The IT Leadership Review Framework: The 7 Questions Every Business Should Ask Their IT Provider Every Quarter
If you're a business leader responsible for operations, compliance,
uptime, and growth—but not necessarily responsible for IT itself—you've
probably experienced this feeling:
You assume technology is fine because nobody is complaining.
Then something breaks.
A server fails. A critical file disappears. A software renewal gets
missed. A cyber insurance questionnaire arrives. A client asks about your
security posture. Suddenly IT isn't a background function anymore. It's a
business problem.
I've seen this happen repeatedly.
The issue usually isn't bad technology.
The issue is a lack of measurable accountability.
Most businesses receive technical support.
Very few receive strategic technology leadership.
The difference matters.
The companies that avoid costly surprises don't wait for problems to
appear. They review risk, performance, and readiness every quarter.
That's why we use the IT Leadership Review Framework.
Not to ask better questions.
To measure whether your technology environment is actually supporting the
business.
Why Most Quarterly IT Meetings Fail
Many quarterly reviews sound productive but accomplish very little.
The provider talks about completed tickets.
They mention projects.
They discuss upgrades.
Then everyone leaves feeling informed but unable to answer a simple
question:
Are we in a better position than we were three months ago?
A useful quarterly review should answer four questions:
- What is
protected?
- What is
exposed?
- What has
changed?
- What requires a
business decision before next quarter?
If those questions are not answered with measurable evidence, you're
discussing activity—not business outcomes.
What Great IT Providers Report Every Quarter
A strong quarterly review should include data, not opinions.
At a minimum, leadership should receive:
- Patch
compliance percentage
- Multi-factor
authentication (MFA) adoption percentage
- Backup test
success rate
- Help desk
resolution performance
- Ticket volume
trends
- Open critical
risks
- Device
lifecycle status
- Employee
security training completion
- Warranty and
renewal schedules
- Recovery
readiness results
If your provider cannot measure these areas consistently, it's difficult
to manage them consistently.
How Does Your Environment Compare?
Numbers only matter when you have context.
As a starting point, healthy organizations typically aim for:
|
Metric |
Healthy Target |
|
Patch Compliance |
95%+ |
|
MFA Coverage |
100% of business-critical users |
|
Backup Testing |
Quarterly |
|
Security Awareness Training |
Annual completion by all employees |
|
Device Lifecycle |
4-6 year replacement cycle |
|
Recovery Testing |
At least annually |
|
Critical Incident Reviews |
Quarterly |
The goal isn't perfection.
The goal is visibility.
Organizations that know where they stand can improve.
Organizations operating on assumptions usually discover problems after
they've become expensive.
The 911 IT Business Technology Health Index
Most companies believe they're operating strategically.
Many aren't.
That's why we pair scorecards with a maturity model.
|
Level |
Description |
|
Level 1: Reactive |
Problems are discovered after users
are impacted. |
|
Level 2: Managed |
Maintenance occurs regularly, but
reporting is inconsistent. |
|
Level 3: Measured |
Security, backup, compliance, and
performance metrics are reviewed consistently. |
|
Level 4: Strategic |
Technology decisions align with
growth, risk management, and operational goals. |
Many businesses believe they operate at Level 3.
In reality, they're often Level 2.
If your provider cannot show documented recovery testing, lifecycle
planning, measurable reporting, and executive recommendations every quarter,
you're probably managing technology—not measuring it.
The jump from Managed to Measured is often where the largest risk
reduction occurs.
The Business Technology Health Scorecard
|
Area |
Green |
Yellow |
Red |
|
Patch Compliance |
95%+ |
85%-94% |
Below 85% |
|
MFA Coverage |
100% |
Partial |
Major gaps |
|
Backup Testing |
Tested Quarterly |
Tested Annually |
Never Tested |
|
Device Lifecycle |
Less than 10% Outdated |
10%-20% Outdated |
More than 20% Outdated |
|
Ticket Resolution |
Consistently Within Goal |
Occasionally Missed |
Frequently Missed |
|
Compliance Readiness |
Documentation Current |
Minor Gaps |
Significant Gaps |
|
Business Continuity |
Tested Plan Exists |
Untested Plan Exists |
No Plan |
|
Vendor Accountability |
Fully Tracked |
Partial Tracking |
Reactive Only |
Print this.
Bring it into your next quarterly review.
It will tell you more than dozens of pages of technical reporting.
What We See During Quarterly Reviews
After reviewing business technology environments for years, I've noticed
something surprising.
The issues that create the biggest disruptions are rarely the issues
leadership worries about most.
Instead, we repeatedly see:
- MFA enabled for
some users, but not all.
- Backup systems
running but never tested.
- Critical
devices operating well beyond supported lifecycles.
- Recovery
procedures existing only in someone's memory.
- Vendor renewals
tracked manually.
- Former
employees retaining unnecessary access.
- Security
updates delayed because nobody owns the process.
None of these issues usually create immediate outages.
That's why they survive.
