Most organisations only discover how resilient their technology really is during an actual crisis. At this point, it's usually too late to fix anything. A TRA lets you find out the gaps in your technical capabilities safely, collaboratively and before disruption strikes. Here are the main reasons organisations commission one:
Resilience is often assumed rather than evidenced. A TRA gives you a defensible maturity baseline for each critical domain, scored on a consistent 0–4 model. This allows improvement to be tracked, budgeted and proven over time.
Multiple critical applications often depend on a single platform, database or third party. The TRA is specifically designed to show concentration risk and missing exit strategies before they bite — a common finding we uncover.
Tabletop exercises show how your people respond in a moment of crisis. A TRA measures the resilience beneath the response and gives you a prioritised path to improve it. It's the logical next step after tabletops, and a strong starting point if you haven't run them.
Regulatory expectations continue to rise, particularly for financial services firms under the FCA/PRA operational resilience regime (PS21/3, SS1/21) and, where EU exposure exists, DORA. TRA produces the technical evidence that underpins those conversations.
Every recommendation comes with a rationale, timeline, effort/cost estimate and resource requirements so your IT leadership can sequence remediation and defend budget requests with evidence.
The TRA records strengths as well as gaps. Teams leave the process with recognition of what's working, clarity on what isn't, and morale intact — because it's blame-free by design.
We handle all preparation, facilitation and reporting. Your team's only commitment is the session itself.
A Technical Resilience Assessment is designed for the people who build, run, support and recover your critical technology services.
Recommended participants include:
The best participants are the people who understand the systems in practice: the teams who know how the platform is built, how it fails, how it is monitored and how it would be recovered under pressure.
Most assessments tell you how exposed you are. Our Technical Resilience Assessment goes further by showing how each finding affects technical resilience, recovery capability and the organisation’s ability to maintain critical services.
The assessment is:
Practitioner-led: Facilitated by experienced resilience and cyber practitioners.
Scenario-based: Built around realistic disruption scenarios rather than abstract questionnaires.
Evidence-informed: Findings are based on facilitated discussion and supporting evidence where available.
Maturity-scored: Capability is assessed against a defined resilience maturity model.
Remediation-focused: Recommendations are practical, prioritised and aligned to technical ownership.
Collaborative, not punitive: The purpose is to find improvement opportunities, not blame individuals.
Most organisations believe they understand their critical systems until disruption exposes hidden dependencies, undocumented recovery steps or assumptions about failover, backups, logging or supplier support.
A TRA helps answer questions such as:
- Could this critical platform continue operating if a major component failed?
- Do we know how to recover the service, or does recovery depend on one or two individuals?
- Are recovery procedures documented, tested and understood?
- Could we detect and investigate application-layer compromise or data exfiltration?
- Are infrastructure, application, database and security responsibilities clear during a crisis?
- Do we have a plan if a critical platform becomes unsupported, compromised or commercially unviable?
each with rationale, timeline, effort, required resources, implementation steps and success criteria.

Capability is scored against our proprietary five-level framework
Understand how prepared your critical systems are to withstand, respond to and recover from serious disruption.
Build confidence by documenting what is working well, not just what needs improvement.
Single platforms, shared dependencies and missing exit strategies get exposed before they cause outages.
Receive clear, practical recommendations mapped to technical ownership, effort and priority.
Identify visibility gaps (e.g. application-layer logging) that would blind you during a real compromise.
Establish a measurable starting point that can be reassessed after remediation or material change.
A TRA is valuable when your organisation needs evidence of technical resilience, confidence in recovery capability or a clear path to reduce technology risk.
Good triggers include:
- Before launching a new critical digital service
- After a major platform, cloud or infrastructure change
- After a cyber incident, outage or near miss
- Before or after a tabletop exercise
- During operational resilience programme delivery
- When preparing for board or risk committee reporting
- When a critical supplier, platform or application is changing
- When technical recovery processes have not been tested recently
- When regulated growth depends on technology availability and control
A TRA is a structured, practitioner-led assessment of how well a defined technology domain can withstand, respond to and recover from serious disruption. Your technical teams work through realistic failure scenarios with our facilitators, and capability is scored against the five-level CM-Alliance Resilience Maturity Model, producing a maturity baseline and a prioritised remediation roadmap.
A TRA is an assessment, not an audit. It's collaborative, blame-free and built to find improvement, not fault. Unlike a penetration test, which probes for exploitable vulnerabilities, the TRA evaluates your capability to detect, respond to and recover from disruption, including catastrophic scenarios a pen test can't safely simulate.
Each assessment is a single focused session of one to two hours with your technical and IT leads. We handle all preparation, facilitation and reporting, so demand on your team is deliberately minimal.
It's our proprietary five-level scoring framework, ranging from Level 0 (Unprepared — no procedures, no backups, no testing) to Level 4 (Operationally Resilient — automated detection and response with continuous testing). Every scenario in your TRA receives a maturity score against this model, giving you a consistent, defensible baseline.
A confidential report containing detailed findings with evidence, a maturity score per scenario, documented areas of strength, and a consolidated set of prioritised recommendations — each with rationale, timeline, effort/cost, required resources, implementation steps and success criteria.
No. The TRA is interactive by design. It's a facilitated, scenario-based discussion with the people who actually run your critical systems in the room. Documentation supports the assessment, but findings are based on real capability, not paperwork alone.
Tabletops test how you respond on the day; a TRA measures the underlying resilience — architecture, documentation, recovery capability and detection visibility — and gives you a prioritised improvement path. It's the natural next step after tabletop exercises.
Your technical and IT leads for the domain being assessed: typically application owners, infrastructure and platform engineers, database administrators and IT operations. These are the people who build, run and recover the systems, so their input drives accurate findings.
We recommend re-assessing each domain annually, or sooner after any material change to the platform, its dependencies or the applications it hosts. Re-assessment evidences your movement up the maturity levels and demonstrates the return on your remediation investment.
They're standalone, companion assessments sharing the same evidence base and maturity scoring. The TRA serves technical teams with detailed remediation; the ORA translates the same findings into business impact, growth implications and regulatory relevance for board and risk-committee audiences. Take either on its own, or both — having done one, the other is the natural next step.
"In order for BMJ to the right way forward we looked for a VCISO to advise us on the right way to do things and give us expertise. We went to Cyber Management Alliance and it's been about a year now and we ran workshops, looked at our response to incidents, created the incident response plan and we are in a position now where we understand our way forward. Our VCISO keeps us on our toes and overall it's been a very effective way of delivering expertise into the organisation that we wouldn't have normally had."
Aaron Townsend, Service Delivery Manager, British Medical Journal
It starts with a short scoping conversation — we'll define the domain to assess, agree the scenarios, and confirm who should be in the room. One session. One clear roadmap.