The UK’s Devolution White Paper represents a significant milestone in the evolution of local governance. By transferring greater powers and funding to regions, devolution has the potential to rebalance the economy, drive local innovation, and improve public services in ways that reflect regional needs. However, while the policy direction is clear, ensuring that devolution delivers on its promise will require focus, leadership, and a commitment to making it work in practice. The opportunity ahead is vast. With both new Combined Strategic Authorities (CSAs) and new Unitary Authorities (UAs) set to emerge, the challenge is not just about establishing new structures but about delivering real outcomes for people, businesses, and communities. To do this, leaders must prioritise three key areas: getting early decisions right, establishing strong partnerships, and moving beyond governance to delivery. The First 100 Days: Setting a Clear Direction For newly devolved regions, the early months are crucial. The way new Combined Authorities and Unitary Authorities establish themselves will determine their credibility and effectiveness in the years to come. Experience from existing devolution settlements suggests that success depends on: A strong, unified vision that aligns political, business, and community interests. Early investment in strategic priorities such as transport, skills, and business support. Clear governance and decision-making structures that enable action rather than bureaucracy. For new Combined Strategic Authorities, which will bring together multiple local councils under a regional governance model, the key challenge will be to establish strong relationships between constituent authorities and ensure that devolution delivers meaningful economic and social benefits. These authorities must act as catalysts for regional growth, shaping investment strategies and infrastructure development. Meanwhile, new Unitary Authorities, which will replace existing two-tier local government structures in some areas, face a different challenge: ensuring a smooth transition from district and county councils while maintaining service delivery. Early decisions on financial sustainability, workforce integration, and community engagement will be critical to their success. When these new authorities get these fundamentals right, they build public confidence, attract investment, and demonstrate the real benefits of devolution. The alternative—slow decision-making, fragmented priorities, or uncertainty—risks undermining the potential benefits before they can be realised. Beyond Structures: Delivering Growth and Public Value For devolution to succeed, it must be measured not by the governance arrangements it creates but by the impact it delivers. At its best, devolution can: Support economic rebalancing – allowing regions to shape their own growth strategies and attract investment tailored to local strengths. Improve public services – integrating health, transport, and housing policies in ways that work for local communities. Drive innovation and sustainability – empowering regions to lead on green growth, digital transformation, and new models of service delivery. However, turning these ambitions into reality requires expertise, collaboration, and a focus on delivery. It is essential to recognise that devolution is not a one-size-fits-all solution. Challenges and Pitfalls to Avoid Devolution must be tailored to local needs rather than driven by central government’s preferred model. As Councillor John Merry, Chair of Key Cities and Deputy Mayor of Salford, has noted, the government’s current approach to devolution, which often emphasises large unitary authorities as a prerequisite for greater powers, does not suit all areas. While a move towards larger authorities may improve efficiency in some regions, it risks overlooking the distinct economic and social needs of smaller urban areas. Local leaders must be actively involved in shaping devolution settlements to ensure they work in practice, not just on paper. Similarly, the County Councils Network (CCN) has warned that while local government reorganisation may be necessary in some areas to unlock more ambitious devolution deals, it must be evidence-based. They have raised concerns that breaking up county councils into smaller unitary authorities could create structures that lack the scale to drive economic growth or deliver major infrastructure projects effectively. This highlights the need for carefully considered and locally led approaches to reform.  Another critical risk is funding uncertainty. Many local leaders have welcomed devolution in principle but remain concerned that new authorities will be given responsibility without the long-term financial certainty needed to deliver real change. Without multi-year funding settlements and greater fiscal autonomy, there is a danger that new authorities will find themselves constrained by short-term financial pressures rather than empowered to drive transformation. The National Opportunity While much of the focus has been on how local areas can use devolution to their advantage, the opportunity is equally significant for the UK as a whole. A successful devolution agenda would mean: A stronger, more balanced economy where growth is not concentrated in London and the South East but driven by thriving regional economies. A more responsive state, with policies shaped closer to the people and businesses they affect. Greater trust in government, as local leaders demonstrate the ability to deliver tangible improvements. The next phase of devolution must be a shared national effort—where central government, regional leaders, businesses, and communities work together to ensure that this is not just a shift in structures but a real shift in power, funding, and impact. The UK stands at a crossroads. If devolution is done well, it has the potential to unlock one of the most significant economic and social transformations in a generation. The question is whether we will seize this opportunity or allow it to become another layer of bureaucracy. The choice, and the challenge, lies ahead.