They become visible only when a business measures reality instead of
assuming everything is working.
Question 1: What Security Problems Need Attention Right Now?
Every organization has risk.
The goal isn't eliminating all risk.
The goal is knowing where it exists before it becomes expensive.
Ask:
- What systems
need patching?
- Which users
still lack MFA?
- Have there been
unusual login attempts?
- What is our
highest priority security gap?
- What should be
fixed before next quarter?
Industry breach research consistently shows that people, compromised
credentials, and missing controls play roles in many successful attacks.
The lesson isn't that employees are the problem.
The lesson is that organizations need visibility, safeguards,
accountability, and repeatable processes that prevent a routine mistake from
becoming a business interruption.
Question 2: Have You Tested Our Backups Recently?
The most dangerous backup is the one you assume works.
A backup is not a recovery plan.
Ask:
- When was the
last recovery test?
- How long did
restoration take?
- What systems
were included?
- Did every
restore succeed?
- Are cloud
applications included?
- Who receives
alerts when backups fail?
One company we reviewed believed their backups were functioning
correctly.
A recovery test revealed a critical folder had never been included in the
backup job.
Nothing had failed yet.
But the quarterly review exposed the risk before a deletion, ransomware
incident, or hardware failure exposed it painfully.
That's the value of testing.
Question 3: Where Is Technology Slowing Us Down?
Not every expensive IT problem feels urgent.
Some are quiet.
A slow application.
An unreliable VPN.
A reporting system everyone avoids.
A video platform that freezes during client meetings.
Ask:
- What issues
appear repeatedly?
- What systems
generate the most complaints?
- Where are
employees losing time?
- What
infrastructure is struggling to keep pace?
Technology should increase momentum.
Not teach your team to tolerate inconvenience.
Question 4: Are We Still Aligned With Compliance Requirements?
Compliance isn't a project.
It's maintenance.
Ask:
- Have
requirements changed?
- Are policies
current?
- Are access
reviews occurring?
- Are insurance
requirements being met?
- Could we prove
compliance today?
Here's the external evaluator test:
If an auditor, cyber insurance carrier, regulator, board member, or major
client reviewed your environment tomorrow, what evidence could you provide
immediately?
That's the real measure.
Question 5: What Should We Budget For Next Quarter?
Good planning eliminates surprises.
Ask:
- Which devices
are approaching end-of-life?
- Which
warranties are expiring?
- Which licenses
require renewal?
- Which risks
should be funded proactively?
A 35-person accounting firm once discovered during a quarterly review
that nearly half of its workstations were beyond normal support life.
Replacing them proactively cost far less than replacing them during tax
season after failures occurred.
That's what strategic planning looks like.
Question 6: Where Are We Falling Behind?
This is often the most valuable question.
Ask:
- What are
similar organizations doing that we're not?
- Are we behind
on any security standards?
- What processes
should we automate?
- What would you
address first if this were your company?
A strategic provider should have answers.
Not sales pitches.
Answers.
Question 7: How Prepared Are We For A Major Business Interruption?
This is the question leaders care about most.
Because uptime, compliance, cybersecurity, and budgeting all lead here.
What happens when the business stops?
Ask:
- If ransomware
hit tomorrow, what happens first?
- How long would
recovery take?
- Which systems
recover first?
- Who owns
recovery decisions?
- When was the
plan tested?
The Business Interruption Readiness Checklist
A complete continuity discussion should address:
Internet Outage
- How long can
operations continue?
- What backup
connectivity exists?
Ransomware
- What systems
recover first?
- How long will
recovery take?
Cloud Provider Outage
- Which
applications become unavailable?
- What manual
processes exist?
Key Employee Loss
- Are passwords
documented securely?
- Are vendor
relationships documented?
Vendor Failure
- What happens if
critical software becomes unavailable?
- Are alternative
workflows defined?
The organizations that recover fastest are rarely the organizations with
perfect technology.
They're the organizations that discussed these scenarios before the
crisis happened.
The One-Page Quarterly Leadership Review
Every quarterly review should end with one page.
One.
Not forty.
Leadership should receive:
- Current
Business Technology Health Index score
- Top three
operational risks
- Top three
improvement opportunities
- Recovery
readiness status
- Budget
considerations
- Assigned
ownership
- Actions
required before next quarter
If your technology review cannot be summarized on one page, there's a
good chance it's reporting activity rather than helping leadership make
decisions.
That's a distinction many businesses don't realize until they experience
a major disruption.
Your Next Step
Next week, pull out your most recent quarterly IT review and compare it
against the Business Technology Health Index.
If you can't determine your maturity level, patch compliance, backup
testing status, recovery readiness, or top three risks, your review is missing
critical business information.
Schedule your 10 minute discovery call with 911 IT. We'll walk through
your Business Technology Health Index together and help you determine whether
your organization is operating at a Reactive, Managed, Measured, or Strategic
level. You'll leave with a clearer picture of your biggest technology risks and
priorities before they become business problems.
