A director is accountable for cyber risk they have no independent way to test

A director carries personal accountability for the oversight of cyber risk. The duty of reasonable care, skill and diligence expects a director to take reasonable steps to be informed and to challenge, and the Senior Managers regime ties that expectation to named individuals in regulated firms. For listed boards, Provision 29 of the 2024 UK Corporate Governance Code adds a declaration on the effectiveness of material controls, made in the annual report, in the board's name.

Yet the reporting a director relies on to discharge that duty is produced by the same executives whose performance it describes. When the reporting is confident and the subject is technical, challenge is hard to mount and a reassuring report can go untested, and the oversight a director is accountable for becomes a sign-off.

Equip directors to exercise the oversight they are accountable for

Ordonis works privately with directors and board committees to equip them to examine the reporting they receive. The result is a director who can walk into the committee able to exercise their duty to challenge in their own words.

Independent and confidential

Committee terms of reference commonly provide for independent professional advice at the company's expense, and engagements are contracted on that basis. Ordonis provides an independent reading of your cyber reporting from outside the teams that produced it.

Diagnostic

The work reads the pack the board already receives and diagnoses where it would not hold, drawing on codified patterns of governance failures that recur in public regulatory enforcement records. The output is a set of sharp, tailored challenge questions the board can take to management.

Practical

You leave with a set of questions to ask in the room, specific to the pack in front of you, and the understanding to press them as your own, without needing to be a technologist. This work sits alongside existing internal audit or external assurance work.

For any one firm, Ordonis acts for one constituency only, the board, the management that produces its reporting, or its assurance provider, and never more than one.

Ordonis is the advisory practice of Anthony Hines. If you carry oversight of cyber risk and want to be better equipped to test the reporting behind it, start a conversation.