Cambridge MC engaged with a historic and world-famous university to support the reinvigoration of their Human Resource functions. Specifically, we were asked to improve HR service delivery, and establish the first steps towards change readiness preparation to support the HR function during a college-wide Enterprise Resource Planning (ERP) Project. To achieve these outcomes, we conducted a 3-dimensional process review model to assess their current HR operations. Within this, we evaluated and understood the university's HR department through multiple data streams, using the information collected to identify current quick wins and present recommendations going forward. Strategy Cambridge MC used a unique ‘3-dimensional process view model’ to evaluate the efficacy of the processes, people, and systems that formed the HR department at the outset of the project. These three dimensions include: A Maturity Assessment and identification of any Quick Wins to restore. confidence in HR delivery. A Process Map Review against future Employee Life Cycle, using our own ‘Employee Life Cycle Model’, and 40k Service Tickets to improve automation and efficiency. The development of an implementation plan and blueprint for the successful roll-out of HR ERP. Data Streams & Findings The HR Maturity Assessment highlighted strong management support experienced by participants, as well as a solid understanding of HR strategy and of overall University strategy. The HR Process & Programmes Review uncovered that 196 processes in Nimbus (an end-to-end patented cloud WorkForce Optimisation application) are not linked to the HR Sub Functions; the current SLAs are based on historical volume and thus are not fit for an SSO environment; and current expertise in the Hub is not sufficient to deal with the volume of service tickets. Five quick wins were identified as follows: Recruitment Fixed Term Contracts Review Current SLAs Re-Routing Payroll and Pension Queries One single mailbox for sending Service Tickets In the detailing phase, we implemented the aforementioned agreed quick wins, the blueprint for HR ERP, assured the build readiness of the HR team, and built the HR SSO to accommodate HR ERP. Finally, in the communications stage, we developed a Communications Grid for HR Maturity assessment, established Cambridge MC presence in the process, and implemented . Outcomes & Results  1. Cost Savings We identified quick wins that led to an annual saving of £500k, by tightening the relation and process flow between HR and payroll. 2. Systems Optimisation We analysed the efficacy of HR Service Tickets solutions delivery and recommended different workflows for the 1.8k tickets received per month. 3. Forward Planning Our ‘Employee Life Cycle Model’ was instrumental in analysing the gap between current and future HR process and systems needed in an ERP environment.

Introduction The National Counterintelligence & Security Center (NCSC) suggests that universities are particularly vulnerable to cyber crime because they are key contributors to the economy, skills development, and innovation. Cambridge MC was approached to conduct a comprehensive cyber capability maturity assessment for a major UK academic institution, leveraging a team of experts with technical understanding and frontline experience in cyber defence. This team carried out a thorough evaluation through a series of tests, interviews, and artefact examinations. Unlike conventional assessments, our strategy focused on actionable insights which were tailored to the unique operational context of the institution. The assessment was structured around recognised capability categories, informed by the team’s extensive experience defending against cyber attacks. The methodology was particularly effective for its sensitivity to the institution’s risk appetite—balancing cost, risk, and investment to propose solutions that were unique to their situation. Project Overview The primary challenge was the institution’s realisation that its existing cyber hygiene practices and IT discipline might not be sufficiently robust to withstand increasingly advanced tactics employed by cybercriminals and their growing interest in the education sector. The institution sought out Cambridge MC to identify these vulnerabilities, assess the overall maturity of its cybersecurity practices, and recommend strategic improvements. This meant not only highlighting technical deficiencies, but also providing a holistic evaluation of the institution’s security posture, considering the practical realities of defending against threats. This included an assessment of the institution’s risk readiness, infrastructure resilience and staff preparedness. Cambridge MC’s goal was to ensure that the recommendations produced as a result of this assessment were not only technically sound but contextually appropriate and aligned with the institution’s strategic objectives and resources constraints. This personalised approach was crucial in designing a cyber security strategy that was both achievable and sustainable. Strategy What we did Our approach involved a thorough assessment of the institution’s cyber infrastructure, including tests, interviews, and the examination of artefacts to gain a holistic understanding of their cyber maturity. To do this, we engaged experts with significant technical depth and extensive experience in cyber defence and leadership roles; a blend which was crucial in conducting a maturity assessment that focused on pragmatic gap closures. Why we did it this way Our methodology was designed to move beyond mere technical details and address the practical aspects of cyber security. By organising our work into recognised capability categories, we targeted areas that, if weak, would likely lead to vulnerability and a high risk of attack. This approach allowed us to pinpoint critical gaps in the institution’s cyber security practices and propose target improvements. Concepts and methodologies applied We applied a