6 Questions Smart Companies Ask Their IT Provider Every Quarter
Most technology failures don't begin with an outage.
They begin with a leadership assumption.
If you're responsible for protecting client data, keeping employees
productive, satisfying compliance requirements, and ensuring the business keeps
running, one of the most dangerous assumptions you can make is this:
"Everything must be fine because nothing has broken."
In my experience, major disruptions rarely happen because a company
ignored a flashing red warning light. They happen because small risks were
allowed to sit unnoticed for months.
A quarterly IT review isn't about finding what's broken.
It's about finding what's about to break.
The organizations that avoid costly downtime, failed audits, security
incidents, and productivity losses aren't necessarily spending more on
technology.
They're asking better questions.
Question #1: What Security Risks Need Immediate Attention?
Every business has vulnerabilities.
The question is whether someone is actively looking for them.
Ask your IT provider:
- What are our
top three security risks today?
- Which systems
still need security updates?
- Have there been
suspicious login attempts?
- Are any user
accounts creating unnecessary risk?
- What
recommendations remain unresolved?
Red Flag vs. Green Flag
Question: What security risks do we need to address?
✅ Strong Answer
"We identified four accounts without multi-factor authentication,
two critical security updates that need installation, and several failed login
attempts that require monitoring. Remediation is scheduled."
❌ Weak Answer
"Everything looks secure."
Real security conversations involve evidence, priorities, and action
plans.
Not reassurance.
Question #2: Have Our Backups Been Tested Recently?
Most companies believe they have a backup strategy.
What many actually have is backup software.
Those are not the same thing.
A backup only matters if it can restore operations when the business
needs it.
Ask:
- When was the
last recovery test completed?
- How long would
it take to restore operations?
- How much data
could potentially be lost?
- Are cloud
applications included?
- Are backups
protected from ransomware?
- Who has
verified recovery procedures?
Know These Two Numbers
Recovery Time Objective (RTO)
How long your organization can operate without critical systems.
Recovery Point Objective (RPO)
How much data loss your business can tolerate.
If your IT provider cannot clearly explain both numbers, there is a good
chance your recovery strategy has blind spots.
Red Flag vs. Green Flag
✅ Strong Answer
"Recovery testing was completed this quarter. Systems were restored
successfully. Microsoft 365 data is included and immutable backups are
active."
❌ Weak Answer
"Backups run every night."
One answer demonstrates preparedness.
The other demonstrates hope.
Question #3: Where Is Technology Slowing Down Our Team?
The most expensive technology problems often look harmless.
An application loads slowly.
A file takes too long to open.
A video meeting freezes.
Employees log in multiple times each day.
No individual issue feels significant.
But together they become incredibly expensive.
The Cost of Tiny Delays
Imagine a company with 25 employees.
If each employee loses just 20 minutes every day because of technology
friction:
- More than 8
hours are lost daily
- More than 40
hours are lost weekly
- More than 2,000
hours are lost annually
That's roughly the equivalent of a full-time employee's annual
productivity disappearing into slow systems and inefficient processes.
Ask your provider:
- What recurring
complaints are we seeing?
- Which systems
create the most delays?
- Are we
outgrowing our infrastructure?
- What should be
optimized, replaced, or upgraded?
Technology should remove friction.
Not create it.
Question #4: Are We Still Compliant?
Many organizations treat compliance as an annual event.
The reality is that compliance is a continuous process.
Requirements evolve.
Security standards change.
Insurance carriers raise expectations.
Auditors ask new questions.
Ask your provider:
- Have compliance
requirements changed?
- Are there
documentation gaps?
- Are employee
training requirements current?
- Are security
controls still sufficient?
- Has our cyber
insurance posture changed?
Questions by Industry
Healthcare
- Are access
reviews being completed?
- Can critical
systems remain available during an incident?
- Is sensitive
information adequately protected?
Financial Services
- Are regulatory
controls documented?
- Are retention
requirements being met?
- Are access
permissions reviewed regularly?
Professional Services
- Are client
files properly protected?
- Are
collaboration tools secured?
- Are
confidentiality requirements being enforced?
Manufacturing
- Are production
systems protected?
- Can operations
recover from a technology disruption?
- Are critical
networks properly segmented?
The Boardroom Test
Imagine your executive team asks four simple questions tomorrow morning:
- How long would
recovery take after a ransomware event?
- When was the
last successful backup restoration test?
- Are we ready
for our next audit?
- What is our
biggest unresolved technology risk?
Could your organization answer all four immediately?
If not, the issue is no longer technical.
It's operational.
Question #5: What Should We Budget For Next Quarter?
Technology expenses should rarely surprise leadership.
Strong IT providers identify upcoming costs before they become
emergencies.
