Crypto risk management

Crypto treasury risk management is the practice of mitigating money-related risks in DAOs, Foundations, or any organization using crypto in its operations, or holding substantial amounts on their balance sheet.

Examples of such risks include liquidity, investments, FX and interest exposures, and payments. We have examined some of these risks in earlier chapters on the other two pillars of managing a crypto treasury: liquidity and funding.

This chapter will focus on how Web3 CFOs can examine the different risks they may be exposed to from various treasury activities and develop appropriate response plans ahead of time to reduce potential downsides. This typically includes activities such as cash flow forecasts, liquidity planning, hedging investments, and setting up treasury policies.

Main types of risks to crypto treasuries

‍Web3 CFOs managing crypto treasuries face many risks that need to be properly managed. The most common types of risks are: liquidity, market, operational, and counterparty risks. Note that many of these risks are highly correlated especially in the crypto markets.

1. Liquidity risk

Liquidity risks are events that reduce an organization’s ability to pay its obligations on time. This can arise from unforeseen increases in liabilities, or drops in revenue collections that can slash the cash ratio of its crypto treasury. For instance, in crypto winters, exchange trading volumes plummet along with revenues from fees.

Web3 CFOs need to continuously monitor whether enough cash, or stablecoins are available in a crypto treasury to access when needed. It is the duty of every DAO, Foundation, or crypto company to carefully monitor liquidity risk at regular intervals.

2. Market risk

Virtually all crypto treasuries are exposed to market risks. Market risk derives from volatility in prices like interest rates, and currency exchange rates. A change in any of these market factors can significantly impact your company’s cash flows, and treasury risk levels.

For instance, this could be asset price corrections due to a general macroeconomic downturn, a hack that sends a token’s price spiraling downwards, or the bursting of the NFT art bubble in 2021. Note that the causes of these price movements can vary widely from proximate factors like hacks, or second-order effects like contagion from defaulting counterparties.

In traditional finance, commodity prices are also a critical source of market risk as they affect the cost of critical inputs in the value chain such as energy, food, and raw materials. In DeFi, one of the other less-talked about market risks is also blockchain network transaction fees, or “gas” prices.

Particularly during the bull market, or times of high network demand, gas fees on Layer 1 blockchains like Ethereum can skyrocket to prohibitive levels. Particularly for low value transactions, gas fees can sometimes be higher than the transaction value itself.

3. Operational risk

Operational risk includes various risks related to day-to-day activities, such as treasury processes, key man risks, legal & compliance, governance failures, payments, or cybersecurity breaches. When business interruptions or costly errors occur in any of these activities, they can severely impact your crypto treasury’s cash flows and business continuity.

For instance, in September 2021, during Grape Protocol’s initial DEX offering on Raydium, bots generated transactions that flooded the network, causing many validators to crash, which kept investors’ money locked for as long as 17 hours. Following the disruption, SOL prices fell by 5.06 percent.

Other operational risks can be far more mundane, though equally serious. Key management is a challenge especially if some authorized signatories in a multi-signature wallet’s quorum leave the organization. Also, poor governance policies around spend management can limit visibility on how a treasury’s funds are being spent. In October 2022, Harmony DAO caused a stir over allegations of related-party transactions between a co-founder and her husband. Notoriously, FTX’s bankruptcy filings revealed “a complete failure of corporate controls and such a complete absence of trustworthy financial information”.

‍

‍

4. Counterparty risk

Getting rugged is unfortunately not an uncommon phenomena in crypto. But needless to say, getting your treasury funds rugged can be fatal to the organization as a going concern. Examples of this abound throughout 2022. Notably, much of these often have to do either with lending to, or depositing funds with a centralized custodian like an exchange, or lending platform.

If a centralized exchange, or lender defaults on their contractual obligations, by freezing withdrawals, or filing for bankruptcy - it can severely impact cash inflows, and might leave your company vulnerable because it also needs to pay its creditors.

For instance, Bankrupt crypto lender BlockFi was discovered to have had over $1.2 billion in assets tied up with Sam Bankman-Fried’s FTX and Alameda Research Galois Capital, a hedge fund, had half of its capital stuck at the collapsed crypto exchange, as well as Genesis Trading which had about $175 million locked on FTX. Multicoin Capital, the crypto venture capital firm, had nearly 10% of its assets under management trapped.

Nigerian DeFi startup Nestcoin announced that it raised $6.45 million in February 2022, before losing an estimated $4 million in November from using the now-defunct crypto exchange “as a custodian to store a significant proportion of the stablecoin investment we raised, i.e., our day-to-day operational budget”.

But counterparty risks can also stem from phishing attacks. One of your employees might also execute payments to sanctioned or fraudulent beneficiaries, which can result in significant losses.The FBI estimates American companies have been defrauded this way of about $2 billion dollars in 2020 alone.

