Technology Risk in Professional Services
The concentration risks hiding in modern firm operations, and a practical approach to resilience that boards can stand behind.
Professional services firms have become technology businesses, whether or not they describe themselves that way. The work of lawyers, accountants, advisers and consultants now depends on a layered estate of systems, platforms and third-party services. When that estate works, it is invisible. When it fails, the consequences reach clients, revenue and reputation within hours.
The difficulty is that technology risk in these firms is rarely concentrated in one obvious place. It accumulates quietly, in the gaps between systems, in dependencies on a small number of people, and in arrangements with suppliers that were sensible when they were made but were never revisited. Boards are often surprised, after an incident, by how much of the firm’s operation rested on something they had never examined.
Concentration risk is the real exposure
The most serious technology risks in professional firms are usually concentration risks: single points of failure that, if they fail, take a disproportionate amount of the firm with them. These are not always large or expensive systems. Often they are modest arrangements that have quietly become critical.
- A single supplier on whom several critical processes depend, with no tested alternative.
- A key individual who is the only person who genuinely understands a core system.
- A platform that holds client data without a clear, tested route to recovery.
- An integration between systems that no one fully owns or monitors.
Each of these is manageable once it is visible. The danger lies in the fact that they are usually invisible until tested. A resilience exercise that surfaces them is almost always cheaper than the incident that would otherwise reveal them.
Resilience is a business capability, not an IT project
It is tempting to treat resilience as a matter for the IT function to resolve. That framing understates the issue. Resilience is the firm’s ability to continue serving clients and protecting their information when something goes wrong. That is a business capability, and the board owns it.
The practical test is simple: if a critical system were unavailable for a day, or a week, would the firm know what to do? Who decides? What do clients hear, and when? How is confidential information protected in the meantime? Firms that can answer these questions calmly have invested in resilience. Firms that cannot are relying on improvisation at the worst possible moment.
A proportionate approach boards can stand behind
Resilience does not require unlimited investment. It requires proportionate investment directed at the right risks. The most effective approach is to identify the handful of capabilities the firm genuinely cannot operate without, understand the dependencies beneath them, and ensure that each has a tested route to recovery and a clear owner.
This is work the board can sponsor and oversee without becoming technical. The board’s role is to insist on clarity: that the firm knows what its critical dependencies are, that someone is accountable for each, and that the firm’s confidence in its resilience rests on tested evidence rather than assumption.
The cost of clarity is low; the cost of surprise is high
The firms that handle technology risk well are not those that spend the most. They are those that have taken the time to understand where they are genuinely exposed and have addressed those exposures deliberately. The exercise of mapping concentration risk is modest. The cost of discovering it through an incident — in client confidence, regulatory attention and partner time — is not.
For boards, the most useful question is not whether the firm’s technology is sophisticated, but whether it is resilient: whether the firm could absorb the loss of a critical capability and continue to serve its clients and protect their trust. That is a question worth answering before circumstances ask it.