ISO 27001: Understanding the Standard

What is ISO 27001?

ISO 27001 is an internationally recognized standard for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Elements of the Standard

The ISO 27001 standard consists of 11 clauses (0 to 10) and includes a catalogue of 93 proposed controls within its Annex A. Clauses 0-3 introduce the ISO 27001 standard by specifying the scope, normative references, and terms and definitions. Clauses 4-10 make up the core of the ISO 27001 standard. These mandatory clauses establish the management system necessary to implement and maintain effective information security.

Clause 4 – Context of the Organization

Requires that the organization evaluate and account for all internal and external issues that may be relevant to its business purpose and could affect the implementation of an ISMS.

Clause 5 – Leadership

Requires that the organization’s top management demonstrate leadership and commitment to the establishment, implementation, maintenance, and improvement of the ISMS.

Clause 6 – Planning

Requires that the organization take actions to address risks and clarify the information security objectives.

Clause 7 – Support

Requires the organization to determine and provide the necessary resources to ensure an adequate level of information security competence and awareness.

Clause 8 – Operation

Requires the organization to plan, implement, and control the processes to meet the information security requirements and to implement the actions determined by the risk treatment plan.

Clause 9 – Performance Evaluation

Requires the organization to monitor, measure, analyze, and evaluate the ISMS to ensure its effective performance. This clause requires an internal audit and management review of the ISMS.

Clause 10 – Improvement

Requires the organization to develop a process to continually improve the suitability, adequacy, and effectiveness of the ISMS.

Annex A

Annex A is a catalogue of 93 security controls, divided over four chapters: Organizational, People, Physical, and Technological. Organizations are not required to implement all Annex A controls. An organization may choose to implement custom controls or controls from a different control set (for example, NIST, PCI DSS, ISO 27701, etc.). Selection of Annex A controls, indicated in the Statement of Applicability (discussed in the Implementation section), depends on the organization’s risk assessment, risk treatment, and specific needs. Look to ISO 27002 for further detail on the Annex A controls, as well as implementation guidance.

What is an ISMS?

An ISMS is a collection of documented policies, processes, procedures, and supporting records for systematically managing an organization’s information security. The ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. An ISMS addresses information security from a holistic perspective. It provides an assessment of risks, a treatment plan to mitigate risks, a plan of action in case a security breach occurs, and assignment of responsibilities to competent individuals. An integrated ISMS enables organization personnel to readily understand information security risks and embrace controls as part of their daily workplace practices.

Objectives of an ISMS

  • Identify risks faced by the information assets
  • Provide safeguards to protect the confidentiality, integrity, and availability of assets
  • Document the information security processes
  • Assign responsibilities to relevant roles

Benefits of ISO 27001

The ISO 27001 Process

1. Appoint an ISO 27001 team

The organization should assemble a team responsible for the ISMS implementation to drive the project and keep it on course.

2. Plan the ISMS

The scope of the ISMS shall be defined and documented. The organization’s information security objectives should be established. A thorough and accurate inventory of all assets within the scope is to be created.

3. Plan and conduct a risk assessment

The organization shall outline its risk assessment methodology then execute the plan. The resulting risk assessment report is a central component of an organization’s ISMS.

4. Write the Statement of Applicability

The Statement of Applicability is the main link between risk assessment and risk treatment in an organization. The Statement of Applicability details the organization’s applicable controls. The document justifies the organization’s choice of including or excluding Annex A controls.

5. Implement a risk treatment plan

Create and implement a risk treatment plan to control the risks identified during the risk assessment. An action plan should be implemented to address risks requiring modification.

6. Build and operate the ISMS

Document and implement all policies, processes, and procedures. The organization shall monitor its ISMS for maintenance and continual improvement.

Internal Audit

Clause 9 of the ISO 27001 standard requires that the organization conduct internal audits of its ISMS to ensure that it is adequately implemented and related control activities are operating effectively. Internal audits must take place at least annually. Internal audit activities must be performed by objective auditors who are independent of the organization’s management.

Dansa D’Arata Soucia (“DDS”) has developed an internal audit program which includes the testing of the ISMS to meet Clauses 4-10, the applicable Annex A controls identified within the Statement of Applicability, and any custom controls.

