How do cycle-survivors build IT budgets across three scenarios?
Three IT budget scenarios, three discipline patterns, named triggers for switching between them. The framework that operators who survived 2014-2016 and 2020-2021 wished they'd built earlier.
Quick answer
A cycle-survivor IT budget for a Canadian mid-market oil and gas operator is three budgets, not one. Upcycle scenario ($90+ WTI sustained): opportunistic investment in capability and integration capacity. Mid-cycle scenario ($65-90 WTI): steady-state with continuous improvement. Downcycle scenario ($40-65 WTI): deliberate compression preserving every baseline control. The never-cut list defines what stays through all three scenarios; named triggers (90-day WTI moving average, broker renewal signals, deal pipeline state) define when to switch between them.
1. Why is one budget not enough?
Every Canadian energy operator builds an annual IT budget. Most build it for one oil price scenario - typically the price assumption embedded in the corporate plan. Operators who survive both ends of the cycle build three budgets and switch between them based on what the market actually does.
Not three plans. Three budgets, with three discipline patterns, with named triggers for switching between them.
The framework is straightforward. The discipline is real. The operators who've used it through 2014-2016 and 2020-2021 are the ones still operating in 2027 - and the ones with materially better positions for whatever cycle event arrives next.
The cyber capability you deploy at $90 oil determines the cyber incidents you do or don't experience at $50 oil. The M&A capability you build at high commodity prices determines the deals you can or can't execute at distressed prices. The operational discipline you maintain across stable years determines the cash flow you can or can't preserve across crisis years. This guide encodes that asymmetric pattern into a budget framework.
2. Scenario A - Upcycle ($90+ WTI sustained)
Cash flow is strong. Activity levels are high. You're hiring, growing, possibly considering acquisitions. This is the build phase.
The discipline pattern: investment in capability that compounds across cycle turns.
What to accelerate in upcycle
- Cyber baseline. Full deployment of the twelve controls. Named industry-standard products. 24/7 monitoring. Documented incident response. Annual tabletop. Budget: $80-150K/year for a typical 75-person operator.
- M&A readiness infrastructure. Identity systems that can absorb new users in a day, not a week. Production accounting that can integrate target data cleanly. Documented integration playbook. Budget: $40-80K of capital + ongoing operational discipline.
- OT/IT segmentation maturity. Move beyond "we use VLANs" to documented architecture with jump hosts, logged crossings, and quarterly review. Budget: $30-75K for the initial deployment.
- AI augmentation pilots. Three 90-day pilots in finance, production telemetry, and cyber operations. Budget: $60-120K for all three.
- Vendor consolidation projects. Use upcycle cash flow to absorb the cost of cutting SaaS sprawl now rather than under downcycle pressure. Net cost: typically negative (savings exceed transition costs by year two).
Upcycle total IT budget for a 75-person operator: typically $350-600K/year including the strategic investments above plus baseline operations.
3. Scenario B - Mid-cycle ($65-90 WTI)
Operations are stable. Cash flow is reliable but not abundant. You're not aggressively expanding or contracting. This is the steady-state phase.
The discipline pattern: maintain what you built, execute on the projects in flight, preserve optionality for the cycle to turn either direction.
What to do in mid-cycle
- Maintain the cyber baseline. Don't cut named-product cyber to save money. The renewal math always favors keeping it deployed.
- Continue scheduled tabletop exercises and IR plan updates. The discipline preserves capability that becomes critical in either direction.
- Quarterly vendor governance reviews. Prevent sprawl from returning. One hour per quarter between CFO and IT lead.
- Defer new strategic capability investments. The mid-cycle isn't the time to launch new AI initiatives or major platform migrations. Save those for the upcycle (when you can afford) or the early downcycle (when activity slows and there's bandwidth).
- TBR cadence. Quarterly Technology Business Review. What's working, what isn't, what to adjust.
Mid-cycle total IT budget for a 75-person operator: typically $250-400K/year. The strategic investments either deferred or completed; baseline maintenance and governance continue.
4. Scenario C - Downcycle ($40-65 WTI)
Cash flow is constrained. Counterparties are stressed. RBL redeterminations are coming. This is the harvest phase - harvesting the compounding from earlier investments.
The discipline pattern: protect the capabilities that survived multiple cycles. Cut capabilities that are discretionary at the current price. Don't break what's working.
What never to cut (the protected list)
- Named-product cyber stack - the carrier renewal math becomes worse, not better, in a downcycle
- 24/7 monitoring - attack volume increases in distressed sectors; defense matters more, not less
- Immutable backups - ransomware doesn't pause for downcycles
- Identity infrastructure - controls drift becomes operational risk fast
- Core production accounting and JIB platforms - these are the operations
What to cut first
- Strategic capability projects not yet started - defer to next upcycle
- Discretionary AI pilots beyond the ones that have proven ROI
- Travel-and-engagement budgets associated with IT vendor relationships
- Premium tiers of bundled IT engagements (drop from Premier to Professional, not from Premier to nothing)
- SaaS sprawl that wasn't consolidated in the upcycle - now is the moment
What to add (counter-intuitively)
- Distressed acquisition integration capability if your strategic posture is offensive - the downcycle is when targets become available at attractive prices
Downcycle total IT budget for a 75-person operator: typically $180-320K/year. The 30-40% reduction from upcycle levels comes from cutting strategic investments and discretionary spend, not from cutting baseline capability.
