Welcome to the SecAware blog

I spy with my beady eye ...

22 Apr 2022

Professional services - preliminaries

Yesterday I proposed a guideline on the information risk, security and privacy aspects of professional services. I introduced a simplistic 3-phase model for the business relationship through which one or more professional services assignments are delivered and consumed. 

Today, I'm exploring the preliminary phase.

Before professional services are delivered, client and provider form a business relationship. They determine the professional services required and offered, and of course negotiate the commercial arrangements. They also have the opportunity to decide how the services are to be provided, and how both the assignment/s and the business relationship are to be managed.

Contracting is an important control in its own right with significant information and commercial risks associated. The contract may for instance:

  • Be inappropriate for either organisation, the relationship and/or the professional service/s; 
  • Be informal, undocumented, invalid and hence unenforceable;
  • Bypass or shortcut due process;
  • Be uneconomic for either party; 
  • Be unfair, biased and perhaps unethical;
  • Lead to problems if an assignment fails or the whole relationship turns sour, perhaps as a result of an incident.

Contracting is a chance for both organisations to think forward, discuss and agree the governance, management, compliance, security/privacy, control and assurance needed for the remainder of the professional services lifecycle (both remaining phases!). It may be infeasible, later on, to modify the terms or specify additional requirements and the associated arrangements for integrity, confidentiality, incident management etc., especially if relationship issues arise.

Also at this stage, client and provider conduct some form of due diligence checks on each other, exploring factors such as solvency, competence, qualifications, certifications and reputations. 

The manner in which both parties participate in this phase can be a valuable predictive indicator - a big clue as to how things are likely to pan out later e.g.:

  • Appreciation of each party's capabilities and concerns, plus their common interests in making a commercial success of the planned assignment/s and the business relationship as a whole;
  • The willingness to discuss, and flexibility in resolving any issues, perhaps even modifying the provider's 'standard contract terms and conditions' or re-wording service descriptions;
  • The professionalism and competence of those involved, plus their authority to make various decisions and commitments;
  • The nature of the communications - style, formality, speed, depth/volume, quality, relevance etc.;
  • More generally, the quality of the budding relationship: are things starting off on a positive note, or are there already potentially worrying signs that perhaps ought to be addressed now and monitored specifically in due course - assuming it goes ahead? Is there a cultural fit, here, or a misfit?

There's quite a lot going on in this phase, important stuff with potentially significant information risk, security and privacy implications. Consider, for instance, an organisation appointing an HR specialist to provide various HR support services (recruitment, background checks, employment contracts, disciplinary actions, HR advice on legal requirements etc.). The commercial aspects and details of the professional services typically dominate the discussions, while the information risks and controls may be downplayed or even neglected. The client may simply presume that the provider knows what they are doing in the HR space, and will do whatever is required e.g. to comply with employment laws and regs, while the provider may presume they are only required to deliver whatever is formally specified, with anything else (such as data privacy controls for GDPR compliance) requiring a contract variation (assuming they are capable and agree to do it, which is not guaranteed).

The very fact that the client needs specialist professional services clearly suggests a lack of expertise in this area, a power imbalance and a vulnerability that the provider may actively exploit ... which doesn't bode well for the relationship ahead.

Given all that, I believe I can offer pragmatic advice in the form of a straightforward outline of the main aspects, coupled with simple checklists for the client and provider to work through at each phase, both independently and in some cases together. Would such a guideline and checklist be of interest to your organisation? Do let me know. Maybe you can help me draft and refine one!
