Could your firm evidence its IT risk and control?
A short check on IT, risk and control
Most firms have a view of how IT, security and risk are managed.
The harder question is whether that view can be backed up with clear evidence.
These areas don’t tend to be questioned day to day. They come into focus when something needs to be recovered, accessed, reviewed or explained.
That is when it becomes clear how well they actually hold up.
Ownership
→ Could you clearly show who is responsible for IT and risk across the firm?
Not in principle.
In practice.
Access
→ Could you demonstrate that access to sensitive information is controlled and regularly reviewed?
Not how it should work.
How it actually works today.
Recovery
→ Could you evidence that systems and data can be recovered fully?
Not that backups exist.
That recovery has been tested end to end.
Incident response
→ Could you show how the firm would respond under pressure?
Not that a plan exists.
That roles are clear and decisions can be made quickly.
Risk management
→ Could you explain how IT risk is assessed and reviewed?
Not assumptions.
A clear understanding of where risk sits and how it is being managed.
Continuity
→ Could you demonstrate that the firm could continue to operate if systems were unavailable?
Not theoretical plans.
What would happen in practice.
Most of these areas feel understood.
Fewer are consistently evidenced.
If any of these are difficult to demonstrate clearly, that is usually where attention is needed.
This is why IT risk is increasingly a leadership issue, not just an operational one.
It also reflects the expectations set out in the UK Cyber Governance Code of Practice, where boards are ultimately accountable for cyber risk.
If useful, we can sense-check how these areas are currently handled.
No pitch. No pressure.