Somewhere between ten people and twenty, the same pattern shows up in almost every services firm. The informal systems that worked at ten (the shared drive everyone knew, the finance package one person owned, the logins created on the fly as people joined) begin to create problems that are harder to fix than they look.
By twenty people, a firm is typically carrying a few former employees with live system access, a file structure that nobody quite trusts, and a finance setup that involves more manual reconciliation than it should. The founder often knows this. Less obvious is where to start: which system comes first, and what to hold off buying until the foundation is actually solid.
What does “operating system” actually mean for a services firm?
For a 20-person services firm, a business operating system is the shared layer of five core systems that holds the firm together: identity and access management, email and file collaboration, finance, CRM, and endpoint security. Each of these decides something specific. Identity controls who has access to what. Finance and CRM hold the commercial records. Security covers how those records are kept protected.
The term has nothing to do with Windows or macOS. UK business-system providers use it to describe the operational layer that brings records, staff data, and workflows into one access-controlled environment. The practical question is whether that layer exists deliberately or has simply accumulated over time. A patchwork of individually reasonable tools that nobody has ever joined up is where many firms at this size find themselves, and it is where things start to go wrong: permissions nobody set, finance data in two places, logins that persist long after someone leaves.
Why does 20 people change the picture?
At 20 people, the informal controls that held at 10 start to fail in visible ways. You have joiners and leavers you cannot track by memory, client data spread across personal folders, and finance reconciliation that takes longer than it should because no single system owns the records. The UK Government’s Cyber Security Breaches Survey 2025 found that 43% of UK businesses reported a breach or attack in the previous 12 months. Ungoverned access is among the most common enablers.
Below ten people, a founder can hold the whole operational picture in their head. They know roughly who has access to what, where the important files sit, and who owns which system. At twenty, that model stops working. There are too many combinations of devices, logins, and data locations for any one person to track reliably.
The ICO’s accountability guidance makes clear that organisations must be able to demonstrate compliance with data protection rules, not simply claim they are following them. At twenty people, that requires a deliberate system. Relying on memory and good intentions is not a defensible position if the ICO asks how client data is protected and what happened to access when someone left.
Which five systems does a 20-person firm actually need?
The five systems a 20-person services firm needs are identity and access management, email and file collaboration, finance, CRM, and endpoint security. Each one has a specific job. Identity controls who is in and out of the firm’s digital environment. Email and files cover day-to-day work and collaboration. Finance and CRM hold the commercial records. Endpoint security covers the devices the team uses and how they are kept protected.
Identity and access management means one login per person, multi-factor authentication across email, finance, and remote access, and a joiners and leavers process that can grant or revoke every login in minutes, so that a leaver's access is gone on their last day rather than discovered months later. Shared logins ("the finance account") break this model because nobody can say who used them or switch them off when one of the people who knew the password leaves. The ICO's password and authentication guidance recommends passphrases combined with MFA for systems holding personal data, and the NCSC lists MFA as one of the highest-impact controls a small firm can deploy.
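The leavers check above should be a routine reconciliation, not a memory exercise. The following is an added example, not code from the original article: it compares an HR roster against a user export from the identity provider and flags accounts with no owner, leavers whose accounts are still enabled, and enabled accounts with no MFA enrolment. The column names, the sample rows, and the as-of date are all constructed assumptions; a real export from Microsoft Entra ID or Google Workspace will need its fields mapped onto these names.

```python
"""Reconcile an HR roster against an identity-provider user export.

Added example for the article above, not code from it. Column names are
hypothetical; map your own exports onto them before running for real.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample data: a four-person roster and a directory export that
# disagree in the ways a 20-person firm usually discovers during an audit.
HR_ROSTER_CSV = """email,status,leave_date
alice@example.com,active,
bob@example.com,active,
carol@example.com,left,2024-11-30
dave@example.com,left,2025-01-15
"""

IDP_EXPORT_CSV = """email,enabled,mfa_enrolled,last_sign_in
alice@example.com,true,true,2025-03-01
bob@example.com,true,false,2025-03-02
carol@example.com,true,false,2025-02-20
dave@example.com,false,true,2025-01-10
shared-finance@example.com,true,false,2025-03-03
"""

# Assumed "today" so the sample output is reproducible.
AS_OF_DATE = date(2025, 3, 10)


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str   # no_owner | leaver_still_enabled | mfa_missing
    detail: str


def read_rows(text):
    """Parse a CSV export held in memory into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_true(value):
    return (value or "").strip().lower() in ("true", "yes", "1")


def reconcile(roster_csv, idp_csv, today):
    """Return every account-level finding from comparing the two exports."""
    roster = {r["email"].strip().lower(): r for r in read_rows(roster_csv)}
    findings = []
    for acct in read_rows(idp_csv):
        email = acct["email"].strip().lower()
        enabled = is_true(acct["enabled"])
        mfa = is_true(acct["mfa_enrolled"])
        person = roster.get(email)

        if person is None:
            # Nobody in HR owns this login: typically a shared or legacy account.
            findings.append(Finding(email, "no_owner",
                                    "account has no matching person in HR roster"))
        elif person["status"].strip().lower() == "left" and enabled:
            leave = date.fromisoformat(person["leave_date"])
            days_since = (today - leave).days
            last = date.fromisoformat(acct["last_sign_in"])
            used_after = " and signed in after leave date" if last > leave else ""
            findings.append(Finding(email, "leaver_still_enabled",
                                    f"left {days_since} days ago{used_after}"))

        if enabled and not mfa:
            # Disabled accounts are not flagged: fix the enablement first.
            findings.append(Finding(email, "mfa_missing",
                                    "enabled account without MFA enrolment"))
    return findings


def summarise(findings):
    """Count findings by issue type, for the one-line status report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR_ROSTER_CSV, IDP_EXPORT_CSV, AS_OF_DATE)
    for f in results:
        print(f"{f.issue:22} {f.email:28} {f.detail}")
    print(summarise(results))
```

Run weekly against fresh exports and the report should be empty; anything that appears is either a leaver the process missed or an account that was never tied to a person in the first place. Note that a disabled leaver (dave in the sample) is deliberately not reported, and that the shared finance login is caught twice: once for having no owner and once for lacking MFA.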
Email and file collaboration means one productivity suite with permissions configured deliberately: who can see which client folders, who holds admin rights, and how file retention works. Without this discipline, the suite becomes a more expensive version of the shared-drive problem it was meant to address.
Finance and CRM should each be a single system of record. No invoice spreadsheets running alongside the accounts package. No duplicate client lists split across the CRM and a spreadsheet someone started two years ago. One finance system, one CRM, clear ownership of each. The tool choice matters less than the commitment to use only one.
Endpoint security covers device management, patching, encryption, and remote wipe. For firms without an in-house IT function, this is where a managed IT provider typically earns its fee. A UK MSP covering endpoint management, cloud oversight, network monitoring, and third-party coordination maps well to what a firm this size needs without the cost of a dedicated IT team.
What is the right sequence to build them?
Build identity first. Everything else depends on knowing who is inside your digital environment and who is not. Once single sign-on and MFA are working, add email and file collaboration with properly configured permissions. Then make finance and CRM your systems of record, with clear ownership of each. Then harden endpoint security. Each layer depends on the one before it, and skipping the sequence creates gaps that are harder to close later.
The sequence matters because each layer informs the next. Identity tells you who should have access to the file system, and therefore what the folder permissions ought to say. Knowing who owns the finance and CRM records, and where those records live, tells you which devices and accounts the endpoint policy has to protect and whose access to cut when someone leaves. The CMA's cloud market investigation highlighted switching costs as a real risk for SMEs; when choosing tools for each layer, keep portability in mind and avoid unnecessary lock-in in file storage, identity, and finance workflows.
What should you hold off on until the core is solid?
AI tools, advanced automation, and specialist vertical software all belong after the core five are in place. The ICO’s guidance on AI and data governance makes clear that access controls and data minimisation are prerequisites for deploying AI in client-facing work. A firm without a clean identity layer, properly configured file permissions, and a single finance system of record is not in a position to deploy AI safely.
The pattern that keeps appearing in owner-managed firms is buying new software to solve a problem that is actually a systems problem. An AI tool that summarises client notes cannot operate safely if that data sits in an ungoverned shared folder. A new CRM does not fix scattered data. Sorting the five core systems first means every new tool you add sits on a foundation that can support it.
For firms serving regulated clients, there is a further reason to get this in order. The FCA’s operational resilience expectations can flow down contractually even where the firm itself is not directly FCA-authorised. If your clients are regulated, their compliance teams will ask about your systems. That conversation starts with the five core layers, not with your choice of AI platform.
If you want to talk through whether your current setup is ready, or where to start, a conversation is the fastest way to find out. Book a conversation and we can look at where you are.