What Leaders Can Learn From ISO Consultants

Show Notes

Summary

In this conversation, Robert Clements from Assent Risk Management discusses the evolution of ISO standards, the role of consultants, and common misconceptions about ISO certification. He emphasises the importance of documentation, communication, and leveraging ISO standards for business growth. The discussion also covers the challenges faced during audits, the differences in approach for startups versus established businesses, and strategies for promoting ISO certification post-achievement.

Takeaways

ISO consulting has evolved significantly over the years.

Documentation should be practical and not overly burdensome.

Clients often misunderstand the role of consultants in ISO certification.

ISO standards can help businesses grow and scale effectively.

Internal audits are crucial for identifying potential risks.

Startups can benefit greatly from implementing ISO standards early on.

Communication with consultants is key to successful ISO implementation.

Overcomplicating ISO processes can hinder effectiveness.

Promoting ISO certification can enhance business credibility.

The human aspect of consulting is vital for successful client relationships.

Chapters

00:00 Introduction to Assent Risk Management

00:49 The Evolution of ISO Standards

03:02 Rob's Journey into ISO Consulting

05:19 Understanding the Role of a Consultant

08:48 Common Misconceptions about ISO Standards

10:42 The Importance of Documentation

12:41 Effective Communication in ISO Implementation

14:36 Changing Perceptions of ISO Standards

16:39 Knowledge Transfer and Client Involvement

19:02 The Leadership Role in ISO Implementation

21:30 Navigating the Certification Process

24:27 Tailoring Approaches for Startups vs Established Businesses

26:58 The Value of Internal Audits

29:17 Maximising the Benefits of Certification

32:04 Learning from Audit Experiences

34:27 Engaging Effectively with Consultants

Key Links

Auva Website: www.auva.com

Apple Podcast:  https://podcasts.apple.com/gb/podcast/by-all-standards/id1771677594

Spotify: https://open.spotify.com/show/79OUNj3vY9dmESR3okwHJa?si=871837f56dc149b6

Youtube: https://www.youtube.com/@auvacertification/podcasts

LinkedIN: https://www.linkedin.com/company/auva-certification-ltd 

Instagram: @auvacert

Michael Venner:  https://www.linkedin.com/in/michaelvenner-isocertificationexpert/ 

Assent Risk Management Website: assentriskmanagement.co.uk & clemarkgroup.com

Rob Clements LinkedIN: https://www.linkedin.com/in/robert-clements-6a9a8b10/

Chapters

• 0:00: Introduction to Assent Risk Management
• 0:49: The Evolution of ISO Standards
• 3:02: Rob's Journey into ISO Consulting
• 5:19: Understanding the Role of a Consultant
• 8:48: Common Misconceptions about ISO Standards
• 10:42: The Importance of Documentation
• 12:41: Effective Communication in ISO Implementation
• 14:36: Changing Perceptions of ISO Standards
• 16:39: Knowledge Transfer and Client Involvement
• 19:02: The Leadership Role in ISO Implementation
• 21:30: Navigating the Certification Process
• 24:27: Tailoring Approaches for Startups vs Established Businesses
• 26:58: The Value of Internal Audits
• 29:17: Maximising the Benefits of Certification
• 32:04: Learning from Audit Experiences
• 34:27: Engaging Effectively with Consultants

Transcript

Michael Venner (00:00)

Most people hear the word ISO and think of clipboards, audits and paperwork. But today's guest helps companies transform how they think, lead and scale using ISO as the vehicle.

Michael Venner (00:16)

Before we start, have a little disclaimer. We are not solely recommending Ascent during this podcast. There are many great consultants in the industry and there are a number of these on our website where you can source a range of consultants in your area. Just like Ascent can't recommend any specific certification bodies, we can't recommend any specific ISO consultants. Enjoy the discussion.

Michael Venner (00:46)

Okay, Robert, thanks for joining us. If you want to just tell everyone a little bit about yourself, first of all.

Robert Clements (00:52)

Yeah, well thank you for having me. My name's Rob Clements from Assent or Assent Risk Management. I founded the company many, many years ago now and seen a lot of evolution in the industry, but essentially we are consultants for various ISO standards. We have some very good people that specialise in the different areas like health and safety, quality, information security, but essentially we help clients.

implement those systems in a way that works for their business and we guide them through the process of certification with guys like yourselves.

Michael Venner (01:27)

Yeah, so you don't just put a system in and walk away like some people do and leave the client to it. Kind of get quite involved.

Robert Clements (01:33)

No, that's right. Well,

exactly right. think the old days of having a ring binder where you photocopy everything and just change the name. think that doesn't work for anyone these days. Definitely not the client and I think probably not good for you guys either. yeah, we're very much, very much customized now. Yeah, it is difficult.

Michael Venner (01:47)

No, no, makes everyone's job difficult.

Yeah, just specialise any specific standards. Is there any?

