Writing a Business Case That a CFO Will Read
Most business cases for managed IT services fail before they're presented because they're framed around IT, not finance. They lead with uptime statistics and response times and security features that a CFO or board member has no reference point for. The result is a conversation about whether IT deserves more budget, which is a conversation you'll lose.
The business case that works is framed around total cost of ownership, risk exposure, and predictability. Those are financial concepts that every CFO understands. The goal is to show that the current model – whether that's internal IT staff, break-fix contractors, or no IT support structure at all – costs more than it appears to when all costs are counted, carries more risk than appears on the balance sheet, and produces less certainty than the business needs to plan effectively.
This article gives you the structure and the numbers to build that case. The specific figures will vary for your business, but the model holds across most Australian mid-market companies with 20–150 staff.
Total Cost of Ownership: The Internal IT Model
The most common comparison point is a single IT generalist – the person who handles helpdesk, infrastructure management, vendor relationships, and everything else. The question is what that person actually costs versus what they deliver.
For an Australian mid-market company with 50 staff, a competent IT generalist in 2025 earns a base salary of $80,000–110,000. But the all-in cost is significantly higher:
- Base salary: $90,000 (midpoint of market range)
- Superannuation (11.5%): $10,350
- Annual leave loading and payroll tax: approximately $8,000–10,000
- Recruitment cost: $10,000–18,000 per placement, amortised over a two to three year tenure – approximately $5,000–8,000 per year
- Training and certifications: $3,000–6,000 per year to keep skills current
- Tool licences: monitoring, endpoint management, documentation, ticketing – $4,000–8,000 per year
- Hardware and peripherals: $2,000–4,000 per year
Total all-in cost: $122,000–156,000 per year. The commonly cited figure of $180,000–240,000 for a fully loaded IT generalist represents the higher end of this range, factoring in businesses with higher base salaries (senior generalists), higher tool licence costs, and more significant recruitment costs. A conservative midpoint for most 50-person businesses is $130,000–160,000 per year.
Now compare that to a managed IT services contract for the same business. An MSP engagement covering helpdesk, endpoint management, patch management, monitoring, backup and recovery, and security typically runs $60,000–90,000 per year for a 50-person organisation. That's a saving of $40,000–70,000 per year on direct cost alone – before you consider what you're not getting with the internal model.
The Bench Capacity Problem
The direct cost comparison understates the case for managed services because it treats the internal IT person as always available and always capable. Neither is true.
A single IT generalist is one person. When that person is on annual leave – four to five weeks per year – your IT support stops. When they're sick – the average Australian worker takes 9–10 sick days per year – your IT support stops. When they leave – average tenure for IT staff in Australia is two to three years – you have a gap of four to eight weeks while you recruit and onboard a replacement.
Aggregate that: a 50-person business with one IT generalist has roughly 10–12 weeks per year where IT support is materially degraded or absent. Businesses rarely account for this when they calculate the cost of the internal model. But they feel it acutely when the server fails on the Friday before Christmas and their IT person is on leave.
An MSP provides team capacity – multiple engineers, 24/7 monitoring, after-hours coverage, and no single point of failure. When one engineer is sick or on leave, the next available engineer picks up the ticket. The business doesn't experience a service gap.
The parallel capability gap matters too. An IT generalist knows a bit of everything but deeply specialises in none of it. When a business needs expertise in cloud architecture, when a security incident occurs requiring forensic analysis, or when a specific vendor system requires deep configuration knowledge, the generalist either works it out slowly, googles their way through, or refers it to an external consultant at day rates of $150–250/hour. An MSP has specialists in different areas available within the team, which the managed contract cost already covers.
Response Time and SLA Comparisons
The response time comparison is where managed services frequently wins on the metrics that matter to staff and operations, even though it's counterintuitive – people assume an internal person who sits in the office responds faster.
An internal IT person has no formal SLA. There's no documented commitment to respond to a P1 incident within 15 minutes, or to resolve a workstation failure within four hours. Response depends on what they're doing, whether they're at their desk, and whether the issue requires skills or access they don't currently have. In practice, for most SMBs, response to a serious IT incident with an internal generalist is 2–6 hours.
