Third-Party Risk in CRE: Business Continuity Focus

Commercial Real Estate (CRE) firms rely heavily on third-party vendors for a wide range of services, from construction and property management to IT and security. These relationships offer numerous benefits, such as increased efficiency, specialized expertise, and cost savings. However, they also introduce potential risks that can disrupt operations, damage reputation, and impact financial performance. Failing to properly manage these risks can have severe consequences, including financial losses from lawsuits, regulatory fines, and reputational damage leading to a loss of business [1][2]. Effective third-party risk management (TPRM) is crucial to mitigate these risks and ensure business continuity, especially in the face of increasing disruptive events. This is particularly important as the reliance on third-party vendors continues to grow across the financial services sector, including CRE [2]. This report explores TPRM best practices for the CRE industry, focusing on business continuity planning and resilience.

Impact of Disruptive Events on CRE and the Role of TPRM

Disruptive events, such as natural disasters, pandemics, and cyberattacks, can significantly impact the CRE industry. These events can disrupt operations, damage property, displace tenants, and cause financial losses. TPRM plays a crucial role in minimizing these impacts by:

  • Ensuring Business Continuity: By requiring vendors to have robust BCPs and regularly monitoring their resilience, CRE firms can ensure the continued delivery of essential services during disruptions [3].
  • Protecting Against Supply Chain Disruptions: TPRM helps identify and mitigate potential supply chain disruptions that can impact construction projects, property maintenance, and tenant services [1]. For example, a disruption at a critical building material supplier could delay a construction project, leading to cost overruns and potential legal disputes.
  • Enhancing Cybersecurity: Strong TPRM practices help protect against cyberattacks that can compromise sensitive tenant data, disrupt building management systems, and damage the firm's reputation [4]. A cyberattack on a property management system could lead to unauthorized access to tenant information, financial records, and building control systems, potentially causing significant disruption and financial losses.
  • Improving Operational Resilience: By proactively identifying and mitigating risks, TPRM helps CRE firms build operational resilience and adapt to changing circumstances [2]. For instance, having alternative vendors in place for critical services can help mitigate the impact of a disruption at a primary vendor.

Third-Party Risk Management (TPRM) Best Practices for CRE

TPRM involves identifying, assessing, and mitigating risks associated with third-party vendors throughout the relationship lifecycle. In the CRE industry, this includes contractors, suppliers, service providers, and any other external entity that interacts with the business.

Due Diligence and Vendor Selection:

Before engaging a vendor, conduct thorough due diligence to assess their financial stability, reputation, operational capabilities, and security posture. This includes reviewing their track record, financial statements, and relevant certifications [5]. For example, when selecting a security vendor, it's crucial to verify their licensing, insurance coverage, and experience in the CRE sector.

Contractual Agreements:

Establish clear contractual agreements that define the scope of services, performance expectations, security requirements, and liabilities. Include provisions for business continuity and disaster recovery to ensure vendors can maintain service delivery during disruptions [6]. For instance, a contract with a cleaning service should specify the required cleaning standards, frequency of service, and contingency plans in case of staff shortages or unforeseen events.

Risk Assessments:

Regularly assess the risks associated with each vendor relationship, considering factors such as the criticality of the service, potential impact of disruptions, and the vendor's own risk management practices [7]. For example, a vendor providing essential IT services would require a more comprehensive risk assessment than a vendor supplying office stationery.

Ongoing Monitoring:

Continuously monitor vendor performance, compliance with contractual obligations, and adherence to security standards. Implement a system for tracking key performance indicators (KPIs) and key risk indicators (KRIs) to identify potential issues early on [8]. This could involve regular performance reviews, security audits, and tracking of service level agreements (SLAs).

Information Security:

Pay close attention to information security risks, especially when vendors handle sensitive data. Ensure vendors have appropriate security controls in place to protect against data breaches and cyberattacks [1]. This includes data encryption, access controls, and regular security awareness training for vendor employees.

Business Continuity Planning:

Require vendors to have their own business continuity plans (BCPs) that align with the CRE firm's resilience objectives. Review and assess these plans to ensure they adequately address potential disruptions and maintain service delivery [6]. This is crucial to ensure that critical services, such as property management, security, and IT support, remain operational during emergencies.

Communication and Collaboration:

Establish clear communication channels with vendors and foster a collaborative relationship to address risks and ensure business continuity. Regularly communicate expectations, share information about potential threats, and coordinate response efforts [7]. This could involve regular meetings, incident reporting procedures, and joint exercises to test response plans.