A quarterly review should cover:
- Aging hardware
- Warranty
expirations
- Software
renewals
- Security
improvements
- Infrastructure
upgrades
- Capacity
planning
Red Flag vs. Green Flag
✅ Strong Answer
"Several systems are approaching replacement age. Warranty coverage
expires next quarter, and budget planning should begin now."
❌ Weak Answer
"We'll let you know if something comes up."
Good planning prevents emergencies.
Poor planning creates them.
Question #6: Where Are We Falling Behind?
This is where average providers separate themselves from strategic
partners.
Most IT providers discuss today's problems.
Great providers discuss tomorrow's risks.
Ask:
- What
opportunities are we missing?
- What should be
automated?
- Have security
standards evolved?
- What are
similar organizations doing differently?
- What emerging
threats should we prepare for now?
The businesses that continuously improve rarely become tomorrow's
cautionary tale.
How One Company Avoided a Major Outage
A professional services company with approximately 70 employees completed
a routine quarterly technology review after noticing occasional performance
issues.
Nothing appeared urgent.
Employees could still work.
The business was still operating.
During the review, infrastructure monitoring revealed increasing errors
on a storage system supporting critical business data.
The hardware had not failed.
Yet.
Further testing showed the issue was progressively worsening.
The system was replaced during a planned maintenance window.
Several weeks later, follow-up diagnostics confirmed the component likely
would have failed under normal production workloads.
Because the issue was discovered during a quarterly review:
- Operations
continued uninterrupted
- Employees
experienced no downtime
- Data remained
protected
- Emergency
replacement costs were avoided
The most valuable technology discoveries happen before they become
incidents.
What Great Providers Report Every Quarter
A meaningful quarterly review should include four categories:
Security Findings
- Vulnerabilities
discovered
- Security
updates completed
- Outstanding
risks
- Account
protection status
Backup Validation
- Last recovery
test
- Recovery
success rate
- Recovery time
achieved
- Coverage
verification
Compliance Updates
- New
requirements
- Policy changes
- Documentation
gaps
- Employee
training needs
Infrastructure Health
- Aging systems
- Warranty
expirations
- Capacity
concerns
- Recommended
improvements
If leadership isn't receiving this type of information, visibility into
technology risk is limited.
Leadership Dashboard: Metrics Every Executive Team Should Review
|
Metric |
Minimum Standard |
What Great Looks Like |
|
MFA Adoption |
95%+ |
100% with advanced access controls |
|
Patch Compliance |
Critical updates completed |
Automated validation and reporting |
|
Backup Success Rate |
Restorable backups |
Tested recovery with documented
results |
|
Security Findings |
Reviewed quarterly |
Tracked through completion |
|
Asset Lifecycle |
Replacement plan exists |
Multi-year roadmap maintained |
|
Audit Readiness |
Documentation available |
Documentation verified quarterly |
Executives don't need more technical details.
They need measurable visibility.
Quarterly IT Health Scorecard
Score each category:
Green = 2 Points
Yellow = 1 Point
Red = 0 Points
|
Category |
Green |
Yellow |
Red |
|
Security |
Protection fully implemented |
Minor gaps |
Significant gaps |
|
Backups |
Tested quarterly |
Tested occasionally |
Never tested |
|
Compliance |
Current and documented |
Some gaps |
Unknown status |
|
Hardware |
Modern systems |
Aging systems |
End-of-life systems |
|
Productivity |
Minimal complaints |
Recurring issues |
Constant disruption |
|
Recovery Readiness |
Validated regularly |
Partial testing |
Never verified |
Scoring Results
|
Score |
Meaning |
|
10-12 |
Healthy |
|
6-9 |
Moderate Risk |
|
0-5 |
Immediate Review Needed |
What Good Looks Like vs. What Great
Looks Like
|
Area |
Good |
Great |
|
Security |
MFA enabled |
MFA plus advanced access controls |
|
Backups |
Quarterly testing |
Quarterly testing plus immutable
recovery |
|
Compliance |
Documentation exists |
Documentation reviewed every quarter |
|
Recovery |
Written recovery plan |
Tested and measured recovery
capabilities |
|
Reporting |
Risks identified |
Risks tracked through resolution |
|
IT Provider |
Fixes problems |
Prevents future business risk |
Your Next-Week Action
Pull out your most recent IT review.
Highlight every recommendation that remains unresolved after 90 days.
Those unresolved items often represent the greatest hidden risk inside
the organization.
Final Thought
The businesses that consistently avoid costly outages, failed audits,
productivity losses, and security incidents are rarely the lucky ones.
They're the ones asking the right questions before problems occur.
Schedule your 10 minute discovery call with 911 IT.
We'll walk through the scorecard and identify where operational,
security, and compliance risks may exist. This helps confirm whether these
risks apply to your business—and it only takes 10 minutes.
