Risk Framework
Abstract
This document outlines the risk framework documents required to run Endaoment.Finance operations. These documents describe a risk management process that is scalable and can adjust as the organization grows. Each risk type will be paired with a policy document that sets out the policy, operations, and controls implemented to limit that risk.
Risk Framework Development Assets/Examples
All assets, images, documents, and other files presented in this section are meant to be examples of ways to manage risk and write policies to do so. These items do not represent how Endaoment handles or manages risk nor should they be confused with Endaoment’s specific risk management policies.
The writing of this policy documentation drew partly on preexisting guidance on risk framework creation, including a guide to policy framework creation under the Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management framework (COSO ERM Framework). A number of helpful resources from that guide are listed below and should be reviewed alongside Endaoment’s policy framework.
20 principles of risk management, used to develop the risk policy framework and guide operations concerning risk:
Guide to determining risk impact and evaluating it alongside the likelihood of occurrence, so that critical responses are paired with high-severity issues:
Risk Types
Bribery and Corruption Risk
Bribery and Corruption risk encompasses the likelihood of Endaoment or individuals associated with Endaoment engaging in unethical or illegal practices, including bribery and corruption in both onchain and offchain interactions. This risk involves the offering, giving, receiving, or soliciting anything of value to influence the actions of an official or other person in a position of trust. It also includes acts of embezzlement, fraud, and other corrupt practices that might occur either within Endaoment’s internal operations or through its external interactions.
Continuity Risk
Continuity risk refers to the potential for disruption of business operations for any reason, including system failures, staff changes, and organizational dissolution. This risk also encompasses the inherent expectation for blockchain products to be perpetually accessible, requiring robust and resilient systems capable of delivering consistent service.
Counterparty + Anti-Corruption Risk
Counterparty + Anti-Corruption risk refers to the potential for a counterparty Endaoment interacts with (whether onchain or offchain) to not fulfill their end of an agreement or transaction. It also refers to the potential for a third party to do something illegal on Endaoment’s behalf and without Endaoment’s knowledge, or otherwise act in a corrupt manner.
Custodial Risk
Custodial risk refers to the potential for assets, both digital and physical, to be mishandled, lost, or stolen. This is especially important to monitor when overseeing Endaoment’s use of the private keys and digital wallets that control the Endaoment ecosystem of smart contracts. Endaoment must maintain stringent custodial requirements to ensure these keys, or any assets, are not lost, misplaced, or fall into the hands of a malicious actor. Given the irrevocable nature of onchain transactions, safeguarding these keys is paramount to the security and integrity of the system.
Data Privacy Risk
Data Privacy risk refers to the potential for a user’s personally identifiable information (PII) to be shared non-compliantly with external parties, and also covers the process for allowing users to request that their data be deleted. Given that Endaoment handles sensitive information about both individual taxpayers and corporations, and that blockchain transactions cannot be altered or changed after the fact, it is crucial to ensure that PII or other private data remains safe and is never published onchain in any form.
Finance & Accounting Risk
Finance & Accounting risk refers to the potential for errors or discrepancies in financial management, bookkeeping, and reporting. As we operate in the web3 space, we will use the blockchain as the single source of truth here, and compare all financial measurements with onchain data.
Fraud Risk
Fraud risk refers to the potential for malicious actors to scam, steal, or otherwise issue unauthorized transactions. Given the irreversible nature of onchain transactions, an extreme emphasis on re-verification (KYC) for withdrawals is necessary to ensure the authenticity of transactions and mitigate the potential risks.
Investment Risk
Investment risk refers to the potential negative performance of invested assets, whether onchain or traditional. Given the volatile nature of alternative assets (including cryptocurrencies and other onchain assets), price changes (and therefore AUM changes) should be expected to some degree and shall be planned for.
Legal Compliance + Regulatory Risk
Legal Compliance + Regulatory risk refers to the potential for non-compliance in terms of adhering to relevant laws and regulations in charitable giving, wealth management, or retirement account spaces. This includes financial regulations, data protection regulations, consumer protection regulations, etc.
Market Liquidity Risk
Market Liquidity risk refers to the potential for impediments to be introduced into the buy/sell flow for assets. Given that many onchain assets have low and fluctuating liquidity, price impact at the moment of trade execution is possible and must be avoided wherever possible. At minimum, this risk should be surfaced to users so that they can make informed decisions. This risk includes but is not limited to slippage, price impact, and maximal extractable value (MEV) attacks.
Sanctions/KYC/AML Risk
Sanctions/KYC/AML risk refers to the potential for non-compliance with KYC/AML regulations and is related to potential exposure to sanctioned entities or countries, including those on OFAC’s SDN list. Given the open nature of the blockchain space, we will need a clear process for adhering to KYC/AML policies as well as how to deal with erroneous or maliciously broadcast blockchain transactions.
Smart Contract + Technology Risk
Smart Contract + Technology risk refers to potential vulnerabilities or failures in the smart contracts that underpin the blockchain ecosystem we operate within. Smart contract risks include but are not limited to bugs in the code and faulty logic. In either case, depending on the severity of the issue, this can lead to exploits by malicious parties and loss of value or assets. This risk also includes the risks of operating in a space that is rapidly growing and changing (with specific respect to the tech stack), as technological changes can impact operations.
Stablecoin De-Peg Risk
Stablecoin De-Peg risk refers to the potential for stablecoins to fail to maintain their peg and fluctuate in value beyond a minute percentage on the open market. As all cash is held as USDC when idle, this risk is associated with potential losses.