
Identity Risk, Explained for the People Who Are Accountable for It

Boards and executives are increasingly accountable for identity security — under DORA, NIS2, and general director liability frameworks. Our board-facing services translate technical identity risk into business language, board-ready evidence, and concrete decision options.

Non-technical language · Board-ready outputs · 90-day action plans included

Why Boards Are Being Asked About Identity

Identity is now a board-level governance issue — not just a technical one. Regulatory frameworks are explicit about director accountability for access controls and incident preparedness.

  • DORA (Art. 5): The management body holds ultimate responsibility for defining, approving and overseeing the ICT risk management framework, and that framework must include policies limiting logical and physical access to ICT assets (Art. 9)
  • NIS2 (Art. 20): Management bodies must approve cybersecurity risk-management measures and oversee their implementation, and can be held personally liable for infringements, including inadequate access controls
  • FCA / PRA: Operational resilience rules require boards to approve and regularly review a self-assessment covering important business services and the systems that support them, which means understanding who can access those systems
  • Cyber insurers: Increasingly require board sign-off on security posture as a condition of cover

The Board's Problem

Most boards receive security updates that either:

  • Go too deep into technical detail without a business translation
  • Provide a traffic-light RAG status with no explanation of what it means for business risk
  • Focus on what was done, not on the residual risk that remains
  • Present no concrete decision options — just a report

Our board services are designed to fill this gap — giving directors and trustees the understanding and evidence they need to fulfil their oversight obligations.

Board & Executive Services

Assessment

Board-Level Identity Exposure Assessment

A structured review of identity risk across your Active Directory, Entra ID, cloud IAM, and key trust relationships — presented as board-ready output with clear exposure scoring and a 90-day action plan.

This is not a technical report given to the board. It is a board-facing document produced from a technical assessment — with business-language explanations, financial-risk framing, and concrete decisions for leadership to make.

What You Receive

  • Identity exposure scoring — clear risk rating in business terms
  • Privileged access concentration analysis
  • Non-human identity visibility and risk summary
  • Key trust relationships and interdependency map
  • Three concrete decision options for the board (invest / accept / defer)
  • 90-day action plan with executive ownership for each item
  • Board-meeting presentation pack (editable)

Briefing

Board Education Briefing

A facilitated briefing for boards, trustees, or senior leadership teams on identity as a business risk and governance issue. Covers the threat landscape, what regulators expect, what questions boards should be asking their security teams, and concrete options for follow-on investment.

Delivered remotely or in-person. Tailored to your sector and regulatory context. No technical background required from participants.

What's Covered

  • What identity attacks look like — in business terms
  • What DORA, NIS2, and FCA expect from boards on access controls
  • The five questions every board should ask their CISO about identity
  • How to read a security report and understand residual identity risk
  • Investment decision framework — what to prioritise and why
  • Follow-on options with indicative costs and timelines

Simulation

Executive Identity Incident Simulation

A facilitated tabletop exercise built around a realistic identity-compromise scenario — tailored to your sector, your regulatory context, and the specific access risks in your environment.

Walks participants through attack progression, lateral movement, financial-system exposure, regulatory notification timelines, and communications escalation. Concludes with a post-exercise action register with named owners.

What Participants Experience

  • Realistic identity-compromise scenario tailored to your environment
  • Decision points at each stage — with no pre-announced correct answers
  • Regulatory notification triggers and timing decisions
  • Communications escalation — board, customers, regulators, media
  • Financial impact modelling woven through the scenario
  • Post-exercise debrief and written action register

Typically 3–4 hours. Can be delivered as a half-day board session or a standalone executive workshop.

Sector Applicability

Our board services are tailored to your regulatory context and sector norms.

Financial Services

FCA, PRA, DORA — board accountability for ICT risk and access controls

Healthcare

NHS and private — data protection obligations and clinical system access controls

Legal & Professional Services

SRA, ICAEW — client data protection and privileged access governance

Charities & Trusts

Trustee accountability, Charity Commission expectations, donor data protection

Board Asking Questions About Identity?

Whether you need to brief your board, prepare for a tabletop exercise, or get a board-ready exposure assessment — book a call and we'll scope the right engagement.