I was pleased to be asked to author the new NHF publication on risk and assurance for boards, having been involved in the reading group for the previous separate publications on risk and assurance in 2014. I was keen to bring the two together and make the clear links between risk, control and assurance from a governance perspective.
Risks are changing. The real challenge is thinking about the different reporting and assurance the board needs if it accepts this. Financial and policy risks are well understood and largely well managed in the sector, but there is more variation in how much attention is given to risks arising from business operations, and changing expectations on stakeholder accountability.
These latter risks cannot just be seen or scored as ‘reputational’, because for housing associations, failure to manage them effectively means a failure of organisational purpose. That goes to the heart of risk management and ensuring that effective control is in place to manage risks which we define as ‘any event that impacts on the organisation’s ability to meet its key objectives’.
Risks around the condition of homes and responding to resident’s complaints have come very much to the fore in recent weeks and have resulted in some tough questions being asked of the sector. Are those tough questions being asked in your organisation? Is it a safe place to feel uncomfortable? If so, then that is a positive. The links between operational failures, accountability to stakeholders (especially residents), and organisational culture are captured in this guide and should be part of a robust risk and assurance framework.
The role of the board in setting the right tone is so important, and the board really adds value when it adopts an open and curious mindset, combined with strong awareness of what presents a material risk. The great skill of governance is being able to take evidence from numerous sources and understand the extent to which it supports or contradicts current understanding. This is not about not trusting the executive team, but about fulfilling core board responsibilities to ensure a sound system of control, and that risks are well managed.
There is a world of difference between relying on words of reassurance, however well meant, and having evidenced assurance to support the assertions. Strategic oversight of operational risks relies on a strong understanding of risk to focus board attention, and then getting the right level of assurance (evidenced and triangulated) that those top risks are managed really well.
Having a board level guide on risk management and assurance helps boards and executives have the conversation about what and how significant risks areas get reported, and how they are assured their organisational purpose is being delivered.