Three years.
Nothing to report.
The case study about a Calgary-headquartered service company with operations in Canada, the US, Argentina, and now Brazil - and three years of quiet, well-executed IT operations that the CEO has stopped thinking about because nothing breaks.
FOR: Operators · 60–100 people · international multi-jurisdiction ops
Quick answer
A 75-person Calgary-headquartered service company operating in Canada, the US, Argentina, and now Brazil. Three years into a Vencer engagement, the CEO has stopped thinking about IT - not because nothing is happening, but because nothing is breaking. Patch cadence held, backups tested clean every quarter, M&A diligence questions answered the same day they were asked, the Brazil expansion handled before the lawyers finished the documents. The most valuable case studies are the quietest ones.
A 75-person service company. Three years. No crises. Nothing dramatic to report.
75 people. A Calgary-headquartered well intervention specialty firm operating across the WCSB, the Williston Basin in North Dakota, and Vaca Muerta in Argentina. Mid-cycle posture throughout the engagement. This case study is about what does not happen when the work is being done well.
This is the case study that no firm writes because there is nothing dramatic to report. We are writing it because the absence of drama is the point. Most of our clients in steady-state operations look more like this than like the M&A war stories or the cyber-wall scrambles. The work is professional, scheduled, well-executed, and quiet. Years go by. Nothing breaks. Nobody talks about IT because nobody needs to.
The company - we will call them by their internal nickname, “the WCSB-plus operator,” because their footprint had grown beyond Canada in 2022 - came to us in early 2023. The CEO had been quietly unhappy with their previous IT provider for about eighteen months. The previous provider was not bad. They just were not particularly good at being a partner. The CEO put it to us this way in the first call: “I want an IT operation I can stop thinking about. I do not want to be impressed. I want to be unsurprised.”
That sentence has shaped how we have operated with this client for three years.
The company’s reality was Mixed across three jurisdictions: Microsoft 365 in Calgary, a specialized intervention platform with field-data capture running on a local server in Calgary, WolfePak for accounting on the Canadian side, a smaller QuickBooks instance for the US operations, and a regional platform for the Argentine operations that handled local currency, local tax, and Spanish-language reporting. Three operating jurisdictions. Three currencies. Three regulatory regimes. One IT operating model needed to hold all of it together.
No challenge in particular. Just steady operations across three time zones.
The honest answer to the question “what was the challenge” is: nothing dramatic. The company was operationally healthy. The cyber posture was reasonable. The team was experienced. The cross-border operations were complex but well-understood. The challenge was simply to keep all of that running well, month after month, across three time zones and three regulatory regimes, without becoming a thing the senior team had to think about.
The kinds of work that needed to happen consistently, none of which would ever make a marketing case study on their own:
- Monthly patching across roughly 95 endpoints in three countries with documented exceptions for the small number of specialized systems that could not be patched on the standard cadence. None of the patches caused incidents. None of the exceptions caused incidents. The work happened. Nothing broke.
- Quarterly access reviews that caught the occasional account that should have been deactivated. Most quarters surfaced one or two. Over twelve quarters, we caught nineteen accounts in total - none of them resulting in actual exposure, all of them closed before they could.
- Two cyber insurance renewals that came in flat or slightly improved against a market backdrop where similar operators were seeing 22% to 38% increases. The renewals required no scrambling because the controls had been current the whole time.
- One minor incident in three years - a phishing email that reached a controller in Calgary, was reported by her within two hours, was investigated and contained within four hours, and resulted in no data loss and no operational impact. The investigation found that the email had reached her because of a vendor-side filtering issue, not a configuration gap. The incident never showed up on the company’s board agenda because there was nothing to escalate.
- Twelve quarterly business reviews with the CEO and CFO, each one running about 45 minutes, each one covering the same standardized format: operational health, cost trend, threat landscape update, and a forward-looking conversation about what was coming next. No surprises in any of them.
- Cross-border operational coverage through our Singapore plus Calgary monitoring footprint. Singapore handled the Argentine field operations during the South American business day. Calgary handled the WCSB and Williston operations. The CEO never had to think about which time zone was being watched at any given moment because both were always being watched.
The case studies that get written tend to be the ones where something dramatic was needed and the dramatic work was delivered. Those are real and they matter. But most of our long-term clients look more like this one than like the M&A or cyber-wall stories. The value of the engagement is measured in incidents that did not occur, audit findings that did not happen, surprise costs that did not appear, and senior-team attention that was not consumed by IT issues.
The math is harder to demonstrate in a case study because the unit of value is absence. How do you write a compelling story about three years of nothing going wrong? You do not, really. You write a case study that explains why nothing went wrong and why that should be considered the most valuable outcome an IT operation can produce.
A Co-Managed engagement, run with discipline for thirty-six months.
The engagement structure was Co-Managed throughout the three years. The CEO did not want to be involved in operational decisions but did want a real strategic partner. The CFO managed the day-to-day relationship with our account engineer. The company’s part-time IT generalist - who handled the on-site Calgary office work and was respected by the team - stayed in his role and coordinated with our team rather than competing with it. The structure suited the company. The company suited the structure.
Year one - foundation and stabilization.
The first year was about getting the operational foundation in place across all three jurisdictions. The cyber baseline came up to where it needed to be. The cross-border monitoring through Singapore and Calgary started catching the things that needed catching. The Argentine operations were brought into the same operational view as the WCSB and Williston operations - one dashboard, three jurisdictions, one consistent set of controls.
