By Stu Long, CTO, Orro
TL;DR — Key Points
- The first 100 days of FY27 have a disproportionate influence on the year’s outcomes — organisations that establish momentum in the opening quarter create an advantage that is genuinely difficult to close later.
- The technology leader’s core challenge is translation: converting annual strategy into sequenced, accountable operational delivery before the year’s inertia reasserts itself.
- A 30/60/90 day sprint structure provides a practical framework for managing that translation — establishing the true starting point, initiating priority programmes, and reviewing assumptions before Q1 is gone.
- New compliance obligations landing in FY27 impose their own sequencing on the first 100 days — organisations that have not mapped these against delivery capacity will find Q1 consumed by reactive work rather than strategic programme delivery.
- Strategic velocity is not about moving fast — it is about moving on the right things, in the right order, from an accurate picture of where your environment actually stands.
The first week of July has its own distinct feeling. The EOFY pressure has lifted. The budget is confirmed, the strategy document is approved, and the new financial year is, technically, underway. For most technology leaders, there is a brief window of clarity in these early days — a moment before the operational calendar fills back up, before the carry-over from June reasserts itself, and before the year’s inertia takes hold again.
What happens in that window matters more than most organisations recognise.
The decisions made in the first 100 days of a financial year — the priorities confirmed, the programmes initiated, the visibility established — have a compounding influence on outcomes that no amount of Q3 course-correction can fully replicate. Organisations that convert their FY27 strategy into operational momentum in July and August create a structural advantage. Organisations that treat July as a settling-in month rarely fully recover the ground.
Why the opening quarter matters more than the plan
Strategy documents are necessary, but they are not sufficient. The organisations that consistently deliver on their annual technology commitments are rarely the ones with the most comprehensive plans. They are the ones that converted those plans into an operating rhythm early — before the year’s competing pressures had time to erode the clarity that EOFY planning produced.
The post-EOFY period has a specific set of dynamics that work against early momentum. There is almost always administrative carry-over from June — procurement decisions that were deferred, projects that missed their pre-EOFY initiation window, and stakeholder alignment conversations that should have happened in May but did not. Add the tendency for most organisations to treat July as a transition month rather than a delivery month, and the opening quarter frequently passes without the momentum that the planning cycle intended to generate.
By the time August arrives, Q1 is already half gone. The gap between strategic intent and operational delivery starts to look less like a timing problem and more like a structural one.
The translation problem
Most technology strategies are written in the language of outcomes and capabilities. They describe the security posture the organisation intends to achieve, the infrastructure modernisation it plans to undertake, the compliance uplift it needs to deliver. This language is appropriate for annual planning — it communicates direction and priority at the level that boards and executive teams need.
Operational delivery runs on a different language entirely: projects, resources, change windows, vendor dependencies, sprint cycles, and escalation thresholds. The translation between these two registers is where strategic intent most commonly breaks down — not through lack of effort or commitment, but through the absence of a disciplined process for making the translation explicit.
Most technology leaders have experienced this. The annual plan looks coherent at the strategy level. Then the operational calendar arrives — existing support commitments, vendor lead times, staff leave patterns, and a handful of carry-over projects from FY26 that were never formally closed — and the plan that seemed well-sequenced in June suddenly has dependencies that were not visible in the planning documents. The organisations that handle this best are not the ones that avoid the problem. They are the ones that treat the translation as its own distinct phase of the planning cycle — one that begins in the first 30 days of the new financial year, not after Q1 has passed.
The 30/60/90 framework
A 30/60/90 day sprint structure gives technology leaders a practical way to manage the translation from strategy to execution without losing the discipline that annual planning was supposed to create. Each phase has a distinct purpose.
The first 30 days: establish the true starting point. Before any programme can be initiated with confidence, the organisation needs an honest picture of where it actually stands — not where last year’s planning documents assumed it would be. What carried over from FY26? What is the genuine compliance exposure as new obligations take effect? What does the environment actually look like in terms of security posture, infrastructure state, and vendor performance against SLAs? This is not a planning exercise. It is a verification exercise. The starting point most organisations document in their strategy is a projection; the starting point the first 30 days reveals is the reality. Those two things are frequently different.
The 60-day mark: initiate the highest-priority programmes. Not the programmes that feel urgent because they were deferred from last year. The ones that are both strategically important and operationally ready to move — with resourced teams, confirmed vendor commitments, and clear ownership. The temptation at this stage is to initiate broadly, using the energy of a new financial year to get multiple streams moving simultaneously. The discipline is to initiate narrowly and well, because programmes that start without adequate preparation tend to generate the same kind of carry-over in FY27 that created the problem in FY26.