5. What is the never-cut list (in detail)?
Across two oil price collapses, the operators who maintained baseline cyber and operational capability through the downturn emerged in materially better position than operators who cut to the bone. Five categories that should never be cut:
Cyber - full named-product stack
SentinelOne, Proofpoint, Veeam, Microsoft Entra (or equivalent Gartner Leaders). Annual cost: $60-120K for a 75-person operator. Cutting any of them during a downturn produces immediate cyber posture degradation, which produces premium increases at renewal, which more than offsets the in-year savings.
24/7 monitoring
Real 24/7 SOC with geographic redundancy. $80-150K/year. Downcycles increase attack volume against distressed sectors. Cyber monitoring is more important in downcycles, not less.
Immutable backup
Veeam Hardened Repository, Rubrik immutable snapshots, S3 Object Lock, or equivalent. $15-40K/year. The defense against ransomware that targets backups specifically.
Identity infrastructure
Microsoft Entra Premium, FIDO2 keys on privileged accounts, documented offboarding. $10-30K/year. Identity drift becomes operational risk fast when headcount is changing rapidly.
Core operational platforms
Production accounting (Quorum, P2, 3esi-Enersight). JIB platform. Historian. AFE management. These are the operations - cutting them doesn't reduce cost, it impairs cash flow management at exactly the wrong moment.
6. What are the named triggers for switching scenarios?
The framework only works if scenario transitions happen consciously, not by drift. Four trigger types:
Trigger 1 - Sustained 90-day price action
WTI averaging a different scenario range for 90+ days = re-evaluation trigger. Not daily price moves. Sustained price action.
Trigger 2 - Hedge book exhaustion approaching
Hedge protection within 6 months of exhaustion = transition to next scenario's discipline. The hedge book is your buffer; when it's running out, your real exposure becomes the operative scenario.
Trigger 3 - RBL redetermination scheduled
Three months before RBL = downside scenario stress testing. Even if you don't transition all the way to Scenario C, run the downside numbers and confirm the cuts you'd execute.
Trigger 4 - Activity level signals
Rig count, completion crew utilization, day-rate moves. Operational reality often shifts before commodity price does. These signals are leading indicators.
The trigger framework isn't predictive. It's reactive - but with discipline. You're not betting on the cycle direction. You're recognizing the cycle direction faster than competitors and adjusting your IT budget posture accordingly.
7. What 2014-2016 and 2020-2021 taught us
Five patterns from two full cycle observations:
Pattern one - Cyber built pre-collapse paid off post-collapse
Operators with deployed cyber capability before March 2020 absorbed the 40% increase in ransomware attack volume without operational impact. Operators without it lost weeks of capacity at the worst possible time.
Pattern two - JIB discipline maintained across the cycle preserved cash flow
Operators with current JIB receivables (under 90 days aged) going into the downturn collected materially better than operators with aged balances they hadn't been working consistently.
Pattern three - Focused vendor stacks had flexible cost structure
Operators with focused stacks (6-10 named industry-standard products) cut IT opex 15-30% in the downturn without operational disruption. Operators with sprawling stacks couldn't cut without serious disruption.
Pattern four - Mature identity infrastructure handled rapid workforce changes
Operators with SSO, documented offboarding, and privileged access management absorbed the 2020 workforce reductions with clean termination. Operators without that capability had access drift become operational risk.
Pattern five - Integration capability built pre-downturn enabled 2022+ acquisitions
The Canadian consolidators that drove the 2024-25 wave built their integration playbooks during 2020-2021 when activity was slow. They emerged in 2022 with structural advantage.
8. Master budget template
For each category, document the budget in each scenario:
| Category | Scenario A ($90+) | Scenario B ($65-90) | Scenario C ($40-65) |
|---|---|---|---|
| Cyber stack (named products) | $80-120K | $80-120K | $60-100K |
| 24/7 SOC monitoring | $80-150K | $80-150K | $80-120K |
| Immutable backup | $20-40K | $20-40K | $15-30K |
| Identity infrastructure | $15-30K | $15-30K | $10-20K |
| Production accounting platform | $40-80K | $40-80K | $40-60K |
| JIB / AFE platforms | $20-40K | $20-40K | $15-30K |
| M&A readiness work | $40-80K | $15-30K | $0-15K |
| AI pilots | $60-120K | $15-40K | $0 |
| Vendor consolidation projects | $30-60K (capital) | $0-15K | $0 (capture only) |
| Strategic capability development | $40-100K | $0-20K | $0 |
| Fractional CIO function | $60-180K | $60-180K | $60-120K |
| TOTAL RANGE | $485-1000K | $345-735K | $280-495K |
Note: Ranges are illustrative for a typical 75-person Canadian energy operator. Specific numbers will vary based on existing deployments, vendor pricing, and operational scope.
Need help building your three-scenario budget?
The IT-and-the-Cycle Assessment includes three-scenario budget construction as part of the structured engagement. Three to five days, written report, no obligation. Includes scenario-specific deployment patterns for your particular operation.
Request the IT-and-the-Cycle AssessmentOperator-authored framework built from 30+ deals and 19 years - not a universal prescription. Every organization has different variables. This guide tells you what to look at; the Assessment tells you what it means for your situation.
→ Book the 30-min review