Here's a pattern we see constantly with Ontario businesses: an employee resigns, and what should be a same-day IT task turns into a three-week scavenger hunt. Nobody can remember which SaaS tools they signed up for. Their laptop is a personal one they've been using "temporarily" for eight months. A client emails asking why they got a message from someone's personal Gmail. A vendor charges the company card for a seat nobody remembers approving.
None of that happened because offboarding is hard. It happened because of decisions made in the person's first few weeks on the job, back when nobody was paying close attention because there were a hundred other things going on. By month six, a shared login or a quick self-serve sign-up doesn't feel like a decision anymore. It just feels like how things are done.
The good news: this is entirely fixable, and fixing it is mostly about tightening up onboarding, not scrambling harder at offboarding.
Done properly, offboarding an employee takes about 90 minutes of IT time. One account gets disabled in a central identity system, and that single action cascades access removal across every connected tool. The device gets wiped or collected. Email forwards to a manager or converts to a shared mailbox. CRM and project tool ownership transfers. A handover document, already templated from onboarding, gets filled in and filed.
The messy version of the same task can eat three weeks: a manual hunt through tools nobody fully remembers, passwords sitting in a departed employee's personal password manager, a laptop still sitting at their house with no urgency to return it.
Whether an exit is clean or chaotic was mostly decided the day that person was hired.
Letting new hires sign up for tools on their own. The moment someone creates an account with their own work email and a password only they know, that account is functionally theirs. You can't reset it without notifying them, and you may not even know it exists until an invoice shows up or the account goes dark the week they leave.
Tolerating personal devices "just until we sort it out." Temporary never stays temporary. Files get downloaded, apps get installed, client systems get connected. When the person leaves, there's no way to remove company data from a device the business never owned or enrolled in a management system.
Shared logins to avoid paying per seat. When five people share one login, you can't remove one person's access without changing the password for everyone else too, usually right when the departing person was the only one who remembered it in the first place.
Client relationships living in one person's inbox. For agencies and professional services especially, this is the quiet killer. When an account manager leaves, the email history, the context, and the half-finished threads leave with them. From the client's perspective, the business just lost track of who they are.
Beyond the operational headache, this connects directly to obligations under PIPEDA and, increasingly, to what cyber insurance carriers and client security questionnaires are asking about access control. An employee walking out the door with lingering access to client files, email, or company systems isn't just messy — it's exactly the kind of gap that shows up on an insurance renewal form or an ISN submission as unaddressed risk.
This is also why we build identity and access hygiene into onboarding from day one for our clients, rather than treating it as an offboarding fire drill:
You can't go back and re-onboard your existing staff, but you can audit what's already there before your next departure forces the issue.
Run a SaaS audit. Pull three months of business credit card statements and list every recurring charge. For each one, find out who set it up, who has the login, and whether anyone else could access it if that person left tomorrow. You'll usually find at least one tool nobody remembers signing up for.
Build a device register. List who has what, whether it's enrolled in a management system, and what company data it can reach. Ask staff to confirm what they actually use for work, including personal devices — most people are happy to disclose this once they know it isn't punitive.
Move client communication into shared places. A shared mailbox or CRM with logged contact history, even a simple Microsoft 365 shared inbox with an expectation that client threads get CC'd, keeps the relationship with the business instead of with one inbox.
Most IT providers only show up when someone resigns: disable the account, collect the laptop if they can find it, do their best with whatever documentation exists. That's the wrong end of the relationship to be involved in.
The model that actually works has your IT provider involved at onboarding, too. New accounts go through a central identity system, devices get enrolled in management, and access is provisioned so a single action can switch it all off later. A handover document gets maintained and updated for every staff member, not written from memory after they've already left.
If you ask your IT provider what they do at onboarding and the honest answer is "not much, we usually just get called when someone leaves," that's worth a conversation.
Want a second set of eyes on where your onboarding and offboarding process might have gaps? We're happy to walk through it with you. contact our team today at 905-432-7751 and check out our related articles at www.attitudeit.ca