Global ViewPoint
CBRE
GLOBAL RESEARCH AND CONSULTING
Global ViewPoint
www.cbre.com/research
March 2012
RISK MANAGEMENT IN CORPORATE REAL ESTATE WITHIN THE
GLOBAL BANKING AND FINANCE SECTOR
By Richard Holberton, Director, EMEA Research and Consulting;
Andrew Hallissey, Executive Director, Global Corporate Services, EMEA;
David Chang, Regional Strategist, Global Corporate Services, Asia Pacific; and
Ben Chirgwin, Managing Director, Global Corporate Services, Americas
OVERVIEW
The global financial crisis has produced a heightened focus on risk management within organizations in the banking
and finance sector, notwithstanding corporate real estate (CRE) functions. While there is no universal definition of risk
as it relates to CRE, there is widespread acknowledgement of the need to identify a broader range of risks than would
traditionally have been the case, and implement processes for managing them.
In some respects, CRE functions within financial services companies have an advantage of being able to borrow from
established risk management processes existing elsewhere in the company. However, there is wide variation in the
scope of practical measures that have been implemented. These can range from robust adherence of existing
practices to far-reaching changes. Examples of systems being introduced include risk registers, enhanced IT systems,
internal audits and new approaches to the selection of third-party suppliers. All of these also need to take into
account the differing risk profiles and standards across geographies.
What is apparent is that in the banking and finance sector, establishing and implementing processes for monitoring
and mitigating CRE risk is increasingly seen as an essential element of business practice. CRE teams cannot afford to
be bystanders in the debate and must ensure that whatever processes are in place are relevant and strategically
focused.
INTRODUCTION
In its broadest sense, the issue of risk management in the
banking and finance sector could hardly be more topical.
Perceived deficiencies in this area have been widely linked
with the financial crisis of 2008-2009, and a great deal
of attention has since been paid by everyone – from
financial authorities to the media – to risk management
and regulation. Whether seen as a cause or consequence
of the crisis, the heightened visibility of this issue is
undoubted.
March 2012
Equally, it is a very large topic and relatively little attention
has been paid to how it affects corporate real estate, how
CRE functions have adapted to the changed environment
and which specific concerns are most prominent in the
eyes of CRE executives. CRE may not be at the top of the
agenda for financial regulators, but it has certainly not
gone unaffected by recent events. To complicate matters
further, the tighter focus on risk management has
coincided with a period of intense cost reduction which,
arguably, pulls in a different direction or at least makes
© 2012, CBRE Ltd
the introduction of new risk processes more difficult.
Striking an appropriate balance between these two
imperatives is a considerable challenge. With the aim of
enhancing understanding in this area, CBRE convened a
panel of major corporate occupiers in this sector to
discuss these issues.
HOW HAS THE DEFINITION OF RISK EVOLVED
THROUGH THE RECENT GLOBAL ECONOMIC
CRISIS?
At a general level, risk may be viewed as anything that
adversely affects the ability of banking and finance
organizations to perform all their functions effectively. In
this context, however, it is important to note that financial
services companies make their money by thoughtfully
managing risk. Understanding the sources and degree of
risk, the processes for controlling it, and modeling
scenarios for risk mitigation is what separates the
profitable companies from the rest. CRE can benefit from
applying these same principles to the management of
© 2012, CBRE Ltd
Global ViewPoint
their portfolios. In the process, they can gain
significant credibility with their business leaders by
alerting them to various risk scenarios and the
premium required to mitigate the operating risks
associated with real estate. Beyond this, there is no
commonly-accepted general definition of risk as it
affects CRE. However, there has still been a marked
shift in its importance over recent years in several key
areas, including financial, reputational (within which
customer satisfaction is an ever-more important issue),
operational and political. In other words CRE risk is no
longer purely a “bricks and mortar” issue, but one that
is much more far-reaching.
Awareness of reputational risk in particular has
become far more prominent. This reflects a growing
appreciation that events in one part of the company
(even a relatively small one) can have significant
unforeseen impacts on other parts of the business.
