Board-Level PQC Risk Governance: How Directors Oversee a Migration They Don’t Technically Understand

This article is part of the PQC Governance Deep Dive series. For the full governance model (who leads, how the steering committee operates, what the accountable executive needs), start with the series overview. The series content is adapted from my forthcoming book Quantum Ready.

Introduction

A board member at a European bank asked me recently whether she needed to understand lattice-based cryptography to oversee her organization’s PQC migration program. She had read enough about quantum computing to be concerned, enough about post-quantum cryptography to know the migration was necessary, and enough about her own limitations to worry that she could not provide meaningful oversight of something she did not technically understand.

Her question was the wrong question, and it is the wrong question that most boards are asking right now. The right question is: do we have the governance architecture to oversee this program using the same mechanisms we use to oversee every other technical risk we cannot personally assess?

The answer, in most organizations, is that they do, but they have not yet applied those mechanisms to PQC. This article explains how to do it.

This is part of the PQC Program Delivery Deep Dive series. The PQC governance overview covers the full governance model: who leads the program, how the steering committee operates, what the accountable executive needs, and how programs fail. This article goes deeper on a single question: how does the board discharge its oversight duty for a multi-year cryptographic transformation?

Boards Have Done This Before

Most board members cannot evaluate a credit model, stress-test an actuarial assumption, audit a derivatives book, or assess whether an AI system’s training data is biased. They govern these risks competently anyway. Not by becoming domain experts, but by building governance architectures that translate technical risk into the language boards already work with: risk appetite statements, risk tolerance thresholds, and key risk indicators that tell directors whether things are on track or off track without requiring them to understand the underlying mechanics.

PQC migration is no different in kind. It is different in one specific way that matters: most boards have never governed a cryptographic transformation before, so they do not have the existing risk taxonomy, appetite statements, or KRIs for this domain. The infrastructure must be built. But it is the same type of infrastructure they already maintain for credit risk, market risk, operational risk, and (increasingly) cyber risk.

The NACD’s 2026 Cyber Risk Handbook now includes a dedicated quantum computing discussion guide for board members, and KPMG’s May 2026 board guidance on quantum cyber risk explicitly recommends integrating quantum risk into existing board oversight of cyber and enterprise risk management. Both confirm the direction: PQC governance belongs inside existing risk oversight frameworks, not in some new structure the board has to learn from scratch.

The Regulatory Context: Why Boards Cannot Defer

Three regulatory developments have made board-level PQC oversight a fiduciary obligation rather than a strategic option.

The SEC’s cybersecurity disclosure rules, fully enforced since late 2023, require public companies to describe the board’s oversight of cybersecurity risks in annual 10-K filings, identify which committee holds oversight responsibility, and explain how that committee receives information about cyber threats. Courts are increasingly aligning cybersecurity governance with the Caremark standard of fiduciary duties, under which directors face personal liability if they fail to implement reporting systems for material risks or consciously fail to monitor existing systems. PQC migration is becoming a material cybersecurity risk as regulatory deadlines approach. A board that cannot describe how it oversees PQC preparation may face the same disclosure and liability exposure that boards now face for cyber risk generally.

In the EU, DORA’s ICT risk management requirements explicitly require financial entities to address cryptographic threats from quantum advancements, and the proposed NIS2 amendment (COM(2026) 13) would add PQC transition planning to national cybersecurity strategies. These are compliance obligations that flow through to board-level oversight.

And regulatory deadlines are already set: CNSA 2.0’s January 2027 deadline for new National Security Systems acquisitions, NIST’s FIPS 140-2 deprecation in September 2026, and the EU’s target of high-risk system migration by 2030. A board that defers PQC oversight until “the technology matures” is deferring past deadlines that have already been published.

The practical consequence: PQC needs to appear in the board’s risk oversight architecture now. Not as a standing agenda item that consumes 45 minutes of every meeting, but as a governed risk with defined appetite, measurable indicators, and clear accountability.

Risk Appetite Statements for PQC

A risk appetite statement translates the board’s risk tolerance into language that the organization can operationalize. For PQC, the board needs to approve a small number of outcome-oriented statements that establish boundaries for the migration program.

