Outsourcing

Should you make clients sign off on their bad decisions?

Chip Camden answers a reader's question about whether their consultancy should have a document for clients to sign that acknowledges the risks when they decline a best practices proposal.

A reader sent me an email with the following question:

Do you recall or have any advice on having a document for clients to sign that acknowledges the risks when they decline a best practices proposal?

The owner of my consulting firm wants me to implement a policy that requires an officer of the client's company sign a document acknowledging that they understand the risks associated with not implementing a proposal that provides "best practices" solutions.

As an example, a client was provided a proposal to implement an off-site backup solution, but declined it. Two years later, they have a major failure and their local backups were no good. They conveniently do not remember declining such a proposal.

When you present any legal document to a client and ask them to sign it, the client's first reaction will always be to ask "What is this person trying to take away from me?" In this case, they'd probably think of at least one of the following:

  • Recourse. This document probably limits what legal action they could take against you if something goes badly wrong. Your client is wondering whether you could stretch this agreement to cover things that were actually your fault.
  • Control. An agreement like this seems to say that the client must follow every recommendation you make. A consultant advises, but does not dictate policy.
  • Status. This differs subtly from the previous point. The agreement presumes that when it comes to so-called best practices, you know better than your client does. That may well be the case, but signing it is a broad admission of inferiority.
  • Options. I hate the term "best practices" because it implies that there is One Best Way To Do Things. The client may have other ideas based on business needs. The requirements of this document indicate that the consultant thinks inflexibly as a rule, whereas what the client may want is someone with whom they can have a dialogue of discovering the best path.
  • Trust. When you ask a client to sign something like this at the beginning of an engagement, it says that you really don't trust them, and you'd rather not rely on that trust in your relationship. This, by itself, indicates a poor fit.

Given the above, it's hard to make this into a positive for your client, so you want to avoid it if you can. This prompts the questions: What do you hope to gain from this document? Is there some other way to obtain the desired result?

From the scenario described above, it appears that the client is attempting to punish the consulting firm in some manner for the failure of the backup system. The client may actually think that the consultants did not properly advise them, or they may simply be trying to exploit the situation to gain the upper hand. Either way, the consultants find themselves wishing that they had better documented the advice that they provided. I think they're killing rats with RPGs, though, by trying to establish a policy whereby the client states in writing in advance that the consultants can cut them loose if the client doesn't do everything they say to do. I'd prefer more moderate measures:

  • Document everything. Simply being able to go back and point out that you advised them to take a certain course of action and that they ignored your advice should solve the problem described above without getting the lawyers involved. Make all your recommendations in writing, and keep a copy.
  • Make the dangers clear. Not everything you say prevents the world from blowing up, so you must honestly evaluate the threat level of non-compliance for your clients. If you're constantly sounding false lupine alarms or predicting the immediate demise of the atmosphere, then you can expect that your clients will ignore most of your warnings.
  • Reserve extreme measures for extreme cases. If you feel that in a specific instance your client's decision to ignore your advice poses a significant threat, you must redouble your objections and document that reiteration. Now may be the time to bring out a legal document. "I feel so strongly about the folly of failing to follow this advice that I want you to sign this acknowledgment. It indicates that I've stated the dangers as I perceive them, and that your decision to follow your own course is your own responsibility, made with your full awareness of these warnings."
  • Rely on your standard contract. If you really feel like you need this kind of protection from the stupidity of all of your clients, then don't slap them in the face with a separate agreement to that effect. Your standard contract should already include a clause that releases you from liability for any damages arising from the use of your work product.

My answer to the question in the title is therefore, "Yes, but not before they make them." Treat your clients like intelligent human beings until they demonstrate themselves to be otherwise. We technical folks tend to try to apply a final solution to every problem -- but people are far more complicated than machines, so every strict policy is likely to trigger all sorts of unintended consequences. Apply them as sparingly as possible.

About

Chip Camden has been programming since 1978, and he's still not done. An independent consultant since 1991, Chip specializes in software development tools, languages, and migration to new technology. Besides writing for TechRepublic's IT Consultant b...

