I received the following questions requesting advice on how to navigate difficult relationships.

  1. When you run into billing/payment issues with clients, what are your go-to solutions to avoid or mitigate negative outcomes?
  2. If your client doesn’t take cybersecurity seriously and/or introduces unnecessary vulnerabilities, what are best practices for helping them make change?
  3. How do you deescalate the situation when your client and your business encounter a dispute about either service levels or support hours?

Billing or payment issues

From 29 years’ experience in the IT consulting industry, I have found two primary methods of avoiding problems.

  1. Have a clear MSA with a supplementary FAQ that spells out the billing terms and how financial transactions will be conducted. Manage expectations effectively. We convey to clients that we do not wish to spend time on collections or on unnecessary accounting transactions, because that time would take away from our capacity to deliver services to the clients who pay on time.
  2. Work on retainer or get payment up front. Amazon is not going to ship product to the client unless they pay for it. The client should not expect you to provide discounted pricing while also subsidizing their cash flow in a way that an ecommerce vendor never would. There is a tremendous amount of control and clarity when a client pays up front. If they are invoiced and they pay the invoice for the product, that means they wanted it. The client controls the level of services provided when the MSP works only on retainer or prepayment: if they do not pay, you do not do the work, so the client is in control. This type of relationship also avoids locking clients into a long‑term agreement. They can cancel at any time.

Additional tips

  • Work on retainer or bill one month in advance.
  • Bill annually for things that should be annual subscriptions or services. Reducing the frequency of billing and accounting transactions reduces costs for all parties.
  • If a client has a question about a bill, respond to it immediately.
  • Use a secure payment gateway that is both low cost and high trust. We do not use ACH because we have no wish to know the client’s bank account information, nor are we interested in direct debiting a client’s checking account. Instead, we have found that Bill.com is extremely economical, highly secure, and leaves the client in full control of payments. Credit card transaction fees are also avoided in this way. Bill.com is widely used by businesses in every industry and highly regarded by CPAs and CFOs.
  • Do not mix product and services on the same invoice. This helps your client keep the two separate in their own chart of accounts. It is important that they track M365 licensing separately from your MSP services, and that they track annual or recurring expenses separately from project expenses. If this is not proactively managed, they can easily end up with an unsegmented chart of accounts and the perception that the MSP is very expensive, because the only cost analysis mechanism they have is “sales by vendor”. Do not assume that expense segmentation in accounting is being done well, even in large organizations.
  • Annual pre‑paid items are not refundable if the client terminates the relationship. Many of those items are services the MSP has pre‑paid on behalf of the client. Those subscriptions will continue until the end of the subscription period allowing the client time to transition those subscriptions to another vendor if desired.

Cybersecurity posture lacking

Information security risk management is ultimately a business risk decision. That requires client executives to make informed risk decisions. In 98% of cases, business owners and executives do not make time for the meetings needed to become informed decision makers about information security risk. An inadequate cybersecurity posture is simply information security risk that is not being properly managed.

As a CISO, I find that the most effective strategy is to educate the client over time. Respect that they must make risk decisions and convey to them that all you seek is for them to make informed risk decisions. Simultaneously, it is necessary to share with clients the liability management requirements of the MSP. For example, that may mean that you are required by your cybersecurity or E&O insurance to offer certain services to all clients because doing otherwise is not legally defensible.

Document the ways in which these necessary services, their value, the risk mitigation they provide, and their costs have been communicated to the client via emails, proposals, and meetings. If the client declines a service, send them a polite meeting follow-up email thanking them for taking the time to become an informed risk decision maker. Include information on how you will be there for them if they change their mind. But be sure to include written notification that, by declining that service, they do not have a legally defensible information security risk management posture and may be invalidating their legal and insurance protections. Politely also make it clear that the MSP’s cybersecurity insurance policy does not offer coverage to the client. Clients need their own cyber policy and their own attestation documentation. Many business owners believe that the MSP is responsible for the BCDR plan.

While your CISO can help you with a business impact analysis, they cannot write the entire BCDR plan for the organization (see https://www.ready.gov/business-continuity-plan). BCDR plans involve a great deal more than just recovery of electronic data and systems. It is not likely that the MSP has visibility or control over all of the client’s systems anyhow. So how could the MSP write the BCDR plan for the business by themselves?

Include in every SOW a section about legal compliance. Every SOW should include a section on client responsibilities related to the service. Sometimes this is handled in a master client responsibilities document.

Disputes about service levels or support hours

Ideally, a well‑established and clearly communicated support policy is known to all parties in advance. Resolving disputes about service levels or support hours is no different from resolving disputes about any other aspect of the relationship.

  1. Proactively communicate the policies and procedures in advance in order to manage expectations.
  2. Identify whether clients believe they need service levels or support hours beyond what is in the existing support policy. Determine whether the MSP is willing to modify the support policy to include additional service levels or support hours, and how that affects fees.
  3. Each time someone is emotional about the topic, listen and have empathy while remaining calm, but direct them back to the support policy. It can be detrimental to accommodate a request in violation of the support policy simply to resolve a person’s emotional distress: by doing so, they learn that this kind of behavior elicits a response that benefits them but is not mutually beneficial to the MSP. Abusive client staff can be the reason an MSP loses valuable employees. It is important that MSP management support MSP staff.