Acceptable Risk (Documented)

Because "documented" isn't a mitigation strategy

About Me

Equilateral triangle prism to symbolise governance

Who’s writing this

I’m Paul Maxwell.

I started out as a Royal Navy engineering artificer. My job was maintenance and readiness. If something mattered, it got checked, tested, and owned. If it didn’t, it failed at the worst possible time.

That mindset is why I’m sceptical of “we’ve documented it” as a comfort blanket.

I’ve spent 25+ years in cyber security, information assurance and technology risk across government and commercial environments. A lot of it has been high-assurance work where you don’t get to pretend things are fine because a policy exists. You either have evidence, or you have risk.

What I actually do

Most organisations don’t fail because they lack frameworks.

They fail because basic controls drift. Ownership goes fuzzy. Recovery plans haven’t been rehearsed. Suppliers can’t show proof. And everyone only discovers this when they’re already in the incident.

My work has mostly been about finding and closing that gap. Making risk concrete and operational:

  • who owns it
  • what “good” looks like day-to-day
  • what evidence proves it
  • what to do when the pressure hits

A lot of what I do is simple in principle: find the real risk, not the documented risk, then turn it into something owned, prioritised, and provable.

I’m currently a Partner at FSP, co-leading the Governance, Risk and Compliance capability. I’m responsible for growth and for delivering pragmatic, high-assurance cyber and risk work across public and private sector clients.

Before that, I built and ran Stratia Cyber, delivering security leadership and assurance across multiple sectors.

How I think about security

I care less about how good it looks on paper and more about whether it works in real life.

If you want a simple diagnostic, it’s this:

If something went wrong this Friday afternoon, do you know who is in charge, what the first three actions are, and how you’d prove the backups work?

If the answer is “it’s in a document somewhere”, you’ve got a gap.

Credentials (kept short)

I’m an NCSC ACSC Head Consultant and one of the first UK Cyber Security Council Chartered Cyber Security Professionals. I’m also a Chartered IT Professional (BCS) and hold CISSP, CISA and CCSP.

I list that because some people look for it. It’s not the point.

Why I write

Acceptable Risk (Documented) is my public library of what I’ve seen work, what I’ve seen fail, and the boring disciplines that stop organisations getting surprised.

Because “documented” is not a mitigation strategy.

If you’re honest, is your organisation running on evidence… or paperwork?