The internal IT generalist was initially uncertain about the engagement. He had been with the company for six years and was protective of the institutional knowledge. We spent the first quarter working alongside him deliberately, asking questions rather than offering answers, learning what he knew before suggesting changes. By the end of year one, he was actively coordinating with us rather than waiting to be told what to do. That transition was the most important relational outcome of the first year, and it was not anything we could have engineered. We had to earn it.
Year two - steady-state operations.
The second year was the year nothing dramatic happened. The patching cadence held. The access reviews ran on schedule. The quarterly business reviews happened on the same dates each quarter. The cross-border coverage worked as designed. The cyber insurance renewal in mid-year came in flat against a hardening market.
The only event worth mentioning happened in October. The phishing email that reached the controller. Reported within two hours of arrival. Contained within four hours. No data loss. No operational impact. The post-incident review took 90 minutes and produced two minor process refinements that have prevented similar incidents since. The CEO heard about the incident from the CFO during their regular Friday catch-up, three days after it had been resolved.
Year three - the engagement that does not need to be sold.
By year three, the engagement was operating on accumulated history. We knew the team. The team knew us. The CEO had stopped asking about IT in board meetings because there was nothing to report. The CFO had stopped reviewing monthly reports in detail because the patterns had become predictable. The work was getting done. Nothing was breaking. The senior team was free to focus on operations, growth, and strategy - which was exactly what they had asked for in the first call three years earlier.
One quiet outcome worth naming: in mid-year three, the company expanded the Argentine operations and added a small Brazilian footprint. The IT operational integration of the new Brazilian work took six weeks. There was no drama, no escalation, no special project. The cross-border operational capability we had built over the previous two years simply absorbed the new jurisdiction, the way a competent operation absorbs a new piece of work. The CEO mentioned it in passing during the year-three review as “the kind of thing I no longer worry about, because you handle it.”
Three years. No incidents of consequence. The engagement continues.
Before and after.
The moment it mattered.
The moment that mattered most in this engagement happened in year two, in conversation. The CEO was on a call with a peer - another Canadian service-company CEO - who was in the middle of a ransomware recovery. The peer asked our client’s CEO what their IT setup looked like. The client’s CEO described our engagement in roughly forty seconds: “Vencer handles everything. They send me a quarterly summary. The last time something happened, my CFO told me three days later because there was nothing for me to do.”
The peer called us the following week. He is now a Co-Managed client of ours as well. That referral - quiet, unstructured, born of one CEO describing a working IT operation to another - is the kind of growth that this engagement has been quietly producing for three years. Most of it does not make it back to us in attribution. We hear about it in stray comments during quarterly reviews, or in the first call with a new prospect who mentions that they have heard about us from someone they trust.
The CEO of the original client never gave us a testimonial. He has not been asked. The work being done well, year after year, is the testimonial. The next M&A target the company evaluates will be done with the same operational backbone that has been quietly compounding in their favor since 2023. The next cyber insurance renewal will be done with the same posture. The next jurisdiction added will be absorbed the same way the Brazilian one was. None of it will be newsworthy. All of it will compound.
The crisis case studies in this series describe the work Vencer does when something specific is at stake - an M&A program, a cyber wall, a downcycle, a transformative contract. This case study describes the work we do when nothing in particular is at stake, year after year, for clients who have decided that having a real operational partner is more valuable than having a vendor they can replace quarterly. Most of our long-term clients look more like this case study than like the crisis ones.
The Co-Managed engagement model is the most common fit for this profile because it preserves the internal IT capability while adding the depth, the 24/7 coverage, and the cross-border operational footprint that an internal generalist cannot match alone. For Canadian operators with international exposure - whether US basin extension, South American or African service contracts, or cross-border M&A - the operational footprint that comes with Vencer’s Singapore plus Calgary plus four-continents structure is what makes the engagement steady rather than reactive. The steadiness is the point. The steadiness is what compounds.
Does this story sound familiar?
The pattern in this case study has played out across dozens of Canadian oil and gas companies in the 10 to 100 person range. If you recognize parts of it in your own operation - or you suspect you might - the next step is a structured conversation with a Vencer engineer.
The IT-and-the-Cycle Assessment is a 3 to 5 day structured review of your specific operational situation. We pressure-test where your IT stands today, where it needs to be for what you intend to become, and what one bad day looks like at current state. You leave with a written report, a 90-day plan, and named owners. No hype. No vendor pitch. Just the truth about where you are and what to do next.
For a faster diagnostic, three free tools at vencergroup.com cover the same territory in less time: the Hidden IT Cost Calculator (12 minutes, quantifies your IT cost burden across three price-cycle scenarios), the Cyber Risk Self-Score (5 minutes, scores your cyber baseline against 12 critical controls), and the IT Myth-Buster sheet (the seven objections you’ll hear from inside your own company and how to think about them).
Vencer operates from Calgary headquarters with delivery teams across four continents. For Canadian-headquartered operators with international exposure - whether that means US basin extension, international service contracts, cross-border M&A, or international counterparties with their own cyber and audit requirements - the cross-border operational capability is built in, not bolted on.
Calgary, AB T2P 3J4
insights@vencergroup.com
One operator's outcome. Your situation has different variables. These numbers are real; the applicability to your operation requires conversation. The 30-min review is where that starts.
→ Book the 30-min review