This article was first written a couple of years ago for an industry magazine. Some of the material is slightly out of date but the principles have not changed. If anything I am more convinced about the need to limit the extent of the enterprise model.
This article discusses three aspects of risk management within a property environment: strategic, operational, and construction or project. Each of these components of risk management is applicable to all industries, but they have been adapted here as a practical application to the property industry.
Background
Risk management is a diverse discipline covering potentially all aspects of business. Different streams of risk management have developed over time, primarily in the insurance, finance and safety industries, using a variety of different methodologies. Despite the similarities of the risk management framework that have emerged through the development of the Enterprise Risk Management (ERM) model, the types of individual risk management activities practised at a bank, for example, are very different from those undertaken within a government department or a manufacturing plant.
Risk management has also been traditionally associated with stopping things from happening or minimising their impact – accidents, credit crunches, catastrophic bushfires and the like. The current risk manager is, or should be, also preoccupied with making good things happen using the same risk management principles – making sure projects are completed on time and within budget, assisting with the achievement of corporate objectives and exploiting business opportunities and infrastructure investments to maximise the reward, whilst managing the risks.
While the management of individual risk has always been with us, as a management discipline, risk management is relatively immature. Australian Standards, with the introduction in 1995 of the world’s first risk management standard, AS4360, provided the pathway for the risk management industry to develop to the extent that there is now widespread acceptance of the need to have embedded risk management cultures and processes within organisations, although there is disagreement within the field on how far that needs to be implemented.
In the period since 1995 the profile of risk management has increased due to its role in effective corporate governance, fuelled by some key developments in the past few years:
- The collapse of HIH in Australia led to an increased regulatory regime for insurers under the Australian Prudential Regulatory Authority.
- The Sarbanes–Oxley Act of 2002 is a U.S. federal law passed in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, and WorldCom.
- In Australia in March 2003 the Australian Stock Exchange ("ASX") Corporate Governance Council published "Principles of Good Corporate Governance and Best Practice Recommendation" for the guidance of ASX listed companies. Risk management figured prominently among the ten essential principles and placed heavy emphasis on the Board and the Chief Executive and Financial Officers understanding and signing off on their risk management activities.
- 2004 saw the introduction of the Enterprise Risk Management — Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
- In the Victorian Government sector the introduction of the Public Administration Act 2004 required the Boards of public entities to inform their Minister and relevant Department Head of known major risks to the effective operation of the entity and of the risk management systems that it has in place to address those risks.
Boards and senior management have responded accordingly. The interest and oversight from boards have increased the focus and quality of risk management within organisations. Due to the increased regulatory regime, risk management is currently predominantly focused on financial risks, compliance and corporate governance. In Aon's 2006/07 Australasian Risk Management and Total Cost of Insurable Risk Survey, company CEOs and directors nominated corporate governance as the top risk concern for the second year running. One wonders whether this is a concern about their own personal risks rather than the risks to their organisations.
Risk Management Methodology
The Australian Standard on Risk Management, AS 4360 (the Standard), and its accompanying handbook, HB 436, describe a widely accepted methodology for the risk management function and associated processes. Along with the Standard and handbook there are a multitude of articles and tutorials which explain the risk assessment process for those interested in digging deeper. At its heart, risk management is about decision making and prioritising the use of finite resources. All assessment techniques, despite their differences, have that in common. Regardless of which techniques are used, it is very important that they are specifically tailored to the organisation. Establishing a consistent nomenclature around risk greatly helps the communication process.
The ERM model is the result of the application of a single risk management framework across the entire organisation. It relies on aggregation of risk analysis information from individual business units along with input from strategic and project risk management processes. It requires a high level of risk awareness from all areas of the organisation and a recognition that each area impacts on other areas and that everyone is responsible for managing risks.
Taken too far, ERM can be extremely resource hungry as it disperses throughout the organisation and there are dangers associated with quality of risk information, expertise of individuals and the focus on process and documentation rather than outcomes. Those considering a move to an enterprise model should be wary of adopting too evangelical an attitude to risk management. A key element of success is knowing when to stop.