Certification Audit

The initial certification audit is conducted in two stages. Stage 1 consists of a document review to verify the organization has the required documentation for an operational ISMS. There is a corrective action period between the two stages to allow for the organization to take any corrective actions arising from the Stage 1 audit. Stage 2 is an evidential audit to verify the organization’s ISMS was properly established and implemented and is functioning appropriately. An ISO 27001 certification is valid for 3 years.

Surveillance Audit

Now that you have your certification, you must work to maintain your ISMS. ISO requires a surveillance audit to take place annually during the two calendar years following certification. Each surveillance audit helps the organization get ready for its recertification audit, which takes place at the end of each 3-year cycle. The surveillance audit focuses on key ISMS processes such as management review, corrective action, internal audit, and the implementation of recommendations provided by the organization’s internal auditors.

Looking to take the next step?

For organizations seeking to implement an ISMS in hopes of becoming ISO 27001 certified, DDS can help!

Clause 9 of the ISO 27001 standard requires an organization to have an internal audit of its ISMS performed at least annually. The standard requires the organization to select auditors and conduct audits that ensure objectivity and impartiality of the audit process, meaning it should not be performed by someone internal to the organization who is involved in designing, implementing, and maintaining the ISMS. This is difficult for most small to medium-sized organizations that do not have a distinct internal audit department. DDS can cost-effectively perform the internal audit function to prepare your organization for your ISO 27001 certification audit and to meet the annual internal audit requirements described in Clause 9.

During the internal audit DDS focuses on evaluating your organization’s current ISMS against the ISO 27001 requirements. Our internal audit process aims to be as minimally invasive as possible, while still achieving a value-add list of recommendations that will satisfy the needs of your certifying auditors. We provide a detailed assessment of your compliance, including any gaps, possible nonconformities, as well as opportunities for improvement. DDS has consulted with various certifying auditors to ensure that our internal audit program and reporting methodology are aligned with expectations and give your organization the intended result.

Reach out to us today to discuss your path to ISO 27001 compliance!

Considerations when selecting your SOC 2 auditor

What is SOC 2?

System and Organization Controls (SOC) 2 is a framework developed by the American Institute of CPAs (AICPA) in 2011 under the AICPA’s Standards for Attestation Engagements (SSAE). It gives independent CPAs a framework in which to report on a company’s internal control design and the operating effectiveness of its controls over data security, system availability, confidentiality, processing integrity and/or privacy. Service organizations that handle, process, and store customer data are the prime candidates to engage in a SOC 2 examination. Boiling it down, a SOC 2 report will help you answer, and give independent third-party verification to, the following question: “How can we trust that you will protect our sensitive data and meet the service commitments that you are promising to us?” Not to mention, the completed SOC 2 examination should drastically cut down the number of pesky security questionnaires you are being asked to respond to!

Considerations when selecting your SOC 2 auditor

1. Experience

You will want to work with an experienced firm that has “seen it all.” Experienced firms and auditors will be able to guide you through the process, clearly outlining what you can expect before, during, and after the SOC 2 examination. DDS completes hundreds of SOC 2 examinations each year and is prepared to guide you through this process, from initial project scoping, to clearly articulating expectations. We want to feel like an extension of your team.

An experienced auditor understands that communication is key. DDS will never leave you wondering where your engagement stands, or how control testing is progressing. We want to build your confidence and remove surprises.

2. Traditional vs. GRC

Over the past few years there have been several Governance, Risk, and Compliance (GRC) tools built to help with SOC 2 readiness and control evidence automation. If using a GRC tool (e.g. Vanta, Drata, TrustCloud, StrikeGraph), you will want your auditor to have experience working with the GRC tool. There are major efficiencies to be gained, but the auditor must know the capabilities and/or limitations of the tool in order to pass along the best cost-benefit to you. DDS has worked through hundreds of engagements using many of the leading GRC tools on the market.

Alternatively, you may decide that a GRC tool is not for you. Maybe you have the in-house expertise to prepare for the SOC 2 and aren’t worried about the more manual evidence gathering. You will want an audit firm that is comfortable with requesting and evaluating manual evidence. While most DDS clients these days are utilizing GRC tools, we have plenty of experience with rolling up our sleeves and doing this the old-fashioned way!

