Most cyber reporting focuses on threat profiles, controls, traffic-light ratings and heatmaps. All of that is useful – but what informs those reports, and how do you decide which data points really matter?

Our Impact Analysis starts from a different place: Which services matter most, how much disruption you can tolerate, and what needs to come back first when something breaks. We use a simple five-step approach:

1. Set the context
   We work with the board and executive team to understand your objectives, current risk appetite and any external obligations.

2. Identify what you care about most
   Together we select your critical services and map the key systems, data, locations and suppliers they depend on.

3. Consider what could go wrong
   For each service we explore realistic cyber scenarios that could affect its availability, integrity or confidentiality.

4. Judge how bad it could get
   Through structured conversations we capture qualitative and (where sensible) quantitative impact over time (financial, customer, operational, reputational), plus maximum tolerable downtime and data loss.

5. Decide what to do about it
   We translate the analysis into a prioritised set of improvement actions, linked to your cyber risk appetite, incident response focus and investment choices.

What you will get:

• A critical services map with named business and technology owners.

• One-page impact profiles for each critical service.

• Key input into your cyber strategy, your cyber risk register and guardrails for your incident response plan.

• A mapping of wider consequences of disruption – showing how outages affect your stakeholders, suppliers, customers and the broader sector you operate in.

Book a meeting to discuss an impact analysis for your organisation.