These statements should be expressed in terms the board already works with. They should not reference specific algorithms, key sizes, or protocol versions. They should reference business outcomes, regulatory compliance, and time horizons.

Here are examples calibrated to different organizational contexts. Boards should select and adapt the statements relevant to their sector, regulatory environment, and risk profile.

For organizations with long-sensitivity data (financial services, healthcare, defense, government): “The organization shall complete migration of all Tier 1 systems (those processing or storing data with confidentiality requirements exceeding 10 years) to NIST-approved post-quantum cryptographic standards no later than [date], and shall maintain the capability to accelerate migration of remaining systems within [X] months of a credible CRQC threat assessment.”

For organizations in regulated sectors with explicit PQC mandates: “The organization shall maintain continuous compliance with all applicable PQC migration deadlines issued by [specific regulators: NIST/CNSA 2.0, DORA RTS, MAS TRM], and shall report compliance status to the board risk committee quarterly.”

For organizations with significant Harvest Now, Decrypt Later exposure: “No more than [Y]% of data classified as long-sensitivity shall transit infrastructure using exclusively pre-quantum cryptography after [date].”

For organizations focused on vendor and supply chain risk: “All Tier 1 and Tier 2 vendors shall demonstrate PQC migration readiness or provide a documented migration roadmap aligned with the organization’s transition timeline by [date]. The organization shall not renew or enter contracts with critical vendors who cannot demonstrate PQC readiness after [date].”

The accountable executive (typically the CISO, as I argued in the governance overview) develops these statements in collaboration with the board risk committee, with input from the cryptographic engineering team on what is achievable and from the enterprise risk function on how to align with existing risk taxonomy. The board approves and monitors. It does not draft.

The Three-Tier KRI Cascade

Risk appetite statements set the boundaries. Key risk indicators (KRIs) tell the board whether the organization is operating within those boundaries. For PQC, KRIs must cascade across three tiers, with each tier providing the right level of detail for its audience.

Board Level: 4-6 Aggregate KRIs, Reported Quarterly

The board sees a small number of outcome-oriented indicators, each mapped to a risk appetite statement and a tolerance threshold (green/amber/red). These indicators tell the board whether the program is on track without requiring directors to interpret technical data.

Leading indicators (measuring program inputs and momentum):

Cryptographic estate visibility. Percentage of the organization’s IT and OT asset estate that has been scanned for cryptographic usage and incorporated into the cryptographic inventory (the Cryptographic Bill of Materials, or CBOM). This tells the board whether the program is building the foundational visibility it needs. A program that has been running for twelve months and has inventoried only 30% of the estate is behind, regardless of what else it has accomplished.

Vendor PQC readiness coverage. Percentage of Tier 1 and Tier 2 vendors who have provided a documented PQC migration roadmap or demonstrated PQC capability. This tells the board about supply chain risk: if 60% of critical vendors have no PQC roadmap, the organization faces migration dependencies it cannot control.

Lagging indicators (measuring program outcomes):

Tier 1 system migration progress. Percentage of Tier 1 systems (those processing the organization’s most sensitive or longest-lived data) operating in hybrid or fully post-quantum cryptographic mode. This is the indicator that most directly measures whether migration is actually happening.

Regulatory compliance posture. A composite indicator tracking the organization’s alignment with applicable PQC deadlines. Green means on track for all deadlines. Amber means at risk of missing one or more deadlines without intervention. Red means a deadline has been missed or will be missed without exception approval.

Contextual indicators (providing decision-relevant background):

Program budget variance. Actual spend against planned spend, expressed as a percentage variance. Significant underspend may indicate a program that is not executing; significant overspend may indicate scope cascade (a consistent pattern in PQC programs).

External threat assessment. A qualitative indicator (updated semi-annually or when material developments occur) reflecting the accountable executive’s assessment of the quantum threat timeline based on the CRQC Quantum Capability Framework and published expert assessments. This is not a prediction. It is a structured judgment that helps the board calibrate urgency.