Billing fraud is a critical vulnerability, especially for larger teams. In 2019, a Lithuanian man pleaded guilty to fleecing Google and Facebook out of more than $100 million in an elaborate scheme involving fake emails, and fake invoices. In 2020, the e-commerce giant, Amazon fell victim to invoice fraud, paying over $19 million for items that were never purchased.

Using tools to manage your crypto treasury operations like Request Finance, allows Web3 CFOs to benefit from guardrails against crypto invoice fraud in its crypto invoicing application.

Strategies to reduce treasury risk

Web3 CFOs should take note of key differences between these instruments. The downsides of using derivatives such as futures contracts and options, is that they are more complicated and require more management than perpetual futures. Both futures and options contracts have expiration dates, so these contracts have to be rolled over to keep a hedge in place. In contrast, a perpetual position is basically equivalent to a continuous hedge over time.

A second factor to consider is the funding rate. A short position may receive funding payments from, or pay funding fees to, traders who are long. The funding rate mechanism is in place to keep the price of the perpetual futures contract in line with the price of the underlying asset.

Risk management frameworks and processes
‍
‍Web3 CFOs should have processes or frameworks in place to mitigate the various risks as much as possible. Some of these specific risk mitigation measures have been explored at length in the earlier chapters on liquidity and funding management. Nevertheless, no risk mitigation plan is completely foolproof. Thus, Web3 CFOs should also establish procedures for when things go wrong.

In this regard, Web3 CFOs can draw inspiration from the processes developed in TradFi. The Association of Corporate Treasurers (ACT) proposes a five-step risk management framework: risk identification, risk assessment, risk evaluation, risk response, and risk reporting - with a feedback loop that returns to the first step. We present a simplified, four-step version of this below:

Identify the risks
‍Risks may arise from external influences (such as volatile exchange rates) or from internal influences (such as governance failures). Although the consequences are primarily financial, risks may arise from almost any (financial or non-financial) activity within the organization.

Identify and classify your organization's exposure to risk as laid out above (Table 10). Once identified, risks may be classified according to whether they are liquidity, market, operational, or counterparty risks, and logged in a risk register.

‍Evaluate the risks
‍An initial assessment that enables risks to be prioritized, so that those risks with the highest expected damage (probability times cost) to the organization are addressed first.

A useful way of quantifying the risk is to plot each on a matrix according to the likelihood of each risk occurring. Risks must then be quantified in order of priority to establish the potential loss or materiality (financial cost). Evaluation techniques, such as scenario analysis, stress testing, sensitivity analysis and value-at-risk (VaR), are used to calculate probabilities and potential impacts, both for single risks and groups of risks combined.

‍Respond to the risks
‍Once the risks have been evaluated, responses can be planned and implemented. There are four possible responses to each risk: (i) accept, (ii) avoid, (iii) transfer, or (iv) control.

‍Avoid or accept?
Firstly, risks can either be avoided or accepted. Avoidance means not taking the risk altogether. This might mean canceling a new product or market entry, refusing a customer because of their credit risk, refusing to deal in a currency or token that cannot be effectively hedged, etc.

Acceptance means taking the risk. At times, the potential rewards justify taking risk, so businesses take a conscious decision to accept risk. Commercially, this might mean going ahead with a risky but essential new product or market, or dealing in a risky currency because expected profits vastly exceed expected loss, etc.

The decision to accept, or avoid a risk depends on whether (i) the risk is within the organization’s expected circle of competence, and (ii) if the expected value calculation outweighs the expected cost. Both conditions should be satisfied before accepting a risk.

The second condition is somewhat intuitive for most. If the probable benefits outweigh the probable costs, the risk is worth taking. However, Web3 CFOs should also bear in mind that they may find it difficult to justify taking risks beyond their expected circle of competence.

Few would consider it appropriate for an exchange like FTX, or stablecoin issuer like Circle to be investing their treasury’s investible surplus in a fast food franchise, or entertainment business.

Transfer or control?
‍The risks that are deemed acceptable can be controlled, or transferred/transformed. The organization is expected to take core business risks, so these risks are accepted, but have to be mitigated anyway.

Control means managing the risk. Commercially, this might mean putting limits on investment into a new product or market entry, allowing limited exposure to a new token type on a different chain, or engaging regular cybersecurity audits like smart contract audits, etc.

Transfer means passing on the risk to another party. Commercially, this might mean developing a new product or entering a new market in a risk-sharing arrangement with another party, purchasing smart contract insurance against hacks, using a trusted agent like a custodian or compliance agent to manage customer risk, selling exchange rate risk through forwards or options, etc.

