GIP 32 - Goldfinch Risk Appetite Statement

Authors : CRobins, General Counsel of Warbler Labs

Summary : The Goldfinch Risk Appetite Statement outlines the level of risk that the Goldfinch community is willing to take on. The proposed statement identifies five categories of risk: credit risk; treasury risk; legal and regulatory risk; protocol/smart contract risk; and reputational risk.

Motivation : As described in the GIP-31 (Goldfinch Risk Management Framework), a risk appetite statement is an integral part of a robust risk management framework. A risk appetite statement will help the Goldfinch community make risk-informed decisions regarding the allocation of protocol resources and protocol risk management controls.

Specification & Requirements : GOLDFINCH RISK APPETITE STATEMENT

  1. Introduction

Since the inception of decentralized finance (“DeFi”), developers of various protocols have devoted a significant amount of time and resources to risk management. Driven largely by the perception that smart contract risk is the most significant risk a DeFi protocol will face, most risk management efforts have focused primarily on lengthy and expensive smart contract audits. These smart contract audits are without a doubt necessary and valuable tools to scrutinize code and identify potential vulnerabilities; however, as DeFi matures and continues to evolve, it is becoming increasingly important for DeFi protocols to take a more holistic approach to risk management. Although there are significant inefficiencies in traditional finance (“TradFi”) that DeFi endeavors to improve upon, there is also an opportunity for DeFi to leverage decades of risk management tools to best protect DeFi protocols and their users.

One of those tools is the development and use of an enterprise risk management (“ERM”) framework. ERM is a defined process to (i) identify, (ii) measure, (iii) monitor and report, and (iv) mitigate risk. The inherent nature of being decentralized, however, means there is no “enterprise” in the traditional sense. The absence of a centralized enterprise does not alleviate the need for the Goldfinch community to maintain sound controls to mitigate risk. In lieu of a traditional ERM, the Goldfinch community can and should develop a Goldfinch risk management (“GRM”) framework that draws upon key ERM principles, but is tailored for a decentralized set of actors and risks. The development of the GRM will allow the Goldfinch community to align on key risk terms, assess appropriate roles and responsibilities, and develop policies, procedures, and processes for risk identification, measurement, monitoring, reporting, and mitigation.

There is no “one size fits all” solution to risk management - controls must be tailored to mitigate specific risks, especially in DeFi. Goldfinch’s risk profile is distinct from most other DeFi protocols. The terms of Goldfinch loans are generally longer than other DeFi protocols (typically two to four years), and all of the loans are secured by off-chain assets such as loan receivables from end-borrowers or physical assets. While the Goldfinch community generally views these as features of the Goldfinch protocol that provide additional protection to lenders, they do introduce certain risks that must be managed—namely credit risk and operational risk in the event of a default. Participants in traditional debt markets are very familiar with these risks.

As an initial first step in building the GRM, the Goldfinch community has adopted this risk appetite statement. A risk appetite statement is an agreed-upon statement describing the risk that stakeholders are willing to take on in order to achieve their strategic objectives. Risk appetite statements are integral components of ERMs.

  1. Culture of Compliance and Risk Management

Within TradFi Compliance and Audit functions, the term “Tone at the Top ‘’ is commonly used when discussing the cultural and ethical standards that an organization’s Board of Directors and management commit to upholding. The concept is useful in assessing how the standards and expectations that senior leadership establish trickle down throughout an organization and are ingrained in its day-to-day operations. Organizations with a strong tone at the top tend to place an emphasis on regulatory compliance and effective risk management, while those with a poor tone at the top are less likely to have effective controls to ensure regulatory compliance and risk management. As the name implies, in most organizations, the “tone” starts at the top. While this concept is quite useful in centralized organizations, there is no direct parallel in decentralized communities because there is no Board of Directors or senior leadership. Nonetheless, the principles behind “Tone at the Top” should not be lost on the Goldfinch community.

Instead of focusing on a “Tone at the Top” since there is no centralized leadership, Goldfinch and its community members are committed to establishing and maintaining a “Tone Throughout” that promotes a culture of integrity, compliance, and risk management. The Goldfinch community fosters a strong Tone Throughout by (i) ensuring transparency in all aspects of the protocol, (ii) encouraging all community members to identify and discuss risks, (iii) and relying on well-established risk management principles to protect the Goldfinch protocol, as well as its community members and borrowers.

  1. Risk Appetite Statements

Goldfinch and its community members will act in accordance with the community-approved risk appetite statement to achieve its strategic goals of protocol growth. Sound risk management practices will enable Goldfinch to operate effectively while managing its risk.

Each risk category receives a designation of low, medium, or high.