Companies have been forced to become a lot more
cohesive in their thinking on risk management, and to
acknowledge the inter-dependencies that exist within
their organizations. To some extent this is a reaction to
more media scrutiny which rarely differentiates
between core and peripheral parts of a business when
something goes wrong. It’s also a function of an
exposed industry that has allowed a greater focus on
internal process. But to a far greater extent it is an
acknowledgement of the need to become more
vigilant and proactive, and that the application of risk
management processes in all business areas,
including CRE, is no longer a “nice to have,” but a
requirement.
“Some risk mitigation measures appear to be there in
order to protect the industry from reputational attack,
rather than because they have clear business benefits. This
is quite an expensive way of protecting against perceived
external threat.”
March 2012
There is an inherent advantage that large, diversified
financial services companies generally have a range
of risk management functions and departments
already in place. Thus, while CRE issues haven’t
historically been prominent in the risk management
arena, there are existing centers of thinking and
practice within these companies that CRE functions can
tap into. To this extent, prevailing corporate cultures
and organizational structures are helpful in spreading
risk awareness as broadly as possible around the
business.
Page 2
© 2012, CBRE Ltd
There is no doubt that CRE functions have been the
recipient of a more risk-averse mindset from their
parent businesses over the past two to three years.
Though it often results in greater internal scrutiny and
interrogation, this is widely seen as a positive attribute.
On the whole this has meant that CRE functions are
becoming more business-relevant, by acting as a
catalyst for greater integration and stronger linkages
between the CRE function and the wider business.
Evidence of the CRE function partnering with, and on
occasions challenging, the wider business is now more
widespread. However, the specifics of how this shift in
culture affects practice and process within CRE vary
enormously.
HOW HAS THE CORPORATE REAL ESTATE
FUNCTION RESPONDED?
The impacts of these changes vary widely. In some
organizations they are regarded as no more than a
“wake-up call,” with few practical implications. In
others, however, they have necessitated far-reaching
changes. In the first category – which is a minority
view – existing process for managing risk at individual
property level have (with some improvements) proved
up to the task. Where process modifications have been
needed, they have generally resulted from risk
manager demands for a fuller range of CRE risk
sources to be identified and incorporated into the
decision-making process. Ultimately, these changes
will require the CRE industry to shift its focus from
driving real estate performance to enabling business
performance through thoughtful risk-benefit analysis.
Visibility and transparency of risk control processes
Even where the scope of process adjustments has been
limited, there has been a discernible shift in the need
to demonstrate those things that are already carried
out as part of existing processes – even if they weren’t
previously acknowledged. In other words, the required
visibility and transparency of risk control processes has
increased sharply even if the nature of the processes
themselves is largely unchanged. The key message
from CRE leaders is to drive adherence to policies,
even if the policies themselves are in need of
refinement. This emphasis on applying existing
processes better, or good “business as usual,” is seen
as a key strand of risk mitigation policy.
Where more profound changes to risk mitigation
policies have been required, they have mostly come
under one or more of the following headings:
Internal process
There is a huge focus on ensuring the rigor of all
internal process around risk management, and
overhauling them where necessary. This can take a
variety of forms, but a measure commonly reported
was some form of CRE risk register or risk inventory.
Generally these are accompanied by regular meetings
of key personnel to review the range and priority of
major risk items. More is documented than used to be
the case and, more importantly, there are clearer
hierarchical processes over what needs to be
escalated. These processes have certainly aided
transparency and openness; risk registers have
provided a mechanism for bringing difficult issues into
the open and forcing attention on issues that might
otherwise have been swept under the carpet. In this
sense, the addition of more “process” has been
accompanied by a cultural shift whereby swiftly
challenging assumptions and process, vigorously and
often, is becoming more commonplace. Regular “spot
checking,” peer reviews and internal audits are
becoming familiar compliance checks across CRE
organizations, but need to take into account the fact
that risk profiles and regulatory standards differ across
geographies.
“There is a greater need to identify the fullest range of
known unknowns as early as possible. It isn’t necessarily
the main aim of risk registers, but they have helped to
flush out difficult issues that might previously have been
unrecognised or ignored.”