3. Customer Base

Are you a start-up or early-stage company? You will want your audit firm to have experience working with smaller, nimble teams. Certain control recommendations do not lend themselves nicely to small teams (think segregation of duties). You will want your auditor to have experience guiding smaller clients around the nuances of meeting the SOC 2 control objectives. While DDS has performed SOC 2 work for clients that have over 1,000 employees, the majority of our clients are smaller teams going through SOC 2 for the first time. This is our bread and butter. We take pride in minimizing the stress and providing clarity to these organizations.

4. Communication

You will want to make sure your auditor is available for frequent questions and check-ins. Whether you prefer to email, Slack message, schedule Zoom calls, or communicate via Skype, your auditor should be prepared to communicate with you and your team how you most feel comfortable.

5. Peer Review

Your auditor should be able to show you their most recent peer review report that covered SOC 2. Firms issuing reports under SSAE standards are supposed to be enrolled in the AICPA’s Peer Review Program. During a peer review, an independent CPA reviews both a firm’s system of quality control and a sample of its engagements to make sure the engagements are performed and reported on in conformity with applicable professional standards. In the past couple of years, as the market demand for SOC 2 has increased, there have been a number of “pop-up” companies offering SOC 2 services. Evaluating their independence and experience is critical. One way to do this is by asking to see the firm’s most recently issued peer review report.

6. Independence

CPA firms opining under SSAE standards are required to be independent of their clients both in fact and in appearance. The users of your SOC 2 report may take exception if there is any indication that your auditor did not meet independence requirements. While DDS tries to be as helpful as possible, and offer as much insight as possible, we do have some limitations. For instance, we cannot write your policies for you or tell you exactly which controls to implement. GRC tools (which we are independent from) help us maintain our independence by being the unrelated entity that helps with policy creation and control recommendations.

7. Timeline/Deadline

When having discussions with potential auditors, you want to ensure that timeline expectations are clearly communicated and are attainable. Discussions surrounding the auditor’s process will be important as you need to ensure that timelines will be compatible. For example, any deadlines that you may have for your SOC 2 report should be communicated with your auditor.

The process of selecting your auditor

You will want to start by having a conversation with all of the audit firms you are interested in. This is your opportunity to ask questions based on the points outlined above to help you determine which firm will be a good fit.

Once you have narrowed down your selection of firms, you may want to vet their reputation. You can do this by asking the firms to provide you with a few references of past clients to reach out to and ask them about their experience.

Looking to take the next steps?

For organizations seeking to undergo a SOC 2 examination, DDS can help! Please reach out to us to discuss any questions you may have and learn about why hundreds of organizations have engaged with us for their SOC 2 attestations.

Reach out to us today utilizing the contact information below to discuss your path to SOC 2!

The “kiddie tax” hurts families more than ever

Years ago, Congress enacted the “kiddie tax” rules to prevent parents and grandparents in high tax brackets from shifting income (especially from investments) to children in lower tax brackets. And while the tax caused some families pain in the past, it has gotten worse today. That’s because the Tax Cuts and Jobs Act (TCJA) made changes to the kiddie tax by revising the tax rate structure.

History of the tax

The kiddie tax used to apply only to children under age 14 — which provided families with plenty of opportunity to enjoy significant tax savings from income shifting. In 2006, the tax was expanded to children under age 18. And since 2008, the kiddie tax has generally applied to children under age 19 and to full-time students under age 24 (unless the students provide more than half of their own support from earned income).

What about the kiddie tax rate? Before the TCJA, for children subject to the kiddie tax, any unearned income beyond a certain amount was taxed at their parents’ marginal rate (assuming it was higher), rather than their own rate, which was likely lower.

Rate is increased

The TCJA doesn’t further expand who’s subject to the kiddie tax. But it has effectively increased the kiddie tax rate in many cases.

For 2018–2025, a child’s unearned income beyond the threshold ($2,200 for 2019) will be taxed according to the tax brackets used for trusts and estates. For ordinary income (such as interest and short-term capital gains), trusts and estates are taxed at the highest marginal rate of 37% once 2019 taxable income exceeds $12,750. In contrast, for a married couple filing jointly, the highest rate doesn’t kick in until their 2019 taxable income tops $612,350.

Similarly, the 15% long-term capital gains rate begins to take effect at $78,750 for joint filers in 2019 but at only $2,650 for trusts and estates. And the 20% rate kicks in at $488,850 and $12,950, respectively.

That means that, in many cases, children’s unearned income will be taxed at higher rates than their parents’ income. As a result, income shifting to children subject to the kiddie tax won’t save tax, but it could actually increase a family’s overall tax liability.

