Calling time on time-based billing – use service-based billing if you want to save £££


When pitching for consultancy work, many of our clients are [initially] surprised we at Fox Red Risk do not price any of our services based on a daily rate model. It seems the majority of consulting organisations, small and large, price their jobs based on some form of time-based billing. This billing approach may be the established norm but we think time-based billing short-changes everyone – but mainly it short-changes the client. That’s why Fox Red Risk does not bill our services based on time…here’s why…

Time-based billing may be simple but…

When engaging people-based resources (i.e. Contractors and Consultants) to carry out work, the route to market typically goes through an HR-centric purchasing process. It goes something like this: a consultant or contractor of level X will take Y days to get task Z delivered. As X and Y are numerical values, hiring managers multiply X by Y and boom – that is the cost of getting the job done. For larger projects, work is simplified further by segmenting resource costs into arbitrary 6 or 12-month blocks. Now everyone, technical or otherwise, understands the cost of Task Z – Simple! Simple, yes, but it completely omits any real analysis of the variable Z – the work to be completed. The formula doesn’t price for specification, delays, or quality – only an assumption that a more expensive resource may do a better job, or get the job done in a quicker time.

Ignoring the Z component not only diverts purchasers away from nailing down service quality, but it also hides the true cost of the resource.

The true cost of eXpertise

It’s important for purchasers to know that a consultant’s day rate does not directly correlate with the knowledge and expertise of that specific resource. Paying X for a resource from a medium-to-large-sized consultancy, for example, will not only cover the consultant’s salary/day rate but a proportion of the consultancy’s entire operational overhead and profit margin. This means the actual day rate of the consultant you get is far lower than the amount a customer will pay to the consultancy – customers are therefore paying more for a less qualified consultant. From experience, medium-sized consultancies are likely to be the most expensive. Medium-sized consultancies have high cost bases and less cash available to invest in their consultants’ education. On the top end, larger consultancies tend to invest significantly in their consultants’ education and development but that in turn adds to their cost base. Speaking to a consultant from a large firm in Sept 2021, they told me they had access to a personal £13k/pa training budget and are encouraged to use it. That’s great for the consultant and all that training makes the consultant more useful to their consultancy. However, the cost of all that training, whether useful to your specific needs or not, is something that you as the customer are ultimately paying for. Boutique consultancies on the other hand tend to be staffed by consultant-owners with few operational overheads. They will often be a lot more choosy about where the training and development budget goes too, focusing only on education and development that will support their core business. Essentially, with smaller consultancies, more of your money goes on paying for the expertise you need, and less goes on incidental costs such as sales, marketing, HR et al.

Y are you paying for time?

Time really does fly. You get a contract resource in on a six-month gig. But, for reasons outside your control, the project hits some bumps in the road. That resource is then given some other work to do until they are needed. You’re paying them to tread water just in case they might not be available when you actually need them. In the scenario just described, at least the person may be doing some meaningful work but even so, it’s costing you more than you had originally budgeted. Then there is Parkinson’s Law. Say you’re unsure how long something will take (after all, you’re not the expert) and allocate 3 months of day rate to a task. A consultant may be able to do that job in one month but the consultant has no incentive to finish the job earlier and simply burns through their allocated hours. In both scenarios, have you really got value for money?

There are other hidden time-based costs too. The cost of pitching for work is built into the rate a customer pays. The more time spent negotiating over how long a task should take (often because a client thinks it should take less time), the higher the ultimate cost. The more time spent chasing approvals and sign-offs for individual statements of work, the higher the ultimate cost (or the less time is available to deliver the work to the now pressing deadline). The more time spent re-scoping poorly crafted business requirements…

…ok, I’m sure you get the picture! Every aspect of “non-billable” time is baked into the “billable” rate. Because Fox Red Risk don’t bill on time, we spend less “non-billable” time on all the above aspects. This leaves more time to focus on the service delivery. It also means the cost of the saved time can get passed on to the client. Win-Win.

Z, not X or Y, marks the spot!

If both the cost of a specific resource, and the time allocated to a piece of work, have little or no bearing on delivery of a task, why do organisations purchase people resources on this basis? If resource cost or time allocated will not guarantee quality delivery, why pay for services using a time-based billing model? The short answer – you shouldn’t! Focus instead on paying for what you need. Avoid paying for a resource over time and instead pay for service delivery. In short, use a procurement-centric approach.

A procurement-centric approach looks at the specification of the service (the Z aspect) to be delivered. A procurement-based approach uses service-based billing. Consultants and contractors are invited to put a proposal forward, detailing how they will deliver the service you need. These contractors/consultants will look at what you need and price the work accordingly. The price is then based on what it will cost to deliver the requested service (and some margin). The proposal will highlight what will (and won’t) be in scope. The contracts will codify the service, including items such as service level agreements for quality and delivery. With a procurement-centric model, you as the purchaser will then know what you are getting and, if it is not delivered to the agreed specification or timeframe, you shouldn’t have to pay!



…It’s all well and good recommending a procurement-centric approach but anyone who has gone through the procurement process will know, service provider contracts are often slippery, with plenty of “gotchas” and “get out” clauses in their terms. Some service providers will word proposals making it look like they offer the world but in reality, offer very little value. Not only could you end up with a service that is well-marketed but, in reality, not fit for purpose, but the supporting contract is so steeped in caveats, and the statements of work so woolly, that when the wheels come off, the customer is often left with very little remedy – and very frustrated! The devil will always be in the detail. With all that said, a service-based offering offers greater transparency than a time-based offering. With a service-based offering, procuring organisations should know exactly what is (and isn’t) to be delivered.

Bespoke vs Cookie Cutter

OK, so expertise and time aside, is it just simply a case of specifying your needs and getting quotes back, then just procuring the cheapest one? Not quite. In order to keep costs down, many medium-to-large consultancies only offer cookie-cutter solutions. That is to say, the consultancy will have a standard set of templates or software, with a standard deployment model. They come in, add your name and logo to a generic policy document or install a piece of software with little to no specific customisation. They then leave you to it.

Smaller consultancies, like ours, do offer standard services but what makes ours different is our hybrid core/non-core approach. This means our clients get some certainty on a baseline of service delivery but can also flex their service for specific projects or situations. Be that something complex like the re-platforming of a core banking system or a new acquisition, or something more simple such as running an IT Service Continuity test.

Fox Red Risk ONLY does service-based billing

Time-based billing is not cost-effective. It encourages sub-optimal behaviour and leaves organisations paying over the odds for resources that often deliver less than expected. It leaves organisations with little ability to recover anything back for failed (or delayed) delivery. It doesn’t have to be this way though. Insist on service-based billing. Insist on paying for delivery of a specific pre-agreed output. Insist on paying not for a “bum on a seat” for Y hours a day but instead pay for the right answer to your specific question. If service-based billing is for you, come and explore our cybersecurity, data protection and operational resilience services.

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
