EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Quarterly Business Review (QBR) Template · v1.0
12 Jul 2026 Governance · Executive · Renewal-readiness

The quarterly governance cadence — agenda, KPIs, roadmap, escalation closure.

Companion to defoneos-mod-30-60-90-customer.html. The QBR is the formal governance artefact between CSOAI and the buyer, held every 90 days from contract signature. It is the contractually-required executive checkpoint (per Schedule 2 of defoneos-mod-contract-award-letter.html). Its primary output is a counter-signed minutes document that becomes the basis for renewal-readiness scoring.

QBRs per contract year
90 dCadence (contractual)
9Standing agenda items
SIGILCounter-signed minutes

1. Why a QBR — not a status update

Status updates look backwards. QBRs look forward. The quarterly cadence forces three things that status updates miss:

  1. Executive visibility — both parties' executive sponsors attend. The QBR is the meeting that the buyer's CIO and CSOAI's CEO can be in the same room (or video).
  2. Roadmap alignment — CSOAI presents the next 90 days of product / advisory / regulatory changes; buyer presents the next 90 days of operational / compliance / policy changes. Mismatches are caught early.
  3. Renewal-readiness signal — the QBR minutes include a renewal-readiness score (computed per defoneos-mod-30-60-90-customer.html §8). The first QBR where that score is < 0.60 triggers the churn-prevention playbook.

2. Standing agenda (9 items, 90 minutes total)

#ItemOwnerDurationOutput
1Roll-call, previous minutes, SIGIL verificationCSOAI CS lead5 minConfirmed minutes from previous QBR
2Operational KPI review (9 KPIs from 30-60-90 plan)Joint (CS lead + buyer ops lead)15 minKPI dashboard with red/amber/green
3Incident review (closed SEV-1/2 from prior quarter)CSOAI engineering + buyer SC officer10 minClosed-incident ledger with post-mortem links
4Security & compliance posture (12-framework crosswalk)CSOAI compliance + buyer compliance10 minUpdated compliance scorecard
5Adoption metrics (operator hours, workloads, certifications)CSOAI CS lead + buyer training lead10 minAdoption scorecard with trend arrows
6Roadmap walkthrough (CSOAI next 90 days)CSOAI product lead10 minSlide deck + committed-feature list
7Buyer 90-day change plan (operational / compliance / policy)Buyer executive sponsor10 minNamed changes with dates
8Open escalations (active SEV-3 / SEV-4)CS lead + AE10 minClosure plan for each escalation
9Renewal-readiness signal + executive closeJoint (CSOAI CEO + buyer executive sponsor)10 minRenewal-readiness score + executive close statement

3. Operational KPI dashboard (9 KPIs)

The same 9 KPIs from the 30-60-90 plan are reported every quarter, with a trend arrow and a red/amber/green status.

KPI familyKPITargetTrend (QoQ)RAG
DeployEnvironment uptime (rolling 90d)≥ 99.95%
DeployPatch lead time (advisory → deployed)≤ 14 d
DeploySIGIL receipt freshness≤ 24h from event
AdoptTrained-operator coverage≥ 80%
AdoptProduction workloads on DEFONEOS+1 per quarter target
AdoptOperator median weekly usage≥ 60%
GovernSEV-1 incidents (closed)0
GovernSEV-2 incidents (resolved within 5 bd)100%
GovernOpen escalations at quarter end0

4. Incident review — the closed-incident ledger

Every SEV-1 and SEV-2 closed in the prior quarter is presented at the QBR. For each incident, the ledger entry contains:

  1. Incident ID (SIGIL-anchored).
  2. Detection time, containment time, resolution time.
  3. Root cause (one-sentence).
  4. Customer impact (workloads affected, duration).
  5. Post-mortem link (PDF co-signed by CSOAI engineering + buyer SC officer).
  6. Process / control improvement committed.
  7. SIGIL receipt of closure.

5. Security & compliance posture — the 12-framework crosswalk

See defoneos-compliance-suite.html for the full crosswalk. The QBR reviews the 12-framework scorecard for any framework that changed status in the prior quarter (e.g. new SOC 2 evidence, NCSC refresh, ISO 27001 surveillance audit).

