Dealing with Disruptive Trends: How to Ensure Your Strategy Remains Relevant in a Period of Accelerating Change

Mauro Mortali
Subscribe Contact us
Mauro Mortali

Disruption now occurs with unprecedented regularity, as industries are upended not by traditional competitors but by unexpected entrants wielding innovative technologies and business models.



The difference between thriving and becoming obsolete increasingly hinges on your organisation's ability to anticipate and adapt to disruption before it's too late. The Ur-case of this was Blockbuster, who ignored the threat of streaming technologies, and specifically Netflix (which it could have bought), until it was far too late to pivot and catch up.


Our article explores how businesses can develop strategies that offer predictions and agility, embedding creativity and insight into frameworks and actionable steps that plot a course through the disruptive landscapes of the next few years and beyond.


Understanding the Nature of Disruption


Disruption is no longer just a buzzword — or the philosophy of ‘break things and move fast’ that drove the early tech start-ups that now dominate our waking lives.


The theory of disruptive innovation, popularised by Harvard Business School professor Clayton Christensen, explains how new technologies, products, or services can start small but eventually surpass established offerings in existing markets[1].


This process typically begins when smaller companies with fewer resources challenge established or traditional businesses by addressing underserved market needs[5] in new ways; usually with business models that bypass normal routes to market and allow these companies to scale at pace.


Recent examples include: fintech banks that challenge the need for brick-and-mortar; online over-the-top media applications that replace the need for print media and traditional broadcast television; digital media and the success of subscription models, replacing physical media for music, films and other forms of entertainment; and platform apps like Uber, which connect us to a fleet of independent drivers who are paid per ‘gig’ and regulated by a ratings system.


Today's notion of disruption is characterised by several key features:


Accelerated Pace of Change


The pace of disruption has accelerated beyond anything previously seen, with transformative technologies reaching mainstream adoption faster than ever[15]. While it took decades for technologies like electricity and telephones to achieve mass adoption, modern innovations like smartphones and AI have transformed entire industries in just a few years.


Cross-Industry Disruption


Disruptive threats increasingly come from outside traditional industry boundaries. Companies must now monitor not only direct competitors but also adjacent industries and completely unrelated sectors where transferable innovations might emerge[15]. For example, tech giants have disrupted financial services, retail, healthcare, and automotive industries without prior experience in these sectors.


Technology-Enabled Business Models


Today's most powerful disruptions combine technological innovation with business model innovation. Examples include:


  • Platform models: Uber revolutionised transportation by connecting riders and drivers through a user-friendly mobile app, utilising independent drivers who pay for their own vehicles for rapid scalability[1].


  • Subscription services: Netflix and Spotify transformed entertainment consumption by shifting from physical media to on-demand streaming with personalised algorithmic content recommendations[1].


  • Direct-to-consumer approaches: Tesla's direct sales model bypassed traditional dealership networks while integrating advanced electric vehicle technology and autonomous capabilities[1].


From Traditional to Adaptive Strategy


Traditional strategic planning approaches — characterised by multi-year roadmaps and rigid implementation plans — have become increasingly inadequate in today's fast-moving business environment. We look at some of the challenges businesses now face below.


The Limitations of Traditional Strategy


Conventional strategies often fail because they:


  1. Assume relative stability in market conditions

  2. Take too long to develop and implement

  3. Lack flexibility to respond to unexpected changes

  4. Rely heavily on historical data to predict future outcomes


The Adaptive Strategy Advantage


Adaptive strategy, often described as the "Be Fast" approach, emphasises agility, experimentation, and continuous evolution[3]. This approach thrives in fluid industries with high uncertainty and a fast pace of change, such as technology, fashion, entertainment, and start-ups[3].


Organisations that embrace adaptive strategies gain significant advantages:


  • Higher profitability: Companies ranking high in adaptability enjoy up to 75% higher profitability than their less adaptive counterparts[10].


  • Faster market response: Adaptive firms achieve approximately 60% faster time-to-market compared to traditional competitors[10].


  • Innovation capacity: The ability to experiment boldly and rapidly iterate creates an environment where breakthrough innovations are more likely to emerge[10].


Real-World Adaptive Strategy Success


Consider Netflix's journey from DVD rental service to streaming giant to content producer. Rather than creating a 10-year plan, Netflix constantly evolved based on emerging technologies, customer preferences, and market opportunities. This adaptive approach allowed them to pivot whenever necessary while maintaining their core value proposition of convenient entertainment access[1].


A New Framework for Ensuring Strategy Relevance


To maintain strategic relevance amid disruptive trends, companies need a systematic framework that balances stability with flexibility.


Anticipate Disruption Through Trend Analysis


Successful businesses identify potential disruptions before they manifest fully by monitoring Hard Trends — future certainties based on measurable facts[15]. These include demographic shifts, technological advancements, and regulatory changes that provide predictable directional guidance.

For example, financial services firms that recognised the Hard Trend of increasing digital connectivity were better positioned to respond to the rise of mobile banking and fintech disruption.


Build your Agility


Organisational structures and processes must be designed to support rapid adaptation:


  1. Decentralised decision-making: Empower teams closest to customers and market changes to make decisions without lengthy approval chains[3].

  2. Cross-functional collaboration: Break down silos between departments to enable faster information sharing and coordinated responses to change[3].

  3. Agile methodologies: Adapt software development approaches like sprints, continuous integration, and iterative testing to broader business strategy[3].


Foster a Culture of Innovation


Innovation cannot be an isolated function — it must permeate your entire organisation:


  1. Encourage experimentation: Create safe spaces for testing new ideas with minimal bureaucracy and fear of failure[3].

  2. Customer-centric innovation: Ground innovation efforts in a deep understanding of customer needs rather than internal assumptions[14].

  3. Structured innovation processes: Establish clear pathways for moving ideas from conception to implementation while maintaining flexibility[14].

  4. KPIs that support innovation: For example, looking at the value of a portfolio of innovations rather than a specific innovation project.


Leverage Data & Technology


Data-driven insights provide a vital competitive advantage in your disruption response:


  1. Real-time market intelligence: Deploy advanced analytics to detect weak signals of change before they emerge fully-formed[3].

  2. Predictive modelling: Use Agentic AI to identify patterns and forecast potential disruptions[2].

  3. Digital transformation lifecycle: Invest in the necessary expertise and infrastructure to undertake on-going programmes of transformation — a big step, and potentially expensive, but it can help immunise your business against disruptive technologies and new models.


Practical Implementation Steps


Translating disruption awareness into effective action requires specific tactical approaches.

A surreal, futuristic city with tall rectangular towers in green and pink tones, mirrored perfectly on a reflective surface below. A sleek monorail runs horizontally along the midsection, adding movement to the scene. The soft blue sky above transitions seamlessly into the reflected terrain, creating an infinite and dreamlike visual effect.

Conduct Disruption Risk Assessments


Regularly evaluate your vulnerability to disruption:


  1. Identify potential disruptors in your industry and adjacent sectors

  2. Assess your current business model's vulnerabilities

  3. Evaluate your capacity to respond to different types of disruption

  4. Prioritise areas requiring immediate attention


Develop Scenario Planning Capabilities


Prepare for multiple possible futures rather than betting on a single outcome:


  1. Create diverse but plausible future scenarios based on key uncertainties

  2. Develop strategic options suited to different scenarios

  3. Identify early warning indicators that signal which scenario is unfolding

  4. Maintain agility to pivot quickly as conditions change


Implement Rapid Experimentation Cycles


Test strategic hypotheses quickly and at low cost:


  1. Design small-scale experiments in innovation labs to validate key assumptions

  2. Establish clear success metrics before beginning

  3. Gather data systematically during implementation

  4. Scale successful approaches and terminate unsuccessful ones quickly[12]


Rather than one high-risk 200K business venture, conduct many smaller 10K projects and test them vigorously. When you hit on one that shows potential, then ramp up the investment.


Invest Strategically in Technology & Talent


Prepare for future disruption through targeted investments:


  1. Develop digital capabilities that enable greater responsiveness and feedback

  2. Acquire specialised expertise in emerging areas through hiring or partnerships[2] — or use experienced third-parties who bring in the expertise you need on a part-time or full-time basis

  3. Create learning pathways that continuously upskill your workforce and create a diversification of skills that feed back into your innovation pipeline


Extending the Strategy: Dealing with Financial Turmoil


Financial volatility represents a specific type of disruption that can impact businesses across all sectors simultaneously, regardless of their technological readiness or market positioning. The recent market turbulence triggered by President Trump's totemic series of tariffs in early 2025 exemplifies how policy decisions can create sudden financial headwinds that catch even well-prepared organisations off-guard. 


These tariffs, affecting goods from multiple trading partners, have introduced significant uncertainty into global supply chains, currency markets, and investment landscapes. However, the adaptive strategy framework outlined earlier also provides a valuable roadmap for navigating financial disruptions.


The same anticipatory mechanisms that help businesses identify technological disruption can be repurposed for financial volatility. Conducting regular disruption risk assessments that specifically include macroeconomic and geopolitical factors allows organisations to maintain awareness of potential financial threats before they materialise. For instance, during President Trump's first term, Apple proactively developed contingency plans to address tariff risks, including lobbying for exemptions and accelerating supply chain diversification by shifting some iPad and AirPod production to Vietnam and iPhone assembly to India. When tariffs on Chinese goods threatened to upend its margins, CEO Tim Cook successfully negotiated exemptions for key Apple products, a tactic he is repeating as tariffs escalate in 2025.


Those organisations which have already modelled potential protectionist policy scenarios and identified early warning indicators, are able to implement pre-determined response plans rather than reacting in panic. This approach exemplifies how the ‘anticipate and adapt’ mindset extends beyond technological disruption to financial turbulence.


Conclusion: Turning Disruption to your Advantage


The volatile markets of today will reward organisations that can navigate disruptive trends effectively while maintaining strategic relevance. This requires balancing stability with adaptability, prediction with reaction, and innovation with execution.


The most successful companies will be those that:


  1. View disruption as an opportunity rather than merely a threat

  2. Build capabilities for sensing and responding to change

  3. Embed adaptive thinking throughout their strategy development process

  4. Maintain a clear core purpose while adjusting their approach according to response triggers


By embracing these principles, businesses can transform disruptive trends from existential threats into catalysts for growth and renewed relevance to their customer base.



Take Action: Our Strategy Stress Test


Ready to ensure your business strategy is resilient against disruptive trends? Cambridge Management Consulting offers a focused Strategy Stress Test to rapidly evaluate your business model and challenge the original assumptions of your strategy, particularly in light of what might have changed in the market (macro, micro, competitive activities, etc.) and the impact of emerging disruptive trends.


Strategy Stress Test Process


The Strategy Stress Test offers several key advantages:


  1. Rapid diagnostic - Quickly identifies potential gaps and vulnerabilities in your market approach

  2. Risk mitigation - Highlights areas where execution challenges may arise before significant resources are committed

  3. Identify disruptive trends – We use a blend of data, research and industry knowledge to identify emerging disruptive trends which could upend your strategy

  4. Opportunity identification - Uncovers overlooked market opportunities and competitive advantages

  5. Implementation readiness - Ensures alignment between strategy, resources, and operational capabilities

  6. Stakeholder alignment - Creates shared understanding of strategic priorities and execution requirements


Don't risk implementing an untested strategy in today's complex and volatile market environment. Our Strategy Stress Test offers a low-risk, high-value opportunity to validate your approach in the face of disruptive trends before committing significant resources. Our data-driven methodology and specialised knowledge ensure your business model is ready for successful implementation.


Contact Cambridge Management Consulting today to speak to one of our experts and schedule your Strategy Stress Test or enquire about our other Strategy services.


Visit our Strategy services homepage here: https://www.cambridgemc.com/strategy


Citations


[1] https://www.imd.org/blog/innovation/what-is-disruptive-innovation/ [2] https://www.linkedin.com/pulse/management-consulting-landscape-2025-pzmuf [3] https://www.linkedin.com/pulse/navigating-uncertainty-power-adaptive-strategy-gopal-fewvc [4] https://www.linkedin.com/posts/nicolaayan_disruptive-strategy-lessons-part-1-of-3-activity-7182331207689383936-gr-5 [5] https://online.hbs.edu/blog/post/disruptive-strategy-skills [6] https://pll.harvard.edu/course/disruptive-strategy [7] https://www.cambridgemc.com [8] https://www.digital-adoption.com/digital-disruption-and-transformation/ [9] https://www.inc.com/soren-kaplan/the-business-consulting-industry-is-being-disrupted-nothing-can-stop-it.html [10] https://www.sapta.io/thrive-in-uncertain-times/ [11] https://professionalprograms.mit.edu/blog/technology/top-disruptive-technologies/ [12] https://www.wearetriple.com/en/becoming-a-tech-company/disruptive-strategy/ [13] https://www2.deloitte.com/content/dam/insights/us/articles/anticipating-disruptive-strategy-of-market-entrants/DUP-1098_Patterns-of-disruption_vFINAL.pdf [14] https://www.cambridgemc.com/Digital-and-Innovation/innovation [15] https://www.burrus.com/2025/02/the-new-rules-of-disruption/ [16] https://www.silicon.co.uk/workspace/silicon-uk-in-focus-podcast-disruptive-trends-shaping-our-future-596928 [17] https://www.cambridgeconsultants.com/deep-tech/digital-transformation/ [18] https://deloitte.wsj.com/riskandcompliance/turning-disruptive-trends-into-opportunity-1456376534 [19] https://www.chiefdisruptor.com/the-2024-disruptive-trends-report [20] https://www.innosight.com/insight/six-disruptive-forces/ [21] https://hakia.com/startup-success-stories-case-studies-of-disruptive-companies/ [22] https://digitalleadership.com/blog/disruptive-innovation-examples/ [23] https://online.hbs.edu/blog/post/4-keys-to-understanding-clayton-christensens-theory-of-disruptive-innovation [24] https://brandingstrategyinsider.com/10-disruptive-marketing-trends/ [25] https://emulent.com/blog/trends-in-the-management-consulting-industry/ [26] https://bts.com/insights/adaptive-organizations-the-bts-blueprint-for-turning-organizational-flexibility-into-a-competitive-advantage/feed/ [27] https://whatfix.com/blog/disruptive-technology/ [28] https://hbr.org/2015/12/what-is-disruptive-innovation?_ptid=%7Bkpdx%7DAAAA3n7ZjaTyoQoKbWJzNzdxdHpVehIQbTN6NGQxZ2VnOGVsMnY1cRoMRVhTM04yRExGRkVIIiUxODA1amJnMGNjLTAwMDAzNHJia2thdWVzYjA5c2tjbHNlZ2pvKhpzaG93VGVtcGxhdGVPQ1FKWVdFQjZWWlkzNzABOgxPVFVKNkxSUVRBUVJCDU9UVjVHRUhUTFhOOUZKHG9yZ3NvY2lhbF9ta3RnOjE3MzI2NjU2MDAxNzRSEnYtogDwGWhhOGl0ZWR4ZXNaDTY2LjI0OS43NS4xNjFiA21iYmipxJ-6BnAVeAQ [29] https://hbr.org/2015/12/what-is-disruptive-innovation [30] https://www.gartner.com/en/articles/7-disruptive-technologies-you-might-not-see-coming [31] https://pmworldlibrary.net/wp-content/uploads/2017/06/pmwj59-Jun2017-Pells-five-disruptive-trends-editorial-welcome.pdf [32] https://kpmg.com/us/en/articles/2023/four-disruptive-trends.html [33] https://stlpartners.com/research/five-principles-for-disruptive-strategy/ [34] https://www.entrepreneur.com/growing-a-business/how-to-spot-trends-and-anticipate-market-shifts-before-your/482509 [35] https://www.youtube.com/watch?v=lAPO08Loqow [36] https://www.investopedia.com/terms/d/disruptive-innovation.asp [37] https://www.cbinsights.com/research/disrupting-management-consulting/ [38] https://www.linkedin.com/posts/cambridge-consultants_futuretrends-deeptech-innovation-activity-7292468948015403009-l_Tr [39] https://www.cambridgemc.com/insights [40] https://www.cambridgemc.com/Digital-and-Innovation [41] https://online.em.jbs.cam.ac.uk/digital-disruption [42] https://www.cambridge.org/core/product/98655A769374AB12E05D3EFB4F20FF87/core-reader

Contact - Smart City article

Subscribe to our Newsletter

Blog Subscribe

SHARE CONTENT

Abstract kaleidoscope of AI generated shapes

What Is the Third Way to Successful AI Adoption?

by Tom Burton 10 September 2025
This article explores the ‘Third Way’ to AI adoption – a balanced approach that enables innovation, defines success clearly, and scales AI responsibly for lasting impact | READ FULL ARTICLE
A Data centre in a field

Case Study: Expanding Deep Green's Market Presence Through Cambridge MC's Global Network

by Stuart Curzon 22 August 2025
Discover how Deep Green, a pioneer in decarbonised data centres, partnered with Cambridge Management Consulting to expand its market presence through an innovative, sustainability‑driven go‑to‑market strategy | READ CASE STUDY
Crystal ball on a neon floor

Fixing the Future: How Digital Twins Will Transform Project Management

by Jason Jennings 21 August 2025
Discover how digital twins are revolutionising project management. This article explores how virtual replicas of physical systems are helping businesses to simulate outcomes, de-risk investments and enhance decision-making.
A vivid photo of the skyline of Stanley on the Falkland Islands

Cambridge Management Consulting, Falklands IT, and Hermes/Viraat Heritage Trust Provide Educational Resources to the Falklands

by Cambridge Management Consulting 20 August 2025
Cambridge Management Consulting (Cambridge MC) and Falklands IT (FIT) have donatede £3,000 to the Hermes/Viraat Heritage Trust to support the learning and development of young children in the Falkland Islands.
A modern office building on a wireframe floor with lava raining from the sky in the background

What Drives Your Organisation’s Cyber Security?

by Tom Burton 29 July 2025
What’s your organisation’s type when it comes to cyber security? Is everything justified by the business risks, or are you hoping for the best? Over the decades, I have found that no two businesses or organisations have taken the same approach to cybersecurity. This is neither a criticism nor a surprise. No two businesses are the same, so why would their approach to digital risk be? However, I have found that there are some trends or clusters. In this article, I’ve distilled those observations, my understanding of the forces that drive each approach, and some indicators that may help you recognise it. I have also suggested potential advantages and disadvantages. Ad Hoc Let’s start with the ad hoc approach, where the organisation does what it thinks needs to be done, but without any clear rationale to determine “How much is enough?” The Bucket of Sand Approach At the extreme end of the spectrum is the 'Bucket of Sand' option which is characterised by the belief that 'It will never happen to us'. Your organisation may feel that it is too small to be worth attacking or has nothing of any real value. However, if an organisation has nothing of value, one wonders what purpose it serves. At the very least, it is likely to have money. But it is rare now that an organisation will not hold data and information worth stealing. Whether this data is its own or belongs to a third party, it will be a target. I’ve also come across businesses that hold a rather more fatalistic perspective. Most of us are aware of the regular reports of nation-state attacks that are attempting to steal intellectual property, causing economic damage, or just simply stealing money. Recognising that you might face the full force of a cyber-capable foreign state is undoubtedly daunting and may encourage the view that 'We’re all doomed regardless'. If a cyber-capable nation-state is determined to have a go at you, the odds are not great, and countering it will require eye-watering investments in protection, detection and response. But the fact is that they are rare events, even if they receive disproportionate amounts of media coverage. The majority of threats that most organisations face are not national state actors. They are petty criminals, organised criminal bodies, opportunistic amateur hackers or other lower-level actors. And they will follow the path of least resistance. So, while you can’t eliminate the risk, you can reduce it by applying good security and making yourself a more challenging target than the competition. Following Best Practice Thankfully, these 'Bucket of Sand' adopters are less common than ten or fifteen years ago. Most in the Ad Hoc zone will do some things but without clear logic or rationale to justify why they are doing X rather than Y. They may follow the latest industry trends and implement a new shiny technology (because doing the business change bit is hard and unpopular). This type of organisation will frequently operate security on a feast or famine basis, deferring investments to next year when there is something more interesting to prioritise, because without business strategy guiding security it will be hard to justify. And 'next year' frequently remains next year on an ongoing basis. At the more advanced end of the Ad Hoc zone, you will find those organisations that choose a framework and aim to achieve a specific benchmark of Security Maturity. This approach ensures that capabilities are balanced and encourages progressive improvement. However, 'How much is enough?' remains unanswered; hence, the security budget will frequently struggle for airtime when budgets are challenged. It may also encourage a one-size-fits-all approach rather than prioritising the assets at greatest risk, which would cause the most significant damage if compromised. Regulatory-Led The Regulatory-Led organisation is the one I’ve come across most frequently. A market regulator, such as the FCA in the UK, may set regulations. Or the regulator may be market agnostic but have responsibility for a particular type of data, such as the Information Commissioner’s Office’s interest in personal data privacy. If regulatory compliance questions dominate most senior conversations about cyber security, the organisation is probably in this zone. Frequently, this issue of compliance is not a trivial challenge. Most regulations don’t tend to be detailed recipes to follow. Instead, they outline the broad expectations or the principles to be applied. There will frequently be a tapestry of regulations that need to be met rather than a single target to aim for. Businesses operating in multiple countries will likely have different regulations across those regions. Even within one country, there may be market-specific and data-specific regulations that both need to be applied. This tapestry is growing year after year as jurisdictions apply additional regulations to better protect their citizens and economies in the face of proliferating and intensifying threats. In the last year alone, EU countries have had to implement both the Digital Operational Resilience Act (DORA) and Network and Infrastructure Security Directive (NIS2) , which regulate financial services businesses and critical infrastructure providers respectively. Superficially, it appears sensible and straightforward, but in execution the complexities and limitations become clear. Some of the nuances include: Not Everything Is Regulated The absence of regulation doesn’t mean there is no risk. It just means that the powers that be are not overly concerned. Your business will still be exposed to risk, but the regulators or government may be untroubled by it. Regulations Move Slowly Cyber threats are constantly changing and evolving. As organisations improve their defences, the opposition changes their tactics and tools to ensure their attacks can continue to be effective. In response, organisations need to adjust and enhance their defences to stay ahead. Regulations do not respond at this pace. So, relying on regulatory compliance risks preparing to 'Fight the last war'. The Tapestry Becomes Increasingly Unwieldy It may initially appear simple. You review the limited regulations for a single region, take your direction, and apply controls that will make you compliant. Then, you expand into a new region. And later, one of your existing jurisdictions introduces an additional set of regulations that apply to you. Before you know it, you must first normalise and consolidate the requirements from a litany of different sets of rules, each with its own structure, before you can update your security/compliance strategy. Most Regulations Talk about Appropriateness As mentioned before, regulations rarely provide a recipe to follow. They talk about applying appropriate controls in a particular context. The business still needs to decide what is appropriate. And if there is a breach or a pre-emptive audit, the business will need to justify that decision. The most rational justification will be based on an asset’s sensitivity and the threats it is exposed to — ergo, a risk-based rather than a compliance-based argument. Opportunity-Led Many businesses don’t exist in heavily regulated industries but may wish to trade in markets or with customers with certain expectations about their suppliers’ security and resilience. These present barriers to entry, but if overcome, they also offer obstacles to competition. The expectations may be well defined for a specific customer, such as DEF STAN 05-138 , which details the standards that the UK Ministry of Defence expects its suppliers to meet according to a project’s risk profile. Sometimes, an entire market will set the entry rules. The UK Government has set Cyber Essentials as the minimum standard to be eligible to compete for government contracts. The US has published NIST 800-171 to detail what government suppliers must meet to process Controlled Unclassified Information (CUI). Businesses should conduct due diligence on their suppliers, particularly when they provide technology, interface with their systems or process their data. Regulations, such as NIS2, are increasingly demanding this level of Third Party Risk Management because of the number of breaches and compromises originating from the supply chain. Businesses may detail a certain level of certification that they consider adequate, such as ISO 27001 or a System & Organization Controls (SOC) report. By achieving one or more of these standards, new markets may open up to a business. Good security becomes a growth enabler. But just like with regulations, if the security strategy starts with one of these standards, it can rapidly become unwieldy as a patchwork quilt of different entry requirements builds up for other markets. Risk-Led The final zone is where actions are defined by the risk the business is exposed to. Being led by risk in this way should be natural and intuitive. Most of us might secure our garden shed with a simple padlock but would have several more secure locks on the doors to our house. We would probably also have locks on the windows and may add CCTV cameras and a burglar alarm if we were sufficiently concerned about the threats in our area. We may even install a secure safe inside the house if we have some particularly valuable possessions. These decisions and the application of defences are all informed by our understanding of the risks to which different groups of assets are exposed. The security decisions you make at home are relatively trivial compared to the complexity most businesses face with digital risk. Over the decades, technology infrastructures have grown, often becoming a sprawling landscape where the boundaries between one system and another are hard to determine. In the face of this complexity, many organisations talk about being risk-led but, in reality, operate in one of the other zones. There is no reason why an organisation can’t progressively transform from an Ad Hoc, Regulatory-Led or Opportunity-Led posture into a Risk-Led one. This transformation may need to include a strategy to enhance segmentation and reduce the sprawling landscape described above. Risk-Led also doesn’t mean applying decentralised, bespoke controls on a system-by-system basis. The risk may be assessed against the asset or a category of assets, but most organisations usually have a framework of standard controls and policies to apply or choose from. The test to tell whether an organisation genuinely operates in the Risk-Led zone is whether they have a well-defined Risk Appetite. This policy is more than just the one-liner stating that they have a very low appetite for risk. It should typically be broken down into different categories of risk or asset types; for instance, it might detail the different appetites for personal data risk compared to corporate intellectual property marked as 'In Strict Confidence'. Each category should clarify the tolerance, the circumstances under which risk will be accepted, and who is authorised to sign off. I’ve seen some exceptionally well-drafted risk appetite policies that provide clear direction. Once in place, any risk review can easily understand the boundaries within which they can operate and determine whether the controls for a particular context are adequate. I’ve also seen many that are so loose as to be unactionable or, on as many occasions, have not been able to find a risk appetite defined at all. In these situations, there is no clear way of determining 'How much security is enough'. Organisations operating in this zone will frequently still have to meet regulatory requirements and individual customer or market expectations. However, this regulatory or commercial risk assessment can take the existing strategy as the starting point and review the relevant controls for compliance. That may prompt an adjustment to security in certain places. But when challenged, you can defend your strategy because you can trace decisions back to the negative outcomes you are attempting to prevent — and this intent is in everyone’s common interest. Conclusions Which zone does your business occupy? It may exist in more than one — for instance, mainly aiming for a specific security maturity in the Ad Hoc zone but reinforced for a particular customer. But which is the dominant zone that drives plans and behaviour? And why is that? It may be the right place for today, but is it the best approach for the future? Apart from the 'Bucket of Sand' approach, each has pros and cons. I’ve sought to stay balanced in how I’ve described them. However, the most sustainable approach is one driven by business risk, with controls that mitigate those risks to a defined appetite. Regulatory compliance will probably constitute some of those risks, and when controls are reviewed against the regulatory requirements, there may be a need to reinforce them. Also, some customers may have specific standards to meet in a particular context. However, the starting point will be the security you believe the business needs and can justify before reviewing it through a regulatory or market lens. If you want to discuss how you can improve your security, reduce your digital risk, and face the future with confidence, get in touch with Tom Burton, Senior Partner - Cyber Security, using the below form.
AI co-pilot

AI as Your Project Management Co-Pilot: Beyond Basic Automation

by Jason Jennings 28 July 2025
Jason Jennings | Elevate your project management with AI. This guide for senior leaders explains how AI tools can enhance project performance through predictive foresight, cognitive collaboration, and portfolio intelligence. Unlock the potential of AI in your organisation and avoid the common pitfalls.
St Pauls Cathedral

English Devolution Bill: What It Means for Local Authorities and Communities

by Craig Cheney 24 July 2025
Craig Cheney | The UK Government has taken a major step forward in reshaping local governance in England with the publication of the English Devolution and Community Empowerment Bill. This is more than a policy shift — it’s a structural rethink that sets out to make devolution the norm, not the exception.

Partner Spotlight: Faye Holland

by Faye Holland 11 July 2025
Today, we are proud to be spotlighting Faye Holland, who became Managing Partner at Cambridge Management Consulting for Client PR & Marketing as well as for our presence in the city of Cambridge and the East of England at the start of this year, following our acquisition of her award-winning PR firm, cofinitive. Faye is a prominent entrepreneur and a dynamic force within the city of Cambridge’s renowned technology sector. Known for her ability to influence, inspire, and connect on multiple fronts, Faye plays a vital role in bolstering Cambridge’s global reputation as the UK’s hub for technology, innovation, and science. With over three decades of experience spanning diverse business ventures, including the UK’s first ISP, working in emerging business practices within IBM, leading European and Asia-Pacific operations for a global tech media company, and founding her own business, Faye brings unparalleled expertise to every endeavour. Faye’s value in the industry is further underscored by her extensive network of influential contacts. As the founder of cofinitive, an award-winning PR and communications agency focused on supporting cutting-edge start-ups and scale-ups in tech and innovation, Faye has earned a reputation as one of the UK’s foremost marketing strategists. Over the course of a decade, she built cofinitive into a recognised leader in the communications industry. The firm has since been featured in PR Weekly’s 150 Top Agencies outside London, and has been named year-on-year as the No. 1 PR & Communications agency in East Anglia. cofinitive is also acknowledged as one of the 130 most influential businesses in Cambridge, celebrated for its distinctive, edge, yet polished approach to storytelling for groundbreaking companies, and for its support of the broader ecosystem. Additionally, Faye is widely recognised across the East of England for her leadership in initiatives such as the #21toWatch Technology Innovation Awards, which celebrates innovation and entrepreneurship, and as the co-host of the Cambridge Tech Podcast. Individually, Faye has earned numerous accolades. She is listed among the 25 most influential people in Cambridge, and serves as Chair of the Cambridgeshire Chambers of Commerce. Her advocacy for women in technology has seen her regularly featured in Computer Weekly’s Women in Tech lists, and recognised as one of the most influential women in UK tech during London Tech Week 2024 via the #InspiringFifty listing. Faye is also a dedicated mentor for aspiring technology entrepreneurs, having contributed to leading entrepreneurial programs in Cambridge and internationally, further solidifying her role as a driving force for innovation and growth in the tech ecosystem. If you would like to discuss future opportunities with Faye, you can reach out to her here .
Cambridge MC Falklands team standing with Polly Marsh, CEO of the Ulysses Trust, holding a cheque

The Ulysses Trust Receives £10,000 Donation from Cambridge Management Consulting

by Lucas Lefley 10 July 2025
From left to right: Tim Passingham, Tom Burton, Erling Aronsveen, Polly Marsh, and Clive Quantrill.
More posts