By providing an interim COO and a strategy for sustainable growth Iknaia is an innovative technology company providing high performance, multi-purpose sensor platforms that can create high density, cost effective sensor networks across many environmental industries both indoors and outdoors, including air, water, acoustic, as well as traffic and footfall. Pushing the boundaries in remote environmental monitoring, their mission is to provide a completely connected environment, that will enable their clients to remotely monitor their assets cost effectively. Iknaia creates bespoke hardware and software in-house and uses state of the art sensors to monitor, measure, and manage all environmental situations, in real-time. Iknaia also employs Edge Computing and AI with data which is accessible to view through an online management dashboard or APIs. Project Overview Iknaia needed a Chief Operating Officer to support the Chief Executive Officer/Owner, who was originally forced to occupy both C-suite positions. The owner sought to onboard a leader to manage the day-to-day operations, thus allowing her to devote more time to focus on strategic initiatives. In addition to elevating the leadership team, the organisation wanted to position itself for future growth, and was looking at ways to expand its service offerings. Specific Challenges facing Start-Ups Limited Capital: One of the most significant challenges for start-ups is limited funding. Securing enough capital to cover initial expenses, operational costs, and unforeseen challenges can be a constant struggle. Operational Efficiency: Optimising internal processes and ensuring smooth day-to-day operations is crucial for start-ups. This includes supply chain management, inventory control, and overall efficiency in delivering products or services. Risk Management: Start-ups inherently involve risk, and managing that risk is vital. This includes financial risk, market risk, and operational risk. Developing contingency plans and being prepared for the unexpected is crucial. Scaling Up: Successfully scaling a start-up from a small operation to a larger, more complex one poses its own set of challenges. This involves expanding the team, increasing production capacity, and maintaining quality while growing. Prioritising the Pipeline: It is crucial to maximise the efficiency and focus of efforts on leads to fit with the business needs, whether that be lead time or size of revenue. Overcoming these challenges requires strategic planning, resilience, and a willingness to learn from both successes and failures. Seeking mentorship, staying adaptable, and being persistent are key factors in navigating the start-up landscape, and ones which Iknaia needed further support to implement. Solutions Though an innovative and rapid-growing technology start-up, Iknaia needed further support structuring their organisation in order to fully maximise their capability. This required the following stages: Thorough Financial Planning: Develop a detailed business plan that includes realistic financial projections. Understand costs, operating expenses, and revenue forecasts. Cash Flow Forecasting: Develop a robust cash flow forecast to anticipate periods of low liquidity and plan accordingly. Diversify Revenue Streams: Explore opportunities to diversify revenue streams. This could involve expanding product or service offerings, targeting new customer segments, or entering new markets. Effective Communication: Foster clear and open communication within the organisation. Ensure that all team members are aware of their roles, responsibilities, and deadlines. Identify and Assess Risks: Conduct a comprehensive risk assessment to identify potential threats. This includes financial risks, operational risks, market risks, and external factors that could impact your business. Develop a Risk Management Plan: Create a detailed risk management plan that outlines the identified risks, their potential impact, and strategies for mitigation. Outcomes & Results 1. Change in Mindset As p art of our restructuring, we implemented a shift from an Operational to a Strategic mindset in Iknaia. 2. 8 Sites in the Netherlands Using our inhouse operational excellence, we were able to tackle Iknaia's large-scale problems. 3. Sites in the US and UK We effectively re-allocated resources, including human capital, technology, and financial resources, to meet organisational goals. 4. Forward Planning We set goals and objectives in order to provide Iknaia with a clear glidepath, including common goals that require collaboration from multiple departments. 5. Clear Governance Structure We defined and established a Governance structure, decision making principles, and clearly articulated the goals and objectives of governance within the organisation. 6. Risk Management We developed and implemented effective risk mitigation strategies. 7. Improved Communication We established clear communication objectives that aligned with the overall organisations goals, ensuring collaboration to achieve said goals.

