Three tiers, one operating discipline.

Tier 1

IT Management

For portcos that already have IT in place but need senior oversight on top. We take responsibility for IT being run properly without taking over delivery. The MSP, internal IT team, reseller and other suppliers stay where they are. We sit above them.

What gets done each month

• Health check across infrastructure, identity, endpoints and core applications
• Patch and update status reviewed against policy
• Backup runs verified, with a recovery test scheduled at least quarterly
• Joiner, leaver and mover activity audited for hygiene
• Licence usage compared against entitlement
• Open tickets and incidents reviewed with internal IT or the MSP
• Risk log updated with any new exposures
• Renewal calendar checked for the next 90 days

What the monthly report covers

The CFO receives a written report each month. Same shape every month, so trends are visible.

• Headline status against the prior month
• Open risks with owner and target date
• Supplier performance against SLA
• IT spend against budget
• Any item the board should know

Four pages, never more. Written for the CFO, not for IT.

What supplier oversight looks like in practice

Most portcos run IT through a mix of suppliers. An MSP for day to day support, a reseller for licences, a connectivity provider, and one or two specialist tools.

We sit between the portco and those suppliers. We attend supplier review meetings on the portco's behalf. We track SLA performance. We validate invoices against the contracted scope. We hold suppliers to their renewal commitments.

When a supplier underperforms, we escalate. The CFO does not have to chase.

What "security baseline" means here

Operational security hygiene. Not penetration testing. Not red teaming.

• MFA coverage across user accounts
• Privileged and admin account inventory
• Endpoint protection coverage and alert posture
• Backup verification and tested recovery
• Patch compliance against policy
• Conditional access configuration
• Joiner, leaver and mover discipline

If a control slips, it shows up in the next report with an owner and a target date. Baseline drift does not accumulate quietly.

What licence optimisation actually involves

Most portcos overspend on licences. The pattern is consistent. Dormant accounts still licensed. The wrong tier purchased for the actual usage. Overlap between tools that do similar things.

• Licences assigned to inactive users
• Tier mix against actual usage
• Duplicate tooling across functions
• Unused seats on annual contracts
• Upcoming renewals where rightsizing is possible

Recommendations are presented at renewal points. The portco decides. We do not move licences without authorisation.

What contract review covers

We hold a register of every IT and software contract the portco is bound by. For each contract we track:

• Renewal date
• Auto renewal clauses
• Termination notice period
• Price escalation terms
• Scope and any deviation from it
• Exit and data return obligations

Exit obligations matter at sale. Missed termination windows and unclear data return terms create friction in due diligence. We surface them long before the diligence room opens.

Tier 3

IT Build-Out

For portcos where IT needs to be stood up, replaced, separated or rebuilt. Time bound. Scoped. Delivered with a clear handover.

What triggers a Tier 3 engagement

• Carve out from a parent group, with a TSA running down
• Post acquisition integration into a target operating model
• Replacement of legacy infrastructure at end of life or no longer supportable
• Standing up IT for a newco
• Recovery of a stalled or failed prior programme
• Regulatory change forcing a structural shift in how IT operates

The trigger is usually visible to the deal partner before it is visible to internal IT. By the time it reaches IT, the timeline is already compressed.

What a typical project scope looks like

Scope is set at the start, in writing, with the sponsor. A scope might cover:

• M365 tenant stand up or migration
• Identity platform implementation
• Endpoint management deployment
• Network refresh
• Security baseline implementation
• Backup and recovery platform
• Supplier transition from a parent or an incumbent
• Office relocation IT scope
• TSA exit programme

We do not take on undefined scope. Where the work is exploratory, we run a short discovery first and then scope the build.

What gets built before TechSteady hands over

Handover is concrete. Before we leave, the following are in place:

• Architecture documented and signed off
• Operational runbooks for routine activity
• Supplier contracts signed and in force
• Identity, endpoint, network and security configurations at the agreed baseline
• Backup verified and recovery tested
• Joiner, leaver and mover process documented and rehearsed
• Risk register populated with named owners
• Internal IT or the MSP demonstrably running BAU

Handover is not a document drop. It is an operational acceptance.

How long a typical engagement runs

Most Tier 3 engagements run between three and six months. Complex carve outs can run to nine. We give a clear estimate at the start, with the assumptions named. If something material changes, we say so and revise the estimate. We do not let an engagement drift.

What "exit criteria" means

Tier 3 ends when defined criteria are met, not when the budget runs out.

• Sponsor sign off on each contracted deliverable
• Documentation handed over and validated by the receiving team
• Internal IT or the MSP running BAU for at least 30 consecutive days
• Open risks logged with named owners and review dates
• Any handover to Tier 1 or Tier 2 agreed in writing

If the criteria are not met, we do not exit. If they are met, we do.