Lead paragraph
Shirine Khoury-Haq, the outgoing chief executive of the Co-op Group, received a total remuneration package of £1.9m for 2025, including a £165,000 rewarding-growth bonus, even as the mutual reported an underlying loss of £125m for the year and grappled with a damaging cyber incident in 2025 (The Guardian, Apr 5, 2026). Her departure was announced in March 2026 and has prompted scrutiny of remuneration governance at member-owned retailers. The juxtaposition of a significant pay package against a material negative financial outcome has raised questions among stakeholders about board oversight, bonus criteria, and disclosure practices at the Co-op. The case also highlights how operational shocks such as cyber-attacks can distort performance metrics and complicate pay-for-performance frameworks. Institutional investors and sector analysts will be parsing the underlying numbers and governance disclosures for implications on both member confidence and peer benchmarking.
Context
The Co-op Group operates as a mutual rather than a publicly traded company, which means oversight mechanisms differ from those of listed peers, yet the scale of the numbers involved places this matter squarely in the public and regulatory spotlight. The Guardian reported on April 5, 2026 that the group fell to an underlying loss of £125m in 2025 following a cyber-attack that disrupted trading and supply-chain operations. That result contrasts with recent years when the group reported positive underlying results, underscoring the outsized impact of once-off operational shocks relative to recurring retail volatility.
Member-owned structures traditionally emphasize member representation and reinvestment of surpluses, but the Co-op’s decision to approve a £165,000 bonus within a £1.9m total package for the CEO demonstrates the tension between strategic retention incentives and the optics of awarding variable pay while the organisation records a loss. The board’s remuneration committee approved the package, according to reporting, which raises disclosure issues around the metrics and rationale used to justify the award in a loss-making year.
The cyber-attack in 2025 is a central causal factor in the negative financial outcome; it materially disrupted operations, according to published reports. For investors and analysts, the key contextual questions are how the event was accounted for in underlying performance measures, whether bonus metrics adequately adjusted for exogenous shocks, and how the board communicated that adjustment to members and the market.
Data Deep Dive
The headline numbers reported on April 5, 2026 are specific and measurable: £1.9m total pay for 2025, a £165,000 bonus element, and an underlying loss of £125m (The Guardian, Apr 5, 2026). Numerically, the £1.9m package equates to approximately 1.5% of the £125m underlying loss, and the £165,000 bonus is roughly 8.7% of the CEO’s total pay for the year. These ratios frame the decision in financial terms and help investors quantify the scale of remuneration relative to the group’s performance deterioration.
Beyond those headline figures, the timing matters: the cyber incident occurred in 2025 and the CEO departed in March 2026. That timeline indicates both the operational impact and the relatively rapid governance response, but it also complicates any straightforward assessment of pay-for-performance because the event was not a predictable component of annual targets. The board’s minutes and remuneration policy disclosures — and whether they explicitly accounted for the cyber event when assessing bonus eligibility — will be critical primary documents for a rigorous review.
Source attribution and transparency are central. The numbers above derive from national reporting (The Guardian) and will need to be validated against the Co-op Group’s statutory accounts and remuneration report for the year to confirm how items were classified (underlying vs statutory results) and how the bonus was justified under published policy. For institutional due diligence, cross-referencing the press report with the Co-op’s formal filings and minutes is the next step.
Sector Implications
Retail peers and broader corporate governance observers are likely to watch the Co-op case as a bellwether for how boards handle executive reward in the context of operational shocks. While the Co-op is mutual, many listed grocers and retailers must also reconcile cybersecurity losses, one-off impairments, and supply-chain interruptions when calibrating incentive outcomes. The headline of a £1.9m remuneration package approved during a loss year could prompt investors to press listed peers for clearer clawback, malus provisions, and explicit guidance on how one-off events adjust incentive metrics.
From a competitive standpoint, the reputational fallout may affect the Co-op’s positioning with members and customers in the near term, particularly if the board’s justification is perceived as opaque. Members of a mutual are both customers and owners, and governance expectations can be higher when executive pay is perceived as misaligned with member returns. Retail customers increasingly evaluate corporate behaviour; governance controversies can translate into a measurable brand and discretionary-spend impact when amplified by media coverage.
