Adding Bitcoin or Ether to a corporate treasury is more than a headline-grabbing decision — it’s a shift in risk profile, accounting treatment, operational processes and governance. Having guided leaders through strategic decisions, I’ve seen companies move too quickly without sufficient controls in place. Below are the concrete risk controls I recommend every CFO implement before allocating corporate capital to cryptocurrency.
Governance and policy framework
First, set the guardrails. I always start with a formal treasury cryptocurrency policy that is approved by the board (or relevant committee). This policy should clearly define:
- Objectives: Why hold crypto? (hedge, store of value, liquidity management, strategic investment)
- Permitted assets: Which tokens are allowed (e.g., BTC, ETH) and under what circumstances
- Allocation limits: Max percent of total cash or total assets that can be allocated
- Time horizons: Minimum holding periods, rebalancing triggers, and exit conditions
- Roles and responsibilities: Who approves trades, signs custody instructions, and monitors exposures

Documenting this ensures decisions are repeatable and auditable — and prevents ad-hoc bets disguised as “treasury diversification.”
Legal, regulatory and tax review
Before any buy, I insist on a legal assessment. Crypto regulations and tax treatments vary by jurisdiction and evolve rapidly.
- Regulatory compliance: Confirm whether the company needs licensing to custody, transact, or advertise holdings in each operating jurisdiction.
- Tax implications: Clarify whether holdings are treated as financial assets, inventory, or property — this affects timing of gains recognition and reporting requirements.
- Contract review: Evaluate terms of custody agreements, prime brokerage arrangements, and counterparty contracts for insolvency and dispute resolution clauses.

Custody and operational security
Custody is the single most consequential operational decision. I recommend a tiered custody model with multiple controls:
- Institutional custody providers: For most corporates, using regulated custodians like Coinbase Custody, BitGo, or a bank offering custody reduces operational risk.
- Multi-signature wallets: If self-custody, implement robust multisig (e.g., 2-of-3 or 3-of-5) with geographically separated signers and hardware security modules (HSMs).
- Key management policies: Define key generation, backup, rotation and destruction procedures. Store backups in secure, air-gapped locations.
- Access controls: Enforce least privilege, MFA, segregated duties, and periodic access reviews.
- Incident response: Have a tested playbook and vendor contacts for suspected compromise, theft, or network-related issues.

Accounting, reporting and auditability
Accounting treatment directly influences reported earnings and balance sheet presentation. Work with external auditors early.
- Accounting policy: Decide whether crypto will be classified as intangible assets, inventory, or financial instruments according to applicable GAAP/IFRS.
- Valuation and impairments: Establish mark-to-market or impairment recognition rules, frequency of valuation and disclosure templates.
- Internal controls: Implement transaction logging, reconciliation processes between custody provider reports and general ledger, and reconciliation cadence.
- Audit trails: Ensure custodians can provide transaction histories, proof-of-reserve (when applicable), and attestations for auditors.

Risk management and exposure controls
Crypto introduces unique market and liquidity risks. Translate those into measurable limits and triggers.
- Concentration limits: Cap exposure by asset (BTC vs ETH), by counterparty (custodian), and by network (smart-contract risk for tokens).
- Volatility buffers: Hold a liquidity buffer or maintain hedges to cover margin or cash-flow volatility.
- Stress testing: Run scenarios for price shocks (e.g., 30-50% drawdowns), custodial failure, or on-chain congestion to quantify potential balance sheet and cash impacts.
- Stop-loss and rebalancing rules: Define objective, pre-approved triggers for rebalancing or de-risking positions.

Liquidity and settlement controls
Unlike cash, crypto liquidity and settlement characteristics vary by exchange and market conditions.
- Access to liquidity: Maintain relationships with multiple liquidity providers/exchanges for execution and redemption.
- Settlement risk: Define acceptable settlement windows, and prefer on-chain settlement with custody confirmations over derivative promise-only exposures.
- Cash management integration: Ensure the treasury system recognizes crypto positions and their FX implications for consolidated cash forecasting.

Counterparty and custody due diligence
I treat counterparty selection like bank selection — due diligence is non-negotiable.
- Operational resilience: Review the custodian’s SOC reports, insurance coverage, and proof-of-reserves practices.
- Financial health and regulatory standing: Check capitalization, licensing, and any enforcement history.
- Service-level agreements: Negotiate SLAs for transaction times, recovery, and escalation.

Insurance and third-party protections
Insurance won't cover every scenario, but it reduces tail risk.
- Crime insurance: Seek policies that cover private key theft, employee theft and third-party fraud.
- Custodian coverage: Verify what portion of assets held by custodians are insured and under what conditions.
- Policy limits and exclusions: Confirm deductibles, territorial limits and exclusions related to crypto-specific incidents.

AML/KYC and sanctions screening
Treasury-held crypto must meet the same compliance standards as fiat holdings.
- Source-of-funds verification: Establish procedures to validate provenance for material deposits.
- Sanctions and transaction monitoring: Use vendors and on-chain analytics (Chainalysis, TRM Labs, Elliptic) to screen counterparties and monitor inflows/outflows for illicit activity.

Hedging and treasury operations
Hedging capabilities can protect balance sheet and cash flow. I prefer strategies that are transparent and governed.
- Derivatives: Use futures, options or forwards via regulated venues to hedge price exposure where appropriate.
- Hedge documentation: Tie hedging activity to the treasury policy with clear objectives, not speculative trading.
- Collateral management: Understand margin and collateral mechanics to avoid liquidity traps in stressed markets.

Monitoring, reporting and KPIs
Ongoing visibility is the only way to know whether controls are effective.
- Daily reconciliation: Cash and token balances between custodian reports and treasury ledger.
- Risk dashboard: Track exposure by asset, counterparty, liquidity, realized/unrealized P&L and stress-test outcomes.
- Board reporting: Provide periodic, concise reports to the board outlining position sizes, compliance status and any incidents.

Training, culture and vendor management
People make or break security programs. Invest in training and vendor governance.
- Staff training: Regularly train treasury, finance and security teams on operational procedures and phishing/OPSEC risks.
- Vendor oversight: Conduct periodic vendor audits, renew due diligence and rotate counterparties if concentration becomes a risk.

Practical checklist
| Control | Implemented (Y/N) | Owner |
| --- | --- | --- |
| Board-approved crypto treasury policy | | Finance / Legal |
| Legal/regulatory sign-off | | Legal |
| Institutional custody contract | | Treasury |
| Accounting treatment agreed with auditors | | Accounting |
| Multisig/HSM key management | | Security Ops |
| Insurance coverage reviewed | | Risk |
| AML/KYC and screening tools in place | | Compliance |
| Hedging plan (if applicable) | | Treasury |
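
For the "Multisig/HSM key management" row and the custody section's advice on 2-of-3 or 3-of-5 multisig with geographically separated signers, the following added example (not from the original article or any custodian's tooling) checks whether a signer layout is actually separated: no single site can reach the signing threshold alone, and losing any single site does not lose quorum. The function names, signer roles and site labels are assumptions made for illustration.

```python
from collections import Counter

def min_sites_to_reach(site_counts, needed):
    """Fewest sites whose signers add up to `needed` (largest sites first)."""
    total = 0
    for used, count in enumerate(sorted(site_counts, reverse=True), start=1):
        total += count
        if total >= needed:
            return used
    raise ValueError("needed exceeds total number of signers")

def assess_layout(threshold, signer_sites):
    """Assess an m-of-n layout; signer_sites maps signer -> physical site."""
    n = len(signer_sites)
    if not 1 <= threshold <= n:
        raise ValueError("threshold must be between 1 and the signer count")
    counts = list(Counter(signer_sites.values()).values())
    # Compromise view: how many sites must be taken over to collect m keys.
    sites_to_sign = min_sites_to_reach(counts, threshold)
    # Availability view: quorum is lost once n - m + 1 signers are unreachable.
    sites_to_halt = min_sites_to_reach(counts, n - threshold + 1)
    return {
        "scheme": f"{threshold}-of-{n}",
        "sites_to_sign": sites_to_sign,
        "sites_to_halt": sites_to_halt,
        "separated": sites_to_sign >= 2 and sites_to_halt >= 2,
    }

# Constructed layouts; signer roles and site labels are placeholders.
LAYOUTS = {
    "2-of-3, two signers share a site": (
        2, {"cfo": "site-a", "treasurer": "site-a", "ciso": "site-b"}),
    "2-of-3, one signer per site": (
        2, {"cfo": "site-a", "treasurer": "site-b", "ciso": "site-c"}),
    "3-of-5, split 3/2 over two sites": (
        3, {"s1": "site-a", "s2": "site-a", "s3": "site-a",
            "s4": "site-b", "s5": "site-b"}),
    "3-of-5, split 2/2/1 over three sites": (
        3, {"s1": "site-a", "s2": "site-a", "s3": "site-b",
            "s4": "site-b", "s5": "site-c"}),
}

if __name__ == "__main__":
    for name, (m, sites) in LAYOUTS.items():
        print(name, assess_layout(m, sites))
```

A layout reporting `sites_to_sign` of 1 depends on the security of one location regardless of the nominal threshold, and `sites_to_halt` of 1 means a single site outage freezes the funds.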
Bringing crypto into the corporate treasury can make strategic sense, but only if you build the right controls first. Treat it like any material financial innovation — carefully documented policy, legal clearance, rigorous custody and operational practices, and continuous oversight. When you do this work up front, you transform what could be a risky headline into a well-governed strategic asset.