In a previous post, we introduced the BOLT framework—a strategic model for building a regulated business through four interlocking workstreams: Business, Operations, Legal, and Technical. Each of these pillars is essential in creating a compliant, efficient, and ultimately successful organisation. Today, we’re taking a deeper dive into Operations, and what it really means to build DLT operations from scratch.
The Dual Nature of Operations
In any regulated organisation, the Operations function performs a balancing act between value delivery and value protection. This is a useful lens to organise the work:
- Value delivery: These are the processes that directly support the functioning of the business and customer outcomes—such as onboarding new clients, settling payments, or completing end-of-day procedures.
- Value protection: These are the checks, controls, and oversight activities that safeguard the business against loss, fraud, regulatory breach, or operational failure. Reconciliations, control testing, exception monitoring, and incident management all sit in this category.
Let’s explore how to approach each stream, and how together they can help you build a scalable, risk-sensitive operating model from the ground up.
Delivering Value: Start Small and Learn Fast
When building value delivery capabilities, the emphasis should be on speed, feedback, and iteration. In this area, your goal is not perfection—your goal is learning. That’s why we advocate for endless build-test loops to hone the operating model as quickly as possible.
The best way to do this is by deploying a Minimum Viable Process (MVP). And sometimes, even that might be too much. Instead, think in terms of “Minimum Learnable Process”—what is the smallest set of actions you can take to deliver some value and gain insight into your assumptions? This approach of “build fast, break safely” ensures you’re not gold-plating an imaginary process, but instead crafting real-world solutions grounded in practical learning.
Protecting Value: A Risk-Based, Just-Enough Approach
In contrast to value delivery, value protection must be intentional and risk-informed. Every control costs time and resources. Over-engineering your controls stack can waste effort; under-engineering can leave the business exposed. The art lies in implementing “just enough” protection—no more, no less.
So, what is just enough? And how do you know when you’ve done enough?
The answer lies in combining a top-down and bottom-up approach to risk management.
Top-Down: Risk Appetite from the Board
At the top level, the board sets the risk appetite—a formal expression of how much risk the organisation is willing to tolerate in pursuit of its goals. This sets the tone for operational design. Appetite may vary by domain; for example, a payments firm may have a higher tolerance for minor reconciliation delays, but very low appetite for regulatory breaches or cyber threats.
Appetite statements are usually articulated in qualitative form—for instance:
- “We have no appetite for loss of customer funds.”
- “We accept a low level of operational risk in routine business-as-usual processes.”
RegDefy then provides a scale to quantify these statements, allowing you to answer the question “Are we operating within appetite?”
Bottom-Up: Risk Taxonomy, Register & Assessment
Meanwhile, the first line of defence—typically Operations and frontline teams—defines the risk taxonomy: a structured view of all the risks the organisation faces. This includes:
- Risk register: The list of identified risks, such as fraud, system downtime, erroneous payments, or data leakage.
- Inherent risk exposure: What would happen in the absence of any controls.
- Residual risk exposure: The risk level that remains after all existing controls are applied.
Combining the Two for a Rolled-Up View
Once each risk has been evaluated, results can be rolled up through the taxonomy. This gives leadership a clear view of risk exposure vs. appetite.
Here’s the crucial insight:
- If your residual risk exposure is within appetite, then no additional mitigation is needed. Resources can be reallocated to value-creating activities.
- If exposure exceeds appetite, then it’s a red flag. Resources must be deployed to design and implement additional controls, reducing residual risk to acceptable levels.
This risk-informed allocation ensures every resource is deployed where it has the greatest return—whether that’s enabling more customer growth, or defending against threats. This is the essence of a risk-based approach.
Example: Enterprise IT Risk
Let’s make this real with a simplified example.
Say your organisation faces the risk of criminal action through IT compromise. This would sit under the domain of cybersecurity.
- The board, recognising the severe implications of such an incident, sets a low appetite for this risk category.
- The inherent risk assessment flags this as highly probable and high impact, as this is evaluated without controls in place.
- The residual risk is, initially, the same as the inherent risk, because no controls are yet in place—placing it outside the board’s appetite.
To bring it back within appetite, the Operations and IT teams propose the implementation of three controls:
- Mobile Device Management (MDM) software to ensure only secure devices can access internal systems.
- Firewalls and endpoint protection to prevent unauthorised intrusions.
- Least privilege access, ensuring users only have access to the data and systems required for their role.
Once these controls are implemented and assessed for effectiveness, the residual risk drops significantly—potentially bringing overall exposure within appetite. At the outset, this is what defines the scope of the Operations workstream: implement the controls needed to bring residual risk within appetite, and you are complete.
This means the organisation can safely stop here—no need to deploy more controls or consume more resources unnecessarily.
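As an added illustration of the roll-up described above and of this IT compromise example, here is a small Python model of the inherent-to-residual-to-appetite test. It is example code written for this post, not RegDefy’s code or the original author’s. The 1–5 likelihood and impact scale, the number of levels each control knocks off, the appetite threshold of 6 for the cybersecurity domain, and the “worst risk wins” roll-up rule are all assumptions of the example; a real taxonomy would take these from the board’s appetite statements and the control assessments.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Control:
    """A mitigating control and the credit it earns once assessed as effective."""
    name: str
    likelihood_reduction: int = 0   # levels removed from likelihood (assumed 1-5 scale)
    impact_reduction: int = 0       # levels removed from impact (assumed 1-5 scale)
    effective: bool = True          # a control not yet tested, or failed, earns no credit


@dataclass
class Risk:
    """One entry in the risk register, attached to a taxonomy domain."""
    name: str
    domain: str
    inherent_likelihood: int        # assessed with no controls in place
    inherent_impact: int
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    def residual_levels(self) -> Tuple[int, int]:
        # Residual = inherent with effective controls applied; never below level 1.
        likelihood, impact = self.inherent_likelihood, self.inherent_impact
        for c in self.controls:
            if c.effective:
                likelihood = max(1, likelihood - c.likelihood_reduction)
                impact = max(1, impact - c.impact_reduction)
        return likelihood, impact

    def residual_score(self) -> int:
        likelihood, impact = self.residual_levels()
        return likelihood * impact


def roll_up(risks: List[Risk], appetite: Dict[str, int]) -> Dict[str, dict]:
    """Roll residual exposure up to each taxonomy domain and test it against appetite.

    Domain exposure is the worst residual score among its risks (a conservative
    roll-up: a single out-of-appetite risk puts the whole domain out of appetite).
    """
    report: Dict[str, dict] = {}
    for risk in risks:
        entry = report.setdefault(
            risk.domain, {"appetite": appetite[risk.domain], "exposure": 0, "drivers": []})
        score = risk.residual_score()
        entry["exposure"] = max(entry["exposure"], score)
        if score > entry["appetite"]:
            entry["drivers"].append(risk.name)   # risks that push the domain over appetite
    for entry in report.values():
        entry["within_appetite"] = entry["exposure"] <= entry["appetite"]
    return report


# Board appetite per domain, expressed as the highest residual score tolerated.
# Constructed value: "low" appetite for cybersecurity = likelihood 2 x impact 3.
APPETITE = {"cybersecurity": 6}


def it_compromise_example(least_privilege_effective: bool = True) -> Risk:
    """The post's IT compromise risk with its three proposed controls (constructed values)."""
    return Risk(
        name="criminal action through IT compromise",
        domain="cybersecurity",
        inherent_likelihood=5, inherent_impact=5,   # highly probable, high impact
        controls=[
            Control("Mobile Device Management", likelihood_reduction=1),
            Control("Firewalls and endpoint protection", likelihood_reduction=2),
            Control("Least privilege access", impact_reduction=2,
                    effective=least_privilege_effective),
        ],
    )


if __name__ == "__main__":
    for effective in (False, True):
        risk = it_compromise_example(least_privilege_effective=effective)
        print(f"least privilege effective={effective}: inherent={risk.inherent_score()} "
              f"residual={risk.residual_score()}")
        print(roll_up([risk], APPETITE))
```

With all three controls assessed as effective the residual score falls from 25 to 6 and the domain reads as within appetite, so the workstream can stop there. Flip the least privilege control to ineffective and the residual stays at 10, the domain is flagged, and the report names the risk driving the breach, which is the signal that further control work (or re-testing) is required rather than more spending elsewhere.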
RegDefy: Your Operational Risk Management Toolkit
Managing all of this—risk appetite, taxonomy, register, assessments, and control design—is complex. That’s where RegDefy comes in.
RegDefy is purpose-built to handle the entire risk lifecycle, allowing you to:
- Define board-level appetites against organisation objectives.
- Build a detailed and dynamic risk taxonomy.
- Maintain a central register of risks and controls.
- Automate risk assessments and exposure analysis.
- Tie operational decisions directly to board expectations.
With RegDefy, every operational investment—whether it’s a new reconciliation report, control framework, or process redesign—can be aligned with strategic risk posture. In other words, it helps you answer the critical question: Where should we deploy available resources?
Final Thoughts
Building a regulated operation from scratch is no small feat. But with a clear framework like BOLT, and a structured approach to both value delivery and value protection, you can move quickly and securely. The secret is to stay dynamic: test, learn, adjust, and let risk appetite guide your efforts.
Just enough is never a guess. It’s a discipline.
