GN1.5: Environmental risk control and assurance

Guidance Note purpose 

The purpose of this Guidance Note is to provide asset managers, property managers and facilities managers with information about environmental risk control and assurance in relation to real estate. 


Managing environmental risk involves establishing a range of control and assurance arrangements that are integrated within a wider governance framework. 

This includes nominating roles with accountability for risk, and roles with responsibility for undertaking various risk management activities, and enabling individuals undertaking these responsibilities to develop the required risk management competencies. 

Alongside the identification and evaluation of risks, it is important to develop controls to mitigate significant risks.  The effectiveness of these controls should be assessed, and the assessment outcomes reviewed regularly, by individuals at the appropriate level of managerial control. 


Risk controls enable the effects associated with environmental risks to be mitigated, preventing exposure to potential threats and the loss of potential opportunities. Assuring the effectiveness of risk controls enables a company to make robust, informed decisions regarding how best to manage uncertainties about the future.

Having a formal system for managing environmental risks is a requirement of various rating and certification schemes, for example ISO 14001.

Responsibilities & Interests

The table below summarises the key activities associated with environmental risk control and assurance, and highlights where asset managers, property managers and facilities managers are likely to have a responsibility or specific interest. 

  • AM - Asset Manager
  • PM - Property Manager
  • FM - Facilities Manager

Step 1: Allocate environmental risk responsibilities  


Step 2: Define competence and provide training 


Step 3: Develop risk controls 


Step 4: Assess the effectiveness of risk controls 


Step 5: Provide governance over environmental risk 



How to



Usually, the environmental risk framework adopted for a property or portfolio will be specified by an asset manager, in alignment with a wider corporate risk framework. The process of environmental risk control and assurance is often co-ordinated by a property manager, with input from a facilities manager where required.

Environmental risk control and assurance generally considers the following steps: 

Step 1: Allocate environmental risk responsibilities


It is important that a senior individual is nominated to be accountable for environmental risk across a company. It is likely that accountability for environmental risk will be combined with wider accountabilities for non-environmental risk.

The responsibilities for various risk management tasks should be allocated to individuals at the company, portfolio and property levels.  These may include, for example: 

  • Risk identification and assessment. 
  • Maintaining risk registers. 
  • Developing risk controls. 
  • Assessment of risk control effectiveness. 

Step 2: Define competence and provide training


As accountabilities for managing environmental risk vary across a range of roles and seniority, it is important that appropriate training is provided to enable individuals in these roles to carry out their responsibilities competently.

For example: 

Senior leaders with overall accountability for environmental and non-environmental risk should have a robust understanding of the way in which environmental risks may affect the company strategy and how to interpret the outcomes from the assessment of risk controls. 

This competency can be developed through a combination of formal briefings from qualified risk professionals, for example, and through the provision of concise briefing material. 

Risk assessment specialists should have in-depth knowledge of risk assessment and auditing.

Individuals undertaking local aspects and impacts assessment should be familiar with the process and associated documentation. 

The competencies for risk assessment specialists and practitioners can be developed by undertaking accredited training courses and attaining qualifications, for example, and through in-house classroom style courses or e-learning. 

Step 3: Develop risk controls


Risk controls are often developed at managerial and operational levels. 

  • Managerial controls usually involve strategic interventions to control risks rated as significant. For example, considering the recruitment of suitably qualified resource to manage compliance arrangements and environmental risk management, or commissioning climate resilience studies in relation to the risk of climate change.
  • Operational controls are developed so that operations and activities can be undertaken in a way that mitigates associated risks. For example, procedures for handling, storage and disposal of hazardous waste or the use of hazardous cleaning chemicals. 

Operational controls are usually prepared: 

  • In the form of work instructions, procedures or manuals. They are best prepared in accordance with an existing document control procedure. 
  • With input from individuals undertaking the related operational activities, along with suitably experienced individuals with responsibility for risk. The operational control is developed in a way which enables practical and efficient operations while mitigating the associated risk to a level which is acceptable.

Step 4: Assess the effectiveness of risk controls


The assessment of the effectiveness of risk controls can be undertaken in various ways. For example, audit programmes are: 

  • Often developed to check that operational controls are being followed. 
  • Usually undertaken by a suitably trained auditor. 
  • Often built on other available data which may indicate where risk mitigation is not as effective as intended.

Environmental occurrence trends are also used to help assess the effectiveness of environmental controls.  Environmental occurrences indicate where an environmental control has not been effective in controlling risk. Through investigations into the root-cause of the occurrence, remedial action can be undertaken to improve the control, or its deployment. 

Step 5: Provide governance over environmental risk


It is important that the management of environmental risk is undertaken within an appropriate governance framework. 

The governance of environmental risk most often includes a series of meetings throughout an organisational hierarchy to review identified risks, their significance and the associated controls. It is important that the effectiveness of environmental risk control is also reviewed within these frameworks, including:

  • The outcome of audit reports. 
  • Trend information. 
  • Findings and recommendations from occurrence investigations. 

By considering both environmental and non-environmental risks, risk governance frameworks usually aggregate the assurance of risk from the local property level through to portfolio and company levels.

Likewise, risks identified at the corporate level may be cascaded to the most local level of managerial control. 