The episode also intersects with growing interest in cyber-risk disclosure from investors. Regulators and market participants have pressed for better disclosure on cyber incidents since the mid-2010s; a high-profile operational loss tied to cybersecurity will reinforce calls for standardized metrics on cyber resilience, expected loss modelling, and insurance arrangements. Institutional investors may increasingly ask peers for scenario analyses that show how executive pay would be adjusted under material cyber events.
Risk Assessment
For institutional stakeholders, the immediate risk is reputational and governance-related rather than market-moving on a systemic level. The Co-op is not a listed entity, so direct market volatility tied to this story is limited; however, sector peers with customer overlap could experience reputational contagion or increased shareholder activism, particularly if remuneration norms come under scrutiny. The market-impact score for this event is therefore modest but non-zero, reflecting concentrated governance risk with wider sectoral implications.
Policy risk is also present. The UK’s corporate governance environment has increasingly emphasised alignment of pay with long-term sustainable performance and tightened expectations for disclosure. Recurrent headlines about bonus awards in loss-making circumstances can catalyse regulatory or member-led reforms in mutuals and may accelerate demands for improved transparency on remuneration committee decisions. Insurers and lenders may also adjust risk assessments for firms with proven operational vulnerabilities.
Operationally, the primary risk that produced the loss — a cyber-attack — is persistent across retail. Investors should assess whether the Co-op’s capital allocation and contingencies for cyber resilience and business continuity were adequate and whether insurance coverage materially offset losses. The adequacy of those controls is material to future earnings volatility and to the capacity of management teams to hit future incentive targets.
Fazen Capital Perspective
Fazen Capital views the Co-op episode not only as a governance question but as an illustration of how incentive frameworks must evolve for an era in which once-off operational shocks are both more common and more consequential. A rigid binary approach that treats bonuses as forfeited solely on headline losses can perversely disincentivize management from investing in mitigation or pursuing long-term structural projects. Conversely, awarding bonuses without transparent, pre-specified adjustments risks eroding stakeholder trust and provoking regulatory scrutiny. Our expectation is that institutional investors will press for remuneration architectures that include explicit, pre-defined adjustments for force majeure and cyber events, accompanied by robust disclosure of the rationale when exceptions are used.
Contrarian to the prevailing narrative that all bonuses in loss years are inappropriate, Fazen Capital cautions against reflexive policies that forbid any reward following operational shocks. Well-designed protocols can preserve managerial incentives for long-term value creation while safeguarding accountability. The key is formalising those protocols in the remuneration policy, tying any discretionary awards to clearly documented, board-approved remediation milestones and member communication strategies. For practical guidance on integrating operational risk into compensation frameworks, see our insights on governance and remuneration at [executive pay trends](https://fazencapital.com/insights/en) and cyber risk at [cyber risk in retail](https://fazencapital.com/insights/en).
FAQ
Q: How common is it for executives to receive bonuses in loss-making years?
A: It is uncommon but not unprecedented. Boards may award discretionary bonuses if the remuneration policy permits and if the committee can demonstrate that performance targets were met after adjusting for extraordinary items. What differentiates a defensible award is transparent documentation showing how and why an exception was applied, and what remediation or future-oriented milestones the award is intended to support.
Q: What governance steps should institutional investors request following this kind of episode?
A: Investors should request the board’s remuneration committee minutes, the precise wording of the remuneration policy, and a breakdown showing how the bonus was calculated and adjusted for the cyber event. They should also seek assurance on improvements to cyber resilience, changes to incentive design (including malus/clawback terms), and enhanced member or shareholder communication protocols. Historical context suggests that engagement is more effective when paired with specific disclosure requests and proposed policy amendments.
Bottom Line
The Co-op’s approval of a £1.9m remuneration package, including a £165,000 bonus, while reporting a £125m underlying loss and following a 2025 cyber-attack raises substantive governance and disclosure questions that merit direct scrutiny by members and institutional stakeholders. Boards must provide clear, evidence-based explanations of discretionary awards and update remuneration frameworks to account for systemic operational risks.
Disclaimer: This article is for informational purposes only and does not constitute investment advice.
