
10-Working-Day IT Risk Review for CEOs and COOs



Get a clear view of where IT risk and supplier control are exposing the business, and leave with a board-ready 90-day stabilisation plan.

Deliverables in 10 days: prioritised risk register, supplier and access map, 90-day plan, 12-month roadmap, board pack.


Book a 15-minute fit call

Minimal disruption. Evidence led. UK based delivery.



Choose your sector



Legal and Professional Services



Logistics and Distribution



The uncomfortable truth



If you cannot clearly answer “who has access to what, and why”, your business is exposed.


Most organisations do not fail because they lack technology. They fail because control has drifted: too many suppliers, shared credentials, unclear ownership, and “assumed” resilience.


This Risk Review is designed to restore control quickly and give leadership a plan that can be executed.



This is for you if any of this is true



  • You have multiple suppliers and no single accountable owner.

  • Vendor-held admin access exists and you are not confident you could remove it quickly.

  • Costs are rising, but you cannot tie spend to outcomes and priorities.

  • Backup and recovery has not been proven with realistic restore tests.

  • Projects slip because IT priorities are not aligned to business priorities.

  • You have an IT Manager, but no senior IT leadership shaping governance and delivery.



What this Risk Review is



A 10-working-day, executive-level review of IT control and risk.


It is designed to be:

  • Evidence led: findings are backed by artefacts and validation, not opinions.

  • Decision grade: written for leadership, not for engineers.

  • Actionable: delivered as a sequenced plan with owners and next steps.

This is not a generic “IT health check”. It is a control and risk reset.



What you get



  1. Executive Summary
    Top risks, quick wins, and the decisions leadership must make.

  2. Prioritised Risk Register
    Likelihood, impact, current controls, recommended controls, owner, and due date.

  3. Supplier and Access Control Map
    A plain English picture of who can access what, where the keys sit, and where dependency risk exists.

  4. 90-Day Stabilisation Plan
    Sequenced actions, dependencies, effort level, and expected risk reduction.

  5. 12-Month Roadmap
    Strategic initiatives, governance upgrades, and budget bands aligned to business priorities.

  6. Board Pack
    Ready to present to the board, investors, or audit committee.

Optional: a short alignment briefing for your IT Manager and key suppliers to set expectations and responsibilities.




What I review



I focus on the areas that cause real world failure and reputational risk:

  • Governance and ownership: decision rights, accountability, operating cadence

  • Supplier control: contract clarity, admin access, key person and exit risk

  • Identity and access: MFA, privileged access, joiner/mover/leaver discipline

  • Endpoint and patching: coverage, EDR posture, baseline configuration

  • Backup and recovery: RPO/RTO reality, restore testing, ransomware resilience

  • Cloud and infrastructure posture: visibility, logging, segmentation basics

  • Incident readiness: monitoring, response plan, communications path

  • Data protection basics: where sensitive data lives, access, retention

This is a review of control and risk, not a deep technical rebuild, and not a full penetration test or vulnerability scanning programme.



What this is not



  • Not a penetration test, red team, or vulnerability scanning programme

  • Not a compliance certification exercise (ISO, Cyber Essentials)

  • Not a months-long consulting engagement

  • Not a blame exercise against your IT team

If you need those, fine. This comes first, because it tells you what matters and what order to do it in.



Proven outcomes



“I’m brought in when operations are suffering and IT needs control, fast.” - Rob Smith

  • Delivered a 10% annual cost reduction: £300k to £340k savings on a £3m IT budget within 12 months.

  • Stabilised a failing live £6m ERP where poor adoption created undeliverable stock backlogs, working across departments and the delivery partner to restore operations and clear backlog within 12 months.

  • Retained 5 at-risk engineers (including the most senior, business-critical engineer) who were working their notice, preventing capability loss and stabilising operations.



How it works



Day 1: Kick off (90 minutes). Confirm goals, scope, stakeholders, and success criteria. Issue data request.

Days 2 to 4: Discovery and interviews. CEO/COO, Finance, IT Manager, and key suppliers. Review core artefacts and access model.

Days 5 to 7: Evidence validation and risk scoring. Sample-based checks to validate reality. Identify control gaps and dependency risks.

Day 8: Findings workshop (60 to 90 minutes). Review risks, agree priorities, and confirm trade-offs.

Day 9: Report and plan finalisation. Draft deliverables and confirm owners, sequencing, and expected impact.

Day 10: Executive readout and board pack delivery. Clear recommendations, decision points, and next steps.


Minimal disruption. Most work is done with targeted interviews and evidence review.



What “success” looks like after 10 days



  • Leadership can confidently explain the top risks and why they matter

  • Admin access and supplier dependency risks are visible and controllable

  • A realistic 90-day plan exists with owners and sequencing

  • IT priorities are aligned to business priorities

  • You have a board-ready narrative, not a technical document



Investment



Investment: £15,000 + VAT (fixed fee)

Includes all deliverables listed. If scope expands, it becomes a separate engagement.



Typical next steps



Pick one:

  1. 90-Day Stabilisation Delivery: I run the plan to reduce risk fast

  2. Project Rescue: If a programme is red, I take control and deliver

  3. Ongoing Fractional IT Leadership: Governance, priorities, supplier management

You are not signing up for a retainer to “see how it goes”. You are buying a defined outcome.

Delivery engagements are scoped and fixed fee.



FAQs



How much time will this take from my team?

Light touch. A handful of structured interviews and targeted evidence requests. No weeks of workshops.


Will this disrupt operations?

No. This is designed to be delivered alongside normal operations.


Do you work with our existing MSP and suppliers?

Yes. The point is to restore accountability and control, not create politics.


Will you provide a fixed fee?

Yes. Fixed scope, fixed timeline, fixed fee. If scope expands, it becomes a separate piece of work.


Is this confidential?

Yes. This is leadership work. Discretion is standard.



Ready to regain control in 10 working days?



Book a 15-minute fit call. If you are not a fit, I will tell you quickly.



No obligation. Clear next steps within 24 hours of the call.



©2023 theITConsultant Limited - Company Number: 15093310

Privacy Policy | T&Cs | 01425 529 224