On-Demand: Foundations for the Future-- Risk Management for Owners, Developers and Operators
October 14, 2020
We discussed smart and effective ways that owners, developers and operators can protect their businesses, keep the operation running, and protect their assets.
Lisë Stewart:We're going to be talking today about some of the risk management issues that are really pertinent for our business owners, our developer and operators. Please do, feel free to send in any questions along the way. We'd really like for this to be a true conversation. So, I'm going to start today with you, Eric. Just can you tell us a little bit about what you're hearing out there? We know that COVID has certainly affected a lot of people, but the whole area of risk management is certainly to the fore in people's thinking. So, what are you hearing? What do you think is going on?
Eric Diamond:Oh, thank you, Lisë. Good afternoon, everyone. I'm really happy to be here with Lisë and John today to be discussing risk management, which is really a hot topic right now. As Lexi mentioned, my name is Eric Diamond. I'm an Audit Partner out of our New Jersey office. I provide audit and accounting services for public and private real estate clients. So, the effect of COVID has impacted many areas of our personal lives as well as our businesses. In a really short period of time, we had to learn how to run our businesses with our offices being closed, employees working remotely, tenant space being closed. Many of our tenants are experiencing cash flow difficulty. All while we're trying to ensure the health and safety of our employees and tenants.
While some companies were prepared for this, many were not. As they started going through this transition, they really identified many areas that they could be improving. Some of them lead to risk areas. Those risk areas categorized into property management operations, accounting and financial reporting, and cybersecurity. So, today's session is going to be taking a deeper dive into each of those areas.
Lisë Stewart:Good. Thank you. I agree, I think that those are really important. I know, I'm going to be adding a little bit of flavor in terms of this personal risk management as well, which I think is really integral to all this different planning that we're going to be doing. So, John, what about you? What are you hearing out there in the big wide world from your clients? Tell us a little bit about you too.
John Delalio:Sure. Hi, Lisë. Thanks for the intro. Just to give everybody an idea why I'm here, I run a part of our practice called cloud accounting, which is a new concept in outsourced accounting services. It's relevant to what we're talking about risk in two ways. One, the primary goal of the service is to put all the technology into the cloud. By doing that, you might think that it adds some risk. I'm on the internet, what if the internet goes down? Data has shown that's not happening actually. By putting the systems into the cloud, they stay up. They're secure, and they're very easy to integrate between different systems. So, you eliminate a lot of manual data entry. That allows our team to be much more efficient. So, therefore, we can put multiple people on an account, multiple accountants on an account.
So, we have many eyes on our clients, books and records. That is another way that we can avoid risk. So, what I'm hearing right now is that a lot of clients saw their systems and their accounting departments go through major stress in the last few months since COVID struck. A lot of them are looking towards either a cloud accounting technology, consulting to get them into the cloud or a fully outsourced cloud accounting technology or service like we provide. I think Eric did a great job of pointing out like the three areas where we see cloud accounting making a big difference, which is the operations and the property, the accounting and finance. Cybersecurity is always a risk.
Lisë Stewart:Right. Okay. All right. So, since you guys have set it up so nicely for us, then just go through those three sections at a time. So, Eric, yeah, you set it up when you had your little intro there. So, talk to us a little bit about the management and the operations. What should people be thinking about?
Eric Diamond:Sure, so the first thing I'm hearing from my clients is from a property management operations perspective, it's all about understanding your leases, now more than ever. So, with tenants closing and vacating and going through possible financial difficulty and requesting deferred rent payments, understanding your leases and the terms of those leases is really critical. Landlords might be incurring additional expenses for cleaning and sanitizing, which could impact cam recoveries. So, all of these changes and modifications really could have a lot of implications from either financial, legal or even operational perspective. The other big thing that really impacted all the clients was the travel bans that were put into play starting back in March in April.
