May 13, 2025
From pilot to capability: The journey to operationalise CRQ
James Hanbury
Global Lead Director, Co-founder

Read the next blog in the series

No items found.
James Hanbury
Global Lead Director, Co-founder
James is the co-founder and Global Lead Director of CRI. He has spent over a decade working with cyber and risk teams, helping them bring more structure and clarity to how cyber risk is measured and communicated. James began building the earliest versions of CRI's models back in 2016, using Excel to explore how organisations could approach cyber risk in a more decision-focused way. That work has since grown into a SaaS-enabled capability now used by clients around the world. Based in London, James continues to work closely with CRI's clients and partners, focusing on how to make cyber risk quantification useful, explainable, and easier to adopt in practice.
Thought Leadership
CRQ in action
Cracking the CRQ code
From pilot to capability: The journey to operationalise CRQ

CRQ can’t remain a pilot forever. To drive meaningful, repeatable value, it needs to mature into a business capability: trusted, embedded, and regularly informing decisions.

In this article, I share a four-stage CRQ maturity ladder. Each stage includes key actions to take, potential blockers, and traps to avoid. Together, these offer a roadmap to help CRQ evolve from a promising experiment to a business-critical capability.

We'll cover:

  • Stage 1: Explore and demonstrate value
  • Stage 2: Expand use and build confidence
  • Stage 3: Standardise and operationalise
  • Stage 4: Embed as capability
By submitting this form I agree that Cyber Risk Insights may collect, process and retain my data pursuant to its Privacy Policy.
Thank you! Use the button below to access the content.
Read now
Oops! Something went wrong while submitting the form.

Summary

Key messages

01

02

03

Thought Leadership
CRQ in action
Cracking the CRQ code
From pilot to capability: The journey to operationalise CRQ

CRQ can’t remain a pilot forever. To drive meaningful, repeatable value, it needs to mature into a business capability: trusted, embedded, and regularly informing decisions.

In this article, I share a four-stage CRQ maturity ladder. Each stage includes key actions to take, potential blockers, and traps to avoid. Together, these offer a roadmap to help CRQ evolve from a promising experiment to a business-critical capability.

We'll cover:

  • Stage 1: Explore and demonstrate value
  • Stage 2: Expand use and build confidence
  • Stage 3: Standardise and operationalise
  • Stage 4: Embed as capability
Read now

Summary

Key messages

01

02

03

Recent Insights

8 shifts changing how organisations manage risk

Cyber risk isn’t being rewritten by a shiny new framework, it’s being forced to evolve because the way organisations use technology has changed. We unpack eight shifts already surfacing in incidents, audits and boardrooms.
Martin Tyley
Blog
Mega trends

The hidden variable in cyber risk decisions: The decision environment

Inspired by Nobel prize winner, Daniel Kahneman’s timeless lessons on decision‑making, explore how his ideas can help cyber leaders improve group judgement and overcome bias in strategy discussions.
James Hanbury
Blog
CRQ in action

Calculating the impact of a cyber-attack on critical infrastructure

What would a systemic cyber-attack cost the UK economy? We recently conducted a study for the Department for Science, Innovation and Technology (DSIT) to answer that question. The findings show the scale of potential disruption and underline why resilience planning matters.
James Hanbury
Blog
Sector insights

See CRI in action

Book a personalised demo and discover how CRI can help you make smarter cyber risk decisions.
Book a demo