Speaking & panels.
A regulator who builds what he advises — I speak in plain language to audiences that need to understand risk, not just hear about it.
What I bring to a stage
I speak on subjects I have lived. Every recommendation I give from a platform has been tested in my own laboratory or formed through direct regulatory experience reviewing real firms in real difficulty. I do not speak from slides — I speak from evidence.
I aim for clarity: if I cannot explain a concept in 60 seconds, I have not understood it well enough. My sessions are structured for maximum Q&A — I typically finish my prepared remarks in under half the allotted time and use the rest for conversation. Audiences consistently find this more useful than a polished deck.
Speaking topics
Operational & Cyber Resilience
Resilience after PS7/26 — what boards should ask next
The 31 March 2025 milestone is behind us. This session explores what the PRA's ongoing expectations mean for governance, third-party management and testing — drawing on 150+ firm reviews.
Operational & Cyber Resilience
What we have learned from 150+ operational resilience reviews
A candid account of recurring failures, common misconceptions and what genuinely resilient firms do differently. Practical, specific and grounded in direct regulatory experience.
Operational & Cyber Resilience
Crisis management in cyber — from incident to board communication
How to manage a major cyber incident from detection to regulatory notification to board briefing, based on direct experience across hundreds of live incidents.
Operational & Cyber Resilience
DORA and beyond — navigating the UK–EU digital resilience landscape
A comparative view of the UK's SS1/21 framework and the EU's Digital Operational Resilience Act, for firms operating — or wishing to operate — across both jurisdictions.
Post-Quantum Transition
Don't ignore, don't panic — the realistic post-quantum journey
A plain-language assessment of the quantum threat, when it actually matters, and what a regulated firm should do in the next 12 months. Based on hands-on implementation experience.
Post-Quantum Transition
Cryptoagility — turning a compliance deadline into a programme
How to build an organisation-wide capability to swap cryptographic algorithms, rather than treating post-quantum as a one-time upgrade. Includes the technology stack assessment framework.
Post-Quantum Transition
Are you quantum ready? A practical assessment
A structured walkthrough of the quantum readiness of a typical financial-services technology stack — from TLS and SSH to email, DNS and backup encryption — with honest risk ratings.
AI in Financial Services
Five pillars for agentic AI success in regulated firms
Why Gartner predicts 40%+ of agentic AI projects will be cancelled, and the five disciplines — vision, grounded ambition, leadership, customer focus, transparency — that separate those that succeed.
AI in Financial Services
AI you can govern — accountability, oversight and the limits of automation
A board-level framework for AI risk: what to demand of AI systems, how to maintain human accountability, and when to say no. Illustrated with specific failure cases.
Technology Risk & Strategy
The next decade of technology risk — from DORA to quantum to AI agents
A strategic view of how technology risk will evolve to 2035, and what it means for boards, risk functions and regulators. Draws on the forthcoming book Cyber Landscape in 2035.
Formats
I am comfortable in any format: keynote (30–60 minutes), fireside chat (20–40 minutes with a host), panel (as panellist or moderator), roundtable (for up to 20 senior participants), masterclass (half-day, hands-on), and in-house board briefing (a private session for a firm's board or executive committee).
In-house board briefings are the format I find most valuable — a candid conversation with your board, under the Chatham House Rule, focused on your firm's specific questions. Typically two hours.
Selected recent engagements
- Jun 2026: IIAG — Technology Risk, Regulation and Internal Audit: The Next Decade
- Feb 2026: ABI — Panel: Quantum Computing — Are You Ready for the Shift?
- Nov 2025: PRA — Operational Risk and Resilience
- Oct 2025: CCBS — What have we learned from 150+ operational resilience reviews?
- Oct 2025: MFSA — The Future of Financial Services 2025–45 (Cyber Finance Summit)
- Sep 2025: QA Financial Forum — The Future of Software Risk Management 2025–35
- Sep 2025: IIAG — Operational Risk and Resilience / Planning an Assurance Cycle
- Apr 2025: Cyber Leaders Summit — Ask Me Anything: What's next in cyber risk?
- Apr 2025: Crowe — Fireside Chat: Operational Resilience / Post-transition Phase
- Jan 2025: ABI — How Risk talks to Resilience (Cyber Conference 2025)
Practical information
Geography: Global. In-person anywhere for the right engagement; virtual for shorter formats or preliminary conversations.
Lead time: For keynotes and panels at public conferences, a minimum of six weeks is appreciated. For in-house board briefings, two weeks is usually sufficient once the topic is agreed.
Fees: Available on request. Arrangements vary by format, audience and geography.
Chatham House Rule: I am comfortable operating under Chatham House Rule for sensitive board or roundtable discussions.
To discuss a speaking engagement, please get in touch with the topic, format and date in mind.