Operational risk
8.17 Surface
Operational risk comes from authority custody, decision concentration, external-service continuity, network liveness, and incident-management processes.
| Surface | Technical impact | Public control principle |
|---|---|---|
| Authority custody | Treasury or program authorities are targeted | Multi-approval class and authority separation |
| Decision concentration | Product, economic, or security decisions depend on a narrow operation | Staged governance and public authority-migration record |
| External-service continuity | Document processing, data plane, or chain access is delayed | Queue state, alternative operating rail, and user visibility |
| Network liveness | On-chain settlement is delayed | Ledger commitments and replayable event model |
| Incident management | Response quality affects user experience and trust | Auditable incident trail and versioned disclosure discipline |
8.18 Control model
The public model explains control classes: authority separation, multi-approval, delayed execution, auditable record, post-incident disclosure, and staged governance maturity. Signers, thresholds, tools, alarms, response times, and runbook steps are managed in the internal operations layer.
Social engineering and targeted authority attacks are handled inside the operational-risk class. The technical paper defines the technical surface; implementation details stay inside security operations.
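Added illustration, not the project's code: a minimal model of the control classes named above (authority separation, multi-approval, delayed execution, auditable record, replayable state). Role names, the threshold and the delay are assumed values; real signers, thresholds and tooling belong to the internal operations layer as the text says.

```python
class AuthorityController:
    """Constructed model of the control classes: role separation, approval threshold,
    delayed execution, and an append-only log from which state is replayable."""
    def __init__(self, proposers, approvers, threshold, delay):
        if set(proposers) & set(approvers):
            raise ValueError("authority separation: proposer and approver roles must not overlap")
        if threshold > len(set(approvers)):
            raise ValueError("threshold cannot exceed the number of approvers")
        self.proposers, self.approvers = set(proposers), set(approvers)
        self.threshold, self.delay = threshold, delay
        self.actions = {}  # action_id -> {"proposed_at", "approvals", "executed"}
        self.log = []      # auditable, append-only record of every accepted step

    def _apply(self, event, who, action_id, now):
        """Validate one event against current state, then append it to the log."""
        act = self.actions.get(action_id)
        if event == "propose":
            if who not in self.proposers or act is not None:
                raise PermissionError("not a proposer, or action id already used")
            self.actions[action_id] = {"proposed_at": now, "approvals": set(), "executed": False}
        elif event == "approve":
            if who not in self.approvers or act is None or act["executed"]:
                raise PermissionError("not an approver, or no pending action")
            if who in act["approvals"]:
                raise ValueError("a repeated approval from one signer counts once")
            act["approvals"].add(who)
        elif event == "execute":  # executor is not role-gated; threshold and delay gate it
            if act is None or act["executed"]:
                raise ValueError("no pending action to execute")
            if len(act["approvals"]) < self.threshold:
                raise PermissionError("multi-approval: below threshold")
            if now - act["proposed_at"] < self.delay:
                raise PermissionError("delayed execution: review window not elapsed")
            act["executed"] = True
        else:
            raise ValueError(f"unknown event {event!r}")
        self.log.append((event, who, action_id, now))

    def propose(self, who, action_id, now): self._apply("propose", who, action_id, now)
    def approve(self, who, action_id, now): self._apply("approve", who, action_id, now)
    def execute(self, who, action_id, now): self._apply("execute", who, action_id, now)

    def replay(self):
        """Rebuild state from the log alone (replayable event model); the result
        matches live state exactly when the log is complete and untampered."""
        fresh = AuthorityController(self.proposers, self.approvers, self.threshold, self.delay)
        for event in self.log:
            fresh._apply(*event)
        return fresh.actions == self.actions
```

Rejected steps never reach the log, so the record contains only accepted events and replaying it reproduces the live state.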
8.19 Evolution
As authority-migration steps advance, operational decisions move from the corporate team toward broader governance processes. This transition is tracked through the public record model described in 00 §0.2 and 04 §4.10.