IT consulting: Compliance both complex and costly

But you have to do it anyway...

Small IT consultancies have always faced tough due diligence challenges when pitching for client business. With the increased focus on compliance, things are about to get worse. Danny Bradbury reports.

When Ian Cohen began working in a senior consulting position within a major financial services company, he was not surprised to find that people had been calling his friends and asking questions about him.

Cohen, a former Morgan Stanley executive who headed up one of its equity exchanges, is now CEO of the Buttonwood Tree Group, a small financial services IT consultancy. In spite of his strong reputation, he knows that in some industries consultants have to be vetted to ensure they're fit for business. Banks want to ensure the third parties they contract are unlikely to render them legally vulnerable.

In the post-Enron era, worries over legal liability have grown in tandem with concerns over corporate governance. More than ever, companies needing to comply with industry regulations have to ensure the consultants they hire are also compliant.

Customers cannot simply abdicate responsibility, points out Peter Stevens, partner in the technology and media department at Manches Solicitors, a London law firm. "If you engage a consultancy, then you are effectively sub-contracting, and that doesn't remove your responsibility," he points out. "If the consultant messes things up, you are still liable from a compliance perspective."

However, there is nothing to stop clients attempting to recover their own losses by suing you, so consultancies must protect themselves against any potential litigation in the event that a contract goes sour, says Stevens.

While professional indemnity insurance can protect a company, directors and officers' (D&O) liability insurance can also protect company executives against personal liability suits, he says. This is a real danger if a client decides a person within the consultancy was personally negligent, because unlike company liability, personal liability can be limitless.

While you may sometimes be able to take shelter under your company's professional indemnity insurance if you're being personally sued, in some cases the Companies Act prohibits executives from claiming indemnity through their companies. Be warned: all this is moot if you or your company are being sued in criminal court, says Stevens, because indemnity insurance usually covers civil litigation only.

In some cases, indemnity insurance may be necessary before a client will consider you. "I have been working with customers who expected me to have £25m of indemnity coverage," recalls Buttonwood Tree Group's Cohen. "We came to a prudent compromise."

Insurance aside, companies must make the effort to prove their compliance and, according to Cohen, the more transparent you can make your operation the more likely you are to satisfy your potential clients' due diligence procedures. Unfortunately, this can present problems for smaller organisations.

For one thing, some consultancies work across different industry sectors when providing IT and management consultancy services. It would be folly to start working for a client in an industry sector without being aware of the regulatory requirements, points out Cohen. "Each sector has their own regulatory bodies and standards and that would be quite an overhead for a small firm," he says. It is one of the reasons why the Buttonwood Tree Group restricts itself to one sector. Another is that sector-specialists are more able to carve out a niche for themselves in the industry.

But even if a small consultancy restricts itself to one industry sector, there are other problems. Some regulations span all sectors, such as Sarbanes-Oxley, the US public accounting legislation that was introduced in 2002 after the Enron scandal and impacts any international firm with a stock exchange listing in the US.

If you are engaged by a US subsidiary in the UK, that company will be bound by those compliance rules (which include auditing and security clauses) - and therefore so will you. And when the client asks to check your company systems and processes, you may find them wanting. The smaller the business, the less organised its internal processes and IT infrastructure are likely to be.

John Redeyoff, director of consultancy at Manchester-based IT consulting company NCC Group, says: "If you're a 30-person consultancy then you can easily run that with a bunch of spreadsheets." But with many regulations now requiring a full audit, an IT infrastructure put together with chewing gum and sticky tape is unlikely to provide clients with much confidence.

Consultancies may find some sanctuary in more generic accreditations, ventures Redeyoff. His organisation opted for BS 7799 accreditation, a security certificate which covers everything from business continuity through data processing and network security management. "It's the only way we can do it or we would spend the rest of our lives carrying out compliance projects and doing inspections," he says, arguing that few clients have asked him about compliance with industry-specific regulations.

BS 7799 may also help to allay concerns over compliance with the principles of the Data Protection Act, which is another generic piece of legislation affecting all consultants and their clients. Simon Halberstam, partner and head of e-commerce law at specialist IT law firm Sprecher Grier & Halberstam LLP, says "be mindful of the DPA", explaining that the consultancy is often classified as the data processor under the DPA and the company engaging their services is the data controller. "The data controller is obliged to ensure that some sort of contract is in place obliging the data processor to comply with their obligations under the DPA."

Just as BS 7799 handles generic security concerns, Alan Russell, director of strategic development for outsourcing consultancy Atos Origin, says many organisations use ISO 9001 accreditation as a catch-all for workflow. "Basically you can put all the internal disciplines you like into that framework and then demonstrate to an independent auditor that you are complying with it," he points out.

Not everyone is convinced about the feasibility of such certifications, however, especially for smaller businesses. First, they can be costly. Redeyoff suggests a ballpark figure of £30,000 to £40,000 for BS 7799 accreditation in a 40-person consultancy, assuming your company has reasonably good security processes to start with. As for ISO 9001, it only shows that you are documenting your processes and doesn't dictate what they are. Cohen says: "ISO 9001 just makes you document what you do, it doesn't prove whether it's right."

Another approach is to subscribe to your own industry's code of conduct. The Management Consultancy Association has its own set of guidelines, explains director Sarah Taylor. Applicants need to provide five client references and three years' accounts. Other criteria are mostly self-certified but it is about to introduce an external auditing programme. Certification isn't cheap, though - it starts at £8,000 and tops out at £36,000 for larger firms.

Meanwhile Intellect, the trade body for the UK ICT industry, is also putting in place a policing mechanism for its own code of conduct, a set of abstract principles which it published last December. But the policing mechanism mostly involves guidelines for customers to question potential clients in broad terms about their compliance. Similarly, the Management Consultancy Association's policing mechanism raises questions. "We'll be rolling it out to do 10 per cent of our membership each year," says Taylor, which means that members will only have to be audited once a decade.

This makes Cohen's view of certifications all the more poignant. "I wonder whether these accreditations are simply a form of confidence building," he says. "I know so many large companies that have certification all over the walls, when the reality is much different."

With self-regulation in the industry seeming relatively toothless, consultancies who really wish to prove their own compliance must focus on making their own systems and processes as transparent as possible. But before they do this, they should ensure that they have nothing to hide. Generic British Standards Institute or ISO accreditations are a popular way to do this, but you'll need deep pockets – even after you rake in all those consultancy fees.