risk-based approach, sensitive to the institution’s risk appetite, to make practical trade-offs between cost, risk, and investment. This ensured that our recommendations were contextually appropriate and aligned with the institution’s strategic objectives. Our assessment framework was grounded in industry-best practices and standards, tailored to the unique needs and challenges of the academic sector. Obstacles encountered and overcoming them One of the main obstacles we encountered was resistance to change, a common challenge for institutions with established routines and cultures. To overcome this, we emphasised the importance of cyber hygiene and IT discipline through clear, evidence-based findings and recommendations. We conducted workshops and discussions to engage stakeholders at all levels, highlighting the tangible benefits of enhancing their cyber security posture and demonstrating how our recommendations could be implemented in a manageable manner. The Team The Cambridge MC cyber security team tasked with supporting on this project was comprised of: A technically adept practitioner specialising in vulnerability testing, equipped with cutting-edge knowledge of tools and techniques for identifying weaknesses in the institution’s cyber defences. This role was crucial for uncovering hidden vulnerabilities that could be exploited by attackers, providing a technical foundation for the assessment. Back-office risk experts with a deep understanding of the broader risk landscape and risk management principles, ensuring that the assessment considered not just technical vulnerabilities but also organisational and procedural risks, aligning the cyber security strategy with the institution’s overall risk appetite. A security leader with 30 years of experience building and running security services, who offered strategic oversight and practical insight into effective cyber defence mechanisms and was vital in ensuring the recommendations were not only theoretically sound but also pragmatically achievable. Together, these professionals ensured a comprehensive, nuanced, and highly practical assessment, underlining the importance of a balanced team in addressing complex cyber security challenges. Outcome & Results Optimised Cyber Resilience We recommended and outlined a robust workflow and identity management system across all of the institution’s systems, emphasising the need for multi-stakeholder cooperation. This highlighted the challenge of managing over tens of thousands of accounts for a community of many fewer staff and students. Longevity We made clear, actionable recommendations describing implementation plans for changes, such as improving the security culture and some operational deliverables associated with SOC efficacy, all of which were agreed upon by the leadership team who assured us that these changes would be in place at this institution for the next three years. Staff Readiness We enhanced the security awareness and training of the staff, postgraduate researchers, and students, including specialised training for the Information Security team. We also made recommendations for improving security posture, such as the adoption of Cloud Access Security Broker (CASB) and Data Leakage Prevention (DLP) solutions, and the development of a quantitative risk forecasting methodology. Forward Planning We also made suggestions for future improvements, including SOC operational activities, creating new initiatives targeting cyber kill chain strategy areas, and planning disaster recovery tests for ICT systems.

Well Intended Guidance Leaves more Questions than Answers The UK Government Digital Services – part of the Department for Science, Innovation and Technology – has recently published guidance for how the public sector should adopt a multi-region approach to cloud technology. At first sight this appears encouraging. Any unnecessary constraints on hosting arrangements (or any other non-functional requirements) reduce the available market of providers, constrain competition, and therefore inevitably reduce value for money. If parts of Government, whether central, regional or local, have felt that everything must be hosted in the UK then it makes sense to produce guidance that clarifies this perception and helps to open their options up. But for guidance to be useful it should guide. It should make it easier for people to take actions that they previously would have discounted. The guidance in this case, which at 1420 words is almost as short as this article, probably leaves the reader with more questions than answers. It may reveal some unknowns, but without increasing certainty. The Guidance in a Nutshell A summary of the guidance is as follows: Look wider than UK: Many cloud solutions may not offer UK hosting, particularly new innovative solutions that haven’t scaled up yet. Irrespective, their staff are likely to be distributed around the world if the service is supported 24/7. There may also be other benefits in looking wider than UK hosting, such as enabling better business continuity and disaster recovery options if the vendor only has one UK site. Get legal advice: Before you even consider a non-UK option you need to seek advice from your own legal advisors and your Data Protection Officer (DPO). Ensure compliance with ICO guidance: Before you even consider a non-UK option you need to check and make sure that any international transfer of personal data will be compliant with the Information Commissioner’s Office (ICO) guidance, and you should get further guidance from your own legal advice and DPO. Do a full review of vendor security: Before you even consider a non-UK option you need to make sure the vendor and solution are compliant with your own security policies. In a nutshell, it says: 'you should consider options outside of the UK but only if you have checked everything is legal and secure'. This seems to be verging on a statement of the obvious; the real difficulty in going offshore is covering