Many of the operators were limited, unable to visit or go to the properties like they typically used to. This really impacted them from being able to assess repairs, typical communication, one-on-one directly with tenants, as well as being able to show models to potential renters. But amazingly, before we knew it, everything was taking place virtually. That was all because of new technology or just the use of existing technology. Most of my clients said that all those virtual aspects are just as effective as they were before. But the one thing they weren't really considering is some of the risk and some of the risk with that additional technology that they're using. We'll talk about that in a little detail.
The other thing I'm hearing a lot about is it's all about the tenant experience. They really need to continue to make sure that it's a positive experience for the tenant. That means a lot of my clients are just checking in more frequently with them, more open lines of communication, really making sure that the tenant understands that from a landlord's perspective, the safety and well-being of the tenant is their top priority. It's making sure that the tenants feel comfortable at the property.
If it's an office property, working with the tenant to understand the protocols that are going to be put in place if they're reopening their offices; or for multifamily properties, a lot of my clients are doing virtual events to keep the community together. So, it's really important to make the tenant feel comfortable in this situation and make sure you're reaching out to them.
As John touched upon it, I think really the biggest thing from an operational perspective is just the change into a remote working environment. This is something that over the past decade, some companies have started getting to, but nothing like the change that we saw. In a while, a lot of clients have definitely started to go back to offices, maybe in a limited capacity, and even going to the properties. Some of them have not. For either one of them, it's just something that as a whole, most of us have not been really trained to manage a fully remote team. So, there's a lot of risk with that.
It's really understanding your employees and understanding their needs. How much time do you have to spend to check in with them and have meetings? How do you motivate them? Now that you're not face-to-face in an office, how do you keep your employees motivated? One of the biggest changes that almost every company is going through is some of their employees may not be able to work the typical 9:00 to 5:00 hours. Although, 9:00 to 5:00 is never typical anymore, but between childcare and virtual schooling and caring for elders, some people may have to work early hours, late hours. So, you really have to manage that to make sure that you can support them.
And then just from an IT perspective, with the amount of people that are working at home right now, do they have a suitable working environment? Do they have a fast internet connection that's secure? Which we will definitely talk about later. Do they have dual monitors or printers that they need? Some of my clients have been offering reimbursements to employees if they have to buy some equipment or even desks or chairs just to make their home office really suitable. So, that's what I'm seeing right now from a lot of my clients on the property operational side.
Lisë Stewart:Great, good. Thank you. What about you, John? I'm just going to toss the ball right down over. What are you seeing from the property and operation side?
John Delalio:Well, what's great about the timing right now is that a lot of the technology that has been growing, I've been in this business for over 20 years, and the cloud didn't exist in 1999. It was all about Y2K, but the cloud has appeared, and it's grown as a concept. All this technology, it's not bleeding edge anymore. It's standard technology. The technology can solve problems. Eric talked a lot about the problems that are out there, but how do you actually solve them? To give you an example, Yardi is like the classic real estate management platform. They're entirely in the cloud. Now, if you go to Version 7, they host it. So, you don't have to worry about servers and all that stuff, which is great.
But what's really great to solve problems at the property level, I'm an accountant, so it has to do with me, AP and AR. How do you deal with your tenants in a virtual world? How do you deal with your vendors that are servicing your properties in a virtual world? Yardi, in particular, has got some great tools. They have this thing called VendorCafe and TenantCafe. They got this great sound. Yeah, let's have some coffee and go the website, but they provide serious value to property owners quickly, because your tenants have an online portal that they can see their bills. They can pay their bills. They can put in scheduled work requests all without picking up the phone or going to see somebody. So, it gives them a better service. I think they also have an ability to market properties that are up for renewal.
So, they actually can make your organization better. There's others. ClickPay's another one that's got a really nice tenant feature. On the AP side, there's a lot of technology that allows bills to be paid entirely online where vendors can email in a receipt. It's scanned by artificial intelligence, it's categorized, it's coded. It's approved for payment, and then it pays out of your bank.
You can pay automatic file transfer or by cheque. You can do it from your phone, right? You never have to see somebody. You never have to open an envelope. You don't have to lick a stamp, not if you lick many stamps, except for the ones at the bottom of your drawer. But that's what's really fun. At the property level, the technology is there to actually solve the challenges you're having at the property level.
