aa
IT Governance

IT governance
for small business.

Most UK SMEs have IT support. Almost none have IT governance. The gap between your board and your IT supplier is where risk and wasted money hide.

IT governance is not a technical problem. It is a management responsibility — and in most SMEs, nobody owns it.

What IT governance actually means for a business your size

IT governance is not ITIL. It is not a 200-page framework. It is not something your IT support company does.

For a business with 10 to 150 employees, IT governance means having clear answers to three practical questions: who makes IT decisions, who checks that those decisions are right, and who holds your IT supplier to account when they are not.

In most SMEs, nobody has a good answer to any of these. The MD makes IT decisions based on what the IT company recommends. Nobody checks. And nobody challenges.

That is not a technology gap. That is a governance gap — and it costs money and creates risk every day it goes unfilled.

What IT governance covers

  • Who is accountable for IT decisions at board level
  • Whether your IT supplier is giving you honest advice
  • Whether your IT spend is delivering real value
  • Whether your security posture matches your actual risk
  • Whether you have the policies your business actually needs

What happens without it

The absence of IT governance does not look like a crisis. It looks like a slow drain.

IT spend keeps rising but nobody can say exactly what you're getting for it.

Your IT company recommends expensive changes and you have no way to verify if they're right.

A cyber incident happens and it is unclear whose job it is to respond.

A client or insurer asks about your security and nobody in the business has a confident answer.

Technology decisions get made in isolation, with no connection to where the business is going.

Licences auto-renew, contracts quietly continue, and costs compound with nobody reviewing them.

None of these are IT problems. They are governance problems — and they have governance solutions.

Who is responsible for IT governance in an SME?

In a large organisation, the IT Director or CIO owns this. They sit on the board, hold the suppliers to account, and make sure technology decisions serve the business — not the other way around.

In most SMEs, the responsibility falls between the MD (who doesn't want to get into the technical detail) and the IT support company (who has a financial interest in the outcome). Neither can fill the governance role properly.

The MD cannot independently verify whether their IT company is giving them good advice. The IT company cannot objectively review their own work.

What is missing is someone whose only job is to look out for the business — not the supplier.

What good IT governance looks like for an SME

  • A clear point of accountability at board or leadership level
  • Annual review of supplier value, performance, and cost
  • Written IT policies your team actually knows about
  • A security baseline your business can evidence when asked
  • Someone who can challenge IT advice independently — before you commit to it

What it is not

  • A 200-page framework document
  • Something your IT company manages on your behalf
  • A one-off audit that sits in a drawer

Where to start

Start with a Risk and Clarity Session.

In 60 to 90 minutes, we map your current governance position — where the accountability gaps are, where money is leaving without oversight, and what to put in place first. No preparation needed. No report at the end. Just a clear picture and a practical next step.

Your IT governance gaps mapped and ranked

Supplier accountability reviewed honestly

Security posture assessed against your actual risk

One or two practical actions you can take straight away

A clear view of whether ongoing advisory makes sense for your business

IT leadership

Need an IT Director in your corner?

Ongoing fractional IT leadership — strategic oversight, supplier management, and governance without a full-time hire.

IT Director

Cyber security

Need to own cyber risk at board level?

Cyber Essentials, ISO 27001, and board-level cyber governance. Independent, with no vendor agenda.

Virtual CISO

Second opinion

Not sure if you're getting honest IT advice?

A single independent session to review what you've been told — before you commit to it.

IT Second Opinion

Governance starts with a conversation.

Tell me what you're dealing with. I'll tell you where the governance gaps are and what to do about them.

No jargon. No framework documents. Just clarity.

Or see the full advisory approach