ZYC-RSK-001 - Business-Wide Risk Assessment (BWRA) Policy

Version: 1.0

Owner: Compliance Officer (SMF16)

Reviewer: Zeyro Board

Next Review: Oct 2026


1. Purpose

This policy explains how Zeyro identifies, analyses, and mitigates risks across the business. It sets out:

  • how we conduct our Business-Wide Risk Assessment (BWRA)

  • the principles that inform our thinking

  • the scoring and prioritisation model

  • the role of fragility in shaping risk interpretation

  • how the BWRA evolves as the business, clients, markets, and regulations change

The BWRA is a living assessment of Zeyro’s risk exposure.


2. Scope

This policy applies across all Zeyro services, including:

  • cryptoasset financial promotion approvals

  • OFR fund financial promotion approvals

  • facilities services and MiFID-related activity

It covers risks relating to:

  • people and governance

  • client and market integrity

  • financial crime

  • financial promotions

  • regulatory compliance

  • data protection and information security

  • technology and outsourcing

  • operational processes

  • business continuity and resilience

  • strategic and business model risk

The BWRA is updated whenever new risks arise or existing risks change.


3. Risk Philosophy

Zeyro’s risk framework recognises that the world is not predictable, linear, or stable. Instead:

  • rare events dominate outcomes

  • risks often interact and reinforce one another

  • some failures are sudden and irreversible

  • regulatory and market conditions shift rapidly

  • human behaviour is difficult to model

  • technology evolves faster than governance

Given this environment, Zeyro emphasises:

3.1 Exposure rather than probability

Probabilities of rare events are unreliable.

Exposure to harm is measurable and controllable.

3.2 Fragility instead of simple impact

Fragility describes how sharply the business deteriorates under stress.

Some systems fail gradually; others fail suddenly.

3.3 Correlation & cascading behaviour

Risks rarely occur in isolation.

A small incident can cascade across domains (e.g., operational → regulatory → reputational).

3.4 Opacity & unknowns

We distinguish between:

  • known risks

  • uncertainties with unclear boundaries

  • unknown unknowns where exposure must be reduced because prediction is impossible

3.5 Optionality & antifragility

Some processes improve under stress.

Monitoring, incidents, and feedback loops strengthen the firm.

The BWRA is therefore a tool for resilience, not prediction.


4. BWRA Structure

The BWRA is organised into modules, rather than constrained to a rigid checklist.

This approach ensures cross-domain risks are captured properly.

Modules include:

  1. People & Governance

  2. Client & Market Integrity

  3. Financial Crime (AML/CTF/PF)

  4. Financial Promotions

  5. Regulatory Compliance

  6. Data Protection & Information Security

  7. Technology & Outsourcing

  8. Operational Process Risk

  9. Business Continuity & Resilience

  10. Strategic & Business Model Risk

Each module contains:

  • identified risks

  • exposure & severity analysis

  • fragility classification

  • mitigation maturity

  • a final scored rating and prioritisation


5. Risk Identification

Zeyro identifies risks through:

  • operational experience

  • onboarding findings

  • finprom reviews

  • monitoring outputs (web, app, social, vendor, incident logs)

  • breaches, near-misses, and lessons learned

  • regulatory changes and horizon scanning

  • market events and industry failures

  • client behavioural signals

  • staff feedback

  • governance discussions

New risks are added as they arise, not only at annual review.


6. Risk Assessment Model

Each risk is assessed across four dimensions:

6.1 Exposure (E)

The degree to which Zeyro is exposed to the risk.

Range: 1–5

6.2 Severity (S)

Impact if the risk crystallises, including regulatory, operational, commercial, and reputational harm.

Range: 1–5

6.3 Mitigation Maturity (M)

Effectiveness of controls and resilience measures:

  • Weak

  • Adequate

  • Strong

  • Antifragile

Converted to a 1–5 score.

6.4 Fragility

A qualitative judgement describing how the business responds to stress:

  • Fragile — small shocks cause large or irreversible harm

  • Robust — absorbs stress with limited degradation

  • Antifragile — stress improves processes or resilience

Fragility is not numerically scored; it is a modifier applied after the numerical score.


7. Scoring Model

To meet FCA expectations, a numerical model is retained:

This provides a consistent framework while allowing for judgement.


7.1 Risk Bands

Final scores fall into the following bands:

Band        Score Range                     Interpretation

Low         1 – 4                           Routine operational risk; existing controls are sufficient.

Medium      5 – 9                           Elevated risk requiring periodic monitoring or targeted mitigation.

High        10 – 14                         Significant risk requiring proactive management attention.

Critical    15+ or any “Fragile + High”     Material risk that may threaten business stability; Board visibility required.

Risk bands guide prioritisation and monitoring frequency.


7.2 Fragility Modifier

After scoring, the fragility classification adjusts how the score is interpreted:

  • Fragile: treat the risk as one band higher than its numerical score.

  • Robust: no modification.

  • Antifragile: record optionality, but do not reduce the score.

Fragility avoids false precision while ensuring that nonlinear exposures are accounted for.


8. Mitigation Strategy

Mitigations fall into five classes:

8.1 Removal

Eliminating the exposure entirely (e.g., refusing prohibited assets).

8.2 Reduction

Lowering exposure, fragility, or dependency.

8.3 Detection

Early identification of emerging risks (monitoring, surveillance, audit sampling).

8.4 Buffering

Capacity to absorb shocks (redundancy, backup systems, multi-skilling).

8.5 Optionality

Creating situations where variation or stress improves the system.

Mitigations focus on resilience rather than prediction.


9. Review & Governance

  • BWRA is updated continuously as risks evolve.

  • Full formal review annually.

  • Compliance Officer (SMF16) owns the BWRA.

  • Board reviews and challenges the assessment.

  • NED provides independent oversight.

  • Updates triggered by:

    • regulatory changes

    • incidents or near misses

    • new services or clients

    • vendor or technology changes

    • emerging threats or patterns

The BWRA is stored in Confluence.


10. Document & Record Keeping

All BWRA materials — including methodology, historic versions, working notes, and updated tables — are retained in accordance with ZYC-DATA-001 (Information Security & Data Protection Policy).


11. Document Control

Version: 1.0

Change Notes: Introduction of fragility modifier and enhanced exposure–severity–mitigation model.

Owner: Compliance Officer (SMF16)

Reviewer: Zeyro Board

Next Review: Oct 2026

Last updated