Data, technology and resilience
Partly because of growing information demands from
compliance departments and external regulators such
as the U.S. Federal Reserve and the Financial Services
Authority, data, technology and resilience increased
the profile of the CRE agenda. Information
management and security is treated far more
rigorously. The volume of data submitted to other
internal departments, such as Compliance and
Corporate Communications, is far higher, as is the
level of scrutiny to which it is subjected. Heightened
awareness of the risks and consequences of power
failure for, say, trading floor operations, have also
focussed attention on data and resilience issues. All
this has increased the need for the upgrade of data
systems and technology platforms, tempered by the
view that it is sometimes too easy to hide behind the
resilience of data systems as a smokescreen for
deficiencies elsewhere.
Global ViewPoint
“More than ever we need to be able to document, defend
and explain a decision in the event that it comes under
scrutiny at a later date.”
Recruitment
The assembly of greater resources around legislative
compliance has been widely pursued, including
recruitment of key individuals (such as Head of CRE
Risk) and/or the creation of new teams to devise and
enforce best practices. In many cases these roles have
reporting lines direct to the CEO or COO and hence
ready-made credibility and power. Previously, within
some organizations, risk responsibilities were often a
dual responsibility with other functions (e.g. business
continuity planning coupled with finance), often
leading to a potential conflict of interest and delays in
reporting.
Selection and management of third-party vendors or
suppliers
Finally, selection and management of third-party
vendors or suppliers has assumed growing
importance. This is widely seen as a significant source
of risk in CRE and beyond, to the extent that in some
organizations, CRE policies in this area are regarded
as a pilot for other parts of the company. Given that
CRE organizations within financial services companies
have been early adopters of sourcing strategies, there
is much value to be shared, including scaleability,
flexibility, and process. In areas such as the selection
of landlords and sub-lessees, there is some evidence
that this is altering decisions and impacting corporate
behavior more generally.
“Risk managers can sometimes learn from CRE, rather
than CRE simply absorbing lessons from elsewhere in the
business. In this sense, the general air of increased
scrutiny can produce benefits right across the business.”
© 2012, CBRE Ltd
March 2012
Page 3
Global ViewPoint
Wherever an organization lies in this spectrum, there is
a widely-acknowledged need for any new or improved
measures to be relevant and couched in terms of
“financial materiality,” which is a natural strength for
CRE departments. In other words, rather than adding
process for its own sake, there is a need to be clearheaded about the relative priority and potential
benefits of any new measures.
“External risks are clearly still unusually high, but there is
a limit to what we can do about these. My concern is
around things that are, in theory, within our control but
which we haven’t done enough about.”
WHAT RISKS REPRESENT THE GREATEST
CHALLENGE FOR THE BUSINESS AND FOR CRE?
Beyond systemic risks that have the potential to affect
the business as a whole (such as economic and
political risks), issues relating to physical infrastructure
and its robustness to various threats tend to dominate
CRE thinking. Risks pertaining to disaster response,
civil unrest, terrorism or other security threats, as well
as health and safety feature strongly in company
thinking, along with IT resilience and risks associated
with the concentration of activity at fewer locations.
The extent to which the key components of CRE risk
are being effectively measured and reported within the
sector appears somewhat variable. Some have
developed a set of risk measures relevant to each
aspect of CRE activity, while others noted the need for
progress in this area. The overriding need to ensure
that any measure is business-relevant and strategically
focused, as opposed to “knee-jerk,” was generally
accepted. By way of example, investing significantly in
tightening processes and compliance in already lossmaking or marginal areas of business was regarded
as an ineffective use of resources.
March 2012
“We are getting better at it quite quickly, but it is still fair
to say that this is all a work in progress. We are not yet at
the stage of having robust metrics and seamless processes
to capture everything we would want to in the area of CRE
risk.”
Page 4
© 2012, CBRE Ltd
It was also instructive that some organizations also
noted that, relative to the immediate aftermath of the
2008-2009 crisis, attention now seems to be easing as
a result of greater confidence in improved systems and
process management. This raised the issue of whether
some organizations may be consistently doing more
than is strictly required by legislation or even by
regulatory demands, in order to appease the media or
the public or in response to specific events. Legislation
around bribery, such as the U.S. Foreign Corrupt
Practices Act or UK Bribery Act, and money
laundering, such as Canada’s Proceeds of Crime and
Terrorist Financing Act, exist in most major
jurisdictions and some have a significant impact on
banks’ processes and practices.
