Are you the compliance officer?

Karl Palachuk

I don’t mean to insult your clients, but let’s be honest: People naturally put off things that they don’t want to do. Maybe they don’t want to do it because it’s difficult, or it’s time-consuming, or it’s never as important as the other things on their list. Whatever the case, there are things that go undone even if they’re important.

Probably the most common example for us in the I.T. business is the maintenance of backups. Whether it’s tapes, USB drives, disc cartridges, or whatever else, our clients just don’t make the time to maintain their backups. The biggest problem with backups, historically, is that they get ignored and people assume they are still working.

As an industry, our response has been to take control of the backups. We verify that they’re running – and verify that they’re working. We take care of offsite backups. We design and maintain cloud-based solutions. We become the “Backup Manager” for our clients.

More and more, it’s becoming necessary for us to take control of more pieces of the client’s operation. One set of growth industries is compliance. You know: PCI, HIPAA, security, privacy, and industry-specific requirements. (PCI is the Payment Card Industry standard for handling credit card information. HIPAA is the Health Insurance Portability and Accountability Act, which governs medical records.)

Complexity is Your Friend

One of the little-recognized truths of the modern business world is that our interactions have a direct effect on the complexity of each other’s lives. Think about it this way: Do you make your client’s life more complex or less complex?

Every interaction has two sides to the equation. It always has a side that increases complexity and a side that decreases complexity. If, in the balance, you decrease complexity, you become an asset to the other party.

In a world of outsourcing, we find companies and individuals who can make our lives easier (less complex). When I outsource a web site design, I’m making my life a tiny bit more complicated by adding an invoice to my stack. At the same time, I’m making my life a lot less complicated by turning over a job that takes me a lot of time to someone who can do it very quickly.

By the same token, I make my client’s business a tiny bit more complex by adding to their list of vendors. But I make it a lot less complex by handling tasks they cannot do (or cannot do easily). When we monitor and patch their network, we make their life easier.

And here’s the juicy good part: When we take on more of their complex chores, we can significantly decrease complexity for them with essentially zero increase in complexity on the other side of the equation.

Lesson One: If you can hand over additional tasks to an existing vendor, you have a very small increase in complexity on one side of the equation and a very large decrease in complexity on the other side of the equation.

What’s true for you is true for your clients as well – and YOU are the vendor. So, Lesson Two is: every important task that you take on has a net decrease in complexity for your client. You are already on their stack of monthly invoices. So paying you to provide additional services is a very small thing compared to the work you can do on their behalf.

All businesses are becoming more complex as they rely more and more on technology. In addition, regulation of technical issues is increasing almost as fast as technology is changing. The world of technology is becoming more complex at a faster pace each year. Clients are experiencing similar changes within their core business. They are busy, perhaps even overwhelmed, keeping up with their industry.

You probably know what it feels like to reach the point of overwhelm. You end up saying to yourself, “I wish someone would just take care of this.”

Jackpot! They’re talking about you. You’ve made their life easier by managing the increasingly complex computer systems, plus the network, and their software purchases, and their disaster planning. What else can you do?

Two Kinds of Up-Sell

There are two classic kinds of up-sell in the consulting business. One, which most of us are good at, is to sell deeper into our existing clients with services they already buy. For example, November and December are a great time to push desktop refreshes because clients might have some extra money to spend. The client knows you sell desktop computers. You’re just offering to sell them more.

The second kind of up-sell is the one many of us are not very good at: Informing our clients about all the goods and services they don’t know you sell. Historically, this has included a lot of the “consulting” services, as opposed to goods such as hardware and software. More recently, many consultants have failed to let their clients know that they sell cloud services.

With the emergence of a growth industry in compliance consulting, you have a wonderful opportunity to up-sell your existing clients and make their lives less complicated at the same time. If you can sell them a service that verifies their compliance, you dramatically increase your value to the client.

Let’s look at PCI compliance as an example. Virtually every client you have accepts credit cards. And chances are good that virtually every one of them is not PCI compliant. Think of how much business you could have by selling compliance into those clients.

If you have medical clients, or clients in any other industry that has specific compliance requirements, you can manage their compliance as well. And some clients simply have some industry-specific standards that they like to comply with for professional purposes. If you niche on one of these industries, it can be as lucrative as something required by law.

Training, Packaging, Reporting

The basic formula for providing compliance services is three steps:

  1. You need training
  2. You need to create a “package” you can sell
  3. You need to provide reports to clients

Training is often available through a variety of methods. You might teach yourself by reading books and finding resources online. You might take a formal class (in person or online). Or you might learn enough to sell and execute a tool that does a significant portion of the work for you.

Some compliance requirements are fairly clear-cut. For example, PCI compliance can be determined by an actual checklist. The response to each item is either yes or no. In rare instances an item will not be relevant to a specific client. But everything else either is or is not compliant. When all the answers are “yes,” then your client is PCI compliant.

HIPAA stands out as a major example where compliance is not so straightforward. There are lots of things you can do to claim HIPAA compliance. There are tiny little trainings and big, expensive trainings. You have to find the right one for your clientele.

Packaging is normally very straightforward. I’m going to encourage you to take a managed service approach:

  • Evaluate
  • Educate
  • Remediate
  • Maintain

In other words, your package should include everything you need to get compliant, followed by a program to stay compliant. And that means a monthly report – and a monthly recurring fee.

Can’t you see it now? A new menu item on your web site that says Compliance, with menu items for PCI, HIPAA, security, privacy, and more.

You’re already the outsourced CIO – Chief Information Officer. Now it’s time to make your clients’ lives a lot less complicated and become their outsourced Compliance Officer as well.