Risks peripheral to the core business risks can be reduced (through internal methods of diversification, control or business tactics), or transferred to external parties (through the use of derivatives (as in hedging), insurance or subcontractors).

In practice, risks are transformed, frequently into counterparty risk (which may be more acceptable to the organization), rather than transferred completely.In practice, risks are often handled with mixed treatments. This applies especially to the last two treatments – control, and transfer. For example, there may be extra internal controls around risky currencies, partial risk acceptance within strict policy and delegation limit; and partial hedging (hedging for difficult currencies tends to be expensive).

‍Report the risks
‍Ensures that risks are being managed as agreed upon. Deviations between targets and actual performance are analyzed to identify the causes and information is fed back into the risk management process.

The feedback loop – the reviewing of risk management outcomes compared to plan – is vital within the risk management framework so that risk management practice evolves to keep pace with internal and external developments.

Whatever framework you use, the importance of identifying risks, assessing them, and responding in an appropriate manner is vital. And the monetary impact of risks should ultimately be reported on and represented in your cash flow data.

‍Enhance cash visibility
‍One way to minimize crypto treasury management risk is to enhance cash visibility. As discussed in the earlier chapter on liquidity management, this means assessing your organization’s stock, and flows of stablecoins or cash and cash equivalents.

Improving cash visibility can be done by using portfolio tracking tools that can centrally consolidate data from various wallets and exchanges. For example, manual data collection in Excel sheets across different wallet addresses is often too slow and erroneous, which decreases the treasury’s ability to respond promptly to risk.  

‍Implement exchange rate exposure strategies
‍Typically, currency exchange risks occur when transactions are done in a variety of different token types and chains, or when treasury analyses are done with currency rates that are relevant at that specific point in time. Nonetheless, companies can adopt various strategies to mitigate exchange rate risk.

Another solution is to only transact in your preferred currency like USDC, or your own native token which transfers exchange rate risk onto the counterparty. Sometimes, it is also possible to add clauses to contracts (e.g. service level agreements, employment contracts, investment term sheets) where any significant exchange rate deviations are to be covered by the counterparty.

Another strategy is a form of natural exchange rate hedging, by relocating your organization’s members according to where your counterparties are located. For example, by accepting payments in EURe if a large proportion of your payroll is disbursed in Euros. This is especially relevant for remote-first teams and DAOs that have such flexibility.

Natural currency hedging is a hedging technique that does not require the use of financial derivatives. While theoretically attractive —because of the implied lower transaction costs that it entails—, natural hedging is much less precise than hedging with forward contracts. Besides, such a technique may not be always fully ‘natural’ but forced, i.e. the company would end up subordinating business decisions to risk management decisions.

Another common way of hedging is through forward exchange contracts or currency options. In a forward exchange contract, both parties agree to buy or sell an amount of a token at a certain point in the future. As a result, the initiating party is protected from any future currency fluctuations.

Currency options are similar to forward exchange contracts but eliminate the mandatory transaction when the contract expires. With currency options, companies have the right to buy or sell a token at a decided rate on or before a specific date. You can either exercise options when rates are favorable or let them expire if the market is less favorable. The flexibility of currency options does come at a premium price.

‍Run frequent cash flow forecasts
‍One way to mitigate your crypto treasury risk is by staying on top of your cash flow projections. You can effectively reduce risk by knowing what future cash flows will look like, based on historical as well as outstanding AR/AP data like crypto invoices, expense claims, or payroll items.

For example, cash flow forecasting helps you identify cash shortages that may require additional funding. On the other hand, it can also help reveal cash surpluses that can be allocated to optimizing processes that further reduce risk.

Crypto AR/AP processing tools like Request Finance can provide dashboard reports of your organization’s crypto transaction history across categories like crypto invoices, payroll, and expenses. Some advanced cash flow forecasting tools can even include market risk factors, industry trends, or even seasonality indicators. Preparedness for what is coming in the future provides the best foundation to manage treasury risk.

‍Regularly check liquidity positions
‍Liquidity positions must be checked regularly because they can reveal your company's financial health. With proper liquidity management analysis methods in place, you can mitigate most risk types associated with poor liquidity, such as the inability to pay creditors, challenges to attract additional financing, liquidity visibility challenges, low cash conversion cycles, working capital ratios, and fraud.

A best practice is to centralize liquidity management with a system that automatically gathers all the relevant data needed for liquidity analyses. By doing so, you can quickly analyze liquidity risk exposure and see which possible risks require further attention.

