Risk management in social housing is becoming an important issue where governance is vital, particularly following several high-profile failures and frauds reported by the Homes and Communities Agency. However, some housing providers still think of risk management as ‘merely’ a compliance obligation or box ticking exercise, when in fact it does have considerable power to improve business performance through better decision-making and information distribution.
When discussing in which areas of their operations housing providers should use technology for risk management, Andrew Noone, a governance, risk and compliance (GRC) consultant for Ciber UK, said, “All business processes contain some degree of risk; the key factor is being aware of them, understanding the impact of the risks, and how to manage or mitigate the risks. With evolving technologies and compliance obligations, it’s becoming more difficult to manage risk using traditional methods. For example, the adoption of mobile working and customer self-service can introduce a new layer of risks in addition to existing financial or data protection standards."
Adding to the theme of organisation-wide risk management, Intuitive Business Intelligence’s channel development manager Richard Abraham said, “By consolidating and presenting the key data, business intelligence (BI) dashboards significantly enhance the ability of every department within a housing provider to quickly identify and respond to potential risks.”
Intuitive cited the example of Bernicia Group which has implemented a BI dashboard to extract key data from its housing management and CRM databases, as well as several different spreadsheets, thereby giving Bernicia staff instant access to trending visibility and critical metrics across its housing, tenant profiling and employee statistics. This has led managers to analyse performance, improve efficiencies, enhance client service and ultimately reduce levels of risk across all of those areas.
Heidi Waites, Managing Director of service charge experts Opus, said, “There are a number of risks that need to be managed by our customers. These include staff turnover and the resulting loss of business knowledge, mis-codings of actual spending leading to loss of income, multiple databases meaning that data is split over many sites, and the inability to service their needs using in-house resources and the consequent external costs.”
Protecting Sensitive Data
The encryption of devices such as laptops, USB drives and email are all effective in managing secure data within an organisation. “At a deeper level, the encryption of data on enterprise storage would prevent it from being used in an inappropriate manner if it was removed from the physical location somehow. Beyond this, a robust perimeter protection system around any public-facing systems that serve sensitive data is essential.” Ciber’s Noone added, “Intelligence-led governance relating to non-financial data is a becoming a focus area due to the growing requirement to integrate financial and operational systems. Having up-to-date, enterprise wide data available allows better risk management policies to be implemented across all areas of the business, not just areas with a financial focus.”
PCMS’ Walton said, “Risk management is a board-level activity without a doubt. For example, the criteria for ISO27001 clearly state that the board must take responsibility for the risk treatment plan and management activities around a given system; whether a business is ISO27001 compliant or not, this is still sound advice. Information incidents inevitably lead to financial and/or
reputational losses, so it’s essential that risk management is discussed at board level. To ignore this is the equivalent of burying your head in the sand and hoping for the best without preparing for the worst.”
Intuitive’s Abraham said, “While it is important to discuss and demonstrate at board level the capabilities of the technologies being implemented, it is also important to embed risk management into the organisation as a whole and therefore it must be a ‘top-down’ initiative implemented and supported by the board and linked to the housing provider’s corporate objectives.”
Overlapping Risk With Performance
Equally, the risks associated with spiralling maintenance costs can be considered alongside the performance levels of the contractors – who is performing well and offering value for money and who is not? If risk management criteria are included when setting individual KPIs and metrics for risk, then using technology to internally monitor performance should lead to a reduction in a housing provider’s exposure to risk.”
Ciber’s Noone added, “Risk management strategies should be reflected in defined and measurable outcomes to help organisations very clearly understand “what does good look like?”. Performance management software must then be able to reflect, monitor and assess the achievement of risk management KPIs to enable risk managers to measure and report their success.”
Modelling & Predicting Risk
Last word goes to Noone who said, “Risk can be mitigated by setting thresholds above which monitored risk factors create alerts; in this way technology, acting as an early warning system, can be used to nip growing risks in the bud. While there are no crystal balls, the best technology goes beyond ‘simple’ alerts to pro-actively analyse trends in data and KPIs to predict emerging risks and identify the business activities causing them. Of course, this relies on the accuracy of the data being monitored and modelled; to some extent, data integrity itself becomes a risk to an organisation.”