Adding financial value to business by ISO and Certifications

Insight 

I recently started a leadership talk on Cybersecurity Security and Business value, and it made me think back to my first weeks on the job and what I would tell me “then”, knowing what I know now. 

If you are getting started as a Technologist, then this is for you as well.

I have always felt a hunger to thrive on creativity and a sense of achievement in my career. Which automatically led me to look at the bigger picture of things. I.e., to solve a problem, you need to understand the end to end journey (architecture law – how things work).

No alt text provided for this image

Now, if you can see the accurate picture – you can choose to either be a hero or be an enabler (importantly for people – they drive the business = value = happy customer).

Over the years, I have focused on victory as a whole “Business”. However, I believe focusing on me will take all the fun out of it = no opportunity for any natural talent or leaders to grow hence bad for business (what we call – a train wreck). So today, leaders need to watch out for these practices if they want to grow.

I am grateful for my 15 years at an innovative company Xerox Corporations. Today, Xerox has changed a lot, but still, in people’s hearts, innovation is thriving. Xerox is a good example (back in the day). This company was started by a creative thinker, who everyone rejected for his idea and lost everything (even his house). Sometimes, it just made me wonder why he never gave up. For him, it must have been something more than just a great idea. He must have given his heart and soul to it (no going back attitude)!. Also, it means no space for confusion and no worries of failure (no worries of the dollar). He looked at the whole picture of a problem/solution and followed his dream (solution to copying).

He looked at the “bigger picture”, which has done wonders for everyone and many other start-ups (basically, the whole world know Xerox). Later, researchers at Xerox and its Palo Alto Research Centre invented several essential elements of personal computing, such as the desktop metaphor GUI, the computer mouse and desktop computing. First, the concepts were adopted by Apple and later Microsoft.

Xerox was founded in 1906 in Rochester, New York, as The Haloid Photographic Company.

In 1938, Chester Carlson, a physicist working independently, invented a process for printing images using an electrically charged photoconductor-coated metal plate and dry powder “toner.”

Enough about Xerox (it’s about the character)

“A Journey of a Thousand Miles Begins with a Single Step”

Let’s talk about, how ISO certification can add business value of 2% to 3%.

So, What is ISO?

Think of them as a formula that describes the best way of doing something.

It could be about making a product, managing a process, delivering a service or supplying materials – standards cover many activities.

Standards are the distilled wisdom of people with expertise in their subject matter and who know the needs of the organisations they represent – people such as manufacturers, sellers, buyers, customers, trade associations, users or regulators.

No alt text provided for this image

For instance,

  1. Quality management standards (ISO 9000) to help work more efficiently and reduce product failures.
  2. Environmental management standards (ISO 14000) help reduce environmental impacts, reduce waste and be more sustainable.
  3. Health and safety standards (ISO 45000) to help reduce accidents in the workplace.
  4. Energy management standards (ISO 50001) to help cut energy consumption.
  5. Food safety standards (ISO 22000) to help prevent food from being contaminated.
  6. IT security standards (ISO/IEC 27001) to help keep sensitive information secure.

How ISO Standard Benefits Business?

Companies that use standards and actively develop those qualities most see them as linked to their core business strategy and realise that standards benefit their organisation. However, some are not as aware of the benefits, and some perceive the benefits differently, at a cost to their business at times.

Benefits include (ISO in overall)

  • Increased reliability and security of systems and information.
  • Improved customer and business partner confidence.
  • It increased business resilience.
  • Alignment with customer requirements.
  • Improved management processes and integration with corporate risk strategies.

Achieving ISO 27001 certification in particular shows that a business has

  • Protected information from getting into unauthorised hands.
  • Ensured information is accurate and can only be modified by authorised users.
  • Assessed the risks and mitigated the impact of a breach.
  • It has been independently assessed to an international standard based on industry best practices.

Research around the world over the last few years has consistently indicated that implementing an ISO standards/management system to replace the “way we have always done it” pays significant measurable dividends. There is also evidence that better-performing firms self-select to adopt certifications.

How does the ISO quantify the value of Standards?

The development of the ISO Methodology was brought about to provide a consistent approach to measuring the economic benefits of standards by identifying and measuring the financial contribution the use of Standards makes to company profits or costs/revenues. 

Extensively tested globally, the results show that the value can be quantified and that those figures show business growth. The standards assessed by the ISO Methodology are known as ‘external standards’, in that they have not been created and implemented by the company themselves.

As said by Gerry Lee, Managing Director (Business Groups) and NTUC FairPrice (Singapore)

“To be able to measure and quantify how standards have helped our organisation and our customers is invaluable, enabling us to identify areas where we have done well, areas that we can further improve upon and gaps that we need to bridge.” 

How does the Value Chain save money?

The Value Chain is the foundation of the ISO Methodology and subdivides a company’s operations into several essential business functions.

No alt text provided for this image

Analysing the Company Value Chain: http://www.iso.org/iso/ebs_case_studies_factsheets.pdf

Financial Value Predictions

  • Profit margins were shown to be 2 – 3 % higher than the industry average for ISO registered companies
  • Return on investment (ROI), when measured, showed that the majority of businesses recover the costs of registration within three years or less
  • On-going savings were recorded when the company implemented the management systems as a form of continuous improvement.
  • Waste and energy costs were controlled and reduced.
  • Improvement in efficiency help to reduce overheads.

Increased Customer Base

  • Quality certification is now essential for growth in a competitive marketplace to stand out from competitors.
  • More valuable customers, e.g. public sector, more giant corporations, which have their ISO/Quality Management Systems (QMS) in place, demand similar certification from the suppliers.
  • The promotion of a business having achieved ISO certification is a valuable marketing tool.

