Enterprise DR & BCP Assurance
Resilience audits for UK and EU organisations — ISO 22301, DORA, FCA Operational Resilience, NIST CSF. Continuity you can audit. Resilience you can prove.
Hexalink Meridian
Meridian — operational resilience advisory you can hand to a regulator
Hexalink Meridian is the DR and BCP service line for UK and EU organisations with regulatory or board-level resilience exposure. We audit recovery posture across applications, infrastructure, data, third parties, and people — and produce the scorecard, gap register, and remediation roadmap your audit committee, regulator, or insurer needs.
Meridian is independent advisory only — no downstream tooling sale, no managed services lock-in. The recommendation is the recommendation. Read about Compass if your question is AI transformation rather than operational resilience.
How Meridian works — three phases
A structured, phased engagement from scoping through audit to board-ready findings.
Scope & Important Business Services
Output · Scope document + impact-tolerance map
Map the important business services that must keep running, identify in-scope domains (applications, infrastructure, data, third parties, people), and select the target frameworks (ISO 22301, DORA, FCA OpRes, NIST CSF).
Audit & Maturity Assessment
Output · Maturity scorecard across 8 domains
Score 120 controls across 8 resilience domains. Gather evidence, validate recovery runbooks, test dependency mapping. Produces a board-grade scorecard plus a per-domain RAG view.
Gap Register & Remediation Roadmap
Output · Gap register + framework heatmap + board report
Compile every gap with risk rating and remediation timeline; map % compliance against each target framework; deliver a board-ready report in PDF and Word with executive summary and phased roadmap.
What you get
Three engagement sizes — each scopes which phases are included and at what depth.
Meridian Diagnostic
Phase 1 + scoped Phase 2
Single resilience domain, fixed scope, fixed price. Entry SKU for a targeted check before committing to enterprise-wide work.
Meridian Audit
Full Phase 1 + Phase 2 + Phase 3
Full enterprise resilience audit across all 8 domains. Maturity scorecard, gap register, board report. Core SKU.
Meridian Programme
Phase 1 + 2 + 3 on annuity cadence
Multi-entity programme with quarterly re-baseline, scenario testing, and certification-readiness support. Annuity SKU.
Standards we audit against
Deep mapping across the resilience standards regulators and audit committees expect.
ISO 22301
Business continuity management system gap analysis, audit, and roadmap to certification readiness.
DORA
Digital Operational Resilience Act readiness for financial services — ICT risk management, third-party register, incident reporting.
FCA Operational Resilience
Important business services mapping, impact tolerances, scenario testing, and the supervisory documentation regulators expect.
NIST CSF · ISO 27031
ICT readiness for business continuity. Recovery time / point objectives, dependency mapping, validated runbooks.
What lands on your desk
Four concrete outputs you can hand to a board, regulator, or insurer.
Maturity Scorecard
Per-domain RAG and composite score across 8 resilience domains — applications, infrastructure, data, people, third parties, governance, recovery, testing.
Gap Register
Every Non-Compliant or Partially-Compliant control with risk rating, owner, and remediation timeline. Exports to xlsx for tracking.
Framework Heatmap
% compliant against each selected framework (ISO 22301, DORA Articles, FCA OpRes principles, NIST CSF functions) — at a glance.
Board-Ready Report
PDF and Word, with executive summary, top critical findings, framework attestation, and a phased remediation roadmap.
Why Meridian is different: recovery posture, instrument-led, vendor-neutral
Recovery posture, not control posture
The unit of analysis is the important business service and its end-to-end dependency chain — applications, data, infrastructure, third parties, people — not isolated controls. The deliverable is a tested impact tolerance, not a compliance attestation.
120-control instrument, 8 resilience domains
Activity-level resilience assessment with framework-mapped controls. Gets you to certification-ready faster than a free-form audit because the work is already structured.
Advisory-only, vendor-neutral
No managed services sale, no tooling lock-in, no DR-as-a-service upsell. The recommendation is independent of any vendor relationship — which is why audit committees and regulators take it seriously.
Audit instrument, published
The Meridian audit instrument — 120 controls across 8 resilience domains, framework-mapped against ISO 22301, DORA, FCA Operational Resilience, NIST CSF, and ISO 27031 — is documented in full. Available on request to qualified enterprise buyers under NDA.
Request the instrumentWho Meridian is for
Four buyer segments, each with a specific use of the Meridian deliverables.
Boards & Audit Committees
A maturity scorecard you can present at the audit committee, with critical-finding visibility and a remediation timeline that's actually achievable.
CIOs & Heads of Technology
An evidence-based view of ICT recovery posture across applications, data, and infrastructure — including dependency mapping and validated runbooks.
Heads of Risk / Operational Resilience
DORA / FCA OpRes alignment, important business services mapping, and the scenario test programme to validate impact tolerances.
Internal Audit
Framework-mapped controls (ISO 22301, NIST CSF, DORA Art.11) ready for review against your existing audit programme — saves weeks of evidence gathering.
Book a Meridian scoping call
A 30-minute call to map your important business services, identify the applicable regulatory regime, and decide which Meridian SKU fits — Diagnostic, Audit, or Programme.
Book a callFrequently asked
Have a specific resilience question? Talk to us
v1.1 · May 2026 · Hexalink Ltd × Novoflux