top of page

Independent Validation and Pre-Implementation Review

  • Writer: Brian Couzens
    Brian Couzens
  • Jun 19
  • 8 min read

Somewhere in your organisation, a cryptographic transformation programme is on a desk waiting for board approval. It is a multi-year, eight-figure commitment. It will reshape the cryptographic estate, the regulatory posture, and the operational risk profile of the firm. The decision to fund it is fiduciary. It will sit in the board minutes alongside the names of the directors who signed off. Once approved, it cannot be unwound without consuming a second budget on top of the first.


There is a control point in this process. It opens when the design lands on the CIO's desk. It closes when the board approves the budget. Inside that window, the design can be tested, challenged, revised, or stopped. After the window closes, the organisation is committed.


That control point exists in theory. In practice, no one occupies it.


The consultancy that designed the programme will not challenge its own work. The Big Four will not challenge a programme they hope to win. The CISO is fighting the strategy as it is written. The board is being asked to approve a multi-year, eight-figure undertaking against a design that has never been independently tested.


This is the gap. SITG-Consulting Independent Validation is the service that closes it.


Why the gap exists

The market has been captured. Quantum washers are out in force. (A quantum washer is a firm that overstates the quantum threat to manufacture demand for an oversized programme it intends to deliver itself.)


Global systems integrators, Big Four advisory firms, and unscrupulous third parties have built a commercial machine around cryptographic transformation. They write the strategy. They scope the architecture. They draft the RFP. Then they pitch for the build.


The reviewer is the builder. The builder is the beneficiary. The beneficiary defines the work.


This is not a conflict of interest in the regulatory sense. It is a structural condition in which independent challenge cannot occur without an external mechanism. No one inside the engagement has the standing, the incentive, or the authority to say: this design will not survive execution.


The result is predictable. Boards approve. Mobilisation begins. Years later, the programme has consumed millions and delivered nothing that survives audit.


This is not a rare failure mode. It is the operating model.


The principle

Each element of the programme is tested as a claim, not as a finished implementation.

This is the line that distinguishes Independent Validation from every other form of review. Audit examines what has been built. Assurance examines what is being built. Independent Validation examines what is being claimed before anything is built.


The consultancy has produced a strategy, an architecture, a sequencing plan, a tooling proposal, and a cost model. Each of these is a claim about how the programme will work, what it will deliver, and what it will cost. Each can be tested against evidence, against industry standards, and against the operational constraints of the actual organisation.


A claim that survives this challenge is fit to fund. A claim that fails is fit to revise. A claim that cannot be defended at all is fit to terminate.


What gets tested

Architecture viability. Does the proposed design survive real-world constraints, or is it a theoretical model that collapses under operational load?


Sequencing logic. Is the proposed order of work coherent, safe, and executable, or does it create early-stage exposure, dead-ends, or irreversible dependencies?


Assumption integrity. Are the assumptions about estate complexity, cryptographic footprint, legacy systems, and cloud boundaries grounded in reality?


Tooling and vendor selection. Are the proposed tools, libraries, HSM and KMS configurations, and cloud services appropriate, or do they create lock-in, blind spots, or future migration barriers?


Risk framing. Does the proposed threat model reflect the organisation's actual exposure, or is it generic risk language designed to justify a large programme?


Procurement alignment. Do the RFI and RFP materials reflect genuine requirements, or have they been shaped to point to a predetermined vendor outcome?


This is the design challenge. Five to ten days. Targeted, forensic, evidenced.


A common challenge to the speed: how can a five-to-ten day engagement deliver depth against a multi-year programme design? The answer is precision. SITG-Consulting does not perform discovery. It does not catalogue the estate. It tests the consultancy's claims against the consultancy's own evidence base, and against industry standards the consultancy is supposed to have followed. Depth comes from knowing where to look. The work is already in the room. The question is whether it survives challenge.


The decision moment

Findings are graded. Each grade carries a consequence.


Green. The programme is structurally sound. Proceed to mobilisation.


Amber. Material weakness identified. Revise and re-test before mobilisation.


Red. Structural failure identified. Pause until addressed, or terminate.


Findings are presented to the CIO, CISO, and board sponsor in a stripped, evidence-led briefing. There is no advisory padding. Each finding is traced to source documents, evidenced against industry standards, and presented with reproduction steps. The briefing is the artefact a director can defend in a fiduciary inquiry.


The decision window is fourteen days from the briefing. After fourteen days the engagement closes regardless of decision, because drift at this stage is itself a programme risk.


Red findings cannot be carried into mobilisation without named executive risk acceptance recorded in board minutes. If the client proceeds against red findings, SITG-Consulting closes the engagement. Continued advisory is not offered against rejected findings. The position is consistent: if the evidence is rejected, the relationship is the wrong instrument.


This is the moment that decides whether the programme is funded, fixed, or stopped. It is the most expensive decision the board will make on the entire programme. It deserves more than a slide deck from the firm that wrote the strategy.


Article content

The execution review

If the design challenge surfaces material findings and the consultancy is instructed to revise, the engagement continues into the execution review. Up to fifteen days. The revised plan is tested against execution viability:


Migration path integrity. Does the proposed rollout avoid downgrade paths, mixed-mode exposure, and irreversible lock-in?


Operational feasibility. Are the proposed processes for key management, certificate issuance, signing ceremonies, and governance viable at scale?


Boundary conditions. Do the proposed architectures behave correctly across cloud, on-premise, sovereign, and legacy boundaries?


Failure-mode modelling. Has the consultancy modelled entropy collapse, HSM throttling, certificate-chain failures, and state-management errors, or have these been assumed away?