Successful divestiture and auction process managed by Cambridge MC Cambridge Management Consulting was appointed by the Post Office Limited (the Post Office) to support them on a strategic review of their consumer telecommunications (phone and broadband) business. Following a thorough review of strategic options, it was decided to make a divestiture of the business through an auction process with the outcome that Post Office Telecoms was sold to Shell Energy Retail Limited, SERL, (Shell) in the first quarter of 2021. We were engaged to work with the Post Office and other external advisors to manage the process. The Strategy Given Cambridge MC’s close understanding of both client and sector, we took a leading role in the sale process. We worked closely with the financial and legal advisors to prepare an information memorandum issued to a carefully selected pool of potential buyers. We worked collaboratively with the other advisors, providing insight on the sector and likely buyers. This created a focused and targeted approach to the sale. We provided telecoms, commercial and technical expertise in the review and assessment of all purchase bids, inputting recommendations to the client’s senior management team. We assisted in negotiations with the bidders and input to shortlisting and down selection of the preferred bidder. Interdependencies The Post Office Telecoms Business Unit was highly outsourced, therefore the relationship with the lead outsourcing partner was key to the success of the sale. A good relationship was established with the outsource partner through regular and structured discussions, resulting in a comprehensive and informative output from the review. Cambridge MC carried out a careful review of the existing outsource arrangements, particularly with respect to exit and transition of services in the event of a change in outsourcing partner. Vendor due diligence Vendor due diligence was carried out in two phases; first with a small group of potential bidders, and secondly with a carefully selected preferred bidder. Cambridge MC populated and assisted with the management of the Virtual Data Room and Q&A process, acting as an interface between the bidders, the Post Office’s subject matter experts and the lead outsourcer. Legal Cambridge MC worked collaboratively with both the internal legal team and Norton Rose Fulbright (external legal team). We assisted with the timely creation and review of all sale-related legal documentation, including guidance notes for bidders on the existing outsource agreement and the structure of the novation agreement. Transitional Services Agreement (TSA) Cambridge MC led on the design and content of the Transitional Services Agreement (TSA), working collaboratively with the legal, commercial and procurement teams. This involved negotiation of terms with the preferred bidder and development of a robust separation plan with the Post Office’s operations. Following completion, we executed against the TSA and separation plan. Governance Cambridge MC supported the Post Office’s governance processes throughout, including the preparation of board and shareholder approval papers. Outcomes & Results 1. Smooth TSA process Cambridge MC provided a complete solution with ongoing accountability for early deliverables 2. Exit of services We quickly established ourself as the lead on exit and transition of services. This proved invaluable both in assisting the due diligence of the preferred bidder and also in structuring the transaction documents to enable a successful sale. 3. Advisory roles Cambridge MC provided strategy advice to Post Office executives during the sale process, to ensure that the Post Office maximised its sale price and maintained the probability of delivering an outcome during the tough market conditions of Covid-19. 4. Results Post Office Telecoms was sold successfully to Shell in Q1, 2021. "The Cambridge MC team have been instrumental in delivering a successful sales outcome for the Post Office Telecoms Business Unit” Meredith Sharples, Director, Post Office Telecoms

By using our expertise to analyse their past environmental commitments in order to project future forecasts Telehouse is a provider of industry-leading data centre colocation services, with global connectivity and reach. Owned by KDDI, a Japanese Fortune 500 company and one of the top 10 global telecom companies. Telehouse is acutely aware of the importance of having a robust and consistent renewable sourcing strategy and a clear plan of how it will be achieved as their business grows. Cambridge MC and its sister environmental consultancy, edenseven, were commissioned by Telehouse to help build their long-term renewable sourcing strategy and delivery structure for their UK business. The aim was to enable greater cost certainty, reduced risk and access to renewable projects that meet Telehouse’s specific requirements. The Request Telehouse had four main requests: 1) Outline the current contracting market and the different types of structures available to Telehouse when sourcing long-term renewable contracts 2) To clearly define Telehouse's long-term renewable resourcing strategy, including an outline of the type of technology, terms of contract, pricing boundaries, and operational structures to put in place 3) To create a delivery plan against key timelines and the relevant stages and resources in the process 4) Provide a sourcing model which will satisfy Telehouse's long-term renewable energy requirements Skills & Knowledge Our consultants provided a detailed review of Telehouse's existing and future contracts, environmental commitments, and energy usage forecasts We proposed a workshop with key stakeholders to outline the background and options relating to long-term renewable sourcing and explain the main drivers and risk appetite relating to long-term sourcing Our team produced a thorough report clearly highlighting the preferred sourcing strategy and contracting requirements for Telehouse's UK business, while also ensuring it is aligned to the wider group's targets and strategy Outcomes & Results 1. The successful development of a long-term renewable strategy with recommendations to maximise the benefits on offer through direct sourcing of renewable generation via Power Purchase Agreements (PPAs). 2. Minimising Telehouse's long-term market price risk exposure by securing fixed renewable energy. 3. Meeting Telehouse's customer supply chain requirements to access long-term verifiable renewable power.