Integrating TPRM into Business Strategies for Enhanced Resilience

CRE companies are increasingly integrating TPRM into their overall business strategies to enhance resilience and mitigate disruptions. This involves:

  • Aligning TPRM with Business Objectives: Integrate TPRM into the organization's risk management framework and align it with strategic goals and objectives. This ensures that TPRM activities support the company's overall mission and contribute to its long-term success [7]. For example, if a key business objective is to improve tenant satisfaction, TPRM should focus on ensuring vendors providing tenant services meet the required performance standards.
  • Embedding TPRM in Business Processes: Incorporate TPRM considerations into key business processes, such as vendor selection, contract negotiation, and performance monitoring. This ensures that risk management is an integral part of daily operations [9]. For instance, risk assessments should be conducted as part of the vendor onboarding process, and contracts should include clauses related to business continuity and data security.
  • Leveraging Technology: Utilize technology solutions to automate TPRM processes, such as vendor risk assessments, due diligence, and ongoing monitoring. This improves efficiency, reduces manual effort, and enhances risk visibility [9]. TPRM software can help automate tasks such as collecting vendor information, conducting risk assessments, and tracking performance metrics.
  • Promoting a Culture of Risk Awareness: Foster a culture of risk awareness across the organization, where employees understand the importance of TPRM and actively participate in risk mitigation efforts [10]. This can be achieved through training programs, communication campaigns, and incentivizing employees to identify and report potential risks.

Furthermore, as reliance on third parties grows, so does the need to consider the risks associated with their vendors (fourth parties) and the cascading impact on the CRE firm. This concept, known as fourth-party risk management, highlights the interconnectedness of the vendor ecosystem and the importance of extending risk assessments beyond immediate vendors [10].

By effectively integrating TPRM into their business strategies, CRE firms can not only mitigate risks but also contribute to achieving strategic goals, such as increased efficiency, improved tenant satisfaction, and enhanced brand reputation [10][3].

Business Continuity Plans (BCPs) in the CRE Industry

A BCP outlines procedures and strategies to ensure business operations continue during and after disruptive events. In the CRE industry, BCPs are essential to minimize downtime, protect tenants and assets, and maintain financial stability. And as companies shore up their own business continuity plans, they must consider the impact critical vendors have on those plans [11]. Key elements of a BCP for CRE firms include:

  • Risk Assessment: Identify potential threats and vulnerabilities, such as natural disasters, cyberattacks, pandemics, and supply chain disruptions [12]. This involves analyzing the likelihood and potential impact of each threat on the firm's operations.
  • Business Impact Analysis: Assess the potential impact of disruptions on critical business functions, including property management, tenant services, financial operations, and communication systems [13]. This helps prioritize recovery efforts and allocate resources effectively.
  • Recovery Strategies: Develop strategies to recover critical functions and minimize downtime. This may include backup systems, alternative work locations, and emergency communication protocols [14]. For example, having a backup generator can ensure continued power supply during outages, and cloud-based systems can provide access to critical data from any location.
  • Communication Plan: Establish a clear communication plan to keep tenants, employees, vendors, and other stakeholders informed during emergencies [15]. This may involve using multiple communication channels, such as email, text messages, and social media, to ensure timely and effective communication.
  • Testing and Training: Regularly test the BCP to ensure its effectiveness and train employees on their roles and responsibilities during disruptions [15]. This could involve conducting tabletop exercises, simulations, or full-scale drills to test the plan and identify areas for improvement.

Resources and Guidelines for BCP Development

Several resources and guidelines are available to assist CRE firms in developing and implementing effective BCPs. BOMA International, a leading association for commercial real estate professionals, offers valuable resources, including:

  • Pandemic Guide: Provides guidance on managing commercial buildings during a global health crisis.
  • Civil Unrest Guide: Offers tools and strategies to prepare for and minimize disruptions related to civil unrest.
  • Emergency Preparedness Guidebook: A comprehensive guide to help property professionals prepare for and respond to various threats [15].

In addition to these resources, CRE firms can refer to industry best practices and standards, such as the 13 standards outlined for community agency preparedness [16]. These standards provide a framework for enhancing preparedness and resilience, covering areas such as risk assessment, planning, communication, and training.

Importance of Vendor Business Continuity Plans in CRE

Vendor business continuity plans are critical in the CRE industry to ensure the continued provision of essential services during disruptions. These plans should address:

  • Personnel Loss: Strategies for managing personnel shortages due to illness, evacuation, or other disruptions [6]. This could include cross-training employees, having backup staffing arrangements, or utilizing remote work capabilities.
  • Facility Loss: Contingency plans for alternative work locations, data backups, and communication systems in case of facility damage or inaccessibility [6]. This may involve having a secondary data center, utilizing cloud-based services, or establishing alternative communication channels.
  • Breach/Disruption Notification: Procedures for notifying the CRE firm of any disruptions or security breaches that may impact service delivery [6]. This ensures timely communication and allows the CRE firm to take appropriate action to mitigate the impact.
  • Annual Testing Results: Documentation of annual testing of the vendor's BCP to ensure its effectiveness [6]. This provides assurance that the plan is up-to-date and capable of addressing potential disruptions.

