End of month is when IT debt becomes visible. The certificate that expires on a Saturday. The auditor’s request for a network diagram nobody drew. The leaver who took the WiFi password with them. The work isn’t dramatic, but the bill always lands somewhere.
What we mean by IT debt
The phrase is borrowed from finance for a reason. IT debt is the bill that arrives whenever the gap between what an estate runs and what it has documented has to be paid. It isn’t theoretical, and it isn’t framed as such on the day it lands. It looks like a sales team locked out of their CRM at 09:00 on a Monday because the SSL certificate expired over the weekend and the renewal reminder went to an inbox that was decommissioned eighteen months ago.
I have seen this play out across a dozen SMEs over the last several years. The shape is always the same. Work that could have been done in a planned half-day three months earlier instead consumes two weeks of crisis time, a vendor call-out fee, and a fair amount of standing in the corridor explaining what happened to people who don’t care about the explanation, only the disruption.
The scorecard at the end of this post breaks IT debt into four categories. They map to where the work tends to build up. Most SMEs we work with score badly in one category and then somewhere between adequate and bad in the others; the categories feed each other.
Staffing and time debt
One person knows where everything lives. The MFA seeds for the firewall, the recovery codes for the M365 tenant, the supplier account for the printer fleet. They are good at their job, they hold a great deal in their head, and the firm has been steadily growing for years on the assumption that the situation is stable. The assumption holds until they take a new job, get ill, or retire. The day the IT lead hands in their notice is the day the firm discovers it was running on tribal knowledge rather than documentation.
In one estate I supported, rotating an AD admin password after the office manager left took six weeks of vendor calls because the rotation procedure was a sequence of steps she carried in her head. The handover document existed; it described the wrong systems.
Time debt sits next to staffing debt. If the IT person is spending more than half their week firefighting, the debt is compounding while you read this. Firefighting time is what would otherwise have gone to the runbook, the certificate inventory, the quarterly review of admin accounts. Each hour of crisis time is two hours of debt that didn’t get paid down.
Renewals and cycles debt
Certificates, licences, cyber-insurance, Cyber Essentials Plus, hardware refresh cycles. Each carries a date the business often doesn’t know yet. The renewal reminder doesn’t go missing because somebody is careless; it goes missing because the renewal email lands in a personal inbox of someone who left two roles ago, or in a shared mailbox that no one has owned since the procurement team restructured.
Cyber-insurance is where renewals debt becomes visible to the board, because the questionnaire arrives with thirty-eight questions about MFA, backup testing, patch cadence, admin account inventories, and supply chain controls. Half of those questions ask for documentation that doesn’t exist. The questionnaire deadline is three weeks. The work to actually answer them with evidence is closer to three months. The shortcut everyone is tempted by, ticking what you wish were true, is exactly what voids the policy at claim time.
Hardware cycles drift in a related way. A laptop refresh that was approved in the 2024 budget gets pushed twice, and the helpdesk starts seeing the same five machines come back every fortnight with the same intermittent fault. The refresh would have cost twenty-five thousand pounds once; the deferrals cost eight thousand a year in lost hours, then the twenty-five thousand anyway, two years later.
Asset-management debt
What devices do you own. What cloud services do you pay for. What rooms do which switches feed. None of those are exotic questions, and yet most SMEs we audit cannot answer all three in writing.
The shape this debt takes is auditors and insurers asking for a register and getting either a spreadsheet that was last edited in 2022 or, more commonly, a long pause followed by a polite request to come back next quarter. It isn’t the absence of the register that costs the firm; it’s the four weeks of someone’s time that gets eaten reconstructing it under deadline pressure.
Account hygiene sits in the same family: leavers should be off the systems by close of business on their final day. In practice, ex-staff still have inbox access six months later because the offboarding procedure is a conversation rather than a checklist. The risk is obvious; the work to fix it is a quarterly review of a small spreadsheet and an hour of disabling accounts. Most teams agree it should happen, and most teams don’t have it on a calendar.
Documentation and resilience debt
The most expensive of the four, because it only becomes visible when something has already gone wrong.
Runbooks for disaster recovery, password recovery, backup restores. If those documents exist at all, they often live on the IT lead’s laptop rather than in a shared location, and they describe the system the firm had three years ago. Backup restores that have never been tested aren’t actually backups. They look like backups, on paper, until the first time you try to run one against a real outage.
MFA on admin accounts is the canary, because user accounts almost always have it enabled by now. Admin accounts often don’t, on the grounds that admins are technical enough not to need it. Admin accounts are also the ones that, when compromised, cost the firm the entire estate. The fix is fifteen minutes per account and a calendar entry to review quarterly. The debt is the months it takes to schedule that fifteen minutes.
Why these compound
The four categories aren’t independent. Staffing debt makes renewals debt worse, because the one person who tracks the dates is also the one whose successor isn’t named. Asset debt makes documentation debt worse, because you cannot write a runbook for a system you cannot list. A firm that scores cleanly on one category and badly on the others is rare; in our experience, the score is consistent across all four or it isn’t.
That’s why the scorecard treats the four categories as one diagnostic. The total tells you how much debt the estate is carrying. The breakdown tells you which corner is bleeding fastest.
The scorecard
Twenty questions in four categories of five. Five minutes. Each answer scores 0, 1, 2 or 3 points, so the total runs from 0 to 60. A band score and a short list of next actions follow.
Download the IT Debt Self-Scorecard.
If you’d prefer the visual version of the same diagnostic, the IT Debt Spiral infographic maps the same four categories as a single page showing how each kind of debt feeds the next.
The scorecard is for whoever owns the consequences. If you’re the IT person, you already know most of the answers and the scorecard tells you which case to make to the budget holder. If you’re the ops director or the CEO and IT has been somebody else’s problem until the auditor asks for the network diagram, the scorecard gives you a structured way to find out where the firm actually stands without having to sit through a vendor pitch first.
What to do with the score
Higher totals mean more basics in place. The scorecard maps to three bands.
Forty-one to 60 is the healthy band. The basics are covered: a named IT lead, a renewal calendar, someone who could pick up the phone if the lead were away. The few questions where you scored low are the punch-list, and they are the cheap wins. Re-run the scorecard quarterly. The work is keeping the score where it is rather than letting it slide back over twelve months.
Twenty-one to 40 is the carrying-debt band, where most of the SMEs we audit actually land. The system is running but it depends on a small number of people remembering things. A leaver, a missed renewal, or a failed restore would hurt. Build one master spreadsheet of devices, licences, and renewal dates this month. Document the top three runbooks. Identify a second pair of hands, internal or external. Run a backup-restore test in the next 90 days with someone other than the IT lead present.
Zero to 20 is the at-risk band. Critical knowledge sits with one person, renewals arrive unannounced, and there is no documented recovery path. A single resignation or a single audit could become a crisis. The priority is removing single points of failure rather than optimising anything else. Stop adding systems, write down what you have, and bring in external help for a four-week handover audit if the IT lead might leave.
In each band, the scorecard PDF lists the next three or four actions to take. Bring the result to whoever owns the budget. The list is harder to argue with than the conversation.
If you ran the scorecard and the result was uncomfortable, that’s our Consulting Services practice. We’ll walk the estate with you, prioritise the worst categories, and either do the documentation work or sit alongside whoever does. Drop us a note at info@jmopartners.co.uk and we’ll start the conversation.
JMO|Partners · Enterprise IT, sized for SMEs.