What’s your organisation’s type when it comes to cyber security? Is everything justified by the business risks, or are you hoping for the best? Over the decades, I have found that no two businesses or organisations have taken the same approach to cybersecurity. This is neither a criticism nor a surprise. No two businesses are the same, so why would their approach to digital risk be? However, I have found that there are some trends or clusters. In this article, I’ve distilled those observations, my understanding of the forces that drive each approach, and some indicators that may help you recognise it. I have also suggested potential advantages and disadvantages. Ad Hoc Let’s start with the ad hoc approach, where the organisation does what it thinks needs to be done, but without any clear rationale to determine “How much is enough?” The Bucket of Sand Approach At the extreme end of the spectrum is the 'Bucket of Sand' option which is characterised by the belief that 'It will never happen to us'. Your organisation may feel that it is too small to be worth attacking or has nothing of any real value. However, if an organisation has nothing of value, one wonders what purpose it serves. At the very least, it is likely to have money. But it is rare now that an organisation will not hold data and information worth stealing. Whether this data is its own or belongs to a third party, it will be a target. I’ve also come across businesses that hold a rather more fatalistic perspective. Most of us are aware of the regular reports of nation-state attacks that are attempting to steal intellectual property, causing economic damage, or just simply stealing money. Recognising that you might face the full force of a cyber-capable foreign state is undoubtedly daunting and may encourage the view that 'We’re all doomed regardless'. If a cyber-capable nation-state is determined to have a go at you, the odds are not great, and countering it will require eye-watering investments in protection, detection and response. But the fact is that they are rare events, even if they receive disproportionate amounts of media coverage. The majority of threats that most organisations face are not national state actors. They are petty criminals, organised criminal bodies, opportunistic amateur hackers or other lower-level actors. And they will follow the path of least resistance. So, while you can’t eliminate the risk, you can reduce it by applying good security and making yourself a more challenging target than the competition. Following Best Practice Thankfully, these 'Bucket of Sand' adopters are less common than ten or fifteen years ago. Most in the Ad Hoc zone will do some things but without clear logic or rationale to justify why they are doing X rather than Y. They may follow the latest industry trends and implement a new shiny technology (because doing the business change bit is hard and unpopular). This type of organisation will frequently operate security on a feast or famine basis, deferring investments to next year when there is something more interesting to prioritise, because without business strategy guiding security it will be hard to justify. And 'next year' frequently remains next year on an ongoing basis. At the more advanced end of the Ad Hoc zone, you will find those organisations that choose a framework and aim to achieve a specific benchmark of Security Maturity. This approach ensures that capabilities are balanced and encourages progressive improvement. However, 'How much is enough?' remains unanswered; hence, the security budget will frequently struggle for airtime when budgets are challenged. It may also encourage a one-size-fits-all approach rather than prioritising the assets at greatest risk, which would cause the most significant damage if compromised. Regulatory-Led The Regulatory-Led organisation is the one I’ve come across most frequently. A market regulator, such as the FCA in the UK, may set regulations. Or the regulator may be market agnostic but have responsibility for a particular type of data, such as the Information Commissioner’s Office’s interest in personal data privacy. If regulatory compliance questions dominate most senior conversations about cyber security, the organisation is probably in this zone. Frequently, this issue of compliance is not a trivial challenge. Most regulations don’t tend to be detailed recipes to follow. Instead, they outline the broad expectations or the principles to be applied. There will frequently be a tapestry of regulations that need to be met rather than a single target to aim for. Businesses operating in multiple countries will likely have different regulations across those regions. Even within one country, there may be market-specific and data-specific regulations that both need to be applied. This tapestry is growing year after year as jurisdictions apply additional regulations to better protect their citizens and economies in the face of proliferating and intensifying threats. In the last year alone, EU countries have had to implement both the Digital Operational Resilience Act (DORA) and Network and Infrastructure Security Directive (NIS2) , which regulate financial services businesses and critical infrastructure providers respectively. Superficially, it appears sensible and straightforward, but in execution the complexities and limitations become clear. Some of the nuances include: Not Everything Is Regulated The absence