Strategic Risk Management
Strategic risk management is concerned with the strategic objectives of the organisation and with managing the risks associated with those objectives to maximise the likelihood that they will be achieved. It is also concerned with emerging risks and those risks that are not under the direct control of the organisation. Emerging risks such as climate change, the war for talent and an ever-changing regulatory landscape are not restricted to any one organisation, and their management is a collective effort which involves individuals, organisations and governments. A prudent organisation can recognise emerging risks and make adjustments to strategy in order to either offset a future negative or take advantage of a future positive trend.
For the property industry, risks like climate change and the war for talent may have a profound effect on its future strategic direction. Energy efficient buildings with low maintenance services are already becoming more desirable to both property owners and occupiers despite the sometimes high initial costs of such an investment. Changes to the regulatory and legal landscape can be anticipated and effectively managed to ensure that robust compliance, maintenance and inspection activities are in place and appropriate for the associated risks. An intimate understanding of the cost of managing existing risks leads to better decision making around the management of future risks. Changes in the risk profile of existing buildings due to climate change (e.g. energy efficiency, increasing flood, windstorm or bushfire exposures) may require retrofitting of additional physical controls and should be determined by an appropriate risk engineering assessment. These risk changes are likely to be gradual, but consideration should be given to these issues for such things as site selection and design of new buildings.
Strategic risk management can be practised in several ways, but fundamental to the process is the need to align the risks to the objectives of the organisation and to identify emerging risks. At a minimum that requires engagement from the executive and the Board. A risk workshop in which the risks are identified and discussed at the highest level can be highly effective and generate the type of buy-in required from the Board and senior management. In an ERM model this type of strategic risk workshop is integrated into the business planning process and is practised at several levels of the organisation depending on the relative size and complexity. Done well, this type of activity can lead to more consistent achievement of corporate objectives.
It is also useful to look backwards as well as forwards. A fundamental component of risk management is the continuous review and communication function. A corporate objective performance review should include a component on risk management to identify the core reasons why objectives were not met and ensure that they are addressed in the next cycle of business planning and strategic risk management.
Operational Risk Management
The property industry, like many others, is highly regulated. Most of the regulatory requirements are focused on life safety such as the Building Code of Australia and the State regulatory regimes dealing with occupational health and safety, treatment of in-situ asbestos, the risk of legionella from water cooling towers and the like.
Strict adherence to compliance will therefore go a long way toward managing the operational risks that the property poses to the public and its occupants. Compliance alone, however, will not identify and manage the risks to the property, the property owner or the tenant. Property and equipment protection, continuity of business operations and risks associated with breach of professional duty require an additional level of analysis. One way of doing this is through a physical risk survey. The property insurance industry underwriting report presents a model upon which this can be carried out. A COPE survey focuses on Construction, Occupancy, Protection and Exposure to identify and quantify the risks and recommend improvements. An expanded COPE survey can be used to quantify the risks and expand the scope of the survey to include such things as professional practices and the giving of advice.
Such surveys should be carried out in a number of circumstances:
- by property owners on a recurring basis (say every two to three years)
- as part of due diligence for buying a new asset
- as part of a business case for a new building
One important aspect of managing the risk to the public is the need to maintain good records. Defending a liability claim against a third party is greatly enhanced by a robust risk management methodology that is diligently followed and recorded. There is general acceptance that not all risks can be mitigated and that a system of prioritisation is a reasonable approach with finite resources. However, poor record keeping can undermine the best risk management. Records need to be accurate, continuous and kept, in many cases, for several years in order to provide good protection against third party liability claims. The round of tort law reforms within Australia earlier this decade has reduced the risk of third party claims to property owners by removing “nuisance” litigation. However, the risk environment never sits still and there are signs that the balance may swing toward the plaintiff in forthcoming years. This observation is also relevant to the compliance environment, in which there tends to be regulatory creep in response to particular severe risk events that occur from time to time. Public liability can be tricky and it may be better to stick to a consistent risk management regime over time rather than try to continually adapt to a changing risk environment.
