Housing Technology interviewed IT risk experts from Incline-IT, Northgate Public Services, Riskhub and Waterstons on what IT risks housing providers should be keeping a close eye on and how they can plan for and mitigate those risks.
What are the IT risks specific to social housing?
Trevor Hampton, director of housing solutions, Northgate Public Services, said, “Poor data quality is a ticking time bomb for housing providers – in our view, it’s the number one risk. Housing providers operating with a patchwork of systems are now dealing with incomplete, inaccurate and duplicated data. This lack of joined-up systems makes it almost impossible for housing providers to gain the necessary 360-degree view of tenants and properties.”
David Mason, technical director, Incline-IT, said, “As digital transformation becomes a daily reality in housing, there are two main new risk factors emerging: the risk of misaligning IT with an organisation’s wider business strategies; and the dangers of ineffective risk management.
“With the technology market becoming increasingly competitive, there is more hype around new solutions. This can lead to unrealistic expectations of IT within the wider organisation, and a subsequent misalignment of business and IT strategies when planning for digital transformation, leading to increased costs, reduced agility and impaired decision-making.”
Sarah Herbison, CEO, Riskhub, said, “In the area of compliance, the biggest risk is housing providers losing control of the data that comes out of compliance assessments. For example, archaic spreadsheet systems are easily corrupted when accessed by multiple users, making it hard to keep track of the constantly evolving datasets.
“Two things can happen if compliance data isn’t stored properly. Firstly, the actions of the checks might be lost or incorrectly marked as complete, with the possible result that vital safety work isn’t carried out. Secondly, compliance actions might not be correctly marked as actually having been completed, meaning works could be inadvertently requested, completed and paid for more than once.”
Measuring, triaging and mitigating IT risks?
Helen McMillen, executive business consultant, Waterstons, said, “Housing providers need to take a holistic approach to mitigating IT risk; this means ensuring that the domains of people, processes, technology and leadership are all considered together. In practice, this means not simply relying on an annual penetration test or DR rehearsal but instead ensuring that risks are appropriately captured not only within your infrastructure but also well as throughout your digital supply chain.
“As well as focusing on testing, scenario planning for your critical risks is important. This lets you understand where the riskiest parts of your operations are and ensures you have the right controls to reduce those risks to within parameters you’re comfortable with.”
Northgate’s Hampton said, “Interrogating the data you hold is a good place to start. This helps measure your risk around data quality by establishing how ‘healthy’ it is, and whether it gives a complete view of your tenants. Carrying out regular data audits will identify gaps and flag what information needs to be captured. Obtaining that data can then be planned into routine correspondence or maintenance visits.
“To take another area, an increase in calls to contact centres or a rise in customer complaints are indicators of whether digital services are functioning correctly. Housing providers worried about their digital capabilities need to take care of their back office; processes must be joined up and workflows fully automated for customer journeys to be completed.”
Incline-IT’s Mason said, “When designing a digital transformation, IT teams must change their approach to risk management. Where previously the majority of IT risks were internal, they are transferred to external parties when working with SaaS providers. External risks can’t always be fully managed, so organisations must focus on mitigation by understanding their risk profile, where they put core services and how to properly separate services to ensure that if one provider has problems, the entire business isn’t affected.
“Where IT services are outsourced, ongoing risk management requires a contract management approach which may be new to some IT teams. Traditionally, service providers report their performance against pre-agreed SLAs but this doesn’t provide true visibility because there are no means to validate the figures. The key to effective service delivery and risk management is transparency; having access to the systems that providers use themselves to monitor services enables much better risk management.”
Do housing providers focus on risk management?
Northgate’s Hampton said, “IT is always on the agenda when housing providers’ risk committees meet so it’s already an area of focus for them. However, it’s not enough to just commission an IT report; you need to execute the action plans outlined in them. There is often a gap between identifying IT risk and the actual follow-through.
“To use a current example, housing providers who considered IT risk management to be a core element of their overall organisational strategy are probably responding better to the coronavirus crisis than others.”
Waterstons’ McMillan said, “IT risk should be a specific area of focus for housing providers, but the key is to ensure that it is part of a much broader enterprise risk management strategy. A robust risk management approach needs to be forward-looking because this allows us to forecast what the next areas of focus might need to be. We can then apply wider insights and intelligence from ever-changing political, regulatory and operational spheres, and understand where our critical risks lie across people, processes, and technology.”
How important is the ‘human factor’ in IT risk?
