20 February 2023
Originally designed to carry cryptocurrency transactions, the blockchain has become of great interest to the business community for its distributed ledger, which promises trust and transparency in transactions between multiple parties. Businesses leverage the immutable properties of blockchain technology to create a set of internal controls and greater visibility.
Governments are also showing interest. In the UK, parliament recently introduced a bill that would see all official documents relating to the UK’s £1.3 trillion trading industry digitized and stored on the blockchain, in a bid to reduce reliance on paper. If passed, the UK could become the first major economy to “go paperless” with its bureaucratic process.
From a GRC (Governance, Risk and Compliance) perspective, the implementation of blockchain technology presents an unprecedented opportunity for multiple business units within a company or multiple organizations to work together and share data securely to build trust and transparency.
Third party identity management and promotion of ESG principles
Blockchain promotes transparency. Companies can use it to create visibility around third-party identity management. The permissioned blockchain can strengthen the GRC solution by allowing third parties to submit relevant data – visible to all participants – which may include applicable certifications and fourth-party transactions.
This ensures that organizations working with third parties can trust the entire partnership chain. It can, for example, address scenarios where large fashion houses only have visibility of their third parties, but those third parties in turn have partnerships with fourth parties who produce products in a sweatshop in a developing country.
By using blockchain-based GRC solutions, organizations will have more confidence in bringing in third parties that meet the GRC guidance. For example, if an ESG program specifies only working with third parties that meet a set of standards such as a low carbon footprint or good work ethics, the blockchain will clearly show “for the record” which parties a company can work with to enforce its principles.
A successful GRC program must first establish these certification standards. Third-party information is stored in accordance with the company’s requirements. To make this information transparently available to a group of companies, it must be added to the permissioned blockchain. Third parties should be ready to share information such as certifications, associations, fourth-party connections and other aspects within the supply chain network.
Part of the GRC strategy for implementing blockchain will also mean standardizing the input of the above information. It will be important to identify the drivers that will encourage third parties to share this information in a transparent manner.
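The three properties the preceding paragraphs rely on (only registered participants may write, every submission follows a standardized record format, and recorded certifications cannot be altered after the fact without detection) can be shown in a few dozen lines. The following is an added illustration, not code from the article or from any blockchain product; the participant names, the required fields and the sample certification records are constructed assumptions, and a real permissioned ledger would add consensus and signatures on top of the hash chain shown here.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standardized input schema for third-party submissions (assumption: the
# article asks for standardization but does not name the fields).
REQUIRED_FIELDS = {"third_party", "certification", "issuer", "valid_until"}


@dataclass
class Block:
    index: int
    submitter: str
    record: Dict[str, str]
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so every participant hashes identical bytes.
        payload = json.dumps(
            {"index": self.index, "submitter": self.submitter,
             "record": self.record, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class PermissionedLedger:
    """Append-only, hash-chained ledger writable only by registered participants."""

    def __init__(self, participants: List[str]):
        self.participants = set(participants)
        genesis = Block(0, "genesis", {}, "0" * 64)
        genesis.hash = genesis.compute_hash()
        self.chain: List[Block] = [genesis]

    def submit(self, submitter: str, record: Dict[str, str]) -> Block:
        # Permission check: outsiders cannot write to the shared record.
        if submitter not in self.participants:
            raise PermissionError(f"{submitter} is not a registered participant")
        # Schema check: enforce the standardized input format.
        missing = REQUIRED_FIELDS - set(record)
        if missing:
            raise ValueError(f"record missing standardized fields: {sorted(missing)}")
        block = Block(len(self.chain), submitter, dict(record), self.chain[-1].hash)
        block.hash = block.compute_hash()
        self.chain.append(block)
        return block

    def verify(self) -> Optional[int]:
        """Index of the first block whose contents or linkage no longer match, or None if intact."""
        for i, block in enumerate(self.chain):
            if block.hash != block.compute_hash():
                return i
            if i > 0 and block.prev_hash != self.chain[i - 1].hash:
                return i
        return None

    def certifications_for(self, third_party: str) -> List[Dict[str, str]]:
        # Every participant can read the full history for a given third party.
        return [b.record for b in self.chain[1:] if b.record["third_party"] == third_party]


def demo() -> dict:
    # Constructed sample participants and certification records.
    ledger = PermissionedLedger(["FashionHouseA", "SupplierB", "AuditorC"])
    ledger.submit("SupplierB", {"third_party": "SupplierB", "certification": "LowCarbon-2023",
                                "issuer": "AuditorC", "valid_until": "2024-12-31"})
    ledger.submit("SupplierB", {"third_party": "SupplierB", "certification": "FairLabour",
                                "issuer": "AuditorC", "valid_until": "2025-06-30",
                                "fourth_party": "MillD"})  # fourth-party connection disclosed
    results = {"intact_before": ledger.verify(),
               "cert_count": len(ledger.certifications_for("SupplierB"))}
    try:
        ledger.submit("Outsider", {"third_party": "Outsider", "certification": "X",
                                   "issuer": "Y", "valid_until": "2030-01-01"})
        results["outsider_rejected"] = False
    except PermissionError:
        results["outsider_rejected"] = True
    try:
        ledger.submit("SupplierB", {"third_party": "SupplierB"})  # incomplete record
        results["schema_enforced"] = False
    except ValueError:
        results["schema_enforced"] = True
    # Simulate a participant editing a stored certification after the fact.
    ledger.chain[1].record["certification"] = "Platinum"
    results["tamper_detected_at"] = ledger.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

The `verify` pass is what gives the "for the record" property the article describes: because each block's hash covers its record and the previous block's hash, changing an old certification breaks the chain at that block and every participant holding a copy can see exactly where.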
Challenges to standardization
With the rise of decentralized autonomous organizations (DAOs), businesses should be open to partnering with third parties that run their business using DAO principles, where blockchain, AI and IoT intersect. Another area companies will gradually adopt is collaboration with philanthropic DAOs that support charities, which carries the risk of money being injected from illegitimate sources. Both require GRC programs that are robust in risk identification and that have the right controls in place to minimize impact while working with the third-party ecosystem.
Blockchain is a decentralized environment with limited central administration or control over how the technology is used, and few agreed best practices. Each organization manages its own blockchain stack in its own way. Because separate blockchains are not natively interconnected, communication between them can be complex.
Blockchain technology is not without data security issues. Improper implementation can allow hackers to intercept data and redirect it from its intended destination. Participants also face risks outside the system: hackers can phish for a user’s blockchain credentials (their “key”) with a single convincing email, thereby giving outsiders access to the network.
The core business logic is written in code called smart contracts, which can contain unintended programming errors and loopholes that hackers can exploit to bypass the system’s checks. This is why a strong GRC program should consider auditing smart contracts to minimize the risks created by these digital contracts.
As standards evolve, risk professionals will continue to ask how best to manage GRC programs running on blockchain-powered products and platforms so that they comply with laws. With the right framework, the complexity of internal control design can be simplified and mapped across the technology. Regulation of risk will be the leading consideration for blockchain adoption as businesses seek new ways to meet increasing organizational demands.