The first email arrived on the Wednesday. “Just a quick one, the SSL certificate on our booking site has expired. Can you fix?” SSL is the small file that proves a website is who it says it is and turns on the padlock in the browser. We could fix it, but we hadn’t been managing it, and we hadn’t been told to start. The IT manager who’d been handling it had left on the Tuesday. The handover meeting we’d been promised, the one where we’d be walked through what was in his head, hadn’t happened, he’d taken his last day as leave, and the calendar item had fallen off the back end of the agenda.
Over the next eight weeks we found nine more like it. Three more SSL certificates. Two domain renewals, one of which we caught with about 48 hours to spare. A backup system that hadn’t been tested for fourteen months; the tests had been on his personal calendar, not the shared one. A piece of finance software whose annual licence was paid through his personal corporate card and would lapse the day his card was cancelled. The phone system maintenance contract that wasn’t on any list we had.
None of this was hidden on purpose. He just hadn’t documented it, or he’d documented it in a notebook nobody had thought to ask for, or he’d documented it in a OneNote that lived on a personal OneDrive that got cleared the day his identity was disabled. He was a decent IT manager; the problem wasn’t him but the shape of the handover.
The handover meeting nobody books
Turnover risk in SME IT is one of those things everyone nods about and almost nobody plans for. The IT manager (sometimes a single person, sometimes one of two) knows where the bodies are buried. They’ve been there for years. They’ve been doing things in their head, on paper, on personal calendars, in chat threads with vendors who text them directly. The shared documentation is a fraction of what they know.
When they leave, three things happen in sequence. Week one, the urgent things break and get noticed. SSL certificates expire. Renewals lapse. A vendor calls and asks who they’re talking to now. These are the easy ones, because they announce themselves.
Months two to six, the things that operate on a quarterly cadence reveal themselves. Quarterly backup tests. Quarterly disaster-recovery walk-throughs. Quarterly licence reconciliations. Quarterly invoices from vendors nobody quite remembers.
Year one to two, the annual things bite. Annual renewals nobody put on a calendar. Annual filings. Asset refreshes that should have been planned a quarter earlier. Cyber Essentials Plus (CE+, the UK government’s annual cyber-hygiene certification, audited by an external assessor) recertifications. Cyber-insurance proposals. ISO surveillance audits (the yearly check-ins on your ISO 27001 or similar certification) if you have them.
By the time the annual things are showing up, the new IT manager, or the new IT supplier, has been blamed at least three times for things they had no way of knowing about. The trust deficit is hard to climb out of.
What we now do at takeover
After enough of these, we’ve changed our onboarding for any new managed-services client. The first thirty days are scoped around finding what isn’t in the documentation we’ve been given.
We look at three places. The renewals trail. Every domain, every certificate, every software licence, every support contract, every maintenance contract, every cyber-insurance policy. We pull the list from the client’s finance system, not from IT documentation, because the finance system catches the things IT didn’t track. We then cross-reference everything we found against the IT documentation. The gap is the work.
The shared mailboxes and forward rules. Vendors send renewal notices to the address they have on file. Often that’s a single person’s address, sometimes a generic one that nobody actually monitors. We get visibility on what’s hitting both, and we redirect to a shared inbox that survives any one person leaving.
The asset register. Real physical kit and real licences. Walked, counted, checked against the supplier’s record. In years of running these handovers we find at least one device nobody knew was there, and at least one licence that’s been paid for and not used for two years. The licence overpayment usually covers the cost of the audit on its own.
It’s not a glamorous thirty days, but the unglamorous work that earns the right to do the more interesting work later.
Why this is a managed-services question, not an HR one
You might reasonably ask why this is an IT supplier’s problem rather than a question for the company’s own HR or operations function. The honest answer is that nobody else in an SME has the visibility. HR knows the person’s leaving and runs the leaver checklist: laptop returned, accounts disabled, badge collected. Operations might own the office side of it. But neither of them knows that the SSL on the booking site renews on the 11th of October, or that the printer maintenance contract auto-renews unless you cancel sixty days before the anniversary.
That kind of operational knowledge is exactly where our Managed Services practice spends its time. We treat it as a continuity layer that survives staff changes on either side, ours or theirs. Documentation that’s actually current. Renewals that live in a shared system. Vendor relationships in shared inboxes, not personal ones. Asset registers that match what’s on the desks.
None of which prevents the turnover. It just stops the turnover from costing twenty thousand pounds in surprise renewals and missed certifications.
In summary
If your IT is a single point of failure, the failure isn’t a question of if but of when. When it happens you’ll spend the first month firefighting expired certificates, the next six months reconstructing a quarterly cadence nobody wrote down, and the year after that picking up the annual renewals you didn’t know existed. Twenty thousand pounds in surprise costs is the middle of the range. The expensive end is the customer who finds your booking site offline, the insurer who declines a claim because cover lapsed, the auditor who turns up to a certification you forgot to renew. The cheapest time to fix it is before they tell you they’re leaving.
Worried about what you’d lose if your IT manager left tomorrow? Drop us a note at info@jmopartners.co.uk. One of us will read it.
JMO|Partners · Enterprise IT, sized for SMEs.