We can't predict the future, but we can be ready to thrive in it.
Featured Story


UK Housing Sector Outlook: What’s next for UK housing associations?
Practical strategies to turn pressure into progress—drawn from twelve leaders helping to create safer, sustainable homes.
Why we created this report
The last 18 months have moved UK housing associations from policy statements to proof. Consumer standards, programmed inspections, Tenant Satisfaction Measures and SRS v2.0 have hardened expectations, while costs, ageing stock and climate pressures stretch capacity. The Housing Association Outlook Report 2026 was built to help h


Third-party resilience under PS21/3: What the FCA wants you to prove - and the simplest way to prove it
Third-party resilience is now a board-level accountability.
Under the FCA’s PS21/3 standard, outsourcing doesn’t remove responsibility. Firms must prove they can withstand supplier disruption and stay within impact tolerances. That means mapping dependencies, testing scenarios, and holding evidence that stands up to scrutiny. When failure hits, the regulator won’t ask who caused it; they’ll ask why you weren’t ready.

Andrew Lingley
3 min read


The Board can’t outsource CPS 230 accountability… and APRA knows it
CPS 230 has dragged operational resilience out of the server room and into the boardroom.
No longer a back-office task, it’s now a live legal responsibility for directors. APRA expects boards to approve frameworks, set tolerances, test scenarios — and be able to explain, in plain language, how the organisation stays standing when disruption hits.
You can outsource the work. But not the accountability.

Andrew Lingley
4 min read


‘We’ve got it covered’: The four most expensive words in CPS 230 compliance
APRA expects live proof, not outdated docs or assumptions. That means updated critical operation maps, tested tolerances, and board oversight. Gaps in vendor registers or forgotten dependencies are compliance risks, not prep issues. It’s time to go from “we’ve got it covered” to “here’s the proof.”

Andrew Lingley
4 min read