Construction Risk Management
Construction projects have a number of constraints and pressures:
- Budget
- Time
- Multiple stakeholders
- Compromised deliverables
- A highly competitive industry
These and other factors combine to create an environment in which a lot of things can go wrong, occasionally spectacularly. A formal risk management approach can be very beneficial in identifying underlying risks to the project that may remain hidden under a standard project management methodology.
Having said that, the most effective form of project risk management is to follow a formal project management methodology, which is a separate professional discipline in itself and is concerned with managing the myriad resources, materials and stakeholders within a strict reporting and tracking methodology. Project management has many in-built risk management features that go a long way to ensuring that the project is delivered on time, on budget and on-spec.
Integrating a risk management process into a standard project management process is not a simple task. The level of rigour and formality needs to be commensurate with the size and complexity of the project. As with any project activity, the earlier that risk discussion can be introduced into the project management process the better. Changes driven by risk considerations need to be identified during the feasibility and business case stages in order for them to be implemented cost effectively. Similarly, risk considerations associated with layout, occupancy, construction materials and fire protection need to be addressed during the early design stages so that practical solutions can be determined.
The tracking of risk treatments needs to be incorporated into the project management process. Individuals need to be held accountable for the completion of those treatments.
Historically the key activity in the management of risk has been the contract negotiation. In many cases substantial resources are devoted to drafting the contract in an effort to transfer the risk to the party willing to manage it, but not necessarily in the best position to manage it.
When a risk materialises in a standard design and construct contract, an adversarial mindset can kick in and the project can suffer accordingly. In recent times the concept of shared risk within a project environment has gained currency. Many large and complex projects financed by state governments in Australia are using the Alliance contracting methodology, whose key characteristic is the pain/gain sharing model, a feature of which is that each party to the contract agrees to hold the other parties harmless for any first party losses that might occur during the project period. Anecdotally the experience has been very positive. Contractors appreciate the model because it removes or shares much of the construction risk that they might otherwise bear by themselves. Losses can still occur, but the theory is that the collaborative culture created by the Alliance and the inability to sue any other party mean that all attention is focused on fixing the problem or avoiding it in the first place. We should expect to see more Alliance projects in the coming years given the projected infrastructure expenditure by State governments around the country and the capacity constraints on the construction industry.
Regardless of the type of contract in place, at the very least the project stakeholders should get together for a risk workshop. Risk workshops rarely reveal hidden risks but what they do is to get the stakeholders talking about risk in an open manner, allowing them to prioritize in terms of importance. A half or full day session, well facilitated, can have very beneficial outcomes for the project group and often results in key decisions around project design options, insurance purchases or other risk mitigation measures that might otherwise not have been addressed within a standard project management framework.
It is very important also that the risks identified and managed through the strategic and operational risk management activities are fed into the project risk management process. Examples of this include design considerations around service redundancies, maintenance and compliance costs, building layouts, construction materials and fire protection.
- Risk management has tremendous value to add to an organisation if used appropriately and within its limitations. The formality and resources dedicated to risk management should always be commensurate with the risk profile of the organisation and with a constant view as to whether the activity is adding value.
- The characteristics of a successful risk management program are common to almost any industry. Top-level support is crucial. The increased focus on corporate governance has gone a long way toward achieving this for many organisations but it is common to hear the lament at the top levels that the risk management function is too focused on the methodology and the documentation and not on achieving positive outcomes.
- Be wary of the quality of the information used to carry out risk assessments. Each assessment should be given the sniff test to make sure that the data also matches the intuitive conclusions.
- Stick to the key issues. The majority of risks will either manage themselves or, if they do eventuate, will cause a ripple but not a tremor within an organisation. An holistic approach to risk will separate the key issues from the day to day operational issues.