Defining The Scope Of Work: Increase Your Value By Solving The Real Problems
Don't just treat the immediate problem. Learn how to look at the root cause of the problem and tackle that too.
A big shift in moving from an in-house role to a consultant is learning to think like a consultant when approaching problems.
Take a second to reflect on this story.
On 3 August, the Police Service of Northern Ireland (PSNI) received a FoI request from a member of the public which asked: "Could you provide the number of officers at each rank and number of staff at each grade?"
What they got back was not only a numerical table, but, by mistake, a huge Excel spreadsheet.
This was referred to by the police as "the source data" and should not have been released as part of the FoI.
A data breach is never good. In this case, it’s potentially horrifying. But if you were to put your consultancy hat on for a moment, what would your recommendation be?
The simple solution is to fire the person who released the data. It was a horrendous mistake and the individual should have known better. That’s what a typical manager would do. Find the person at fault and dismiss them. Problem solved.
…only the problem clearly isn’t solved.
If you have sensitive data sitting around in huge Excel spreadsheets which anyone can access and distribute without approval, the problem clearly runs a lot deeper than one single individual.
Make The Problem Impossible To Happen Again
In a well-functioning system, it shouldn’t be possible to make this kind of mistake.
By that I mean it shouldn’t be physically possible for a staff member to access and distribute this data. There should be preventative safeguards in place.
Thus our recommendations might zero in on how to make this mistake impossible in the future.
Access to data should be restricted by default on a ‘need to use’ basis. It should be encrypted. If someone needs to gain access to it, they submit a request which is approved by an internal data controller, and so on.
Our recommendations might then be to put in place basic systems and safeguards to limit access to sensitive data, protect data through appropriate encryption and access measures, and develop systems for the official release of data.
This is a lot better, but it still doesn’t go as far as it could.
Understand Why The Problem Hasn’t Been Solved Already
We need to ask why these solutions aren’t in place already.
It’s not like organisations haven’t had enough warnings about data breaches.
There is clearly a cultural issue at work. There’s a lack of respect for sensitive data. The story also notes the dataset included former police officers - data that should have been destroyed. So there’s a lack of understanding about what’s required. And there’s a lack of knowledge about what protecting data means.
There’s no point in implementing the safeguards above if the organisation doesn’t understand them, believe in them, and know how to maintain them.
So we might expand our recommendations beyond simply terminating a single employee and building better systems to also fixing the real problem - building a culture of respect and professionalism towards sensitive data.
Scoping Out The Project
At this stage, we can scope out what a project might look like. We might have two objectives:
Build a data-aware culture and improve data security knowledge across all staff members.
Develop a system to secure and protect data.
The deliverables in this project might be:
Benchmark current efforts against best practices.
Develop a roadmap towards full ISO27001 compliance.
Create the system to maintain this compliance on an annual basis.
All-hands staff training workshops on data privacy.
Updated internal handbook for data policies.
In-house workshop with those responsible for executing data policies.
Don’t treat these as prescriptive. This post isn’t about data security; it’s about thinking like a consultant in approaching problems, scoping out work, and delivering the best value to clients.
You never just treat the symptoms. Your goal is to tackle the real causes of the problem. Once you understand that most problems are systemic problems, it becomes easier to look at the system and identify the areas where you can have the biggest impact.
Most problems ultimately come down to organisations either:
a) Not knowing the right thing to do.
b) Not being able to do the right thing (knowledge, budget, skills shortages).
c) Not being willing to do the right thing (conflicting priorities etc.).
Figure out which it is and you have an idea of where to focus your efforts.
Deliver The Best Possible Value
If you want to increase your fees, you have to deliver more value.
One of the most effective ways you can do that is to move beyond just treating the symptoms and instead work on building the kind of culture and solution your clients really need.
Focus on the systems first. Almost all issues are systemic issues which require specific interventions for improvements.
Then focus on the knowledge and culture of the client. Improvements in either will ensure you’re delivering solutions for the long term.