
Technology Governance Overhaul for a Growing Professional Services Firm

A Melbourne professional services firm consolidated 38 vendors to 19, reached ISO 27001 readiness in eight months, and shut down rampant shadow IT after two security incidents put governance back on the board agenda.

Industry: Professional Services
Geography: Melbourne head office, six offices across VIC, NSW and QLD
Organisation: 280 staff, ~$72M annual revenue
Engagement: 12 months

Vendor Consolidation: 38 to 19
Annual Savings: $95k
Security Posture: ISO 27001 ready
Engagement Duration: 12 months

Client Context

The client is a professional services firm: Melbourne head office, six offices across VIC, NSW and QLD, 280 staff, ~$72M annual revenue. The client is anonymised to protect commercial sensitivity, but the operational facts and quantified outcomes below are reported as they were measured.

The Challenge

A Melbourne-based professional services firm with 280 staff across 6 offices had grown rapidly through acquisition. Each office ran its own IT setup with different tools, vendors, and security practices. Shadow IT was rampant, with over 40 unapproved SaaS subscriptions discovered during the initial audit. Two minor security incidents in the previous quarter had the board demanding action.

The firm had completed three acquisitions in 36 months without ever consolidating the back-office technology of any of them. Eleven different password managers were in use across the offices. The two security incidents — both phishing-driven, both contained without client data loss — had spooked the board enough that the COO was given an explicit mandate to fix governance, but no internal capability to run the programme. The previous IT manager had resigned six weeks before the engagement began. Annual audit had flagged inadequate access controls for two consecutive years.

Our Approach

We were engaged as fractional CIO one day per week for 12 months. We delivered a complete technology governance framework, including a vendor consolidation strategy, a cybersecurity uplift programme, and a standardised technology operating model. We ran workshops with office managers to build buy-in rather than imposing top-down mandates.

Rather than mandating a single national stack from the centre, we held a half-day workshop in each of the six offices to surface what was working locally and why. That produced a vendor map with clear keep-replace-retire recommendations and, more importantly, a coalition of office managers who had helped shape the change. The cybersecurity uplift was sequenced against a 90-day-quick-win, 180-day-strategic-control, 365-day-certification-readiness timeline. We deliberately delayed the most disruptive change — the identity provider migration — to month seven, after the easier wins had built credibility for the programme. Every governance decision was published to a single internal SharePoint page so partners could see the trail of reasoning, not just the policy document.

The Outcome

Vendor count fell from 38 to 19, achieving $95k in annual savings. The firm achieved ISO 27001 readiness within 8 months, established a scalable IT operating model with clear ownership, and reduced shadow IT to near zero through a simple approval process that staff actually used.

Beyond the headline savings, the operating model itself became repeatable. When the firm completed a fourth acquisition in month ten of the engagement, the integration of the acquired technology stack was completed in six weeks against a previous baseline of nine months. Cyber insurance premiums fell 18% at the next renewal because the firm could now evidence ISO 27001-aligned controls. Internal Net Promoter Score for IT services rose from -12 to +34 across the year, measured by quarterly all-staff survey. The COO was able to step back from day-to-day IT decisions, reclaiming roughly one day per week of executive capacity.

The fractional model was perfect for us. We needed senior technology leadership but could not justify a full-time CIO at our stage. They brought structure to our vendor relationships and set up governance that actually works.

Sarah K., COO

What This Means for Similar Businesses

For partner-led professional services firms growing through acquisition, the trap is that each acquired firm comes with its own technology preferences and the path of least resistance is to leave them alone. That works until it does not. The pragmatic move is to invest in a lightweight national operating model early — well before the third or fourth acquisition — and to bring office leaders into the decision-making rather than imposing a stack on them. Governance imposed from the centre rarely sticks; governance built with the partners almost always does.

How We Would Approach Your Situation

If you are seeing similar symptoms — stalled transformations, unreliable platforms, ballooning vendor costs, or a board that has lost faith — the first step is a rapid diagnostic. We run a structured two-week assessment that surfaces the real root causes behind what your team has been telling you. From there we build a phased roadmap your CFO will fund and your engineers can actually ship, with clear milestones and measurable exit criteria.

Every engagement ends with you owning the playbook, the governance artefacts, and the relationships with key vendors. We are not building dependency. We are building the technology capability your organisation needs to keep compounding value long after we step back. Read more about how we approach engagements like this on our Digital Transformation page, or take the Tech Health Check to surface where your own organisation sits.
