A Pre-Mortem Checklist for Senior Managers

The recent AWS outage reminded many organisations that resilience is not just about recovering from disruption; it is about being ready before it happens. A practical way to test readiness is to run a “pre-mortem”: instead of asking “what went wrong?”, ask “what would break if it happened to us tomorrow?”

This is not a technical audit. It is a leadership exercise. It is designed for CISOs, COOs, CTOs and senior managers who need to translate cloud dependency and operational risk into business decisions, not engineering detail.

Below is a structured set of questions, each followed by the business meaning behind it, that organisations should be able to answer with confidence:

1. Which critical services would stop immediately if our primary cloud region or provider failed?

This is the starting point. Not every system needs to survive an outage, but every organisation should know which services are mission-critical: trading, payments, client communications, internal collaboration. If the answer is unclear, resilience planning has not truly begun.

2. Do we have a secondary region or provider — and has it been tested?

Redundancy only works if it exists and functions under pressure. Many firms assume data backups or mirrored environments will work when needed, but if they have never failed over in real time, it remains theoretical. A secondary region or provider does not need to be identical — it needs to be functional.

3. How quickly do we detect provider-level failures — do we rely on dashboards or customer complaints?

Speed of awareness defines speed of response. If employees or clients notice the issue before internal monitoring, the business has already lost time and trust. Senior leaders should know how long detection takes and whether alerts are automated, standardised and owned.

4. What would be the financial and operational impact of a four-, eight- or twelve-hour outage?

This is where resilience becomes commercial. If the impact is not quantified — lost revenue, delayed settlements, manual workarounds, client churn — then investment in resilience cannot be prioritised or justified.

5. Are cloud outages explicitly reflected in our business continuity and disaster recovery plans?

Many continuity plans still focus on local data centre failures or cyber breaches. Cloud dependency introduces a different kind of risk — where infrastructure outside your control becomes unavailable. Plans must reflect that difference, clearly and practically.

6. When was the last time we tested failover or recovery at scale?

Business continuity is a capability, not a document. The organisations that respond best are not the ones with the largest plans — but the ones that have rehearsed those plans. Tabletop exercises, simulated outages and failover drills expose gaps long before they become headlines.

7. Are contracts and SLAs with cloud and SaaS providers fit for purpose?

SLAs do not prevent outages, but they determine visibility, accountability and response. Senior managers should know the following: what uptime is contractually guaranteed, what support is available during an incident and whether exit or multi-cloud options are viable.

8. Do we have prepared communication plans for clients, regulators and employees?

Reputation is often affected more by silence than by failure. Clear, honest and timely communication reassures stakeholders that an incident is being managed. Messaging should not be written during a crisis — it should be drafted, approved and ready.

9. Are incident lessons captured, acted upon and reported to senior leadership or the board?

Every outage — internal or external — should lead to a documented review with actions, deadlines and owners. If no improvements follow an incident, resilience remains static, and exposure accumulates.

10. Has the board been briefed on cloud concentration risk and our mitigation plans?

Resilience is now a governance issue. Regulators increasingly expect boards to understand technology concentration risk and the organisation’s ability to recover from disruption. Briefing the board is not about sharing technical detail — it is about demonstrating awareness, ownership and a plan.

In summary

Pre-mortems are not about predicting failure. They are about building confidence — in systems, in teams and in leadership. If these questions can be answered clearly and calmly, organisations are not just ready to respond to disruption; they are ready to continue serving clients, protecting value and maintaining trust when it matters most.

A pre-mortem is not an exercise in predicting disaster or fostering anxiety. It is a disciplined way of building confidence before that confidence is tested. When leaders ask these questions, and insist on clear, evidence-based answers, they are not expressing doubt in their teams but demonstrating responsibility for the organisation’s resilience.

The goal is not to eliminate all risk, which is impossible, but to ensure that if disruption comes, the business can remain calm, continue to operate and communicate clearly with clients, regulators and employees.

True resilience is quiet, often unnoticed, and built long before it is needed. By treating these questions not as a compliance exercise but as an ongoing leadership practice, organisations move from a posture of fear to one of preparedness and assurance. In that shift lies the real value of a pre-mortem: it turns uncertainty into something that can be understood, planned for and managed with confidence.

Executives must focus on integration, address challenges head-on and measure maturity with discipline. By doing so, they can build organisations where AI enhances human expertise, strengthens trust and delivers lasting resilience.

The firms that are likely to optimise the value from AI will be those that treat it as a strategic partner in their long-term security journey.

ToraGuard runs structured workshops for senior leadership teams, mapping technology dependency against business exposure and producing a board-ready action plan. If you want an external, evidence-led view of where your resilience stands today — and what would fail tomorrow — start the conversation:

Get in touch