Managing Building Safety Risks Across an Existing Residential Portfolio

[edit] Introduction

Managing building safety risks across an existing residential portfolio is inherently complex. The Grenfell Tower fire, the subsequent Public Inquiry, and Dame Judith Hackitt’s Independent Review of Building Regulations and Fire Safety highlighted systemic weaknesses in accountability, competence, oversight, and risk ownership across the built environment sector. In response, the Building Safety Act established a more outcome-focused regime centred on the prevention and mitigation of major fire and structural collapse incidents in higher-risk buildings.

Post-Grenfell, organisations are expected to apply the Plan-Do-Check-Act cycle throughout a building’s life. This involves identifying and prioritising safety risks, implementing mitigations through structured and evidence-based decision making, monitoring and reviewing their effectiveness, and demonstrating control to the Building Safety Regulator (BSR). Principal Accountable Persons (PAPs) must also show that ‘all reasonable steps’ have been taken to prevent and mitigate major incidents, so far as reasonably practicable.

This article focuses on the shift from compliance-led management to risk-based decision-making, and the roles of maintenance, remediation, resident engagement, data and digital systems, competence, governance, and organisational culture in delivering safe outcomes across ageing residential stock.

[edit] Building Safety Risk in Existing Stock

The Grenfell Tower Inquiry highlighted that building safety failures are rarely caused by a single issue, but by a combination of design choices, materials, maintenance, management decisions, and organisational culture over time.

Building safety risk covers fire safety, structural condition, electrical and gas systems, water safety, and hazardous materials such as asbestos. In older residential stock (1950s-1990s), these risks are intensified by missing as built data, legacy standards, ageing components, and multiple refurbishments that were not always fully understood or documented.

Many buildings combine original construction with later alterations, some of which may have weakened safety features such as fire compartmentation or escape routes. The Inquiry highlighted how poorly assessed refurbishment works can significantly change how a building behaves in a fire. Over time, structural elements and safety critical systems may also deteriorate or exceed their intended lifespan, creating risks that are not always immediately visible.

No single inspection can provide a complete picture. Effective risk management depends on bringing together evidence from surveys, maintenance records, incident data, and resident reports, and critically analysing how these sources align or conflict. A key lesson from Grenfell is that gaps in knowledge must themselves be treated as risks, requiring professional judgement to determine which issues need immediate action and which can be managed safely over time.

Understanding risk, therefore, is not only about what is known, but also about recognising, assessing, and actively managing what is not yet evidenced.

[edit] From Compliance to a Risk‑Based Strategy

A key change in the regulatory framework is the move away from checklist-based compliance towards an outcome-focused, risk-based approach centred on the prevention of major fire and structural incidents. This reflects the Grenfell Inquiry’s conclusion that compliance alone was not enough to prevent harm.

For organisations managing large and varied portfolios, this requires a strategic shift. Risk-based management starts with profiling stock: building height, construction type, resident vulnerability, known defects, external wall risk and incident history. This helps focus attention on higher-risk buildings, particularly more complex buildings where the impacts of failure are greatest.

In practice, this approach involves three steps:

• identifying risks using a range of evidence,
• prioritising them using professional judgement, and

developing building-specific action plans that clearly define interim controls, remediation pathways, ownership, and review points. Action plans must be deliverable within realistic funding, procurement, and access constraints, and transparently justified where sequencing delays occur. These plans may include short-term mitigation and longer-term remedial works to individual blocks in a programme, but must be realistic, funded, and aligned with regulatory expectations. Risk prioritisation is not static and must be reviewed as buildings, residents and regulatory requirements change.

[edit] Decision Making Under Uncertainty

Managing building safety risks across an existing residential portfolio requires organisations to make consistent, defensible decisions in the face of uncertainty. The Grenfell Inquiry demonstrated how unmanaged assumptions, poorly justified interim measures, and failures to challenge or escalate known risks can allow serious hazards to persist over time. At portfolio level, similar weaknesses can appear as inconsistent prioritisation, delayed remediation, or reliance on advice that is not critically reviewed.

In practice, complete information is rarely available. Access constraints, intrusive survey requirements, funding cycles, supply chain pressures, and resident disruption mean that not all risks can be eliminated immediately across every building. The responsibility of the organisation is therefore not to remove uncertainty entirely, but to recognise it, document it, and manage it transparently.

The Building Safety Regulator expects reasoned and recorded decisions that demonstrate how risks have been evaluated, what evidence has informed the judgement, what uncertainties remain, and how residual risk will be monitored until permanent remediation is delivered. Interim measures should be proportionate, clearly documented, time-limited, and linked to a realistic remediation programme rather than allowed to drift into permanent controls.