30 comments
Gabby22
Gabby22

Good points, Chip, particularly in my usual environment (it *will* differ in others). I tend to work long term (often years) for a handful of customers in local SMEs (small-medium enterprises), using an hourly rate and casual tasking. This is similar to the (usually misunderstood) Japanese 'face' relationship, and involves a high level of mutual trust. Nothing gets signed and I'm usually working 50+ hours a month on nudges and winks. It's a bit of a tightrope at first, but once you get it working nothing beats it for an interesting and mostly relaxed working relationship. If I'm asked to do something that I think is not good for the customer I either write a disclaimer - as you suggest - or flat out refuse to do it. Sometimes they proceed with someone else, but more often they reconsider a decision made in haste. In either case, it doesn't hurt the relationship. If I asked them to sign an agreement, they'd just laugh and say "Get on with it". If it comes to saying "I told you so", I say it plainly. The usual response is a shrug, a grin and a curt "Happens!", and we get on with the job. All work should be like this, but finding the right clients is not easy.

JGH59
JGH59

What is the "best practice" anyway? This is yet another buzz term consultants use to justify their existence. Is it "best practice" because you say it is? Talk about subjectivity when objectivity is required. The "best practice" is what works with the client's situation and budget. Windows 7 on quadcore machines may be someone's idea of the "best practice", but hardly required for every situation and a nightmare for others.

Tony Hopkinson
Tony Hopkinson

not to mention mutable over time. If they were asking you to do something illegal and you were going to swallow your ethics, then maybe. Clients / customers not taking our advice for various reasons is hardly a new thing, sorting out "I told you so" in advance isn't going to do that much for you though. Part of what they pay us for is for someone else to blame after all.

mikifinaz1
mikifinaz1

I have worked with a lawyer for several years to develope a set of paperwork that does the old CYA, but doesn't look confrontational. One of them is a sign-off for this type of issue. It works like a charm for me. Easily shuffled into a large nest of documents it is designed not to elicit a reaction.

Anita Y. Mathis
Anita Y. Mathis

I'll ask about the circumstances that determine if a signature on this document is legally binding at an upcoming SCORE meeting. I discussed this tool with a partner a few weeks back when formulating our stance on the integration of online services into the environment. Our best practice is recommending the client have their own equipment and software onsite and use the cloud as an extension of it. In that context, having a 3 year plan to reach the desired state would get them to that best practice state. However, if something happended in the interim they would have acknowledged being aware of the associated risk. I'm asking them to formally waive responsibility for their failure to implement the best practice IF that would have eliminated a future failure.

Stovies
Stovies

What a bloody cheek. Consultants have all manner of statements that free them from any responsibility for their poor advice; they even insure themselves against any liability. The instructions or the advice could not have sounded too exciting; or they were cased in computer jargon, which is a problem with smart arse IT Consultants. I was a consultant to Offshore Companies on engineering change and regulations; and they did not refuse any advice; because it made sense and could explain their obligation under the Continental Shelf Regulations. I hope the client dismisses you the moment you hand them the document for signing. I would.

jmarkovic32
jmarkovic32

In the scenario above, I would have tweaked the client's proposal to include the best practices for that solution. Maybe they have some privacy concerns with cloud backups. I would then ammend the proposal doing it their way the RIGHT WAY--local backups with all the fixin's. I'm talking about D2D2T with an armored car picking up tapes to take to a remote site weekly. Usually that's more expensive than the way you wanted to do it and enough for them to capitulate.

rwbyshe
rwbyshe

It's known as CYA (Cover Your Ass)!!! Whether it's a business deal with a friend, relative, or customer you have to consider possible recourse on their part if something goes wrong that they could have prevented with a better business decision if they had done "A" instead of "B". If you've ever seen the Judge Judy show it should be obvious to you that the "CYA Policy" must be implemented in all of your business transactions. So in my mind there is no question that when a customer makes a poor decision then it is ALWAYS best to document it and have them sign off on it.

