Welcome to the SecAware blog

I spy with my beady eye ...

14 May 2022

Managing professional services engagements

In relation to professional services, management responsibilities are shared between client and provider, except where their interests and concerns diverge. Identifying and exploiting common interests goes beyond the commercial/financial arrangements, involving different levels and types of management:

  • Strategic management: whereas some professional services may be seen as short-term point solutions to specific issues ("temping"), many have longer-term implications such as the prospect of repeat/future business if things work out so well that the engagement is clearly productive and beneficial to both parties. Establishing semi-permanent insourcing and outsourcing arrangements can involve substantial investments and risks with strategic implications, hence senior management should be involved in considering and deciding between various options, designing and instituting the appropriate governance and management arrangements, clarifying responsibilities and accountabilities etc. Organisations usually have several professional services suppliers and/or clients. Aside from managing individual relationships, the portfolio as a whole can be managed, perhaps exploiting synergistic business opportunities (e.g. existing suppliers offering additional professional services, or serving other parts of the client organisation or its business partners).
  • Tactical and operational management: planning, conducting, monitoring and overseeing assignments within a professional services engagement obviously involves collaboration between client and provider, but may also affect and be affected by the remainder of their business activities. A simple example is the provision and direction of the people assigned to assignments, perhaps determining their priorities relative to other work obligations. If either party's management or workforce becomes overloaded or is distracted by other business, the other may need to help out and perhaps take the lead in order to meet agreed objectives - classic teamwork.
  • Commercial management: negotiating and entering into binding contracts or agreements can be a risky process. Getting the best value out of the arrangements includes not just the mechanics of invoicing and settling the bills accurately and on time, but getting the most out of all the associated resources, including the information content. 
  • Relationship management: anyone over the age of ten will surely appreciate that relationships are tough! There are just so many dimensions to this, so much complexity and dynamics. In respect of professional services, there are both organisational and personal relationships to manage, while 'manage' is more about guiding, monitoring and reacting than directing and controlling. Despite the formalities of laws, contracts and policies, relationships seemingly play by their own rules. Part of the challenge in professional services is that clients and providers must collaborate to make the relationship work, blending approaches to reach workable solutions to avoid problems and deal with any issues that crop up in practice. At the same time, clients and providers have other interests, constraints, objectives etc.
  • Risk and opportunity management: whether it's avoiding bad stuff or chasing good outcomes, uncertainty is the crux of this, either way. There's only so much that can be determined and controlled or constrained, inevitably leaving some aspects to chance. A given professional services engagement may turn out to be a roaring success or an abject failure, and there's only so much the parties can do to swing the balance towards the former. Within compliance-driven cultures, the emphasis is typically on enforcement through sanctions such as financial penalties ... whereas reinforcement through bonuses and profits may be at least as effective, and in my experience can be even more valuable and motivational in practice. Finding arrangements that benefit both parties and minimise issues or incidents can take professional services engagements up a gear.
  • Information risk, information security, IT/cybersecurity and privacy management: information can be the most valuable yet vulnerable asset in a typical professional services engagement - not just the information directly involved in providing the services themselves but also other/peripheral information that is shared or disclosed incidentally between the parties. For example, a cloud service provider may learn commercially-sensitive details about a client's strategic business interests (or vice versa) during discussions about current and future services. The same friendly, close, trusting relations that typically develop between fellow employees within a business department can develop between workers from separate organisations, especially if the professional service necessarily entails a high degree of trust (e.g. legal services) ... with the potential for individual/personal interests to supplant business/organisational interests. Identifying, evaluating and addressing the risks is the nub of the professional services security guideline.
  • People management: motivating, monitoring and mentoring the people involved in a professional services engagement is similar but a little different to regular management, for two key reasons. First, of course, the people are employed by distinct organisations (or departments, business units etc.), with differing business objectives, policies, concerns etc. If, say, a client has a problem with a particular consultant's competence or suitability for an assignment, the consultant's employer should be informed about it and should probably be actively involved in resolving it. Secondly, professionals like me are by nature strong-willed self-assured egocentric individuals that can be tricky to 'manage' in the traditional sense. The confidence arising from our specialist knowledge and expertise can lead to, or come across as, arrogance and stubbornness. Self-awareness and social skills can be challenging for those of us who focus too heavily on driving towards objectives.