Note: For purposes of the kiddie tax, the term “unearned income” refers to income other than wages, salaries and similar amounts. Examples of unearned income include capital gains, dividends and interest. Earned income from a job or self-employment isn’t subject to kiddie tax.

Gold Star families hurt

One unfortunate consequence of the TCJA kiddie tax change is that some children in Gold Star military families, whose parents were killed in the line of duty, are being assessed the kiddie tax on certain survivor benefits from the Defense Department. In some cases, this has more than tripled their tax bills because the law treats their benefits as unearned income. The U.S. Senate has passed a bill that would treat survivor benefits as earned income but a companion bill in the U.S. House of Representatives is currently stalled.

Plan ahead

To avoid inadvertently increasing your family’s taxes, be sure to consider the kiddie tax before transferring income-producing or highly appreciated assets to a child or grandchild who’s a minor or college student. If you’d like to shift income and you have adult children or grandchildren no longer subject to the kiddie tax but in a lower tax bracket, consider transferring assets to them. If your child or grandchild has significant unearned income, contact us to identify possible strategies that will help reduce the kiddie tax for 2019 and later years.

© 2019

Responding to the nightmare of a data breach

It’s every business owner’s nightmare. Should hackers gain access to your customers’ or employees’ sensitive data, the very reputation of your company could be compromised. And lawsuits might soon follow.

No business owner wants to think about such a crisis, yet it’s imperative that you do. Suffering a data breach without an emergency response plan leaves you vulnerable to not only the damage of the attack itself, but also the potential fallout from your own panicked decisions.

5 steps to take

A comprehensive plan generally follows five steps once a data breach occurs:

1. Call your attorney. He or she should be able to advise you on the potential legal ramifications of the incident and what you should do or not do (or say) in response. Involve your attorney in the creation of your response plan, so all this won’t come out of the blue.

2. Engage a digital forensics investigator. Contact us for help identifying a forensic investigator that you can turn to in the event of a data breach. The preliminary goal will be to answer two fundamental questions: How were the systems breached? What data did the hackers access? Once these questions have been answered, experts can evaluate the extent of the damage.

3. Fortify your IT systems. While investigative and response procedures are underway, you need to proactively prevent another breach and strengthen controls. Doing so will obviously involve changing passwords, but you may also need to add firewalls, create deeper layers of user authentication or restrict some employees from certain systems.

4. Communicate strategically. No matter the size of the company, the communications goal following a data breach is essentially the same: Provide accurate information about the incident in a reasonably timely manner that preserves the trust of customers, employees, investors, creditors and other stakeholders.

Note that “in a reasonably timely manner” doesn’t mean “immediately.” Often, it’s best to acknowledge an incident occurred but hold off on a detailed statement until you know precisely what happened and can reassure those affected that you’re taking specific measures to control the damage.

5. Activate or adjust credit and IT monitoring services. You may want to initiate an early warning system against future breaches by setting up a credit monitoring service and engaging an IT consultant to periodically check your systems for unauthorized or suspicious activity. Of course, you don’t have to wait for a breach to do these things, but you could increase their intensity or frequency following an incident.

Inevitable risk

Data breaches are an inevitable risk of running a business in today’s networked, technology-driven world. Should this nightmare become a reality, a well-conceived emergency response plan can preserve your company’s goodwill and minimize the negative impact on profitability. We can help you budget for such a plan and establish internal controls to prevent and detect fraud related to (and not related to) data breaches.

© 2019

Don’t let scope creep ruin your next IT project

Today’s business technology is both powerful and restive. No matter how “feature rich” a software solution or hardware asset may be, there’s always another upgrade around the corner. In other words, it’s just a matter of time before your company’s next IT project.

When that day arrives, watch out for “scope creep.” This term refers to the tendency of a project’s objective (or “scope”) to gradually expand while the job is underway. As a result, the schedule may drag and dollars may go to waste.

Common culprits

A variety of things can cause scope creep. In many cases, too few users give input during the planning stage. Or misunderstandings may occur between the project team and users, obscuring the purpose of the job.

Excessive implementation time undoes many projects as well. As weeks and months go by, business processes, policies and priorities tend to change. For a new system to meet the needs of the business, the project’s scope needs to be executable within a reasonable time frame.