A properly contracted MSP has binding SLA commitments that typically look like:
- P1 (system down, business impact): 15–30 minute response, 4-hour resolution target
- P2 (degraded service, multiple users affected): 1-hour response, 8-hour resolution target
- P3 (single user affected, non-critical): 4-hour response, next business day resolution
Those SLAs are contractually binding and measured. If the MSP misses them consistently, there are remedies in the contract. The internal IT person has no equivalent accountability structure.
For a business case, the SLA comparison translates to a downtime reduction argument. If managed services reduces your average incident resolution time from 4 hours to 2 hours, and you have 8–12 incidents per year, you've recovered 16–24 hours of productive capacity. At 50 staff averaging $60/hour loaded cost, each hour of downtime costs $3,000. That's $48,000–72,000 in annual downtime cost reduction – material in the total cost comparison.
Risk Transfer: What CFOs and Boards Are Actually Worried About
The strongest element of the managed IT services business case for a board audience is risk transfer. The cyber risk conversation has reached board level for most Australian businesses, and for good reason.
The Australian Cyber Security Centre's Annual Cyber Threat Report documents an average self-reported loss of $46,000 per cybercrime report for small businesses, $97,200 for medium businesses, and $71,600 for large businesses. These are self-reported figures and likely understate the true impact when you include recovery costs, productivity loss, and reputational impact. The ACSC receives one report every six minutes from Australian businesses.
Cyber insurance – which most businesses with any meaningful digital asset base should carry – increasingly requires demonstrated security practices as a condition of coverage. Insurers are asking for evidence of: multi-factor authentication enforcement, documented patch management processes, regular backup testing, endpoint detection and response (EDR), and security awareness training. An MSP engagement typically includes or provides the infrastructure for all of these. A business trying to meet these requirements with a single generalist and no formal security framework struggles to produce the documentation insurers require.
The practical risk transfer value works in three directions:
- Insurance eligibility and premium reduction. Businesses with documented managed security practices typically receive better cyber insurance terms. Premium savings of 15–30% on cyber policies are achievable, which for a business with $30,000 in cyber premiums represents $4,500–9,000 per year.
- Compliance documentation. Regulated businesses (healthcare, financial services, government contractors) face increasing documentation requirements. MSPs maintain the audit logs, security reports, and incident records that compliance frameworks require. This reduces the cost of audits and assessments.
- Liability transfer. A well-structured MSP contract includes professional indemnity for the services provided. If an MSP-managed system fails to catch a security incident that falls within their documented scope, they carry liability. That's not a position a single internal IT employee can offer.
Structuring the Business Case: Current State, Risk, and Year 1–3 Comparison
A business case that works for a CFO or board needs three sections: current state costs, risk exposure, and forward comparison. Here's the structure with indicative figures for a 50-person business currently running with one internal IT generalist:
Section 1: Current state costs
- All-in IT staff cost: $140,000/year
- Tool licences (paid separately from MSP): $6,000/year
- Downtime cost (annualised, 10 incidents × 3 hours average × $3,000/hour): $90,000/year
- Break-fix and emergency contractor costs: $15,000/year
- Total current state cost: $251,000/year
Section 2: Risk exposure
- Probability of significant cyber incident in next 3 years: ACSC data supports approximately 1 in 4 for SMBs of this size
- Average SMB cyber incident cost: $97,000 (medium business, ACSC figure)
- Single IT person leaving: 4–8 weeks coverage gap, estimated cost $20,000–35,000 in lost productivity and emergency coverage
- Uninsured downtime risk per major incident: $50,000–150,000
Section 3: Year 1–3 comparison
- MSP contract (comprehensive coverage, 50 users): $75,000/year
- Transition cost (Year 1 only): $8,000–12,000 for onboarding, documentation, and migration
- Projected downtime reduction (50% reduction in incident cost): $45,000/year saving
- Staff cost saving: $65,000/year (MSP vs. internal all-in)
- Net annual saving from Year 2: $110,000/year
- 3-year net saving: approximately $215,000 after transition costs
These are illustrative numbers for a specific profile. Your business case should use your actual costs, not these figures. The structure is the important part – moving the conversation from "what does managed IT cost?" to "what does our current model actually cost, and what are we risking?"
CX Direct can help you build this business case with your actual figures and the right level of specificity for your board or CFO. We also offer a no-obligation assessment of your current IT environment as a starting point. Get in touch to start that conversation.