At my last position as an Operations Manager, my company was mandated by a national client to register under ISO 27001 certification standards, and as the project lead one of the steps I was assigned was to "manage identified risks".
Simple, right?
"Managing identified risks" sounds all well and good on paper, but companies are complex entities, with many people with differing viewpoints getting into the mix and handling problems (from an outsider's view) with a very short-term memory and erratic method. The idea, when you put a new plan into place at work, is to actually make it easier for employees to do their work.
Almost everyone's eyes glaze over when they hear about ISO certification or workflow process, but really, at the heart of it, an ISO work plan only means 'do what you say, and say what you do'. Often there are real benefits to having a structured plan for the company.
Enter: The Master Log
So, without adding any real complexity to the company, and without generating more paper, we were able to track problems with a simple method that benefitted everyone.
When we implemented our ISO policies, we established a very simple tool. It was a company-wide database that entered and tracked log items for staff members, describing the problem, the due date to deal with the problem, notes on the item, and a score.
We kept this log of events, or items requiring 'exception management'. This could be anything from computer failure, to a staff member's absenteeism, to a client audit requiring action and a report back to them.
In this master log, every item in the log was assigned a Risk Priority Number (or RPN), with scores of 1-10 multiplied together to get a number between 1 and 1000.
DEFINITION - RPN: Cost (of the event) * Probability (of the event occurring) * Detection (probability that the event would be detected before the user was aware of it)
So, when this was set up as a log system that supervisors, managers and IT folks could use, it was able to measure all sorts of things -- everything from how often Sarah Walters in the A/R department has been absent (RPN 3 x 5 x 4 = 60), to whether a critical weekly database backup has been done (RPN 6 x 4 x 6 = 144).
Let's face it, in any company, you are going to keep track of these items anyway -- the problem is they are either kept on paper in someone's filing cabinet, or they are in separate computer files or systems that don't talk to each other, or aren't easily accessible. Imagine, if you will, that anyone can look up how often there has been a Better Business Bureau complaint, or a backup of the database. Now imagine people can look for patterns, and build solutions.
Because let's face it, if you have a manager running in circles pulling her hair out every month because the phone system crashes, don't you think you should do something about it? People forget what happened six months ago because they are busy dealing with the emergency that cropped up this month -- but they shouldn't.
And the five year plan your company established at a high-level board meeting? You can plug in a monthly report on this that the directors of the company can review.
You can establish a simple rule to review issues -- any item that's 'due' is set up to be viewed by the staff member responsible. Items (open or closed) scored over 100 have to be reviewed by a department manager, and any items scoring over 150 have to be reviewed by the board of directors at the next meeting.
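The RPN score and the review rule described above can be written out as a small program. This is an added Python example, not part of the original post or the company's database; the field names, the owners, the dates, the third sample item and the reading of 'due' as "still open with the due date reached" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

MANAGER_THRESHOLD = 100  # post: items scored over 100 go to a department manager
BOARD_THRESHOLD = 150    # post: items scored over 150 go to the board of directors

@dataclass
class LogItem:
    description: str
    owner: str          # staff member responsible (hypothetical field name)
    due: date
    cost: int           # each of the three scores is 1-10, as in the post
    probability: int
    detection: int
    closed: bool = False

    def __post_init__(self):
        for name in ("cost", "probability", "detection"):
            score = getattr(self, name)
            if isinstance(score, bool) or not isinstance(score, int) or not 1 <= score <= 10:
                raise ValueError(f"{name} must be a whole number from 1 to 10, got {score!r}")

    @property
    def rpn(self) -> int:
        return self.cost * self.probability * self.detection

def reviewers(item: LogItem, today: date) -> list[str]:
    """Who must look at this item; score thresholds apply to open and closed items alike."""
    who = []
    # Assumption: 'due' means the item is still open and its due date has been reached.
    if not item.closed and item.due <= today:
        who.append(item.owner)
    if item.rpn > MANAGER_THRESHOLD:
        who.append("department manager")
    if item.rpn > BOARD_THRESHOLD:
        who.append("board of directors")
    return who

def review_queue(log: list[LogItem], reviewer: str, today: date) -> list[LogItem]:
    """Items a given reviewer must see, highest RPN first."""
    hits = [item for item in log if reviewer in reviewers(item, today)]
    return sorted(hits, key=lambda item: item.rpn, reverse=True)

# Constructed sample log: the first two score triples are the post's; everything else is made up.
SAMPLE_LOG = [
    LogItem("A/R staff absence", "a.supervisor", date(2024, 3, 1), 3, 5, 4),
    LogItem("Weekly database backup check", "it.admin", date(2024, 3, 8), 6, 4, 6, closed=True),
    LogItem("Phone system crash", "office.manager", date(2024, 4, 1), 8, 5, 4),
]
```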
A lot can be done with a unified log, and from that log, real exception management can begin -- this means identifying risks, and then learning from them. Either as interested employees, teams reviewing what went right or wrong in the last year, or the board of directors or an external auditor doing a review of the year.
What Does This Have To Do With Credit & Collections?
Collections is simply one aspect of a company's risk management -- recovering accounts that represent a potential loss, or dealing with flaws in the sales and customer acquisition element of a company. If anyone should learn from their mistakes, it should be those involved with Credit and Collections.
Unfortunately, many credit departments and collection agencies get too involved in the symptoms and daily grind of their role, and forget they are in a position to help their company and clients learn from their mistakes.
Credit management isn't just about making people pay their bills -- it's also about finding better ways to keep accounts from going delinquent in the first place.
Conclusion
If you are interested in ISO 27001 standards, or risk management, or proactive company management, I'm always interested to hear what different companies use as measurement and preventative tools. My direct line at Kingston Data and Credit is 226-946-1730.
For further reading on risk management, you may be interested in:
Blair DeMarco-Wettlaufer
Kingston Data and Credit
Cambridge, Ontario
226-946-1730