Lisë Stewart:Great, thank you. So, this seems to be a good lead into you. So, Eric, I'm going to want to toss it back to you from the accounting, financial, reporting section, right? So, John's going to open the door for us to talk about how the technology might be able to support that. So, from your perspective, what's going on? What do you see?
Eric Diamond:John, I mean, you're absolutely right. I mean, I see that with a lot of my clients. I mean, we literally were getting calls right after some of the lockdowns talking about, "We don't have a cloud-based system. Our people have to come into the office and basically sit at their desktop. What do we do?" I think some companies had to make that change immediately. Others had the ability, just maybe not for everyone. It really is making everyone rethink their accounting software. A lot of the companies have been using the same accounting software for quite some time, and maybe never needed to change. But now, this is definitely making them rethink that.
On the policies and procedures side, it's interesting that you say that, because I have a number of clients where they basically had to be in the office. They were collecting cash, depositing cash. They were sitting there reviewing, approving, and signing checks. Now they had to quickly change. Some of them went to their tenants and really encouraged paying electronically or via credit cards as well as some of them implementing, you talked about the electronic approval process. But I think one of the most important things is as they're going through some of those policies and procedures, they really identified that some of the old ways that they were doing things maybe were inefficient.
The new ways of doing things, which most likely now incorporate a little bit more of an element of technology, are really saving them time. So, people are now able to spend whatever that is, three, four, five, six extra hours that they're saving because of this new technology and refocus that. Instead of working on some of the mundane time-consuming tasks that they were basically just used to.
I'll give one example, where an owner used to spend six hours a week just sitting at his desk, reviewing and signing every individual check. Now that that's taking place electronically, it's taking about an hour. Now he can focus on what's really important for the company, and that's growing the business. So, I think this unfortunate circumstance has really led companies to take a look at some of the way they do things and really force them in a position to improve, which is to their benefit.
John Delalio:So, one of the areas I want to just dovetail on what Eric's talking about is he started out the entire conversation about risk. To me, at accounting, there's two risks. There's fraud and not handling your cash correctly, right? That's your business, right? People are stealing from you or you can't manage your business if you don't know where your cash is. Those can put you into some awful situations. I know Lisë is going to talk a little bit about some of the things you can do to make sure your team is backed up and you have people that are there that can replace if something happens to your team.
But what about risk? What about the risk of fraud? They say 99% of corporate fraud is from a single act or one person. I was on the phone with a CFO of a major family office. He basically said to me, he's like, "John, you know as well as I do that if somebody has a bookkeeper operating on QuickBooks desktop, they can steal. They can access the bank account. They can change records in the system without being notified or anybody seeing it. They can do bad things."
I had one colleague who had an employee steal half a million dollars of PPP loan money from their business that actually an outside accountant caught. This was a trusted bookkeeper that has been there forever. I think it was Ronald Reagan, who said, "Trust, but verify." But we always look at it that way, so that you never want one person handling your cash.
Think about a lot of companies have the check stock locked up in a cabinet. Well, COVID hit, that check staff went home with the bookkeeper, right? So, they can pay the bills. That's like a major problem that needs to be addressed. That's what we're helping clients, either through looking at their process or using technology, because the cloud, all that goes away. It's all taken care of in the cloud.
And then the second thing is how you manage your cash and particularly in real estate where you have clearly the whole industry is under distress. There's also opportunities in there, but you've got to understand which properties are performing and which properties are not. I have a client who was on a great property management system, I think AppFolio, so their tenants were all happy. But they had a desktop-based software in the background managing the accounting of 30 entities. Well, we've taken them and put them on a single platform, cloud platform, where now they can track all the cash going between all the organizations and actually do proper multi-entity accounting, where you have a due to or due from and a consolidation report. So, you can understand where it all goes.
As we dug into it, we found that they were actually chasing the cash, right? One property was distressed, you move cash to it. Well, then the next one was distressed, will you move cash to that? It was bouncing around, made it impossible for them to manage cash. But by putting in the cloud, multi-entity solution could all be managed at a high level and thereby decreasing the risk of their organization. So, Lisë, I know you're going to talk a little bit about that employee level risk, right?
