Professional services - concluding phase
Having introduced this blog series and covered information risks applicable to the preliminary and operational phases of a professional services engagement, it's time to cover the third and final phase, when the engagement and business relationship come to an end.
Eventually, all relationships draw to a close. Professional services clients and providers go their separate ways, hopefully parting on good terms unless there were unresolved disagreements, issues or incidents (hinting at some information risks).
It is worth considering what will/might happen at the end of a professional services engagement as early as the preliminary pre-contract phase. Some of the controls need to be predetermined and pre-agreed in order to avoid or mitigate potentially serious risks later on. Straightforward in principle ... and yet easily neglected in the heady rush of getting the engagement going. This is not unlike a couple drawing up their "pre-nup" before a wedding, or a sensible organisation making suitable business continuity arrangements in case of severe incidents or disasters ahead.
A potentially significant information risk in the concluding phase stems from the inappropriate retention by either party of [access to] confidential information obtained or generated in the course of the engagement - whether commercially sensitive or personal information. Imagine the implications of, say, a law firm being hit by a ransomware attack, office burglary or insider incident, giving miscreants access to its inadequately-secured client casework files and archives. Meta-information about the engagement, assignment/s and contracts may also be commercially-sensitive, for instance if the supplier deliberately under-priced the contract to secure the business and gain a foothold in the market, only to find it uneconomic to deliver the contracted services - a decidedly embarrassing situation if disclosed.
Information risks in this phase are amplified if the relationship ends in dispute, perhaps leading either party to complain bitterly about and criticise the other (whether truly justified or not). Reputations are at stake here, with the potential to cause brand damage that harms future business opportunities. Conversely, if things went well, there is value to be gained from positive references, case studies, endorsements etc. ... with further implications for the way the engagement is managed in the earlier phases. In other words, the way information risks are handled can lead to beneficial, neutral or detrimental business outcomes.
On an even more positive note, there are opportunities to draw out and learn the lessons from professional services relationships. What went well and is worth repeating if the opportunity arises? What went badly and should be avoided if possible? From either organisation's risk management perspective, what have we learnt about our threats, vulnerabilities, impacts and controls? What incidents could/should have been avoided or mitigated? As with post-incident reviews and audits, simply posing and answering such questions achieves little unless changes are then made to improve strategies, policies and procedures.
In the ethical dimension, as mentioned previously, the alignment and closeness that engenders trust between client and provider also makes them more vulnerable to exploitation, as guards are dropped. The professional services security guideline I am drafting will touch on aspects such as reminding those involved of reasonable and persistent ethical expectations going forward. At the very least, simply refusing to discuss the details of prior business arrangements is better than reopening old wounds.
That's it from me for this blog series. I have more to say about the risks, controls, assurance, compliance, governance etc. for business services, and plenty of pragmatic advice to impart, but you'll have to wait for the guideline ... which may yet emerge as an ISO27k standard, complete with simplified checklists for each phase. Who knows?