Executive summary
Most boards do not need a deeper technology background; they need a tighter governance framework. This guide structures the conversations a board should be having quarterly, who should bring the data, and what good answers look like.
Service performance, what to measure
- SLA compliance trend (not just current quarter)
- Incident volume and categorisation
- Mean time to resolution by priority
- Change-management discipline (planned vs unplanned)
- User-impact reporting (lost productive hours)
Security and compliance, what to verify
- Current certifications with audit-trail evidence (ISO 27001, SOC 2)
- Privileged access review cadence and last execution
- Backup restoration drill outcome (not just backup completion)
- Identity hygiene metrics (dormant accounts, MFA coverage)
- Incident response readiness (when was the last tabletop exercise, and what did it change?)
Vendor and concentration risk
- What percentage of operational risk sits with a single provider?
- What is the documented exit plan for the top 3 vendors?
- Are credentials and tenant ownership held by the customer, not the MSP?
- Is renewal negotiation calendarised 6+ months ahead, not reactive?