Lisë Stewart:Mm-hmm (affirmative).
John Delalio: That trusted bookkeeper.
Lisë Stewart: Right, right. Yes. In fact, I might circle back to that, because we do have a question to both of you. What about this accounting software? I know sometimes we're a little loath to talk about what we would recommend, but can you? Are there different programs that either one of you would say our clients should be looking at?
Eric Diamond: I'll start, and John, then you could dovetail off of that. I mean, we get that question actually a lot. It really does depend on the company. It depends on the company's size, the volume of the transactions, how much are they willing to spend on IT. But the two names that keep coming back, and I think John mentioned one, are Yardi and MRI. I mean, they really are the two top tier choices, the best reputation. They're probably the most common that I see. That doesn't mean that they're the only ones.
I have a lot of other clients that use other packages, a little bit more reasonably priced that have that cloud-based software. Some of them, Sage and Xero, even QuickBooks actually has a version, QuickBooks Online. So, you really have to take a look at your company. But Yardi and MRI are the two very popular ones. I mean, that's most of what my clients have me. John, what are you seeing?
John Delalio:Well, I don't mean to throw any shade into that, I think they make some great products. I have a religious thing about desktops or software. I'm done with it. It's all got to be into the clouds. You realize to someone with someone that have a major bias. So, at the low end, there's two great applications, Xero and QuickBooks Online. They're really good for an entity just getting off the ground or maybe you rent an apartment down in Hilton Head or something like that. You just need to keep books and records for this one rental. Those apps are really good. They're in the cloud, you can connect to various things. They do an excellent job for not a lot of money.
I have one real estate client who goes between North Carolina and New York. She doesn't want to be carrying her desktop around, so she can get to our system. So, she can get to it anywhere, anywhere there's bandwidth. You don't have to mess with all that remote desktop stuff. So, that low end there is that. Then when you get a little bit more complicated into more entities, then you got to look at some other options.
There's a great application by Sage called Intacct, which is to say the level up from Xero and QuickBooks. It's awesome in multi-entity accounting. So, a lot of family offices use it, a lot of real estate companies use it. A lot of just regular businesses use it. So, it's a pretty powerful solution. NetSuite's in there too, which is an Oracle product.
Then you tip into like the real estate packages. Yes, Yardi is at the top of the pile, MRI. There's another one called RealPage. They all have different pros and cons and they fit different clients. And then there's also some applications that came down market that are very successful, like AppFolio and Yardi Breeze. So, those are good, but you got to understand where your organization is going to understand what's right for you. I have one prospect right now who's starting out buying distressed hotels, putting it into a portfolio.
The question is, "Well, where do I go?" Because the hotels can be managed by somebody else. I have a holding company, an operating company, a management company. Where do I all put it together? His portfolio is a mixture of hospitality and commercial real estate. So, it's not a one-size-fits-all. You got to look at the organization and what's right for them.
Lisë Stewart:Great, good. Thanks, guys. John, I'm just going to jump back to that lovely lead-in that you gave me about the employees, because it's one thing to have a great accounting software or whatever it is that you use. But if something happens to you or to the person who knows how to get into that software, then you've got a problem. Those are some of the risks that I think a lot of business owners don't think about. So, I want to just pause for a moment here and think about some of the personal aspects of risk management.
We had an interesting situation a couple of years ago. We had a wonderful business owner. He employed about 200 people. He had various entities, including real estate as well as several other businesses. He had several kids in the business, but he was one of these people who'd grown his business from the ground up. He kept a lot of the information very close to his chest. He liked to be the one who really understood the finances better than anybody else. He had a controller, but that was about it. Unfortunately, he had a heart attack and passed.
Nobody knew how to get into his computer. Nobody knew how to get access to the most important financial information particularly quickly. The other thing that was interesting is that he had relationships with people outside of the company. He had relationships with some investors. He had relationships with bankers and so on. People didn't know who they were or how to reach them or what were the most important decisions that needed to be made, etc.
