“Nearly every day,” writes tech journalist Madhurjya Chowdhury, “it seems like we come across more and more applications for blockchain technology. More and more sectors are discovering that the blockchain will either push them to another level or will become their greatest threat.”[1] The World Economic Forum (WEF) staff notes, “New technologies carry potential downsides that need to be identified and managed. This is especially true when that technology is not merely an overlaying application but rather a core part of the organization’s underlying IT infrastructure, as is often the case with blockchain.”[2]
The WEF staff suggests there are a significant number of risks companies should consider before they adopt a blockchain technology solution. They indicate those risks fall into six categories: technology risks; security risks; operational risks; legal & regulatory risks; financial risks; and strategic risks. With so many risks associated with blockchain technology, you might ask, why would a company implement a blockchain technology solution? There is an upside. Deloitte analysts explain, “Risk practitioners across industries are very excited about blockchain’s promise to help organizations minimize — and in some cases eliminate — the risks posed by current systems. Blockchain is being viewed as the foundational technology for the future of risk management.”[3]
Nevertheless, they add, “Blockchain technology will transform business models from a human-based trust model to an algorithm-based trust model, which might expose firms to risks that they have not encountered before. In order to respond to such risks, firms should consider establishing a robust risk management strategy, governance, and controls framework.” Like the WEF staff, they group blockchain risks into several categories: strategic risks; business continuity risks; reputational risks; information security risks; regulatory risks; operations & IT risks; contractual risks; and supplier risks. Below, I have combined the WEF and Deloitte lists for further discussion.
Blockchain Risks
As noted above, there are a number of risks associated with any new technology and blockchain is no exception. Below are some of the risks identified by technology experts of which companies should be aware before implementing any blockchain solution.
TECHNOLOGY RISKS
The WEF staff notes, “Effective development and deployment of blockchain-based solutions require the identification and addressing of a list of technological risks and challenges. The list includes privacy of data and transactions on the blockchain, security risks, performance-related limitations of the underlying blockchain platform, and integration-related issues with other enterprise systems.” Some of those risks are discussed in more detail below.
• Performance-related Risks. Blockchain only works when all stakeholders involved in the blockchain abide by strict protocols. Deloitte analysts add, “Existing policies and procedures will need to be updated to reflect new business processes. Additional technology concerns could include speed, scalability, and interface with legacy systems in implementing the technology.”
• Integration-related Risks. Any new technology risks conflicts with legacy technologies. The WEF staff recommends companies ask a few questions before implementing a blockchain solution: “Will there be integration issues with any mission-critical legacy systems used within the organization? Are there standards available for integration of blockchain applications with enterprise systems? Is there appropriate integration testing at both the participating entities and the blockchain consortium entity? Could lack of common data architecture and data directory lead to enterprise systems feeding misaligned data to the blockchain system?”
SECURITY RISKS
The WEF staff writes, “Like other technology-enabled systems, blockchain systems also need to be assessed for a variety of cyber security risks, such as confidentiality of users, security of private keys that secure access to digital assets, and endpoint protection.”
• Security Risks. Sudhir Pai (@sudhirpai2), Chief Technology Officer for Financial Services at Capgemini, writes, “Blockchain is only as strong as its weakest link. Despite the hails surrounding blockchain’s immutable security, there are still risks surrounding it that organizations must be aware of — and mitigate — prior to implementation.”[4] He adds, “For true security, organizations must focus on the last mile connection between a physical event and the digitized record of this event. If these points of entry to the platform are tampered with, the blockchain is rendered worthless. It is therefore imperative that organizations secure all points of entry, and assess the risks, before they consider deploying blockchain on a broad scale.”
• Data Privacy Risks. More and more governments (national, state, and local) are enacting data privacy regulations that blockchain data could violate. The WEF staff suggests companies ask the following question, “Could flaws in the blockchain-based system design lead to non-compliance with regulations or confidentiality agreements governing data?”
• Information Security Risks. The Deloitte analysts caution, “While blockchain technology provides transaction security, it does not provide account/wallet security. The distributed database and the cryptographically sealed ledger prevents any corruption of data. However, value stored in any account is still susceptible for account takeover. Additionally, there are cyber security risks to the blockchain network if a malicious actor takes over 51 percent of the network nodes for a duration of time, especially in a closed permissioned framework.”
OPERATIONAL RISKS
The WEF staff notes, “Implementation of blockchain-based applications, especially in a consortium of several organizations, is complex and involves addressing a number of operational risk issues such as governance, controls, auditability of blockchain transactions, and proof of assets ownership.”
• Business Continuity Risks. The Deloitte analysts note, “Blockchain technologies are generally resilient due to the redundancy resulting from the distributed nature of the technology. However, the business processes built on blockchains may be vulnerable to technology and operational failures as well as cyberattacks. Firms need to have a robust business continuity plan and governance framework to mitigate such risks.”
