
10-Working-Day IT Risk Review
for Law Firms and Professional Services



Client confidentiality and operational continuity depend on control. In 10 working days I identify where access, suppliers, and resilience are exposing the firm, then deliver a board-ready 90-day stabilisation plan.

Deliverables in 10 days: risk register, access and supplier control map, 90-day plan, 12-month roadmap, board pack.


Book a 15-minute fit call

Evidence-led. Minimal disruption. Designed for leadership decisions.



If any of this feels familiar, you are already exposed



  • You cannot confidently answer “who has access to what, and why”.

  • Leavers and contractor access are not consistently controlled.

  • Shared admin access exists somewhere, even if nobody admits it.

  • Your MSP or specialist supplier holds keys you cannot easily revoke.

  • Cyber insurance and client questionnaires are becoming harder to answer.

  • Backup and recovery is assumed, not proven with realistic restore tests.



What this Risk Review does



This is an executive control and risk reset, not a generic IT report.


In 10 working days I:

  • map access and supplier control reality

  • validate resilience and recoverability

  • prioritise risks by business impact

  • deliver a sequenced plan that partners and leadership can execute



What you get



  • Executive Summary
    Top risks, quick wins, and the decisions leadership must make.

  • Prioritised Risk Register
    Likelihood, impact, current controls, recommended controls, owner, and due date.

  • Supplier and Access Control Map
    A plain English picture of who can access what, where the keys sit, and where dependency risk exists.

  • 90-Day Stabilisation Plan
    Sequenced actions, dependencies, effort level, and expected risk reduction.

  • 12-Month Roadmap
    Strategic initiatives, governance upgrades, and budget bands aligned to business priorities.

  • Board Pack
    Ready to present to the board, investors, or audit committee.



Scope



I focus on the issues that typically hurt firms the most:

  • Governance and ownership (decision rights, accountability, operating cadence)

  • Identity and access (MFA coverage, privileged access, joiner/mover/leaver discipline)

  • Supplier control (vendor-held admin access, exit risk, key person dependency)

  • Endpoint posture (device control, patching discipline, EDR coverage)

  • Backup and recovery (restore testing, ransomware resilience, realistic RTO/RPO)

  • Monitoring and incident readiness (logging, alerting, response plan, escalation)

  • Data protection basics (where sensitive data lives, access, retention)



What this is not



  • Not a penetration test or red team exercise

  • Not a compliance certification project

  • Not a months-long consulting engagement

  • Not a blame exercise against your IT team

This comes first because it tells you what matters and what order to fix it in.




Proven outcomes



“I’m brought in when operations are suffering and IT needs control, fast.” - Rob Smith

  • Delivered a 10% annual cost reduction: £300k to £340k savings on a £3m IT budget within 12 months.

  • Stabilised a failing live £6m ERP where poor adoption created undeliverable stock backlogs, working across departments and the delivery partner to restore operations and clear backlog within 12 months.

  • Retained 5 at-risk engineers (including the most senior, business-critical engineer) who were working their notice, preventing capability loss and stabilising operations.



How it works



Day 1: Kick-off (90 minutes) and evidence request

Days 2 to 4: Interviews and artefact review (COO/Partner lead, Finance, IT lead, key suppliers)

Days 5 to 7: Validation, risk scoring, dependency mapping

Day 8: Findings workshop, priorities and trade-offs agreed

Day 9: Deliverables drafted and owners locked

Day 10: Executive readout and board pack delivered



Investment



Investment: £15,000 + VAT

Fixed scope, fixed timeline, board-ready outputs. If scope expands, it becomes a separate engagement.



FAQs



Will this disrupt the firm?

No. Interviews and evidence review are scheduled to minimise disruption.


Do you work with our MSP and suppliers?

Yes. Supplier control is part of the problem, so suppliers are part of the process.


What do you need from us?

Access to key stakeholders for short interviews, supplier list, and evidence access by read-only view or screen share.


What happens after Day 10?

You can execute internally, via your MSP, or engage us for 90-day stabilisation delivery.



Ready to regain control in 10 working days?



Book a 15-minute fit call. If you are not a fit, we will tell you quickly.



No obligation. Clear next steps within 24 hours of the call.






©2023 theITConsultant Limited - Company Number: 15093310

Privacy Policy | T&Cs | 01425 529 224