To some observers the response is a “necessary” overreaction, justified simply because of the profile of the
issue. To others it is premature since it is too early to
assess fully the costs and benefits of earlier measures.
In all probability, the challenges of CRE risk
management are only going to mount, so
corporations and their service providers need to
ensure that they are more than bystanders in the
debate.
“The climate of opinion is such that we have sometimes
gone further than is strictly necessary, but the process of
doing so has produced some unexpected benefits. It is
hard to see the focus slackening so we all need to stay
vigilant.”
Global ViewPoint
CONCLUSIONS: RISK CATEGORIZATION AND BEST PRACTICES
The range of risks that need to be considered by CRE functions is already broad, and is widening. Increased
scrutiny and cross-over from other parts of the parent business are necessitating changes in process and
approach for many corporations. While this increases the degree of complexity attached to risk management,
it is possible to group the main sources of risk and identify a range of best practice measures to ameliorate
them.
Broadly, it is possible to identify four categories of CRE risk, as summarized in the matrix below:
Typology of Corporate Real Estate Risk
FINANCIAL
OPERATIONAL AND BUSINESS CONTINUITY
• Capital allocations and constraints
• Escalating occupancy and energy costs
• Understanding the CRE cost base and financial
data transparency
• Debt and equity financing costs
• Financial strength and performance of key
suppliers
• Uptime of critical facilities
• CRE resource constraints and skills gaps
• Application of CRE technology systems
• Business continuity processes
REPUTATIONAL
EXTERNAL AND GEOPOLITICAL
• Regulation and compliance – U.S. FCPA, UK
Bribery Act
• Business relationships with third party stakeholders:
landlords, subtenants and suppliers
• Health and safety incident performance
• Press, media relations and CRE communications
processes
• Political or social unrest
• Natural disasters and acts of god
• Terrorism
• Economic shocks and recession
• Climate change
• Technology advancement
© CBRE 2012
Establishing and implementing processes for monitoring and mitigating CRE risk is increasingly seen as an
essential element of business practice. Self-evidently, processes to manage these risks clearly need to be
designed and tailored for specific situations. However, it is possible to identify a number of broad categories
of best practices to CRE risk mitigation.
BEST PRACTICE APPROACHES TO CRE RISK MITIGATION
1. Risk identification, tracking and reporting
The financial crisis has raised awareness of the full range of risks to which financial institutions are
exposed. At minimum, it is widely considered essential to introduce (or revive) processes to ensure that
there is corporate awareness of all the material risks, as well as ways of assessing, documenting and
monitoring them. The range of issues that may need consideration is potentially very wide and includes,
for instance, obsolescence risk due to technological advancements, social and demographic trends that
affect the way customers engage with financial services companies. All of these have the potential to
impact portfolio alignment and ultimately pose financial risk.
© 2012, CBRE Ltd
March 2012
Page 5
Global ViewPoint
2. CRE Business Continuity Planning
Issues such as terrorism or civil unrest and, increasingly, cyberthreat, are major potential risks to
corporations in many parts of the world. The resilience of physical and human infrastructure to such
issues, including the robustness of IT platforms, is focusing attention on business continuity.
3. Legislative compliance
Legislation such as the U.S. FCPA and the UK Bribery Act is increasingly acknowledged as binding across
entire corporate structures and geographies. Moreover, there is awareness of the full range of current
and prospective regulatory compliance needs. In some instances, this could encompass “cease and
desist” closures, and increased capital requirements due to higher risk profiles. The consequences of noncompliance are also widely recognised and as a result many corporations are tightening their processes
in this area.
4. Developing an organizational culture for HSSE
While health and safety issues may appear somewhat mundane alongside some of the other points
covered in this paper, their potential to disrupt business in many different ways is such that they are often
viewed as being of equal importance as, say, security threats. There may also be the need to overcome
internal resistance from staff in treating these issues with the required seriousness.