of regulation doesn’t mean there is no risk. It just means that the powers that be are not overly concerned. Your business will still be exposed to risk, but the regulators or government may be untroubled by it. Regulations Move Slowly Cyber threats are constantly changing and evolving. As organisations improve their defences, the opposition changes their tactics and tools to ensure their attacks can continue to be effective. In response, organisations need to adjust and enhance their defences to stay ahead. Regulations do not respond at this pace. So, relying on regulatory compliance risks preparing to 'Fight the last war'. The Tapestry Becomes Increasingly Unwieldy It may initially appear simple. You review the limited regulations for a single region, take your direction, and apply controls that will make you compliant. Then, you expand into a new region. And later, one of your existing jurisdictions introduces an additional set of regulations that apply to you. Before you know it, you must first normalise and consolidate the requirements from a litany of different sets of rules, each with its own structure, before you can update your security/compliance strategy. Most Regulations Talk about Appropriateness As mentioned before, regulations rarely provide a recipe to follow. They talk about applying appropriate controls in a particular context. The business still needs to decide what is appropriate. And if there is a breach or a pre-emptive audit, the business will need to justify that decision. The most rational justification will be based on an asset’s sensitivity and the threats it is exposed to — ergo, a risk-based rather than a compliance-based argument. Opportunity-Led Many businesses don’t exist in heavily regulated industries but may wish to trade in markets or with customers with certain expectations about their suppliers’ security and resilience. These present barriers to entry, but if overcome, they also offer obstacles to competition. The expectations may be well defined for a specific customer, such as DEF STAN 05-138 , which details the standards that the UK Ministry of Defence expects its suppliers to meet according to a project’s risk profile. Sometimes, an entire market will set the entry rules. The UK Government has set Cyber Essentials as the minimum standard to be eligible to compete for government contracts. The US has published NIST 800-171 to detail what government suppliers must meet to process Controlled Unclassified Information (CUI). Businesses should conduct due diligence on their suppliers, particularly when they provide technology, interface with their systems or process their data. Regulations, such as NIS2, are increasingly demanding this level of Third Party Risk Management because of the number of breaches and compromises originating from the supply chain. Businesses may detail a certain level of certification that they consider adequate, such as ISO 27001 or a System & Organization Controls (SOC) report. By achieving one or more of these standards, new markets may open up to a business. Good security becomes a growth enabler. But just like with regulations, if the security strategy starts with one of these standards, it can rapidly become unwieldy as a patchwork quilt of different entry requirements builds up for other markets. Risk-Led The final zone is where actions are defined by the risk the business is exposed to. Being led by risk in this way should be natural and intuitive. Most of us might secure our garden shed with a simple padlock but would have several more secure locks on the doors to our house. We would probably also have locks on the windows and may add CCTV cameras and a burglar alarm if we were sufficiently concerned about the threats in our area. We may even install a secure safe inside the house if we have some particularly valuable possessions. These decisions and the application of defences are all informed by our understanding of the risks to which different groups of assets are exposed. The security decisions you make at home are relatively trivial compared to the complexity most businesses face with digital risk. Over the decades, technology infrastructures have grown, often becoming a sprawling landscape where the boundaries between one system and another are hard to determine. In the face of this complexity, many organisations talk about being risk-led but, in reality, operate in one of the other zones. There is no reason why an organisation can’t progressively transform from an Ad Hoc, Regulatory-Led or Opportunity-Led posture into a Risk-Led one. This transformation may need to include a strategy to enhance segmentation and reduce the sprawling landscape described above. Risk-Led also doesn’t mean applying decentralised, bespoke controls on a system-by-system basis. The risk may be assessed against the asset or a category of assets, but most organisations usually have a framework of standard controls and policies to apply or choose from. The test to tell whether an organisation genuinely operates in the Risk-Led zone is whether they have a well-defined Risk Appetite. This policy is more than just the one-liner stating that they have a very low appetite for risk. It should typically be broken down into different categories of risk or asset types; for instance, it might detail the different appetites for personal data risk compared to corporate intellectual property marked as 'In Strict