5 impacts CISOS should be aware of
April 2020 is approaching fast - and with it the private sector IR35 reforms.
Cyber security departments are particularly contractor heavy due thier large change programmes and niche skill requirements. It is therfore likely they will be hit singularly hard by the upcoming IR35 reforms.
This article reviews the key impacts those reforms had on the public sector in 2017, and recommends steps that CISOs can take now to successfully manage them.
1)Loss of current contractors
76% of projects and departments in the public sector lost contractors due to the IR35 reforms.
The exodus wasn’t simply an issue of pay. Contractors were concerned that if their engagements were determined inside IR35, or turned into permanent roles, this would lead to retrospective tax reviews and liabilities. The easiest way to minimise this risk was to move to new engagements.
2) Project Delays
71% of projects in the public sector were delayed as a direct result of the IR35 reforms.
Now is the time for CISOs to identify projects that rely on contractors and take concrete action. Build extra contingency into project plans, identify where there may be additional cross dependencies, and communicate changed timelines to project sponsors and other stakeholders.
3) Increased Costs
The public sector IR35 changes led to significant cost increases with 42% of contractors raising their rates to counter the impact of being caught within IR35.
Expect project resource costs to increase between 10% and 20% regardless of how your organisation addresses the IR35 reforms, and ensure this is budgeted into financial forecasts.
4) Scarcity of Skilled Workers
94% of contractors stated in a recent survey that they would that avoid contracts that placed them 'inside IR35’ with 23% stating that they would stop contract work altogether.
Contractors will have three choices come April 2020 - find a contract that falls outside of IR35, increase rates to balance the cost of being inside IR35 or take up a permanent position. Quite possibly some contractors will do all three in a short space of time as the market stabilises.
Whatever they choose, this will lead to disruption and delays in engaging specialised resource, and a period of uncertainty.
5) Increased Administrative burden
Whilst this is mainly an HR issue, CISOs should be aware of the extra administrative burden the IR35 reforms will bring:
- Identifying contractors used both internally and in the supply chain
- Training HR staff to make IR35 status determinations
- Identifying and making adjustments to working practices and IT systems
- Ongoing management of IR35 status determinations, statements and the disputes process
What can CISOs do now?
Many public sector organisations introduced blanket policies to avoide allocating time, money and resource to the new rules. However this is not recommended for organisations which require a flexible workforce.
The three options which we would recommend are as follows:
- Engage with HR to carry our status determinations for all your contractors, and manage extra costs etc. accordingly
- Engage with IT Service providers and outsourcers
- Engage with Big4 and boutique consultancies to provide interim specialists under a consultancy agreement
Nicolson Bray won’t let IR35 disrupt your cyber security projects. We provide consultants with decades of cyber security experience at a 25% cost reduction to the Big4.
If you would like to know more about our boutique cyber security offerings, please click here