Robert Clements (01:58)

Well, yeah, it's got a broad range of standards over the years. We've been going for more than 20 years. So in that time, we were one of the early adopters of ISO 27001. So when that became an international standard in around 2005, I think, wasn't it? I think you're too young for that. 2005, it was information security, ISO 14001 for environment and then

Michael Venner (02:16)

Nice of you to say.

Robert Clements (02:26)

quality, obviously ISO 9001 biggest standards still is and since then it's expanded into many different areas and we've we take more of a kind of technology approach so we've gone down the avenue of all the basic or the normal ones 45001 but also the techie ones like ISO 22301 for business continuity so that is an area we specialise in.

And now we're looking as we were talking about earlier off mic about the AI standards, so ISO 42001 I think that's one that we would definitely focus in on. But really, any standards, we would consider any standards as long as we had expertise and competence in that area and we've got a good database of people that we work with regularly that have different competencies.

So we'd always refer to that first, make sure we could do the job. yeah, 

Michael Venner (03:19)

Yeah, good.

Yeah, not just take anything on, which I know some consultants do. Yeah, I can do that, but yeah, maybe not got the confidence. Yeah.

Robert Clements (03:26)

Yeah,

no, that's right. Obviously, we don't like to do that if we can deliver on something. But there are certainly jobs that we turn down because, example, in nuclear, we don't do anything in nuclear at the moment, although there's a big supply chain for nuclear power and standards associated with that. That's not an area that we're in at the moment. Maybe in the future, we have the competency, but we link everything back to competence of the people that are our people.

Michael Venner (03:51)

Yeah. Yeah. So how did you first get into it then? Obviously you said about 20 years ago. How did you first did you wake up one day and just think, I  know, I'm going to be an ISO consultant. How did that happen?

Robert Clements (04:02)

No, you know, I've asked many people this and no one's ever told me they woke up and decided to do ISO. You know, neither consultant nor auditor nor client. But I think I, many, many people that come into this and I kind of fell into it. I have an IT background, so we were doing IT stuff. Back in those days, things were a bit more difficult. So things like web design and networking tended to be professional IT people.

Michael Venner (04:07)

You

Okay.

Robert Clements (04:31)

like us that did that. Nowadays, everyone can do it, rightly so. But it was through that, through that sort of technology aspect that one of the clients we worked with was asked by their customer to get ISO 27001, which of course we all know is not just IT, it's about information security, but so much of it, even back then, was IT related. So that's how it kind of got put on our plate.

Michael Venner (04:32)

Hmm.

Robert Clements (04:53)

to help them understand it and deliver it. And from my personal perspective, I think a lot of the people at that time were quality management people and not technical people. So they're great with documentation, but maybe didn't understand some of the controls in 27001 So I found that we could really benefit the client by supporting them with that standard. And from there, if I'm honest, it was just about having a nicer life.

Michael Venner (05:06)

Hmm.

Robert Clements (05:19)

An ISO consultancy is quite a nice life, quite friendly, low stress if you do it properly, low stress environment. Whereas when you're working in IT and something's broken, it's panic and it's your fault even though you've never touched it and you've got to fix it quickly. So it just seemed like a sensible decision to me to go somewhere where we could have a coffee and some biscuits and talk to some nice people and get the job done rather than the panic of IT support.

Michael Venner (05:41)

Hmm.

Yeah, it's quite different actually, because like you say, most people, they're a quality manager in a company and then they may redundant or semi-retiring. I know I'm to be an ISO consultant. So it's a bit different really.

Robert Clements (05:59)

Yeah, it certainly was niche in those days. think nowadays, because there's so many different standards, broader range of standards, I think different types of people are coming into it. certainly lots from the military, for example, moving from there to careers in standards. So I think we're much more diverse now than we were. But certainly back in those days, they were all quality managers that, as you say, retired or wanted a better life outside.

Michael Venner (06:11)

Mm.

Hmm.

Yeah, definitely, definitely. So do you think the role of a consultant is misunderstood out there?

Robert Clements (06:31)

Yeah, so depends who you talk to, right? So, yeah, I certainly think consultants. There's obviously a range of consultants that are good ones, bad ones. And also I think different consultants fit different types of companies and how they work. And it's a very human job, same as auditing is actually. There's a lot of the human aspect to it, although we're...

Michael Venner (06:33)

Yeah.

Robert Clements (06:52)

applying clauses and controls, you've got to kind of understand the human aspect to that. Yeah, I think when we work with clients, I always say, firstly, we're on your side to make this work for you. And although they're called standards, the way that you implement them is not standard at all, because they're written for any type of company, aren't they? And so part of our job as consultants, I think, is to interpret that, is to interpret what the spirit of the standard is.

and what it's trying to achieve and then look at what the client's actually doing already. Because mostly we find clients are doing really good stuff already. It's just you've either got to evidence it or write something down or put some formality around it. And so we're really interpreting those things and helping the client to do it for themselves. I think that's another thing that has changed in recent times is consultants have

kind of less ownership of the system than they used to. It's the client system now and the client operates it. We're there to support and advise and help. But really the clients are much more engaged nowadays, I think, and take more ownership of it and we're just there to help.