Where information is incomplete or conflicting, a precautionary approach should be adopted. Gaps in knowledge should be treated as risks in themselves, with defined actions, review points, and clear escalation where circumstances change or delivery is delayed. Defensible decision making is therefore not about eliminating all risk at once, but about reducing risk so far as reasonably practicable and keeping it under active review until it is resolved.

[edit] Competence as a Safety-Critical Risk Control

Competence is a primary control on portfolio risk. Grenfell exposed not only technical failings but also weak risk interpretation, unchallenged assumptions, and poor integration of advice. Under the Building Safety Act regime, demonstrating ‘all reasonable steps’ depends on informed judgement:

• which risks require urgent action
• which can be managed by interim controls, and
• which justify longer-term remediation.

Organisations should treat competence as a system-level control, particularly at the points where responsibilities pass between clients, surveyors, designers, and contractors. This requires retaining sufficient in-house capability to understand, challenge, and confidently rely on external advice when making and defending safety decisions. Competence should be demonstrable, proportionate to the complexity of the building, and subject to periodic review.

[edit] Maintenance, Remediation, and Legacy Assets

For many organisations, the main challenge is managing older buildings with unclear maintenance histories.

With legacy stock, planned preventative maintenance (PPM) is essential effective risk control when undertaken in conjunction with reactive repairs. Regular checks of fire alarms, emergency lighting, lifts, gas systems, fire doors, and other safety-critical elements support early detection and reduce lifecycle risk.

Remediation work is particularly challenging in occupied buildings, where access, sequencing, and resident disruption must be carefully managed. These pressures increase the risk that poorly planned or commercially driven interventions introduce new hazards rather than reducing existing ones.

Grenfell demonstrated how inadequate maintenance and commercially pressured refurbishment and remediation can undermine safety outcomes, making robust quality assurance and competence non-negotiable.

[edit] How Resident Engagement Influences Safety Risk

Building safety risk is not just technical; it also depends on how residents are involved. Residents are recognised stakeholders, and their engagement is an important part of managing risk.

Residents need to understand fire safety arrangements, evacuation plans, and how to report concerns. Equally important is organisational responsiveness. When residents feel ignored or dismissed, trust breaks down and risks can go unreported.

Large remediation programmes can place additional strain on resident relationships, making clear and honest communication about risks, works, and timescales essential. A key lesson from the Grenfell Inquiry is that listening and reacting to residents matters. Effective engagement acts as an early warning system, highlighting issues that formal inspections may miss.

[edit] Data, Digital Systems, and the Golden Thread

Modern building safety management depends on accurate, up-to-date information. Golden Thread reflects the need for a reliable record of how buildings were designed, built, and are now managed.

Digital systems help track risks, actions, and safety-critical assets, support regulatory assurance, and enable portfolio level analysis of recurring issues. However, technology alone does not provide assurance. Poor quality data, unclear ownership, or incomplete records can give a false sense of control.

A key lesson from Grenfell is that organisations must understand their buildings, be able to evidence that understanding, and ensure that information is used to inform decisions at every level.

[edit] Governance, Accountability, and Culture

Outcome based regulation places clear responsibility on organisations and senior leaders. The PAP must be supported by clear governance arrangements, competent teams, and effective escalation routes. Crucially, those in leadership positions must be capable of understanding building safety risk, assessing the quality of assurance, and challenging decisions and assumptions.

Demonstrating control of risk relies on competent individuals, regular internal audits, independent assurance, and clear records of decisions. Beyond formal structures, organisational culture is critical. A strong safety culture encourages early reporting, challenge, and learning, while cost driven or siloed approaches weaken risk management. Clear thresholds for escalation of emerging risks, including where interim measures fail or where remediation is delayed, are critical to demonstrating control.

Grenfell showed that failures of governance and culture can be as damaging as failures in design or regulation. Where leadership is engaged, there is effective self-challenge and safety is prioritised, organisations are better placed to manage risk effectively.

[edit] Conclusion

Managing building safety risks across existing residential stock is an ongoing task. The Grenfell Tower fire and the Inquiry that followed made clear that compliance alone is not enough to keep residents safe.

Effective building safety management depends on understanding risks, prioritising action, maintaining buildings proactively, engaging residents meaningfully, and using reliable data and clear governance. Organisations that take a joined-up, risk-based approach, supported by strong leadership and accountability, are better placed to protect residents and exceed regulatory expectations with confidence.