The COVID-19 pandemic has directly transformed demand for space through quarantines, social distancing, and diminished consumer confidence. For the real estate sector, this has translated to shutdowns of retail stores, restaurants, hotels, and office buildings, as well as loss of income from rents and leases. 

Recent studies by the commercial real estate development association NAIOP found that about half of companies expected that the pandemic-fueled economic crisis will impact their business operations for more than a year. In addition to owners and operators grappling with a significant decline in new leases and lease renewals, developers are facing delays in permitting and entitlements, slowed financing, supply shortages, and construction disruptions. With these impacts comes a new era of risk – and evolving regulatory compliance obligations – for real estate organizations. Not surprisingly, the costs and complexities of risk management are mounting. 

Today’s unfamiliar landscape requires real estate organizations and their boards to enable agile risk management processes through continuous assessment of policies and processes. Speed in redefining your organization’s goals and strategies and impeding risks will likely prove to be a competitive advantage. As such, companies should be reassessing, refreshing, and even revamping certain governance practices related to technology, compliance, human capital, vendor management, fraud, and business continuity planning.  

Contributing factors to an unrecognizable risk landscape

A significant concern for real estate firms – and operators in particular – is that the pandemic will give rise to new regulatory and market mandates related to the health and safety of employees and tenants. Organizations can expect that there will be some level of self-reporting needed. Transparency into how organizations will evolve to meet new requirements will be key to strengthening trust from stakeholders. These mandates will likely trigger resource-intensive operational, technical, and process-related obligations. 

Many real estate companies are finding that they have not recently reviewed and revised their compliance programs. They are also discovering that their compliance plans are not aligned with today’s transformed economic conditions, risks, and processes as standard practices have given way to ad hoc workstyles: A home-based finance employee, for instance, may be zigzagging between helping their children complete online homework while bouncing between virtual meetings and cutting checks to employees from the kitchen table. 

This presents a perfect storm of risk. As many organizations rapidly shifted to a work-from-anywhere (WFA) model this spring, it’s a safe bet that they implemented temporary guidelines and technologies that were hastily designed and deployed to enable remote workers to communicate and collaborate, weakening segregation of duties (SOD) and creating flawed processes. These situations increase the likelihood of fraud. It’s critical that businesses revisit these initial policies, procedures, controls, and technologies, and identify any new levels of risk that must be addressed when solidifying permanent WFA programs.

Organizations may find that their new remote-work policies create significant changes to business processes that increase cyberthreats in unanticipated ways. The proliferation of remote access, for example, expands the cyberattack surface by creating additional endpoints that threat actors can exploit. And because businesses often prioritize expedience over security in times of crisis, these new endpoints often lack consistent, effective security controls. 

As organizations address these security gaps, it’s essential that they properly test current and new remote-work software and services before they are deployed to end users. Equally important is employee training. Software that automates the approval and payment of rental invoices, for instance, will require thorough training to drive user acceptance and capabilities.

Construct solid business continuity plans against future crises

As the industry strives to predict tomorrow’s threats, real estate companies must embed risk awareness, regulatory compliance, and business continuity into their strategic plans, risk management processes, technologies, and talent. Given the unpredictable course and costs of the COVID-19 crisis, it’s critical that industry business leaders champion a review of the organization’s crisis management plans. The assessment should factor in new initiatives like WFA programs, and be periodically refreshed to address emerging risks and market changes. 

A critical component of proactive business continuity planning and management is a relentless focus on cybersecurity and privacy. We have seen a pattern in which CRE executives prioritize other aspects of continuity management planning at the expense of security. This can create vulnerabilities that all but roll out the welcome mat for cybercriminals who target the real estate sector.

COVID-19 has also underscored the importance of environmental, social, and governance (ESG) issues, such as climate change and sustainable energy. More and more, continuity and sustainability are becoming synonymous. A company’s future success and continued investor interest will be impacted by their ability to address sustainability concerns head on. Investors want to know that your organization is built to support itself through ESG-related changes and challenges that arise. COVID-19 will continue to heighten ESG programs as societies and citizens continue to experience the calamitous risks of global disease and its economic and societal impacts. As organizations begin to understand their strategic value and impact, we are increasingly seeing business continuity, disaster recovery, and ESG programs as standing agenda items during board meetings. 

Paving a path forward with stronger processes and risk controls

Alongside these mounting risks are opportunities. As real estate companies create, revise, and implement enterprise risk management strategies, they can identify strategies to improve operational efficiencies and strengthen risk and compliance capabilities. 

One of the most potentially impactful actions is an assessment of current business processes that identifies – and re-engineers – broken processes. This review can also enable companies to identify recurring processes and daily tasks that can be automated to further enhance operational efficiencies and streamline workflows. 

Achieving these enterprise risk goals will require that stakeholders freely communicate and collaborate. To start, an evaluation of risk-management strategies should be conducted. In line, finance and IT leaders should work together to assess how their systems and solutions can reduce risks and lower the cost of compliance. 

Additionally, organizations should weigh the benefits of data analytics to help them better understand unique business anomalies, inefficiencies, and cybersecurity risks. Analytics create data-driven quantifications that can allow security stakeholders to better measure and manage security risks and prioritize funding for risk and compliance. 

Instilling trust – continuously

In today’s uncertain business environment, risk management should be elevated to a strategic partner alongside finance, legal, and operations. Only then will the risk management function be empowered to provide current insights and real-time decision-making, disclose the right information, and maintain the trust required to support corporate resiliency. Ongoing organizational assessment processes are crucial to restoring marketplace trusts, as stakeholders and investors will be looking for evidence that your organization is taking the necessary steps to ensure sustainability on a go-forward basis. As such, strategy, risk management, and audit reporting should be shifted from a quarterly or annual basis to a continuous model.  

As the disruptions caused by COVID-19 persist, it has become clear that risk management is no longer a check-the-box discipline. Real estate leaders and their boards will need to explore material changes – for both the individual business and the sector as a whole – to develop a risk-management strategy for an unknowable future. A culture of continuous risk management can help organizations quickly prioritize the right security spend, controls, and automation – all of which can help the sector prepare for future crises, achieve operational efficiencies, strengthen resilience, and, ultimately, instill the trust required to place people back into public and shared spaces. 

Contact

Marianne Turnbull, CIA, CAMS, Managing Director, CohnReznick Advisory

973.364.7711