Governance & Compliance
Risk You Can See. Risk You Can Manage.
Risk, assurance, and due diligence work is about giving decision-makers a clear, honest picture of where exposure sits — and what to do about it. We provide independent, practical assessments that inform real decisions rather than produce filing-cabinet reports.
What This Covers
Three disciplines. One honest picture.
Risk, assurance, and due diligence are often treated as separate activities — but they answer the same fundamental question: what is the real state of this organisation's IT and security, and what could go wrong?
Risk assessments identify and prioritise threats and vulnerabilities so leadership can make informed decisions about where to invest and what to accept. Assurance work provides evidence that controls are operating as intended. Due diligence gives decision-makers the information they need before committing — to a supplier, a merger, an outsource, or a regulatory process.
All three require independence, technical credibility, and the ability to communicate findings clearly to audiences who didn't build the systems being assessed.
IT Risk Assessment
Systematic identification, analysis, and prioritisation of IT and information security risks — with treatment recommendations and risk register output.
Assurance Reviews
Independent verification that your controls, processes, and security measures are actually working — not just documented.
Technical Due Diligence
Pre-acquisition, pre-outsource, or pre-contract assessments that give you a clear picture of what you're taking on.
Third-Party Risk
Assessment of your supplier and vendor landscape — understanding the security and operational risk your supply chain introduces.
When You Need It
Six situations where this work matters most
Risk and assurance work is triggered by specific events and decisions — not just annual compliance ticking. Here are the moments when it's most valuable.
You've had a breach, near-miss, or significant disruption
Post-incident assurance reviews establish what went wrong, whether controls failed, and what needs to change before the next event.
You're about to hand something significant to a third party
Before outsourcing IT, data processing, or a business-critical function, you need to understand what you're exposing — and what safeguards to require.
You're acquiring, merging with, or being acquired by another business
Technical IT due diligence reveals the real state of systems, security debt, and operational risk before the deal closes — when you still have leverage.
An auditor, regulator, or client is about to assess your security
Pre-audit assurance reviews close gaps before they become findings — and give you confidence rather than hope when the assessment starts.
You've grown quickly and aren't sure your IT risk position has kept up
Fast-growing businesses accumulate security debt without realising it. A structured risk assessment gives you a clear picture of where the gaps have opened.
Leadership wants an honest view of IT and security risk
Board members and investors increasingly want independent assurance on IT risk — not just a summary from the internal team who owns the systems being assessed.
What We Provide
Six types of risk and assurance work
Each engagement is scoped to what you actually need — not a fixed-format report that answers questions you weren't asking.
IT Risk Assessment
A structured assessment of your IT and information security risks — identifying threats, vulnerabilities, and likelihood/impact combinations to produce a prioritised risk register with treatment recommendations.
Security Control Assurance
Independent verification that your security controls are actually operating — not just documented. We test, review, and evidence whether the controls your policies describe are present in practice.
Technical Due Diligence
Pre-acquisition and pre-outsource assessments covering IT infrastructure, security posture, technical debt, licensing, and operational risk — giving decision-makers an honest picture before they commit.
Third-Party Risk Assessment
Review and assessment of your supplier and vendor risk landscape — understanding what security and operational risk your critical third parties introduce, and whether appropriate controls are in place.
Board & Leadership Reporting
Risk and assurance reporting designed for non-technical leadership — clear, proportionate, and focused on what matters for strategic and governance decisions. Independent of the internal IT function.
Pre-Audit Readiness Review
An independent review of your control environment ahead of a certification audit, client due diligence, or regulatory assessment — identifying what needs to be addressed before the external assessor arrives.
How We Work
Independent, practical, and plain English.
Every engagement starts with understanding what decision needs to be made — and what information is needed to make it. We don't produce templated reports that look impressive but don't answer the actual question.
Our work is fully remote — interviews, document reviews, configuration analysis, and technical testing are all conducted without requiring on-site presence. Findings are communicated clearly, with risk prioritised by business impact rather than technical severity alone.
We're independent of the systems and suppliers we assess. That independence is the point.
Scoped to your actual question
We agree what you need to know before we start — so the output answers the decision you're facing, not a generic version of it.
Delivered remotely
All assessment, analysis, and reporting is conducted remotely. No site visits, no logistical overhead, no waiting for diary availability.
Clear, actionable findings
Risk findings are prioritised, explained in plain English, and accompanied by realistic recommendations — not a list of theoretical threats.
Audience-appropriate outputs
Technical detail for the people who act on it. Executive summary for the people who fund it. Both from the same engagement.
No conflicts of interest
We don't assess environments we've built, suppliers we resell, or tools we're paid to recommend. Independence is non-negotiable.
Why independence matters here.
Risk and assurance work conducted by the team that owns the systems being assessed has a conflict at its heart. We don't have one.
No Commercial Bias
We don't earn referral fees, resell tools, or have preferred suppliers. Our recommendations are based on what's right for your situation.
External Perspective
We see things that internal teams normalise. Familiarity with a system creates blind spots — we don't have them.
Credible to Third Parties
Clients, auditors, insurers, and boards give more weight to independent assessment than to internal self-certification.
Honest Findings
We report what we find — including things that are uncomfortable. That's the point of independent assurance.
What You Walk Away With
The practical output of this work
Not a filing cabinet report — actionable intelligence for real decisions.
A Clear Risk Picture
Leadership knows what the real risks are, how they're rated, and what treatment options exist — not a vague "could be better" summary.
Prioritised Actions
Findings ranked by business impact, not technical severity — so effort goes where it matters most, not where it's most technically interesting.
Independent Evidence
Documentation and findings from a party with no stake in the outcome — credible to clients, auditors, insurers, and boards.
Informed Decisions
Whether you're acquiring a business, choosing a supplier, or preparing for an audit — you make the decision with the real picture in front of you.
A Risk Register You'll Use
Not a spreadsheet produced for an audit and never opened again. A working document that informs ongoing decisions and is reviewed regularly.
Reduced Exposure
Known risks, addressed proportionately, reduce your actual likelihood of incident — and your exposure when insurers, regulators, or clients ask the hard questions.
Want an honest view of where your risks sit?
Whether you're facing a specific trigger event or just want a clearer picture of your IT and security risk position, we'll provide a practical, independent assessment that gives you something to act on.