Board-level governance and risk specialist working across regulated and public-interest systems, with particular focus on digital, cyber and AI oversight. Research focuses on why formal assurance processes systematically underperform at scale – and what boards can do differently.
Experience includes senior responsibility for large technology and security functions in regulated environments where formal assurance processes can create a misleading sense of control.
Focus on how boards maintain visibility of emerging risk in complex organisations. Examines how reporting structures, layered controls and compliance frameworks can unintentionally delay action or mask accumulating systemic exposure.
Oversight of cyber security, AI deployment and digital transformation risk in regulated environments. Addresses control limits, operational resilience, and the governance challenges that arise when technology change outpaces institutional decision cycles.
Experience in environments subject to intensive supervision and public scrutiny. Focus on how scale, regulatory pressure and organisational design shape decision timing, accountability and risk appetite at board level. Sectors include NHS and health system governance, policing and public safety, regulated financial services, and central and local government.
A structural research programme examining why governance architectures designed to manage risk systematically reproduce the conditions for failure – even in organisations that are formally compliant, well-resourced, and operating in good faith. The programme traces a causal sequence: compliance metrics that measure the wrong thing, reporting hierarchies that suppress signal, designer assumptions that mistake transparency for accountability, and coordination costs that overwhelm capacity at scale. Its prescriptive counterpart is that these failures share a single remedy – the capacity to learn faster than the environment degrades, designed into the architecture through institutional memory, an honest incident record, and shared visibility – rather than bolted on as another control.
Empirical work draws on cross-sectional analysis of 171 NHS trusts and Freedom of Information data across health, policing, fire and local government. A consistent finding is that resource scale does not predict security compliance – the highest-resourced trusts underperform the lowest-resourced on mandatory security assessments (p=0.88). This points to coordination costs that grow faster than defensive capability as organisations scale. A parallel strand applies the same structural logic to infrastructure investment governance under deep uncertainty.
Published in the Financial Times, I by IMD, LSE Business Review, HSJ, BMJ Leader Blog, Civil Service World, Public Technology, ISC2 Insights, Policing Insight, European Law Blog, and Political Theology Network. Working papers via SSRN.
Boards often invite external challenge when governance systems appear formally sound but underlying risk exposure continues to grow. Situations where this work is particularly relevant include:
Engagement takes two broad forms. As a Non-Executive Director, the contribution is sustained board-level oversight. As an adviser, it is the reverse of the research programme: the programme sets out general frameworks for why assurance underperforms at scale; advisory work lands one of them on a single organisation's actual setup – its real asset register, its real capacity constraints, its real reporting lines. The frameworks are published; the value is in applying one for the first time in an environment where the first mistake is expensive.
The forms differ in one respect that matters: a board appointment needs an open seat and a standing commitment; advisory needs neither – a live question is enough. The legislative and regulatory responses show the advisory move applied publicly to policy cases; the private version does the same for a board. Engagement also extends to visiting lectures and executive education.
A separate strand of advisory supports product startups selling into large regulated enterprises – read from the supplier's side of the same governance gate.
Writing covers governance failure in digital and cyber risk, cognitive bias in board-level assurance, AI accountability, and infrastructure investment. Venues include peer-reviewed journals, NHS and public-sector practitioner media, and policy platforms.
Full writing record is available via the external profiles below.
Public Money & Management (peer-reviewed)
"The Architecture of Focus: How Governments Resist Initiative Overload" (forthcoming)Financial Times
LetterLSE Business Review
ArticleI by IMD
Author pageHealth Service Journal
Author pageThe BMJ (Rapid Response)
Rapid responsesBMJ Leader Blog
ArticlesBMJ Leader (Rapid Response)
Rapid responsePublic Technology
ArticlesISC2 Insights
ArticlePolicing Insight
Author pageSSRN
Author pageEuropean Law Blog
Author pagePolitical Theology Network
Author pageUK Parliament (Written Evidence)
Written submissionsFor advisory enquiries, a short note describing the question the board is facing is the best starting point.
Email: vshabad@vshabad.com
LinkedIn: linkedin.com/in/vshabad
ORCID: orcid.org/0009-0001-9332-6688
University of Liverpool · BT Group · former CIO and CISO roles