101a
101a

Before computing I worked in construction. I've often been struck by how similar in nature these two industries are, the 'one off' high value development, the project oriented and highly collaborative nature etc. However they have an entirely different approach to legal and consultative matters. In construction the contractor/builder works for the customers architect, who has total authority on who does what and how. It is all within the framework of various standard forms of contract. Finances are the domain of Quantity Surveyors, who along with the Architect (and his engineers) consult with the customer to get his project completed. The Architect holds an extensive dialogue with the contractor during the project. The Architect generally gets all the credit, and his Professional Indemnity insurance gets any comebacks. The contractor is only liable for poor working practices, failing to meet a prescribed specification, duty of care etc. In the small value world of building nobody realistically expects a builder to provide an extraordinary level of care, nor would they dismiss their advice too lightly. Realism pervades. I wouldn't be surprised if computing goes more the way of construction, e.g. more distinct on profession and responsibility.

otto
otto

We recently had a situation where one of our clients didn't want to implement antivirus in their enterprise due to the cost of the group license which would have come out to about 25K dollars. Of course they got hit and one of their bank accounts was empties of 140K dollars. They immediatley tried to lay the responsibility on us. Fortunatley we had documented seventeen emails regarding that decision where we had laid out the possible reprecussions. They appologized and spent the 25K. Document, document, document.

Marc Thibault
Marc Thibault

"honestly evaluate the threat level of non-compliance" Aye, there's the rub. With qualitative risk assessment being the appalling "best practice", what's the appropriate response to a "medium-high risk"? My biggest problem isn't my client making bad decisions, but my client being convinced by other consultants to make bad decisions. The guys with CISSP on their business cards are the worst offenders. Documentation and interaction are the minimum requirements for any client situation that involves these kinds of decisions. Everything I do on an assignment includes a plan, and that plan includes all the decisions--mine and the client's. That plan is distributed to all of the stakeholders every time it changes and the "discussion points" are highlighted, becoming fodder for the next meeting's agenda. A lucid paper trail and deep client involvement avoid these kinds of problem. So does asking, "Is everything going the way you'd like?" every few days.

santeewelding
santeewelding

I am asked -- implored -- to do this, that, or another thing which I see in my experience may get somebody killed. My response is nowhere near as accommodating as yours.

Slayer_
Slayer_

If someone wants a change that is out of the ordinary, we require someone of standing (like CEO or manager) to approve it, and if its flat out incorrect, we require written proof from management, in case of a law suit. I don't know the whole process though. My involvement usually ends at the phone call.

reisen55
reisen55

There are documents I have to sign for HIPAA compliancy so the other side of this argument is definately for the client to sign off. To my way of thinking, too, it does not have to be a long document, the shorter the better. In effect, I have warned client of dangers A,B,C and D and client accepts the risk factors as outlined and absolves consultant of any and all blame or responsibility. This is particularly true of malware issues.

SKFee
SKFee

I had this sort of thing happen to me early in my career. Now I document as suggested giving the client a written report of my recommendations. I have the client sign only acknowledgment of receiving the report and keep a copy. I present it as signing for the work I have done. This shows the client what they received from my service and accomplishes documenting my recommendations. I still believe that the customer is always right. I avoid throwing the alternative in there face unless absolutely necessary. Keep the client feeling good about there choices even when they are wrong as long as they understand the risk. Think of it as the band that kept playing when the Titanic sank. My example involves a time when Corel bought Word Perfect and released version 7. The client insisted that they use WP not Word and refused to change. They paid me out the nose to upgrade the existing documents so they could keep the macros and templates they created instead of just recreating the documents as I recommended. I showed it would be cost effective to retype the docs and change to the friendlier app. They spent time learning to use a completely foreign app that could have been used learning Word I did not document the conversation. I spent a lot of time I did not invoice trying to help this client. The client was prominent in the my small community and I wrote it off as word of mouth advertising. I started spending more of my time on people who would listen that I could help and as a result I fortunately lost this client. Now when I am in that office I can only chuckle inside when I see them using MS Word. The ironic thing now is the newest releases of MS Word looks a lot like Corel WP 7 did at that time. The WP7 GUI overwhelmed the user then. The learning curve was steep then. WP7 would not look so foreign today but it was ahead of its time. (about 1999 OR 2000)This client had only recently migrated to Win95 and the trend to a self sustaining computer industry of upgrades was not sitting well with a client that had not spent any money on computers for 15 years. The bad decisions they made out of hardheadedness, arrogance and a lack of confidence in me did not create a liable situation and the recommended disclaimer would have only served to say, "I told you so!"

seanferd
seanferd

Not an IT consultant, but sometimes I have received orders which have prompted the, "Can I have those orders in writing, sir," response. Mostly, I document. I document, in a detailed fashion, everything I do. So, not only does my client or employer know exactly what I have done, I can point to this in the future when I hear the dreaded, "I thought we took care of that." Yes - we took care of that your way, specifically, xxx, and I advised you that it was not a good or permanent solution (or possibly not viable whatsoever). See, right here, on this date. Highly useful.

