Housing Technology interviewed senior executives from CalQRisk, Civica, Decision Time, FLS (Fast Lean Smart), Futr AI, NDL and NEC Software Solutions on the risk management side of IT, how to measure, triage and mitigate it, the ‘human factors’ of IT risk and its impact on housing providers’ wider business activities.
What are the IT risks specific to social housing?
Gerard Joyce, chief technology officer, CalQRisk, said, “All IT departments, across all sectors, grapple with the common risks of cyber attack, data breaches and system failures, but in social housing I would add technical skills shortages, misalignment of IT strategies with organisational strategies, underfunding of the IT elements of business initiatives, leading to poor technical foundations and deficient reporting.”
Helen Rogers, product director for housing, Civica, said, “There are several factors associated with risk in IT for any housing provider due to the critical services they provide. High on the list would be resilience, performance, security and the ability to deliver services digitally and remotely. These need careful consideration, management and mitigation at all times.”
David Braziel, technical director, Decision Time, said, “The big risks for housing providers are the same as for almost any organisation – reputational and financial damage from cyber security incidents, data breaches or systems failures. Ransomware attacks are on the increase and the regulatory and financial penalties around data breaches, GDPR and information security are significant.
“However, focusing on the specific risks that we are aware of can be a problem; I don’t think any of us had ‘global pandemic’ on our risk registers two years ago, so building general resilience and flexibility to match unknown risks is vital.”
Kitty Hadaway, head of sales for housing, Futr AI, said, “The increase in the volume and complexity of demand means that housing providers’ existing IT infrastructures and tools are no longer fit for purpose. Their siloed data stacks and lack of interoperability mean that every tenant interaction creates a deeper hole.
“Housing providers who have recognised this quickly and fast-tracked their digital transformations are the winners in this paradigm shift, reducing their IT and operational risk, winning awards for their customer engagement and future-proofing themselves against other unexpected developments.”
How can housing providers measure, triage and mitigate their IT risks?
Trevor Hampton, director of housing solutions, NEC Software Solutions, said, “Potential risks need to be considered as part of corporate governance as well as the business and strategic plan. It’s important to ensure that ‘risk’ is a standing item on the agendas of the weekly and monthly operational and executive meetings. This gives you a designated time to consider the probability of an occurrence as well as its potential impact, making it easier to triage risks accordingly and reduce your vulnerability to threats and hazards.”
CalQRisk’s Joyce said, “I would suggest that housing providers’ senior management teams see IT as an enabler of business functions and that any projects or initiatives include details of their IT requirements. The IT risks will thus be identified earlier and the prioritisation for addressing those risks will therefore be project- or business-driven.
“Where necessary, funding for the mitigation of risks can be linked to the function or service associated with those particular risks and thus ensure they are correctly prioritised. For example, the main regulatory risk is about demonstrating compliance with legal requirements; to do this in a cost-effective manner demands technology that can gather the necessary information from many sources and deliver it in a format that satisfies the regulator.”
Decision Time’s Braziel said, “The known risks can be dealt with by a set of layered controls. Taking cyber security as an example, a solid set of security tools (software and hardware) wrapped in a well-designed set of policies and procedures with a working audit and assurance process in place will significantly reduce the likelihood and impact of those risks.
“The unknown risks are harder to meet, but housing providers need to be building spare capacity and flexibility into their systems and processes to be ready for them. For example, housing providers who had already adopted cloud, mobile working and online payments were better prepared for the pandemic than those who had outdated, monolithic or inflexible systems.”
Do housing providers focus on IT risk?
Jeremy Squire, managing director, FLS (Fast Lean Smart), said, “Some housing providers still consider risk management merely as a compliance tickbox, whereas thorough risk management strategies offer the potential to really improve business performance. The biggest risk for housing providers is therefore not exploring the specialist technology options available in order to drive value for money and business efficiency.”
CalQRisk’s Joyce said, “Housing providers don’t focus on IT risk; they focus on where their funding is coming from and how they can ensure best use of those funds. The IT function is thought of as a business enabler and is expected to provide the technology solutions as needed.
“Not enough housing providers take a holistic view and align their IT strategy with their business strategy, compounded by few board members having the skills and knowledge to ensure that their organisation’s IT and business strategies are actually aligned.”
Decision Time’s Braziel said, “Most housing providers have a good grasp of their known risks, but many struggle to build a matching set of controls, actions and review processes to mitigate them fully. Without an embedded risk management framework, it’s hard to ensure that controls are multi-layered, actions are completed and reviews are carried out. Managing this multi-layered information stack across multi-disciplined groups of people in an organisation is difficult, especially if you’re still trying to do it via a spreadsheet or Word document.”
NEC Software Solutions’ Hampton said, “On the one hand, housing providers are now much more aware of the dangers and consequences of, say, a ransomware attack, so business continuity and disaster recovery are now priorities.
“On the other hand, housing providers’ business functions often prioritise departmental requirements above the ‘whole system’ view, and in some cases, the business functions don’t associate IT risk with their operational decisions. For example, one department might be using a separate system for asset management that requires integration into the main IT system rather than using just one consolidated system to reduce the IT risk.”
