This document has been produced to assist Registered Social Landlords (RSLs) in carrying out reviews of compliance with the Standards of Governance and Financial Management, particularly when these are undertaken as preparation for submission of Annual Assurance Statements.
Other sector guidance is available, in the form of the SFHA’s Social Landlord Self-Assurance Toolkit. The Scottish Housing Regulator (SHR) participated in the development of the Toolkit and endorses its contents. This Lessons Learned document is intended to sit alongside, and complement, the Toolkit approach.
We commissioned Paul Rydquist, an experienced Statutory Manager, to produce this as an illustration of an effective way to carry out a review of compliance with Regulatory Standards. Its main purpose is to highlight the lessons that both the author and SHR have learned from such reviews with which we have had direct involvement, and to provide more information about how to carry out a successful review process.
It is targeted at RSLs rather than local authorities, and in particular at governing body members, to help get the most benefit out of these reviews and improve governance effectiveness.
It is also for senior staff members, given the role they need to play in such exercises, and any independent advisors tasked with leading or participating in the review process. Other stakeholders, who may be asked to engage and offer their opinions on the current state of governance, might also be interested.
The approach is principle-based and focuses solely on compliance with the Standards of Governance and Financial Management for RSLs.
It is for each RSL to decide how it will approach reviewing and demonstrating compliance with each of the Regulatory Standards, in order to support the submission of its Annual Assurance Statement. This is advisory guidance and landlords should consider applying any recommendations but are not required to follow it. So, a landlord may decide to adopt the approaches in full, in part, or not at all.
From observation of previous successful review processes, two key lessons have been identified:
- The more governing body members are directly involved in the process the better the quality of review, and the more genuinely useful the outcome is likely to be.
- It is very important to be fully objective and totally honest, and to be ready to recognise any significant weaknesses found.
Self-assessment reviews: a key component of sound governance
Governance is the system by which organisations are directed and controlled, and the Standards of Governance and Financial Management for RSLs are based on widely recognised principles of good governance. Because this is the case, compliance with Regulatory Standards is a strong indicator of overall governance effectiveness.
The Regulatory Framework requires RSLs to show how they comply with these Standards and associated guidance, and to use self-assessment reviews to demonstrate that this is the case.
Since the introduction of the requirement to make Annual Assurance Statements, the conducting of such reviews is now integral to RSLs’ self-assurance processes.
Lessons from Statutory Intervention (2018) noted that in all 11 statutory interventions since 2014, SHR judged that the RSL had failed to meet regulatory requirements and the root of the problems lay in weak governance. Key lessons included:
- Governing body members did not know what they did not know – they were not provided with, did not ask for, or failed to understand the information needed to carry out their role;
- The governing body did not seek or receive appropriate assurance and did not effectively challenge senior officers.
Factoring these lessons into the self-assessment review process will enable governing body members to prepare properly for their input, helping them to be self-aware, analytical, open and honest about their RSL’s performance.
Assurance: What is it, and why is it important?
Assurance is the process of gathering evidence to confirm that any controls and associated internal processes are working properly, thereby building confidence in compliance and effectiveness.
It is the key role and responsibility of governing body members to have overall responsibility and control of the strategic leadership of the RSL (Standard 1.2). This is why it is important for governing bodies to take a leading role in self-assessment reviews.
Governing body members generally cannot, and should not, be involved in the day-to-day running of the RSL. That is the responsibility of the staff team, led by the Senior Officer. Nevertheless, the governing body needs to ensure that what is being done in its name is appropriate and effective. A key responsibility of governing body members is to seek assurance on these points, and to achieve confidence in that assurance.
The process of RSLs assuring themselves that they meet Regulatory Standards and other regulatory requirements, and then assuring both SHR and their tenants, is central to the regulation process (see How We Regulate, Regulatory Framework February 2019).
Governing bodies need to be able to rely on the successful conduct of the RSL’s business activities, and particularly delivery of its key services, sound internal processes, and the production of credible information, in order to make good decisions and fulfil their role effectively. Where there are uncertainties around any of these, confidence diminishes.