Confidence'. Each category should clarify the tolerance, the circumstances under which risk will be accepted, and who is authorised to sign off. I’ve seen some exceptionally well-drafted risk appetite policies that provide clear direction. Once in place, any risk review can easily understand the boundaries within which they can operate and determine whether the controls for a particular context are adequate. I’ve also seen many that are so loose as to be unactionable or, on as many occasions, have not been able to find a risk appetite defined at all. In these situations, there is no clear way of determining 'How much security is enough'. Organisations operating in this zone will frequently still have to meet regulatory requirements and individual customer or market expectations. However, this regulatory or commercial risk assessment can take the existing strategy as the starting point and review the relevant controls for compliance. That may prompt an adjustment to security in certain places. But when challenged, you can defend your strategy because you can trace decisions back to the negative outcomes you are attempting to prevent — and this intent is in everyone’s common interest. Conclusions Which zone does your business occupy? It may exist in more than one — for instance, mainly aiming for a specific security maturity in the Ad Hoc zone but reinforced for a particular customer. But which is the dominant zone that drives plans and behaviour? And why is that? It may be the right place for today, but is it the best approach for the future? Apart from the 'Bucket of Sand' approach, each has pros and cons. I’ve sought to stay balanced in how I’ve described them. However, the most sustainable approach is one driven by business risk, with controls that mitigate those risks to a defined appetite. Regulatory compliance will probably constitute some of those risks, and when controls are reviewed against the regulatory requirements, there may be a need to reinforce them. Also, some customers may have specific standards to meet in a particular context. However, the starting point will be the security you believe the business needs and can justify before reviewing it through a regulatory or market lens. If you want to discuss how you can improve your security, reduce your digital risk, and face the future with confidence, get in touch with Tom Burton, Senior Partner - Cyber Security, using the below form.

Jason Jennings | Elevate your project management with AI. This guide for senior leaders explains how AI tools can enhance project performance through predictive foresight, cognitive collaboration, and portfolio intelligence. Unlock the potential of AI in your organisation and avoid the common pitfalls.

A New Era of Local Power: What’s in the English Devolution Bill? The UK Government has taken a major step forward in reshaping local governance in England with the publication of the English Devolution and Community Empowerment Bill. This is more than a policy shift — it’s a structural rethink that sets out to make devolution the norm, not the exception. This is a welcome change in direction. This framework could unlock new potential for place-based leadership, community decision-making, and joined-up regional delivery. But as with any big reform, the opportunity lies in the detail — and in how we respond. Key Changes Introduced by the Bill Standardised Framework for Strategic Authorities: Combined Authorities, the GLA, and County Combined Authorities will all fall under a new, consistent legal model — making future devolution smoother and more transparent. Mayors Gain More Leverage: Elected mayors now have a legal right to request further powers, with the Government required to respond. This could pave the way for greater local control over transport, housing, energy, and skills. Neighbourhood Governance Becomes a Duty: Councils will be required to introduce or enhance neighbourhood governance models, supporting community voices and hyper-local decision-making. Simplified Local Government Reorganisation: The Bill makes it easier to create unitary authorities and restructure Strategic Authorities, while mandating the leader-and-cabinet model across councils. Expanded Local Powers: Local authorities will gain new tools to manage shared transport (e.g. e-scooters), protect community assets, and take greater ownership of local planning and infrastructure decisions. Financial Oversight with New Audit Body: A dedicated Local Audit Office will strengthen transparency and public trust in the financial performance of devolved authorities. Why This Matters This legislation has the potential to reshape the relationship between central and local government. It provides: Greater clarity for local leaders navigating the devolution journey Stronger alignment between regional planning, investment, and delivery Formalised community empowerment as a core part of local governance Faster implementation of reforms, removing historical friction with Whitehall If implemented well, it could accelerate levelling up, boost public confidence, and enable councils to better serve their communities. Things to Watch While the ambitions are clear, some areas need close attention: Will funding follow the powers? Without sustained financial backing, councils risk being given responsibilities without the means to deliver. Can neighbourhood structures scale inclusively? Capacity and engagement are key. Local