GARP Interviews Mauritz Kop on Quantum Governance Strategies for Risk Professionals
By Editor
Stanford, CA, December 19, 2025—The Global Association of Risk Professionals (GARP) has published "Full-Scale Quantum Computing May Be Years Away. Risk Mitigation Can't Wait.", a members-only article by David Weldon for which Mauritz Kop was interviewed. GARP—the not-for-profit association behind the FRM certification and a global membership of risk managers—is precisely the audience Kop has long argued quantum governance must reach: the professionals who decide, institution by institution, which risks get inventoried, owned, and mitigated before they mature.
Quantum risk management: re-keying the vault before the clock strikes.
Q-Day is the wrong question
The article opens where risk management should: not with science fiction, but with exposure. "The most immediate risk is not a science fiction Q-Day," Kop tells GARP, referring to the anticipated moment when quantum systems can break the encryption that safeguards modern communications and commerce. The real, present-tense risk lives in long-lived assets: "I worry about long-lived assets – financial records, identity data, health and government archives," which could fall victim to "a lack of crypto-agility and weak vendor oversight." Data harvested today under the harvest-now, decrypt-later strategy does not need a working quantum computer to become a liability—only time. For financial institutions, whose records routinely outlive every system that created them, the asymmetry is structural.
GARP's members-only article by David Weldon (December 19, 2025), featuring Mauritz Kop.
Three pillars, five must-haves
In the interview underpinning the article, Kop set out the quantum governance strategy he builds with institutions. It rests on three pillars: securing the quantum transition through post-quantum cryptography (PQC) and crypto-agility; steering high-impact use cases toward safety, equity, and alignment—his SEA framework; and embedding quantum into existing risk and compliance structures rather than treating it as a separate universe. From those pillars follow the five elements he calls must-haves for any serious strategy: a PQC migration roadmap anchored in asset classification and harvest-now-decrypt-later exposure; clear board-level ownership and reporting; integration with the cyber, model, and operational risk frameworks the institution already runs; vendor and cloud due diligence focused on quantum-safety claims; and a testing and assurance regime—red-teaming and independent benchmarking included—rather than blind trust in marketing.
The strategy works in layers. At the architectural layer: hardware choices, network topology, data classification, key management, crypto-agility. At the algorithmic layer: what quantum or quantum-inspired models actually do—objectives, explainability, performance benchmarks for finance-relevant tasks such as portfolio optimization and risk simulation. At the operational layer: roles, change management, access controls, incident response, and audit trails, so quantum capabilities are governed like any other high-risk technology.
Anticipatory, standards-driven, tied to real applications
Kop's advice to risk professionals is to start from what they already know how to govern—treat quantum as an extension of cybersecurity, data protection, and model risk, not as a mystical outlier—and then participate in shaping the standards rather than passively consuming them. The blueprints he points to run through his published work: the Columbia Law study "Towards a European Quantum Act", the PQC-focused Bletchley Park framework for the quantum age, and self-regulatory Quantum Technology Impact Assessments that give boards a governance instrument they can own and iterate. In the U.S., he argues, core PQC migration should be treated as critical-infrastructure work and substantially completed before 2030, especially for long-lived data and critical financial and national-security systems.
There is also an opportunity side. Through the Stanford Quantum Incubator, Kop's teams stress-test governance concepts against real quantum and quantum-AI applications in finance, healthcare, materials science, and cybersecurity—the "governed experimentation" phase, in which quantum-inspired methods run on classical hardware while the devices mature. For risk professionals, quantum is both threat and tool: it can undermine today's security assumptions, and it can strengthen resilience, improve simulation, and reveal hidden concentrations of risk.
The closing thought Kop offered in the interview reframes the entire timeline debate: the question is not when quantum computers will break today's cryptography, but whether our governance, infrastructure, and talent will be ready when they do. Institutions that answer with artificial intelligence (AI)-era reflexes—wait for the breakthrough, then regulate the wreckage—will be answering after their archives have already been harvested. The ones that treat readiness as a present-tense discipline will find that most of what quantum demands, good risk management already knows how to do.
Last updated: June 5, 2026.