Ineffective project management is another common culprit. Scope creep often arises when a project manager underestimates the complexity of the tasks at hand or fails to adequately motivate his or her team.

5 steps to success

To stop or at least minimize scope creep, follow these five steps:

1. Distinguish “must-haves” from “nice-to-haves.” Draw a red line between the functionalities your business absolutely must have and any added features that would be nice to have. Schedule the prioritized requirements in the form of phased deliverables during the project’s life cycle. Add “nice-to-haves” to the final phase or, better yet, defer them to future projects.

2. Put agreed-on deliverables in writing. Use a Statement of Work document to clearly outline the stated project requirements. Be sure to cover both those that are included and those that aren’t. Have everyone involved sign off on this document.

3. Divide and conquer. Segregate the project into small, manageable phases. As it proceeds, continue to review and sign off on each phase as it’s delivered, following an adequate testing period.

4. Introduce a formal change management process. If someone demands a change, ask him or her to rationalize the request in writing on a change order form. Then analyze the potential impact, estimate the added cost and time, and obtain consensus before proceeding. Adhering to this step typically eliminates many low-priority demands.

5. Anticipate some scope creep. It’s a rare project, if any, that proceeds exactly as planned. Allow for some scope creep in your budget and timeline.

Head-on approach

Improving your company’s technology should be cause for excitement and, eventually, celebration. Unfortunately, it too often brings anxiety and conflict. Tackling scope creep head on can help ensure that your IT projects go more smoothly. Our firm can help you assess the financial impact of any technology solution you’re considering and, if you decide to proceed, set a budget for the job.

© 2019

4 business functions you could outsource right now

One thing in plentiful supply in today’s business world is help. Orbiting every industry are providers, consultancies and independent contractors offering a wide array of support services. Simply put, it’s never been easier to outsource certain business functions so you can better focus on fulfilling your company’s mission and growing its bottom line. Here are four such functions to consider:

1. Information technology. This is the most obvious and time-tested choice. Bringing in an outside firm or consultant to handle your IT systems can provide the benefits we’ve mentioned — particularly in the sense of enabling you to stay on task and not get diverted by technology’s constant changes. A competent provider will stay on top of the latest, optimal hardware and software for your business, as well as help you better access, store and protect your data.

2. Payroll and other HR functions. These areas are subject to many complex regulations and laws that change frequently — as does the software needed to track and respond to the revisions. A worthy vendor will be able to not only adjust to these changes, but also give you and your staff online access to payroll and HR data that allows employees to get immediate answers to their questions.

3. Customer service. This may seem an unlikely candidate because you might believe that, for someone to represent your company, he or she must work for it. But this isn’t necessarily so — internal customer service departments often have a high turnover rate, which drives up the costs of maintaining them and drives down customer satisfaction. Outsourcing to a provider with a more stable, loyal staff can make everyone happier.

4. Accounting. You could bring in an outside expert to handle your accounting and financial reporting. A reputable provider can manage your books, collect payments, pay invoices and keep your accounting technology up to date. The right provider can also help generate financial statements that will meet the desired standards of management, investors and lenders.

Naturally, there are potential downsides to outsourcing these or other functions. You’ll incur a substantial and regular cost in engaging a provider. It will be critical to get an acceptable return on that investment. You’ll also have to place considerable trust in any vendor — there’s always a chance that trust could be misplaced. Last, even a good outsourcing arrangement will entail some time and energy on your part to maintain the relationship.

Is this the year your business dips its toe in the vast waters of outsourced services? Maybe. Our firm can help you answer this question, choose the right function to outsource (if the answer is yes) and identify a provider likely to offer the best value.

© 2019

A refresher on major tax law changes for small-business owners

The dawning of 2019 means the 2018 income tax filing season will soon be upon us. After year end, it’s generally too late to take action to reduce 2018 taxes. Business owners may, therefore, want to shift their focus to assessing whether they’ll likely owe taxes or get a refund when they file their returns this spring, so they can plan accordingly.

With the biggest tax law changes in decades — under the Tax Cuts and Jobs Act (TCJA) — generally going into effect beginning in 2018, most businesses and their owners will be significantly impacted. So, refreshing yourself on the major changes is a good idea.

