The first step is the most important | KPMG | CA

ERM is rapidly climbing the real estate audit committee agenda

The first step is the most important

How can ACs fulfill their risk mandate?


Related content

ERM is rapidly climbing the real estate audit committee agenda

While certain types of risks have always been front and centre for real estate companies, they are now facing an expanding threat landscape—one that is pushing enterprise risk management (ERM) rapidly up the audit committee’s priority list. From having the right basic internal controls in place and functioning, to the need to mitigate complex transactional risks, to the ongoing rise of cyber risk, threats that can directly damage an organization are growing in number and intricacy. Moreover, more subtle risks—such as insufficient resources or inadequate talent—may not result in a specific or measurable loss but can lead to missed opportunities or impede strategic execution. Within this milieu, audit committees are increasingly trying to understand and define their ERM role and responsibilities.

A number of factors contribute to this challenge. As real estate companies get bigger and the potential for complex global transactions grows, risk grows as well. Add to that the larger number of public companies and institutional investors in the game, and you have an increasingly sophisticated industry that’s attracting heightened regulatory as well as business interest. Reporting is more complicated, as are the financial instruments and structures that underpin today’s deals. Reputational risk has also come to the fore, as sharing and accessing information online has become instantaneous. The industry is even seeing risks—cyber risk, for instance—that it hasn’t really considered before and for which specific controls and mitigation procedures may be relatively weak.

Audit committees on the risk hot seat

It’s not necessarily that real estate companies aren’t addressing risk—it’s that a large number have not formalized risk policies or put a formal risk management framework into place. Without a real ERM strategy, risk activities become reactive rather than proactive; controls that are not regularly tested and updated become ineffective; and the chances of recovering effectively from a risk event diminish. Aside from the dangers, without a formal risk profile/appetite, an organization’s ability to align risk with its strategic plan, and leverage it to seize opportunities and drive growth, could be severely compromised.

In this volatile environment, private companies should certainly be looking to up their risk governance game; and for the growing number of public companies now responsible to public stakeholders and under a more stringent governance regime and operating model, ERM becomes critical to corporate sustainability. Audit committees, of course, need to clarify their role in the ERM process, so they can strive to put the right questions to management, ensure the right processes are in place and safeguard their own liability.

Along with defining ERM roles and responsibilities, audit committees should pose a number of key questions to both management and themselves:

  • Are we getting complete, accurate and reliable information needed to effectively discuss ERM issues?
  • What is being done to identify industry-critical and company-specific risks?Are we taking the right amount of risk?
  • How are we setting priorities around these risks?
  • Are our risk management efforts appropriately focused not only on identifying risk hazards, but on achieving strategic goals?
  • Have we connected specific elements in the organizational risk matrix to potentially affected aspects of the strategic plan?
  • How do our ERM practices link to our business processes?
  • What mitigation and recovery strategies are in place with respect to high-risk issues?
  • Are we addressing risk effectively both internally and externally?
  • Are current business activities within appropriate risk tolerance limits?
  • Do people in the organization have a common understanding of "risk"?

The first step is the most important

If you’re not already engaged in an ongoing ERM process—one that covers the above questions and more—it’s time to involve your management team and examine your risk management investments and priorities. The first step is creating a formal risk register and ensuring your ERM processes are aligned with and embedded in your strategic plan. Moreover, effective oversight means ensuring that all ERM processes are consistently updated and renewed as the strategic plan evolves.

Developing and implementing an effective risk framework requires an interactive approach and participation from stakeholders throughout the organization. It’s not always easy to make this happen and some may require third-party advice with real estate risk experience. At the same time, you don’t have to do everything at once. If you begin with the risk register, focus on strategic alignment and tailor your program to your organization’s size and goals, the process can be manageable and incremental, allowing you to keep pace with the ever-encroaching risk landscape today’s real estate companies face.

Connect with us


Request for proposal



KPMG's new digital platform

KPMG International has created a state of the art digital platform that enhances your experience, optimized to discover new and related content.