u/Aadi--1124

Run a productized fractional CFO service for ecom brands, 8 people on the team, 24 active clients on monthly retainers. Toronto-based but most of the team is remote across Canada and the US.

Got tired of scope creep eating margin so I made the team log every instance. Out-of-scope requests, scope-adjacent asks, "quick favors," the works. 8 months of data, 412 logged incidents.

Here's what I expected to find: that a few problem clients accounted for most of the creep. The 80/20 thing. The "fire your worst customers" answer.

That's not what showed up.

The data showed creep was almost evenly distributed across clients. The variable wasn't the client. The variable was who on our team was responding to the request. Two of our senior people were absorbing about 4x the volume of creep that everyone else was, because they were saying yes by default and only escalating to me when something blew up.

We had a scope document and pricing tiers but no script for the moment where a client asks for one small extra thing in a Slack channel at 4pm and the right answer is a polite redirect, not a sigh and a yes.

So we built one. Two-sentence templates for the most common asks. A weekly review of what got said yes to and what didn't. The senior absorbers went from absorbing 4x to absorbing 1.6x in two months.

It didn't kill creep. The total volume of requests didn't change. What changed was how many of them turned into unbilled work.

Curious if other service businesses have audited this and what you found.

She gave two weeks notice. Professional. Amicable. We wished her well.

Three weeks after she left, a client called asking if we'd "sent someone else from the team to follow up" because a person from a new company had contacted them referencing details that only someone with access to our internal notes would know.

Pulled the access logs. She'd exported our full client database, including contact details, project history, and internal notes, two days before her last day. 340 client records.

She'd started her own competing firm and was using our client data to warm-call our existing accounts. Not cold outreach. Warm outreach with insider information about their projects and pain points.

No non-compete. No non-solicitation agreement. No data protection clause in her employment agreement beyond a generic confidentiality line that my lawyer said would be expensive to enforce.

Lost two clients to her in the first month. Both said she'd referenced specific details about their accounts that made her pitch feel like a continuation of our work rather than a cold approach.

Built a proper data protection policy after. All employees now sign specific non-solicitation agreements. CRM access is role-limited and export privileges require approval. Exit procedures include immediate access revocation and a documented data audit.

Also started sending clients a quarterly relationship summary, a one-pager built in Gamma (visual report tool) showing what we've delivered and what's planned next. Not just for the client's benefit. To reinforce that the relationship is with the firm, not with any individual employee. If someone leaves and reaches out to our clients, the client has a recent document from us that anchors the relationship to the company.

$0 spent on prevention before. Multiple clients and revenue at risk because I trusted that people would behave ethically after leaving. Some do. Some don't. Build the system for the ones who don't.