
Marc H.
Too Long; Didn't Read
Most IT risks are not technical problems, but blind spots in executive management.

You run a company with 50 or more employees. Your last serious look at IT was... when exactly?
Not a look at the invoice. You do that regularly. We mean a real look: What is actually going on? What does it really cost? Where are the risks you don’t see?
If you’re thinking about it right now: this is the answer.
Why IT assessments are a management priority
Every year, we conduct dozens of initial consultations with managing directors of Swiss SMEs. The IT department usually has everything "under control". At least according to the status report. And then comes the moment when we ask three simple questions—and suddenly, it gets quiet.
Not because anyone is hiding something. But because certain questions are simply never asked.
According to industry studies, only around 35% of SMEs have a documented IT strategy. That means: two out of three companies are steering one of their biggest cost blocks blind.
The consequences are predictable:
IT costs grow faster than revenue without anyone being able to explain why
Security gaps remain undetected until something happens
Compliance requirements such as NIS2 or ISO 27001 are ignored until an auditor is at the door
The problem is not technical. It is organizational. IT is delegated instead of led. And that is exactly where we come in.
The 30-minute IT assessment: Five questions
From hundreds of initial consultations, we developed a format that uncovers the most important blind spots in 30 minutes. No PowerPoint presentation, no 200-page report. Five strategic questions every managing director should be able to answer.
Try it out. Grab a coffee and take 30 minutes. Honest answers count.
Question 1: What does your IT really cost?
Not the monthly bill. The total cost.
On average, Swiss companies spend 5–8% of their revenue on IT. For an SME with CHF 20 million in revenue, that is CHF 1–1.6 million per year. That’s a lot of money. And most managing directors only know the visible part: licenses, hardware, maybe cloud costs. The rest—shadow IT, hidden maintenance contracts, unused licenses, internal personnel costs for IT tasks—remains in the dark.
Here is an example we see all the time: A company pays for 100 Microsoft 365 licenses, but only 40 are actively used. The remaining 60 still cost money. Or: three different departments independently purchased CRM tools. No one knows about the others. (We described this in detail in our article on license costs and usage.)
We have regularly found savings potential of 30–45% for clients. Not because anyone was wasteful. But because no one was looking.
Can you say within two minutes what your IT costs per employee per month? If not, this is your first blind spot.
Question 2: What happens if everything fails tomorrow?
Ransomware. Server outage. Cloud outage. Update error. The cause is almost irrelevant. What matters is: how quickly are you back online?
More than 60% of SMEs do not have tested business continuity plans. Having a plan is one thing. Having tested it is another. (We wrote in detail about why business continuity plans fail in emergencies.)
Ask your IT manager: When was the last full recovery test? How long did it take? What didn’t work?
If the answer remains vague, you know enough.
Question 3: What are your three biggest IT risks right now?
Not the technical ones. The business ones.
43% of cyberattacks target small and medium-sized businesses. And according to IBM, the average cost of a data breach is over EUR 100,000 for SMEs. But the risk is not just cyber.

It is also about:
Dependency on a single IT service provider without an exit strategy
Key knowledge that exists in only one person’s head (what happens if your IT manager resigns?)
Legacy systems that no one can maintain anymore, but everyone uses
If, as a managing director, you cannot name the top 3 risks, you lack the basis for every IT investment decision. We describe the five typical warning signs in a separate article. Most of them can be recognized without technical knowledge.
Question 4: Does your IT support business growth—or slow it down?
This is where it gets strategic. Most IT landscapes grow organically. New software here, a plugin there, a cloud service because a colleague recommended it. After ten years, the result is: isolated solutions, duplicated data, integration chaos.
The question is not: does all of this work? (It usually does—somehow.)
The question is: can your IT keep up if you want to grow by 20% next year? Open a new location? Integrate an acquisition target?
We regularly see companies fail because of their IT, not because of their business model. The new location cannot be connected because the VPN infrastructure is at its limit. The acquisition is delayed because no one knows how to merge two Active Directories. The ERP cannot be scaled because it is running on a version that has not received updates for three years.
70% of IT projects in mid-sized companies miss their goals in terms of time, budget, or quality. That is rarely due to the technology. It is due to missing strategy and insufficient groundwork. (Related reading: How to make IT decisions that don’t end in disaster.)
Question 5: Are you getting the right information?
The last question is the most important—and the most uncomfortable.
Your IT manager reports to you regularly. But are you getting the information you need as a managing director? Or are you getting a technical status report you can’t do anything with?
Typical: You receive an email with "99.9% uptime last month" and "47 tickets closed." Nice. But what does that mean for your business? Nothing. That is like a financial report showing only the number of postings, but not the account balance.
Useful IT reporting for management has exactly three dimensions:
Costs: What are we spending, on what, and is it appropriate?
Risks: What are our biggest exposures, and how are we addressing them?
Value: What measurable business value does IT deliver?
If your IT reporting does not answer these three questions, you are getting the wrong information. And without the right information, you make the wrong decisions.
What your result means
Take a moment. How did you do?
Answered all five questions clearly? Congratulations! You’re in a minority. Most managing directors can answer two or three of them. All five? Rare.
Two or more questions were unclear? That is not failure. That is normal. But it is a signal that your IT has a leadership vacuum—and that costs you money, time, and security.
Every unanswered question is a risk you are currently not managing.
What we find in every IT audit
We want to be honest: We do not run this assessment because it is nice. We run it because it works.
What we almost always find: license costs for software nobody uses. Backup strategies that were never tested. IT service provider contracts without exit clauses. And managing directors asking the right questions for the first time.
We have documented the typical findings in detail. Almost every SME recognizes itself.
The honest question
You now have five questions. 30 minutes. No consultant needed, no budget, no project.
But here is the real question: Will you ask them?
Not next month. Not at the next strategy offsite. This week.
The answers will be uncomfortable. But they will show you where your greatest need for action lies—before someone else does.
(And if after those 30 minutes you need someone to sort through the answers with you: that is exactly what we are here for. Vendor-neutral, pragmatic, and backed by experience from 50+ projects with Swiss companies.)