Four to six KRIs at this level, reported quarterly, are sufficient. More than that and the board drowns in operational detail it cannot evaluate and should not be evaluating.

Management Level: The Steering Committee’s View

At the Steering Committee level, the board’s aggregate KRIs decompose into a richer set that supports operational decision-making.

The board sees “Tier 1 system migration progress: 45%.” The Steering Committee sees that same 45% broken down by business unit, by system criticality tier, by migration phase (discovery complete, assessment complete, remediation in progress, validation complete, production deployment). They see which business units are ahead of plan and which are behind. They see the specific dependency blockers: the HSM vendor who is six months late on delivery, the ERP module that cannot be upgraded without a major release, the business unit that has not allocated change windows for migration testing.

The Steering Committee also tracks program health indicators that the board does not need: budget burn rate by workstream, staffing levels against the plan, contractor utilization rates, test environment availability, and the migration pod status across each business unit. This is where the accountable executive makes trade-off decisions (accelerate one workstream, defer another, request additional funding for a scope expansion) and where the Steering Committee exercises its approval authority over scope changes and risk acceptance.

Operational Level: The PMO’s View

At the program office level, the management KRIs further expand into detailed technical and project metrics: individual system migration status, cryptographic library upgrade completion rates, certificate rotation progress per CA, HSM deployment timelines by data center, test environment readiness scores, regression test pass rates, vendor deliverable tracking.

The PMO tracks hundreds of these. The board never sees them. The Steering Committee sees selected subsets when a specific issue requires escalation. The PMO’s job is to manage the program at this granularity and surface exceptions upward through the KRI cascade when a metric at the operational level threatens a KRI at the management or board level.

What Boards Should Ask

The risk appetite statements and KRI cascade give the board a structured governance mechanism. But the board’s oversight is only as good as the questions directors ask when the indicators move. Here are the questions that matter at each stage of the program.

At Program Launch

When the accountable executive presents the PQC program for board mandate approval (as described in the governance overview), the board should ask: Which regulatory deadlines apply to us, and what are the consequences of missing them? How large is our estimated cryptographic estate, and how confident are we in that estimate? What is the discovery phase budget, timeline, and deliverable? Who is the single accountable executive, and do they have the mandate, budget, and cross-functional authority to deliver? How will we measure progress (which KRIs, at what cadence, with what tolerance thresholds)?

During Quarterly Reviews

When KRIs are green: Is our visibility into the cryptographic estate growing on the trajectory we planned? Are vendors delivering on their PQC roadmap commitments? Are there early indicators that any KRI may shift to amber in the next quarter?

When a KRI shifts to amber: What caused the shift? Is this a temporary delay or a structural problem? What is the recovery plan, and does it require additional resources or scope change? Does this affect our ability to meet any regulatory deadline?

When a KRI turns red: What is the business impact if this KRI remains red? What escalation actions are recommended (budget increase, timeline extension, scope reduction, risk acceptance)? Does this require disclosure or regulatory notification?

At Stage Gates

At each major program milestone (discovery complete, first Tier 1 system migrated, infrastructure migration complete), the board should ask: What did we learn that changes our estimate of the remaining program? Should the risk appetite statements be updated based on what discovery revealed? Do any KRI tolerances need adjustment?

What Boards Should Not Do

Two patterns consistently undermine board PQC oversight.

The first is attempting to become quantum experts. Directors who try to evaluate lattice-based key exchange mechanisms or debate the relative merits of ML-KEM versus ML-DSA are operating at the wrong level of abstraction. That expertise belongs with the cryptographic engineering team and the accountable executive. The board’s job is to govern, not to engineer. When a board member spends 20 minutes of a risk committee meeting asking about quantum gate fidelity, that is 20 minutes not spent asking whether the program is on track to meet its regulatory deadlines. Columbia Law School research found that fewer than 15% of US public companies disclose having a board member with cybersecurity expertise. That 85% still have to govern cyber risk competently. They do it through governance mechanisms, not through individual director expertise, and PQC is no different.