Many RSLs will be familiar with this approach through the operation of their risk management framework:
- Key risks are defined;
- The main causes of the risk are identified;
- Any controls in place within the business are matched to each risk cause (and any gaps noted where there are new controls required to manage the risk);
- Assurance is sought to provide evidence that the controls in place are working - that what needs to be done is actually being done. Levels of assurance obtained can be scored, e.g. “limited”; “adequate”; “substantial”;
- Risks can then be accurately assessed.
From experience, the same approach will pay dividends for self-assessment reviews of compliance with Regulatory Standards:
- evidence of compliance with each Standard is identified (effectively the “controls” which should ensure compliance);
- indicators and evidence of the level of “assurance” or confidence that the “control” is doing its job, often in the form of reports, reviews, analysis, checking processes, etc. are assembled;
- Judgement is made about the strength of assurance, and the level of compliance.
For example: Regulatory Standard 6.4 requires that:
The RSL encourages as diverse a membership as is compatible with its constitution and actively encourages its membership in the process for filling vacancies on the governing body.
Most RSLs will have a Membership Policy or equivalent, with associated procedures, and in a review exercise would identify this as part of the evidence for compliance (the “control”). But does this of itself provide assurance of compliance? Probably not, and governing body members are also likely to want to know:
- Is the policy up-to-date? If dated before the new regulatory standard was introduced in April 2019, it may not address some of its requirements and expectations.
- Is it fit for purpose? It might be up to date, but will it provide the outcomes that the governing body expects to see achieved?
- Is it being complied with? The policy might be just what is needed, but if it’s not being followed it’s of little value.
Answering these questions could be part of the judgement about the strength of assurance and level of compliance associated with this part of the Standards.
Sources of assurance can come from both inside and outside the RSL, e.g.
- Day-to-day management of the Standard under review: from reports by the staff team performing the day-to-day activity, or from checking exercises by management that the agreed processes are being followed;
- Reports and reviews by central staff teams, such as finance, or HR, or “corporate services” or management teams, who have responsibilities across the RSL for seeing that the control framework is working effectively;
- Input from outside the RSL, and from anyone independent of the management chain, including internal audit reviews, and work by other specialist advisors.
Each source can provide robust assurance on its own, and no one source provides better assurance than the others, although being able to consider evidence from multiple sources will add confidence to the judgement. It is certainly not necessary to think that all three must be in place for each regulatory standard, or that independent assurance is required in each case.
Conducting reviews of regulatory compliance
This document suggests an approach to carrying out reviews of compliance, based on the author’s experience of conducting and overseeing many such reviews in RSLs, and of what seems to work well. This includes reviews associated with Annual Assurance Statements – this is now the main context in which such reviews are undertaken.
There are potentially four key phases to a successful review process:
- Surface the key issues – An annual light-touch exercise won’t tell you all you need to know about the current state of your governance. From time to time a more comprehensive review will be required. The process needs to be open, absolutely honest and objective. If key weaknesses exist, and significant change is required, it’s important that the process brings this to light.
- Own the results – If the review process produces results you weren’t expecting, or identifies serious weaknesses, don’t shy away from them. By picking up these issues you can demonstrate self-awareness and transparency, and show how you’re going to deal with them. If significant change is required, it won’t happen unless the governing body recognises it, and is driving the change.
- Commit to the necessary improvements – A comprehensive review exercise will always throw up areas for improvement, and even if no non-compliance is identified, there may be areas of significant weakness to address, as well as partial compliance. Setting this out in a plan, with measures of what genuine “success” in fixing the problem looks like, will help the assurance process.
- Evaluate the impact of the completed improvements – If you need to achieve significant change, especially if it involves culture change, an end-of-process review exercise, perhaps from an independent perspective, will be helpful. Find ways to check not just that you can confirm the improvements have been fully completed, but also that the outcomes you’re looking for are happening. Identifying success factors, or key performance indicators at the start of the improvement phase, which will tell you if this is the case, can be very useful.
Preparing for review
It is important to establish the right environment for an effective and honest appraisal, where it feels safe to bring out any issues or concerns. Setting the right tone for those involved is an important ingredient in a successful review.
While the governing body has the central leadership role within an RSL, and especially in the effective delivery of its governance arrangements, not all governing body members may feel confident about offering opinions about the current state of governance across all areas of the Regulatory Standards.
