Part 3 in the “Deloitte Blockchain Adoption” series
Risk practitioners across industries are excited about blockchain’s potential to help organizations manage risks posed by current systems. However, organizations should understand that while blockchain may drive efficiency in business processes and mitigate certain existing risks, it poses new risks broadly classified under three categories: common risks, value transfer risks, and smart contract risks.
Common risks
Blockchain technology exposes institutions to risks similar to those associated with current business processes—such as strategic, regulatory, and supplier risks—but introduces nuances for which entities need to account. Organizations that adopt blockchain should evaluate both the participating entities and the underlying platform; the choice of the latter could pose limitations on the services or products delivered, both now and in the future. From an infrastructure perspective, blockchain technology is part of the enterprise’s core, so it should integrate seamlessly with back-end legacy systems. Additionally, firms may be exposed to third-party risks, as some of the technology might be sourced from external vendors. For example, the typical risks of cloud implementation apply in cases where cloud-based infrastructure is part of the underlying technology for blockchain.
Value transfer risks
Because blockchain enables peer-to-peer transfer of value, the interacting parties should protect themselves against risks previously managed by central intermediaries. In the case of a blockchain framework, evaluate the choice of the protocol used to achieve consensus among participant nodes in the context of the framework, the use case, and network participant requirements. While the consensus protocol immutably seals a blockchain ledger, and no corruption of past transactions is possible, it remains susceptible to private key theft and the takeover of assets associated with public addresses. For example, if there is fraud on the value-transfer network, and a malicious actor takes over a noncompliant entity, then that actor can transfer and siphon value off of the network.
Smart contract risks
Smart contracts can encode complex business, financial, and legal arrangements on the blockchain, so there is risk associated with the one-to-one mapping of these arrangements from the physical to the digital framework. Additionally, cyber risks increase as smart contracts rely on “oracles” (data from outside entities) to trigger contract execution. Smart contracts apply consistently to all participant nodes across the network; they should be capable of exception handling that adheres to business and legal arrangements and complies with regulations. Like other software code, smart contracts require robust testing and adequate controls to mitigate potential risks to blockchain-based business processes. For example, smart contracts allow for straight-through processing (contractual clauses may be made partially or fully self-executing, self-enforcing, or both) as they directly interact with other smart contracts. One corrupted smart contract could cause a chain reaction that paralyzes the network.
The successful adoption of any new technology is dependent on the appropriate management of the associated risks. This is especially true when that technology is part of the organization’s core infrastructure, as is the case with blockchain. Additionally, it’s important to understand the evolution of regulatory guidance and its implications. For example, the Financial Industry Regulatory Authority has shared operational and regulatory considerations for developing use cases within capital markets. Organizations should work to address these regulatory requirements in their blockchain-based business models and establish a robust risk-management strategy, governance, and controls framework.
The final blog in this series will explore the global impact and expected time frame for adoption across different regions, with a few suggestions for devising your own strategy.
Contact David Mapgaonkar at dmapgaonkar@deloitte.com. Contact Prakash Santhana at psanthana@deloitte.com.
This article originally appeared on Deloitte Insights and is republished by permission.