Adopting ISO9001 can improve efficiency and reduce Covid operational risks

Posted on the 27th November 2020

The unprecedented challenges caused by Covid-19 have meant the need for productivity and operational risk management has never been higher. Finance providers will face new drivers of risk including

  • Forbearance and deal restructuring, with high levels of manual calculation and processing required
  • Reduced staff levels, resulting in staff members taking on new responsibilities
  • Working from home with lack of supervision and the associated performance management and risk implications
  • The increased threat of financial crime

Individually and collectively, these factors may significantly increase operational risk and related financial losses.

Applying a standards-based framework to your business can sound intimidating, but there is little to fear and much to gain in taking such an approach. ISO9001 is a well tried and tested framework for driving a quality management approach that can be applied by businesses of any size.

ISO 9001

  • Customer focus is at the core of the standard, and is aimed at both internal and external customers.
  • Brings a consistent quality approach across all processes

Adoption is driven by the senior leadership team meaning no ‘dead spots’

  • It ensures that processes are managed in a consistent and effective manner
  • It establishes a culture of continuous improvement
  • It Identifies and establishes practices that help to manage operational risks
  • It helps to quantify risks and embeds a risk-based approach to decision making

ISO 9001 in Asset and Motor Finance

ISO9001 logic can easily be applied to the operations of finance companies, resulting in a greater focus on satisfying customer needs, reduced operational risks and higher productivity.

Taking a risk-based approach can be good place to start.

Begin by examining operations, looking for potential risks. Some of these will be well-known or may have appeared in operational risk reports.  Identifying and resolving others may require a more systematic approach.  This can be achieved by documenting your processes, looking in detail at the activities within each step of the process and the handovers between them. Anything where an activity is required to rework something provided by a ‘supplier’ activity is a potential risk, as is any activity that relies on, for example, an off-system spreadsheet to perform calculations.  It is also important to establish robust process controls, system-based where practical, and consider how future risks might be embedded within process outputs – for example if incorrect data input may not have an effect until the end of a lease.

It is important not just to document the risks but also to understand the frequency with which they occur, and the scale of risk that they may incur. Then the identified risks can be categorised, creating a risk record. This needs to include not only the risks themselves but also the severity and the likelihood of occurrence.

The next step is to work out how to manage those risks. Ideally, risk should be addressed with a combination of people, processes, and tools. A cross-functional team will help, reviewing the different risk outcomes and then determining how to handle different risk levels. Actions will generally fall under these headings:

  • Accept the risk (i.e., the outcome is worth the risk)
  • Improve the processes and procedures to minimize the likelihood of the risk(s) occurring or to put steps in place to manage the effects. As part of this, if you haven’t already done so, document your processes and keep them continually up to date. This also enables you to identify inefficiencies and waste within the processes, providing opportunities for improvements in throughput and customer satisfaction.
  • If the risk is simply too high, ultimately you may have to avoid it (i.e., stop the process altogether)

Whichever actions are agreed upon, they must be taken quickly and effectively. Using Quality Management tools will support the continuing management of those risks.

We’re currently leading an ISO9001 implementation with one client, including ISO27001 (Information Security Management).  Much of the work involved is structured so we are able to mentor key project staff or directly lead the programme, according to the client’s requirement.

For some, a full ISO9001 programme may be too much to take on right now but the logic is sound and can be applied to manage specific processes that may come under stress, such as transactional restructuring, early and partial terminations or arrears management.

For more information please contact Mark Stoddart at, +44 (0)7764-611936