Turbocharge your Ecosystem's Compliance with RegDefy's Comprehensive Risk Management Solution
As the decentralized finance (DeFi) landscape continues to evolve, managing the risks associated with DLT-based ecosystems has become more crucial than ever. Each DLT-based ecosystem faces its own set of risks, with a large overlap between projects.
These may be technical risks such as a network takeover; legal risks such as non-compliance with regulations; or business risks, where the project needs to stand out from the 80 or so other blockchains that have traction.
Staying within the Ecosystem’s risk appetite
For a DeFi ecosystem to be stable and perform well, all ecosystem participants must manage their risks. This is a significant part of what a regulator is looking for; see DORA (in the EU) or the Operational Resilience regime (in the UK) as examples. Fundamentally this means identifying the unexpected events that could affect your ecosystem's objectives, then working out how to reduce both the likelihood of those events happening and their impact if they do.
From this concept comes the question relevant to any ecosystem: is the ecosystem operating within the risk appetite set by the ecosystem's governance? In practice that means each organisation in the ecosystem should be operating within the appetite set by its own board. This matters because if an organisation is within appetite, investment can go into profit enhancements; if it is not, investment should go into controls that mitigate the excess risk.
Central to managing an ecosystem's risks is a taxonomy that rolls risks up. This tree structure lets the board operate at one level, the senior management team at another, and the first and second lines of defence manage at the lowest level.
RegDefy manages all of these components of the Risk Management System: the outcomes for each organisation or department; the risk appetite set by the organisation's board; and the risks the ecosystem is currently running. These are then rolled up through the taxonomy, giving the ecosystem a consistent view that is still appropriate for each reader's level in the organisation.
Inherent v. Residual Ratings
When assessing a risk, the usual inputs are the probability of the unexpected event happening and the impact it would cause if it did. To separate what is under our control from what is not, we assess each risk twice: first in its "bare" or Inherent state, and again in its controlled or Residual state.
Controls can be:
People
For example, the support team.
Processes
For example, the incident management process.
Technology or other assets
For example, a firewall, or a non-technical asset such as an insurance contract.
Controls can be applied in the ecosystem as a Preventative Control, which reduces the probability of the event; a Detective Control, which indicates whether the event is happening or about to happen; or a Corrective Control, which reduces the impact if the event does happen. Applying these controls across all risks in the register reduces the Residual rating below the Inherent rating. The comparison with the organisation's risk appetite is therefore made against the Residual risk.
RegDefy not only maintains both ratings but also keeps track of which controls mitigate which risks and how effective each control is. In a typical implementation every risk should have four or five preventative controls, as prevention is better than cure. Corrective controls should also be in place where possible, especially where the inherent impact is high.
RegDefy displays these ratings as customisable heatmaps at different levels of the taxonomy, the control efficacies on an efficiency grid, and the Key Risk Indicators (KRIs) on customisable dashboards, so that all lines of defence share a consistent view of the organisation's risk.
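To make the inherent-versus-residual assessment and the taxonomy rollup concrete, here is a small worked model written for this page. It is an added illustration, not RegDefy's code or data model. It assumes a 5x5 scoring scale (rating = likelihood x impact), that controls of one kind act independently so their efficacies combine multiplicatively, that detective controls count at half weight against impact (a modelling choice made here, since early detection shortens an event), and that a taxonomy node's rating is the worst residual rating beneath it. The register, control names, efficacies and appetite figures are constructed for the example.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed 5x5 scale: likelihood and impact are each 1..5, rating = likelihood x impact.
PREVENTATIVE, DETECTIVE, CORRECTIVE = "preventative", "detective", "corrective"


@dataclass
class Control:
    name: str
    kind: str        # PREVENTATIVE, DETECTIVE or CORRECTIVE
    efficacy: float  # 0.0 = no effect, 1.0 = fully effective (the control owner's assessment)


@dataclass
class Risk:
    name: str
    node: str                  # taxonomy path, e.g. "Ecosystem/Technical/Network"
    likelihood: int            # inherent likelihood, 1..5
    impact: int                # inherent impact, 1..5
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Rating once the controls mapped to this risk are taken into account."""
        return residual_likelihood(self) * residual_impact(self)


def _remaining(risk: Risk, kind: str, weight: float = 1.0) -> float:
    """Fraction of likelihood or impact left after all controls of one kind (assumed independent)."""
    factor = 1.0
    for c in risk.controls:
        if c.kind == kind:
            factor *= 1.0 - c.efficacy * weight
    return factor


def residual_likelihood(risk: Risk) -> int:
    # Preventative controls reduce the probability of the event.
    # Rounding up never credits a control with more than it earns; floor of 1 keeps the scale valid.
    return max(1, math.ceil(risk.likelihood * _remaining(risk, PREVENTATIVE)))


def residual_impact(risk: Risk) -> int:
    # Corrective controls reduce impact at full weight; detective controls at half weight (assumption).
    factor = _remaining(risk, CORRECTIVE) * _remaining(risk, DETECTIVE, weight=0.5)
    return max(1, math.ceil(risk.impact * factor))


def rollup(register: List[Risk]) -> Dict[str, int]:
    """Residual rating for every taxonomy node: the worst (max) risk anywhere beneath it."""
    ratings: Dict[str, int] = {}
    for risk in register:
        parts = risk.node.split("/")
        for depth in range(1, len(parts) + 1):
            node = "/".join(parts[:depth])
            ratings[node] = max(ratings.get(node, 0), risk.residual())
    return ratings


def appetite_breaches(register: List[Risk], appetite: Dict[str, int]) -> Dict[str, int]:
    """Nodes whose rolled-up residual rating exceeds the appetite governance set for them."""
    ratings = rollup(register)
    return {node: ratings[node] for node, limit in appetite.items()
            if node in ratings and ratings[node] > limit}


# Constructed sample register, mirroring the three risk types named on the page.
REGISTER = [
    Risk("Network takeover", "Ecosystem/Technical/Network", likelihood=2, impact=5, controls=[
        Control("Validator diversity policy", PREVENTATIVE, 0.5),
        Control("Stake concentration alerting", DETECTIVE, 0.6),
        Control("Incident management process", CORRECTIVE, 0.4),
    ]),
    Risk("Regulatory non-compliance", "Ecosystem/Legal/Regulatory", likelihood=3, impact=4, controls=[
        Control("Compliance review process", PREVENTATIVE, 0.5),
        Control("Insurance contract", CORRECTIVE, 0.3),
    ]),
    # No controls yet: residual equals inherent.
    Risk("Failure to stand out from competing chains", "Ecosystem/Business/Market", likelihood=4, impact=3),
]

# Constructed appetite per taxonomy node (maximum acceptable residual rating).
APPETITE = {"Ecosystem": 9, "Ecosystem/Technical": 6, "Ecosystem/Legal": 6, "Ecosystem/Business": 9}


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent {r.inherent()} -> residual {r.residual()}")
    for node, rating in sorted(rollup(REGISTER).items()):
        print(f"{node}: {rating}")
    print("Outside appetite:", appetite_breaches(REGISTER, APPETITE))
```

With this data the network takeover risk drops from an inherent 10 to a residual 3, regulatory non-compliance from 12 to 6, while the uncontrolled business risk stays at 12; rolling up shows "Ecosystem/Business" and therefore the root "Ecosystem" node outside appetite, which is exactly where the page says investment should go into controls rather than growth.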
Managing 2nd Line of Defence Workload
Ideally the second line of defence would spend its time challenging the first line's management of the organisation's risk, providing in-depth opinions, and horizon scanning for unexpected events encountered by equivalent organisations. Unfortunately, the second line sometimes ends up managing the first line's risks for it, which reduces the second line's capacity to think more deeply about risk across the organisation. Taken to the extreme, the first line may complain that risk management is being done to them!
The key to solving this problem is firstly to ensure that every risk, or area of the taxonomy, has a clear and distributed owner. After that, establishing a risk assessment cycle (for example monthly or quarterly) gets each organisation in the ecosystem into the habit of regularly updating its risk assessment.
Once the risks, controls and KRIs are modelled in RegDefy, every risk assessment period each risk, control and metric owner performs three tasks:
1. Up-to-date readings
Provide an up-to-date reading for each KRI. This gives a quantitative, and therefore more objective, view of the state of the risks.
2. Update control status
Update the status and efficiency of each control. This records which controls have been created, changed or removed in this period and how well they are performing against the risks they mitigate.
3. Update risk ratings
Update the Inherent and Residual risk ratings. Based on the updated KRIs and control efficiencies, the inherent rating is updated to reflect any external change (often picked up by a KRI) and the residual rating is updated to reflect the effect of the updated controls.
As these steps are completed, the second line is notified and can chase or challenge risk owners on their opinions. Once complete, the risk information is automatically rolled up through the taxonomy for reporting to the senior levels of the ecosystem.
Want to know more?
Using RegDefy to manage your ecosystem's risk means that the risk appetite, taxonomy, register, control library, KRIs, second-line opinions and incidents are all managed and assessed in an integrated way, so that scarce resources are spent on generating more business only when the ecosystem is operating within appetite.
If you have any further questions, speak to an expert today.