Monday, October 22, 2007

Employee Termination Policy in the SMB segment

Browsing Chris’s blog (which has tons of useful and informed commentary) I came across a post on employee termination policies. This is an often overlooked piece of working in the SMB segment. Why the miss? Good question…

First – perhaps most obvious … Small IT service providers (which really should already have lots of familiarity with security and trust) usually don’t have the right experience here, and as a result most of them are terrible at it. Why? Maybe they’re too small to know what a larger organization needs … or maybe they have the wrong employees (or owners)… but I’d be willing to wager that most who are bad at this are bad because they’re so concerned about preserving the existing revenue streams… with not rocking the boat, that they turn a blind eye to helping clients manage other forms of risk. Let me give you a couple of examples on risk… Licensing a mess? See no evil. Employees with grossly inappropriate (or negligent) access? Hear no evil. Or the worst offender… provider is too busy. They’re too busy to add value… too scared of risking the revenue stream, or too fill-in-the-blank that they really fail across the board… and unfortunately, it’s the customer who pays.

Need examples of the risks here?
Employee X is terminated, no one tells the IT service provider – and… use your imagination.

Employee X misrepresents their previous employer … or steals sensitive information, or wreaks havoc by deleting files (or randomly modifying data). An endless stream of nightmarish events.

And the worst thing about this? Most clients will have no idea that their IT service provider is responsible for this miss. Sure, the client might not have notified you… but did you ever bring it to their attention that the risk existed?

I can hear the complaints now… it’s too hard to sell a client on this. Really? You really can’t sell clients on having a policy and procedure in place for managing turnover? What kind of effort does it take to put something in place, and get HR and ownership to buy in? Hours? Days? Is that too much for your clients to swallow? If so – start upgrading your client base. Because I haven’t found a business owner – or decision-making HR person – who didn’t think this was a reasonable risk to address – it’s your job to figure out how to address it within the context of your client’s expectations. And remember, this isn’t selling on fear… in fact, if you have to sell this at all, and it’s not a frank conversation between you – the trusted advisor – and your client, then you’re missing more than just this.

If this doesn’t make sense to you, put yourself in the shoes of an IT manager, HR person, or owner of your client organization (and then ask yourself why you haven’t been doing this all along). I guarantee you that if you were in those shoes at a mid-size organization, you’d be taking ownership of this yourself and getting it addressed ASAP. So do it, and it might open up more doors at the client. At the very least, you’re cleaning up messes, and addressing real-world risk.