Low Events may result in little or no reduction of protocol activity and/or users, with little or no reputational or economic damage.
Medium Events may result in a reduction of protocol activity and/or users, but the effects would not result in significant reputational or economic damage.
High Events would likely cause a significant reduction in protocol activity and users, and the protocol would likely not be able to recover from the reputational and/or economic damage.

A. Credit Risk

Credit Risk refers to the risk of default on a loan (or in the Goldfinch protocol’s case - a Borrower Pool) that may arise from a borrower’s failure to repay a loan. Goldfinch relies on lending practices that provide significant assurance that Borrower Pools will be repaid. However, Goldfinch endeavors to continue providing Borrowers, who are traditionally underserved by TradFi lenders, with access to credit. Goldfinch has a MEDIUM risk appetite for Credit Risk.

B. Treasury (Medium Risk Appetite)

The Goldfinch Foundation’s treasury (the “Goldfinch Treasury”) (i) enables the growth of the Goldfinch protocol and its community, and (ii) provides financial support for various efforts to ensure compliance with generally applicable laws and regulations. Treasury Risk refers to the risk that the Goldfinch Treasury’s financial resources will be impaired due to adverse economic conditions, reduction in assets within the Goldfinch Treasury, inefficient resource utilization, or increasing expenditures reducing the ability to successfully enable the growth of the Goldfinch protocol and its community. Goldfinch has a MEDIUM risk appetite for Treasury Risk.

C. Legal and Regulatory Risk

Legal Risk refers to the risk that the Goldfinch Foundation and its community members do not satisfy their obligations under applicable laws, regulations, global directives, or mandates. Although there is uncertainty regarding the legal and regulatory obligations of DAOs and DeFi participants, there are several activities, which impose strict liability that the protocol will not facilitate (e.g., sanctions violations). Goldfinch has a LOW risk appetite for Legal and Regulatory Risk.

D. Protocol/Smart Contract Risk

Protocol and Smart Contract (“PSC”) Risk refers to the risk that a design flaw or vulnerability in the protocol’s code or smart contracts could result in an attack or exploit that could cause financial harm to the Goldfinch Treasury, Goldfinch community members, or Goldfinch borrowers. A smart contract exploit could result in significant financial loss to the community. Goldfinch has a LOW risk appetite for PSC Risk.

E. Reputational Risk

Reputational Risk refers to the risk that negative perceptions jeopardize Goldfinch’s credibility, achievement of its mission and strategic objectives, or ability to maintain the protocol. Goldfinch is somewhat unique in the DeFi community given its strategic objective to serve as a bridge between TradFi and crypto. As Goldfinch continues to onboard TradFi participants such as banks, broker-dealers, hedge funds, and family offices, it must maintain a strong reputation focused on risk management and compliance. Goldfinch has a LOW risk appetite for Reputational Risk.

Benefits :

  • Helps the Goldfinch community better manage and understand its risk exposure;
  • Helps the Goldfinch community make informed risk-based decisions;
  • Helps the Goldfinch community allocate resources and understand risk/benefit trade-offs; and
  • Increases transparency for investors, stakeholders, regulators, and policymakers.

Downside : I do not believe there is a material downside to approving a Risk Appetite Statement.

Voting : A “yes” means that you support the approval of the Risk Appetite Statement. A “no” means that you do not support the approval of the Risk Appetite Statement.

Resources : None

1 Like

The proposal is quite good aiming to establish proper culture of complaince and risk management. In my opinion, the outlined risk categories are good enough for now.

Although “MEDIUM” gives here a sense, I am of a opinion that this should be quantified for each categories of risks if possible. For example, identifying the measurable metrics for credit risk appetite statement and what metric level constitutes low, medium and high profile.

As I understand Risk Management and Compliance normally falls under second line of defense in organizational framework and usually overseen by board audit/risk committee. Question remains who will oversee the risk management framework in protocol, although we are yet to establish risk mannagement framework :slightly_smiling_face:

All in all this is a good start.

1 Like

We should add macroeconomic risk given the current downturn of various economies. How can Goldfinch survive a bank run, if there would be? How can Goldfinch and its borrowers survive economic downturn?

1 Like

@decollation Thanks for your comment and your participation in the convo around governance! Trully appreciate it. Don’t you think that macroeconomic risks fall under a Credit Risk category, cause in case of deep recession there will be a higher probability of default on loan. This is actually what a Credit Risk is about!:slight_smile:

I would vote “yes” for this proposal, fully approving the Risk Appetite Statement.

This is great! I will vote “Yes”

Got it! Just want to make sure that the macroeconomic risks are covered as well!

1 Like

Sure, thanks!
Let’s vote! @decollation

Will vote “Yes” as well!

Council has approved the proposal.