Taxation of pass-through entities

These changes generally affect owners of S corporations, partnerships and limited liability companies (LLCs) treated as partnerships, as well as sole proprietors:

  • Reductions in individual income tax rates ranging from 0 to 4 percentage points (depending on the bracket), to 10%, 12%, 22%, 24%, 32%, 35% and 37%
  • A new 20% qualified business income deduction for eligible owners (the Section 199A deduction)
  • Changes to many other tax breaks for individuals that will impact owners’ overall tax liability

Taxation of corporations

These changes generally affect C corporations, personal service corporations (PSCs) and LLCs treated as C corporations:

  • Replacement of graduated corporate rates ranging from 15% to 35% with a flat corporate rate of 21%
  • Replacement of the flat PSC rate of 35% with a flat rate of 21%
  • Repeal of the 20% corporate alternative minimum tax (AMT)

Tax break positives

These changes generally apply to both pass-through entities and corporations:

  • Doubling of bonus depreciation to 100% and expansion of qualified assets to include used assets
  • Doubling of the Section 179 expensing limit to $1 million and an increase of the expensing phaseout threshold to $2.5 million
  • A new tax credit for employer-paid family and medical leave

Tax break negatives

These changes generally also apply to both pass-through entities and corporations:

  • A new disallowance of deductions for net interest expense in excess of 30% of the business’s adjusted taxable income (exceptions apply)
  • New limits on net operating loss (NOL) deductions
  • Elimination of the Section 199 deduction (not to be confused with the new Sec.199A deduction), which was for qualified domestic production activities and commonly referred to as the “manufacturers’ deduction”
  • A new rule limiting like-kind exchanges to real property that is not held primarily for sale (generally no more like-kind exchanges for personal property)
  • New limitations on deductions for certain employee fringe benefits, such as entertainment and, in certain circumstances, meals and transportation

Preparing for 2018 filing

Keep in mind that additional rules and limits apply to the rates and breaks covered here. Also, these are only some of the most significant and widely applicable TCJA changes; you and your business could be affected by other changes as well. Contact us to learn precisely how you might be affected and for help preparing for your 2018 tax return filing — and beginning to plan for 2019, too.

© 2018

Economic damages: Recovering what was lost

A business can suffer economic damages arising from a variety of illegal conduct. Common examples include breach of contract, patent infringement and commercial negligence. If your company finds itself headed to court looking to recover lost profits, diminished business value or both, it’s important to know how the damages might be determined.

What methods are commonly used?

The goal of any economic damages case is to make your company, the plaintiff, “whole” again. In other words, one critical question must be answered: Where would your business be today “but for” the defendant’s alleged wrongdoing? When financial experts calculate economic damages, they generally rely on the following methods:

Before-and-after. Here, the expert assumes that, if it hadn’t been for the breach or other tortious act, the company’s operating trends would have continued in pace with past performance. In other words, damages equal the difference between expected and actual performance. A similar approach quantifies damages as the difference between the company’s value before and after the alleged “tort” (damaging incident) occurred.

Yardstick. Under this technique, the expert benchmarks a damaged company’s performance to external sources, such as publicly traded comparables or industry guidelines. The presumption is that the company’s performance would have mimicked that of its competitors if not for the tortious act.

Sales projection. Projections or forecasts of the company's expected cash flow serve as the basis for damages under this method. Damages involving niche players and start-ups often call for the sales projection method, because such companies have limited operating history and few meaningful comparables.

An expert considers the specific circumstances of the case to determine the appropriate valuation method (or methods) for that situation.

What’s next?

After financial experts have estimated lost profits, they discount their estimates to present value. Some jurisdictions have prescribed discount rates, but, in many instances, experts subjectively determine the discount rate based on their professional opinions about risk. Small differences in the discount rate can generate large differences in final conclusions. As a result, the subjective discount rate is often a contentious issue.

The final step is to address mitigating factors. What could the damaged party have done to minimize its loss? Most jurisdictions hold plaintiffs at least partially responsible for mitigating their own damages. Like discount rates, this subjective adjustment often triggers widely divergent opinions among the parties involved.

Are you prepared?

You probably don’t relish the thought of heading to court to fight for economic damages. But these situations can occur — often quite unexpectedly — and it’s better to be prepared than surprised. Contact us for more information.

© 2019

Do your long-term customers know everything about you?