• Governance & Controls Risks. When considering governance and control, the WEF recommends companies answer the following questions, “Is the legal entity structure of the blockchain consortium appropriate for tax implications and benefits of the participants? Could decision making within a consortium be suboptimal due to lack of proper structure and processes? Are there appropriate controls to mitigate conflicts stemming from decentralized accountability and shared ownership? Is there a lack of structure and policy in the consortium to onboard new members and accept new use cases? Have the smart contracts been audited to avoid incorrect implementation of business or legal arrangements?”
• Auditability Risks. Big businesses, especially transnational businesses, are under constant scrutiny and companies running afoul of national regulations can be hit with large fines. In order to protect themselves, companies need to ensure their transactions are auditable. The WEF staff recommends companies ask the following questions about auditability: “Is there enough technical experience or capability in conducting IT/technology audit of the blockchain application or platform? Will management and/or auditors be able to obtain information required to support financial statement disclosures? Will management be able to value digital assets in accordance with relevant accounting policies? Is there risk of a ‘hard fork’ of the blockchain to modify past transactions, allow previously disallowed transactions, or bring about other structural changes to the blockchain?”
• Asset Ownership Risks. As the Deloitte analysts noted above, accounts are susceptible to takeover. That is why the WEF staff suggests answering the following questions: “Is there a risk of theft or loss of digital assets because of the irreversible nature of transactions in the blockchain protocol? How is the real-world change of ownership of assets made consistent with the change reflected on-chain? Can real-world identity be adequately confirmed to establish ownership of assets when required? Is there additional complexity due to the potential anonymity of participants on the blockchain protocol? Are adequate industry standards available for designing interoperable blockchain-based tokens?”
LEGAL & REGULATORY RISKS
The WEF staff writes, “Blockchain as a technology may not be regulated, but applications built using blockchain technology will need to adhere to relevant regulations, such as the European Union’s General Data Protection Regulation (GDPR) relating to data protection and privacy. Legal and regulatory risks include uncertainty around cross-jurisdictional regulations, anti-trust violations, smart contract enforceability, anti-money laundering (AML) and know-your-customer (KYC), and intellectual property (IP) protection.”
The Deloitte analysts add, “Currently, across the globe there’s uncertainty around the regulatory requirements related to blockchain applications. Additionally, there may be regulatory risks associated with each use case, the type of participants in the network, and whether the framework allows domestic or cross-border transactions.”
FINANCIAL RISKS
The WEF staff writes, “A common aim of blockchain deployment is to facilitate transfers of value. A variety of financial risks need to be considered while designing such blockchain applications, platforms, and infrastructure, such as potential for financial loss, transaction settlement finality, consortium funding-related risks, and intellectual property protection issues. In addition, there are a number of accounting and reporting challenges that should be considered when depending on blockchain-based applications for financial transactions and for information used in financial reporting.” The Deloitte analysts add, “There will likely be several service-level agreements (SLAs) between participating nodes and the administrator of the network, in addition to SLAs with service providers that will need to be monitored for compliance.”
STRATEGIC RISKS
The WEF staff writes, “Adoption of blockchain technologies and business models is a strategic bet for organizations. It thus entails a range of strategic questions, such as defining the applicable value proposition, brand and reputation management, and handling change management.” The Deloitte analysts agree there is a fair amount of strategic risk involved in implementing a blockchain solution. They explain, “First, firms need to evaluate whether they want to be at the leading edge of adoption or wait to adopt until the technology matures. Each of these options have varying levels of risks to business strategy. Second, given the peer-to-peer nature of this technology, it’s important for entities to determine the right network to participate in, as their business strategy could be impacted by the different entities participating on the chain. Third, the choice of the underlying platform could pose limitations in the services or products that can be delivered via this platform.”
Both the WEF staff and Deloitte analysts discuss reputational risks. The Deloitte staff writes, “Unlike fintech applications, blockchain technology is part of core infrastructure and will have to work seamlessly with legacy infrastructure. Failure to do so could result in poor client experience and regulatory issues.” The WEF staff suggests companies consider the following questions, “Could there be lawsuits from breach of contract, compromise of data, or other incidents if stakeholder expectations aren’t met? Who is responsible for external communications in the consortium? How will credit be attributed for accomplishments of joint efforts within the consortium?”
Concluding Thoughts
The Deloitte analysts conclude, “While the benefits [of blockchain technology] are clear, there are myriad risks that may be imposed by this nascent technology.” Every company needs to weigh the benefits against the risks before they implement any blockchain technology solution. The WEF staff concludes, “You should keep in mind a range of factors, many of which may be organization- or project-specific, to evaluate the risk profile of your project.”
Footnotes
[1] Madhurjya Chowdhury, “Big data and blockchain technology is changing dynamics in 2022,” Analytics Insight, 17 January 2022.
[2] Staff, “Risk Factors,” World Economic Forum.
[3] Prakash Santhana and Abhishek Biswas, “Blockchain risk management,” Deloitte, 2017.
[4] Sudhir Pai, “Is there a weak link in blockchain security?” Help Net Security, 10 June 2019.