Professional services - operational phase

Following-on from the preliminary phase I covered yesterday, the longest phase of most professional services engagements is the part where the services are delivered. With the contractual formalities out of the way, the supplier starts the service, providing consultancy support or specialist advice. The client receives and utilises the service. Both 'sides' are important to both parties, since a professional service that isn't delivered and used doesn't generate value for the client, and is unlikely to lead to repeat business - such as additonal assignments:


Deliberately taking a simplistic view once again, I have represented 'assignments' (which may be projects, jobs, tasks or whatever) as discrete pieces of work, each with a beginning, middle and end: 
 
Things are never so neat and tidy in practice. Some assignments may never really get off the ground, and some gradually diminish or peter out rather than coming to an abrupt end. On-again-off-again assignments are challenging to plan and resource. Assignments may blend into each other or split apart. If the same supplier resources (mostly people) are involved in multiple assignments, possibly for multiple clients, the work rate on each one may be reduced - and likewise for a busy client, juggling multiple activities and competing priorities.
 
[The guideline could address the lifecycle of each assignment within an engagement, as well as the overall lifecycle. I doubt the benefit would offset the added complexity, though.] 

Information risk-relevant aspects that deserve proactive attention include changes, incidents, performance and quality of service, and compliance. I plan to describe basic processes associated with each of those, briefly, in the guideline. Incident management, for example, should protect the interests of client and provider both separately and together, so communication and collaboration may be key.

Maintaining management's focus on information risk during this phase may involve: 

  • Opportunistically pointing out information risk-related concerns, issues with controls, compliance obligations, improvement opportunities etc.;
  • Incorporating information risk and security metrics into reporting (begging the question 'What metrics?'); 
  • Making information risk a standing agenda item for relationship management meetings, progress meetings, project meetings or whatever; 
  • Emphasizing mutual interest in minimizing incidents, wherever possibly collaborating to reduce the probability and impact; 
  • Reviews and audits to confirm the effectiveness of key controls, identify concerns and provide assurance. 
It helps if such activities were discussed and agreed in the preliminary phase, perhaps being noted in the contract and incorporated into policies and procedures ... which means the guideline will be a worthwhile prompt. The same point applies to the concluding phase that I'll blog about tomorrow: knowing that there may be important information risk-related activities ahead through to the far end of a professional services engagement is something worth bearing in mind from the outset. Forewarned is four-armed, or something.