Michael Venner (07:57)

find that some people though they assume you're just going to come in and wave a magic wand and do everything for them and they think they haven't got to do anything themselves is that something you sort of find?

Robert Clements (08:08)

Occasionally, yeah, mean, sometimes it can be a resource issue, right? So it could be that there's a deadline or an external audit coming up and they've got a bit behind and what they actually want from us is our time to work on this, which to some extent we can facilitate because there are things we can do. But there's always a limit in terms of effecting change in  the company or in a client because we don't have authority to do that. So we do need the backing of the leadership of the client.

but yeah, when it comes to, resourcing and providing resources, that's one area we can help. we can't be completely responsible for somebody else's system though. and yeah, you're right. Some, sometimes occasionally that comes up, but I think in our initial scoping of the project or scoping of the support program, I think we tend to identify that pretty quickly. and those either we change what we, or they change their mindset or we just don't work with those.

those people generally.

Michael Venner (09:04)

So sometimes you sort of walk away and say this, you we're not gonna, we're not good fit. Is that something that happens?

Robert Clements (09:10)

Yeah, again, very occasionally. We don't like to walk away from anything if we can deliver on it. And actually the clients that come into us are generally pretty good, nice people in it for the right reasons. So it doesn't happen very often, but you know, in a similar way, I guess to you guys, you have to be sure that you can fulfill the certification of a client and, you know, tick all the boxes, be competent and that they're going to achieve what they want out of the certification.

I think we have exactly the same, you we want to make sure we can get to the end goal with a client. And if we can't, then obviously we'd be clear and transparent about that. As I say, it doesn't happen too often, luckily, but there are occasions.

Michael Venner (09:49)

Yeah. Yeah. So what's the one thing you think business owners get wrong about ISO standards and things like that? Is there a kind of a key thing that you find you're always having to work on and trying to work with

Robert Clements (10:03)

I think probably in general, I would say people overcomplicate it and probably over document stuff. you're left to your own devices as a client, I think the temptation is to read the ISO standards and then document everything, every line as an associated document. And you know, sometimes maybe that's the right thing to do, but generally what we care about is the evidence of it happening right.

And I think ISO have made a real effort lately to reduce the burden of documentation to the point where you document stuff that's useful. So if it's going to serve your business to do that, that's great. But if it doesn't, then don't waste your time documenting it. Just do it and prove that you're doing it. And I think that's where a lot of people get wrong. I think that's where a good consultant can come in. And as I said before, clients are doing good stuff already. it's not.

throw that out the window. Just take that and then just make sure it complies with the standard and make sure it's clear.

Michael Venner (11:00)

Yeah,

I think that's quite important not to shoehorn because obviously you got templates because you do it so long, but not shoehorn that into something that already works. You know, I think that could be a bad consultancy really when they do that. Yeah, just and then they don't use it, do they? The company doesn't use it.

Robert Clements (11:06)

Of course.

No, that's

Yeah, you've really got to win hearts and minds in the company and get support for what you're doing. And I think whether it's ISO or whether it's just compliance stuff in general, it tends to have a bad name out there. it's a bit, people think it's a bit like the police force, you know, you've been told to do something you don't want to do. And we're really careful when we go into places not to have that reputation, you know, trying to build.

a more collaborative approach where, as I say, we're on your side, not just the company, the company side, but the side of the employees that have to do this stuff every day. you you must have seen lots out on the factory floors and, you know, machine shops and stuff. The guys there are generally really good guys, just want to do their job, do it properly, go home safely and be rewarded for that. So the work we do is really just to make

these processes and these compliance pieces second nature so they're just doing it anyway, they're not even thinking about it. It shouldn't really affect them on a day to day basis hopefully.

Michael Venner (12:15)

Yeah.

It's kind of no effort type thing in that sense, isn't it? It just works and runs smoothly. I hate it when I go into places that haven't necessarily used a consultant and they just give me this massive, know, it be a small company, 10 people or something. They basically download it off the internet and it is mammoth documentation. I'm flicking through it. I'm like, what is all of this? And they feel they've got to have it, haven't they?

But in reality, like you say, haven't got to have that amount of paperwork anymore. It's, you know, document what you have to, but no more than that, really.

Robert Clements (12:43)

Yeah.

Yeah, yeah,

absolutely. And I think the danger of having lots of documentation is there's lots in there that can catch you out. There'd be things in there that you've committed to that you don't even know about. especially as the years go by, different people come in and out of the company. You want something that's really easy to understand. We often will still use a document, a quality manual, whatever manual, although it's not a requirement of the standards.

Michael Venner (13:02)

Yeah.

Hmm.

Robert Clements (13:16)

The reason that I quite like that terminology is because a manual is an instruction book, right? So the idea is someone new coming into the company should be able to pick that up and be able to understand how everything works. And for that reason, you don't want it to be too long because no one will read it. It's going to have the right level of information and the key stuff in. But yeah, documentation is definitely a risk factor.

Michael Venner (13:31)

Hmm. Alright.