Sterling chip Camden
Sterling chip Camden

... I've never resorted to this. Have you? If you did, how did it change your relationship with your client?

Sterling chip Camden
Sterling chip Camden

... by Microsoft and various certification programs. But to me they only serve to ossify the industry.

robo_dev
robo_dev

the disagreement is typically not whether a decision is 'good or bad', but rather over how severe a risk is, and whether it should be fixed immediately, later, or not at all. If the client is not willing to spend the time/money to address an issue, or disagrees with the risk severity, then that should be documented clearly, in a diplomatic way.

gechurch
gechurch

That's a nice example of Chip's point. There was no need to force the client to sign a contract here - you documented everything, you used a written form of communication, and as this was a very poor decision from your client you reiterated the point many times. And everything worked out fine - from your point of view. No contracts or lawyers needed.

paul.watson
paul.watson

The proposal should contain a section on risks and mitigation. This section should have enough content that there is not a need for a separate document. Of course, everything that happens must be documented before, during, and after the project. Yes, even going with the client to lunch and the business topics of discussion. There are, naturally, situations such as work for a nuclear power plant that will probably require 2-3 lawyers per page of documentation.

cadman53114
cadman53114

In the past I have provided the customer with a "Project Plan" which laid out specific milestones and review points which the client then had to sign off on before proceeding. Each and every meeting held there were minutes taken and the client was required to sign-off that they received their copy of the minutes. If there was a deviation in the "Project Plan" which was not advised, then this became a milestone that the customer would have to sign off on before work could proceed. They had to acknowledge that the deviation to the Project Plan was their insertion of the deviation to the Project Plan and they acknowledge that its implementation was against our advice. This did not make it a "best practice" only a part of the advised Project Plan. This gives the customer a vehicle to document the project progress as well as giving us a vehicle to document project status, revisions, and implementation. As most of this work is in the nuclear arena, you can believe that deviation from a project plan requires more than just some guy deciding he does not want to do something because of cost. The deviation request gets reviewed by everyone who could possibly be affected by the change. So a manager can't just decide "oh, who needs anti-virus protection."

robo_dev
robo_dev

of course I tend to do more compliance-type work, so that's expected. If somebody decides that running naked thru barbed-wire is an acceptable risk, that's totally acceptable if they sign off on it, and I don't need to clean up their mess.

bmnfan
bmnfan

Asking the client to sign something seems to be an in-your-face kind of response. It essentially puts the consultant in an "I'm right, You're wrong" situation. As an alternative, a followup email might be a little less confrontational. The email could summarize the discussion and recommendations including the ones accepted and rejected by the client. Of course, the consultant should save (and backup) the email so it could be found as a reference in the future. If needed to back up the prior recommendation, the date of the email could be mentioned as a starting point. Even with a hard-case client, it probably will do no good to make him appear stupid.

blarman
blarman

Having worked as a contractor, there are some times when you allow the customer to make a mistake and offer to help them clean up the mess afterward. It does two things: illustrate that you are more interested in a long-term partnership, and highlight your expertise. Just don't go off with "I-Told-You-So's". If they want to hold you accountable for a mistake they made, however, I wouldn't be too worried about a long-term relationship. In this case, make sure you have documentation showing what you recommended. Usually just re-forwarding an email with the same recommendation and a date stamp on it is enough to remind them that you did what you could, but respectfully acceded to their demands.

AnsuGisalas
AnsuGisalas

to have people learn to practice by rote. And cheaper to use people who've only learned to practice thus. It never replaces the need for the real thing.

nkozi
nkozi

This is what we do as well. Include a thorough risk analysis in a relevant document (proposal, SoW, etc) clearly outlining the risk of not following best practice, that the client opted for an alternative, consequences of non-complying, mitigation, etc. If this is done at the start of a project, it is non-confrontational but can save your beehind at a later stage.

AnsuGisalas
AnsuGisalas

that there are differences between what may come down to policy (consultancy), and what may come down to getting one's hands dirty (besmirched with the incompetence of what the client wants) - makes also for different views of what's "extreme".

Editor's Picks