The 90-day review: assess and resequence. By day 90, Q1 is drawing to a close and the assumptions embedded in the original FY27 plan have had their first real contact with operational reality. Some will have held. Others will not. The review at this stage is not about identifying failures — it is about making deliberate decisions about what to protect, what to adapt, and what to defer, rather than allowing those decisions to be made by default as Q2 begins.
The value of this structure is not in the specific day counts. It is in the discipline of treating the opening quarter as a distinct execution phase with its own milestones and accountabilities, rather than simply the first instalment of a twelve-month delivery programme.
Evidence Snapshot
According to analysis of PMI’s Pulse of the Profession data and the CHAOS dataset for IT programme outcomes (PMI / CHAOS Report synthesis, 2025), only around 31% of technology projects are completed fully on time, on budget and on scope. The majority are challenged or fail outright — not because organisations lack the technical capability to deliver, but because the translation from strategic intent to accountable operational execution breaks down early.
In Australia, the compliance timeline for FY27 adds an additional layer of sequencing pressure. Tranche 2 AML/CTF obligations commenced for newly regulated entities on 1 July 2026 (AUSTRAC). For affected organisations — including legal, accounting, real estate, and financial planning businesses now captured for the first time — this is not a background consideration. It is an immediate operational obligation that competes directly with strategic programme delivery for Q1 capacity.
The Horizon 2 phase of the 2023–2030 Australian Cyber Security Strategy is now underway (Department of Home Affairs), bringing with it an expectation that organisations scale their cyber maturity — not just maintain it. The organisations best placed to respond are those that enter FY27 with clear visibility into their current posture, not those still working from the assumptions carried forward from last year’s planning cycle.
The compliance dimension of the first 100 days
For CISOs and technology leaders in affected sectors, FY27 does not begin with a blank slate. Two significant regulatory obligations shape the sequencing of the first 100 days in ways that cannot be accommodated through flexible planning.
AML/CTF Tranche 2 obligations commenced on 1 July 2026 for thousands of newly regulated entities across professional services, real estate, and related sectors (AUSTRAC). For technology leaders in those organisations — or supporting them as managed service or advisory partners — the first 30 days of FY27 are not available for optional prioritisation. AML/CTF programme documentation, customer due diligence procedures, and AUSTRAC enrolment are legal obligations with fixed commencement dates.
Simultaneously, the Horizon 2 phase of Australia’s 2023–2030 Cyber Security Strategy is now underway, with an explicit national agenda to scale cyber maturity across the economy (Department of Home Affairs). The practical implication for technology leaders is that the regulatory and policy environment expects more of them in FY27 than it did in FY26 — and the organisations that will navigate this well are those that mapped their compliance obligations against their delivery capacity before Q1 began, not those discovering the conflict in August.
The articles that follow in this edition address the compliance and programme delivery dimensions of FY27 in detail. The point here is narrower: compliance obligations impose their own sequencing logic on the first 100 days, and technology leaders who have not made that sequencing explicit will find Q1 consumed by reactive work rather than the strategic programme delivery that the annual plan assumed.
The first 100 days of FY27 will pass regardless of what any organisation does with them. The question is whether they pass with momentum established — with clear priorities, accountable ownership, honest visibility into the starting point, and the first tranche of strategic programmes genuinely underway — or whether they pass in the same combination of administrative recovery and deferred initiation that characterised the end of FY26.
The organisations that finish FY27 in the strongest position are unlikely to be the ones with the best strategy documents. They will be the ones that converted those documents into operational reality in the opening quarter, from an accurate picture of where they actually stood on 1 July.
That picture is the starting point for everything that follows.
Start with an accurate starting point
The 30-day starting point in any FY27 technology programme is an honest picture of where your environment actually stands. Orro’s Security Maturity Assessment gives you that picture — independent, evidence-based, and actionable for the planning conversations that matter in Q1.
Further Reading & Sources
- PMI Pulse of the Profession 2025 — Project delivery performance data and strategic initiative outcomes.
- AUSTRAC — AML/CTF Reform (Tranche 2) — Commencement dates, obligations for newly regulated entities.
- Department of Home Affairs — Australian Cyber Security Strategy 2023–2030 — Horizon 2 (2026–28) phase.
- ASD/ACSC — Cyber.gov.au — Authoritative guidance for Australian organisations on cyber security uplift.