Do

you sort of use words or more like flow charts? What's your preference? Or have you got a bit of both?

Robert Clements (13:44)

Yeah, I think we're a bit of both actually. So for processes, I love flow charts and process maps and just box, box, box, and then outcome. And it's really easy to communicate stuff that way, I think. And easy for people to make those diagrams up. And when something changes, you can easily understand it. So yeah, we use a lot of diagrams, flow charts and stuff in Visio, which obviously we can give to the clients and they've got the edit rights on it, lives on their tenancy.

Michael Venner (14:08)

Hmm.

Robert Clements (14:09)

So we a lot of that, but also it depends on the use case, doesn't it? Sometimes some people prefer wordy stuff, some people prefer pictures that we try and adapt.

Michael Venner (14:17)

Mm-hmm.

and adapt to both. Yeah the visual stuff's good for quick learning isn't it, people on the shop floor to get an understanding of what the process is. It makes my life easier as well to be honest, I don't like reading so yeah pictures I love it yeah. So do you think there's a particular clause that's often misunderstood by people like a specific area of any of the standards that people just totally get wrong?

Robert Clements (14:27)

Yeah.

No, me neither actually, funnily enough.

Yeah.

I think, so if we're talking about Annex SL sort of the integrated system as a whole. I think maybe one area we're not perfect at either, but you really have to focus on is within our clause six is risks and opportunities. And I think there's a real tendency for all of us and ourselves included to focus on risks and the negative and what could go wrong, and not take full advantage of those opportunities that it discusses in there as well. So.

you know, not that that's a necessarily a huge problem because risks do need to be managed, but I think we could all definitely make more of the opportunities in that section.

Michael Venner (15:18)

Yeah, take hold of it and do something with it. Do you ever, do you get people say, ISO slows us down? Do you sometimes go into a company that's already certified and they sort of think, I don't want to do it anymore because it just slows me down. Do you ever come across that?

Robert Clements (15:33)

Yeah, unfortunately, I think you probably do a lot. And I don't know about you as well, you probably do as well. I think where that's the case, there's probably something wrong. So maybe it's like we were talking about too much documentation or maybe what they do has changed. so now their management system doesn't meet what they're actually doing. There's normally an issue there. I think people can feel held to ransom a bit because if they've got a big customer, there's

Michael Venner (15:37)

Yeah.

Robert Clements (15:59)

forcing them in their mind to do this stuff. I can kind of understand how they might start begrudging that process. But it will be because the system isn't right for them, it's not set up in the right way and they're not getting the benefits out of it for themselves and they just feel like they're doing it for someone else. So that could be challenging when that comes up and it is a case of changing the perception of the system and realigning it I think.

Michael Venner (16:02)

Mm-hmm.

and do you eventually win those people over? mean, I'm guessing not every time, but do people slowly start to realise there are some benefits to this?

Robert Clements (16:32)

Yeah, hopefully, I think so. mean, one thing that we were quite keen on early on in our consultancy was knowledge transfer, as we call it, but basically just sort of educating the people we're working with, so our clients and their representatives, you know, sharing information, sharing our knowledge with those people to, you know, for the benefit of everyone. And, you again,

don't want go back to the old days too much, but in the old days I think there was an idea within consultancy that you should keep your knowledge to yourself because that's what people pay for. They're paying for your knowledge. Whereas nowadays you can go on Google or other search engines or you can go on AI chatbots and you can access everything that me and you know, Michael, if you've got enough time to sit there and do that, you could. And I think that's no longer the driver for clients necessarily coming to us.

Michael Venner (17:01)

Hmm.

Robert Clements (17:20)

It's not just about the knowledge that they want access to, but it's the whole package. It's how do we deploy that knowledge? How do we do it best for us? How do we do it in the quickest possible way? One of the most efficient way.

Michael Venner (17:33)

And how do you sort of go about that? You you're setting the system up, so how do you relay that knowledge?

Robert Clements (17:38)

Yeah, so we take a structured approach personally here. So we go through whenever there's a new standard, we'll sit down with our people here that are interested and we'll break it apart. So, you know, we were talking earlier about the AI standards for ISO 42001 We had a series of sessions where anyone that was interested here, we jumped on a call, we had a meeting and we went line by line through that standard. And we tried to interpret it and we tried to apply it to different types of company.

and work out what it really means. And after a few of those sessions, you tend to end up with a project plan, which is a series of steps that you walk through, which, you know, is sort of fairly high level. So it kind of fits most companies. But then as you start to work with those standards, you learn from it over the years and you add different tasks in and you customize it for each company anyway.

But generally there's a series of steps that you go through to make sure that they've got what they need.

Michael Venner (18:33)

Yeah, and then when you first start implementing it the client, is there quite a lot of involvement from the client you need or is it just one person you need to tap into there or is there a of team of the people?

