Risk management in social housing is becoming an important issue where governance is vital, particularly following several high-profile failures and frauds reported by the Homes and Communities Agency. However, some housing providers still think of risk management as ‘merely’ a compliance obligation or box ticking exercise, when in fact it does have considerable power to improve business performance through better decision-making and information distribution.
Risk management is a wide subject, ranging from the long-term risk associated with housing providers being with raising finance and issuing bonds in the capital markets, through to more short-term and immediate concerns such as supplier contracts, rent arrears and data protection.
When discussing which areas of their operations housing providers should use technology for risk management, Andrew Noone, a governance, risk and compliance (GRC) consultant for Ciber UK, said, “All business processes contain some degree of risk; the key factor is being aware of them, understanding the impact of the risks, and how to manage or mitigate the risks. With evolving technologies and compliance obligations, it’s becoming more difficult to manage risk using traditional methods. For example, the adoption of mobile working and customer self-service can introduce a new layer of risks in addition to existing financial or data protection standards.”
Adding to the theme of organisation-wide risk management, Intuitive Business Intelligence’s channel development manager Richard Abraham said, “By consolidating and presenting the key data, business intelligence (BI) dashboards significantly enhance the ability of every department within a housing provider to quickly identify and respond to potential risks.”
Intuitive cited the example of Bernicia Group which has implemented a BI dashboard to extract key data from its housing management and CRM databases, as well as several different spreadsheets, thereby giving Bernicia staff instant access to trending visibility and critical metrics across its housing, tenant profiling and employee statistics. This has led managers to analyse performance, improve efficiencies, enhance client service and ultimately reduce levels of risk across all of those areas.
Heidi Waites, managing director of service charge experts Opus, said, “There are a number of risks that need to be managed by our customers. These include staff turnover and the resulting loss of business knowledge, mis-codings of actual spending leading to loss of income, multiple databases meaning that data is split over many sites, and the inability to service their needs using in-house resources and the consequent external costs.”
Protecting sensitive data
Housing providers store and maintain massive volumes of sensitive data, ranging from straight-forward personal details through to information about criminal charges, convictions and anti-social behaviour.
Regarding how technology should be used for risk management regarding the protection of non-financial sensitive data, PCMS’ IT strategy, solutions and delivery manager Ian Walton said, “There are a number of ways in which technology can be used to minimise risk when using non-financial yet still sensitive data. The encryption of devices such as laptops, USB drives and email are all effective in managing secure data within an organisation.
“At a deeper level, the encryption of data on enterprise storage would prevent it from being used in an inappropriate manner if it was removed from the physical location somehow. Beyond this, a robust perimeter protection system around any public-facing systems that serve sensitive data is essential.”
Ciber’s Noone added, “Intelligence-led governance relating to non-financial data is a becoming a focus area due to the growing requirement to integrate financial and operational systems. Having up-to-date, enterprise wide data available allows better risk management policies to be implemented across all areas of the business, not just areas with a financial focus.”
During the recent Housing Technology 2014 conference, a rough ‘show of hands’ during one of the presentations suggested that in most housing providers, the technology function has either a direct or very close representation on the board. Given that risk management is now completely reliant on technology, should technology-based risk management be discussed at board level?
PCMS’ Walton said, “Risk management is a board-level activity without a doubt. For example, the criteria for ISO27001 clearly state that the board must take responsibility for the risk treatment plan and management activities around a given system; whether a business is ISO27001 compliant or not, this is still sound advice. Information incidents inevitably lead to financial and/or reputational losses, so it’s essential that risk management is discussed at board level. To ignore this is the equivalent of burying your head in the sand and hoping for the best without preparing for the worst.”
Intuitive’s Abraham said, “While it is important to discuss and demonstrate at board level the capabilities of the technologies being implemented, it is also important to embed risk management into the organisation as a whole and therefore it must be a ‘top-down’ initiative implemented and supported by the board and linked to the housing provider’s corporate objectives.”
Overlapping risk with performance
To a certain extent, performance management and risk management are two sides of the same coin, with good performance usually correlated with reduced risk.
Abraham explained, “For example, using technology to monitor contractors’ SLAs is vital not just for performance insight but also to reduce risks to maintenance contracts. Equally, the risks associated with spiralling maintenance costs can be considered alongside the performance levels of the contractors – who is performing well and offering value for money and who is not? If risk management criteria are included when setting individual KPIs and metrics for risk, then using technology to internally monitor performance should lead to a reduction in a housing provider’s exposure to risk.”
Ciber’s Noone added, “Risk management strategies should be reflected in defined and measurable outcomes to help organisations very clearly understand “what does good look like?”. Performance management software must then be able to reflect, monitor and assess the achievement of risk management KPIs to enable risk managers to measure and report their success.”
Modelling & predicting risk
An important part of risk management technology is its ability to model, predict and mitigate key risk factors. Opus’ Waites said, “When the key risk factors have been recognised, technology can be used easily to monitor them, report on trends and inform you of pre-determined behaviours. Technology can be used to follow any process, follow any pre-determined path or even change course if a particular scenario happens; the trick is to get the right piece of software for the risk that you are in fear of.”
Last word goes to Noone who said, “Risk can be mitigated by setting thresholds above which monitored risk factors create alerts; in this way technology, acting as an early warning system, can be used to nip growing risks in the bud. While there are no crystal balls, the best technology goes beyond ‘simple’ alerts to pro-actively analyse trends in data and KPIs to predict emerging risks and identify the business activities causing them. Of course, this relies on the accuracy of the data being monitored and modelled; to some extent, data integrity itself becomes a risk to an organisation.”
Housing Technology would like to thank Andrew Noone (Ciber UK), Richard Abraham (Intuitive Business Intelligence), Heidi Waites (Opus) and Ian Walton (PCMS) for contributing to this article.