Publications

Field notes from M&A programs and cybersecurity GRC engagements: what actually works, written for executives, CIOs and investment funds.

Cyber resilience in M&A: the attackers’ favorite moment

Identities in motion, reorganized teams, hastily interconnected systems: an M&A deal is an ideal exposure window for an attacker. Why, and how to build cyber resilience into the program rather than catching…

Read the article

Cyber crisis management: why the exercise matters more than the binder

In a cyber crisis, the binder does not answer the phone. What keeps an attacked organization standing is a trained crisis cell, clear roles and reflexes acquired through exercises. How to build…

Read the article

ISO 27001: from gap analysis to certification audit, the realistic journey

6 to 18 months: that is the realistic duration of an ISO 27001 certification journey, from gap analysis to audit. The steps, the classic pitfalls (including paper compliance), and what happens after…

Read the article

DORA: what the regulation actually requires from financial entities and their providers

Applicable since January 2025, the DORA regulation imposes a complete digital operational resilience framework on the financial sector: ICT risk management, incident notification, testing, third-party oversight. The essentials, without the jargon.

Read the article

Change management in M&A: bringing teams along without the exodus

In a merger, a carve-out or an integration, the most fragile variable is neither technical nor legal: it is human. How to manage change when uncertainty is at its peak and your…

Read the article

The first 100 days of a post-merger integration: governance and quick wins

After closing, the 100-day window sets the momentum of the whole integration. What to install, deliver and communicate during this period, and what can wait.

Read the article

PMI: why so many post-merger integrations destroy value

Reference studies have pointed for decades at a 70 to 90% failure rate of M&A deals to deliver the expected value. The cause is rarely the deal itself: it is the integration.…

Read the article

Day 1 checklist: the control points of an IT separation that holds

Day 1 is the first Monday morning when nothing is allowed to fail. Identities, email, access, payroll, communication: the control points to verify before, during and after the big day.

Read the article

BCP, DRP, BIA: the three pillars of business continuity under ISO 22301

BIA, BCP, DRP: three acronyms often confused, three distinct building blocks of the same edifice. What each one covers, how ISO 22301 ties them together, and why an untested plan is not…

Read the article

NIS2: are you in scope, and what should you actually do?

The NIS2 directive is in force and covers thousands of entities across 18 sectors in the EU. Are you in scope? What are the obligations, the penalties, and where should you start?…

Read the article

IT carve-out: the 7 workstreams of a separation plan

A successful IT carve-out rests on a separation plan covering seven interdependent workstreams: identities, workplace, applications, infrastructure, contracts, cybersecurity and TSA governance. A workstream-by-workstream review.

Read the article

TSA: how to negotiate it, and above all how to exit it

The Transitional Service Agreement is the most underestimated contract of a carve-out. Well negotiated, it buys time. Poorly managed, it becomes an annuity for the seller. How to scope it, monitor it…

Read the article