News

Venn diagram showing three overlapping types of risk — financial risk (ACA/ACCA), project risk (PMI/APM) and operational risk (ISO 22301) — with their small area of overlap labelled 'Risk: one word, several meanings

Risk means different things to Different People. That’s the whole problem.

I spent a chunk of last weekend scrolling through risk management job vacancies, out of nothing more than professional nosiness (and a need to avoid 24/7 football). It’s not as if the confusion over what “risk” actually means was news to me — I’ve spent the best part of two decades watching it play out […]

Risk means different things to Different People. That’s the whole problem. Read More »

Relay baton dropped mid-handover, illustrating a failed third-party contract handover

What the Sats Marking Crisis Tells Us About Third-Party Contract Handovers

What the Sats Marking Crisis Tells Us About Third-Party Contract Handovers Every July, Year 6 pupils across England find out how they did in their Sats. This year, a lot of schools found out how their exam board did instead, and the answer wasn’t good. Pearson took over the £180 million Sats marking contract from

What the Sats Marking Crisis Tells Us About Third-Party Contract Handovers Read More »

Fire extinguisher behind break glass panel in an office corridor — the emergency plan nobody reaches for

Your Business Continuity Plan Exists. So Why Did Nobody Use It?

In my experience, organisations that come to me for consultancy often share a similar story. They had a business continuity plan in place, sometimes one they had developed internally, sometimes one built by a previous consultant. Something went wrong, and nobody invoked it. Not because the disruption was trivial, but because nobody felt confident enough

Your Business Continuity Plan Exists. So Why Did Nobody Use It? Read More »

A gloved hand on a computer mouse next to a keyboard, with a patient record displayed on a hospital computer screen in the background

The NHS doesn’t have a data security problem. It has a culture problem.

The NHS doesn’t have a data security problem. It has a culture problem. This week, Cambridge University Hospitals referred itself to the Information Commissioner’s Office after it emerged that around 40 members of staff had accessed the medical records of a three-year-old boy injured in a crocodile attack. The child was treated at Addenbrooke’s following

The NHS doesn’t have a data security problem. It has a culture problem. Read More »

Aerial view of a stone architectural maze with a clear navy blue path marked through it, representing navigation through complex ISO standards

ISO Spaghetti: Why the Standards Landscape Is Confusing (and What to Do About It)

The five standards worth knowing about ISO Spaghetti: Why the Standards Landscape Is Confusing (and What to Do About It) I have lost count of the number of tender documents I have reviewed that specify ISO 22301 and ISO 27001 and ISO 31000, sometimes with ISO 22361 thrown in for good measure. Occasionally all four

ISO Spaghetti: Why the Standards Landscape Is Confusing (and What to Do About It) Read More »

Aerial view of a port at dusk with a network of connected transport and logistics icons overlaid, illustrating supply chain interdependency.

The cyber law your organisation probably doesn’t need to worry about — and why that might be exactly the problem

The cyber law your organisation probably doesn’t need to worry about — and why that might be exactly the problem The Cyber Security and Resilience Bill passed its third reading in the House of Commons on 16 June and arrived in the Lords the following day. If you’ve seen coverage of it, you could be

The cyber law your organisation probably doesn’t need to worry about — and why that might be exactly the problem Read More »

Teenager holding a smartphone displaying an age verification prompt — illustrating the data protection challenges of the UK social media ban for under-16s

Banning Social Media for Under-16s: The Data Protection Question Nobody’s Answering

Banning Social Media for Under-16s: The Data Protection Question Nobody’s Answering So it’s official. This morning, the Prime Minister stood in Downing Street and announced a full ban on social media for children under 16. TikTok, Instagram, Snapchat, X, YouTube, Reddit — the lot. Legislation before Christmas, enforcement potentially from Spring 2027. As a parent

Banning Social Media for Under-16s: The Data Protection Question Nobody’s Answering Read More »

Eroding coastline path — disruption is a gradual slope, not a cliff edge

The Problem with MTPD

The Problem with MTPD. There is a number buried in every business impact analysis that drives more planning decisions than almost anything else: the Maximum Tolerable Period of Disruption. It determines recovery time objectives, shapes recovery strategies, and informs how much money an organisation is prepared to spend on resilience. It sits at the heart

The Problem with MTPD Read More »

A framed certificate hanging on an office wall, slightly out of focus, with a laptop screen showing a security alert in the foreground

Does Your ISO 27001 Certificate Mean You’re Secure?

Does Your ISO 27001 Certificate Mean You’re Secure? After I published my recent piece on the GCHQ Director’s Bletchley Park lecture, a fellow practitioner left a comment that I’ve been turning over in my head ever since. It’s a question about ISO 27001 certification and what it really proves about security that deserves more than

Does Your ISO 27001 Certificate Mean You’re Secure? Read More »