The second is oscillating between panic and indifference based on the latest quantum computing headline. Q-Day predictions shift regularly as new research is published, new quantum hardware is demonstrated, and new algorithmic improvements are announced. A board that funds PQC aggressively after a Google quantum announcement and then quietly deprioritizes it six months later when the news cycle moves on will produce a program with no sustained momentum. The risk appetite statements and KRI thresholds exist precisely to insulate governance from news-cycle volatility. Once the board has approved the appetite and tolerances, the program executes against those parameters. The external threat assessment KRI (updated semi-annually) provides a structured mechanism for incorporating new information without triggering reactive oscillation.

Integration with Existing Risk Dashboards

PQC risk reporting should not create a parallel governance structure. It should integrate into whatever risk dashboard the board already uses.

If the board receives a quarterly enterprise risk report with a standard format (risk category, appetite statement, KRI, current status, trend, escalation actions), PQC should appear as a line in that report. If the risk committee reviews a heat map of enterprise risks, PQC migration should appear on it, positioned by likelihood and impact like any other risk. If the audit committee tracks compliance deadlines, PQC regulatory deadlines should be in the same tracker.

The accountable executive and the enterprise risk function should collaborate on this integration during the program’s first quarter. The goal is zero incremental governance overhead for the board: PQC appears in the same reports, in the same format, at the same cadence as every other risk they oversee. The board reads it the same way they read everything else. No special quantum briefing required.

One practical note: many enterprise risk functions will need to add quantum/cryptographic risk as a new category in their risk taxonomy. This is a one-time taxonomy update, not a structural change. Work with the enterprise risk team to define where PQC fits (typically under technology risk or cybersecurity risk, depending on the organization’s taxonomy), add the risk appetite statements and KRIs, and surface them through the existing reporting pipeline.

When to Escalate to the Board

Not every PQC development requires board attention. The Steering Committee and accountable executive handle operational decisions. The board engages on three types of events.

KRI threshold breaches. When a board-level KRI moves from green to amber or amber to red, the board risk committee should receive a briefing from the accountable executive: what happened, what is the impact, and what is the recommended response.

Material scope changes. If discovery reveals a cryptographic estate substantially larger than estimated, if a major vendor announces they cannot deliver PQC-capable products on the planned timeline, or if a new regulatory deadline is announced, the board may need to approve a revised risk appetite statement, additional budget, or an extended timeline.

External threat shifts. If a credible quantum computing development materially changes the CRQC timeline assessment (a major advance in quantum error correction, a new algorithmic breakthrough that reduces resource estimates for breaking current cryptography, or a national intelligence assessment indicating accelerated state-level quantum capability), the accountable executive should brief the board and recommend whether the program pace should change.

Everything else stays with the Steering Committee. The board’s job is to govern, not to manage. The KRI cascade ensures they have the information they need to do the former without being dragged into the latter.

Getting Started

For boards that have not yet established PQC risk oversight, the sequence is straightforward and can be completed within one board cycle (typically one quarter):

Board risk committee agenda item. The accountable executive (or CISO) presents a 30-minute PQC briefing covering three things: the regulatory deadlines that apply to the organization, the Harvest Now, Decrypt Later threat and why data exfiltrated today cannot be protected retroactively, and the proposed risk appetite statements and KRIs. This briefing is the board education that Vijay asked about in the governance discussion: it takes 30 minutes, not a quantum literacy program.

Approval. The board approves the risk appetite statements, KRI definitions and tolerance thresholds, reporting cadence, and the accountable executive’s mandate and initial budget.

Integration. The enterprise risk function adds PQC to the risk taxonomy and reporting pipeline. KRIs appear in the next quarterly risk report alongside every other risk the board oversees.

Ongoing oversight. The board monitors KRIs quarterly, asks the questions outlined above when indicators shift, and approves escalation actions when thresholds are breached.

The governance infrastructure does the work. The board provides the oversight. The accountable executive and program office deliver the migration. Each role operates at the right level of abstraction.

The PQC Migration Framework provides the full methodology that sits beneath this governance architecture. For organizational leaders who want a comprehensive resource on readiness strategy, Quantum Ready covers the complete picture from board mandate through operational crypto-agility.

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto-inventory, crypto-agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof-of-value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.