Blockchain To Blockchains: Broad Adoption Enters The Realm Of The Possible, Part 3

David Mapgaonkar and Prakash Santhana

Part 3 in the “Deloitte Blockchain Adoption” series

Risk practitioners across industries are excited about blockchain’s potential to help organizations manage risks posed by current systems. However, organizations should understand that while blockchain may drive efficiency in business processes and mitigate certain existing risks, it poses new risks broadly classified under three categories: common risks, value transfer risks, and smart contract risks.

Common risks

Blockchain technology exposes institutions to similar risks associated with current business processes—such as strategic, regulatory, and supplier risks—but introduces nuances for which entities need to account. Organizations that adopt blockchain should evaluate both the participating entities and the underlying platform; the choice of the latter could pose limitations on the services or products delivered, both now and in the future. From an infrastructure perspective, blockchain technology is part of the enterprise’s core, so it should integrate seamlessly with back-end legacy systems. Additionally, firms may be exposed to third-party risks, as some of the technology might be sourced from external vendors. For example, the typical risks of cloud implementation apply here for cases in which cloud-based infrastructure is part of the underlying technology for blockchain.

Value transfer risks

Because blockchain enables peer-to-peer transfer of value, the interacting parties should protect themselves against risks previously managed by central intermediaries. In the case of a blockchain framework, evaluate the choice of the protocol used to achieve consensus among participant nodes in the context of the framework, the use case, and network participant requirements. While the consensus protocol immutably seals a blockchain ledger, and no corruption of past transactions is possible, it remains susceptible to private key theft and the takeover of assets associated with public addresses. For example, if there is fraud on the value-transfer network, and a malicious actor takes over a noncompliant entity, then that actor can transfer and siphon value off of the network.

Smart contract risks

Smart contracts can encode complex business, financial, and legal arrangements on the blockchain, so there is risk associated with the one-to-one mapping of these arrangements from the physical to the digital framework. Additionally, cyber risks increase as smart contracts rely on “oracles” (data from outside entities) to trigger contract execution. Smart contracts apply consistently to all participant nodes across the network; they should be capable of exception handling that adheres to business and legal arrangements and complies with regulations. Like other software code, smart contracts require robust testing and adequate controls to mitigate potential risks to blockchain-based business processes. For example, smart contracts allow for straight-through processing (contractual clauses may be made partially or fully self-executing, self-enforcing, or both) as they directly interact with other smart contracts. One corrupted smart contract could cause a chain reaction that paralyzes the network.

The successful adoption of any new technology is dependent on the appropriate management of the associated risks. This is especially true when that technology is part of the organization’s core infrastructure, as is the case with blockchain. Additionally, it’s important to understand the evolution of regulatory guidance and its implications. For example, the Financial Industry Regulatory Authority has shared operational and regulatory considerations for developing use cases within capital markets. Organizations should work to address these regulatory requirements in their blockchain-based business models and establish a robust risk-management strategy, governance, and controls framework.

The final blog in this series will explore the global impact and expected time frame for adoption across different regions, with a few suggestions for devising your own strategy.


This article originally appeared on Deloitte Insights and is republished by permission.

About David Mapgaonkar

David Mapgaonkar is a principal with Deloitte & Touche LLP's Cyber Risk Services practice. He leads the U.S. Technology, Media & Telecommunications industry for the Cyber Risk Services practice and also leads the Privilege Access Management offering. With more than 18 years of experience, he has been shaped by the opportunity to work with some of the world's most innovative companies. He has led dozens of cyber risk engagements for Fortune 500 clients ranging from strategy to technology implementation to managed services. He has advised and served clients across various industries on cybersecurity-related challenges.

About Prakash Santhana

Prakash Santhana is a managing director in Deloitte Transactions and Business Analytics LLP and leads Payments Risk & Integrity for financial services, retailers, and service providers. He also co-leads the Deloitte blockchain and cryptocurrency community. For more than 20 years, he has worked in the fraud/risk management groups of large credit card issuers and payment startups. He has extensive experience in mitigating fraud across payment types and channels, including mobile and online, and is currently working on a big data/machine learning framework to detect cyber-criminal activities targeting banks and financial institutions. He also focuses on deploying the blockchain infrastructure for entities across different sectors and is the inventor of an "out-of-band" mobile fraud prevention solution to help card-issuers combat non-face-to-face fraud worldwide.