So, one of the things that we really like to encourage our business owners to do is to think about what are some of these risks. So, just as a starting point, one of the tools that we use is something that's called a desk plan. So, a desk plan is a document that a business owner can fill out. You can also have some of your senior employees fill it out. It simply says, "If anything should happen to me, if I'm incapacitated, here's what you need to know." So, it will list out things such as who should be contacted immediately, who are the most important people on the team that need to be able to step in and take over.
For example, many business owners have never allocated somebody in their company to step in and take over day-to-day operations and key decisions. So, when something untoward does occur, everybody is scrambling. So, somebody might say, "Well, I think I better make these decisions." But it can cause an all-out war when people are not in agreement as to who that person should be. So, thinking about that ahead of time.
Also, making sure that people know where you keep your passwords. Maybe it's just one trusted person. Maybe it's your outside attorney or it's your accountant or whoever it might be, but somebody needs to know what those passwords are, so that they can get into your computer and take care of the most important business. If you're having to make financial decisions or other things really rely on you, what does that really look like?
So, a disk plan is a simple risk management document that helps you to inform other people about what needs to happen. If anyone ever wants to see an outline or understand how to fill those out, we have examples of those on our website. You can always email us for more information.
One other thing that I think is important is unfortunately, in our line of work, and it's a terrible risk. Again, COVID has really brought this to the fore. When something bad happens, the family is often left in disarray. The employees are lost and left in disarray. People just are confused about what the next steps should be. So, here's a book that I like to use called The Peace of Mind Planner. I'm going to hold that up so that people can see it. There are lots of different examples of this online. It's called Important Information about My Belongings, Business Affairs, and Wishes. So, there are different tabs for every section, about your business, about your life insurance, about your retirement plans, your personal property, you name it.
I think one of the greatest gifts that anybody can leave behind for their families, for their employees is information about what to do when times are really difficult. So, I know a lot of times in business when we start talking about risk management, it's all about the business and the business systems. These are all very, very important. But I will tell you that in the moment, when something like this bad really happens, people draw great comfort in being able to find the information that they need in one easy place. So, that we're not adding to the burden that's already there caused by grief and so on. So, I just want to put that plug in there. So, make sure that your employees know what to do and who to turn to on your team to keep things running even if you just get sick.
So, with that, thank you guys for letting my little plug in there about personal risk. Then somebody just asked again about what the name of the book is. There are many of these online. This one happens to be called The Peace of Mind Planner. There are many examples of it. I've got several on my desk here. So, they're relatively inexpensive, and they're a great tool. This one is actually by Peter Pauper Press. I have reviewed dozens of these types of books, and this is my favorite. I think it's really the best laid out peace of mind planner.
So, with that, I'm going to turn it over to probably one of the hottest topics that keeps coming up over and over again. That is cybersecurity. So, people are really talking a lot about how difficult this is and what they should do and when they should start doing this planning and what the first steps are. So, I'm going to start with you, Eric. Can you talk to us a little bit about what are some of the advice that you give your clients around cybersecurity?
Eric Diamond:Sure, Lisë. Actually, before I go there, you made me think of something, but earlier I was talking about how a lot of companies are going through and improving and updating a lot of their policies and procedures. It's really important that as you're going through, and I know, this is the auditor of me talking, but it's documenting those policies and procedures. Because to your point, if something happens to someone, do they have the passwords? Do they know how to get into stuff?
Also, if an employee gets sick or if they leave the company, having that documentation that basically lays out, these are the roles, these are the responsibilities. If you have to have another employee take over or you hire someone, they now have the documentation that they know to follow. So, definitely a big recommendation. As companies are going through and updating their procedures, definitely put that in writing, document it, because that's that gift to leave behind also to help the next person, so.
Lisë Stewart:Exactly, I agree.