‍Work on preventing fraud
‍Financial fraud comes in many forms but is most associated with payment fraud for Web3 CFOs. Fraud is a substantial risk to mitigate because it can result in significant company losses. Billing fraud is a critical vulnerability, especially for larger teams. In 2019, a Lithuanian man pleaded guilty to fleecing Google and Facebook out of more than $100 million in an elaborate scheme involving fake emails, and fake invoices. In 2020, the e-commerce giant, Amazon fell victim to invoice fraud, paying over $19 million for items that were never purchased. The FBI estimates American companies have been defrauded this way of about $2 billion dollars in 2020 alone.

There are different types of payment fraud out there that should be closely watched by treasurers and security teams, such as phishing, kickbacks, identity theft, fake reimbursements, malware, or duplicate payments. 

Using tools to manage your crypto treasury operations like Request Finance, allows Web3 CFOs to benefit from guardrails against crypto invoice fraud, or preventing duplicate payments. Other crypto revenue collection applications like Suberra, have guardrails designed to prevent malicious contracts, or application-level exploits from draining wallets by imposing renewable limits on token allowances.

There are several strategies to tackle fraud. It starts with setting up the right processes to eliminate most risks. But it also requires training staff and increasing their awareness of possible fraudulent techniques criminals may use against them. Sanctions screening can also help avoid payments from being processed to unwanted beneficiaries. In addition, continuously auditing payment processes can reveal improvement points, or anomalous activity.

‍Monitor market risks
‍The best way to be prepared for shifting market risks is to stay on top of what is happening in the industry, and the broader world that could impact stablecoin price pegs, crypto asset prices (often highly correlated), and interest rates. Often, regulatory moves can already affect all three elements. Other causes like economic booms or recessions can also impact market risk. Contagion from exposure to counterparty risk across different large players in the crypto ecosystem can also transform into market risks, especially in a post Terra/Luna/FTX environment.

Broadly, speaking there are three approaches to dealing with a crypto treasury’s exposure to market risks like exchange rate movements: diversifiers, hedges, and safe havens. Baur and Lucey (2010) were the first to define testable definitions of a diversifier, hedge, and safe haven, making it possible to explore and identify the capabilities of an asset. Various researchers have successfully applied tests based on these definitions to various cryptocurrencies and stablecoins.

Table 3- Instruments to mitigate market risks for crypto treasuries

Diversification has proven to be one of the most important lessons for Web3 CFOs managing on-chain treasuries in crypto assets. Limiting your treasury’s exposure to any one particular platform, asset, jurisdiction, or currency - has been shown time and again to be a literal life-saver.

The recent events surrounding the collapse of Silvergate and Silicon Valley Bank, which caused Circle’s USDC stablecoin to suffer a temprary depeg, in addition to the troubles around the SEC action against Paxos’ BUSD drive the importance of diversification home. For instance, it is not sufficient to hold stablecoins, but rather high-quality stablecoins in different jurisdictions, across different currencies. For instance, a basket of fiat-backed stablecoins like USDC, XSGD, EURe would have fared better than holding USDC alone.

In addition, strategic hedging techniques, such as working with derivatives, currency exchange hedging, and interest rate risk management, can all help lessen your company's market risk exposure. For example, many larger companies use interest rate swaps, caps, or corridors to lower their risk profile.

‍Have external auditors or consultants check financials
‍One way to guarantee that your treasury risk will not have any drastic consequences is to go over your financial statements with an external auditor or consultant. These experts can give you valuable input or identify potential risks you may not have seen yourself. Auditors can also be hired to mitigate risks associated with compliance or regulations.

‍Use crypto treasury management tools
‍Crypto treasury management tools are designed to help Web3 CFOs achieve their primary goals while mitigating key risks. They automate error-prone and manual tasks, and enhance actionable insights by centralizing data across different sources. Using the appropriate set of treasury management tools can be an invaluable asset for Web3 CFOs to manage treasury risk, especially as they scale, and have to manage more wallets, platforms, and counterparties.

For DAOs or companies holding crypto, there are several categories of key operational pieces of a crypto treasury management stack that may be required: (i) wallets & custody, (ii) governance and voting, (iii) portfolio analytics, and (iv) financial operations tools.

At a minimum, a secure wallet setup is necessary to ensure assets are always safely custodied. This is particularly relevant any time assets are being deployed into other protocols or otherwise moving on-chain. Options range from traditional custodians such as Anchorage or Coinbase to decentralized or multi-sig options, like Entropy or Gnosis.

Beyond custody, DAOs will typically also need some form of governance approval from tokenholders before executing a treasury management strategy. Tools like Snapshot and Tally can be used for voting, while forums like Discourse and Commonwealth can help facilitate community discussion.

DAOs can also tap into the emerging suite of on-chain analytics products to monitor the state of their strategy over time, including Nansen, Dune and Flipside Crypto. Payroll and operations-related tools like Request Finance can also be used to manage budgets and track spending over time.

‍