Operational readiness. Are the people and processes that will execute the programme actually capable of doing so at scale, or has organisational capability been assumed?


Reversibility. If the programme needs to pivot, downgrade, or replace an algorithm, is the path reversible, or does the design trap the organisation?


Programmes do not fail because the architecture was wrong on paper. They fail because no one in the organisation could execute it. Execution review tests both.


The Qualification Statement

At the end of the engagement, SITG-Consulting issues the Qualification Statement.


This is not a recommendation. It is the artefact the board uses to release budget. It states whether the programme is qualified to proceed to mobilisation, the conditions under which the qualification holds, the risks that remain even after revision, and the trigger events that require re-validation during execution.


The Qualification Statement is decision infrastructure. It enters the board record. It is referenced in audit. It can be defended in regulatory inquiry. It carries the name of the firm that issued it and the standards against which the programme was tested.


Without the Qualification Statement, the board is approving a multi-year cryptographic transformation programme without independent evidence. The approval is valid. It is not defensible.


A director asked in inquiry "what independent evidence supported the decision to fund this programme" cannot point to the consultancy's own deck. That is not evidence. It is the case for the prosecution.


The Qualification Statement is the answer to that question. It is the only artefact in the engagement that exists outside the commercial interest of the firm that designed the programme.


Illustrative scenario

The following scenario reflects patterns SITG-Consulting has encountered in cryptographic transformation programmes across regulated environments. It is not a redacted account of a specific client engagement.


A regulated financial-services organisation has a consultancy-designed PQC roadmap ready for mobilisation. Multi-year delivery team, cloud-first architecture, heavy tooling footprint, eight-figure budget. The board is being asked to approve.


The CIO engages SITG-Consulting.


The design challenge surfaces five findings.


A sequencing fault places cryptographic-agility workstreams after cloud migration. The consequence is an eighteen-to-twenty-four month period during which the organisation is locked into a non-agile state. Cost of remediation if discovered post-mobilisation: seven figures.


An architectural blind spot. The design assumes uniform support for hybrid key exchange. It is wrong. The blind spot covers an estimated thirty per cent of the cryptographic estate.


A tooling misalignment. The proposed visibility tooling cannot interrogate critical systems. Coverage assumed, not evidenced.


The risk model is generic. Sovereign exposure ignored. Long-lived data classes ignored. Harvest-now-decrypt-later mentioned in passing rather than modelled against actual data shelf-life.


And the procurement drift. The RFP is written in language only one vendor's documentation uses.


Two findings are graded red. The board pauses mobilisation. The consultancy is instructed to revise. Budget approval is withheld until the execution review confirms the revised plan can survive deployment.


The organisation does not commit eight figures to a programme that would have collapsed in year two. The cost of the SITG-Consulting engagement is a fraction of one per cent of the programme it protected.


The independence commitment

SITG-Consulting will not bid for, deliver, sub-contract on, or accept any role within any remediation programme arising from a finding for the same client within twenty-four months of the engagement's completion. Independence is preserved through commercial separation, not just stated through positioning. A waiver mechanism exists in extremis, requires named board-level sign-off from the client, and is published annually in anonymised form.


The commitment is structural. The engagement fee is the only fee. There is no downstream revenue line, by design. SITG-Consulting has no vendor partnerships, no delivery incentives, and no interest in programme inflation.


This is the structural commitment that defines the service. The reviewer has nothing to gain from the answer.


A direct question

You are a CIO, a CISO, or a board sponsor. There is a cryptographic transformation programme on your desk. The consultancy that designed it is the consultancy that hopes to deliver it.


You have already decided whether the design will be challenged.


That decision will sit in the board minutes alongside the approval. It will be the first thing examined when the programme fails.


For Stage 0 enquiries: brian.couzens@sitg-consulting.com


SITG-Consulting. Strategy. Intelligence. Technology. Growth.


Evidence over assumption. Control over narrative.


Article content

Copyright and Legal Notice

Copyright


© 2026 SITG-Consulting Ltd. All rights reserved.


This article and its contents, including the Independent Validation and Pre-Implementation Review methodology, the Qualification Statement framework, and the Independence Commitment, are the intellectual property of SITG-Consulting Ltd. Reproduction, redistribution, or adaptation in whole or in part is prohibited without the prior written consent of SITG-Consulting Ltd, except for short quotations used in commentary, critique, or review with attribution.


Trademarks


SITG-Consulting and the SITG-Consulting logo are trademarks of SITG-Consulting Ltd. The terms "Qualification Statement" and "Independent Validation and Pre-Implementation Review" as used in this article describe proprietary engagement instruments developed by SITG-Consulting Ltd.


Disclaimer


The content of this article is provided for general information and professional discussion. It does not constitute legal, financial, regulatory, or technical advice. Organisations should obtain independent professional advice before acting on any information contained in this article.


The illustrative scenario described in this article reflects patterns SITG-Consulting has encountered in cryptographic transformation programmes across regulated environments. It is not a description of any specific client engagement, and any resemblance to a particular organisation is coincidental.


Statements about industry practice, including references to global systems integrators, Big Four advisory firms, and unscrupulous third parties, describe structural patterns observed in the market and are not directed at any named organisation.


Independence Commitment


The Independence Commitment described in this article is a binding operational policy of SITG-Consulting Ltd. The terms of the commitment, including the 24-month commercial separation and the waiver mechanism, are recorded in the firm's engagement contracts and governance documentation.


Contact


For enquiries, permissions, or commercial discussions:


SITG-Consulting Ltd info@sitg-consulting.com


 
 
 

Recent Posts

See All

Comments


bottom of page