Eric Diamond:So, yeah, cybersecurity. Cybersecurity was a hot topic before COVID. After COVID, now, it has really become a major concern. Early, I've been talking about remote working, John is talking a lot about accounting software upgrades to cloud-based online systems, but also how businesses are just doing things much more virtually now. They're using more technology. The increase in technology increases cybersecurity. A lot of companies over the past six months have been changing their policies and procedures very effectively, but how many of them have really been considering the risk associated to that with the cybersecurity?
I mean, everyone else has a lot of other things on their plate right now, but it's really critical, because the number of breaches is really increasing. If you think about it, people are working from home way more now. So, the number of emails, whether it's internally between employees or tenants or service providers, is increasing. Emails is one of the easiest ways that hackers can get into the system.
Another thing we're seeing, landlords are working with tenants on a lot of offices that are opening up have to have protocols put in place for contract tracing and temperature checks. A lot of that could have employee information. That could be very confidential. So, there's a lot of things now that we're doing to help us get through this that are increasing the risk. It's really important for companies to take a step back and just think about some of the short term and the long-term goals to protect the company.
But it's not only prevention though. I mean, prevention is definitely the first line of defense, but it's also how to react. So, it's very important to have a plan in place that if your systems do get breached, how are you going to react? Because I mean, I've had clients where they've been hacked, and they have not been able to access their GL for up to two weeks. So, you really want to think about not only the prevention side, but how are you going to react if in fact, it does happen?
Lisë Stewart: Right, yeah. John, what about you? What can you add to this conversation about cybersecurity?
John Delalio:Well, I'll tell you one of the funnier stories or scarier stories with me is I got an email from a vendor saying, this was a prior position I was working at, basically asking me for something odd. I replied back and said, "This is not an email, I think your system might have been hacked." I got back an email said, "No, it hasn't been. It's okay." Right? Well, I didn't respond to an email. It came to find out I was actually exchanging emails with a hacker at the time that the email was sent. So, that was really eye opening for me as far as how real the cybersecurity risk is out there.
I talked a little bit about how a lot of people are wondering whether the cloud's secure and whether that actually increases your risk level or decreases. I actually believe it decreases your risk levels for a lot of reasons. The biggest is these are major companies that are spending millions of dollars in secure infrastructure. If they get hacked, it's not only you who's going to be impacted, but it's going to be their entire portfolio of customers.
One of the vendors we deal with is Bill.com. I think I heard something like they moved $14 billion worth of money around per year. That's a lot of money, but you can be sure their security is top notch. As a business owner, you don't need to worry about it. By the way, if your auditors want attestation that they're secure, you can contact these vendors and they'll provide you the SOC reports or whatever that you need to satisfy your auditors that in fact, your system is secure.
The other part that's really nice about them is they have backup all figured out and business continuity. So, literally, the systems never go down. If they do go down, you can get to them anywhere in the world where there's internet. It really, in my mind, eliminates a lot of the cybersecurity side.
But I also find that what do you do with all those other things that you work within your business that you store on those shared drives? We have a group called PRTS, Process, Risk, and Technology Services, that looks at all of that and can figure out solutions for clients to get away from the old, "Well, we got a file server sitting on the corner that's got all our records," and put that into a secure place that's managed and monitored properly for security.
Lisë Stewart: Right, right, good. Thanks, John. We have a couple of questions that are popping in. So, I think we're going to do these real-time. First of all, there is a question about finding the desk document on our website. So, we will send out a link directly. It's buried in the family business area on the website. So, we'll make sure that people have access to that. It's really a very popular tool. So, I'll do that. Another question is coming up. John, this might be a good one for you to start with, because you had talked a little bit about fraud. That is if I suspect that fraud is occurring in my firm, what's the first step?
John Delalio:That's a very good question. Fraud is not my expertise. I do know that EisnerAmper does have a fraud group that specializes in that. So, I would suggest definitely talk to your accountant first and foremost. Usually, there's an entrance to your account anyway, because they're doing the audit or they're doing the taxes. So, it might not raise any red flags. But that might be your place to start. Again, I'm not really an expert in fraud. I try to prevent it, but definitely, local authorities should be notified as well. Again, not my expertise.
