Date: 26th September 2024
Version: 1.0
We have a Risk Management Framework approved at the Board of Directors level. It covers how we apply our risk management approaches: target Risk Appetite statements, risk identification and assessment to determine the inherent risk level, how controls are designed, and how the residual risk level is determined from the risk modification achieved by executing those controls. Risk treatments are also categorised, and any resulting action plans are defined for management tracking. If a risk is assessed to be outside of appetite and a risk acceptance is required, this is brought to the attention of Senior Management for their approval and then to the Board of Directors for their review and approval.
We have developed an innovative approach to risk assessment that integrates predefined non-financial impact ranges, sourced across various domains such as Business Continuity, Operational Risk, Compliance, and Information Security. This integration allows for a holistic view of potential impacts. Financial loss impacts are considered alongside these non-financial impacts, providing a comprehensive assessment of potential risks. Our likelihood assessment is based on statistical data from the last two years, ensuring an evidence-based approach to risk management.
We use multiple operational risk tools to assess our operational risks, covering new initiatives in line with Principle 7 of the Basel Principles of Operational Risk. This allows us to maintain our understanding of the risk profile arising from change. We have conducted a Risk Control Self Assessment to determine the inherent risks for our business processes, which were sourced from our business impact analysis; the inherent risk level was then determined using our risk assessment matrix. From this we have considered appropriate controls to modify the likelihood and impact levels, taking into account the operational and design effectiveness of each control. Residual risks are then assessed for potential risk treatment, with action plans to bring the risk level back within our risk appetite. We test the controls attached to these risks using a sampling technique. Operational risk events which disrupt our operations are also assessed, with the root cause determined and both corrective and preventive actions defined and tracked for Management awareness.
Our supply chain is assessed using a third-party risk assessment approach that considers the legal risks of contracts, the potential impact of service disruptions, the security arrangements in place, and the availability of alternative suppliers. This comprehensive approach ensures that our supply chain remains robust and resilient, capable of supporting our operational needs without introducing undue risk.
We consider emerging risks using a threat risk assessment. We identify emerging risks through horizon scanning and assess them at the inherent level using our risk assessment approach. Potential threats that are confirmed as risks are then taken forward through control design and residual risk assessment.
We also consider Fraud risks and Technology risks using the same method of risk assessment. Fraud Risks are considered in both an internal and an external context. We support the Association of Certified Fraud Examiners (ACFE) and participated in their annual Fraud Awareness Week campaign in November 2023, and will do so again in November 2024. In supporting this association, we are able to leverage professional collateral relating to Fraud and Fraud Risk, which we have, in turn, used in our internal campaigns and also to inform our clients.
In the realm of information security, we identify vulnerabilities and threats to our information assets, implementing controls based on ISO 27001:2022 standards for information security management. Our ISO 27001:2022 accreditation validates our commitment to maintaining high standards of information security, cybersecurity, and privacy protection. We also consider potential opportunities arising from identified risks, ensuring a balanced approach to risk management.
The performance of our Risk Management Framework is reported monthly to our Audit, Risk and Compliance Committee, which includes the Chief Executive Officer, Compliance Officer, Risk Officer, and Internal Audit. This focused forum reviews performance metrics related to operational risk events, new initiative risk assessments, third-party risk assessments, and the overall risk management program. Additionally, quarterly performance reports are presented to our Board of Directors, ensuring ongoing oversight and accountability.
Assessing the risks associated with client activities involves applying business risk methodologies to determine AML and CTF risks. Each transaction undergoes scrutiny using the ‘know your transaction’ technique, supported by specialist tools like Elliptic, which traces the last five transactions of a cryptocurrency. This thorough approach helps us identify potential risks related to the source of funds and client sanctions, positioning us to manage these risks effectively within the broader cryptocurrency financial system. Suspicious transactions are reportable to the Central Bank of the UAE, ensuring compliance with regulatory requirements.
To ensure clients are fully informed about the specific risks associated with cryptocurrency usage, Tungsten provides a Risk Disclosure Statement. This statement details the potential risks, including capital loss due to value depreciation and possible thefts arising from technology vulnerabilities. By informing clients of these risks upfront, we foster transparency and trust.
Our Risk Management approach is integrated into our sales collateral, providing prospective clients with a comprehensive overview of our risk management processes. This information helps clients understand how they will interact with our risk management framework and what it means for their relationship with Tungsten. Feedback from prospective clients is used to refine our approach and benchmark against industry standards, ensuring continuous improvement and alignment with client expectations.
Staff education and awareness are critical components of our risk management strategy. We share monthly fraud risk articles with staff, covering topics such as automated payment fraud, one-time password vulnerabilities, and mobile phone security concerns. These personal articles help cultivate a risk-aware culture within Tungsten. Additionally, staff receive direct training on information security risks and our operational risk management tools, including operational risk event reporting, third-party risk assessment, risk control self-assessment, and control testing.
Tungsten’s commitment to excellence is reflected in our ISO 27001:2022 accreditation for information security management systems and our SOC 2 Type 2 accreditation. These certifications, which required rigorous external audits, affirm the effectiveness of our enterprise risk management approach and our adherence to high standards of security and operational integrity.
©2024 Tungsten Custody Solutions Ltd. All rights reserved.
Tungsten provides no legal, tax, investment, or other advice. Please consult your legal/tax/investment professional for questions about your specific circumstances. Virtual asset holdings involve a high degree of risk and can fluctuate greatly on any given day. Accordingly, your virtual asset holdings may be subject to large swings in value and may even become worthless.
Tungsten Custody Solutions Ltd is Regulated by the ADGM Financial Services Regulatory Authority with Financial Services Permission Number 220129.