CRE firms should effectively review and monitor vendor BCPs by:

  • Reviewing Plans Before Contracting: Include BCP review as part of the vendor due diligence process [6]. This helps ensure that vendors have adequate plans in place before entering into a contractual agreement.
  • Conducting Annual Reviews: Regularly review and assess vendor BCPs to ensure they remain up-to-date and aligned with the CRE firm's requirements [6]. This may involve requesting updated plans, conducting on-site visits, or participating in vendor BCP exercises.
  • Monitoring Testing Results: Require vendors to provide documentation of their BCP testing and review the results to identify any gaps or areas for improvement [6]. This helps ensure that the plans are regularly tested and validated.
  • Communicating Expectations: Clearly communicate expectations for vendor business continuity and maintain open communication channels to address any concerns [17]. This fosters a collaborative relationship and ensures that both parties are aligned on business continuity objectives.

Conclusion

Third-party risk management is essential for CRE firms to mitigate potential disruptions, protect business interests, and ensure operational resilience. By implementing robust TPRM practices, including thorough due diligence, contractual agreements, risk assessments, and ongoing monitoring, CRE firms can effectively manage vendor relationships and minimize the impact of disruptive events. Business continuity planning is a critical component of TPRM, and CRE firms should require vendors to have comprehensive BCPs that address potential disruptions and ensure continued service delivery. By integrating TPRM into their business strategies and fostering a culture of risk awareness, CRE companies can strengthen their resilience, enhance their reputation, and achieve long-term success in an increasingly complex and unpredictable environment.

CRE firms are urged to prioritize TPRM, develop robust BCPs, and integrate these practices into their business strategies for enhanced resilience and long-term success. This proactive approach will not only protect against potential disruptions but also contribute to achieving broader business objectives, such as increased profitability, improved tenant satisfaction, and a stronger competitive advantage.

Works cited

  1. The rising importance of third party risk management (TPRM) - Deloitte, accessed December 17, 2024, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-the-rising-importance-of-tprm.pdf
  2. The Critical Role of Third-Party Risk Mitigation in Financial Services | Forvis Mazars, accessed December 17, 2024, https://www.forvismazars.us/forsights/2024/08/the-critical-role-of-third-party-risk-mitigation-in-financial-services
  3. Rethinking Third-Party Risk Management: From Compliance to Operational Resilience, accessed December 17, 2024, https://empoweredsystems.com/blog/rethinking-third-party-risk-management-from-compliance-to-operational-resilience/
  4. Third-Party Cyber Risk Impacts the Health Care Sector the Most. Here's How to Prepare., accessed December 17, 2024, https://www.aha.org/news/aha-cyber-intel/2024-08-05-third-party-cyber-risk-impacts-health-care-sector-most-heres-how-prepare
  5. Third-Party Risk Management FAQs, accessed December 17, 2024, https://ociso.ucla.edu/services/third-party-risk-management/faqs
  6. Protecting Commercial Real Estate With Third-Party Business Continuity Planning - Venminder, accessed December 17, 2024, https://www.venminder.com/blog/protecting-commercial-real-estate-third-party-business-continuity-planning
  7. Approaching TPRM Within ERM - Venminder, accessed December 17, 2024, https://www.venminder.com/blog/appraoching-tprm-within-erm
  8. Examples of Key Risk Indicators in Third-Party Risk Management - Venminder, accessed December 17, 2024, https://www.venminder.com/blog/examples-key-risk-indicators-third-party-management
  9. Third-Party Risk Management: The Definitive Guide - Prevalent, accessed December 17, 2024, https://www.prevalent.net/blog/third-party-risk-management/
  10. Integrating ERM into Third-Party Risk Management (TPRM) - IERP®, accessed December 17, 2024, https://insterp.com/integrating-erm-into-third-party-risk-management-tprm/
  11. 19 Best Practices to Manage Business Continuity with Critical Vendors, accessed December 17, 2024, https://vendorcentric.com/single-post/19-best-practices-to-manage-business-continuity-with-critical-vendors/
  12. Business Continuity Plan: The Only Guide You Will Need - Zerto, accessed December 17, 2024, https://www.zerto.com/resources/essential-guides/business-continuity-guide/
  13. Business Continuity Resource Requirements - Ready.gov, accessed December 17, 2024, https://www.ready.gov/sites/default/files/2020-03/business-continuity-resource-worksheet.pdf
  14. IS-12: IT Recovery - policies | UCOP, accessed December 17, 2024, https://policy.ucop.edu/doc/7020451/BFB-IS-12
  15. CRE Industry Preparedness Resources - BOMA International, accessed December 17, 2024, https://www.boma.org/BOMA/Advocacy-Codes/Security___Emergency_Preparedness/CRE_Industry_Preparedness_Resources/BOMA/Advocacy/Security___Emergency_Preparedness/CRE%20Industry%20Preparedness%20Resources.aspx?hkey=c3cc8a46-cbe8-4324-be92-e69586ebc9f6
  16. Tools and resources for community-based and faith-based organizations - King County, Washington, accessed December 17, 2024, https://kingcounty.gov/en/dept/dph/health-safety/safety-injury-prevention/emergency-preparedness/cre/tools
  17. The Basics of a Vendor Business Continuity Plan (BCP) Report - Venminder, accessed December 17, 2024, https://www.venminder.com/podcast/basics-vendor-business-continuity-plan-bcp-report