The Global Association of Risk Professionals (GARP) interviewed Mauritz Kop for David Weldon's article "Full-Scale Quantum Computing May Be Years Away. Risk Mitigation Can't Wait.", bringing quantum governance to the desks of risk professionals worldwide.
Q-Day is the wrong question
Kop's message to the risk profession inverts the usual timeline anxiety. The immediate danger is not a cinematic moment when encryption falls; it is the quiet accumulation of harvested data—financial records, identity data, health and government archives—collected today for decryption tomorrow, compounded by weak vendor oversight and a lack of crypto-agility. Records that outlive their cryptography may already face that exposure, whatever the hardware roadmaps say.
Five must-haves for a quantum governance strategy
The strategy Kop laid out is deliberately operational: a PQC migration roadmap anchored in asset classification and harvest-now-decrypt-later exposure; board-level ownership; integration with existing cyber, model, and operational risk frameworks; vendor due diligence on quantum-safety claims; and independent testing and benchmarking instead of marketing trust. Layered across architecture, algorithms, and operations, it treats quantum as an extension of disciplines risk professionals already command—the same principles-to-practice arc as the global quantum policy brief he co-authored at CIGI.
From the trading floor to the boardroom
Quantum, Kop argues, is both threat and tool for finance: it endangers the confidentiality of everything archived, and it is being explored for better simulation, optimization, and risk discovery. His benchmark for the U.S.: core post-quantum migration substantially done before 2030 for long-lived data and critical systems. The institutions that will meet that deadline are the ones whose boards treat quantum readiness as governance, not as someone else's research project.