What is your risk appetite for Digital, Data and Technology?
Risk appetite sits at the heart of strategic governance. Sometimes organisations can articulate a single, generic appetite statement as if all technology risks are of the same nature and require the same cautious approach. In reality, appetite is multi-dimensional: a board may have a low appetite for compliance breaches, a moderate appetite for operational risk, and a high appetite for strategic innovation.
Excessive risk aversion, meanwhile, remains one of the greatest inhibitors of innovation in social housing. Organisations often misjudge risk because they over-focus on the most prominent threats while neglecting moderate but cumulative ones, or because they confuse a lack of certainty with the presence of danger.
In this context, board members should be asking themselves the following questions:
1. Do we have reliable, comprehensive data to run the organisation — and can we evidence its accuracy?
2. What are our most significant digital and cyber risks — and how do they align with our risk appetite?
3. How resilient would we be if a major incident occurred tomorrow (cyber attack, data breach, system failure)?
4. What independent assurance do we receive on digital, data and cyber controls — and what does it tell us?
5. Do we have the leadership, skills, capacity and culture to manage DDT risks effectively across the organisation?
Deep Dive
Let’s start with a reminder of the NHF Code of Governance about risk, in general.
– The Board retains ultimate responsibility for how risks are identified, assessed, managed and monitored. It must ensure the organisation’s approach is robust, effective, and aligned to mission and strategy.
– The Board must formally document its appetite for risk and how much risk it is willing to take in pursuit of strategic objectives.
– The Board must ensure the organisation is resilient to risks, through effective mitigation, business continuity and scenario planning.
– The Board must include members with the right skills, competence, and experience to manage the level of risk faced by the organisation.
– The Board must ensure that a living risk register exists and is escalated properly, that internal controls are effective, and that assurance is robust and triangulated with risk appetite.
Few board members have deep expertise in digital, data and technology (DDT) risks. As with areas such as Finance or Development, it is becoming essential to recruit specialists with professional experience in this domain. However, DDT governance and risk management are no different from other core risk areas. They form an integral part of corporate governance and must be approached with the same rigour — effective, transparent and accountable.
Sector Risk Profile
It may help to understand some of the risks. Like other risks, these might be considered strategic or operational and recorded in the relevant risk register.
The Regulator of Social Housing helpfully provides what it considers to be the most critical risks annually in the Sector Risk Profile (SRF). In practice this is about the use and protection of data which is held in the organisation.
The latest (November 2025) highlights:
– It is important that landlords manage their data in accordance with all relevant laws and regulations and understand the implications for data protection of adoption of new technologies such as artificial intelligence.
– Landlords need comprehensive data, covering all assets and liabilities, the safety and quality of tenants’ homes, tenant complaints and the status of repairs and maintenance work.
– Boards must have assurance that decisions are underpinned by robust and comprehensive data that is appropriately managed – ensuring confidentiality, integrity, and availability.
– Several factors contribute to the risk profile of landlords’ data integrity. This includes fragmented data systems, outdated IT systems, reliance on manual data entry, and lack of standardised data entry.
Data Risks
In my work with housing providers, I have been exploring what assurance the regulator is likely to want to see evidenced in an In-Depth Inspection (IDA). This is becoming clearer from recent published governance grading reports.
We have found it helpful to disaggregate “data risk” into six distinct areas:

Data and Cyber Security
The 2024 SRF highlights that landlords have a legal and moral duty to protect tenant and staff data, particularly as cyber-security risks continue to rise. Ransomware and extortion attacks remain the most significant threat, with AI expected to accelerate and intensify existing attack methods. Remote working, online service delivery, legacy systems, and poorly maintained infrastructure all increase vulnerability, though most attacks remain unsophisticated and preventable through basic cyber-resilience measures.
Boards are expected to ensure robust IT security, identify and mitigate vulnerabilities, and maintain a proactive cyber-incident response plan aligned with business continuity arrangements. Plans must prioritise protecting critical services and maintaining clear communication with tenants.
Technology Risks
As we drill further into the Digital/Tech Team, I would expect to see a light-touch risk register or operational schedule for day-to-day issues. These artefacts take real discipline and energy to keep up to date, and the Tech Team is already stretched with competing priorities. As a result, meeting the Governance Manager’s requests often falls down the list.
I’m also not convinced that a traditional risk register always drives the right behaviours. In many cases, I’d prefer to see clear schedules for maintenance, weekly checks and routine controls—practical tools that actively support good practice rather than simply record it.
Want to know more?
Technology risk management can be complex, and we all know what happens when it goes wrong.
Your options with Golden Marzipan include: