Introduction The National Counterintelligence & Security Center (NCSC) suggests that universities are particularly vulnerable to cyber crime because they are key contributors to the economy, skills development, and innovation. Cambridge MC was approached to conduct a comprehensive cyber capability maturity assessment for a major UK academic institution, leveraging a team of experts with technical understanding and frontline experience in cyber defence. This team carried out a thorough evaluation through a series of tests, interviews, and artefact examinations. Unlike conventional assessments, our strategy focused on actionable insights which were tailored to the unique operational context of the institution. The assessment was structured around recognised capability categories, informed by the team’s extensive experience defending against cyber attacks. The methodology was particularly effective for its sensitivity to the institution’s risk appetite—balancing cost, risk, and investment to propose solutions that were unique to their situation. Project Overview The primary challenge was the institution’s realisation that its existing cyber hygiene practices and IT discipline might not be sufficiently robust to withstand increasingly advanced tactics employed by cybercriminals and their growing interest in the education sector. The institution sought out Cambridge MC to identify these vulnerabilities, assess the overall maturity of its cybersecurity practices, and recommend strategic improvements. This meant not only highlighting technical deficiencies, but also providing a holistic evaluation of the institution’s security posture, considering the practical realities of defending against threats. This included an assessment of the institution’s risk readiness, infrastructure resilience and staff preparedness. Cambridge MC’s goal was to ensure that the recommendations produced as a result of this assessment were not only technically sound but contextually appropriate and aligned with the institution’s strategic objectives and resources constraints. This personalised approach was crucial in designing a cyber security strategy that was both achievable and sustainable. Strategy What we did Our approach involved a thorough assessment of the institution’s cyber infrastructure, including tests, interviews, and the examination of artefacts to gain a holistic understanding of their cyber maturity. To do this, we engaged experts with significant technical depth and extensive experience in cyber defence and leadership roles; a blend which was crucial in conducting a maturity assessment that focused on pragmatic gap closures. Why we did it this way Our methodology was designed to move beyond mere technical details and address the practical aspects of cyber security. By organising our work into recognised capability categories, we targeted areas that, if weak, would likely lead to vulnerability and a high risk of attack. This approach allowed us to pinpoint critical gaps in the institution’s cyber security practices and propose target improvements. Concepts and methodologies applied We applied a risk-based approach, sensitive to the institution’s risk appetite, to make practical trade-offs between cost, risk, and investment. This ensured that our recommendations were contextually appropriate and aligned with the institution’s strategic objectives. Our assessment framework was grounded in industry-best practices and standards, tailored to the unique needs and challenges of the academic sector. Obstacles encountered and overcoming them One of the main obstacles we encountered was resistance to change, a common challenge for institutions with established routines and cultures. To overcome this, we emphasised the importance of cyber hygiene and IT discipline through clear, evidence-based findings and recommendations. We conducted workshops and discussions to engage stakeholders at all levels, highlighting the tangible benefits of enhancing their cyber security posture and demonstrating how our recommendations could be implemented in a manageable manner. The Team The Cambridge MC cyber security team tasked with supporting on this project was comprised of: A technically adept practitioner specialising in vulnerability testing, equipped with cutting-edge knowledge of tools and techniques for identifying weaknesses in the institution’s cyber defences. This role was crucial for uncovering hidden vulnerabilities that could be exploited by attackers, providing a technical foundation for the assessment. Back-office risk experts with a deep understanding of the broader risk landscape and risk management principles, ensuring that the assessment considered not just technical vulnerabilities but also organisational and procedural risks, aligning the cyber security strategy with the institution’s overall risk appetite. A security leader with 30 years of experience building and running security services, who offered strategic oversight and practical insight into effective cyber defence mechanisms and was vital in ensuring the recommendations were not only theoretically sound but also pragmatically achievable. Together, these professionals ensured a comprehensive, nuanced, and highly practical assessment, underlining the importance of a balanced team in addressing complex cyber security challenges. Outcome & Results Optimised Cyber Resilience We recommended and outlined a robust workflow and identity management system across all of the institution’s systems, emphasising the need for multi-stakeholder cooperation. This highlighted the challenge of managing over tens of thousands of accounts for a community of many fewer staff and students. Longevity We made clear, actionable recommendations describing implementation plans for changes, such as improving the security culture and some operational deliverables associated with SOC efficacy, all of which were agreed upon by the leadership team who assured us that these changes would be in place at this institution for the next three years. Staff Readiness We enhanced the security awareness and training of the staff, postgraduate researchers, and students, including specialised training for the Information Security team. We also made recommendations for improving security posture, such as the adoption of Cloud Access Security Broker (CASB) and Data Leakage Prevention (DLP) solutions, and the development of a quantitative risk forecasting methodology. Forward Planning We also made suggestions for future improvements, including SOC operational activities, creating new initiatives targeting cyber kill chain strategy areas, and planning disaster recovery tests for ICT systems.

By implementing a VoIP system to reduce costs, promote collaboration, and streamline patient care Our Partner and VoIP expert, Mario Hanzek, recently completed a telephony transformation project for one of the major Healthcare NHS Foundation Trusts, with over 4,000 telephony users. The project aimed to exchange several of the original phone systems with a hosted state-of-the-art VoIP (Voice over Internet Protocol) system. The key objectives were to reduce costs, enhance flexibility, improve scalability, and ensure superior call quality. In doing so, Mario implemented, end-to-end encryption for enhanced security, seamless integration with existing platforms, and collaboration among employees and patients. Project Overview The NHS Foundation Trust was facing numerous communication challenges, the most significant being: Increased cost of maintenance contracts for on-premise telephony systems Call costs across multiple service providers Limited flexibility for remote working and long-distance collaboration between teams Outdated hardware These challenges disrupted communication within the organisation, therefore impacting operational efficiency and crucial patient care. Why VoIP? Cost Reduction: Implementing VoIP significantly reduces maintenance and call expenses. The organisation can now make calls over the internet, thus avoiding associated with traditional phone lines. Flexibility: With the new VoIP system, employees gained the flexibility to make calls from anywhere or any device with internet access. This is particularly beneficial for staff working remotely or in different healthcare facilities. Collaboration: The VoIP system promotes seamless collaboration among the trust's healthcare professionals, allowing for instant communication across various departments and with patients. This is further enhanced by the system's video conferencing and messaging capabilities. Scalability and Functionality: Using VoIP allows for easier scalability and flexibility to accommodate the growing needs of the healthcare organisation. Additional features, such as contact centres, voice recording, voicemail-to-email and call forwarding, were easily integrated, providing enhanced functionality as required, regardless of the user's location. Integration: The VoIP system slots in perfectly among the trust's existed applications and processes. This integration streamlined administrative tasks, improved patient management, and enhanced overall operational efficiency. Outcomes & Results 1. This successful telephony transformation project for the NHS Foundation Trust proves the positive impact that VoIP technology can have on communication within healthcare organisations. 2. The project successfully addressed challenges related to cost, flexibility, collaboration, scalability, and integration.

Ensuring that University of Bristol remains the university of choice for students, academics and partners in a globally competitive market The University of Bristol is a Russell Group University and a leader in many global league tables, including the QS World University Rankings where in 2023 it ranked 9th in the UK. To strengthen its competitive position, the University is undertaking an ambitious digital transformation strategy. As a foundation of this strategy, the Modern Network will deliver a significant increase in capacity, flexibility, automation, resilience, security and experience for all users. Cambridge Management Consulting was selected as the consulting firm to help the University establish and refine the requirements, design the network in collaboration with University of Bristol experts and lead the technical procurement for a Modern Network. Cambridge MC’s technical and commercial expertise helped University of Bristol navigate a complex procurement exercise and deliver the first stages of the transformation programme. The Challenge The current University of Bristol campus network requires significant modernisation to support the University’s Digital Strategy. All staff, students and visitors interact with the University's network every day, whether it's connecting a device to Wi-Fi, emailing a colleague, or running a session on the University’s Digital Learning Platform. The University of Bristol recognised that improving their global competitiveness requires a step change in the digital experience offered to all users and so it launched its Modern Network programme. Key objectives of the Modern Network are to introduce a high-performance network that gives users access to comprehensive teaching and learning resources, as well as specialist equipment, data, and scalable fibre for innovative research. The Modern Network programme also aims to enable students to connect with friends and family, and socialise online from wherever they are on campus, at any time, day or night. The new network will enhance the Wi-Fi coverage and capacity to give users the best digital experience round the clock. The University realises that a significant increase in network performance is needed to support data intensive activities, including centralised and de-centralised computing, large scale sensor networks, media rich applications like augmented and virtual reality, data intensive instrumentation and modelling. The architecture designed is going to be more flexible, highly scalable, adaptable and evergreen. Security will be improved to cope with the continuously evolving threat landscape and to enable Modern Network users to safely perform their activities from any location in the world, with a consistent, hassle-free experience. The Modern Network will deliver a reliable platform with world-class operational capabilities, making the services easy to consume, monitor and manage. The Strategy Cambridge Management Consulting used its expertise and knowledge to quickly establish a comprehensive set of requirements and to test market appetite to deliver a Modern Network via an RFI. Requirements Management used a structured approach based on a Cambridge MC requirements catalogue. This accelerated the process of engaging University of Bristol stakeholders to validate requirements and helped to shape the University’s procurement process. An efficient and comprehensive stakeholder engagement process also saw the development of multiple personas that were used to explain how the Modern Network would deliver capabilities for students, academics, researchers and professional services colleagues. Cambridge MC, in conjunction with the university, then helped to shape a structured procurement approach. Modern Network capabilities were put into 3 main procurement categories to provide purchasing and transformation flexibility. Cambridge MC led the Procurement technical dialogue. Working in partnership with experts from the University of Bristol, a highly scalable, flexible, secure and resilient target state network was designed. The design is modular and makes use of multiple technical patterns. This provides a repeatable, standardised way for the University to deliver capabilities that can have customised performance service and levels. To assist the Procurement activities, Cambridge MC also created a Model Modern Network. The Model allowed a consistent financial assessment to be made at each stage of the Procurement, including providing a detailed estimate of the transformation milestones and payments. The Cambridge MC team also shaped the Modern Network programme. It was broadly shaped into mobilisation, discovery, design, prove, pilot and deploy phases. Cambridge MC are providing support in the early transformation phase to help the University of Bristol deliver the ambitious programme. The resulting Modern Network will be a high performance, flexible, resilient and secure platform. It will introduce self-service and automation, such as zero touch deployments and autonomous networks for research activities. It will leverage programmatic control and AIOps to improve the digital experience and inclusiveness, sustainability and the global competitiveness of the University. A technical modernisation like this requires a similar shift to a world-class operating model. Cambridge MC supported the service management redesign throughout the procurement phase. Using comprehensive requirements structured around ITIL, the team co-designed the enhanced set of service capabilities and are now helping University of Bristol to introduce these services. The new service management approach will provide full end-to-end visibility of the network, formal SLAs and SLA management and enhanced fault, change, configuration and knowledge management. This will complement the new technical capabilities and provide significant benefits to the University. The Team Cambridge Management Consulting provided procurement, commercial, technical business analysis and service management expertise. Cambridge MC also provided expertise for the procurement and post-procurement implementation activity. Cambridge MC worked exceptionally well with the University's digital and procurement teams to ensure end-to-end success for the University. Not only did the Cambridge MC team help support, but they also provided extensive knowledge transfer to, the University to minimise the future need for external support, minimise future costs for external consultants and help further develop the in-house ICT and procurement capabilities. Outcomes & Results 1. Cambridge Management Consulting's attention to detail ensured there were clear winners of the Procurement lots, with no challenges or disaffected potential suppliers. The winners of the three lots were all world-class organisations with a desire to support the University with its ambition to deliver a first-class service. 2. Cambridge MC have since assisted the University with other aspects of their Digital Strategy and continue to be engaged to help University of Bristol transform.

What’s your organisation’s type when it comes to cyber security? Is everything justified by the business risks, or are you hoping for the best? Over the decades, I have found that no two businesses or organisations have taken the same approach to cybersecurity. This is neither a criticism nor a surprise. No two businesses are the same, so why would their approach to digital risk be? However, I have found that there are some trends or clusters. In this article, I’ve distilled those observations, my understanding of the forces that drive each approach, and some indicators that may help you recognise it. I have also suggested potential advantages and disadvantages. Ad Hoc Let’s start with the ad hoc approach, where the organisation does what it thinks needs to be done, but without any clear rationale to determine “How much is enough?” The Bucket of Sand Approach At the extreme end of the spectrum is the 'Bucket of Sand' option which is characterised by the belief that 'It will never happen to us'. Your organisation may feel that it is too small to be worth attacking or has nothing of any real value. However, if an organisation has nothing of value, one wonders what purpose it serves. At the very least, it is likely to have money. But it is rare now that an organisation will not hold data and information worth stealing. Whether this data is its own or belongs to a third party, it will be a target. I’ve also come across businesses that hold a rather more fatalistic perspective. Most of us are aware of the regular reports of nation-state attacks that are attempting to steal intellectual property, causing economic damage, or just simply stealing money. Recognising that you might face the full force of a cyber-capable foreign state is undoubtedly daunting and may encourage the view that 'We’re all doomed regardless'. If a cyber-capable nation-state is determined to have a go at you, the odds are not great, and countering it will require eye-watering investments in protection, detection and response. But the fact is that they are rare events, even if they receive disproportionate amounts of media coverage. The majority of threats that most organisations face are not national state actors. They are petty criminals, organised criminal bodies, opportunistic amateur hackers or other lower-level actors. And they will follow the path of least resistance. So, while you can’t eliminate the risk, you can reduce it by applying good security and making yourself a more challenging target than the competition. Following Best Practice Thankfully, these 'Bucket of Sand' adopters are less common than ten or fifteen years ago. Most in the Ad Hoc zone will do some things but without clear logic or rationale to justify why they are doing X rather than Y. They may follow the latest industry trends and implement a new shiny technology (because doing the business change bit is hard and unpopular). This type of organisation will frequently operate security on a feast or famine basis, deferring investments to next year when there is something more interesting to prioritise, because without business strategy guiding security it will be hard to justify. And 'next year' frequently remains next year on an ongoing basis. At the more advanced end of the Ad Hoc zone, you will find those organisations that choose a framework and aim to achieve a specific benchmark of Security Maturity. This approach ensures that capabilities are balanced and encourages progressive improvement. However, 'How much is enough?' remains unanswered; hence, the security budget will frequently struggle for airtime when budgets are challenged. It may also encourage a one-size-fits-all approach rather than prioritising the assets at greatest risk, which would cause the most significant damage if compromised. Regulatory-Led The Regulatory-Led organisation is the one I’ve come across most frequently. A market regulator, such as the FCA in the UK, may set regulations. Or the regulator may be market agnostic but have responsibility for a particular type of data, such as the Information Commissioner’s Office’s interest in personal data privacy. If regulatory compliance questions dominate most senior conversations about cyber security, the organisation is probably in this zone. Frequently, this issue of compliance is not a trivial challenge. Most regulations don’t tend to be detailed recipes to follow. Instead, they outline the broad expectations or the principles to be applied. There will frequently be a tapestry of regulations that need to be met rather than a single target to aim for. Businesses operating in multiple countries will likely have different regulations across those regions. Even within one country, there may be market-specific and data-specific regulations that both need to be applied. This tapestry is growing year after year as jurisdictions apply additional regulations to better protect their citizens and economies in the face of proliferating and intensifying threats. In the last year alone, EU countries have had to implement both the Digital Operational Resilience Act (DORA) and Network and Infrastructure Security Directive (NIS2) , which regulate financial services businesses and critical infrastructure providers respectively. Superficially, it appears sensible and straightforward, but in execution the complexities and limitations become clear. Some of the nuances include: Not Everything Is Regulated The absence of regulation doesn’t mean there is no risk. It just means that the powers that be are not overly concerned. Your business will still be exposed to risk, but the regulators or government may be untroubled by it. Regulations Move Slowly Cyber threats are constantly changing and evolving. As organisations improve their defences, the opposition changes their tactics and tools to ensure their attacks can continue to be effective. In response, organisations need to adjust and enhance their defences to stay ahead. Regulations do not respond at this pace. So, relying on regulatory compliance risks preparing to 'Fight the last war'. The Tapestry Becomes Increasingly Unwieldy It may initially appear simple. You review the limited regulations for a single region, take your direction, and apply controls that will make you compliant. Then, you expand into a new region. And later, one of your existing jurisdictions introduces an additional set of regulations that apply to you. Before you know it, you must first normalise and consolidate the requirements from a litany of different sets of rules, each with its own structure, before you can update your security/compliance strategy. Most Regulations Talk about Appropriateness As mentioned before, regulations rarely provide a recipe to follow. They talk about applying appropriate controls in a particular context. The business still needs to decide what is appropriate. And if there is a breach or a pre-emptive audit, the business will need to justify that decision. The most rational justification will be based on an asset’s sensitivity and the threats it is exposed to — ergo, a risk-based rather than a compliance-based argument. Opportunity-Led Many businesses don’t exist in heavily regulated industries but may wish to trade in markets or with customers with certain expectations about their suppliers’ security and resilience. These present barriers to entry, but if overcome, they also offer obstacles to competition. The expectations may be well defined for a specific customer, such as DEF STAN 05-138 , which details the standards that the UK Ministry of Defence expects its suppliers to meet according to a project’s risk profile. Sometimes, an entire market will set the entry rules. The UK Government has set Cyber Essentials as the minimum standard to be eligible to compete for government contracts. The US has published NIST 800-171 to detail what government suppliers must meet to process Controlled Unclassified Information (CUI). Businesses should conduct due diligence on their suppliers, particularly when they provide technology, interface with their systems or process their data. Regulations, such as NIS2, are increasingly demanding this level of Third Party Risk Management because of the number of breaches and compromises originating from the supply chain. Businesses may detail a certain level of certification that they consider adequate, such as ISO 27001 or a System & Organization Controls (SOC) report. By achieving one or more of these standards, new markets may open up to a business. Good security becomes a growth enabler. But just like with regulations, if the security strategy starts with one of these standards, it can rapidly become unwieldy as a patchwork quilt of different entry requirements builds up for other markets. Risk-Led The final zone is where actions are defined by the risk the business is exposed to. Being led by risk in this way should be natural and intuitive. Most of us might secure our garden shed with a simple padlock but would have several more secure locks on the doors to our house. We would probably also have locks on the windows and may add CCTV cameras and a burglar alarm if we were sufficiently concerned about the threats in our area. We may even install a secure safe inside the house if we have some particularly valuable possessions. These decisions and the application of defences are all informed by our understanding of the risks to which different groups of assets are exposed. The security decisions you make at home are relatively trivial compared to the complexity most businesses face with digital risk. Over the decades, technology infrastructures have grown, often becoming a sprawling landscape where the boundaries between one system and another are hard to determine. In the face of this complexity, many organisations talk about being risk-led but, in reality, operate in one of the other zones. There is no reason why an organisation can’t progressively transform from an Ad Hoc, Regulatory-Led or Opportunity-Led posture into a Risk-Led one. This transformation may need to include a strategy to enhance segmentation and reduce the sprawling landscape described above. Risk-Led also doesn’t mean applying decentralised, bespoke controls on a system-by-system basis. The risk may be assessed against the asset or a category of assets, but most organisations usually have a framework of standard controls and policies to apply or choose from. The test to tell whether an organisation genuinely operates in the Risk-Led zone is whether they have a well-defined Risk Appetite. This policy is more than just the one-liner stating that they have a very low appetite for risk. It should typically be broken down into different categories of risk or asset types; for instance, it might detail the different appetites for personal data risk compared to corporate intellectual property marked as 'In Strict Confidence'. Each category should clarify the tolerance, the circumstances under which risk will be accepted, and who is authorised to sign off. I’ve seen some exceptionally well-drafted risk appetite policies that provide clear direction. Once in place, any risk review can easily understand the boundaries within which they can operate and determine whether the controls for a particular context are adequate. I’ve also seen many that are so loose as to be unactionable or, on as many occasions, have not been able to find a risk appetite defined at all. In these situations, there is no clear way of determining 'How much security is enough'. Organisations operating in this zone will frequently still have to meet regulatory requirements and individual customer or market expectations. However, this regulatory or commercial risk assessment can take the existing strategy as the starting point and review the relevant controls for compliance. That may prompt an adjustment to security in certain places. But when challenged, you can defend your strategy because you can trace decisions back to the negative outcomes you are attempting to prevent — and this intent is in everyone’s common interest. Conclusions Which zone does your business occupy? It may exist in more than one — for instance, mainly aiming for a specific security maturity in the Ad Hoc zone but reinforced for a particular customer. But which is the dominant zone that drives plans and behaviour? And why is that? It may be the right place for today, but is it the best approach for the future? Apart from the 'Bucket of Sand' approach, each has pros and cons. I’ve sought to stay balanced in how I’ve described them. However, the most sustainable approach is one driven by business risk, with controls that mitigate those risks to a defined appetite. Regulatory compliance will probably constitute some of those risks, and when controls are reviewed against the regulatory requirements, there may be a need to reinforce them. Also, some customers may have specific standards to meet in a particular context. However, the starting point will be the security you believe the business needs and can justify before reviewing it through a regulatory or market lens. If you want to discuss how you can improve your security, reduce your digital risk, and face the future with confidence, get in touch with Tom Burton, Senior Partner - Cyber Security, using the below form.

Jason Jennings | Elevate your project management with AI. This guide for senior leaders explains how AI tools can enhance project performance through predictive foresight, cognitive collaboration, and portfolio intelligence. Unlock the potential of AI in your organisation and avoid the common pitfalls.

A New Era of Local Power: What’s in the English Devolution Bill? The UK Government has taken a major step forward in reshaping local governance in England with the publication of the English Devolution and Community Empowerment Bill. This is more than a policy shift — it’s a structural rethink that sets out to make devolution the norm, not the exception. This is a welcome change in direction. This framework could unlock new potential for place-based leadership, community decision-making, and joined-up regional delivery. But as with any big reform, the opportunity lies in the detail — and in how we respond. Key Changes Introduced by the Bill Standardised Framework for Strategic Authorities: Combined Authorities, the GLA, and County Combined Authorities will all fall under a new, consistent legal model — making future devolution smoother and more transparent. Mayors Gain More Leverage: Elected mayors now have a legal right to request further powers, with the Government required to respond. This could pave the way for greater local control over transport, housing, energy, and skills. Neighbourhood Governance Becomes a Duty: Councils will be required to introduce or enhance neighbourhood governance models, supporting community voices and hyper-local decision-making. Simplified Local Government Reorganisation: The Bill makes it easier to create unitary authorities and restructure Strategic Authorities, while mandating the leader-and-cabinet model across councils. Expanded Local Powers: Local authorities will gain new tools to manage shared transport (e.g. e-scooters), protect community assets, and take greater ownership of local planning and infrastructure decisions. Financial Oversight with New Audit Body: A dedicated Local Audit Office will strengthen transparency and public trust in the financial performance of devolved authorities. Why This Matters This legislation has the potential to reshape the relationship between central and local government. It provides: Greater clarity for local leaders navigating the devolution journey Stronger alignment between regional planning, investment, and delivery Formalised community empowerment as a core part of local governance Faster implementation of reforms, removing historical friction with Whitehall If implemented well, it could accelerate levelling up, boost public confidence, and enable councils to better serve their communities. Things to Watch While the ambitions are clear, some areas need close attention: Will funding follow the powers? Without sustained financial backing, councils risk being given responsibilities without the means to deliver. Can neighbourhood structures scale inclusively? Capacity and engagement are key. Local authorities will need support to build neighbourhood governance that is truly representative and impactful. Is the framework flexible enough? A standardised model may reduce complexity, but different places have different needs. Will the new system allow enough room for local variation? Politics, Patchworks and Practicalities: Navigating the Real World of Devolution While the Bill sets out a bold framework, turning that into action won’t be straightforward. Key challenges include: 1. Political Variation Across England Party control differs widely across councils and combined authorities. Some areas will embrace the model enthusiastically; others may resist due to local politics, institutional inertia, or differing visions of place-based governance. The perception of centralisation vs. genuine empowerment may vary depending on the colour of national vs. local government. 2. Tension Between Standardisation and Local Identity The Bill’s aim to simplify and harmonise structures may clash with deeply rooted local differences. Places with strong local identities (e.g. Cornwall, Yorkshire) may be wary of “off-the-shelf” devolution deals or generic governance templates. 3. Differing Appetite for Mayoral Leadership Not all areas want or have elected mayors. Extending powers to Strategic Authorities with mayors may widen the gap between those “inside” and “outside” the model. This could reinforce a two-speed devolution system unless flexibility is built in. 4. Election Cycles and Political Continuity Leadership turnover, locally and nationally can stall momentum, undo hard-won consensus, or shift priorities mid-implementation. Cross-party collaboration will be essential, but not always easy in contested regions. The advantages will need to be sold well. 5. Capacity and Capability Gaps Even with strong local political will, some councils may struggle with resourcing, skills, or institutional readiness to implement new duties or governance changes. What Should Local Leaders Do Now? Start preparing governance structures in anticipation of new duties Identify gaps or priorities where additional powers could unlock outcomes Engage partners early—from VCS organisations to universities to SMEs — to co-design delivery models Assess audit and performance frameworks to ensure compliance and transparency Final Thoughts This Bill is a welcome statement of trust in local institutions. It’s now up to councils, combined authorities, and delivery partners to turn this framework into lasting, meaningful change.