Ordonis
Defensible cyber oversight, assurance and reporting.

The cyber picture in front of you is reassuring. How do you know it's right?

The people accountable for cyber risk are increasingly expected by governance codes and regulators to stand behind that picture, and to demonstrate how they got comfortable with it.

Inference is not enough

Until recently, the answer to that question could be inferred from an array of data and metrics, confidently presented, and a reasonable person could conclude things were under control. However, the UK Corporate Governance Code now asks listed boards for a declaration on the effectiveness of their material controls, and whether that includes cyber is a board's own judgement call. Across financial services, enhanced standards for operational resilience all point in the same direction, from the UK regime to DORA in Europe, reaching into the delegated and outsourced arrangements, the suppliers and technology vendors that the business depends on. The Senior Managers regime in the UK also holds named individuals in regulated firms personally to account.

Shareholders are also watching closely. Cyber incidents now move operating profit and appear in results statements, and the declaration itself lands in the annual report, addressed to the company's owners and investors.

Ordonis, an independent advisory practice, was built to help the people accountable, on both sides of that scrutiny, answer the question and stand behind the answer.

Why the question is hard

The picture for cyber is assembled from metrics, dashboards, maturity scores, RAG ratings and assurance summaries. It reads as confident but the subject is technical, and from board altitude, it is hard to test. The availability of data is rarely the real issue. The tougher question is whether a reassuring metric measures the risk, or only appears to, and that is difficult to tell from the report alone.

Financial risk is governable because decades of regulation gave it an architecture. The risk a firm will accept is named, appetite becomes defined tolerances, and performance is measured against them, so an exception is visible the moment it appears. The architecture for cyber is newer and less complete. Where tolerances have never been set, nothing trips, the picture stays green, and the question remains unanswered.

The accountability is real, and meeting it requires an independent way to test the picture, rather than relying on inference.

Cyber risk you can test

A cyber risk position will be tested eventually, by a board, a regulator, shareholders, litigation, or events. Ordonis equips the people who carry that accountability to test it first, to the standard now expected of them.

Oversight

For boards and board committees

Test the cyber reporting you receive, and ask the questions that hold it to account.

Read more →

Assurance

For auditors and assurance providers

Judge whether the cyber evidence in front of you is good enough to rely on.

Read more →

Reporting

For security and risk functions

Produce cyber reporting and evidence that stands up to challenge.

Read more →

Readiness

For enterprise suppliers

Prepare your products and services for the scrutiny regulated institutions apply.

Read more →

For any one firm, Ordonis acts for one of these constituencies, never more than one.

About

Anthony Hines, founder of Ordonis
(Photograph by Tom Trevatt)

Ordonis is the advisory practice of Anthony Hines, founded in 2026 after twenty-five years owning cyber and technology risk outcomes inside highly regulated, global and systemically important financial institutions.

Throughout my career I have designed, engineered and run cyber controls at a global scale, as well as overseen and challenged them independently, run third-party cyber assurance, and led the engagements and examinations from global regulators. I have worked both sides, as the engineer who understands how controls really work, and as the risk governance executive accountable for their oversight. That combined experience is codified into the frameworks and methods my practice runs on. I am a former board member of the Cyber Risk Institute.

I built Ordonis because there is a structural gap in how cyber risk is governed, and it will not be closed by additional reporting or another dashboard. It closes when the people accountable for the cyber picture can stand behind it, and that is the work I do.

Start a conversation

This is for the people accountable for cyber oversight, assurance or reporting who want to test, strengthen, or stand behind the picture of cyber risk they work from, and for the suppliers whose products have to operate inside those institutions.

If that is you, send a note below, or email me directly if you prefer.