
Manny Khan outlines custody, governance, and architecture decisions that must come before tools. A practical risk framework for businesses entering digital assets.
BitGo Deputy CISO Manny Khan has published a framework in Forbes arguing that most businesses entering the digital asset economy start with tools instead of building the right foundation. His central claim is that the sequence of decisions matters more than the technology itself. The framework rests on three pillars: custody, governance, and architecture decisions tailored to each business model.
Khan stresses that organizations must honestly assess whether they are ready to hold digital assets internally. Handing this responsibility to an IT team without proper preparation can lead to irreversible losses. History has shown that preventable mistakes in this area carry serious consequences.
For businesses handling meaningful value, partnering with a regulated, institutional-grade provider may be more appropriate. This does not mean all companies should follow the same path. Each organization must weigh its internal maturity against external options realistically. Security and control are not mutually exclusive. Achieving both requires the right fiduciary relationships.
A clear custody policy defined before any transaction reduces the chance of misallocation or theft. Companies should categorize digital assets by usage and liquidity profiles. Forcing all use cases into one mold typically increases risk rather than reducing it.
Wallet architecture decisions should be driven by purpose, not convention. Hot wallets suit speed and operational availability. Cold wallets prioritize long-term asset protection. Neither option is universally superior. The right choice depends entirely on liquidity needs and intended usage.
Multi-sig and MPC technologies carry real operational consequences. They affect accountability, transparency, and resilience across the organization. A trading firm has different liquidity needs than a corporate treasury function. A fintech business requires secure API integration. A B2B2B provider may need shared-control models. Architecture decisions should always work backward from the customer profile and operating model.
Starting with tools before establishing a governance framework amplifies exposure. Silos between compliance, security, finance, and operations create misalignment and increase the chance of a preventable loss. Treating digital asset readiness as a simple infrastructure project misses the real challenge entirely.
Governance must be established before a company begins transacting in digital assets. Khan's framework covers people, process, and technology, with disciplined vigilance at the center. Teams need a clear understanding of the stakes involved at every level. Processes must define approvals, controls, and accountability from the start.
Not every company requires the same level of urgency. Businesses operating locally or within narrow geographic footprints may not need immediate action. Cross-border activity and settlement friction are pushing global companies in this direction. Any digital asset held on a balance sheet – Bitcoin, Ethereum, tokenized securities, or stablecoins – is exposed if custody and governance are not aligned with the business model.
A company that first defines its custody provider, then its wallet architecture, then its governance controls is following the correct sequence. A company that buys a hardware wallet or signs up for an exchange before setting internal approval processes is following the backwards path Khan describes. The difference shows up in audit readiness and incident response speed.
For traders and risk managers evaluating counterparty exposure, the framework offers a checklist:
If the answer to these questions is unclear, the counterparty carries unmeasured operational risk.
For related context on digital asset market structure, see AlphaScala's analysis "Kraken's $507m Quarter Shows Derivatives Dependence Risk" and the broader crypto market analysis. The same custody and governance principles apply whether the business is an exchange, a treasury, or a fintech app.
Leaders must approach this space with clear eyes, sound controls, and architectures that fit their specific business. The cost of getting the sequence wrong is not a theoretical loss. It is the difference between a recoverable incident and an irreversible one.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.