Professional services organizations, especially those providing app dev and IT consulting services, provide intangible expertise and therefore face a unique set of legal risks.
This blog describes 5 legal risks professional services organizations often face and how their C-level leaders, legal team and other departments should work together to help mitigate them.
1: Uncapped or disproportionate liabilities
It’s generally considered best practice to offer a mutual liability cap as a factor of project value (generally 1-2x). But if a prospective client pushes for a higher cap, or no cap at all, during contract negotiations, the organization needs to evaluate the probability of a high liability event as well as the proportion of liability to revenue.
Take a $15,000 project as an example. You don’t want to risk this small project resulting in $500,000 of damages. On the other hand, if the project involves entry into a client’s network, the traditional 1-2x value may not provide the client with sufficient protection. Therefore, it is useful to create an MSA that has an either/or option for liability. This means the liability is capped at either 2x the value of the project or $500,000, depending on the type of damages.
As a failsafe, the maximum recommended value for a liability cap is the amount of insurance coverage you have.
2: Unclear project deliverables
An unrefined SOW can also be a legal risk because a customer may expect the company to do things that aren’t specified or are unclear in the SOW.
Technologies such as Configure Price Quote (CPQ) systems can help populate standard deliverables for defined project types rather than relying on individuals, which runs the risk of human error.
It is important to set clear expectations as to what services will be performed and to be sure that the client knows what deliverables are attributable to the company. If the client is unhappy with the software, that’s often not a reflection of the installation, customization or upgrade provided by the consulting company, but rather a shortcoming of the system.
To mitigate these types of risks, ensure each SOW is clear on what is considered a “deliverable” and control the scope. To protect against scope creep, use the following tools:
- A separate SOW for scoping: This is preliminary project scoping that assesses a client’s current data and legacy systems to better pinpoint what’s needed for the main project.
- An assumption-based SOW: This is where the scope is written based on specific assumptions of the data and systems a client has and the role the client will play in the project. If the assumptions turn out to be incorrect, change orders can be utilized to adjust the scope.
3: Failed AR recovery
Failed accounts receivable (AR) recovery is difficult because account reps often spend so much time building a good client relationship that they are hesitant to bring up the sometimes-awkward conversation of overdue funds. The client expects to pay for services, so it’s not a topic to be avoided.
If the client has not paid, don’t prolong or avoid the situation. If the client has lost the ability to pay, that’s something you need to know quickly to protect against further loss. Additionally, if the client is purposely not paying due to dissatisfaction, the sooner that can be addressed the better. If work is requested outside the agreed-upon scope, it must be addressed via a change order or you run the risk of the client refusing to pay for it.
Having a solid financial system that tracks client billing and receivables can also help better manage these issues. For example, Oracle's ERP Cloud can help track outstanding invoices to mitigate the potential for failed AR recovery.
4: Security breaches
Security breaches can affect nearly every organization, but for professional services organizations, it’s imperative that consultants are trained on proper use of client data and network access (including downloads of data and having corporate control over permitted device usage). At Emtec, we follow best practices, which include annual training for all employees and individual and group training that’s project-specific, based on the client’s security requirements or industry-specific risks (such as healthcare and financial).
To avoid data breaches, ensure strict IT policies and procedures are in place—and that employees adhere to them. For example, at Emtec, we have mobile device management tools for our employees’ computers and mobile devices so that if they are lost or stolen our IT department can perform a remote wipe to clear any company or sensitive data.
Such precautions cost more in time and money, but are a lot better than managing a security breach, and the related financial and brand reputation impact.
5: Employee lawsuits
Professional services organizations aren’t immune to employee lawsuits, so it’s crucial their C-level and legal staff work directly with HR to avoid them. Employee lawsuits are not only expensive; they can also reflect poorly on the company.
In the case of terminations, HR should record all compliance issues and employee reviews to ensure there’s proper documentation. Many HCM systems, such as Oracle HCM Cloud, offer applications for performance appraisals to make it easier to manage such documentation.
It’s also essential to develop policies and create awareness to address ADA requests to prevent them from becoming claims. It’s important to understand what laws protect employers and employees.
Professional services organizations face unique legal risks because of the nature of the offerings they provide. By working with legal departments and executive staff to develop solid operating procedures, ensure proper training, and implement modern and efficient technologies, these risks can be successfully minimized.
If your organization is looking for an experienced and professional IT services organization, Emtec offers a breadth of advisory, implementation, analytics and infrastructure services. Contact us today to learn more.