Eric Diamond:I mean, I could follow that, John, a little bit. Unfortunately, a good number of my clients have had some fraud. The one thing though is if they're suspecting a little bit, a lot of times, companies will want to do their own due diligence, which is fine, right? Before they go to an accounting firm or a law firm to figure it out, you do want to be careful with that, because chances are if there is fraud, it's eventually going to find its way possibly in litigation or in the courts.
So, it really is a good idea depending on what the situation is to talk to professional, to make sure before you start going down a path of investigating yourself and having conversations or digging through files, you're going to leave a trail. So, definitely recommend if you do suspect something, talk to a professional that can guide you in the right steps, even if you don't want them to do it themselves and you want to take care of it, at least having someone to advise you.
John Delalio:Yeah, I think, Eric, there's also something else to think about. This is like the good side and the bad side of the cloud. So, with employees, the old way to identify fraud was making employees take two weeks of vacation. All the banks do that. I even know there's a yacht club near me that basically the bookkeeper and the boatyard stole half million dollars over four years. They finally got her, because she went away for two weeks. So, that's a great way to identify it is to make sure all your employees are away for a certain amount of time, somebody can back them up. But with the work from home, it's almost impossible now to keep somebody out of the system for two weeks, because they can literally login from their vacation in Aruba and keep things going.
So, you've got to look at that old technique that used to work through a new lens and say, "Okay, well, how can I deal with that risk and cap it?" I guess I would look towards more outsourced accounting as a solution. I realized it's like a gratuitous plug for my own business, but that's not the purpose. It's just more a matter of getting a second set of eyes on your books and doing some deep dive, maybe not an audit, maybe an audit. But just always have a second set of eyes on your books is really the recommendation.
Lisë Stewart: Right. Another thing that we sometimes recommend to our clients is to do some risk scenario planning. So, what that means is we suggest that as an owner, sit down with your senior management team. Every once in a while, particularly when maybe you're reviewing your strategic planning documents, which I'm hoping everybody heard the webcast on strategic planning and has one. So, is to brainstorm a list of potential things that could go wrong. Whether that's fraud, a pandemic, some natural disaster in your area, some key person getting sick, whatever it might be, you simply brainstorm a list of what these issues might be. And then you develop some ideas about how you believe you and your team should react to this and identify, "What are the current gaps in your ability to react effectively?"
So, what are those gaps information in your IT system? Are the right people have the right information? Is it a backup of policies or whatever it might be? So, risk scenario planning can be a very effective exercise. I mean, just imagine what it would have been like if many companies say a year ago had been doing some risk scenario planning about, "What happens if there's a major pandemic?" We know that we've been told that that was important, and it could be coming down the pike, but I will tell you that most businesses really just didn't consider it. So, a lot of us were just caught on the hop.
So, now I think is such a great reminder, that risk happens, right? Stuff happens. The more prepared we are, the better we can respond in a way that's going to have better and more positive impacts for our business. So, just food for thought as we go forward.
All right. We are open for questions if anybody has some additional questions to ask, but I would be curious to see from the two of you, just like my point about risk scenario planning. Is there anything else that you really believe that's going to be important for our clients who are listening today to know and understand about risk management? So, Eric, I'll start with you this time and then I'll jump to John.
Eric Diamond: Yeah, sure. I want to follow something that John talked about a little bit. We were talking about fraud and cybersecurity in emails. If a company is concerned about cybersecurity, they obviously definitely can bring in a firm. John mentioned our firm does it as well as others to do initial risk assessment. But considering that companies might want to be a little careful now with their budget and spending, there's still a lot of things that they can do on their own.
I mentioned it earlier, but emails is the number one way that hackers can get into your system. I mean, John said it himself, he was emailing with the hacker. There's a lot of things that companies can do. It's just taking a look at what your employees are doing. What systems are they using? Are employees using personal email or Google Docs or Dropbox to transfer company documents? I mean, if they are, that's a red flag. You need to make sure that they're only operating within the company system. Even Zoom, making sure that companies are using whatever system that you have, whether it's like a WebEx or anything else.
