Seeing the cracks
Most audits are paperwork theatre. Not all, but most. Boxes get ticked, reports gather dust, and everyone pretends risks are “managed.” Meanwhile, attackers, accidents, and reality itself continue unimpeded.
This workshop takes a different approach. Instead of focusing solely on compliance, we make risks visible in practical, human terms so your team can actually act on them. It is about surfacing weak points before they break and building resilience that survives first contact with the unexpected.
Core principles
Evidence over paperwork: No checklists for their own sake. Every finding is tied to observable practices, processes, or assets.
Cross-functional, not siloed: Risks rarely respect departmental boundaries. We bring IT, operations, finance, and HR into the same conversation.
Transparent, not performative: The goal is clarity, not “scoring well.” Problems are surfaced to be solved.
Resilience, not just risk identification: We do not stop at identifying what can break. We explore how your organisation can bend without snapping.
How it works
The workshop is modular and adaptable, scalable from a focused half-day session to a multi-day deep dive depending on your organisation’s complexity and needs.
1. Mapping what is at stake (The “What”)
Identify your most critical assets: systems, processes, and relationships
Capture interdependencies that often get ignored (key personnel, vendors, data flows)
Surface hidden assumptions about what “keeps the lights on”
2. Running stress scenarios (The “So What”)
Explore realistic “what-if” events: supply chain disruption, ransomware outbreak, critical staff absence, regulatory changes
Discuss cascading consequences across departments
Map recovery pathways and decision points under pressure
Stress scenarios are not only discussion exercises. When the team walks through a ransomware scenario and discovers that the offsite backup is three days behind, or that two of the four named responders are on leave simultaneously, the discovery is behavioural evidence: it confirms that an assumption encoded in the continuity plan does not hold in the current operational environment. This is what separates resilience assessment from risk documentation.
3. Prioritising weak spots (The “Now What”)
Evaluate single points of failure and fragile processes
Distinguish between acceptable risks and unacceptable exposures
Highlight practical opportunities for mitigation, redundancy, or monitoring
4. Actionable output
A concise, visual “resilience map” showing risks, dependencies, and potential mitigations
Prioritised recommendations that enable immediate action rather than filing another report
Clear ownership and next steps for addressing critical gaps
Who it is for
This workshop is designed for organisations that want clarity and action. We can tailor the content for:
Executive & leadership teams: Understand systemic risk without technical jargon. See the big picture of organisational vulnerabilities.
IT & security teams: Map technical risks within real-world operational context. Connect infrastructure concerns to business impact.
Operations, HR, and finance teams: Surface overlooked dependencies and non-technical risks that can bring operations to a halt.
Cross-functional task forces: Get everyone speaking the same language about risk, resilience, and organisational priorities.
How this differs
Traditional risk assessments often (not always) produce lengthy documents that look impressive but change little. This workshop is designed for teams who want to:
Understand their vulnerabilities, not just document them
Have honest conversations about what could go wrong
Develop practical responses rather than theoretical frameworks
Build organisational muscle for handling the unexpected
We work with your actual systems, processes, and people, or the ones you choose, not generic templates or hypothetical scenarios that do not reflect your reality.
When a gap identified in one session reappears in the next after a corrective action was applied, the corrective action addressed the surface condition but left an assumption intact. The question worth asking is not why the corrective action failed but what the organisation believed about this process that made the gap seem impossible. That belief is what needs to be corrected at the design level.