In order to build that confidence across all governing body members, some initial training would be appropriate, including familiarisation with the SFHA Toolkit. The more governing body members are involved, the more their knowledge and understanding of regulatory requirements will be enhanced.
A comprehensive approach
The review process described here is intended to be part of a comprehensive review exercise. It could sensibly be linked to the business planning process.
SHR’s Recommended Practice document on Business Planning (2015) notes that, in an appropriate business planning cycle, some RSLs have a rolling programme approach where:
- Every 3 years there is a comprehensive update of the strategic direction of the RSL;
- Annually, the business plan is updated as necessary.
In order to establish a sensible review cycle, a similar approach can be beneficial for reviews of compliance with Regulatory Standards:
- Every 3 years or so, a comprehensive review is undertaken;
- Annually, some form of “light touch” audit and update on any improvement plans is undertaken, to support sign-off of the Statement.
This could be phased, so that in year 1, a comprehensive compliance review takes place, followed in year 2 by a comprehensive business planning exercise.
Any comprehensive review of compliance will complement and enhance a major strategic planning review. It should provide a much clearer picture of the current state not just of governance effectiveness, but of other aspects of the RSL’s internal processes, and enable a more confident SWOT (Strengths; Weaknesses; Opportunities; Threats) or other analysis of the current state of the organisation, on which effective business planning needs to be based.
Setting your own review cycle and method
There are seven Standards of Governance and Financial Management, under which sit further guidance, amplifying the scope of each Standard. A view needs to be formed about the current state of compliance with each Standard and area of guidance, and the SFHA Toolkit is structured to support this approach.
Having submitted a number of Annual Assurance Statements, RSLs will have developed some form of annual process to support the signing of their Statements.
RSLs will need to decide for themselves if this pattern of compliance review exercise in support of their Annual Assurance Statement – a comprehensive review conducted every 3 or 4 years, interspersed with light touch reviews in other years – fits with their way of working and will enhance their governance effectiveness.
RSLs may wish to adopt other approaches such as the ongoing compliance process set out in the SFHA Toolkit.
Who should be involved in the review process?
All governing body members should play a full part in the comprehensive review exercise, and in deciding how the review is to be led and co-ordinated. There will always be three options:
- Internal-only review, led by the Senior Officer, senior manager or board member(s)
- Internally led, with some external input
- Externally led, e.g. by a specialist advisor or independent consultant
However the review is structured – possible approaches for you to consider are set out in a flow-chart included at Appendix 1, and also in the SFHA Toolkit - it is important for the success of this process that:
- All governing body members are involved and express an initial view on current compliance with each of the Standards and associated guidance, at the commencement of the process. This can be simply obtained, for example, by using a questionnaire.
- The final decisions on compliance levels are made at a full meeting of the governing body.
Management team members, including the Senior Officer, will play a key role both in assembling evidence and, if the exercise is being conducted in-house, in offering initial judgements about compliance. Their input and perspective are vital to an accurate assessment of compliance.
Other stakeholders, such as tenants, funders, front-line staff, plus auditors, other partners and local community organisations, can provide a very helpful perspective on how the RSL is perceived by those who are invested in its success, particularly if this review is part of a wider business planning exercise.
Any input from other stakeholders should be focused on relevant Standards where they are likely to have first-hand experience of regulatory expectations, most obviously Standard 2 and parts of Standard 5, and other specific areas that are directly relevant to the particular stakeholder group.
Tenants are key stakeholders, and it will be important for the RSL to consider whether and how they can contribute. Most RSLs will already have useful feedback from tenants to call on, e.g. Tenant Satisfaction Surveys, but there is considerable scope for added value by asking direct questions on current views of compliance and effectiveness. This would be particularly relevant for most of Standard 2 in terms of communication and accountability to tenants, and some of Standard 5 (e.g. reputation of the RSL in the community, and impact on advancing equalities and human rights). Engaging with an existing group would be the most straightforward approach, e.g. an RTO or tenant scrutiny panel, but if none of these are in place then a focus group can be assembled for the occasion.
Front-line staff can provide alternative and very useful insights, e.g. via a focus group session.
