Protecting Commercial Real Estate With Third-Party Business Continuity Planning

Unforeseen natural disasters and unexpected events can wreak havoc on any business, but particularly for commercial real estate developers. Not only do developers need to worry about the physical building, but also the safety of occupants and operational continuity. To remain prepared, commercial real estate developers must establish a robust and comprehensive business continuity plan (BCP) and ensure their vendors have done the same.

Business continuity planning plays a vital role in safeguarding developers' interests, ensuring client satisfaction, and facilitating seamless business operations. But what happens if the business-disrupting event is with a critical service provider or third-party vendor? Developers must be able navigate disruptions and crises effectively, even when the supply chain is disrupted. 

Let’s cover the basics of business continuity planning and third-party risk management, how to integrate the two together, and key third parties to include. 

Third Parties to Include in Business Continuity Planning 

It's important to consider all critical third parties and suppliers when it comes to continuity planning. These third parties’ service disruptions can directly and significantly impact business operations. An easy way to identify your critical third parties is to ask the following questions:

1. Would an abrupt loss of the third party cause a significant disruption to operations?
2. Would the sudden loss of the third party impact customers?
3. If the time to restore the service is more than 24 hours, would there be a negative impact on the organization?

 If you answer yes to any of these three questions, you’re likely dealing with a critical third party.

Let's explore some examples of critical third parties in commercial real estate development:  

• Security system providers: Robust security systems, including surveillance cameras, access control systems, and alarm systems, are a necessity to protect real estate properties. If these systems were to fail, real estate developers could face break-ins or unauthorized access. 
• Life safety systems: Life safety systems, such as fire detection and suppression systems, emergency exit signage, and emergency lighting, are crucial in mitigating risks and providing a safe environment. A system disruption or loss would increase the risk of accidents and injuries, which would have devastating consequences for real estate developers. 
• Banking or financial partners: In some cases, banking partners could be considered critical to real estate development, particularly if the financial risk with the partner is high. The loss of a key financial partner could create a serious financial shortfall, damaging your real estate firm’s services and reputation.  
• Construction and renovation contractors: These third parties would be considered critical while a project is ongoing. Delays and disruptions can take project off track, reduce property value, and cause financial losses. It’s important to ensure contractors have plans in place to mitigate any disruptions. 
• Insurance providers: An insurance provider would be considered critical to your operations if your real estate firm only used one provider. Generally, it’s recommended to maintain relationships with multiple providers to ensure uninterrupted coverage. If the one provider experiences a disruption or unexpectedly shuts down, developers can be exposed to significant financial risks. 

How Third-Party Risk Management Supports Business Continuity Planning in Commercial Real Estate 

Integrating third-party risk management into business continuity planning strengthens developers’ resilience, protects business interests, and ensures both third parties and developers are able to respond quickly to disruptions. 

Here are 7 steps to including third parties in business continuity planning:  

Step 1: Risk assess each third-party engagement at the product or service level. Use a rating scale of low, moderate, and high risk to categorize your third-party inventory. Understanding the types and amounts of risks present in each engagement can help your organization better identify which risks are significant and require remediation.

Step 2: Identify which of your third parties are critical to your operations or its customers. While all third parties are important, every organization has a subset that is truly critical to their operations. Ask the three questions listed above to determine which third parties or suppliers are critical to your operations. 

Step 3: Conduct risk-based due diligence to validate the third party’s risk practices and controls. Consider their financial stability, operational reliability, information security and privacy, and compliance with industry standards and regulations when evaluating third-party vendors.

Step 4: Ensure critical third parties have robust business continuity plans. This includes understanding their recovery strategies and procedures during a disruption. Review their business continuity plans and ensure these are regularly updated and tested. Maintaining open communication and fostering collaboration with your third parties is vital in this process to ensure expectations are aligned and responsibilities are clearly defined.

Step 5: Test third-party vendors’ business continuity plans. Conduct regular drills to ensure both parties are familiar with the response plans and procedures in case of a disruption. Regularly monitor the performance of your third parties to ensure compliance with expectations laid out in the business continuity plan.

Step 6: Monitor and review third-party vendors’ business continuity plans. Stay vigilant for any changes in the business environment that may pose risks or disruptions. Ensure adherence to compliance standards and update business continuity plans accordingly to reflect these changes. Conduct regular reviews with your third parties to discuss any modifications.

Step 7: Continually improve third-party risk management practices. Once you've completed reviews and tests with your third-party vendors, use the insights gathered to refine your third-party risk management practices. This will create a dynamic and resilient strategy that adapts and grows with your organization and its third-party relationships.

By taking these steps, your organization can ensure business continuity planning is a robust component of your third-party risk management practices.

Effective third-party risk management, which includes comprehensive business continuity planning, is an indispensable practice that empowers commercial real estate developers to boost their resilience, ensure operational continuity, and safeguard their reputation and financial well-being.