all of the legal, regulatory and security compliance aspects. Adequacy is a Moment in Time On point 3, the guidance points out data protection compliance is easier if the country in question is considered by the ICO to be adequate – having equivalent regulations for data protection to the UK. Sound advice. But even this is not that simple. For instance, the USA is not considered adequate unless it is under an extension of the EU-US Data Privacy Framework. This framework is dependent on an Executive Order that the Biden administration put in place, and it is entirely possible that it will be revoked by the current administration. If such an action was taken, or if for any other reason the EU decides that adequacy is no longer met (also not unlikely given Herr Schrems has achieved this twice already and has stated he plans to challenge the DPF), then the vendor will no longer be considered compliant. Consideration is Far Wider than Residency Security is far wider than data residency though. This is where point 4 both states the obvious and understates the complexity. Managing risk in the supply chain is inherently difficult. Cloud providers, and particularly SaaS solutions, aggravate this challenge by an order of magnitude. By their nature they are solutions designed for a broad and varied range of customers. This means they will always involve compromise. If they tried to meet the most demanding requirements, they would price themselves out of the scale marketplace. If they went for the lowest common denominator, they would be unable to meet the requirements of the majority. An individual customer can rarely dictate a specific security requirement for themselves. They are also highly opaque. The vendor presents their service as a black box. The features delivered to the customer are defined, but much of the underlying design and the means the vendor uses to manage it in operation are hidden. This makes assessing the risk far more of a judgement call than when the design and delivery is conducted under your control. Depending on the supplier, and the leverage that the customer has over them, it may be possible to get some information and assurances; but the right questions need to be asked, and the answers need to be interpreted correctly. Third party certifications and audits, such as the ISO27000 series of standards or the SOC1, SOC2 and SOC3 reports, can also provide some additional assurances. But only the customer will be able to decide the extent to which they can mitigate the risk, and the confidence they have in the supplier to manage their own. This is a business decision informed by the specifics and nuances of the risks being considered. Summary It is important to minimise the non-functional requirements and keep an open mind about potential solutions and vendors. This includes looking wider than just the UK when national security requirements are not paramount. But this is not something that can be distilled onto a single sheet of A4 in any meaningful way. Yes, there are legal and regulatory issues that need to be reviewed. And geopolitical risk needs to be factored in, considering how you would respond to future external changes that are outside of the UK’s control. But from experience, the greatest challenge is getting comfortable that the vendor’s organisation and their solution have adequate security – this applies equally whether the solution is hosted in the UK or overseas. The SaaS world is opaque, and balances priorities across a broad and varied customer base. The public sector needs to increase its adoption of cloud and SaaS solutions to remain efficient and relevant, in the same way that the private sector has had to. But the route to responsible adoption is more nuanced, requiring candid conversations with suppliers, and ultimately an informed but subjective judgement by the customer’s leadership. Sources/Links: DSIT Guidance for Multi-region cloud and software-as-a-service ↩︎ ICO Guide to International Transfers ↩︎ Executive Order (E.O.)14086 of October 7, 2022, on Enhancing Safeguards for United States Signals Intelligence Activities ↩︎ Note: This article originally appeared on Tom Burton's personal blog at https://digility.net/insights/

The Digital Communities All-Party Parliamentary Group (APPG) shared the ‘Care to connect: Public Switched Telephone Network (PSTN) Migration’ report with key parliamentarians on Monday at a launch meeting on Parliament Street. This report highlights key recommendations for managing the ongoing Public Switched Telephone Network (PSTN) migration, focusing on protecting vulnerable residents and ensuring effective solutions. Here are the major takeaways for local government and communication providers: Data-Sharing Agreements (DSAs) DSAs between communication providers (CPs), local authorities, and telecare providers are crucial for identifying vulnerable residents during the migration. Challenges include inconsistent responses from local authorities and fragmented approaches across CPs. The APPG recommends all local authorities and housing associations sign DSAs, regardless of progress in digital switchover, to promote uniformity and resident safety. Telecare Devices The sale of analogue telecare devices must end, as these can leave residents unsupported during the transition. The government, in collaboration with the TEC Services Association (TSA), should enforce higher standards (TEC Quality’s Quality Standards Framework) across the telecare industry to achieve robust digital migration practices. Financial support for local councils is critical to replace outdated telecare devices and prevent double costs. Battery Backup Solutions Existing guidance from Ofcom, requiring one-hour resilience for power cuts, is insufficient. The APPG recommends increasing power backup requirements to at least 4 hours in homes and 6 hours for fixed networks. Communication and energy providers must jointly create resilient power solutions, particularly for vulnerable