It is particularly helpful if the process can begin with obtaining an initial view of the current state of compliance from each governing body and management team member. They can rate compliance with each Standard and associated guidance, based on their own observations of “governance in action” through attendance at meetings, reading reports, attending training or other events, and so on.
The author finds using a four-category scoring approach, both for the preliminary judgement and for overall compliance assessments, to be the most helpful:
- Fully compliant
- Partially compliant
- Significant weakness (but still partially compliant)
- Non-compliant
Whichever approach you decide to take to scoring the assessment, it is essential that the review will result ultimately in a clear outcome judgement for each Standard: is it compliant or non-compliant? This approach offers three shades of compliance, with a sliding scale of improvement requirements.
If questionnaires are used to make this initial judgement, they can helpfully be augmented by one-to-one interviews with each governing body and management team member, to discuss some of the more sensitive and potentially concerning areas. If the review is being conducted in conjunction with a business planning review, interview questions can be expanded to include a wider assessment of the current state of the RSL and its strengths and weaknesses. Care should be taken to identify a suitably objective person to conduct such interviews.
An example of a completed questionnaire covering Standard 4, including comments from participants, and some related interview questions, is included at Appendix 2.
Analysis of the questionnaires and any interviews can form the starting point for the review of compliance for each area of the Standards, and point towards the kind of evidence (or potential absence of evidence) which will be important in judging compliance.
A feature of such exercises can be considerable variation in judgements between different audiences, which is highlighted in Appendix 2. There is great value for the governing body in exploring the reasons for these differences in judgement, which can be very wide-ranging at this initial stage.
Gaining assurance on compliance needs to be evidence-based, and is a two-stage process:
- Step 1 is to identify any evidence that will support a judgement that the specific standard under review is being complied with.
- Step 2 is to consider such sources of assurance as are available (see Section 3) and make the judgement: using a scoring system, are we fully or partially compliant; seriously weak; or non-compliant?
Most RSLs will already have some form of “evidence bank” linked to each of the Standards, based on preparations for previous Annual Assurance Statements, which will be their first port of call in future review exercises.
It is important to understand the scope of each standard, as many are multi-faceted, and require judgements to be reached in several areas.
Standard 1.2 requires that: The RSL’s governance policies and arrangements set out the respective roles, responsibilities and accountabilities of governing body members and senior officers, and the governing body exercises overall responsibility and control of the strategic leadership of the RSL.
Forming an overall judgement on this Standard will mean considering:
- Have we got an appropriate and up-to-date range of governance policies and procedures?
- Do our governance arrangements – the interplay of sub-committees (if we have any) or any other sub-groups with the main governing body or the operation of any group structure, and associated reporting lines – work smoothly and effectively?
- Have we clearly set out in writing, in our policy documents or Standing Orders, or governing body remit, etc. the roles and responsibilities and accountabilities of governing body members?
- Have we got a scheme of delegation which makes it clear where governing body member and staff responsibilities begin and end?
- Does our induction cover these issues? Do we understand what this means for us in practice?
- Have we seen a job specification for our Senior Officer and management team members? Do we ever step into the management team’s territory, or they into ours? Do we ever discuss this (e.g. at an away day, or in reports back from the Senior Officer’s appraisal - assuming they have one, or in our own appraisals)?
- Do we really understand what “exercising overall responsibility and control of the strategic leadership of the RSL” means in practice?
- And if we understand it, are we confident that we’re actually doing it?
The SFHA Toolkit provides an excellent guide through this part of the review process, setting out how one Standard links to others; where useful guidance relating to that Standard can be found; examples of evidence that may give a prima facie indication of compliance; and the sort of questions that you may wish to ask in pursuit of making the compliance judgement.
RSLs can look to their existing documents, performance data and other reports, including internal audit reports, and internal control, risk management and performance management processes, etc. to find the evidence they need, or to identify what they should have but haven’t yet got.
Further evidence can be gleaned from the questionnaire and interview outcomes, and any stakeholder focus group or survey results included in the review process.
Being objective is crucial to the success of the process. The temptation to be defensive about the current state of governance, or to present an overly-positive picture, assuming compliance in the absence of any real evidence, will undermine the effectiveness of the process. Governing bodies should welcome finding and flagging up a problem.
