What Four Months of RSH Regulatory Judgements Tell Us About Risk in the Sector

The RSH’s 2025 Sector Risk Profile was published in November last year. It was direct, shorter than its predecessor, and delivered a clear message: governance is the foundation of everything, and the regulator is watching.

Most people in the sector read it. Many nodded in recognition. Some held a board session to discuss it. And then — as tends to happen with annual publications — it moved on to the shelf.

Four months on, I’ve been reviewing the regulatory judgements the RSH has published since November. Not to summarise what the SRP said — there is plenty of that already — but to ask a different question: are the judgements bearing it out? And if so, how?

The answer is yes. And in a very specific way that I think is worth unpacking for any board or executive team right now.

The pattern in the judgements

Across the governance downgrades published since the SRP, three failure points keep appearing in the RSH’s own language. Not as one-off issues in a single organisation, but as a pattern repeating across providers of different sizes, geographies and operating models.

All three were explicitly flagged in the SRP. The regulator didn’t hide what it was looking for. What’s striking is how consistently organisations are still being found wanting on exactly these points — four months into the inspection cycle that was meant to have prompted action.

1. Procurement and contract oversight

This is perhaps the most common thread across recent judgements. The RSH has cited weaknesses in how boards oversee procurement activity, manage contracts, and maintain visibility of delegated authority limits — particularly in relation to repairs and maintenance spend.

In more than one recent judgement, the language has been striking in its specificity. Weaknesses in procurement of works and contract monitoring resulting in unknown overspends against the repairs budget. Inadequate corporate oversight of delegated authority limits on contract spend. Controls that exist on paper but haven’t been tested against what’s actually happening operationally.

This isn’t about large-scale fraud or deliberate wrongdoing. It’s about the slow, quiet drift that happens when operational activity outpaces board line of sight. Contracts get let. Spend accumulates. Commitments are made. And the board only finds out when the figures don’t add up.

The question for any board is straightforward: do you have genuine assurance that your controls around procurement and contract management are working in practice — or are you relying on the assumption that they are?

2. Data quality undermining assurance

The second pattern is one I find particularly significant, because it strikes at the heart of how risk frameworks actually function in practice. Boards are being told, in judgement after judgement, that they cannot adequately oversee risk because the data they are receiving is not accurate enough to base sound decisions on.

Recent judgements have found boards needing to improve their oversight of operational delivery because of gaps in the accuracy and integrity of the data being reported to them. In some cases, organisations had reporting processes in place — the issue was that what was being reported didn’t reflect what was actually happening on the ground.

A risk framework is only as good as the information feeding it. You can have a beautifully designed risk register, a well-structured assurance map, and a sophisticated three lines of defence model — and if the underlying data is inaccurate or incomplete, the board is effectively flying blind while believing it has full visibility.

This is one of the hardest things to surface from the inside. It requires asking not ‘what does our risk framework say?’ but ‘how confident are we that what it says is actually true?’ Those are very different questions.

3. Subsidiary and third-party risk

The third pattern is growing in significance as the sector’s operating models become more complex. As organisations expand into development subsidiaries, establish trading entities, use managing agents, or work through development partners, boards are increasingly losing meaningful oversight once activity moves outside the registered entity.

Several recent judgements have cited the need to improve risk and control frameworks specifically in relation to the oversight and management of strategic risks associated with unregistered subsidiaries. The risks were real and material — but the assurance framework wasn’t designed to surface them.

The RSH is unambiguous on this point. Ultimate responsibility remains with the registered provider. The complexity of your corporate structure does not reduce your accountability for what happens within it — or through it.

For any board operating with subsidiaries, joint ventures, or significant third-party arrangements, the question to sit with is whether your assurance framework genuinely extends to those entities — or whether it stops at your own front door.

What this means in practice

The 2025 SRP told us governance was the central challenge. Four months of regulatory judgements are now showing us exactly where governance is breaking down — and it’s not in grand strategic failures. It’s in the operational blind spots. The places where nobody has asked the right question recently, or where the assurance framework simply wasn’t designed to look.

Having spent 15 years working in senior risk leadership roles inside housing associations — as Head of Risk and then Director of Risk — this pattern is a familiar one. Most organisations have frameworks. Most boards receive risk reports. The gap — the one the RSH keeps finding — is between what the framework says is in place and what is actually happening on the ground.

The question for any board right now isn’t whether these risks exist in your organisation. In most cases, they do to some degree. The question is whether your assurance framework is designed to surface them — before the RSH does.

How House of Risk can help

At House of Risk, we work with housing associations, universities and public sector organisations to build risk and assurance frameworks that are practical, meaningful, and genuinely useful to the boards and executive teams that rely on them. We bring practitioner insight — from having sat in senior risk roles inside these organisations — that a generalist consultancy simply cannot replicate.

If any of the three patterns above resonate with where your organisation is right now — or if you’d simply like an honest, experienced view of how your risk and assurance framework would hold up to RSH scrutiny — we’d welcome a conversation.

Get in touch: enquiries@houseofrisk.co.uk  |  www.houseofrisk.co.uk