Holding bitcoin and ether on a corporate balance sheet is no longer a fringe move — it's a strategic decision for many modern treasuries. As CFOs, our responsibility is to preserve shareholder value while enabling the business to act quickly when opportunities or obligations arise. That tension between protection and liquidity is real, but it can be managed. Below I share a pragmatic, experience-driven approach to designing crypto treasury controls that reduce custody and operational risk without turning your digital assets into inert vaults.

Start with a clear treasury policy

The first control isn't technical: it's governance. You need a written crypto treasury policy that covers purpose (strategic reserve, working capital, payroll), risk appetite, acceptable counterparties, segregation rules, and escalation paths. Without that guardrail, decisions get made ad hoc and risk increases.

Key policy elements I insist on:

  • Designation of roles (treasury lead, CFO sign-off, security officer, operations).
  • Clear allocation between hot (liquidity) and cold (reserve) holdings.
  • Limits on single-counterparty exposure and daily transfer caps.
  • Approval thresholds tied to fiat value (dollar-denominated amounts), not just token counts, so that a threshold keeps its meaning as prices move.

Choose custody with the right security/liquidity trade-off

Custody strategy determines most downstream controls. I typically evaluate three models: fully self-custodial, third-party institutional custody, and hybrid (MPC providers plus third-party insurance). Each has pros and cons.

Model: Self-custody (hardware wallets, multisig)
  Security: High (if executed correctly)
  Liquidity: Moderate (slower for large on-chain moves)
  Operational complexity: High (ops, key management)

Model: Institutional custody (Coinbase Custody, BitGo, Anchorage)
  Security: High (insured options available)
  Liquidity: High (built-in liquidity integrations)
  Operational complexity: Low to Moderate

Model: MPC/web3-native (Fireblocks, Copper, Gnosis Safe for multisig)
  Security: High (no single seed)
  Liquidity: High (API integrations)
  Operational complexity: Moderate

In practice I prefer institutional custody or MPC for material balances because they balance security with operational speed and offer integrations with exchanges and OTC desks. For core reserves that should only be moved in exceptional circumstances, a geographically distributed multisig with time locks and cold storage still makes sense.

Implement a layered custody architecture

Think in layers rather than a single bucket:

  • Reserve layer (cold storage, multisig or air-gapped signers, long time-locks).
  • Operational layer (MPC or custodial accounts for payroll, payables, or market-making).
  • Liquidity buffer (exchange or custodial hot wallets sized for expected 30–90 day needs).

This structure protects the bulk of assets while keeping a predictable amount available for business operations. The operational layer should be sized proactively by treasury forecasting — not by whims.

Use multisig/MPC, time-locks and spending rules

Technical controls that I require:

  • Multisig or MPC: No single person can move funds. Use at least 2-of-3 for cold storage; for material reserves prefer 3-of-5 with signers separated geographically and organizationally, so that no single office, device or legal entity can form a quorum on its own.
  • Time-locks: For high-value transfers, enforce on-chain timelocks or administrative delays that give you a window to cancel if a compromise is suspected. Apply the same delay to changes in the signer set or the policy parameters; otherwise an attacker who gains a quorum can simply remove the delay before moving funds.
  • Spending limits and velocity controls: Per-wallet daily limits and cumulative monthly limits, denominated in fiat value, with infrastructure that blocks transfers above thresholds pending CFO sign-off and flags a burst of transfers that are individually under the limit.
  • Providers like Gnosis Safe (for multisig) and Fireblocks (for MPC with granular policy controls) make implementing these patterns significantly easier.
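The spending-rule layer above is easy to describe and easy to get subtly wrong (which calendar window, which price, what counts as already spent). The following is an added example written for this page, not code from the article or from any custody provider: a small policy evaluator that checks a proposed transfer against an allowlist, fiat-denominated daily and monthly limits, a CFO sign-off threshold and a timelock. Wallet names, limits, spot prices and the transfer history are all constructed for illustration.

```python
"""Transfer policy evaluation: allowlisted destinations, fiat-denominated
per-wallet daily and monthly limits, CFO sign-off above a threshold, and a
timelock for high-value moves.

Added example, not code from the original article or from any custody
provider. Wallet names, limits, spot prices and the transfer history are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed spot prices. A real deployment pulls these from a price feed
# with its own controls (staleness checks, more than one source).
PRICES_USD = {"BTC": 60_000.0, "ETH": 3_000.0}


@dataclass
class WalletPolicy:
    daily_limit_usd: float
    monthly_limit_usd: float
    cfo_threshold_usd: float       # above this, CFO or delegate must co-approve
    timelock_threshold_usd: float  # above this, impose a delay before execution
    timelock: timedelta
    allowlist: set = field(default_factory=set)


@dataclass
class Transfer:
    wallet: str
    asset: str
    amount: float
    to: str
    at: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: list                  # why the transfer is blocked; empty if allowed
    approvals: list                # roles that must sign before execution
    earliest_execution: datetime   # proposal time plus any timelock


def usd_value(t: Transfer) -> float:
    return t.amount * PRICES_USD[t.asset]


def evaluate(t: Transfer, policy: WalletPolicy, history: list) -> Decision:
    """Check one proposed transfer against its wallet's policy and the
    wallet's previously executed transfers."""
    reasons, approvals = [], ["treasury_lead"]
    value = usd_value(t)

    if t.to not in policy.allowlist:
        reasons.append(f"destination {t.to} is not allowlisted for {t.wallet}")

    # Cumulative spend is measured in fiat over the calendar day and month
    # containing the proposal, counting only transfers executed before it.
    day_start = t.at.replace(hour=0, minute=0, second=0, microsecond=0)
    month_start = day_start.replace(day=1)
    prior = [h for h in history if h.wallet == t.wallet and h.at < t.at]
    spent_today = sum(usd_value(h) for h in prior if h.at >= day_start)
    spent_month = sum(usd_value(h) for h in prior if h.at >= month_start)
    if spent_today + value > policy.daily_limit_usd:
        reasons.append(f"daily limit exceeded: {spent_today + value:,.0f} > {policy.daily_limit_usd:,.0f} USD")
    if spent_month + value > policy.monthly_limit_usd:
        reasons.append(f"monthly limit exceeded: {spent_month + value:,.0f} > {policy.monthly_limit_usd:,.0f} USD")

    if value > policy.cfo_threshold_usd:
        approvals.append("cfo")
    earliest = t.at + policy.timelock if value > policy.timelock_threshold_usd else t.at
    return Decision(allowed=not reasons, reasons=reasons, approvals=approvals, earliest_execution=earliest)


# Constructed policies: a hot operational wallet and a cold reserve wallet.
POLICIES = {
    "ops-hot": WalletPolicy(250_000, 2_000_000, 100_000, 500_000,
                            timedelta(hours=24), {"0xVendorA", "0xExchangeDesk"}),
    "reserve-cold": WalletPolicy(5_000_000, 10_000_000, 100_000, 500_000,
                                 timedelta(hours=48), {"0xExchangeDesk"}),
}

# Constructed history of already executed transfers.
HISTORY = [
    Transfer("ops-hot", "BTC", 5, "0xExchangeDesk", datetime(2024, 6, 3, 10, 0)),
    Transfer("ops-hot", "ETH", 20, "0xVendorA", datetime(2024, 6, 10, 9, 0)),
    Transfer("ops-hot", "ETH", 30, "0xExchangeDesk", datetime(2024, 6, 10, 11, 30)),
]


def demo() -> dict:
    """Evaluate four constructed proposals; returns name -> Decision."""
    cases = {
        "payroll_ok": Transfer("ops-hot", "ETH", 10, "0xVendorA", datetime(2024, 6, 10, 14, 0)),
        "daily_cap_hit": Transfer("ops-hot", "ETH", 40, "0xVendorA", datetime(2024, 6, 10, 14, 5)),
        "unknown_dest": Transfer("ops-hot", "BTC", 1, "0xUnknown", datetime(2024, 6, 10, 15, 0)),
        "reserve_move": Transfer("reserve-cold", "BTC", 10, "0xExchangeDesk", datetime(2024, 6, 11, 9, 0)),
    }
    return {name: evaluate(t, POLICIES[t.wallet], HISTORY) for name, t in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:14} {'ALLOWED' if d.allowed else 'BLOCKED':8} {d.approvals} "
              f"earliest={d.earliest_execution:%Y-%m-%d %H:%M} {d.reasons}")
```

Two design points worth noting. Limits are applied to the proposal's fiat value at evaluation time, so the same policy covers BTC and ETH without separate token-count tables; and the timelock only shifts the earliest execution time, it never substitutes for the CFO approval, so a large reserve move needs both the extra signature and the waiting period. In a real deployment the history would come from the custodian's or Safe's executed-transaction feed, not from an in-memory list.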

Approve workflows that mirror traditional treasury

The approval flow should be as formal as a wire transfer: requests originate from business owners, treasury validates counterparty and purpose, operations initiates the transfer proposal, security vets the signers and the destination, and the CFO or a delegated officer authorizes. Maintain an auditable ticket for every movement, with the proposal or transaction identifier recorded on it so the ticket and the on-chain record can be tied together later.

  • Use systems (Jira, ServiceNow, or dedicated treasury ops platforms) to document requests.
  • Require dual approval for any transfer outside pre-authorized patterns.

Counterparty and liquidity management

Liquidity doesn't only mean on-chain hot wallets. It includes relationships:

  • Pre-approved exchanges and OTC desks with legal agreements and KYC/AML coverage.
  • Lines with market makers to access immediate fiat conversion with minimal slippage.
  • On-chain DEX integrations only with whitelisted smart contracts after security review.

Negotiate admittance criteria for counterparties: minimum insurance, proof of reserves, and settlement guarantees. Large, frequent conversions should go through regulated custodians/exchanges to limit settlement risk.

Accounting, reconciliation and reporting

Crypto introduces volatility and technical complexity for accounting. Implement daily reconciliation of wallet balances against exchange and custodian statements and general ledger entries, and investigate every difference that is not explained by a known in-flight transaction. Use tools like CoinLedger, Lukka, or internal tooling integrated with custodians' APIs.

  • Record acquisition cost, realized/unrealized P&L, and provenance of tokens.
  • Reconcile chain-level transactions (not just balances) to custodial reports at least weekly.
  • Run stress scenarios showing how much fiat would be obtained if you needed to liquidate X% of holdings, allowing for slippage and market depth rather than assuming the spot price.
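The reconciliation and the liquidation stress test above are both mechanical enough to script. Below is an added example written for this page, not code from the article or from any accounting vendor: a three-way reconciliation between on-chain balances, the custodian statement and the GL that tolerates a known in-flight item, plus a liquidation estimate that walks a depth schedule instead of multiplying by spot. The account names, balances, prices and depth tranches are constructed.

```python
"""Three-way reconciliation (chain balance, custodian statement, general
ledger) plus a liquidation stress scenario using a simple depth schedule.

Added example, not code from the original article or any vendor tool.
Accounts, balances, prices and the depth schedule are constructed.
"""
from dataclasses import dataclass
from typing import Optional

TOLERANCE = 1e-6  # ignore dust-level rounding differences


@dataclass
class Break:
    account: str
    asset: str
    source: str    # which source disagrees with the chain: "custodian" or "ledger"
    chain: float
    other: float

    @property
    def diff(self) -> float:
        return self.chain - self.other


def reconcile(chain: dict, custodian: dict, ledger: dict,
              in_flight: Optional[dict] = None) -> list:
    """Compare on-chain balances with the custodian statement and the GL for
    every (account, asset). in_flight maps (account, asset) to an amount that
    is visible on-chain but not yet credited on the custodian statement; a
    chain/custodian difference it explains is not reported as a break."""
    in_flight = in_flight or {}
    keys = {(acct, asset) for src in (chain, custodian, ledger)
            for acct, assets in src.items() for asset in assets}
    breaks = []
    for acct, asset in sorted(keys):
        onchain = chain.get(acct, {}).get(asset, 0.0)
        cust = custodian.get(acct, {}).get(asset, 0.0)
        gl = ledger.get(acct, {}).get(asset, 0.0)
        if abs(onchain - cust - in_flight.get((acct, asset), 0.0)) > TOLERANCE:
            breaks.append(Break(acct, asset, "custodian", onchain, cust))
        if abs(onchain - gl) > TOLERANCE:
            breaks.append(Break(acct, asset, "ledger", onchain, gl))
    return breaks


def aggregate(chain: dict) -> dict:
    """Total units per asset across all treasury accounts."""
    totals = {}
    for assets in chain.values():
        for asset, units in assets.items():
            totals[asset] = totals.get(asset, 0.0) + units
    return totals


def liquidation_proceeds(holdings: dict, prices: dict, fraction: float, depth: dict):
    """Fiat obtained by selling `fraction` of each holding. depth[asset] is a
    list of (tranche_usd, discount) pairs: notional up to tranche_usd fills
    at spot times (1 - discount). Returns (per-asset detail, total)."""
    detail = {}
    for asset, units in holdings.items():
        notional = units * fraction * prices[asset]
        remaining, proceeds = notional, 0.0
        for tranche_usd, discount in depth[asset]:
            take = min(remaining, tranche_usd)
            proceeds += take * (1 - discount)
            remaining -= take
            if remaining <= 0:
                break
        detail[asset] = {"notional": notional, "proceeds": proceeds,
                         "shortfall": notional - proceeds}
    return detail, sum(d["proceeds"] for d in detail.values())


# Constructed balances: the hot wallet shows 0.5 ETH more on-chain than on
# the custodian statement (explained by an in-flight deposit) and 0.5 BTC
# more than the GL (an unposted deposit, which is a genuine break).
CHAIN = {"reserve-cold": {"BTC": 100.0}, "ops-hot": {"ETH": 1000.0, "BTC": 2.5}}
CUSTODIAN = {"reserve-cold": {"BTC": 100.0}, "ops-hot": {"ETH": 999.5, "BTC": 2.5}}
LEDGER = {"reserve-cold": {"BTC": 100.0}, "ops-hot": {"ETH": 1000.0, "BTC": 2.0}}
IN_FLIGHT = {("ops-hot", "ETH"): 0.5}

PRICES = {"BTC": 60_000.0, "ETH": 3_000.0}
DEPTH = {  # constructed: deeper tranches fill at a larger discount to spot
    "BTC": [(1_000_000, 0.001), (5_000_000, 0.005), (float("inf"), 0.02)],
    "ETH": [(500_000, 0.002), (2_000_000, 0.01), (float("inf"), 0.03)],
}

if __name__ == "__main__":
    for b in reconcile(CHAIN, CUSTODIAN, LEDGER, IN_FLIGHT):
        print(f"BREAK {b.account} {b.asset}: chain {b.chain} vs {b.source} {b.other} (diff {b.diff:+})")
    detail, total = liquidation_proceeds(aggregate(CHAIN), PRICES, 0.25, DEPTH)
    for asset, d in detail.items():
        print(f"{asset}: notional {d['notional']:,.0f} proceeds {d['proceeds']:,.0f} shortfall {d['shortfall']:,.0f}")
    print(f"total proceeds for selling 25%: {total:,.0f} USD")
```

The in-flight map is the important detail: without it the ETH difference is a break every day until the custodian posts the deposit, and a team that learns to ignore recurring breaks will also ignore the one that matters. The depth schedule is deliberately crude; replacing it with quotes from your OTC desks gives the same function a defensible number for the board.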
Insurance, legal & compliance

Insurance can reduce risk but rarely covers all loss scenarios. Aim for layered protections:

  • Custodian-provided insurance for operational compromise.
  • Standalone corporate crypto insurance policies for theft or internal fraud.
  • Legal opinions around custody model to support auditors and regulators.

Ensure KYC/AML programs are robust — especially for counterparties. Establish playbooks for subpoenas, regulatory inquiries, and forensic investigations.

Monitoring, alerts and rapid response

Continuous monitoring is essential. Key items to monitor:

  • Unusual outbound transfers (non-allowlisted destinations, amounts outside the wallet's normal range) or changes in signer behavior (new signing devices, confirmations at unusual hours).
  • New on-chain approvals or contracts interacting with treasury-controlled addresses; an unlimited token approval to an unfamiliar contract deserves an immediate page, not a line in a daily digest.
  • Price and liquidity shocks affecting the ability to execute conversions.

Set up automated alerts and a response RACI: who freezes assets, who contacts the custodian, who liaises with legal, and who informs the board. Regular tabletop exercises improve readiness.
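To make the monitoring list concrete, here is an added example written for this page, not code from the article or from any monitoring product: a handful of detection rules run over a constructed, already-normalized event log covering outbound transfers, ERC-20 approvals and multisig confirmations. The addresses, signer names, thresholds and events are all constructed; in practice the events would be decoded from chain logs and the wallet provider's confirmation feed.

```python
"""Rule-based monitoring of treasury addresses: outbound transfers to
destinations outside the allowlist, large transfers, new or unlimited
token approvals, and anomalous signer confirmations.

Added example, not code from the original article or any monitoring
product. Addresses, signer names, thresholds and the event log are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

UNLIMITED = 2**256 - 1   # the value used by "infinite" ERC-20 approvals

# Constructed configuration: what the treasury considers normal.
CONFIG = {
    "treasury": {"0xTreasurySafe", "0xOpsHot"},
    "dest_allowlist": {"0xVendorA", "0xExchangeDesk"},
    "spender_allowlist": {"0xApprovedDexRouter"},
    "signers": {"alice", "bob", "carol"},
    "business_hours_utc": (8, 20),      # confirmations expected in [08:00, 20:00)
    "large_transfer_usd": 250_000,
}
PRICES_USD = {"ETH": 3_000.0, "USDC": 1.0}  # constructed spot prices


@dataclass
class Alert:
    severity: str
    rule: str
    detail: str


def scan(events: list, cfg: dict) -> list:
    """Apply the monitoring rules to normalized events. Each event is a dict
    whose "type" is transfer, approval or confirmation."""
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "transfer" and e["from"] in cfg["treasury"]:
            usd = e["value"] * PRICES_USD[e["asset"]]
            if e["to"] not in cfg["dest_allowlist"]:
                alerts.append(Alert("high", "unlisted_destination",
                                    f"{e['from']} -> {e['to']} {e['value']} {e['asset']}"))
            if usd > cfg["large_transfer_usd"]:
                alerts.append(Alert("medium", "large_transfer",
                                    f"{e['from']} -> {e['to']} {usd:,.0f} USD"))
        elif e["type"] == "approval" and e["owner"] in cfg["treasury"]:
            unlimited = e["value"] == UNLIMITED
            if e["spender"] not in cfg["spender_allowlist"]:
                alerts.append(Alert("critical" if unlimited else "high", "new_approval",
                                    f"{e['owner']} approved {e['spender']} for "
                                    f"{'unlimited' if unlimited else e['value']} {e['asset']}"))
            elif unlimited:
                alerts.append(Alert("medium", "unlimited_approval",
                                    f"{e['owner']} gave unlimited {e['asset']} approval to {e['spender']}"))
        elif e["type"] == "confirmation":
            if e["signer"] not in cfg["signers"]:
                alerts.append(Alert("critical", "unknown_signer",
                                    f"{e['signer']} confirmed proposal {e['proposal']}"))
            start, end = cfg["business_hours_utc"]
            if not start <= ts.hour < end:
                alerts.append(Alert("medium", "off_hours_confirmation",
                                    f"{e['signer']} confirmed {e['proposal']} at {ts:%H:%M} UTC"))
    return alerts


# Constructed event log for one day, already normalized from chain data and
# the multisig's confirmation feed.
EVENTS = [
    {"type": "transfer", "ts": "2024-06-10T09:05:00", "from": "0xOpsHot", "to": "0xVendorA", "asset": "ETH", "value": 20},
    {"type": "transfer", "ts": "2024-06-10T09:40:00", "from": "0xOpsHot", "to": "0xUnknown", "asset": "ETH", "value": 5},
    {"type": "transfer", "ts": "2024-06-10T10:15:00", "from": "0xTreasurySafe", "to": "0xExchangeDesk", "asset": "ETH", "value": 150},
    {"type": "approval", "ts": "2024-06-10T11:00:00", "owner": "0xOpsHot", "spender": "0xApprovedDexRouter", "asset": "USDC", "value": 1000},
    {"type": "approval", "ts": "2024-06-10T11:02:00", "owner": "0xTreasurySafe", "spender": "0xNewContract", "asset": "USDC", "value": UNLIMITED},
    {"type": "confirmation", "ts": "2024-06-10T03:12:00", "signer": "alice", "proposal": "tx-41"},
    {"type": "confirmation", "ts": "2024-06-10T10:00:00", "signer": "mallory", "proposal": "tx-42"},
]

if __name__ == "__main__":
    for a in scan(EVENTS, CONFIG):
        print(f"[{a.severity:8}] {a.rule:24} {a.detail}")
```

The approval rules matter more than they look: a token approval moves no funds, so it never trips a spending limit, yet an unlimited approval to an attacker's contract lets that contract drain the balance later without any further signature. That is why the example rates it critical and why the RACI should name who revokes approvals, not only who freezes transfers.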

Smart contract and staking risk

If you stake ETH or interact with DeFi, treat those exposures separately. Staking introduces lock-up, slashing, and counterparty risk. Controls I apply to DeFi activities:

  • Dedicated DeFi policy with approvals from CFO and CRO.
  • Small, phased tests on new protocols and third-party audits as prerequisites.
  • Cap the percentage of treasury allocated to staking or yield strategies.

Key management, succession and disaster recovery

Key management plans must cover employee turnover, lost devices, and catastrophic events. Document key roles, replacement processes, and key rotation schedules. For multisig, ensure signatories are diverse across geography and legal entities.

  • Store recovery data (encrypted) in multiple secure locations with escrowed access.
  • Practice recovery annually — ensure you can reconstruct a signing quorum under stress.

When you combine governance, layered custody, clear workflows, counterparty diligence, and active monitoring, you create a treasury posture that both protects the company and preserves the agility needed for operations. Practicality matters: controls should be tested under real operational scenarios and iterated as technologies evolve.