Assessing the Risks: How corporate real estate can identify and head off threats to the enterprise

Areas where CRE is at most risk, outside of obvious ones such as physical threats and cyber-attacks

by Raymond Kelly

Raymond Kelly is President of Risk Management Services (RMS) for Cushman & Wakefield, where he helps clients identify potential vulnerabilities, as well as prepare for and mitigate risk in a number of mission-critical areas. This month, Kelly, who also serves as a consultant for ABC News, speaks with the LEADER about the areas where corporate real estate (CRE) is most vulnerable and where it should focus its greatest attention.

Apart from obvious risks, like physical threats to buildings or cyber-attacks, in what areas is CRE most at risk?

The global security profile has been deteriorating over the past year. The malignant expansion of ISIS has fueled an overall increase in terrorist activity as rival groups compete for recruits and media attention. This alarming trend should be of concern to commercial real estate investors, managers and occupiers.

Through social media, terrorist groups are encouraging followers worldwide to launch attacks on Western interests. The Paris attacks in January on the Charlie Hebdo offices and the kosher supermarket show how vulnerable many commercial locations are to these low-tech attacks.

Al-Shabaab’s widely disseminated video which calls for attacks on specific shopping malls in the U.S. and Europe reminds us of their devastating attack on the Westgate mall in Nairobi. We need to move aggressively to assess the risks to our people, facilities and operations from these types of threats and implement common sense mitigation measures.

Are executives focusing on cyber-security to the exclusion of other, equally important areas?

Executives should be focusing on an all-hazards approach to risk. Certainly, cyber-security risks are evolving and growing exponentially and deserve careful consideration. Many firms haven’t paid sufficient attention to cybersecurity issues and have suffered the consequences. Cyber-threats from state actors, corporate espionage, cyber-criminals and hacktivists can inflict massive economic losses and severe reputational damage.

So, too, risks related to terrorism, conventional crime, political instability and natural disasters need to be examined systematically. Corporate leaders need to be proactive in establishing a broad-based approach to assessing risks on an ongoing basis and not be simply reacting to the latest headline.

John Santora, CEO of North America for C&W, has been quoted as saying that, “Global risks are diverse, disruptive, geographic in scope, and constantly evolving.” What global, disruptive events pose the greatest threat to CRE now and what do you anticipate they will be in the next 3 to 5 years?

Threats related to or accelerated by the Internet pose the most significant global risk to commercial real estate interests. We now have a pretty clear understanding of the current risks posed by cyber-criminals and by Internet-savvy terrorist groups, as separate threat vectors. The convergence of those threats, however, is an emerging concern.

The so-called “Internet-of-Things” contains significant vulnerabilities for commercial properties. As building systems (HVAC, access control, CCTV, power, etc.) are increasingly connected to the Internet, their vulnerability to hacking intensifies. This risk is most acutely felt in facilities related to critical infrastructure. Before adopting new Internet-based building systems for their convenience and efficiency, we need to be sure we understand the risks and have adopted prudent mitigation measures.

What are three things CRE teams can and/or should do in the immediate future to protect themselves from these areas of vulnerability?

For the areas of vulnerability we’ve discussed, CRE teams should: 1) undertake an objective, comprehensive risk assessment and implement reasonable mitigation measures, 2) develop or update their Business Continuity Plans and 3) establish a program for periodic drills and tabletop exercises to assure organizational readiness.

In a CRE operation, who should hold the primary responsibility for risk management? Should it be the CEO? The IT department? Should risk management be outsourced?

Ultimately, it’s the CEO’s responsibility. The CEO will set the tone for the organization, which is critical in establishing the importance of risk management in the organization’s culture. The CIO/CISO will play a key role in managing the more technical aspects of risk in the IT arena. The Chief Operating Officer, Chief Risk Officer, General Counsel, Chief Financial Officer and Communications head all have critical roles to play in a robust program of risk management. Increasingly, members of the Board are learning they need to take an active interest in risk issues, as they have fiduciary obligations that may lead to personal liability.

Outsourcing risk assessments to independent experts has many benefits. It provides the Board and C-suite with objective judgments about their organization’s vulnerabilities and is evidence of their due diligence in fulfilling their obligations.

You have stated that CRE professionals must “think differently” about how they protect their assets. What would this different way of thinking entail?

CRE professionals need to think differently and more broadly about their critical assets. Their critical assets are those things that are necessary for the continued functioning of their organizations. Those assets include personnel, data and facilities. Those assets may be in your office or on the other side of the world. They may be under your control or operated by your suppliers or customers. A systematic effort to identify those assets is the first step toward providing for their protection. This identification of critical assets serves as the foundation for a comprehensive risk assessment.

You have also said that each CRE operation should perform a risk assessment. Can you explain what this assessment captures and what the process entails?

The risk assessment proceeds from the identification of critical assets with a determination about the nature, extent and likelihood of threats to those assets. Then, the organization’s current security arrangements are examined to assess its vulnerability to those threats. Next, credible predictions are constructed about the likely consequences of realized threats. Finally, based on the magnitude and significance of the consequences, risks are prioritized for mitigation.

Undertaking the implementation of reasonable risk mitigation measures need not be overly burdensome or costly.

Raymond Kelly
Raymond Kelly is President of Risk Management Services (RMS) for Cushman & Wakefield (C&W). Prior to joining C&W, Kelly served as Commissioner of the New York City Police Department (NYPD) under former Mayor Michael Bloomberg, where he held the distinction of being the longest-serving Commissioner in NYPD history. Kelly also established the city’s Counterterrorism and Intelligence Bureaus after September 11, 2001.