The 5-Step Risk Management Process for Affordable Housing Organizations

  • September 16, 2022

At HAI Group, we define risk as the existence of uncertainty regarding a future loss. The “uncertainty” is an event that can occur and, in the case of a housing organization, adversely affect its objectives, mission, vision, or bottom line.

“At its core, risk management aims to preserve and protect an organization’s assets, including its employees, residents, buildings, equipment, property, and even visitors,” said Elizabeth Owens, HAI Group’s director of risk control and consulting (pictured at left). “Proactive risk management helps demonstrate due diligence and can reduce your long-term costs.”

For example, if your organization were to face a claim or a lawsuit, having a policy or guidelines in place related to the risk in question could help you demonstrate that you proactively attempted to prevent or reduce the risk.

A coordinated risk management practice can also help you meet the requirements of your insurance company and of the U.S. Department of Housing and Urban Development (HUD), and help you comply with federal laws, state and local fire codes, and building codes.

“A safety-forward culture that includes sound risk management principles is one of the first steps in a coordinated risk management initiative,” Owen said.

The risk management process

The risk management process consists of five steps that apply to physical hazard risks as well as organizational and financial risks. Use the steps below to identify and control risks within your housing organization.

Step 1: Identify the risk

To begin, you must first establish context. Think about your organization. What is its risk history? What losses has it experienced? Who are its stakeholders? What risks might it face?

When identifying risk, it’s important to consider all aspects of the organization and the different categories of risk you need to assess. These categories include, but are not limited to, organizational risk, financial risk, external risk, compliance risk, and technical/IT risk.

Step 2: Evaluate the risk

Analyze the potential frequency of the risk, as well as its potential severity. Determine what would cause the risk to turn into a loss. Then, examine how prepared your organization is to withstand a large loss.

“It’s important to keep in mind that some risks cannot be eliminated, though you can minimize or control their frequency and severity,” Owens said.

Group meeting

There may be instances where some risk is acceptable if the cost to eliminate the risk exceeds the benefit of removing it.

Step 3: Select a technique

There are five different risk control techniques you can use (either on their own or in combination) to address risks within your organization. Let’s explore them below.

  • Avoidance means intentionally abandoning an activity or service or removing an object so a loss can no longer occur. With this technique, you remove the risk completely. For example, if you have old, damaged playground equipment, you could remove it from the property to eliminate the potential for a liability loss related to that equipment.

  • Loss prevention reduces the probability and frequency of a loss. Installing handrails in the hallway of a building designated for the elderly is one example. By installing handrails, you provide stability to people, which can help reduce slips, trips, and falls.

  • Loss reduction reduces the severity of a loss that does occur. An automatic fire sprinkler system is one example. The system will not reduce the probability of a fire, but it will help prevent the fire from spreading throughout the building.

  • Loss separation separates and/or duplicates assets and resources to prevent a single event from causing simultaneous loss to all. If you store your vehicles in different garages, for example, you can prevent a total loss of inventory should a fire occur in one location.

  • Loss transfer contractually transfers financial and legal responsibilities to a third party for specified losses that might otherwise be incurred by the transferring organization. For example, when you hire a fire equipment vendor to test and maintain your fire protection and life safety equipment, you effectively transfer the potential risk to that vendor, assuming an adequate contract is in place.

Step 4: Implement the technique

This step requires you to develop a plan to implement a given risk control technique or a combination of techniques.

"Be sure to gain the support of your management team for the measures you plan to take, and make sure to share the plan across the organization," Owens said. "You should also develop a timeline with goals that you can track and measure as they’re achieved."

Step 5: Monitor results

Man monitoring fire safety equipment

When monitoring your results, be sure to evaluate how your employees and residents were affected by the measures you implemented. Keep in mind that risk management is an ongoing process. Your organization should start at step one periodically and reassess risks on a regular basis.

Ideally, proactive risk management will reduce the frequency of your organization’s exposure to risk as well as the severity of the risk. Both will save you money.


Includes copyrighted material from a company under the HAI Group family, with its permission. this post is for informational purposed only and is not intended to provide legal advice, and shall not be relied on as such. We strongly recommend consulting with legal counsel or an appropriate subject matter expert.

Don't Miss This

Related Content

Meet Jeffrey Wade, HAI Group's 2022 Risk Champion of the Year

July 28, 2022
HAI Group’s board and committee members convene annually to determine the winners of our Risk Management Awards,...

Meet Betty Dye, HAI Group's 2021 Risk Champion of the Year

February 8, 2022
HAI Group’s board and committee members convene annually to determine the winners of our Risk Management Awards,...

3 Emerging Risks to Public and Affordable Housing Organizations

October 3, 2022
Your public or affordable housing organization can't develop an informed response to emerging risks if you don't know...