In our previous blog post, we explored how every Decentralised Finance (DeFi) project functions as part of an interconnected ecosystem. We discussed how creating a digital twin of this ecosystem offers a detailed, dynamic representation of the project, which can be invaluable in communicating with regulators and investors. A digital twin also enhances the day-to-day operations of the ecosystem, particularly in the area of risk management.
Risk management is essential to the success of any DeFi project. This is ironic as DLT itself is a control to mitigate the risk of multiple parties having different versions of the truth. Introducing DLT brings with it new risks for each organisation and new risks between organisations.
If the project falls under regulatory scrutiny, effective risk management is not just a requirement, but also a strategic asset. Understanding how to mitigate risks can build trust with both regulators and stakeholders, paving the way for long-term sustainability. In this post, we’ll focus on two fundamental questions in the risk management of DeFi ecosystems:
- A. Who is accountable for the risk management of the ecosystem?
- B. What does risk management actually mean in the context of DeFi?
A. Who Is Accountable for Managing Risk?
For any organisation, especially those navigating regulatory frameworks, accountability for risk management is crucial. Regulators often want “one throat to choke” — a single entity they can turn to for answers, and, if necessary, responsibility. In DeFi ecosystems, this accountability can differ depending on whether the project operates with centralised or decentralised governance.
Centralised Governance
In a project with centralised governance, such as those using public permissioned Distributed Ledger Technology (DLT), risk management accountability usually lies with the operator or gatekeeper of the system. This entity holds control over the network’s functioning and is directly responsible for overseeing risk within the ecosystem. Centralised structures lend themselves to clearer lines of responsibility, which regulators often prefer, as they can easily identify the party responsible for ensuring compliance and risk mitigation.
Decentralised Governance
On the other hand, in decentralised ecosystems, the question of who is responsible for risk management becomes more complex. If governance is decentralised, who can regulators or stakeholders hold accountable? Is it the foundation behind the technology? Or is risk management not conducted systematically at all? This ambiguity has contributed to the slower adoption of truly decentralised institutional DeFi, as regulatory bodies and institutional investors hesitate without clear accountability structures.
In decentralised models, some projects try to bridge this gap by creating a foundation that acts as the overseer of risk management. Others rely on distributed governance mechanisms through decentralised autonomous organisations (DAOs), but even here, identifying responsibility can be challenging.
B. So what Is Risk Management in DeFi?
Understanding who is responsible for risk is one side of the coin; the other is understanding what risk management entails in the context of DeFi. Generally, the risk management of an organisation can be categorised into at least five areas:
1. Financial Risk Management
This is the risk of not having the required funds to operate the project or continue delivering services.
2. Governance Risk Management
This category covers everything from controlling the organisation’s operations to ensuring regulatory compliance. For DeFi projects, governance risk includes the possibility of governance proposals leading to instability or litigation.
3. Operational Risk Management
This involves identifying risks that could disrupt the internal machinery of the project, including technical failures, cyber threats, and service outages. It also addresses the risks posed to customers or users of the DeFi platform, such as vulnerabilities in smart contracts.
4. Business Risk Management
Business risk refers to the broader external factors that can impact the success of a project, including competition, market volatility, and strategic missteps. For DeFi projects, this could also include reputational risks or shifts in user sentiment.
5. Model and Forecast Risk Management
In a DeFi context, this risk area is to do with how the value on the platform behaves. E.g. liquidity risks, fluctuations in token value, and the availability of capital to sustain decentralised applications (dApps). For example, if a DeFi project underestimates the amount of liquidity required to support its ecosystem, it risks collapse during market stress.
For a project to operate effectively, it needs to be able to identify, assess, and control these risks. Whether through centralised or decentralised governance, the ecosystem must operate within the risk appetites set by its governing body—either a board in centralised projects or the community in decentralised projects.
The Impact of Regulation: A Look at DORA
An example of upcoming regulatory influence on DeFi ecosystems is the Digital Operational Resilience Act (DORA) in the European Union. DORA incorporates elements of operational resilience and third-party risk management, similar to the Bank of England’s and FCA’s regulations. One key requirement under DORA is for each entity within an ecosystem to implement an effective risk management system, including vendor risk management.
This means that organisations must not only manage their own risks but also ensure that other participants in the ecosystem are adhering to specific risk management practices. In a centralised ecosystem, this might take the form of a multilateral contract or Rulebook that defines the behaviour and obligations of participants. In decentralised ecosystems, these rules can be encapsulated within smart contracts.
The Role of the Digital Twin in Risk Management
This is where a Digital Twin of the DeFi ecosystem becomes highly beneficial. Integrating risk management into a digital twin can help projects meet regulatory requirements while streamlining operations. Here’s how:
- Transparency: All lines of defence—those responsible for risk identification, assessment, and mitigation—gain equal visibility into the ecosystem. This transparency and using a common model reduces misunderstandings and miscommunications.
- Concrete Risk Sources: Risks are mapped to specific parts of the digital model, making it easier to pinpoint where hazards originate and how to address them.
- Control Integration: Risk controls can be directly mapped to corresponding elements in the digital twin, making it easier to evaluate the effectiveness of risk mitigation measures and working out where to spend scarce resources.
- Risk Appetite Alignment: Leadership objectives can be integrated into the risk management system so that decision-makers can ensure their actions are aligned with the overall risk appetite.
Key Takeaways for Ecosystem Risk Management
At the end of the day, the two core questions any DeFi project must answer about risk management are:
- 1. Is the ecosystem operating within the risk appetite set by its governance function?
- 2. Is the risk management system operating efficiently, especially in terms of delegation to the first line of defence?
By using a solution like RegDefy to manage the digital twin of your ecosystem, you can ensure these questions are answered, giving regulators, investors, and participants the confidence needed for success.
