A risk advisor point of view on Blockchain

A risk advisor point of view on Blockchain

Jun 14th, 2017

A risk advisor point of view on Blockchain is the result of recent readings in specialized news outlets which boldly stated “… and just hope you jumped on time on the bandwagon as such solutions will likely represent a deadly competitive threat to those who do not have them.”

A risk advisor point of view on Blockchain

Why is that statement so bold and enthusiastic? The idea is indeed extremely enticing:
imagine having solutions capable of replacing many of the most onerous processes in contracts and transactions. For example imagine most transactions’ steps and all intermediaries (entities generally called “writers” and “readers”) would be made unnecessary, without increasing risks for the parties (that’s the promise, as it stands today), using a new solution.

This certainly looks promising and appealing, however like most reader we had our fair share of snake oil technology and felt compelled to present our risk advisor point of view.

We will start by assuming that as candidate early adopter you did your homework and already made sure the solution make sense for your needs. This includes noting that when multiple mutually mistrusting entities want to interact and change the state of a system, and are not willing to agree on an online trusted third party a Blockchain solution could make sense. However, if, for example, the writers all mutually trust each other, meaning they assume no participant is malicious, a database with shared write access is likely the best solution. Furthermore the trade off between decentralization, i.e. the scalability toward a large number of writers without mutual trust, and throughput, i.e. how many state updates a system can handle per time unit has to be considered when making the decision of whether to use a Blockchain system or not.

A risk advisor point of view on Blockchain

The new solution is based on disintermediation and automation between entities (writers/readers) and should cover business areas that are generally slow, have low margin and require lots of resources: it is particularly efficient where many similar steps are required, where writing errors are easily generated, painstaking verification and reconciliation are needed. It is supposed to reduce risks for all parties involved.

The bandwagon has already moved forward and many companies, at this time particularly in the financial sector, show interest in joining this “revolution”. Given the simplifications adoption will bring, benefits and competitive edge will be immense for successful “early” adopters, provided they do not make any missteps.

We have heard lots of opinion on how un-quantifiable the risks are and here is how we would approach a risk assessment for a candidate adopter willing to evaluate their risks.

Risk Assessments

Just like any other new technology or system under consideration for risk assessment we would define the system and derive a success metric (which will give the RA its dimensions). We do that routinely for startups 
Then we would look at the hazards (Hazard Identification), followed by the system’s interdependencies, and finally the consequences of the hazard hits on the system’s elements.

A risk advisor point of view on Blockchain

Below is a short preliminary synopsis of the generalized Blockchain technology in term of risk approach for a candidate adopter. Obviously each venture, business have their peculiarities and intricacies, and therefore we have simplified the the success metric to the core and left out of the interdependencies discussion for the sake of this blogpost discussion which is a risk advisor point of view on Blockchain.

Success criteria: implementing changes (using Blockchain) which have positive and lasting impacts for the adopter in terms of reputation, revenue, leadership. All those impacts can be quantified and then either blended together in a multi-dimensional metric or kept separated to compare them individually, just like we would do for operational risks metrics such as Health and Safety, Environmental damages and Business Interruption.

When looking at Hazard Identification, we can tackle the job for the candidate adopter with Threats-from and Threats-to scenarios:


  • competitors adoption (candidate adopter does not),
  • technology (does not work or is not suited for the task at hand),
  • technology (costs too much to run, to implement),
  • users snob the technology


  • obsolescence (candidate adopter services),
  • lost opportunities (for the candidate adopter),
  • errors and omissions (in candidate adopter jobs),
  • resistance of trained personnel,
  • useless training.

all those scenarios in Threats-from, Threats-to impact the metrics (reputation, revenue, leadership…) in it their own way that is specific to the candidate adopter.

A Supply Chain Management (SCM) constitutes an interesting example of hazard identification as the flow of resources and services to manufacture a given product includes various intermediate storage and process cycles until the final point of consumption. Beside numerous claims made by technology providers about optimized flows and optimal production decisions it remains unclear why Blockchain would be a suitable technical solution in a SCM context. As a matter of fact, for most supply chains management features a single source of truth (a single trusted database) would likely be sufficient, thus excluding the Blockchain solution, while maintaining a certain risk level due to pertinent hazards.

SCM has a inherent interface problem between the digital and the physical world. A human, or a machine controlled by a single writer, is typically required to register that a certain good is delivered at a warehouse, and its quality is compliant. If there is no trust in that record, one can assume a technically compromised situation as data could be supplied by a malicious writer (hazards). If, in the opposite case, writers are all trusted, a Blockchain is not needed as a regular database with shared write access can be used instead. However if through some technical means, the connection between the digital and physical world could be realized in a secure manner, then the previous reasoning might change (hazards, hence risk reduction).

There are more examples but the supply chain is sufficient to show how absurd or misused the Blockchain technique could be, like for any other innovation.

Some of those hazard impacts (or consequences) paired with their likelihood might be above the candidate adopter’s risk tolerance criteria. Obviously, as we are dealing with new technologies, the uncertainties range are wide on both the likelihood and consequences and should be explicitly included in the analyses.

We can then look at the effect of possible mitigations on each scenario to interpret which risks are strategic. A strategic risk is a risk that remains above the tolerance threshold even if unlimited funds are devoted to its mitigation, in the realm of credibility (above say a probability of 10-5 to 10-6). When confronted with strategic risks candidate adopters have to decide to exit the activity generating that risk or operate a strategic shift.

So, at the end of the day:

  • The risk assessment has to be “cycled” through every phase of the development project, from pre-feasibility to final implementation.
  • It has to include uncertainties and interdependencies (with other aspects of the business that are not going to be directly impacted by the solution).
  • Merging Thick data and big data will help immensely in terms of how the public/users will react and cooperate.


Opportunities, competitive advantage, potential impacts… the words are known, they are always the same and some lure candidate adopters into decisions that can be far from optimal for them.
Thus a risk advisor point of view on Blockchain of course ends with a strong reminder for those companies who consider adoption to evaluate the quantified interdependent risks (upward and downward ones).
Only then candidate adopters will know if the neighbour grass (i.e. the Blockchain solution) is really greener.

Using best practices, it is possible for any company to prioritize business areas in terms of risk and opportunities generated by early adoption, like it is done for other more known/usual technologies and then compare plans to maximize RoI while controlling (mitigating) risks.
The difference with known/usual technologies is the range of uncertainties on the likelihood and consequences. That is not a reason to alter the approach.

Tagged with: , , , , , , , , , , , , , , ,

Category: Consequences, Hazard, Probabilities, Risk analysis

Leave a Reply

Your email address will not be published. Required fields are marked *

Riskope Blog

  • Johari window application in risk management is an exploration of possible corporate application of a therapeutic tool developed back in…
  • Read More

More Info

  • Get in Touch
  • Learn more about our services by contacting us today
  • t +1 604-341-4485
  • +39 347-700-7420

Vancouver Digital Creative Agency Ballistic Arts Media Studios.