  • Performance, quality, competence and capability management: professional services clearly depend on the providers’ competence, capabilities and suitability to provide high quality services. More subtly, clients also play a key part in professional services, for example correctly interpreting advice received and acting accordingly. Simply specifying the services required can be difficult for clients that lack the expertise and knowledge, which is often why they need those very services!
  • Change management: whereas changes are inevitable, coping with them is not. Some professional services are only effective if they achieve worthwhile changes in the client organisation, or at least prevent unwanted changes. If engagements are not effective, that changes the client-provider relationship. Conversely, effective engagements may lead to unanticipated changes, perhaps opening up further opportunities, again changing the relationship. Changes of provider and client personnel can be problematic due to the individual knowledge, competencies, motivations etc., but may also be beneficial if things weren't going so well or could be better. This is yet another area where management may be reactive, neutral or proactive, ideally adjusting to circumstances. Identifying, evaluating and responding to changes, or the potential for change, is conceptually similar to - and indeed part of - information risk management.
  • Incident management: various incidents may be caused or not prevented by a professional services provider or client, or may arise from third parties or natural events, or may involve a combination of factors. Once again, identifying, evaluating and responding to incidents is an integral part of information risk management, and 'management' is tricky. Regardless of the blame and impact costs, such incidents can harm the relationships, particularly if mis-managed. Partners in healthy, productive relationships are more likely to work things out than if there are pre-existing relationship issues, hence there is a resilience aspect to this, and more to address than the mere mechanics of incident notification and resolution.
  • Compliance and non-compliance management: two distinct approaches, with two distinct sets of compliance imperatives. Professional services providers and clients must both comply with applicable laws and regulations, plus the obligations they have accepted in the contract or agreement. There are also implicit drivers, such as being trustworthy, ethical, competent and professional. Achieving and maintaining compliance involves informing and motivating the people involved, a proactive and positive style of management. Managing non-compliance, in contrast, involves putting in place the mechanisms to detect and deal with non-compliance - a negative, reactive approach. Legal action following non-compliance is generally considered a costly last resort, implying additional emphasis on proactive compliance management. Compliance management is a preventive control, worth bearing in mind for relationship management meetings, reporting etc.
  • Ethics and ethical management: behaving ethically, and being seen to do so, supports trustworthiness and engenders trust. Managers have a leadership role to play here, particularly by demonstrating ethical actions and decisions. It's all very well having corporate policies and values on ethics: actions speak louder than words. Examples: communicating early, openly and honestly; admitting fault if appropriate, and proactively 'putting things right'; under-promising and over-delivering; forgoing personal gain to maximise business value for the engagement as a whole; expecting/demanding high ethical standards of others, and perhaps rewarding them accordingly; going 'above and beyond' expectations to protect and enhance the value generation.
  • Value management: value is important for both professional services providers and their clients, obviously, but there's more to it. The perceived current and prospective value of a professional services engagement affects the organisations' and the individuals' willingness to invest in it e.g. by engaging and actively participating in the co-creation aspects, over the long term. There is a positive feedback loop here: the more valuable an engagement is or appears to be, the more value can potentially be generated through it - and vice versa in dysfunctional relationships.
"Value is created through co-creation. Both the service provider and the customer must benefit from the service if there is to be a sustainable relationship. Because of these different valuation perspectives, value is by definition multi-dimensional. Another characteristic is that value arises in the interaction and that value can only be determined afterwards. Value can manifest itself in different ways, from the use value for the customer (value in use), to social values (eg image of customer and/or provider), environmental values (eg sustainability, the ecological footprint) and relationship values (the meaning of customer and provider for each other). Many values translate into financial benefits, both for the customer and for the provider." [USM]
In respect of information risks and security, value management is important on both the upside and the downside. On the upside, a highly valuable engagement enables those involved to invest in risk management activities, such as effective controls. On the downside, the potential for loss of value arising from incidents also encourages the same investment - a rare no-lose situation! In short, provider and client are both seeking to generate real value from professional services, making it a common goal, a unifying factor, a rallying cry.

The above activities are layered on top of the formal management of professional services engagements and assignments, such as entering into contractual commitments, plus invoicing and settlement. They require soft skills and collaborative approaches, making professional services engagements more human-focused than, say, the sale and purchase of goods. There are cultural aspects too - but that's enough for now.
