By the time an employee hands in their notice, the decisions that will make their departure clean or messy have already been made. They were made in the first weeks of the person's tenure, when nobody was paying close attention, because the new hire had just arrived and there were a hundred other things to do. A shared login here, a quick SaaS sign-up there, a personal laptop used until the company hardware arrived. By month six, none of those feel like decisions at all. They feel like how things are.
We see this pattern constantly with businesses across Melbourne and the Mornington Peninsula. A departure that should take an afternoon turns into a three-week scavenger hunt, and the cause traces all the way back to a rushed first day. This post covers what is really going wrong when offboarding drags out, the four onboarding shortcuts that guarantee a painful exit, how to retrofit hygiene on the team you already have, and what your IT provider should be doing at onboarding that probably is not happening.
What is really going wrong when offboarding takes three weeks
A clean offboarding takes about 90 minutes of IT time. An account is disabled in your identity provider, which cascades access revocation across every tool connected through single sign-on. The device is wiped remotely, or collected and wiped on-site. Email is forwarded to a manager or converted to a shared mailbox. The departing person's accounts in your CRM and project tools are reassigned. A handover note, already templated because it was templated at onboarding, gets filled in and filed.
The messy version of the same process can take three weeks. It starts with a manual list of tools nobody can fully remember, which usually means asking the departing employee to help reconstruct it. You find a design account, a video tool, a Notion workspace and a database app, all set up independently, all with passwords sitting in the departing employee's personal password manager. The laptop is at their house and they are in no rush. A client emails to say they received an odd message from a personal address. Six weeks later, a vendor charges the company card for a seat you thought you had cancelled.
Whether your offboarding is clean or chaotic depends almost entirely on what was set up during onboarding. In the identity world this is called the joiner, mover, leaver lifecycle, and Microsoft and most identity vendors use the same three-phase model. A rushed joiner phase simply defers the work. It compresses months of identity cleanup into the fortnight after the resignation lands.
Four onboarding shortcuts that guarantee a messy exit
1. Letting new hires sign up for SaaS tools on their own
When a staff member signs up for a tool independently, using their work email and a password only they know, that account is functionally theirs. You cannot reset it without triggering a notification to them. You may not even know the account exists until a vendor invoice shows up, or until it goes dark after they leave and a client project breaks.
This is the most common source of the "we cannot find half the logins when someone leaves" problem. The fix is to provision every tool through a central identity system, so any new application is connected to your single sign-on before the first user logs in.
2. Tolerating personal devices "just until we get them sorted"
Personal devices that get used for work do not stay temporary. The employee installs apps, connects to client systems, downloads files, and what was a stopgap becomes how they work permanently. When they leave, you have no ability to wipe company data from a device you do not own and never enrolled in a management system. You are relying on their goodwill, which is usually fine, but goodwill is not a security control.
The fix is to issue company-owned devices on day one and enrol them in mobile device management. Where you do allow a personal device, require managed app access for company email and files. Browser-saved credentials are not a substitute.
3. Shared logins for tools you did not want to pay per-seat for
Shared credentials are the worst offender at offboarding. When five people use the same login, you cannot remove one person's access without changing the password for everyone. You usually find this out at the worst possible time, when the person leaving is the one who set up the account and nobody else remembers the password at all.
Per-seat licensing is the cost of doing this properly. The savings from shared logins reappear during offboarding as wasted hours and exposed access.
4. Letting client relationships live in one person's inbox
This one is specific to agencies and professional services. When a senior account manager or consultant leaves, their client relationships often leave with them. The context, the email history, the preferences and the half-finished threads all lived in one person's inbox. With that person gone, the lot becomes inaccessible or awkward to retrieve, and from the client's side, your business simply does not know who they are anymore.
The fix is a shared inbox or CRM where client communication is logged. Even a Microsoft 365 shared mailbox, with a clear expectation that client threads are copied to it, is a meaningful improvement over what most small businesses have today.
How to retrofit hygiene on the team you already have
The cleanup most businesses need is for the team they already have, before the next hire arrives. You cannot go back and re-onboard your existing staff, but you can audit what is there and close the gaps before the next departure.
The SaaS audit
Pull three months of statements for every card used for business expenses, and list every recurring SaaS charge. For each one, find out who set it up, who holds the login, whether the account uses a personal or company email, and whether anyone else could access it if that person left tomorrow.
You will find tools nobody remembers signing up for, tools used by one person with no backup access, and accounts where the original owner has already left while you are still paying for the seat. None of this is a technical exercise. All it takes is a spreadsheet and an afternoon.
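If you would rather script the spreadsheet, the sketch below runs the same audit over a card statement export and a register of what the team told you about each tool. It is an added example, not something from the original post; the merchant names, people, column layout and the `example.com` domain are all constructed for illustration.

```python
import csv
from collections import defaultdict

COMPANY_DOMAIN = "example.com"  # assumption: the business's email domain
# Constructed sample: card statement export (date, merchant, amount).
STATEMENT = """date,merchant,amount
2024-03-04,CRMSUITE,49.00
2024-04-04,CRMSUITE,49.00
2024-03-11,VIDEOAPP,12.00
2024-04-11,VIDEOAPP,12.00
2024-04-15,NOTESPACE,8.00
2024-05-15,NOTESPACE,8.00
2024-03-20,DATABASEAPP,25.00
2024-05-20,DATABASEAPP,25.00
2024-04-22,OFFICE SUPPLIES,54.30
"""

# Constructed sample: answers to "who set it up, who holds the login".
REGISTER = """merchant,owner,login_email,backup_access,owner_status
CRMSUITE,it,it-admin@example.com,yes,active
VIDEOAPP,sam,sam.home@mail.test,no,active
DATABASEAPP,alex,alex@example.com,yes,left
"""

def recurring_merchants(statement_csv, min_months=2):
    """Merchants charged in at least min_months distinct calendar months."""
    months = defaultdict(set)
    for row in csv.DictReader(statement_csv.splitlines()):
        months[row["merchant"].strip().upper()].add(row["date"][:7])
    return {m for m, seen in months.items() if len(seen) >= min_months}

def audit(statement_csv, register_csv, domain=COMPANY_DOMAIN):
    """Map each recurring merchant to the offboarding risks it carries."""
    register = {r["merchant"].strip().upper(): r
                for r in csv.DictReader(register_csv.splitlines())}
    findings = {}
    for merchant in sorted(recurring_merchants(statement_csv)):
        entry, flags = register.get(merchant), []
        if entry is None:
            flags.append("nobody knows who set it up")
        else:
            if not entry["login_email"].lower().endswith("@" + domain):
                flags.append("login uses a personal email")
            if entry["backup_access"].lower() != "yes":
                flags.append("only one person holds the login")
            if entry["owner_status"].lower() == "left":
                flags.append("owner has left, seat still billed")
        findings[merchant] = flags
    return findings
```

Calling `audit(STATEMENT, REGISTER)` returns one entry per recurring charge; an empty list means the tool has a company login, backup access and a current owner. One-off purchases are ignored because they appear in only one month.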
The device register
Build a simple list: who has what, when each device was issued, whether it is enrolled in a management system, and what company data each device can reach. Ask every staff member to confirm the devices they use for work, including personal ones. The goal is to map what you are working with. Most people are happy to confirm what they use once they know nothing punitive will come of it.
For any personal device that has been used to access company systems, the minimum is making sure company email and file access happens through managed apps that can be remotely disconnected.
Client communication in shared places
Move client communication into shared places so the relationship belongs to the business when an individual moves on. Continuity is the goal. Set up a shared inbox or alias for client-facing communication, and use a CRM where contact history and notes are logged. Again, even a shared Microsoft 365 mailbox with a clear rule that client threads are copied to it is a real step up from where most small businesses sit today.
What your IT provider should be doing at onboarding
Most IT providers get called when someone resigns. They show up, disable the account, collect the laptop if they can find it, and do their best with whatever documentation exists. That is the wrong end of the lifecycle to be involved in. If that is the only time your IT provider touches staff transitions, you are not getting much value from the relationship.
The model that works puts your managed IT provider at onboarding too. They set up the new account in your identity provider, enrol the device in mobile device management, and provision access through single sign-on, so every tool the new hire uses is connected to a central identity that can be switched off in one action. They should also maintain a handover document for each staff member, updated periodically, listing every system the person accesses, every client relationship they own, and every credential tied to their identity.
When that is in place, offboarding becomes a checklist and an hour rather than a three-week excavation. Ask your IT provider what they do at onboarding. If the answer is "not much," or "we usually just get called when someone leaves," that is worth a conversation.
A 60-day plan before your next round of departures
You do not need to know the date of the next resignation to start. In fact the work is far more manageable when nothing is urgent.
- Weeks 1 and 2. Run the card-statement SaaS audit. List every tool, every account owner, and every login that only one person controls. Flag the ones where access would be lost or complicated if that person left this week.
- Weeks 3 and 4. Build the device register. Confirm what every staff member uses for work. For personal devices with company access, implement managed app access at minimum. Enrol company-owned devices in a management system if they are not already.
- Weeks 5 and 6. Audit client-facing communication. Identify any client relationships that exist mainly in one person's inbox or on someone's mobile. Set up shared mailboxes or CRM logging for the highest-risk accounts first.
- Weeks 7 and 8. Write the onboarding process you wish you had, using everything you found in the previous six weeks as the input. Apply it to your next hire from day one, and use it as the template for a handover document for every existing staff member.
Most of this is an operational task rather than a technology project. A spreadsheet, some honest conversations with your team, and a few hours of your IT provider's time will cover the bulk of it.
Frequently asked questions
How long should offboarding take in a small business?
With proper onboarding hygiene and a central identity, the IT side of offboarding takes about 60 to 90 minutes. Take that foundation away and the same task can stretch to two or three weeks of scattered cleanup.
How do I find SaaS tools my team signed up for without telling me?
The fastest way is a three-month review of every credit card or bank statement used for business expenses. Most unsanctioned SaaS shows up as a small recurring charge somewhere on the card.
Can I wipe a personal device after someone leaves?
Only the company data, and only if you set that up while they were still employed. Mobile device management or managed app access lets you remove company email, files and credentials from a personal device without touching the rest of it. If those tools were not in place during their employment, your options are limited.
What is the role of single sign-on in offboarding?
Single sign-on means every tool a person uses is tied to one central identity. Disabling that identity in one place revokes access everywhere. Without single sign-on, you have to log into each platform separately and remove the user by hand.
Should I make my employees use only company devices?
Where practical, yes. For personal devices, enrolling them in a management system or requiring managed app access is the next best thing. A personal device with saved company credentials and no management is the highest-risk setup for offboarding.