authorities will need support to build neighbourhood governance that is truly representative and impactful. Is the framework flexible enough? A standardised model may reduce complexity, but different places have different needs. Will the new system allow enough room for local variation? Politics, Patchworks and Practicalities: Navigating the Real World of Devolution While the Bill sets out a bold framework, turning that into action won’t be straightforward. Key challenges include: 1. Political Variation Across England Party control differs widely across councils and combined authorities. Some areas will embrace the model enthusiastically; others may resist due to local politics, institutional inertia, or differing visions of place-based governance. The perception of centralisation vs. genuine empowerment may vary depending on the colour of national vs. local government. 2. Tension Between Standardisation and Local Identity The Bill’s aim to simplify and harmonise structures may clash with deeply rooted local differences. Places with strong local identities (e.g. Cornwall, Yorkshire) may be wary of “off-the-shelf” devolution deals or generic governance templates. 3. Differing Appetite for Mayoral Leadership Not all areas want or have elected mayors. Extending powers to Strategic Authorities with mayors may widen the gap between those “inside” and “outside” the model. This could reinforce a two-speed devolution system unless flexibility is built in. 4. Election Cycles and Political Continuity Leadership turnover, locally and nationally can stall momentum, undo hard-won consensus, or shift priorities mid-implementation. Cross-party collaboration will be essential, but not always easy in contested regions. The advantages will need to be sold well. 5. Capacity and Capability Gaps Even with strong local political will, some councils may struggle with resourcing, skills, or institutional readiness to implement new duties or governance changes. What Should Local Leaders Do Now? Start preparing governance structures in anticipation of new duties Identify gaps or priorities where additional powers could unlock outcomes Engage partners early—from VCS organisations to universities to SMEs — to co-design delivery models Assess audit and performance frameworks to ensure compliance and transparency Final Thoughts This Bill is a welcome statement of trust in local institutions. It’s now up to councils, combined authorities, and delivery partners to turn this framework into lasting, meaningful change.

Today, we are proud to be spotlighting Faye Holland, who became Managing Partner at Cambridge Management Consulting for Client PR & Marketing as well as for our presence in the city of Cambridge and the East of England at the start of this year, following our acquisition of her award-winning PR firm, cofinitive. Faye is a prominent entrepreneur and a dynamic force within the city of Cambridge’s renowned technology sector. Known for her ability to influence, inspire, and connect on multiple fronts, Faye plays a vital role in bolstering Cambridge’s global reputation as the UK’s hub for technology, innovation, and science. With over three decades of experience spanning diverse business ventures, including the UK’s first ISP, working in emerging business practices within IBM, leading European and Asia-Pacific operations for a global tech media company, and founding her own business, Faye brings unparalleled expertise to every endeavour. Faye’s value in the industry is further underscored by her extensive network of influential contacts. As the founder of cofinitive, an award-winning PR and communications agency focused on supporting cutting-edge start-ups and scale-ups in tech and innovation, Faye has earned a reputation as one of the UK’s foremost marketing strategists. Over the course of a decade, she built cofinitive into a recognised leader in the communications industry. The firm has since been featured in PR Weekly’s 150 Top Agencies outside London, and has been named year-on-year as the No. 1 PR & Communications agency in East Anglia. cofinitive is also acknowledged as one of the 130 most influential businesses in Cambridge, celebrated for its distinctive, edge, yet polished approach to storytelling for groundbreaking companies, and for its support of the broader ecosystem. Additionally, Faye is widely recognised across the East of England for her leadership in initiatives such as the #21toWatch Technology Innovation Awards, which celebrates innovation and entrepreneurship, and as the co-host of the Cambridge Tech Podcast. Individually, Faye has earned numerous accolades. She is listed among the 25 most influential people in Cambridge, and serves as Chair of the Cambridgeshire Chambers of Commerce. Her advocacy for women in technology has seen her regularly featured in Computer Weekly’s Women in Tech lists, and recognised as one of the most influential women in UK tech during London Tech Week 2024 via the #InspiringFifty listing. Faye is also a dedicated mentor for aspiring technology entrepreneurs, having contributed to leading entrepreneurial programs in Cambridge and internationally, further solidifying her role as a driving force for innovation and growth in the tech ecosystem. If you would like to discuss future opportunities with Faye, you can reach out to her here .

From left to right: Tim Passingham, Tom Burton, Erling Aronsveen, Polly Marsh, and Clive Quantrill.