The SFHA Toolkit identifies questions that can be asked to provide indicators of assurance, and form a basis for discussion. Positive indicators of compliance can come from a range of sources, but those with an external element can provide added value. Examples, which RSLs may have gathered in the normal course of business, could include:
- Tenant survey outcomes, or other tenant or service user feedback
- Analysis of service user compliments / complaints
- Internal audit reports – These can be even more pertinent if specific Standards are targeted when briefs are agreed for the annual programme of reviews. For instance, if a review of internal financial controls or treasury management arrangements is being undertaken, auditors could be asked to review compliance with standards 3.1 and 3.2, which cover these areas. The more specific the focus of the audit, the more thorough the review, and the more value added to the assurance process
- Benchmarking reports – If these can be produced by your club service provider, objectivity is further enhanced
- Other external reports commissioned in the course of business, e.g. Investors in People assessments, funding evaluations, organisation-specific training outcomes, etc.
The review process will involve agreed parties – whether particular governing body members, senior staff members, external advisors, or a combination of all three – making provisional judgements about compliance, based on the evidence and assurance methods identified.
Governing body members need to build in objectivity to this provisional assessment process, e.g. avoiding senior staff being involved in judgements in areas that fall under their responsibility.
It can be helpful to record which sources of assurance have been identified, and why this results in a judgement of compliance (or non-compliance).
Final decisions on compliance levels in a comprehensive review process are best taken by the whole governing body, potentially in a session devoted just to this exercise, considering provisional assessment recommendations, but with plenty of scope for challenge and discussion. Where assurance is limited, or borderline adequate, actions to improve this can be identified for inclusion in any improvement plan.
Focus on improvement
The real benefit of investing time and effort into such a comprehensive and thorough review process comes in the accuracy of the picture of the current state of the RSL created, and the clarity of its conclusions. These can provide a solid platform for sustainable change and improvement.
If the review judges the RSL to be less than fully compliant with any area of the Standards, improvement action will be required. The more thorough the review process has been, the clearer the nature of the required improvement action will be.
All necessary improvement action arising from a comprehensive review exercise is best gathered together in a single improvement plan. Any necessary training should be included in the plan – both in areas where the governing body needs more knowledge and awareness to ensure compliance, but also in preparation for more complex policy or strategy decisions e.g. the introduction of a new treasury management strategy.
It is more important to take enough time to ensure that the right change is being made, and that it can be properly embedded, than to rush programmes through in the shortest possible period.
RSLs may wish to spread minor improvements over a longer timescale, while “nipping bigger problems in the bud” and not allowing a problem to get worse through lack of attention.
At the conclusion of a comprehensive review, some form of proposed improvement plan should be presented to the governing body for consideration, including arrangements for regular review of progress by the governing body.
Evaluating the outcome
Where the improvement plan has picked up on multiple areas of weakness, consideration should be given to including an evaluation exercise once it is completed (see paragraph 4.2 above).
The inclusion of “success factors”, or key performance indicators in the improvement plan will identify if outcomes are being achieved.
Examples of how an Improvement Plan can be structured, and of potential success factors related to the required improvements, are included at Appendix 3, also featuring Standard 4.
Making judgements: compliance, non-compliance and materiality
Despite the fact that reviews of compliance with regulatory standards need to be evidence-based, there is still a significant degree of judgement involved in the process.
Good evidence is essential and provides an indication of compliance. But a series of judgements then come into play:
- What assurance do we have that the evidence is fit for purpose and is complied with by those responsible for operating it (if it is a policy, procedure, internal control, etc.)?
- What assurance do we have that the evidence means that we are achieving full compliance?
Both this Lessons Learned and the SFHA Toolkit provide pointers as to how RSLs might seek to satisfy themselves on these points. But it remains a matter of judgement.
We have emphasised two key points:
- in the review process, it is important to be clear who has authority to make judgements in these areas, with every effort made to ensure objectivity; and,
- the governing body should take final responsibility for endorsing these judgements through a process of discussion and challenge.
It is also important to recognise the multi-faceted nature of many of the Standards. For example:
Standard 3.4 requires that: The governing body ensures financial forecasts are based on appropriate and reasonable assumptions and information, including information about what tenants can afford to pay and feedback from consultation with tenants on rent increases.
