Governance of a blockchain-enabled business is shared. It belongs to the board, to the audit committee, to the legal and compliance teams, to the technology function, and to the finance function. None of these can govern alone. The CFO is one of the authors, not the only author, and not the absent author.
What follows is the working definition of the CFO's contribution: the parts she owns, the parts she co-owns, and the parts she signals about but does not decide.
What governance means in this context
Governance is the structure that makes the entity's actions legible to the parties that have a legitimate interest in them — shareholders, regulators, auditors, customers, employees. It is not the same as risk management, though risk management is one of its components. It is not the same as compliance, though compliance is another. Governance is the architecture in which both operate.
For a blockchain-enabled business, the governance question is sharper than for a conventional one. The asset class is new. The control environment is new. The disclosure expectations are still being calibrated. The regulators are still calibrating their own expectations. A governance architecture that does not actively address each of these is a governance architecture that will fail at one of them, usually at the worst possible moment.
Five domains where the CFO is one of the authors
The CFO's contribution to blockchain governance concentrates in five domains.
- Treasury policy. The framework that specifies what the entity may hold, in what form, with what custody, under what limits. The CFO drafts it, the board approves it, the audit committee monitors compliance with it.
- Accounting and disclosure policy. The classification of crypto-assets, the valuation methodology, the disclosure of exposure and sensitivity. The CFO owns the policy, supported by the auditors and aligned with the standards.
- Regulatory perimeter. The mapping of the entity's activities to the applicable regulatory regimes — MiCA in the EU, the equivalent regimes elsewhere. The CFO co-owns this with the chief legal officer.
- Control environment. The controls that prevent, detect, and respond to errors and incidents in the crypto-asset operations. The CFO co-owns this with the CISO and the head of operations.
- Reporting to the board and audit committee. The cadence, format, and content of the reports that allow the oversight bodies to perform their function. The CFO authors these.
The audit committee's working papers
An audit committee overseeing a blockchain-enabled business needs a defined set of working papers that the CFO is responsible for producing or sourcing. The minimum useful set:
- The entity's treasury policy and any changes to it.
- The current position in each material crypto-asset, with classification, custody, and valuation source.
- The smart contract audit reports for each material contract dependency, with remediation status.
- The proof-of-reserves output, where published, with the validator and the methodology.
- The regulatory perimeter analysis and any changes to it.
- The list of incidents in the period, with root cause, financial impact, and remediation.
- The stress sensitivities at the calibrated price levels.
- The next-period regulatory deadlines and the entity's readiness for each.
Producing this pack consistently is the work that makes the audit committee functional. Absent it, the committee is overseeing by anecdote.
Where the CFO's authority ends
The CFO is not the right person to decide the technical architecture of the blockchain layer. She is not the right person to decide whether the entity should issue a token, or to set the tokenomics if it does. Those decisions belong to the board, supported by the appropriate executive functions.
The CFO's authority ends at the financial and control consequences of those decisions. She is entitled to insist that the financial consequences are understood, that the control consequences are managed, and that the disclosure consequences are met. She is not entitled to overrule a strategic decision on technical grounds, nor to delegate her responsibility for the financial consequences once the decision is made.
This boundary is uncomfortable but clarifying. A CFO who attempts to make strategic crypto decisions is overreaching. A CFO who declines to engage with the financial consequences of strategic crypto decisions is underreaching. The job is in between.
A practical sequence for the first 90 days
For a CFO arriving into a blockchain-enabled business, or assuming responsibility for a function that has acquired blockchain exposure, the first 90 days have a defensible pattern.
- Days 1-30. Inventory. What does the entity hold? Where? Under whose control? Under what policy? With what audit relationship? Documented, not anecdotal.
- Days 31-60. Policy gap analysis. Where does the existing policy match the actual position? Where does it lag? Where does it fail to address material risk? Draft the remediation.
- Days 61-90. Governance proposal to the audit committee. The remediation plan, the reporting pack, the cadence of review, the resourcing requirement. The first audit committee conversation sets the tone of the next several years.
None of this is exotic work. It is the work of any new CFO arriving in any complex function. The asset class is new. The discipline is not.
Two failure modes to plan against
Two failure modes are common enough in blockchain governance that the CFO should plan against them deliberately, rather than discovering them in incident review.
The first is governance by exception. The policy exists, the framework is documented, but the practical decisions are made outside the framework because the framework is too slow, too restrictive, or perceived as not fitting the case. Over time, the exceptions accumulate to the point where the policy describes a function that no longer exists. The remediation is to make the framework more usable, not to allow more exceptions. A policy that cannot survive its own application has the wrong content, not the wrong volume of permitted exceptions.
The second is governance by aspiration. The documentation describes controls that are not, in fact, operating. The audit reveals that the model exists on paper and not in practice. The remediation is to test the controls — by internal audit, by management self-assessment, by walkthrough — and to confirm that the framework's claims are met by the function's behaviour. Discovering the gap in audit is the most expensive way to discover it.
Both failure modes are preventable. Neither prevents itself. The CFO who builds in periodic governance review, who tests the framework against actual practice, and who escalates the gaps before they become findings is the CFO who keeps the governance functional.
This piece sits inside the CFO in blockchain framework. See also smart contract risk and the on-chain treasury framework. Lorna writes from practice at IMPT. The Verified page records what is and is not published here.
Lorna Mason is CFO of IMPT, Dublin. The verified public record is on the Verified page. Contact: lorna@impt.io