Corporate Governance

RISK MANAGEMENT FRAMEWORK 

BITCOIN CAPITAL RESERVE LIMITED 
ACN 689 640 266 

Document Version: 1.0 
Effective Date: 8 October 2025 
Review Date: 8 October 2026 
Approved by: Board of Directors 

 

  1. PURPOSE AND SCOPE

1.1 Purpose 

This Risk Management Framework establishes the approach for identifying, assessing, managing and monitoring risks faced by Bitcoin Capital Reserve Limited (Company or BCR) as a Bitcoin treasury company listed on NSX. 

1.2 Application 

This Framework applies to all operations, decisions, and personnel of the Company. 

1.3 Risk Philosophy 

The Company: 

(a) Accepts high Bitcoin price volatility as inherent to its business model; 

(b) Has zero tolerance for risks that could result in permanent loss of Bitcoin through security breaches, fraud or operational failures; and 

(c) Maintains a disciplined approach to leverage and liquidity management. 

 

  2. GOVERNANCE STRUCTURE

2.1 Board Responsibilities 

The Board is ultimately responsible for: 

(a) Approving this Framework and risk appetite; 

(b) Approving major risk decisions (leverage, custody arrangements); 

(c) Monitoring risk exposures and effectiveness of controls; 

(d) Receiving quarterly risk reports from management. 

2.2 CEO Responsibilities 

The CEO is responsible for: 

(a) Implementing this Framework; 

(b) Day-to-day risk management; 

(c) Ensuring adequate resources for risk management; 

(d) Reporting material risks to the Board immediately; 

(e) Coordinating risk management across the team. 

2.3 CIO Responsibilities 

The CIO focuses on: 

(a) Bitcoin market and price risks; 

(b) Investment execution risks; 

(c) Custody and counterparty risks; 

(d) Portfolio monitoring and reporting. 

2.4 CTO Responsibilities 

The CTO focuses on: 

(a) Cybersecurity risks; 

(b) Technology infrastructure risks; 

(c) Operational technology controls; 

(d) Business continuity and disaster recovery. 

 

  3. KEY RISK CATEGORIES

The Board will establish and update risk categories from time to time to support effective risk mitigation. 

| Risk Category | Impact | Likelihood | Priority |
|---|---|---|---|
| Bitcoin Price Volatility | Very High | Very High | High |
| Custody & Security | Critical | Medium | Critical |
| Cybersecurity | Critical | Medium | Critical |
| Regulatory Compliance | High | Medium | High |
| Leverage & Liquidity | Very High | Low-Medium | High |
| Operational | Medium-High | Medium | Medium |
| Key Person | Medium | Medium | Medium |

 

  4. INCIDENT MANAGEMENT

4.1 Incident Response 

For any risk incident: 

  1. Contain – Immediate action to limit impact
     ↓
  2. Assess – Determine scope and severity
     ↓
  3. Report – Notify CEO, Board (if material)
     ↓
  4. Investigate – Root cause analysis
     ↓
  5. Remediate – Fix issue and improve controls
     ↓
  6. Document – Record incident and lessons learned
     ↓
  7. Review – Update risk assessments and controls

4.2 Business Continuity 

Critical Functions: 

  • Bitcoin custody access 
  • Financial reporting 
  • Regulatory compliance 
  • Stakeholder communication 

Recovery Time Objectives: 

  • Bitcoin transactions: 24 hours 
  • Financial systems: 48 hours 
  • Other operations: 5 business days 

Business Continuity Plans are maintained for:

  • Key personnel unavailability 
  • Office/system unavailability 
  • Custodian failure 
  • Major cybersecurity incident 

 

  5. FRAMEWORK REVIEW

5.1 Review Frequency 

This Framework is reviewed:

  • Annually by Board 
  • Following material incidents 
  • When business model changes 
  • When regulatory requirements change 

5.2 Continuous Improvement 

The Framework is updated based on:

  • Incident lessons learned 
  • Industry best practices 
  • Regulatory developments 
  • Stakeholder feedback 
  • Effectiveness of controls 

 

  6. ROLES AND RESPONSIBILITIES SUMMARY

| Role | Responsibilities |
|---|---|
| Board | • Approve Framework and risk appetite • Monitor risk exposures • Approve major risk decisions • Receive quarterly reports |
| CEO | • Implement Framework • Day-to-day risk management • Report to Board • Coordinate risk activities |
| CIO | • Bitcoin market and investment risks • Custody and counterparty risks • Portfolio monitoring |
| CTO | • Cybersecurity • Technology infrastructure • Business continuity • Security audits |
| All Personnel | • Follow procedures • Report incidents • Maintain awareness • Complete training |