SEC chairman Jay Clayton said in recent news that ICOs will be treated as securities. Crypto exchanges are coming under increased scrutiny from regulators.
A good enterprise risk management approach is proactive, not reactive after the damage has occurred. What will set crypto exchanges apart is the ability to turn a robust risk management function into a competitive advantage. Below are some of the risks that threaten crypto exchanges, along with mitigation actions that can be taken when a strong enterprise risk management framework is in place.
1. Financial risk: If a risk management framework is not established, market volatility can cause losses resulting from movements in market prices and liquidity.
For example, changes in interest rates, exchange rates and inflation can affect the business plan's cash flows, net monetary assets, and total accounts receivable. Ongoing calculation of such exposures helps reduce the likelihood of failures.
2. Customer and third-party risk: It is important to know the customer or counterparty you are transacting or conducting business with. Not thoroughly knowing your customers can lead a firm to be associated with a high-risk counterparty who is on the sanctions list, ultimately causing a lot of reputational damage. It is also important to monitor credit exposures and to gauge clients' ability to meet their financial obligations.
3. Market risk: This is the most crucial category of risk in the crypto world. With an increasing amount of negative news, investor trust is dwindling.
Ongoing monitoring of external adverse media and negative publicity provides the data required to mitigate this. Additionally, sociopolitical risk, meaning the impact on the market of political and social events such as terrorist attacks or a change of government in a foreign country where an investment is made or the exchange is registered, can restrict the investments made or continued business operations.
4. Regulatory compliance risk: Without internal controls, policies and procedures in place, it becomes hard to comply with various regulations. Failing to comply leads to fines, reputational damage and an inability to retain top talent. This is even more important now that the SEC has declared that ICOs will be considered securities, the CFTC has declared that ICOs will be considered commodities, and the IRS considers ICOs property.
5. Enterprise risk: This category covers “systems” that cannot handle a certain volume of transactions, “cyber attacks”, phishing for data, “operational” errors, and “natural disasters” that disrupt normal business operations. It is important to account for these in risk management and to plan for business continuity and disaster recovery. Several steps can be taken to set up a framework for this, for example: governance for business continuity and disaster recovery planning, strong internal audit procedures to help mitigate losses arising from internal processes or operational errors, and safeguarding systems against cyber threats.
6. Corporate governance and internal controls: An enterprise-wide view of the organization is very important for the board and investors. It provides transparency and consistency and thus strengthens investor trust. There should also be processes for ongoing monitoring and ongoing policy updates, rather than a one-off project to document policies, so that current changes in the market and in regulations are captured. Examples of evidence include records of the decision-making trail where escalations were made for high-risk customers, ongoing monitoring and enhanced due diligence for those high-risk customers, and proof that employees are trained on a regular basis for regulatory compliance. Setting up centralized risk monitoring and control also increases organizational efficiency.
Enterprise risk management (ERM) in crypto exchanges should not be viewed only as a function that helps avoid regulatory fines and comply with regulations. ERM is prudent for any sound business: it is proactive in assessing unforeseen circumstances and makes the business robust enough to withstand environmental shocks.