5. CRE data management and management information systems
As noted above, risk registers or inventories are emerging as a common mechanism for assembling and
managing information on CRE risks, with identifiable benefits for data and process transparency, as well
as thoroughness. The data should be regarded as no less important than any other piece of
management information.
6. Measurement of risk through the CRE performance management framework
Embedding risk management objectives within performance management frameworks for individuals and
teams is increasingly regarded as an effective way of ensuring that policy goals are reflected in corporate
value and behaviours. This reflects the need to associate CRE risk management aims with measurable
outcomes.
7. Supplier due diligence process
Financial strength and reputational risks, among other forms, can be strongly linked to the performance
and practices of affiliates, suppliers and other points of contact in a corporate network. There is growing
awareness that getting one’s own house in order, while necessary, may not be sufficient to address all
relevant areas of risk. Tighter scrutiny and due diligence around the appointment and management of
suppliers, contractors and others is a common result.
8. Closing skills gaps
In addition to general awareness-raising, some companies are appointing individuals and teams to CRE
risk management posts where they are explicitly tasked with implementing and overseeing processes to
manage key areas of risk. Training and development of other employees to encourage widespread best
practice in this area is also common.
9. CRE communications processes
Any expansion in the reach of data, or introduction of new processes, requires effective communication to
ensure awareness and compliance. In some instances the mechanisms to achieve this will already be in
place; in others they may need to be newly-instituted.
March 2012
10. Financial contingency
Financial institutions are acutely aware of the direction of regulation and the growing requirement to
retain capital buffers against the possibility of losses relating to lending or other activity. Prudent balance
sheet management has always been an imperative, but is becoming even more important.
Page 6
© 2012, CBRE Ltd
Global ViewPoint
For more information regarding this report, please contact:
Andrew Hallissey, Executive Director
Global Corporate Services, EMEA
St Martin’s Court
10 Paternoster Row
London, EC4M 7HP
t: +44 (0)20 7182 3528
e: [email protected]
David Chang, Regional Strategist
Global Corporate Services, Asia Pacific
4/F Three Exchange Square
8 Connaught Place
Hong Kong
t: +852 2820 2872
e: [email protected]
Ben Chirgwin, Managing Director
Global Corporate Services, Americas
33 Arch Street
28th Floor
Boston, MA 02110
t: +1 781.837.6898
e: [email protected]
Brad Henderson, Senior Managing Director
Global Corporate Services, Americas
18 King Street East
Suite 1100
Toronto, ON, M5C 1C4
t: +1 416-992-8956
e: [email protected]
Richard Holberton, Director
Research and Consulting, EMEA
Henrietta House
Henrietta Place
London, W1G 0NB
t: +44 (0)20 7182 3348
e: [email protected]
CBRE GLOBAL RESEARCH AND CONSULTING
CBRE Global Research and Consulting is a network of preeminent researchers and consultants who collaborate to
provide real estate market research, econometric forecasting and consulting solutions to real estate occupiers and
investors around the globe.
FOR MORE INFORMATION REGARDING GLOBAL RESEARCH ACTIVITY PLEASE CONTACT:
Nick Axford, Ph.D.
Head of Research, Asia Pacific and
Senior Managing Director, Global Research
t: +852 2820 8198
e: [email protected]
Asieh Mansour, Ph.D.
Head of Research, Americas and
Senior Managing Director, Global Research
t: +415 772 0258
e: [email protected]
Follow Asieh on Twitter: @AsiehMansourCRE
Peter Damesick, Ph.D.
EMEA Chief Economist and
Senior Managing Director, Global Research
t: +44 20 7182 3163
e: [email protected]
Raymond Torto, Ph.D., CRE®
Global Chief Economist and
Executive Managing Director, Global Research
t: +617 912 5225
e: [email protected]
Disclaimer
CBRE Limited (CBRE) confirms that information contained herein, including projections, has been obtained from sources believed
to be reliable. While we do not doubt their accuracy, we have not verified them and make no guarantee, warranty or
representation about them. It is your responsibility to confirm independently their accuracy and completeness. This information is
presented exclusively for use by CBRE clients and professionals and all rights to the material are reserved and cannot be
reproduced without prior written permission of the CBRE Global Chief Economist.
© 2012, CBRE Ltd
March 2012
Page 7