residents reliant on telecare devices. A multi-sector priority service register should integrate communications and energy service protection for those at risk. Sunset of 2G and 3G Networks UK mobile network operators plan to stop supporting 2G and 3G networks by 2033, with some networks already switched off. There are cases where local authorities and residents have purchased telecare devices using 2G/3G SIM cards, as a lower-cost, interim solution — these devices will need to be replaced again, posing double replacement costs for local authorities and additional risks to residents. The government should stop the sale of analogue devices and accelerate efforts to prevent the redeployment of outdated telecare alarms. Summary We welcome these recommendations alongside the December 2023 PSTN Charter, the Telecare National Action Plan and the PSTN Non-voluntary Migration Checklist. The conclusions make it clear that coordination between local and central government, industry regulators (such as Ofcom and Ofgem), and communication providers (CPs), as well as significant investment in digital teams at a local level, are essential goals to ensure a safe and inclusive digital switchover for all vulnerable residents and telecare users. Read the full report here: https://digitalcommunities.inparliament.uk/care-to-connect-public-switch-telephone-network-migration-report About the APPG The Digital Communities APPG is a cross-party group of parliamentarians, with the aim to promote the delivery of digitally equipped places that support and foster a connected, healthy, and productive community. This includes the creation and maintenance of sustainable digital infrastructure, as well as providing residents with equal opportunity to thrive in a digital world. The LGA provides the secretariat to the APPG. Cambridge Management Consulting Our Public Sector and PSTN teams can help local councils and other public bodies by providing strategy, financial planning, procurement, and project management services to ensure that you have a comprehensive transition strategy and accurate financial costing for the PSTN switch-off. We can help you follow the recommendations in this report by completing a full audit, signing DSAs with CPs and most importantly, protecting vulnerable service users. Get in touch with Craig Cheney, Managing Partner and lead for Public & Education, to discuss a range of services which might suit your needs: ccheney@cambridgemc.com (or use the form below). Act now, before time and resources run out.

What Do Your Scope 3 Emissions Have to Do with Inflation? Scope 3 emissions cover everything outside your direct operations —the carbon footprint of your supply chain, purchased goods, logistics, business travel, and more. The higher your Scope 3 emissions, the more energy-intensive your supply chain is. And the more energy-intensive your supply chain, the more vulnerable you are to rising costs. Think of it this way: High Production Costs- If your suppliers are heavily dependent on fossil fuels, their production costs are rising fast Price Volatility- If your supply chain lacks efficiency and resilience, price volatility will hit you harder Locking in High Costs- If you’re not actively engaging with suppliers to reduce emissions, you’re locking in long-term cost increases that could have been avoided Without accurate Scope 3 data and a clear engagement strategy , businesses are leaving themselves open to higher prices, lower margins, and greater financial risk . Why Businesses Struggle with Scope 3 A major challenge is that Procurement and Sustainability teams often operate in silos: Procurement teams focus on cost and supplier relationships but often lack deep sustainability expertise Sustainability teams focus on compliance and decarbonisation but aren’t typically measured on financial performance This disconnect means emissions reduction is rarely treated as a financial opportunity —when in reality, cutting carbon from your supply chain is also one of the most effective ways to reduce exposure to cost inflation. The Businesses That Get This Right Will Lower their Costs Leading organisations are already taking action. They are: Gathering detailed Scope 3 emissions data to map out cost risks in their supply chain Engaging suppliers to drive efficiency, reduce emissions, and lower costs Building resilience by shifting towards lower-carbon, more cost-stable alternatives The result? Lower long-term costs, reduced financial risk, and a competitive edge over those stuck with inefficient supply chains. This is not just about sustainability compliance —it’s about smart financial decision-making. If You’re Not Taking Action, You’re Losing Money Every business will feel the impact of rising supply chain costs—but not every business will be prepared for them. If you don’t have accurate Scope 3 emissions data and an effective engagement strategy, you are: Paying more than you need to for essential goods and services Exposing your business to long-term cost inflation Missing out on opportunities to build a stronger, more resilient supply chain The sooner you act, the better the outcome for your bottom line and the planet. Is your business ready to take control of its costs? Get in touch with Cambridge Management Consulting and edenseven today. About edenseven edenseven is the sustainability-focussed sister-company of Cambridge Management Consulting. We work with businesses across all sectors in multiple regions to deliver robust and deliverable net-zero strategies. The success of any strategy relies on its awareness of how changes in policy and subsidies can create both risks and opportunities for a business. If you are a business trying to enter a new market or evolving in an existing market and would like to learn more about how edenseven can support you, please get in touch with the team at edenseven at info@edenseven.co.uk or use the contact form below. Find out more about edenseven on their website: edenseven.co.uk