A technician at a mobility equipment supplier was servicing the motorized wheelchair of a long-time customer and noticed it was a brand-new model. “Where did you buy the chair?” he asked the customer. “At the health care supply store on the other side of town,” the customer replied. The technician paused and then asked, “Well, why didn’t you buy the chair from us?” The customer replied, “I didn’t know you sold wheelchairs.”

Look deeper

Most business owners would likely agree that selling to existing customers is much easier than finding new ones. Yet many companies continue to squander potential sales to long-term, satisfied customers simply because they don’t create awareness of all their products and services.

It seems puzzling that the long-time customer in our example wouldn’t know that his wheelchair service provider also sold wheelchairs. But when you look a little deeper, it’s easy to understand why.

The repair customer always visited the repair shop, which had a separate entrance. While the customer’s chair was being repaired, he sat in the waiting area, which provided a variety of magazines but no product brochures or other promotional materials. The customer had no idea that a new sales facility was on the other side of the building until the technician asked about the new wheelchair.

Be inquisitive

Are you losing business from long-term customers because of a similar disconnect? To find out, ask yourself two fundamental questions:

  1. Are your customers buying everything they need from you? To find the answer, you must thoroughly understand your customers’ needs. Identify your top tier of customers — say, the 20% who provide 80% of your revenue. What do they buy from you? What else might they need? Don’t just take orders from them; learn everything you can about their missions, strategic plans and operations.
  2. Are your customers aware of everything you offer? The quickest way to learn this is, simply, to ask. Instruct your salespeople to regularly inquire about whether customers would be interested in products or services they’ve never bought. Also, add flyers, brochures or catalogs to orders when you fulfill them. Consider building greater awareness by hosting free lunches or festive corporate events to educate your customers on the existence and value of your products and services.

Raise awareness

If you have long-term customers, you must be doing something right — and that’s to your company’s credit. But, remember, it’s not out of the question that you could lose any one of those customers if they’re unaware of your full spectrum of products and services. That’s an open opportunity for a competitor.

By taking steps to raise awareness of your products and services, you’ll put yourself in a better position to increase sales and profitability. Our firm can help you identify your strongest revenue sources and provide further ideas for enhancing them.

© 2018

Getting ahead of the curve on emerging technologies

Turn on your computer or mobile device, scroll through Facebook or Twitter, or skim a business-oriented website, and you’ll likely come across the term “emerging technologies.” It has become so ubiquitous that you might be tempted to ignore it and move on to something else. That would be a mistake.

In today’s competitive business landscape, your ability to stay up to date — or, better yet, get ahead of the curve — on the emerging technologies in your industry could make or break your company.

Watch the competition

There’s a good chance that some of your competitors already are trying to adapt emerging technologies such as these:

Machine learning. A form of artificial intelligence, machine learning refers to the ability of machines to learn and improve at a specific task with little or no programming or human intervention. For instance, you could use machine learning to search through large amounts of consumer data and make predictions about future purchase patterns. Think of Amazon’s suggested products or Netflix’s recommended viewing.

Natural language processing (NLP). This technology employs algorithms to analyze unstructured human language in emails, texts, documents, conversation or otherwise. It could be used to find specific information in a document based on the other words around that information.

Internet of Things (IoT). The IoT is the networking of objects (for example, vehicles, building systems and household appliances) embedded with electronics, software, sensors and Internet connectivity. It allows the collection, sending and receiving of data about users and their interactions with their environments.

Robotic process automation (RPA). You can use RPA to automate repetitive manual tasks that eat up a lot of staff time but don’t require decision making. Relying on business rules and structured inputs, RPA can perform such tasks with greater speed and accuracy than any human possibly could.

Not so difficult

If you fall behind on these or other emerging technologies that your competitors may already be incorporating, you run the risk of never catching up. But how can you stay informed and know when to begin seriously pursuing an emerging technology? It’s not as difficult as you might think:

  • Schedule time to study emerging technologies, just as you would schedule time for doing market research or attending an industry convention.
  • Join relevant online communities. Follow and try to connect with the thought leaders in your industry, whether authors and writers, successful CEOs, bloggers or otherwise.
  • Check industry-focused publications and websites regularly.

Taking the time for these steps will reduce the odds that you’ll be caught by surprise and unable to catch up or break ahead.

When you’re ready to undertake the process of integrating an emerging technology into your business operation, forecasting both the implementation and maintenance costs will be critical. We can help you create a reasonable budget and manage the financial impact.

© 2018