Advisory

Best practice for smaller providers

Practical, technology-agnostic guidance for smaller and not-yet-scored registered providers: how to organise, evidence your data, and protect your services. Use these as maturity checklists against the RSH consumer standards. Generic sector guidance; no landlord is named.

Target operating model

Target operating model

A target operating model sets out how your organisation actually delivers its services: the structure, processes, data and systems that turn intent into outcomes for residents. Smaller providers do not need a large transformation team to get this right; they need clarity about who does what, and the evidence to prove it. Use the checklist below as a maturity prompt, not a tick-box.

Accountability and structure

  • Every consumer standard has a named owner at executive level, with a clear line to the board.
  • Repairs, complaints, building safety and tenancy management each have a documented process and a single accountable manager.
  • The board sees a regular assurance report mapped to the RSH consumer standards, not just finance and operations.

Process and evidence

  • Core processes (repairs, complaints, ASB, damp and mould) are written down, in date, and match what staff actually do.
  • You can evidence outcomes, not just activity, for each standard, ready for an inspection or a self-assessment.
  • Complaints and Ombudsman findings feed a continuous-improvement loop that the board can see.

Sweating existing assets

  • Before buying new systems, you have mapped what your current housing-management and asset systems can already do.
  • You choose suppliers proportionate to your size and standard, not the largest enterprise tool by default.
  • Procurement decisions weigh accreditation, support and total cost of ownership, not headline licence price.

Data strategy

Data strategy

A data strategy is how you turn the records you already hold into reliable evidence for residents, the board and the regulator. The RSH consumer standards now expect providers to know their stock, their tenants and their performance. The goal for a smaller provider is not a data lake; it is trustworthy, current, joined-up data on the things that matter most.

Know your stock and tenants

  • Stock-condition data is current, complete and drives your investment programme.
  • You hold and maintain the vulnerability and accessibility data needed to prioritise repairs and damp and mould cases safely.
  • Building-safety compliance data (the “big six”) is evidenced, in date and reportable on demand.

Data quality and ownership

  • There is a named owner for data quality, and a simple, regular check on the records that drive regulatory outcomes.
  • Key data is held once and shared, not re-keyed across disconnected spreadsheets.
  • You can produce your Tenant Satisfaction Measures and complaint-handling figures from source, not by hand.

From data to decisions

  • Performance against each consumer standard is visible to managers, not locked in a year-end report.
  • You benchmark against the sector to know whether your rates run high or low, and act on it.
  • Data informs board decisions about investment, risk and where to focus improvement.

Cyber and information-security strategy

Cyber and information-security strategy

Social housing providers hold sensitive personal data on tenants and run services that residents depend on. A cyber strategy protects both. Smaller providers are not exempt from attack: they are often targeted precisely because defences are lighter. The aim is proportionate, accredited security that a board can be assured of, not a security operations centre.

Foundations and accreditation

  • Pursue Cyber Essentials (and, where proportionate, Cyber Essentials Plus) as a baseline and a procurement filter.
  • Maintain an asset and data inventory so you know what you are protecting and where personal data lives.
  • Choose suppliers and cloud services with recognised security accreditation (e.g. ISO 27001, Cyber Essentials).

Protect, detect, respond

  • Multi-factor authentication is enforced on email, remote access and admin accounts.
  • Patching, backups and access reviews are routine, owned and evidenced; backups are tested, not assumed.
  • You have a tested incident-response and business-continuity plan, including how you keep serving residents during an outage.

People and governance

  • Staff receive regular, practical security-awareness training, focused on phishing and data handling.
  • Information-security risk is a standing board item, with a named owner and a clear escalation route.
  • Data-protection (UK GDPR) obligations are mapped to your systems and suppliers, with DPIAs where required.

Where you stand

See where your organisation sits against the sector.

This guidance is generic. To see your own organisation’s Housing Ombudsman finding rate, peer cohort and trajectory, create a free account, and we’ll email a link to finish.

Email me my organisation’s position

See where your organisation sits against the sector. We'll send a link. No password needed yet.

We'll email a secure link to finish. No password needed yet.

A note on scope

This is general guidance for the sector, not advice tailored to your organisation, and it does not name or assess any individual landlord. For how we work with the public corpus, see the data sources and methodology pages.