Commercial real estate (CRE) managers are tasked with building thriving businesses and protecting their properties from a wide variety of risks… However, public outcry for action on climate change and new environmental, social and governance (ESG) pressures are resulting in new green building codes, carbon emissions laws and fiduciary exposures for business owners, directors and officers.
Many CRE managers are finding themselves unequipped to manage these new financial and operational risks.
Green risk management (GRM) is a process you can use to reduce exposure and economic risk related to sustainability, while maximizing financial value for your real estate business over both the short and long term.
GRM provides a simple framework for:
- Assessing risk
- Identifying exposures
- Financing green building projects
- Transferring risk
- Managing risk over time
With a GRM plan in place you will prioritize – and implement – sustainability strategies, even when financial resources are scarce.
Most importantly, by understanding GRM you’ll transform yourself from an ordinary commercial real estate manager into a “green building black belt” – one who is prepared to fight, and win, the challenges of climate change in the decades to come.
Getting Started With Green Risk Management
The job of a green risk manager is to determine how much business risk to retain and how much risk to transfer through insurance or other means.
Conventional enterprise risk management focuses only on managing the downside from strategic, financial, operational and compliance related risks…
Green risk management not only helps you manage these downside risks, but also values the potential upside of sustainability solutions to climate and business risks.
The GRM process includes four steps:
- Green risk assessment
- Green building project planning
- Green project financing
- Green risk transfer
This article describes Step 1, the green risk assessment.
In Step 2 you’ll learn about the green building projects that top real estate investors use to reduce risk and increase value. In Step 3 you’ll learn about green project financing, even when you have no cash available. In Step 4 you’ll learn about green risk transfer – the best practices for minimizing your exposure to catastrophic risk, transferring risk through insurance and checking contractual risk transfer between parties.
1) Green Risk Assessment
The first step in GRM is the green risk assessment. This is a six (6) part process following the ULI Center for Sustainability and Economic Performance risk-assessment process for climate change risk.[1]
Whereas the ULI process helps assess climate change risk to entire urban areas, the green risk assessment focuses on ESG risks to your commercial real estate assets.
ESG risks include external climate related risks and internal risks related to green building projects, social and management decisions.
The GRM process places emphasis on mitigating those risks that are controllable and transferring to insurance those risks that are catastrophic or unreasonable to retain.
The six (6) part GRM process starts with identifying hazards which can lead to events that impact your assets and cause damage, and ends with estimating the cost of managing risks in the short and longer terms. The six (6) parts are:
- Hazard identification (A hazard is something that increases risk of loss… What factors related to sustainability could increase the potential for losses to your commercial real estate?)
- Event definition (An event causes a loss. What losses could your CRE business experience? Some losses from events may be insurable whereas others are not. Events fall across a spectrum and are defined by frequency and severity of loss.)
- Asset identification (Which of your assets could be affected by events you identify?)
- Damage estimation (What is the financial impact of these events to your CRE assets?)
- Annual cost estimation (What is your exposure to events this year and what is the expected cost of these events this year?)
- Cumulative cost estimation (What is the expected cost of these risks over an extended period of time?)
In the first step, the hazards identified may be internal (business driven hazards that you can control) as well as external hazards (climate driven that you have little or no control over). Event definition defines the losses you could experience and prioritizes them according to the probability and severity metrics of events your business may face. Asset identification clarifies which of your business assets may be affected by these events. Damage estimation assigns cash value to potential events. Finally, annual and cumulative cost estimations translate the process into today’s dollars so you can take action.
1) Hazard Identification:
In the hazard identification phase, you identify the factors related to sustainability and climate change that increase your risk of loss.
Hazards can be internal or external. Internal hazards affect only your business whereas external hazards may affect many businesses, including yours.
Internal hazards can include outdated mechanical equipment, inefficient building systems, deferred maintenance items that have become liabilities, over-reliance on fossil fuels, bad or poor quality construction (i.e. less resilient), Internet connected systems or distributed energy resources (DERs) that are not secure, poorly worded construction contracts, poorly worded leases, bad decisions or inaction on climate-related measures by directors and officers, etc.[2]
External hazards include hurricanes, tornadoes, high winds, drought, fires and extreme temperatures, cyber attack or loss of goodwill due to public backlash from poor building efficiency grades or carbon emissions fines from municipalities.
All hazards can increase risk, leading to events that can cause losses for your CRE business.
2) Event Definition:
In step 1 you identified the hazards that can increase the risk of losses in an event. In step 2 you’ll brainstorm the events that could cause losses to your business and visualize which events are the riskiest so you can prioritize your GRM efforts.
For example, an unpatched firewall can be a hazard that leads to a cyber attack event. Cyber risks are ESG risks because cyber crime is social in nature. Cyber warfare is also a constant, asymmetrical battle[3] that is not in our favor. Our personal data is everywhere and can be used by criminals or weaponized against us. Massive cyber attacks such as those at Equifax or Target often start with individual personal manipulation (aka “social engineering”) but result in catastrophic breaches affecting the data of millions of people.
As CRE shifts more toward electrification away from fossil fuels, and is more connected by mobile and IoT devices, building management and automation systems networks, the potential for cyber vulnerabilities – and unwanted access to our personal data – increases.
An extreme weather event or storm can be a hazard that causes a flood event.
But by themselves cyber, flood and other events are meaningless unless we can visualize them because there will always be differences in severity and frequency, which are important for measuring risk.
To help visualize and identify which events you should pay attention to, you can prioritize event types on a chart by ranking them according to two important factors which define the level of downside risk:
- Probability of occurrence
- Negative impact
The level of downside event risk can be clarified by multiplying the probability of occurrence by the negative impact (or severity) of that occurrence.

The chart below ranks events from low to high across a range of 1-10 and uses low, medium and high categories across the two parameters of probability of occurrence and negative impact.[4]
Once an event has been plotted on the graph, multiply the scores for probability and severity together and prioritize the events according to score. The higher numbers will be prioritized over the lower numbers.
This process helps make risks visible and helps with decision making in terms of what risks to focus on.

Events could be an external, weather related flood from a hurricane or 100 year storm, an internal non-weather related flood event from a leaking or bursting water pipe, a fire or a cyber attack, or a building carbon emissions fine.
A 100 year storm is an external event that has a 1% chance of occurring in a given year. The probability of a 100 year storm is relatively low. While you have no control over whether this will occur, the negative impact could be severe.[5]
The negative impact of flooding may not only be costly, it could be catastrophic for a property that is located in an area that is only 1 foot above sea level.
In the next step, after estimating the probability and severity of events you will estimate what assets they could affect.
3) Asset Identification:
In steps 1 and 2 you identified the hazards and events that could impact your CRE business. In step 3 you identify which of your business’s assets could be directly or indirectly affected by these events.
Assets are those that fall within the “three Ps”:
- People
- Property
- Profits
People: How could your employees, investors, vendors, clients or partners be affected in an extreme weather event or a cyber attack? Businesses are often unaware of how disruptive a natural disaster could be to their operation or how much personal data is stored and exposed in their internal networks.

Investment firms such as real estate investment trusts (REITs), real estate private equity companies or small CRE investment funds that raise and pool investment capital from limited partners (LPs) or general partners (GPs) usually collect personal information, including names, addresses, social security numbers, dates of birth, etc. in the course of business. Both GPs and LPs need partnership tax documents prepared by the business each year at tax time, and your business probably collects personally identifiable information (PII) from them in order to submit this information to the IRS.
If your business collects personal data from employees or potential hires, or offers employee health benefits, you may have gigabytes of unprotected personal data on your networks.
If your company suffers a data breach, these people could be harmed by having their data exposed.
Property: Properties that are located in high risk areas such as Florida, New York and New Jersey, should be evaluated based on their exposure to direct physical damage of real property.
Physical factors such as building construction type, elevation, building and building mechanical systems, as well as business interruption (loss of income) from critical equipment and technology that could be disrupted or destroyed by flood, should be considered.
Wood framed construction is considered the weakest construction class by insurers, followed by joisted masonry. Framed construction is most vulnerable to fire, water and wind damage.
Solar developers or buildings with solar photovoltaic installations should reevaluate their exposure to high wind.
Local laws can also create risks to properties. For example, properties in New York must comply with Local Law 97 which imposes strict carbon emissions limits for properties over 25,000 square feet. California and New York both have strict laws regarding data breach and notification of those affected.
Profits: If your business is completely or partially shut down for a period of time after an event such as a storm or cyber attack, your business could suffer from lost business income.
Imagine investing in a solar farm or large solar rooftop project paired with energy storage – and then having the building burn down. If your solar project is producing income for you, such as from renewable energy certificates (RECs) or by selling the renewable energy to an offtaker, you could lose both the real property and business income.
Be sure to have business income coverage for your business and update your business income limits with your insurance broker each year and account for all revenue streams.
4) Damage Estimation:
In step 3 you identified which of your business assets could be affected by these events. In step 4 you will calculate the estimated direct and indirect damage and potential financial cost of a particular event.
Financial estimates of damage from different events will be unique to your situation. To estimate the potential damage to your business assets, you should talk with your CFO, service providers, building engineers, staff and property managers for estimates of the cost to replace assets at each location.
To calculate climate change damage and related event probability, use the free Hazus mitigation modeling software from FEMA to estimate the potential risk from external hazards and events such as earthquakes, floods, hurricanes and tsunamis.
Use the events chart(s) you created in step 2 to build a spreadsheet that calculates the probability of events and the financial damage you would expect under low, medium and high severity event scenarios.
You can download and edit this Google Sheet I created or create your own. Your chart for each event type and severity level may look something like the chart below.

For a flood event affecting a specific asset you would list the types of damage that could occur to the asset (such as water damage, mechanical damage, electrical, business income, roof, foundation, etc.) under each event scenario (low, medium and high severity).
Damage to real property insurance values should be based on replacement cost (what it would cost to replace your building with a new one in a total loss). Replacement costs include the cost of commercial construction per square foot based on the size, building type, construction class and location of your building. Construction cost estimates for different building types can be found here.
Location has a big impact on the cost of construction, and on insurance. For instance a 100,000 square foot joisted masonry building in New York City will cost much more to build and insure than an identical one in Bristol, Rhode Island.
To estimate financial impact, talk with local service providers, building engineers and facilities managers to value the cost of repair or replacement of building systems.
Other possible monetary costs could include lost rents if tenants leave to occupy more resilient buildings. Green buildings have been shown to command higher rents and lower turnover resulting from greater tenant demand.
Other damages could include carbon emissions fines, or indirect damage from poor public perception (damaged “goodwill”) due to low efficiency “grades” on buildings.
5) Annual Cost Estimation:
Use your spreadsheet to estimate the cost per year of the damage to your building in the coming year.
For example in the stacked bar graph below you can see that in the coming year, for the event of flood, there is a risk of $265,230 in damages for this hypothetical property. The least expensive way to manage this risk is through flood insurance.

6) Future Cumulative Cost Estimation:
For projecting potential risk into future years, you can use a net present value calculator to calculate the net present value of future annual risk exposure values.
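The scoring, annual cost and cumulative cost steps can be run together over a small risk register. The sketch below is an added example, not the article's spreadsheet: the event list, scores, probabilities, dollar figures, the low/medium/high cut-offs and the 5% discount rate are all constructed, and it assumes annual cost is the sum of probability times damage across severity scenarios.

```python
from dataclasses import dataclass

@dataclass
class Event:
    name: str
    probability: int   # step 2 score, 1-10
    impact: int        # step 2 score, 1-10
    scenarios: dict    # severity -> (annual probability, damage in dollars)

def band(score):
    """Map a 1-10 score to a category; the cut-offs are an assumption."""
    if not 1 <= score <= 10:
        raise ValueError(f"score {score} is outside the 1-10 range")
    return "low" if score <= 3 else "medium" if score <= 7 else "high"

def priority(event):
    """Step 2: probability of occurrence multiplied by negative impact."""
    return event.probability * event.impact

def annual_cost(event):
    """Step 5: expected cost this year, summed over severity scenarios."""
    return sum(p * damage for p, damage in event.scenarios.values())

def cumulative_cost(annual, years, discount_rate):
    """Step 6: net present value of the annual exposure over `years`."""
    return sum(annual / (1 + discount_rate) ** t for t in range(1, years + 1))

def rank(events):
    """Highest priority score first."""
    return sorted(events, key=priority, reverse=True)

# Constructed sample register; every figure is illustrative.
REGISTER = [
    Event("100-year-storm flood", 2, 9,
          {"low": (0.10, 50_000), "medium": (0.04, 250_000), "high": (0.01, 2_000_000)}),
    Event("cyber attack via unpatched firewall", 6, 8,
          {"low": (0.20, 20_000), "medium": (0.05, 300_000), "high": (0.01, 1_500_000)}),
    Event("burst water pipe", 5, 4,
          {"low": (0.15, 10_000), "medium": (0.05, 60_000), "high": (0.01, 400_000)}),
    Event("carbon emissions fine", 7, 3, {"medium": (0.50, 40_000)}),
]

if __name__ == "__main__":
    for e in rank(REGISTER):
        cost = annual_cost(e)
        print(f"{priority(e):>3} {band(e.probability):>6}/{band(e.impact):<6} "
              f"${cost:>9,.0f}/yr  ${cumulative_cost(cost, 10, 0.05):>10,.0f} NPV(10y)  {e.name}")
```

In this constructed register the flood ranks last by score yet carries the highest expected annual cost, so the 1-10 chart and the dollar estimate are worth reading side by side.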
Footnotes
1. The climate risk assessment process described follows the Urban Land Institute's "A Guide For Assessing Climate Change Risk".
2. In the insurance policy world, hazards are different than "perils". A hazard is a situation that makes a peril more likely to occur. For example the peril of fire could be more likely to occur if the hazard of frayed wires exists in a building, or if the occupants of a building are smokers.
3. If you want a visualization of global cyber attack activity, check out the live, real time cyber attack threat maps at FireEye or Checkpoint Software or Kaspersky.
4. You can broaden your definitions to be as granular as you want... For instance you could use extremely low, low, medium, high, extremely high, etc. Or you can use any range you prefer. If you want a more granular measure, a 1-100 range may be used.
5. Indeed, according to ClimateCentral.org, sea level rise caused by climate change increases the odds of extreme coastal flooding in New York's Battery Park to 33% by 2030.