McCulloch Regulatory Compliance

Risk Management & Business Continuity

Risk and resilience built on recognised standards, from enterprise and quality risk management to business continuity and crisis response, so audits, disruption, and the unexpected find you prepared.

ISO 31000 · ISO 22301 · ICH Q9 · Life Sciences · Technology & AI

Governing standards

  • ISO 31000

    Risk management · principles & guidelines

    Foundational
  • ISO 22301

    Business continuity management systems

    Certifiable
  • ICH Q9(R1)

    Quality risk management (GxP)

    In effect
  • ISO 14971

    Medical device risk management

    In effect
Aligned to: COSO ERM · ISO/IEC 27005 · ISO 22316 · ISO 22317 (BIA) · ISO 22361 (crisis) · NIST SP 800-30

What we do

Risk you can see is risk you can manage.

Resilience is not luck. It is the product of knowing what can go wrong, deciding what to do about it, and being ready before it happens.

We help organisations build risk and continuity capabilities on the standards their auditors, customers, and boards already recognise. The same discipline that satisfies an inspection also makes the business steadier and quicker to recover.

Whether you need a first risk framework, a quality risk file for a regulated product, or a continuity plan that has actually been tested, we provide practical, proportionate support across the full lifecycle.

The risk lifecycle

From appetite to aftermath, end to end.

Framing, assessment, treatment, continuity, and crisis response, scaled to your exposure and the standards you are held to.

01 / Frame

Context & appetite

  • Risk policy & governance
  • Risk appetite & tolerance
  • Roles & accountability

ISO 31000

02 / Identify

Risk assessment

  • Identify, analyse, evaluate
  • Risk register & scoring
  • FMEA & scenario analysis

ISO 31000 · ICH Q9

03 / Treat

Controls & mitigation

  • Treatment plans
  • Control ownership
  • Residual-risk acceptance

ISO 31000

04 / Prepare

Business continuity

  • Business impact analysis
  • Continuity & recovery plans
  • Exercising & testing

ISO 22301

05 / Respond

Crisis & recovery

  • Incident & crisis management
  • Communications & decisions
  • Post-event review

ISO 22361

Three disciplines, one standard of rigour

Enterprise, quality, and continuity.

Risk shows up differently across the business: as strategy, as product quality, and as operational resilience. We work across all three, mapped to the controlling standard.

ISO 31000 · COSO ERM

Enterprise risk

A single, coherent view of risk across the organisation, built on ISO 31000 and aligned to the COSO enterprise risk management framework, so leadership can make risk-informed decisions and evidence them.

Risk framework & policy · ISO 31000 cl. 5

Design a proportionate risk-management framework: policy, governance, roles, and integration into how decisions are actually made.

Risk appetite & tolerance · Board-level

Define and articulate risk appetite and tolerances that leadership can own and apply consistently.

Risk register & assessment · ISO 31000 cl. 6

Establish a living risk register with consistent scoring, analysis, evaluation, and clear treatment ownership.

Third-party & supply-chain risk · Vendor risk

Assess and monitor supplier, outsourcing, and supply-chain risk, with contractual allocation and ongoing oversight.

Reporting & assurance · Board reporting

Risk reporting that gives the board and investors a clear, defensible picture, and stands up to audit.

Who we help

From first framework to tested resilience.

We scale support from a single risk assessment or continuity plan through to an integrated, standards-based risk and resilience programme.

01

Scaling organisations

Standing up a first risk framework and continuity capability as the business and its obligations grow.

02

Regulated manufacturers

Embedding ICH Q9 and ISO 14971 risk management that holds up in audits and inspections.

03

Resilience-critical operations

Hardening continuity, recovery, and crisis response where downtime carries real cost.

Practical · Proportionate · Defensible

Standards-based, and built for the real world.

We combine hands-on regulatory experience with recognised risk and continuity standards, so your programme is both certifiable on paper and effective when it is tested. Every recommendation is mapped to the controlling standard and sized to your exposure.

Mapped

Every decision traced to the standard

ISO clause, ICH reference, or framework function: risk work with a source, not gut feel.

Proportionate

Sized to the risk

Rigour where exposure is real, and no bureaucracy where it is not. Risk management that gets used.

Defensible

Built for the audit and the bad day

Evidence that satisfies an auditor, and plans that hold up when disruption actually hits.

Know your risks, and be ready for the ones you cannot avoid.

Tell us what you need to protect, and we will help you build the risk and continuity capability to match.