ZYC-RISK-001 Risk Management Policy

(Applies to all Zeyro staff, directors, contractors, and consultants — Updated October 2025)


Background

Zeyro is authorised by the FCA and must maintain sound risk-management systems under SYSC 4.1.1R and Principle 3 (Management and Control). Our approach to risk management is proportionate to the scale and complexity of our business. We do not hold client money or assets, but we do carry conduct, operational, and financial-crime risks arising from our activities in financial promotion approval and arranging services.

This policy works alongside the ZYC-GOV-001 Governance Framework and the Business-Wide Risk Assessment (BWRA), which together form Zeyro’s system of internal control.


Purpose

To ensure Zeyro:

  • Identifies, assesses, and monitors risks that could affect the firm, its clients, or consumers.

  • Maintains proportionate systems and controls to mitigate those risks.

  • Embeds a culture of accountability and transparency in risk ownership.


Scope

Applies to all business lines and functions, including:

  • Financial promotion approvals (cryptoassets and OFR funds);

  • Facilities (arranging) services; and

  • Supporting functions such as compliance, operations, and governance.


Key Principles

1. Governance and Responsibility

  • The Board has ultimate responsibility for risk management.

  • The MLRO / Compliance Officer maintains the BWRA, oversees risk reporting, and ensures controls remain effective.

  • Wayne Green manages operational and staff-related risks.

  • Giles Swan (NED) provides independent oversight and challenge to the Board’s risk decisions.

Controls risk by ensuring accountability and independent challenge are embedded at governance level.


2. Risk Framework

Zeyro’s risk framework is built on four pillars:

  1. Identification – recognising risks through the BWRA, client feedback, and ongoing monitoring.

  2. Assessment – rating risks using likelihood and impact scales (Low, Medium, High).

  3. Mitigation – implementing proportionate controls (policies, systems, oversight).

  4. Monitoring – reviewing risk effectiveness via the BWRA and Board reports.

Controls risk by creating a structured, repeatable process that aligns with FCA expectations.


3. Risk Categories

Zeyro’s primary risk types include:

  • Regulatory Risk: Breach of FCA rules, particularly around financial promotions or AML controls.

  • Conduct Risk: Poor conduct by the firm or its clients leading to consumer harm or reputational damage.

  • Financial Crime Risk: Exposure to money laundering, terrorist financing, or fraud.

  • Operational Risk: Failures in systems, technology, or human error.

  • Reputational Risk: Public, media, or stakeholder criticism arising from client misconduct or from the firm’s own failings.

Controls risk by ensuring all material risks are visible and categorised consistently in the BWRA.


4. Business-Wide Risk Assessment (BWRA)

  • The BWRA undergoes a full review at least annually and after any major business or regulatory change.

  • Each risk entry includes:

    • Description and category

    • Likelihood and impact

    • Mitigation / controls

    • Residual risk rating

    • Responsible owner

  • The MLRO updates the BWRA and presents it to the Board for approval each quarter.

  • The Board minutes the discussion and any agreed actions.

Controls risk by maintaining a live, Board-owned view of the firm’s risk profile.


5. Escalation and Incident Management

  • Any control failure, breach, or near miss must be reported to the MLRO immediately.

  • The MLRO assesses severity and reports significant incidents to the Board.

  • Material breaches or risks with consumer impact are reported to the FCA without delay.

Controls risk by ensuring rapid escalation and compliance with Principle 11 (Relations with Regulators).


6. Risk Appetite

  • The Board defines and reviews Zeyro’s risk appetite annually.

  • Current appetite:

    • Zero tolerance for regulatory breaches or financial-crime facilitation.

    • Low tolerance for operational disruption or reputational harm.

    • Moderate tolerance for innovation and client onboarding risk, provided controls are effective.

Controls risk by aligning operational decisions with clear Board-approved limits.


7. Monitoring and Reporting

  • Risk indicators (e.g., number of promotion withdrawals, compliance breaches, or control exceptions) are tracked quarterly.

  • The MLRO reports to the Board using the BWRA as the primary tool for review.

  • The Board confirms whether residual risks remain within appetite.

Controls risk by linking risk data directly to Board oversight and decision-making.


8. Continuous Improvement

  • Lessons learned from incidents are documented and built into the BWRA.

  • Policies and controls are updated to reflect new risks or regulatory developments.

  • The MLRO ensures training incorporates relevant case studies and updates.

Controls risk by closing the loop between lessons, controls, and behaviour.


Document Control

Field                      Details
Policy Code                ZYC-RISK-001
Policy Title               Risk Management Policy
Document Owner             Gareth Malna – MLRO (SMF 16 & 17)
Responsible Reviewer(s)    Zeyro Board
Version                    v1.0
Date Approved              October 2025
Next Scheduled Review      October 2026
Last Reviewed By           Gareth Malna
Change History             v1.0 (Oct 2025): Initial creation defining Zeyro’s proportionate risk-management framework integrated with the BWRA and SMCR governance structure.
Classification             Internal policy – distributed to all staff; available to regulators on request.

Last updated