E-commerce Risk Management Checklist
Operational Risks
Pull on-hand vs. sellable counts from your OMS (Cin7, SkuVault, Linnworks, NetSuite) and reconcile against Shopify, Amazon FBA, and any other active channels. Overselling the last unit across two channels is the most common operational failure — it triggers Amazon ODR hits and refund cascades. Note any SKUs with variance over 2%.
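The reconciliation described above, as an added example that is not part of the original checklist or any OMS vendor's tooling. It assumes the OMS export gives on-hand and sellable units per SKU and each channel export gives the listed quantity; the 2% tolerance is the checklist's own number, and the sample counts are constructed.

```python
from dataclasses import dataclass

VARIANCE_THRESHOLD = 0.02  # the checklist's 2% tolerance


@dataclass(frozen=True)
class Variance:
    sku: str
    channel: str
    oms_sellable: int
    channel_listed: int
    variance: float        # fraction of the OMS sellable count; inf when OMS shows zero
    oversell_risk: bool    # channel lists more units than the OMS says are sellable


def reconcile(oms_export, channel_listings, threshold=VARIANCE_THRESHOLD):
    """Compare each channel's listed quantity with the OMS sellable count.

    oms_export: {sku: (on_hand, sellable)} as exported from the OMS
    channel_listings: {channel: {sku: listed_units}} from each sales channel
    Returns flagged variances, worst first.  A channel listing units for a SKU
    the OMS shows as unsellable is the classic overselling setup, so it is
    reported with an infinite variance rather than silently skipped.
    """
    flagged = []
    for channel, listed in channel_listings.items():
        for sku in set(oms_export) | set(listed):
            _, sellable = oms_export.get(sku, (0, 0))
            ch_qty = listed.get(sku, 0)
            if sellable == 0:
                variance = float("inf") if ch_qty > 0 else 0.0
            else:
                variance = abs(ch_qty - sellable) / sellable
            if variance > threshold:
                flagged.append(Variance(sku, channel, sellable, ch_qty,
                                        variance, ch_qty > sellable))
    flagged.sort(key=lambda v: v.variance, reverse=True)
    return flagged


# Constructed sample exports (not real inventory data).
OMS_EXPORT = {
    "SKU-A": (100, 98),   # 2 units reserved/damaged: only 98 are sellable
    "SKU-B": (40, 40),
    "SKU-C": (5, 0),      # on hand but quarantined, nothing sellable
}
CHANNEL_LISTINGS = {
    "shopify":    {"SKU-A": 100, "SKU-B": 40, "SKU-C": 5},  # synced from on-hand, not sellable
    "amazon_fba": {"SKU-A": 97, "SKU-B": 38},
}

if __name__ == "__main__":
    for v in reconcile(OMS_EXPORT, CHANNEL_LISTINGS):
        tag = "OVERSELL RISK" if v.oversell_risk else "variance"
        print(f"{v.sku} {v.channel}: OMS sellable {v.oms_sellable}, "
              f"listed {v.channel_listed}, {tag} {v.variance:.1%}")
```

The Shopify feed in the sample is synced from on-hand rather than sellable units, which is exactly how the last quarantined unit gets sold twice; the report separates that direction (oversell risk) from a channel merely under-listing stock.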
Lost/damaged FBA units have a 30-day reconcile window for inbound shortages and an 18-month window for reimbursement claims. Either run the workflow manually in Seller Central or use a service (GETIDA, Refunds Manager, Seller Investigators). Money left here directly hits margin.
Confirm primary factory lead times and identify Chinese New Year / Golden Week / Diwali windows that fall in the next two quarters. Verify a qualified backup supplier exists for any SKU representing more than 10% of revenue.
Pull last-90-day metrics from ShipBob / ShipMonk / Flowspace: same-day cutoff hit rate, mispick rate, damage rate, late-shipment rate. Compare against contract SLAs and flag any breach for credit recovery.
Hero SKUs should have a conservative buffer beyond the Helium 10 / forecasted Q4 demand — port congestion and Amazon Q4 receiving delays routinely add 2-3 weeks. Confirm an air-freight contingency exists for top 5 SKUs.
Financial Risks
Run the Avalara / TaxJar / Anrok nexus report for trailing 12 months. Most states use $100K or 200-transaction economic-nexus thresholds. Marketplace facilitators collect on Amazon/eBay/Walmart sales, but DTC Shopify revenue accumulates seller liability. Flag any state newly crossed but not registered.
Pull chargeback rate from Shopify Payments / Stripe / PayPal. Visa flags merchants over 0.9% and Mastercard over 1.5% — both trigger monitoring programs that are expensive to exit. Categorize by reason code (fraud, item not received, not as described) and assign root cause.
Compare 1099-K from Shopify Payments, Amazon, PayPal, Stripe against bookkeeping totals. Marketplace fees, refunds, and shipping pass-throughs are the common reconciliation pain points. Annual IRS thresholds have shifted — check the current year's filing rule.
Amazon FBA fee schedule changes annually; storage, fulfillment, and the inbound placement service fee all shift. Recalculate contribution margin per ASIN against current fees and identify SKUs that have flipped negative.
Confirm 90-day cash position covers PO commitments, ad spend, and payroll. Check announced UPS/FedEx GRI for the next contract year (typically 5-7%) and decide whether to renegotiate rates or shift carrier mix.
Cybersecurity Risks
Verify MFA on Shopify admin, Seller Central, Klaviyo, Meta Business Manager, Google Ads, the 3PL portal, and the bank. Account takeover on any one of these is revenue-fatal — Meta hijackers drain ad budgets in hours.
Pull the installed-apps list and remove anything unused. Review staff accounts and revoke access for departed contractors. Confirm no public-facing staging URL or unauthenticated dev environment exists with real customer data.
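The MFA and staff-account review from the two items above, as an added example that is not part of the original checklist or any of the named platforms' APIs. It assumes each system's user list has been exported to a common record (system, email, MFA status, last login) and that an active roster of current staff and contractors is available; the 90-day idle threshold and the sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 90  # assumption: accounts idle longer than this get reviewed


@dataclass(frozen=True)
class Account:
    system: str
    email: str
    mfa_enabled: bool
    last_login: Optional[date]   # None when the account has never signed in


@dataclass(frozen=True)
class Finding:
    system: str
    email: str
    issue: str   # "departed", "no_mfa" or "stale"


def review_access(accounts, active_roster, as_of, stale_days=STALE_DAYS):
    """Cross-check exported accounts against the current roster.

    Emits one finding per problem, so an account can appear more than once
    (a departed contractor with an idle login is both "departed" and "stale").
    """
    roster = {e.lower() for e in active_roster}
    findings = []
    for acct in accounts:
        email = acct.email.lower()
        if email not in roster:
            findings.append(Finding(acct.system, email, "departed"))
        if not acct.mfa_enabled:
            findings.append(Finding(acct.system, email, "no_mfa"))
        idle = acct.last_login is None or (as_of - acct.last_login).days > stale_days
        if idle:
            findings.append(Finding(acct.system, email, "stale"))
    return findings


def systems_missing_mfa(accounts):
    """Systems with at least one account that lacks MFA, for the checklist tick-box."""
    return sorted({a.system for a in accounts if not a.mfa_enabled})


# Constructed sample exports (not real accounts).
AS_OF = date(2024, 3, 1)
ACTIVE_ROSTER = ["owner@example.com", "ops@example.com", "ads@example.com"]
ACCOUNTS = [
    Account("shopify_admin",  "owner@example.com",      True,  date(2024, 2, 28)),
    Account("shopify_admin",  "contractor@example.com", True,  date(2023, 10, 2)),  # left in 2023
    Account("seller_central", "ops@example.com",        False, date(2024, 2, 27)),  # no MFA
    Account("meta_business",  "ads@example.com",        True,  None),               # never used
    Account("klaviyo",        "owner@example.com",      True,  date(2024, 1, 15)),
]

if __name__ == "__main__":
    for f in review_access(ACCOUNTS, ACTIVE_ROSTER, AS_OF):
        print(f"{f.system:15} {f.email:25} {f.issue}")
    print("systems with an MFA gap:", systems_missing_mfa(ACCOUNTS))
```

Run it per review cycle with fresh exports; the roster comparison is case-insensitive because platform exports rarely agree on email casing, and a departed account that still has a recent login is the item to revoke first.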
Run a phishing simulation with KnowBe4, Hoxhunt, or a manual exercise. Record click rate and credential-entry rate. Customer service staff are the most-targeted role because they have order-data access and customers contact them constantly.
Walk through a breach-response tabletop: who notifies the CMP/DPO, what triggers the GDPR 72-hour clock, which state breach-notification statutes apply, and how customer comms get drafted. Confirm cyber insurance contact info is current.
Document each gap surfaced in the tabletop, assign an owner, and book the re-test within 30 days. Common gaps: outdated DPO contact, no documented sub-processor list, no pre-approved customer-notification template.
Legal and Regulatory Risks
Confirm OneTrust / Cookiebot / Termly is firing on first page load and that GPC signal is honored. The CCPA/CPRA Do Not Sell or Share link must be in the footer; Virginia, Colorado, Connecticut, and Utah have parallel requirements. Update the sub-processor list in the privacy policy.
Sample the last 30 days of paid creator posts. Each must use #ad, 'paid partnership,' or equivalent disclosure per the FTC Endorsement Guides. Pull the Refersion / GRIN / Aspire log; tag any non-compliant post and require a re-post or takedown.
For each non-compliant post, send the takedown / amend request and re-circulate the disclosure language clause from the influencer agreement. Document the corrective action — the FTC consent decrees explicitly require evidence of brand-side enforcement.
The FTC Negative Option Rule and California / New York click-to-cancel statutes require online cancellation parity with sign-up. Test cancel paths in Recharge, Smartrr, or your subscription tool. Retention offers may be presented but cannot block cancellation.
Pull all 'clinically proven,' 'FDA approved,' '#1 rated,' 'eco-friendly,' and 'natural' claims from PDPs, A+ content, and ad copy. Each must map to a substantiation document. Supplements, cosmetics (MoCRA), and children's products carry the highest enforcement risk.
Reputational Risks
Pull negative reviews from Amazon, Yotpo / Okendo / Judge.me, and Trustpilot. Tag by reason code (sizing, quality, image-vs-reality, shipping damage). Three reviews citing the same defect is a manufacturing signal that needs a product-team escalation, not just a CX response.
Run Trackstreet / MarketTrack against the authorized-reseller list. For Amazon, check Brand Registry / Project Zero / Transparency for unauthorized sellers on listings. Issue cease-and-desist letters and de-authorize repeat offenders.
Pull Loop Returns / AfterShip / Narvar reason-code data. Apparel target is under 25%, hardgoods under 8%. Flag any SKU whose returns rate moved up by 5 points quarter-over-quarter.
For each SKU above threshold, pull the last 50 returns with photos and free-text reason. Decide between PDP fix (better images, sizing chart, clearer description), supplier QC corrective action, or SKU phase-out. Document the decision and target date.