Robert Clements (18:44)

Yeah, this is a really good question actually. It's something that we get asked a lot at the quoting stages on who should be involved. And generally, think you tend to have one person that coordinates it from their side. I think you kind of need that because being, you know, for all intents and purposes, we're an outsider, although we get to know the companies very well and we're on friendly terms. We are external, so we do need a key point of contact. But then from there, I think as you work through the standards,

Michael Venner (18:49)

Hmm.

Robert Clements (19:10)

Often we would start with a gap analysis exercise, for example. That really helps to highlight who needs to be in the room for each part of the standard, each part of the management system. They obviously all interlink, interact with each other in those processes. But once you do that gap analysis, then you have a group of people at the company that are involved.

And you can start to be more efficient with people's time because the last thing they want to do is be on a meeting all day long on the team's meeting, you know, going through this stuff. You want to kind of share that around the group a little bit. So, yeah. And it depends on the standards as to who those people are.

Michael Venner (19:45)

Yeah, yeah. And you find sometimes there's people that just don't want to get involved. You know, it's sort of lumbered with one person, they'll deal with it and, you know, we don't want to know. Do you get that?

Robert Clements (19:58)

Yeah, well, think, I think this is a leadership issue, more often than not. so for something like ISO 27,001, we talked about that being information security, but often, you know, the leadership will put that with the IT manager or the IT contact. you know, which is not necessarily a bad thing because you can get a lot, a lot of progress there, but sooner or later they have to bring in other people because you're covering parts of HR or you're covering.

Michael Venner (20:12)

Hmm.

Robert Clements (20:25)

physical security or something like that. I think, you know, however it starts, it can naturally spider out into the organisation. Yeah, or drags people in the air. Yeah, one of them. Yeah, I you might be right there. Yeah. And I think there's, there's a real fear of failure, isn't there? So, know, I've been working with a client this week and, know, very nice client in London, working on a standard.

Michael Venner (20:33)

drags people in. Kicking and screaming.

Robert Clements (20:52)

that is the first one they've had. They haven't had any other standards. and it was, the sort of operations manager that was leading this. and people really want to get this right. Most of the time, you know, I really do think most humans in this industry, they just, they want to get it right. And they want to do a good job. And when you're being audited by people like yourselves, it's, can feel, to daunting and intimidating. And you start to think what happens if we fail this and.

know what's the leadership going to think and have I done my job properly and I think the first time can be very stressful. Again, part of our job as a consultant is to try and reassure and calm that down and try and preempt potential issues and smooth the process over. That's why we're working with certification bodies like yourselves where we've got a good relationship and we're all trying to achieve the same goal, which is really that the client complies with the standard, right? We want them to.

to meet the standard. And I think that's really important because you can get auditors, obviously not from Auva but from other places that can be quite stern and quite impersonal and quite borderline aggressive, I would say sometimes. And we just don't want to be working in that environment. It's not fair on the client side.

Michael Venner (21:52)

there.

Hmm.

No, I like to say we're all trying to get to the same goal. We want them to be certified. They obviously want to be certified. You obviously want your clients to be certified. And I think sometimes certification bodies forget that this is a service. There is a choice. Why go in and be aggressive? know, people don't make mistakes on purpose, I find. So it's maybe a misinterpretation or, you know, someone had a bad day or system lapse, whatever it is, you know, just

Okay, there's a problem, move on from it. We don't need to beat anyone up. That's not what we're there for, is it? And you're there to support them to make that journey as smooth as possible. Yeah. So do you approach it any different for like a startup to someone that's quite well established as an organisation big and small? Do you approach it any different or is it, how's it work?

Robert Clements (22:46)

Yeah, absolutely.

Yeah, think every client is different every time you go in. But yeah, there's obviously a marked difference between a startup in the early stages of their development and a more established business. So I think we would customize our approach to either. And we work across lots of different types of businesses and at different points in the lifecycle. Startups would be quite interesting, I think, because

Sometimes they're funded by certain investors or VCs or whatever. And you might think that this would be a real burden to them to have ISO. But actually they see it as an important part of their development and their growth. And we're seeing more now that investors are putting value on the system.

of governance because the management system, so it's a system of managing the company, right? And they're putting value on not only that, but having that certified by an impartial third party. So they're kind of, from an investor point of view, I think they kind of get two bites of the cherry there because they've got a structured management system in place so that they know that that startup is managed well. And they've also got the impartial, you know, check from you guys and the certificate.

that confirms that it's all going well. So yeah, think start-ups get a lot of value from ISO As established businesses, obviously they're doing lots of good stuff already. And it's probably more a case that we just need to tweak that and document it and evidence it.

Michael Venner (24:36)

Yeah, formalise it a little bit. I suppose pull it all together. Yes. Do you think it can help people scale up then if they're a brand new startup? I mean, we do quite a few startups funny enough. And we're getting at the early stages. It's great to see, you know, this young fledgling company, a bit chaotic, which we love. And then they put all this control in and then, you know, a couple of years time, they've transformed their business and they're, you know, they're doing great things. So you think that can help?

Robert Clements (24:38)

Hmm.