This Standard will require the RSL to consider its various forms of financial projections – the budget; 5-year financial projections which are required to be submitted annually to us; and any longer-term projections (usually 30-year projections) – and the appropriateness of the assumptions on which they’re based and the range of information provided within them.
It will also need to consider its rent policy, what this says about rent increases, and how this relates to affordability. It will also need to make some form of assessment about its tenants, their incomes, and their ability to afford any planned rent increases implied by its rent policy.
Then it will need to consider the effectiveness of its most recent rent consultation with its tenants and any other relevant service users about proposed rent increases: how well did it engage with its service users? What sort of feedback did it get? Did it take account of that feedback?
How do we approach judging compliance, if we establish that we are at differing levels of compliance with each element of the Standard? For example:
- Our budgeting systems are fine, but we’ve had serious problems with our longer-term (30-year) financial projection system, and we haven’t been able to use it properly for a couple of years. We’ve managed to make a 5-year projection submission each year, and underlying assumptions are clear, but we know we’ve got a significant weakness while this remains the case.
- On rent policy and affordability, we feel instinctively that we should be reducing our standard measure of inflationary rent increase, but without the long-term model operating properly, we can’t test out options. However, we’ve used a rent affordability assessment tool as part of this year’s rent consultation process and are happy we’ve done what we can to assess affordability issues for our tenants around any proposed rent increase. Maybe we’re partially compliant.
- On rent consultation, we’ve got a well-honed system, and it worked very well this year, with lots of tenant feedback and a decision on a rent increase that was supported by tenants, which we’re also reasonably confident (in the absence of the long-term model) will provide adequate resources to meet our business plan objectives. This feels fully compliant.
Where does this leave us in terms of overall compliance? While there is a lot that’s working well, the lack of important information caused by the failure of the 30-year projection system is a serious weakness, and could even cause risks to overall viability if allowed to persist. Perhaps this should be flagged as non-compliant. Certainly, an urgent improvement plan is needed.
In most cases, where non-compliance is judged to form one part of a multi-faceted Standard, even where other parts are either fully or partially compliant, there would need to be very significant mitigation for that Standard to be assessed as anything other than overall non-compliant.
If, in our example, the governing body were to decide that the RSL was overall non-compliant against Standard 3.4, should this be included in the Annual Assurance Statement as material non-compliance?
Four key principles for deciding this are set out in the statutory guidance on Annual Assurance Statements, and examples of how the guidance might be applied are provided in the Frequently Asked Questions publication, and in the SFHA Toolkit.
Applying these principles to the hypothetical situation above, the governing body would need to form a judgement as to whether:
- the absence of any reliable long-term financial forecasting threatened the stability and viability of any of its service delivery arrangements (check planned maintenance programmes, but possibly not)
- this represented a significant risk to the financial health of the organisation (possibly)
The decision could go either way.
If the governing body decides that this is material non-compliance, then it will need to be included as such in the Annual Assurance Statement, or submitted as a notifiable event if the Statement is not due for imminent submission. If it is accompanied by a clear improvement plan, and there is confidence in the capacity and commitment of the RSL to deal with the issue, this would not normally lead to formal engagement by the Regulator.
A flow-chart is included at Appendix 1, which sets out the sequencing of the key stages of a comprehensive review process, as described in this Lessons Learned. Again, it is for RSLs to decide whether, and to what extent, they wish to follow this approach.
This Lessons Learned document emphasises that:
- Governing bodies and their members should be closely involved in reviews of compliance with Regulatory Standards.
- Making what are sometimes difficult judgements about compliance and materiality falls within the governing body’s role and responsibility.
- Well-governed organisations will recognise their weaknesses and address them.
Conducting an effective self-assessment review process is about more than creating greater confidence in the Annual Assurance Statement. It creates other opportunities - for improved governance; for enhanced self-awareness of the current state of the organisation as a whole; and for better strategic planning within the business.
Ultimately, it will help to ensure the RSL is better able to deliver for its tenants and other service users.
Appendices 1 to 3
Appendices 1 to 3 include flow charts and tables to support this guidance. To view the appendices, download the full report at the bottom of this page.