Receivable/Accounts - Information for Credit and Collection Issues

Tuesday, September 3, 2013

ISO 27001 - Learning From Your Mistakes



At my last position as an Operations Manager, my company was mandated by a national client to register under ISO 27001 certification standards, and as the project lead one of the steps I was assigned was to "manage identified risks". 

Simple, right?

"Managing identified risks" sounds all well and good on paper, but companies are complex entities, with many people with differing viewpoints getting into the mix and handling problems (from an outsider's view) with a very short-term memory and erratic method.  The idea when you put a new plan into place at work, is to make it actually easier for employees to do their work.

Almost everyone's eyes glaze over when they hear about ISO certification or workflow process, but really, at the heart of it, an ISO work plan only means 'do what you say, and say what you do'.  Often there are real benefits to having a structured plan for the company.


Enter: The Master Log

So, without adding any real complexity to the company, not generating more paper, we were able to track problems in a simple method that benefitted everyone. 

When we implemented our ISO policies, we established a very simple tool.  It was a company-wide database that entered and tracked log items for staff members, describing the problem, the due date to deal with the problem, notes on the item, and a score.

We kept this log of events, or items requiring 'exception management'.  This could be anything from computer failure, to a staff member's absenteeism, to a client audit requiring action and a report back to them.

In this master log, every item in the log was assigned a Risk Priority Number (or RPN), with scores of 1-10 multiplied together to get a number between 1 and 1000 (Risk Priority Number (RPN)

DEFINITION - RPN: Cost (of the event) * Probability (of the event occurring) * Detection (Probability that the event would be detected before the user was aware of it)

So, when this was set up as a log system, that supervisors, managers and IT folks could use, it was able to measure all sorts of things -- everything for how often Sarah Walters in the A/R department has been absent (RPN 3 x 5 x 4 = 60), to if a critical weekly database backup has been done (RPN 6 x 4 x 6 = 144).

Let's face it, in any company, you are going to keep track of these items anyway -- the problem is they are either kept on paper in someone's filing cabinet, or they are in separate computer files or systems that don't talk to each other, or aren't easily accessible.  Imagine if you will, anyone can look up how often there has been a Better Business Bureau complaint, or a backup of the database.  Now imagine people can look for patterns, and build solutions. 

Because let's face it, if you have a manager running in circles pulling her hair out every month because the phone system crashes, don't you think you should do something about it?  People forget what happened six months ago because they are busy dealing with the emergency that cropped up this month -- but they shouldn't.

And the five year plan your company established at a high-level board meeting?  You can plug in a monthly report on this that the directors of the company can review.

You can establish a simple rule to review issues -- any item that's 'due' is set up to be viewed by the staff member responsible.  Items (open or closed) scored over 100 has to be reviewed by a department manager, and any items scoring over 150 has to be reviewed by the board of directors at the next meeting.

A lot can be done with a unified log, and from that log, real exception management can begin -- this means identifying risks, and then learning from them.  Either as interested employees, teams reviewing what went right or wrong in the last year, or the board of directors or an external auditor doing a review of the year.


What Does This Have To Do With Credit & Collections?

Collections is simply one aspect of a company's risk management -- recovering accounts that represent a potential loss, or dealing with a flaws in the sales and customer acquisition element of a company.  If anyone should learn from their mistakes, it should be those involved with Credit and Collections.

Unfortunately, many credit departments and collection agencies get too involved in the symptoms and daily grind of their role, and forget they are in a position to help their company and clients learn from their mistakes.

Credit management isn't just about making people pay their bills -- it's also about finding better ways to keep accounts from going delinquent in the first place.


Conclusion

If you are interested in ISO 27001 standards, or risk management, or proactive company management, I'm always interested to hear what different companies use as measurement and preventative tools.  My direct line at Kingston Data and Credit is 226-946-1730.

For further reading on risk management, you may be interested in:


Blair DeMarco-Wettlaufer
Kingston Data and Credit
Cambridge, Ontario
226-946-1730