed teams to build quickly without consistent standards for data collection, consent or tracking technologies. Regulators and plaintiffs’ attorneys are now scrutinizing those gaps, particularly around online tracking and consumer preferences.
The challenge is not just regulatory. Branchini notes that retail cyber risk expands with every unknown dependency. “Understanding your environment is foundational,” he explained. “If your asset inventory isn’t up to date and you don’t know how data is flowing, you can’t apply the right controls.”
Omnichannel growth without visibility turns innovation into exposure.
Governance can’t live in one team
One of the most persistent breakdowns Hohler sees is in governance ownership. Digital, legal, privacy and security teams often debate responsibility, slowing progress while risk continues to accumulate.
“The real answer is that it has to be cross-functional,” she said. Digital teams must own standards and change management, while privacy and compliance teams define frameworks and monitor adherence. “It’s not something you can fully outsource, and it’s not something one function can solve alone,” Hohler added.
Branchini echoed the need for clarity from the top, especially when it comes to driving the business to a more secure control environment. “Control areas, such as access management, are typically managed by different application owners, all of whom may have different expectations or desires for data security,” he said. “If expectations aren’t communicated clearly, you end up with inconsistent controls across the environment.”
Tone from leadership matters. When governance is treated as optional or secondary, teams optimize locally and risk grows globally.
Personalization versus protection is a false trade-off
Retailers face constant pressure to personalize more deeply. More data promises greater relevance and higher revenue. Yet that same data also increases exposure when it is poorly governed or inadequately secured.
Hohler sees this tension intensifying. “Today, personalization is often treated as an all-or-nothing choice,” she explained. “But consumers will expect far more nuance.” Preferences may vary by data type, use case or even by whether an AI agent is acting on their behalf.
Branchini approaches the problem from a different angle. His focus is not how personalization works, but whether the underlying data is protected. “My experience centers on reviewing the security of the data as it flows through the environment,” he said. “Without a clear understanding of data paths and dependencies, personalization efforts rest on shaky ground.”
The implication is clear. Personalization strategies that outpace security and privacy maturity create long-term risk that can outweigh short-term gains.
Legacy systems slow resilience
Many omnichannel risks trace back to technology decisions made years ago. Legacy systems, especially those stitched together through mergers and acquisitions, are difficult to secure and harder to retire.
Hohler described environments where core customer data is fragmented across dozens of systems. Modernizing those foundations is critical. Moving master data management and customer profiles to scalable cloud platforms helps organizations absorb demand spikes while applying more consistent controls.
Branchini points to a recurring weakness in older architectures: authentication. “Many legacy systems aren’t using modern token-based or cryptographic controls,” he noted. “That increases the likelihood of unauthorized access or credential misuse.”
Resilience requires more than patching old systems. It requires a deliberate strategy to decommission, consolidate and modernize them.
Third-party risk doesn’t stop at contracts
Retailers have made significant progress managing payment card risk, often by outsourcing processing. But broader third-party exposure remains.
Branchini cited access management as a common blind spot for retailers. “Vendors don’t always notify you when someone leaves their organization,” he said. “That person may still have access unless you have strong recertification and monitoring in place.”
Hohler adds that risk extends well beyond initial due diligence. “As retailers move deeper into cloud and SaaS environments, configuration choices matter,” she noted. “Those risks don’t show up in a standard third-party assessment.” As a result, third-party risk management must evolve from periodic reviews to continuous oversight.
Identity is the new frontline
Account takeover, bots and synthetic identities are no longer edge cases. They are everyday realities in digital commerce.
Hohler has worked with clients grappling with bot-driven account creation that inflates marketing metrics while undermining data quality. “There’s a real balance between reducing friction and validating that someone is a real person,” she explained.
Branchini points to risk-based controls as a practical solution. “If someone claims to be in the U.S. but logs in from another country, that should trigger step-up verification,” he noted. Behavioral monitoring and adaptive authentication help protect accounts without degrading the experience for legitimate users.
Identity controls, once considered optional, are now foundational to trust.
Overcoming resistance to change
Even when risks are well understood, internal resistance can slow progress. Cost concerns, fear of added friction and change fatigue all play a role.
Hohler sees formal governance as the starting point. “You need clear responsibility for setting policy, standards and change management,” she said. Standardization, such as approved tracking technologies or cookie templates, can also reduce long-term compliance costs.
Branchini emphasized education as a critical lever. “People need to understand why this matters,” he said. Leadership messaging and ongoing training help shift culture from convenience-first to risk-aware.
Resilience, ultimately, is as much a people challenge as a technical one.
Conclusion
Omnichannel innovation has transformed retail, and it has also transformed risk. Digital sprawl, legacy systems, third-party dependencies and rising identity threats are converging at a moment when regulators and customers alike expect greater accountability.
The insights from Lindsay Hohler and Brandon Branchini point to a common truth: resilience is built through visibility, governance, and intentional design. Retailers that align digital ambition with security and privacy maturity are best positioned to protect trust, sustain growth and adapt to what comes next.
Content disclaimer
This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.