Yeah, I definitely do. Yeah. I really think putting structure into a business on the compliance side of things really helps. It helps all stages of the growth because it helps you through regulations. If you apply it correctly, know, can adhere to regulations. You can become a more attractive acquisition proposition. If that's what you're after, if you want an exit strategy, then that helps.

if you're looking to acquire other businesses, it's much easier to bring other businesses into an established framework, and grow that way. So, I often think it's the missing piece of the puzzle that a lot of founders are probably looking for. It's, know, you've got your passion and you're doing your good stuff in terms of your niche and what you're trying to achieve, but all the other stuff that some would say are boring. Obviously you and I wouldn't, we love it.

Michael Venner (25:58)

Yeah.

Robert Clements (25:59)

But then stuff that maybe a founder finds boring, it's probably the stuff that you and I are taking care of all day, every day. And we you know, relieve that stress from them. So yeah, I think it's a real good thing for start-ups.

Michael Venner (26:10)

Yeah, and

I've found sort of some founders or anything like that, where they want to try and step back a little bit from the business and start to get their own personal time back. That they need that structure in place within the office environment within the operations to allow them that space to be able to walk back and know that it's in good control really.

Robert Clements (26:32)

Yeah, exactly. Well, mentioned control there. That's exactly what across my mind is that it allows them to step back, but know that everything's under control and get the right level of information about their business fed up to them, escalated up. And the standards are really good at that, I think now, because we've got the leadership part that came in, well, I say recently, terms of our lifespan, ISO, it's recent, but it's been a few years now. Yeah, I think you might be right there.

Michael Venner (26:42)

Hmm.

Hmm.

It's nearly 10 years ago now.

Robert Clements (26:57)

So yeah, the leadership piece I think is really good because it links the top guys to the bottom of the organisation but it also allows appropriate levels of responsibility throughout. So it's not all on one person, it's a team effort.

Michael Venner (27:11)

Yeah, definitely. Hopefully, which should be anyway. Can you think of a time where ISO sort of helped a company, I don't say avoid disaster, you know, they were going off in a wrong direction and they could have really got themselves in trouble and it's kind of pulled them back and helped them out at all.

Robert Clements (27:32)

Yeah, I think there's probably a few examples of that because as part of our process of implementing these standards, we would do some internal audits. Normally we do them as consultants because we're, although we're on the client side, we're impartial from the actual day-to-day work. So we can do those audits, which is very similar to the audits that you would do as a certification body. We'll be looking for evidence to back stuff up. But I think

That's the piece that has real value and can uncover some stuff and stop you heading to disaster. Because you can view things with a fresh pair of eyes. So for example, we found, and obviously no names mentioned, but we were working with a travel company and they had an inquiry form on their website for their

their travelers to put some details in and talk about their travel and their plans and what they wanted the company to do. And we were looking at it from the information security perspective. So we're trying to work out where does that data go? How long is it stored for? You know, the retention of that. Anyway, eventually, and there was nothing sinister about it, but it was just one of those things that was overlooked. We found that all of those responses through that web form

were not only emailed to the company, but they were also stored by the web designers on their side of things. know, again, nothing sinister about it. There's no issue, but there wasn't a need for it. You know, it was then in two places, which means you've got to protect it twice as much over. it was just a question that we asked and no one had ever thought about. And we've managed to uncover that item and, you know, potentially.

If that web company had suffered a data breach or something like that and those details, some of that travel information can be quite personal. Potentially you could have had passport numbers or even just know the dates of your trip could be pretty sensitive. It could have escalated quite quickly.

Michael Venner (29:25)

Yeah,

that's what I think is important for second party audits, internal audits and things like that, that you're impartial and you can actually ask questions and probe certain things that someone internal they might not have ever thought about, which obviously they didn't ever consider. It's only when someone external comes in and goes, what about this? And that doesn't look right. It makes them question and then it seems obvious, doesn't it, after that?

Robert Clements (29:49)

Yeah,

well that's right. And I think there is a knock on effect because once you've found one thing, then obviously the client starts to think, what else might, where else might this be a problem? So yeah, I think it adds some good value.

Michael Venner (30:00)

Yeah, definitely. Yeah, I suppose the internal audits is a big part of it, of what consultants can do. Yeah, definitely. It brings a value. So do you think this, what can people do once they're certified? Because obviously we do our job, we walk away. There's your certificate, there's your logos. What do think people can then do with that to grow the business or promote themselves? Is there anything you'd advise people to do once they've got the shiny new certificate?

Robert Clements (30:15)

Yeah.

Yeah,

no, absolutely. Well, the first thing I would do is shout about it, right? Because it is a big achievement. However, you know, whatever way you look at it, it's a big achievement to get this stuff over the line. And I'm actually always surprised at how, how few people do make a big fuss about it once they got the certificate. A lot of the times we'll get through the successful audit and the certificate will go to whoever has asked for it.

But they, you know, they never discuss it again. So yeah, I would definitely promote it. definitely, not just the badge, which obviously you would put on your website and on your paperwork, obviously in line with the license and terms and conditions of the certification body. But definitely promote the badge, but also promote what you've done. So you've managed risk to a certain level. You've, you've set up some objectives.