Better Management Control

  • The implementation of ISO 27001/9001 directly and positively influence operational performance.
  • Performance improvement is statistically significant.
  • Time, money and others resource are utilised efficiently.
  • When managers support implementation fully, the process works better
  • Internal motivation is directly affected and enhanced

Benefits

  • Experienced auditors trained and qualified by IRCA or an equivalent approved training body.
  • Smooth integration of existing systems.
  • A powerful marketing tool.
  • Fixed fee for easier budgeting.
  • Consultancy help with documentation.
  • Measurable savings.

How it works

A specialist Auditor will:

  • Assess existing procedures.
  • Identify existing conformances.
  • Analyse gaps.
  • Prepare appropriate manuals.
  • Supply draft for client approval.
  • Present manual for certification.

Once documentation and manuals are in place, they will be reviewed by QAS international or an industry-specific certification body for certification.

Developing skills & ISO Focus

Internal ISO training enables a business to keep up to date, applying best practices and leading a culture of continuous improvement.

The following focus ISO areas for a company is recommended 

ISO 27001 Information and Data Security

ISO 27001 is a management system that identifies, manages and minimises a range of threats to business information. 

Through ISO 27001, you can:

  • Protect your client confidential data.
  • Identify areas of potential loss.
  • Reduce delays and downtime.
  • Ensure staff are aware of their individual responsibilities.
  • Demonstrates a duty of care.
  • Set up preventative action.
  • Protect your intellectual property.
  • Provide a framework for legal compliance.

ISO 9001 Quality Management

Based on your existing systems, ISO 9001 demonstrates that you have implemented and documented processes that meet the international standard.

Proven benefits include

  • Increase efficiency.
  • Supply chain advantage.
  • A powerful marketing tool.
  • Internationally respected and recognised.
  • Potentially 15-20% savings.
  • Practical help with documentation and manuals.
  • Continuous improvement.

ISO 14001 Environmental Management

What is good for the environment is also good for your business. ISO 14001 certification proves that you have an Environmental Management System (EMS) in place, leading to:

  • Savings on energy and materials.
  • Lower distribution costs.
  • Reduced costs of waste management.
  • Support supply chain policies.
  • Improves efficiency and motivation.
  • Improved corporate image.
  • Competitive advantage.

BS OHSAS 18001 Occupational Health & Safety Management

Accidents can happen at any time, with long-term consequences for your business and your employees.

Achieve this standard, and you will gain:

  • Reduced risk of prosecutions.
  • Faster completion of tenders.
  • Reduced insurance premiums.
  • Supply chain advantage.
  • Less downtime and delays.
  • Protection for your employees.

Other standards that can implement include:

  1. ISO 22301 – Business Continuity.
  2. AS 9100 – Aerospace.
  3. ISO 13485 – Medical Devices.
  4. ISO 2000 – IT Service Management.
  5. ISO/TS 16949 – Automotive.
  6. ISO/IEC 17025 – Laboratory Testing.
  7. ISO 22000 – Food Safety Management.

Case Study 

The TJX Companies, Incorporated (NYSE: TJX), is the largest international home fashion departmental store chain in the United States based in Framingham, Massachusetts. By 2004, the company moved up to the 141st position in the Fortune 500 rankings and was a $17 billion worth of business. In 2007 TJX revealed that its security system had been compromised, and some 45.7 million customer accounts had been affected. 

The most significant known theft of credit-card numbers in history began in 2005 outside a discount clothing store near St. Paul, Minn. Hackers used a telescope-shaped antenna and a laptop to decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers. Once in, they were further able to penetrate into the central database of TJX Cos. in Framingham, Mass. During the next two years, they had been able to smuggle credit card data from the system and sell or use them in fraudulent card transactions amounting to $8 million or more. 

What went wrong?

The following information was uncovered during a subsequent security analysis performed. 

  • Loose compliance with regulatory standards such as PCI DSS (Data Security Standard) for storing and transmitting credit/debit card information.
  • Store systems were based on a weak wireless security protocol (WEP).
  • Lack of additional security features such as firewalls and software patches on these systems.
  • Track2 information, such as account numbers, expiration dates, encrypted personal identification numbers, along Social Security Numbers and driver’s licenses, were stored for unusually long periods of time.
  • Lack of clear segregation and access control systems implemented for the critical information on TJX’s central servers. This additionally made the information easily available to the hackers.

Aftermath

  • $9.75 million breach settlement charges with 41 states to cover the costs of investigating the incident.
  • An initial budget of $100 million for the possible security upgrades
  • Several customer lawsuits for damages
  • Heavily damaged customer loyalty and hence loss of business.

From this case study, it is evident a well-functioning information security framework within the organisation is necessary for preventing such security oversights, which can become very costly. 

This is where a standardised security system becomes vital. Specially IS0 27001 is very important in this regard since it is the de-facto standard for establishing, maintaining and improving an Information Security Management System (ISMS).

Happy to answer and learn, if you have any questions, comments, or suggestions.

Thank you for reading.

References:

ISO Fact Sheet – Economic benefits of standards (iso.org)

The ISO27k FAQ. –  http://www.iso27001security.com/html/faq.html

Security Breach: The Case of TJX Companies, Inc. https://aisel.aisnet.org/cgi/viewcontent.cgi?article=3391&context=cais

Leave a Reply

Your email address will not be published. Required fields are marked *

18 − fourteen =