Self-Assessment for CISOs: Are You Really Ready?

Eran Goldman-Malka · March 3, 2026

If you want a quick, honest view of your resilience posture, skip the maturity models and answer a few hard yes/no questions.

- We have a documented, CSSF‑aligned BCM and BCP framework, formally approved by the Board and reviewed at least annually, with clear ownership across IT, business, and support functions.
- We have a credible exit and migration strategy from our major US technology providers, including at least one open‑source‑based or EU‑sovereign alternative for critical workloads, and we have tested part of that strategy in practice.
- We can evidence at least one realistic cross‑border legal/IT disruption scenario test in the last 12 months, with documented lessons learned and remediation actions.

If you hesitate on any of these bullets, you do not just have a documentation gap; you have an exposure that will surface under pressure—through an incident, a regulator, or your own Board. The choice is whether you discover it on your terms or someone else’s.

If you ran this self‑assessment in your next ExCo or Risk Committee, how many green lights would you get—and how much appetite would there be to turn ambers and reds into funded, time‑bound actions instead of “to‑do later” notes?