Michael Venner (31:04)

Mm-hmm.

Robert Clements (31:15)

which you've either achieved or you're on your way to achieving certain objectives. And I would definitely put that out there either on an area of the website where you're discussing what you've committed to or through social media or through podcasts like this. mean, we've got a podcast at Assent that we run, which you're very kindly guesting on. Obviously we're on your podcast. I'm sure both of us would be happy to invite clients on to discuss there.

Michael Venner (31:35)

Mm-hmm.

Yeah,

I've had a few.

Robert Clements (31:45)

their journey, which

I think is a really good thing and yeah I think you should make the most of it, not just the certificate but what you've actually achieved by going through that process.

Michael Venner (31:55)

Yeah, because I do find with some to go back, obviously we go back every year clients. So then three years in their like, I've never got anything else of it, never got any work and always sort of say, well, what have you done to promote it? Nothing. It's not like a magic wand, is it? I say it can open a door, but it won't let you walk through it. So you've to push that out there. Definitely.

Robert Clements (32:15)

Yeah, that's right. there's two aspects to it, isn't there? It can open that door in terms of through the tendering process because it's a very easy way to create a shortlist because you just knock off the people that aren't certified and then you've got your instant shortlist. But I think that's mostly the reason people approach this stuff is because they've hit that barrier. But then the other thing is once you are certified, you should definitely promote it because competitors that...

Michael Venner (32:35)

Hmm.

Robert Clements (32:42)

people might be going to, they might not be certified or they might be certified and they just haven't mentioned it. So make sure that you tell clients or potential clients that you've got this stuff.

Michael Venner (32:52)

Hmm, yeah, definitely. So have you ever had any of those audits that have just gone horribly wrong that you've been on or a client's been on that you weren't involved? Have you got any of those stories?

Robert Clements (33:05)

Yeah, we certainly had a mixed bag over the years. I've experienced many types of audit scenarios, that's for sure. I guess before we go into the stories though, we should say you can always recover from a bad audit. There's obviously findings that come up in audit as non-conformities, major, minor opportunities to improve. Even a major non-conformity you can.

correct and you can recover from. So it's not the end of the world. But obviously just for all of our sakes, we want it to be as smooth as possible and get there as quickly as possible. So we haven't had anything too terrible. We've certainly had situations where auditors have gone to the wrong address because the company has moved and hasn't been updated or for whatever reason that's happened. And that's not a great start because you do...

Michael Venner (33:31)

Die.

Robert Clements (33:55)

As the client and as the consultant, do want to the auditor in the best mood possible. That's why you make them coffee and you bring the biscuits in. Usually you order lunch, a nice lunch in for lunchtime. Not that they ever demand that, but it just smooths over the day. yeah, we certainly had one that went to the wrong address. And we obviously were there for the client's fault for not making it clear. We had to do some making up on that day, although we did get through the audit though

But it was just bit of a time delay, which was a shame.

Michael Venner (34:23)

Yeah, it's one of those things. I've

had it. Yeah, I've had it. You know, an hour later I'm driving somewhere else, know, knocking on doors. There's no one here. I've had one. I turned up. I knew it was all planned. They'd accepted. Sent the audit plan, turned up and going there. It was like quite a big company. No one in the car park apart from one car. So this doesn't look good. Knocked on the door and the owner turns up.

And he says, oh, we've closed the company. Everyone's gone. that's just obviously firstly, sorry, because that's no one wants to hear that. And it was just, well, I guess I'll go home then. Yeah, was. Yeah, we do get some. But, you know, yeah, like you say, just communicate with us, tell us stuff. It's it's fine. People move. know, but yeah, don't panic. We're used to it. We're to stuff like that. OK.

Robert Clements (34:54)

Yeah.

Yeah, no, definitely.

Michael Venner (35:19)

So what's the first step someone should take when they sort of see it, getting a consultant in? it have a chat? Is that the top of process first of all?

Robert Clements (35:30)

Yeah, always. mean, we, we always try and book a call, know, we always offer a call, a Teams meeting and, or even sometimes we will go on site and meet someone in person because, well, a few reasons. It's a very human business. We've said that already, but you do need to be confident that you can work with each other. So the consultant is a good fit for your organisation and that you.

know us as consultants want to make sure that we can work with you guys as well. So I think it's always good to have a call or a meeting firstly for those personable reasons. But also that by having a chat, you start to define the scope of the audit. Also the scope of the system. And that's really important at every stage of the process. And, you know, as you say, that might change over time, but as long as we keep a handle on the scope.

which means, you know, what processes are covered, you know, what products and services do you provide? Whereabouts do you do them? So which locations? How many staff are involved in that kind of structure? So, so yeah, meeting to discuss that is a good step. And that can change later on, but to start off with a strong scope is, is obviously important. And I think it means that we can, as consultants, we can understand what

the client is trying to achieve. Obviously certification is the main thing, but there's lots around that. Isn't there any particular deadlines? What customer has asked them for it and what have they actually asked for? Because sometimes it isn't quite as straightforward as just such as such, ISO certificate. Sometimes you have to get behind, well, why have they asked that? What are you doing for them? Is there any more we can build into the management system? Is there any particular legislation like GDPR or?

the EU AI Act or some waste regulations that maybe that's the real reason they want you to do this. And let's make sure that when we build the system, we're answering that question.