How does IT risk affect housing providers’ wider business operations?
Civica’s Rogers said, “Quite simply, IT is the backbone to housing providers’ business operations. There are many business-critical systems including integrated housing, asset, contractor management as well as customer portals which are essential to the running of the business. Without robust, scalable and resilient IT systems, the risk of failure is huge.”
Futr AI’s Hadaway said, “All of the services that housing providers offer are delivered or at least underpinned by technology. As such, it’s no understatement to say that IT risk should be one of the primary risk considerations for housing providers.”
NEC Software Solutions’ Hampton said, “As housing providers have had to rapidly introduce digital channels in customer service and income, asset and compliance management, this increases the level of risk for the business. All of these elements rely on IT, so an integration or back-up failure could make these essential areas more vulnerable.
“Looking ahead, the adoption of new technologies, such as artificial intelligence and the internet of things, have the potential to bring new risks, so careful forward planning, budgeting and resourcing are needed to mitigate potential threats.”
How important is the ‘human factor’ in IT risk?
CalQRisk’s Joyce said, “If you think that cyber security is an IT problem then you have a problem. IT can only protect the organisation so far; the weakest link is always human. We are often curious and too trusting, and that curiosity and trust gets abused via social engineering techniques. We reveal information we shouldn’t, we click on links we shouldn’t… and then it all kicks off.”
Futr AI’s Hadaway said, “The human factor has always been hugely important in IT risk, and even more so today with our fluid working environments. Having the right policies is a start, but it’s critical to reinforce those with proper training and technologies which provide both oversight and visibility.”
NEC Software Solutions’ Hampton said, “The human factor everything – for example, the obvious risk is a data breach. Technology should empower and motivate staff but it’s essential to make sure people can’t access or provide data by accident, so close attention needs to be paid to security privileges to reduce the chance of human error.”
Can housing providers’ IT departments help with non-IT areas of risk?
Civica’s Rogers said, “IT teams must always take the time to understand business needs. Often data is the responsibility of the business yet the IT department takes ownership of it. Data is one of a housing provider’s most important assets and if it isn’t secure or maintained to high standards, the risk of failure is high. Therefore, IT teams need to engage with business departments to understand how to mitigate any unforeseen problems which non-technical people wouldn’t necessarily be aware of.”
Futr AI’s Hadaway said, “Every department has their own primary objectives but a key characteristic of an efficient organisation with engaged employees is one that offers visibility into how individual and departmental objectives and results feed into the wider organisation. Risk is an important part of that because very few processes, workflows or outcomes stand in siloed isolation.”
What has the pandemic taught IT teams about IT risk?
Tom Wright, head of digital engagement, NDL, said, “The unpredictable nature of the pandemic has highlighted the importance of remaining adaptable. IT processes need to have room for adjustment to ensure that the right lines of communication remain open and data management solutions have the required flexibility to adjust to changing circumstances.
“As part of establishing effective IT processes, it’s essential that data quality and security are carefully managed as potential areas of risk. Digital transformation supports housing providers to ensure they maintain clear, structured and accurate data – less human intervention means fewer opportunities for errors. This then ensures the usefulness and agility of data between systems or departments. Similarly, maintaining strict security parameters is vital; data loss or GDPR risks can compromise critical processes at the most crucial times.
“Efficiency is of paramount importance during a crisis, especially when resources are stretched beyond their usual limits. For example, robotic process automation (RPA) can drive huge efficiencies for teams by automating repetitive administrative tasks. This can make a major difference to a team’s ability to direct their time and skills where they are most needed.”
Decision Time’s Braziel said, “The housing providers who coped best with the pandemic were those who had already implemented online, cloud-based solutions and working practices. Having services available online made an enormous difference when offices had to close, and something as simple as a policy of providing laptops rather than desktop computers and having a modern, cloud-based phone system also had a huge benefit when staff had to work from home.”
NEC Software Solutions’ Hampton said, “The pandemic has been a stark reminder to us all to constantly review our business continuity plans. This might have previously seemed like a tickbox exercise but the last 18 months has taught us to prepare for everything.
“It’s essential to fully test every eventuality and to believe each eventuality could happen. IT is a fundamental part of this, and we need to consider worst-case scenarios such as how would your organisation continue to operate if you lost access to your office and your core IT infrastructure?”
FLS’s Squire said, “Housing providers’ contingency plans to manage risks were severely tested during the pandemic, but many demonstrated that they could move much, much faster than they ever thought possible. The pandemic has accelerated housing providers’ digital ambitions, teaching us all the benefits of automation and the power of technology to avert risk.”
Housing Technology would like to thank Gerard Joyce (CalQRisk), Helen Rogers (Civica), David Braziel (Decision Time), Jeremy Squire (Fast Lean Smart), Kitty Hadaway (Futr AI), Tom Wright (NDL) and Trevor Hampton (NEC Software Solutions) for their comments and editorial contributions to this article.