McMillan said, “When we look at the trends in recent data breaches, the vast majority were caused by people, and in most cases by accident. This means that securing the ‘human factor’ is just as important as technical security, although this area of IT risk management is frequently overlooked.
“It is all too easy to tick the training box, but will it actually have any lasting effects? In contrast, we’ve found that live hacking demos, the gamification of cyber security challenges and business-wide security formats are the strongest links when it comes to managing risk.
“It’s also important to realise that despite everyone’s best efforts, sometimes things will go wrong and data will accidentally be sent to the wrong place or information mishandled. In those cases, it’s important to ensure that there is a culture of openness where staff feel able to report incidents quickly without fear of reprisals and are empowered to suggest ways of making operational processes more secure.”
Incline-IT’s Mason said, “Human error is a common and well-known risk factor within an IT setting, and SaaS providers introduce human risks at another level, with a number of SaaS services having had significant outages caused by human error.
“This risk can’t be totally managed so the key for an organisation is to understand their risk profile, where they place core services and how to properly compartmentalise their services to ensure that, as mentioned earlier, if one provider has issues, the entire business is not affected. This is why we rarely recommend single provider solutions and ensure our customers understand that putting all their eggs in one basket isn’t a sensible solution to manage and mitigate their risk exposures.”
How can IT help with non-IT areas of risk?
Riskhub’s Herbison said, “Using data management and compliance tools that have the capability to link with a housing provider’s other systems can help with reconciliation, time management and data integrity. For example, a considerable financial risk of not keeping robust compliance data is that a housing provider might unwittingly duplicate its planned maintenance or repairs.”
Northgate’s Hampton said, “IT underpins every area of social housing, from maximising rental collections to maintaining assets. For example, automating payments and collections helps housing providers keep on top of their income streams, while AI can spot patterns and help predict problems before they become an issue, thereby helping with areas such as compliance and maintenance planning.
“Technology enables housing providers to see the bigger picture in ways that, say, busy housing officers might not be able to do, by flagging all the indicators. For example, take a tenant repeatedly denying access to a property for a gas safety inspection; technology would flag not only the risk to the asset and the lack of compliance, but also other indicators, such as tenant vulnerability, which would help the housing provider to have the right safeguards.”
What has coronavirus taught us about attitudes to IT risk?
Riskhub’s Herbison said, “It’ll be interesting to see how housing providers evaluate how prepared they were for this crisis. It’s not about seeing something of this magnitude coming but having a sufficiently versatile and robust IT system will get you part of the way towards adapting to the current situation.
“That said, I suspect that a worrying number of housing providers who are still reliant on legacy IT systems will have been caught out by the sudden shift to offsite operations, with important data proving difficult to access.”
Waterstons’ McMillan said, “We believe that one of the core learnings from the current pandemic is that organisations must invest in their business resilience measures. These go beyond typical risk management approaches and reframe the practice in several ways. It’s not just about ensuring that you can weather the storm of an unforeseen event or the loss of a critical system; it’s also about ensuring that your organisation has the pre-emptive capabilities to respond to change and seize the opportunities presented to you.
“In practical terms, this will mean organisations standing in the shoes of their customers to make sure that they can provide value in both the short and long terms. It will mean maturing business processes and ensuing that they support and fit within this new way of working; for example, legacy processes which rely on close physical contact or cohabitation of an office space will have to change. For housing providers, this will mean understanding what is critical to their tenants and which processes need to be the focus to improve risk responses.”
Incline-IT’s Mason said, “Before the advent of coronavirus, we were already preparing to migrate two customers into the cloud, with risk management and business continuity being the key motivators for their transformations. It really was a lucky coincidence that we were prepared to do this before lockdown was enforced. For the smaller of the two housing providers, we managed to migrate all of their systems within a fortnight and scale up their remote working capabilities from 10 to 30 staff.
“In our experience, housing providers of all sizes were already looking at cloud and SaaS for their risk management and DR capabilities, albeit as more theoretical remote working policies for their wider business continuity plans. However, with most housing providers having been forced into putting these policies into practice, many are now asking how they can maintain the flexibility for their staff to work from home.
“IT in some organisations is a bit like a prodigal son; it’s been allowed to drift away from the business and it now needs to be welcomed back with open arms and sit alongside other key areas of the business.”
Housing Technology would like to thank Trevor Hampton (Northgate Public Services), Sarah Herbison (Riskhub), David Mason (Incline-IT) and Helen McMillan (Waterstons) for their editorial contributions to this article.