Michael Venner (37:29)

Yeah, answering the question. Yeah. Okay.

Is there anything people can do to better leverage or utilise their ISO consultant? Do think?

Robert Clements (37:38)

yeah, I mean, always, always come back to consultants and ask them questions, I think is really, really important from our point of view. of course we manage a calendar. So we book in time with clients on particular days or half days or whatever the situation is. But, that doesn't mean that you need to reserve your questions till then. So what we try and do here at Assent we've got a very good back office here. actually where I am now in Southend.

not too far from you guys. They're always available to answer any questions. And actually you'd be surprised at how much they can sort out here in the office and probably best they do rather than trust me to mess it up. Any sort of arranging dates, communicating with certification bodies or discussing a change in certification, the guys in our office here have probably seen it all so they can often help. If they can't then...

Michael Venner (38:05)

Mm-hmm.

Robert Clements (38:29)

And here at Assent we have a help desk system that we operate. So you can always raise a ticket in the help desk, which is just a case of emailing into the help desk. And then either your consultant or someone else from the team will be able to pick up that query and answer it. And we do that as kind of a fair use policy. anything that we can quickly answer as soon as we can, we will. Obviously, if it gets to an extent where it's a lot of... ⁓

Michael Venner (38:55)

gonna take a lot of time.

Robert Clements (38:56)

Requests.

Yeah, exactly. And, and it comes back to that thing of can we deliver it within, you know, is it so we can deliver in a quick email? Or do we need to book a day of paid day to sort of, then obviously we sort of escalate, but nothing just keeping in touch with the  consultant is the best thing I can say.

Michael Venner (39:15)

Yeah,

yeah, because I think it works the same way. We don't like walking on and finding surprises. It's probably the same for you. You go and do your internal audit and you turn up at the wrong address. Suddenly there's a new standard to, well, we've got to do this. Well, hang on a minute. You know, so, keep, keep  communicating with your consultant really. Yeah, keep in touch. Yeah, they're there. Okay, right. I've got to do a quick lightning round if that's all right. So these are quick short, put you on the spot. Okay.

Robert Clements (39:25)

Yeah. ⁓

Okay, there's show.

Michael Venner (39:43)

So most underrated ISO clause.

Robert Clements (39:47)

clause, It would have to be that 6.1, the opportunities part.

Michael Venner (39:48)

underrated. Any other standards? Go on.

Yeah, yeah, I that's a answer. Yeah. clause you would remove if you could. So if you're in power, what's one you would remove?

Robert Clements (40:00)

Oh, okay.

Uh, Oh, don't know about removing any. I think the, adapt, yeah, maybe adapt. Um, yeah, possibly, uh, the improvement one at the end. Again, I suppose it's cheating a bit. It's a little bit like the opportunities, but I always find that's, um, a difficult thing for people to audit because everything you've done in the whole system is about improvement. So once you get to, to that clause in clause 10, I always think it's,

Michael Venner (40:03)

Or maybe adapting then. ⁓

Okay.

Bit of a head scratcher.

Robert Clements (40:27)

Yeah it

is I think for the certification auditors as well because they've done the whole thing all over three or four days and they get to this piece well we've seen loads of improvements because that's what you've been doing so you know it's kind of a of a non-clause on

Michael Venner (40:38)

Hmm.

Yeah, yeah, okay. And any compliance myths or anything that drive you crazy that people think about the industry or compliance in general?

Robert Clements (40:52)

Yeah, I think probably just that it's all paperwork and it sits on top of what you're doing, which we know is not the case. You've got to build it into what you're doing every day.

Michael Venner (41:01)

Yeah,

I like it. Good. Okay, brilliant. Is there anything else you wanted to add?

Robert Clements (41:05)

No, don't think so. It's been a good chat about the industry.

Michael Venner (41:09)

Yeah, I appreciate your time. been good. Good catch up. How can people get in touch with you? Or Assent

Robert Clements (41:13)

Yeah, no, thank you. Well,

yeah, of course, you can find us online. So Assent Risk Management, Assent is A-S-S-E-N-T. So you can find us on our website, on socials, or contact yourself. I'm sure you'd be happy to link us up.

Michael Venner (41:28)

Yeah,

I mean we'll put all the details in the show notes and obviously on our website we have got all the consultants there as well so your details are on our website which are free for people to go and look at and that's got links to your website and things like that so you know yeah people definitely get in touch that way. Okay brilliant so appreciate your time thanks for that. Thanks Rob, take care.

Robert Clements (41:42)

Perfect.

You're welcome. Thank you.

Bye bye.