Risk Management for Real Estate Owners, Developers and Operators

COVID-19 has impacted many areas of our personal lives and businesses. We had to quickly learn how to continue to run our business with offices being closed, employees working remotely, tenants’ spaces being closed, tenants experiencing cash flow difficulty—all while ensuring the health and safety of our employees and tenants. While some companies were prepared, many were not. We must use this experience to help us identify where our risk areas are and how to improve on those so that we can be better prepared in the future. This transition has definitely brought to light some main risk areas within our organizations: property management and operations, accounting and financial reporting, and cybersecurity.

Property Management/Operations

First, companies must read and know their leases. With some tenants closing and vacating, others trying to defer rent payments, landlords potentially incurring additional cleaning and sanitizing expenses, companies need to understand the full terms of their lease agreements and how changes to the property and lease modifications could impact the company from a financial, legal and operational perspective.

The travel bans implemented in the spring limited operators from visiting properties. This impacted their ability to assess repairs, communicate directly with tenants, and physically show models to potential renters. All of this now takes place virtually. Companies need to protect themselves when using this new technology for virtual meetings to assess repairs and show rental units. Most companies believe these new methods are effective, but they should be aware of the risks and how to protect themselves when using additional technology.

With all of the changes and obstacles facing tenants, companies should ensure a positive tenant experience. One way is by having open lines of communication. Tenants’ safety and health is the company’s top priority, and they will continue to provide them a property in which they feel comfortable—whether that means making sure an office space is safe to reopen or holding virtual events for residents so that they still feel part of a community. Companies may need to spend more time with individual tenants to understand their specific needs. Consider providing tenants value-added services such as on-demand delivery, concierge services and contactless access to the property.

While some companies have returned to their offices and properties, others have not. For those still operating with remote employees, most of the management teams were never trained on how to fully manage a remote team. Management should identify what is the appropriate amount of employee check-ins and meetings. There is now a greater need to understand employees and how to keep them motivated. Some employees may no longer be able to work the typical 9 a.m. to 5 p.m. schedule due to childcare or caring for an elder, so it is critical that employees remain effective and efficient. Is the remote working environment suitable? Does staff have the necessary secure internet connections, dual monitors or other IT equipment? Some companies are reimbursing employees if they need to purchase certain equipment and office supplies to be able work efficiently.

Companies should create a response plan if another similar public health emergency and/or shelter-in-place directive happens again. Think about the changes that were made during the first 48 hours of the pandemic and ensuing weeks. Create, review and communicate a plan so employees know exactly what to do, what systems to use, and how to communicate. This includes having a plan in place of how companies will communicate with tenants. It is critical that tenants know how companies will address any issues, continue to operate the property, and work with them. This communication could be via email, letter, phone or Zoom calls. The two most important aspects of this plan are (1) having the right systems in place; and (2) having the most effective methods of communication in place to reach out to employees, tenants and service providers.  

Accounting/Financial Reporting

Some clients have been using the same accounting systems and following the same set of policies and procedures for years; there was never a need to change because they worked just fine. However, the immediate pivot to a remote working environment made many companies realize that their accounting systems were outdated and did not allow for remote access. Or, their policies and procedures were now obsolete because they required people to be in the office for tasks like collecting and depositing cash, or reviewing, approving and signing checks, and so forth. Many companies quickly identified the need to encourage tenants to pay electronically or via credit cards, and, thus, implemented electronic approvals for invoices and paying checks.

If your company was on an older accounting system that required an employee to be in the office to access it, that has probably changed or is currently changing. Many companies have or are in the process of converting to online and cloud-based software packages that allow employees to obtain access from anywhere. This leads to more timely information that allows management to better manage cash and make more informed decisions.

As companies implement new policies and procedures, many are realizing that they were being inefficient. This new technology-based approach gives them additional time to focus on other key aspects of their job, instead of mundane, time-consuming tasks. For example, why should an owner spend six hours a week reviewing and signing invoices and checks when they can use that additional time to grow the business?

Cybersecurity Risk

Recent changes include remote working, upgrading accounting software to an online cloud-based solution, and leveraging technology to operate the business virtually. All of these changes are increasing companies’ use of technology, which also increases cybersecurity risk. Many companies successfully changed their processes quickly to adapt, however, in their necessary haste, they may have overlooked potential cybersecurity vulnerabilities. Working remotely significantly increased email traffic among employees, tenants, service providers and so on. Working with tenants to provide a safe environment may require the need to electronically accumulate additional personal information. Increased technology use makes it easier for hackers to access companies’ computer systems for their nefarious purposes.

Assess your company’s risk of a potential cybersecurity attack, identify short-term and long-term objectives to protect your company, and devise a plan of how to detect and mitigate an attack. Prevention is the first line of defense, but companies must be prepared to react if a breach does occur.

Companies can address cybersecurity either through a specialized consulting firm or internally. If you go the latter route, there are many things you can implement. Consider the systems that employees are using remotely. Are they secured through your company’s IT system, or are they using their personal systems to send and receive documents via Google Docs, Dropbox or Zoom? The use of these platforms outside of the company’s secure IT system is a red flag for cybersecurity risk. Employee communication and training are critical. One of the easiest ways for hackers to access a system is via email. Train employees on email red flags. For example, if the CEO or CFO has made a never-before request for wire payments via email, emails addressed in general terms like “Hello” as opposed to using names, and grammar errors and misspellings. Further, always look at the actual email address to ensure that it appears appropriate and conforms to the company’s email addresses.

Companies that clearly communicate and work with their tenants, staff and vendors in property management and operations, accounting and financial reporting, and cybersecurity will be in a much better position for success in an evolving work environment.