So, you really want to educate your employees to make sure they know the risks, because unfortunately, it only takes one employee for a hacker to get into the system. Just talking a little bit about emails, and you could just go online and find top 10 lists of stuff, but they're very common. The typical CEO or CFO sending an email to someone asking for a wire transfer, and you say to yourself, "Well, why did they do that?", because employees actually will execute it. They're afraid to ask. So, in your organization, if that's never happened before, and all of a sudden, you get an email, you have to be a little suspicious.
Also, they always say, a lot of misspellings in emails, or if it's dressed to general terms, hello as opposed to address to someone's name. These are all things to really look after. If you're really uncertain, take a look at the actual email address, because they're very good at disguising it. They'll change one letter or one period to conform to what the company's typical email addresses are. So, these are all what I like to call very simple, very easy. Companies can put out a one-page letter to the employees just letting them know. Especially, like I said, with the increase of emails, it's out there right now. So, I think that's a very simple step for companies that they could take on their own.
Lisë Stewart:Great, thanks. John, what are we thinking?
John Delalio:I'm going to take a higher-level view to respond to that. Basically, what actually keeps me up at night for my clients is how their business is going to be successful with what's going on in the economy right now, particularly the real estate market. Who knows what's going to happen next? It actually frightens me to think about people making business decisions without realizing how much cash or resources they have available to them to make a decision.
I think capping these risks is excellent. I think the cloud technology in particular, whether you run it yourself or you work with an outsourcer to run it for you, give you a great way to cap these risks and really control them without having to do them yourself. However, the real benefit is that you can control that risk and get better information and more timely information about your business to make decisions.
Yeah, I talked to about that investor who's investing in hotels. His business model is to buy distressed hotels, fix them up, wait. And then open them. And then he's off, off to the races, great business plan. But that's going to take a lot of information. Right now, he's like, "Well, John, I can manage all of this in my head, I know where all my investments are." Also, none of those properties are operating right now. So, he's definitely putting in money and resources to do construction and build out and all that. But once things turn up, his organization could get very squirrely very quickly. And then you add in all the other stuff with real estate funds and debt, it gets very complicated.
As a real estate owner and a real estate investment family, you don't need to worry about that thing. You can actually get that information when you need it with some expertise and minimize some of the risks that we've been talking about here today.
Lisë Stewart:Right, great. So, we do have a question about the risk assessment. I think, Eric, you may have mentioned that a moment ago. So, the question to you is, "What does a risk assessment entail?" You had mentioned the fact that we do that.
Eric Diamond:So, from a cybersecurity perspective, so a company will come in. They will take a look at your company's infrastructure. They'll take a look at some of the things that we've been talking about in terms of, "What is your current IT system? What is your accounting software? What protections do you have? What email servers, what portals are using?" Basically, what are the internal and external sources you're basically using? They'll be able to identify how vulnerable a company can be.
They also take a look at going through the emails to identify, "Is there a spam filter?" You'd be amazed at how many emails companies get that are spam and potential hacking that people like John or myself or Lisë, we don't even see, because they get blocked right away. So, that's an important thing. So, the specialist, the consultants will come in and take a look at that. This way, companies can get a sense of really how vulnerable they are. Is it something that they need to take immediate action on, or they have a little bit of time?
Lisë Stewart:Right, good. Great. Well, I see that I think we've answered the questions that have come in. We have covered a lot of different areas here today. I know that there may be other questions. So, please, if anybody does want to follow up or get in touch with any of us, we are very happy to continue this conversation. I do want to thank absolutely everybody for joining us today and to also make sure that you realize that we have another one of these webinars coming up on October the 22nd. That one will be about How to Build an Effective Board. We'd love to have you join us and to register.
So, if you're interested, please go to eisneramper.com/REfamilies. There you'll also find some other resources and information that might be helpful to you as you start to plan for the future. Again, I really want to thank my colleagues, Eric and John, for joining us today. I hope you all have found this useful. We've certainly enjoyed putting it together. So, we hope to see you for the next one. Thank you, everybody.