FrameworkLast auditNext auditStatus
ISO/IEC 27001:2022
SOC 2 Type II
NCSC Cyber Essentials Plus
NCSC Cloud Security Principle 1..14
EU AI Act Article 50 (transparency)
EU AI Act Annex IV (high-risk)
GDPR Art. 22 + 35 (DPIA)
UK DPA 2018
HIPAA Security Rule
FedRAMP Moderate (US public sector)
JSP 440 (UK MOD SECRET)
NATO INFOSEC

6. Adoption scorecard — operator & workload trends

Adoption is measured monthly and presented quarterly. The trend arrow (↑/→/↓) is computed against the previous quarter. The RAG thresholds: green = on or above target, amber = within 20% of target, red = below 80% of target.

MetricQ1Q2Q3Q4Target
Operators trained & certified≥ 80%
Production workloads migrated≥ 4 by EO Q4
Median operator usage (% week)≥ 60%
Help-desk tickets opened≤ 5 per operator per quarter
Help-desk median time-to-resolve (hr)≤ 8 hr

7. Roadmap walkthrough (CSOAI commitments for next 90 days)

CSOAI commits to a 90-day roadmap in writing at each QBR. The roadmap names each committed feature, advisory release, regulatory update, and CS-process improvement, with the planned ship date and the buyer impact.

  1. Committed features — features that will ship to this buyer's tenant within 90 days; no surprises.
  2. Advisory releases — security advisories planned for the 90-day window; CVE IDs pre-disclosed if known.
  3. Regulatory updates — changes driven by UK / EU / US regulatory calendars (e.g. EU AI Act delegated acts).
  4. CS process improvements — onboarding, training, support, escalations — anything in the CSOAI-to-buyer interface.

8. Renewal-readiness scoring at the QBR

The renewal-readiness score (computed per defoneos-mod-30-60-90-customer.html §8) is presented at every QBR. The first QBR where the score drops below 0.60 activates the churn-prevention playbook within 5 business days.

renewal_readiness_score = (0.40 * ROI_documented) + (0.30 * governance_cadence_held) + (0.20 * adoption_trend) + (0.10 * first_sigil_intact) Threshold tiers: >= 0.80 HIGH — multi-year renewal proposal at next QBR 0.60–0.79 MEDIUM — joint value-realisation workshop within 30 days 0.40–0.59 LOW — executive sponsor intervention within 14 days < 0.40 AT RISK — churn-prevention playbook activated

9. QBR minutes — the SIGIL counter-signed artefact

The minutes are the formal artefact of the QBR. They are drafted by CSOAI within 5 business days, reviewed by the buyer within 5 business days, and counter-signed by both executive sponsors. The counter-signed minutes are recorded as a SIGIL receipt.

SectionContent
HeaderDate, attendees, prior minutes confirmation, SIGIL chain reference
KPI dashboard9 KPIs with red/amber/green, trend arrows, narrative on outliers
Incident ledgerAll SEV-1 / SEV-2 closed in prior quarter
Compliance scorecard12-framework crosswalk update
Adoption scorecardOperator coverage, workloads, usage, tickets
Roadmap commitments90-day CSOAI commitments in writing
Buyer 90-day change planNamed buyer changes with dates
Open escalationsEach escalation with closure plan and named owner
Renewal-readiness scoreComputed score + tier classification
Action registerAll named actions with owner, due date, status
Executive closeJoint executive close statement
SIGIL receiptCounter-signature, timestamp, hash

10. What the QBR is NOT

11. Cross-walk to DEFONEOS pack

12. Honesty register

  1. The 99.95% uptime target is the contractual target in Schedule 2; the actual pilot deployments have observed 99.97-99.99% but the contractual commitment is 99.95%.
  2. The 14-day patch lead time is the advisory-to-deployed window for non-emergency advisories; emergency advisories (active exploitation) are 48 hours per the SLA.
  3. The 60% operator usage threshold is a heuristic; air-gapped buyers with different work patterns may need adjusted thresholds.
  4. The renewal-readiness score weights are calibrated against three pilot deployments and may need re-calibration as more data accumulates.
  5. QBR minutes are counter-signed by executive sponsors, not by legal counsel; legal review happens through separate contract-amendment mechanisms.