A risk advisor point of view on Blockchain
Jun 14th, 2017
A risk advisor point of view on Blockchain is the result of recent readings in specialized news outlets. Some boldly stated “… and just hope you jumped on time on the bandwagon as such solutions will likely represent a deadly competitive threat to those who do not have them.”
Why is that statement so bold and enthusiastic? The idea is indeed extremely enticing:
imagine having solutions capable of replacing many of the most onerous processes in contracts and transactions. For example imagine most transactions’ steps and all intermediaries. We call those entities “writers” and “readers”. They would be unnecessary, without increasing risks for the parties using the new solution. That’s the promise, as it stands today.
This certainly looks promising and appealing. However, like most readers, we had our fair share of snake oil technology and felt compelled to present our risk adviser point of view.
We will start by assuming that as candidate early adopter you did your homework and already made sure the solution make sense for your needs. This includes noting that when multiple mutually mistrusting entities want to interact and change the state of a system, and are not willing to agree on an online trusted third party, a Blockchain solution could make sense. However, if, for example, the writers all mutually trust each other, meaning they assume no participant is malicious, a database with shared write access is likely the best solution. Furthermore the trade off between decentralization, i.e. the scalability toward a large number of writers without mutual trust, and throughput, i.e. how many state updates a system can handle per time unit has to be considered when making the decision of whether to use a Blockchain system or not.
A risk advisor point of view on Blockchain
The new solution is based on disintermediation and automation between entities, i.e. writers/readers. It should cover business areas that are generally slow, have low margin and require lots of resources. That is particularly efficient in processes with many similar steps, where writing errors generate, requiring painstaking verification and reconciliation. It is supposed to reduce risks for all parties involved.
The bandwagon has already moved forward and many companies, at this time particularly in the financial sector, show interest in joining this “revolution”. Given the simplifications adoption will bring, benefits and competitive edge will be immense for successful “early” adopters, provided they do not make any missteps.
We have heard lots of opinion on how un-quantifiable the risks are and here is how we would approach a risk assessment for a candidate adopter willing to evaluate their risks.
Just like any other new technology or system under consideration for risk assessment we would define the system and derive a success metric (which will give the RA its dimensions). We do that routinely for startups
Then we would look at the hazards (Hazard Identification), followed by the system’s interdependencies, and finally the consequences of the hazard hits on the system’s elements.
Below is a short preliminary synopsis of the generalized Blockchain technology in term of risk approach for a candidate adopter. Obviously each venture, business have their peculiarities and intricacies. Therefore we have simplified the the success metric to the core. We left out the interdependencies discussion for the sake of this blogpost discussion. We present a risk advisor point of view on Blockchain.
Success criteria. Implementing changes (using Blockchain) which have positive and lasting impacts for the adopter in terms of reputation, revenue, leadership. One can quantify all those impacts and then either blend them together in a multi-dimensional metric. Another option is to separate them to compare them individually. That is similar to what we would do for operational risks metrics such as Health and Safety, Environmental damages and Business Interruption.
When looking at Hazard Identification, we can tackle the job for the candidate adopter with Threats-from and Threats-to scenarios:
- competitors adoption (candidate adopter does not),
- technology (inoperable or not suited for the task at hand),
- technology (costs too much to run, to implement),
- users snob the technology
- obsolescence (candidate adopter services),
- lost opportunities (for the candidate adopter),
- errors and omissions (in candidate adopter jobs),
- resistance of trained personnel,
- useless training.
all those scenarios in Threats-from, Threats-to impact the metrics such as reputation, revenue, leadership. Of course that occurs in a way that is specific to the candidate adopter.
A way of looking at Supply Chain Management
A Supply Chain Management (SCM) constitutes an interesting example of hazard identification. Indeed the flow of resources and services to manufacture a given product is complex. It includes various intermediate storage and process cycles until the final point of consumption. It remains unclear why Blockchain would be a suitable technical solution in a SCM context. That despite numerous claims made by technology providers about optimized flows and optimal production decisions. As a matter of fact, for most supply chains management features a single source of truth would likely be sufficient. That would exclude the Blockchain solution, while maintaining a certain risk level due to pertinent hazards.
SCM has a inherent interface problem between the digital and the physical world. One requires a human, or a machine controlled by a single writer to register the delivery of a certain good at a warehouse. Quality compliance follows the same procedure. If there is no trust in that record, one can assume a technically compromised situation. Indeed a malicious writer (hazards) could supply data. If, in the opposite case, writers are all trustworthy, a Blockchain is not needed. One can use a regular database with shared write access. However if through some technical means, one could realize the connection between the digital and physical world in a secure manner, then the previous reasoning might change (hazards, hence risk reduction).
There are more examples but the supply chain is sufficient to show how absurd or misused the Blockchain technique could be, like for any other innovation.
The supply chain is sufficient to show how absurd or misused the Blockchain technique could be
Some of those hazard impacts (or consequences) paired with their likelihood might be above the candidate adopter’s risk tolerance criteria. Obviously, as we are dealing with new technologies, the uncertainties range are wide on both the likelihood and consequences and should be explicitly included in the analyses.
We can then look at the effect of possible mitigations on each scenario to interpret which risks are strategic. A strategic risk is a risk that remains above the tolerance threshold even if unlimited funds are devoted to its mitigation, in the realm of credibility (above say a probability of 10-5 to 10-6). When confronted with strategic risks candidate adopters have to decide to exit the activity generating that risk or operate a strategic shift.
So, at the end of the day:
- One has to cyce the risk assessment through every phase of the development project, from pre-feasibility to final implementation.
- It has to include uncertainties and interdependencies. The have to cover other aspects of the business that are independent from the solution.
- Merging Thick data and big data will help immensely in terms of how the public/users will react and cooperate.
Opportunities, competitive advantage, potential impacts. Indeed we all know those words. They are always the same and some lure candidate adopters into decisions that can be far from optimal for them.
Thus a risk advisor point of view on Blockchain of course ends with a strong reminder. Those companies who consider adoption should evaluate the quantified interdependent risks (upward and downward ones).
Only then candidate adopters will know if the neighbour grass (i.e. the Blockchain solution) is really greener.
Using best practices, it is possible for any company to prioritize business areas in terms of risk and opportunities generated by early adoption. That is done for other more known/usual technologies. Then it is possible to compare plans to maximize RoI while controlling (mitigating) risks.
The difference with known/usual technologies is the range of uncertainties on the likelihood and consequences. That is not a reason to alter the approach.
Tagged with: address, bank, block-chain, cryptography, currencies, cyber security, decentralization, digital currency., open source, payment system, privacy, regulation, Satoshi Nakamoto, security, transaction fees, virtual currency
Category: Consequences, Hazard, Probabilities, Risk analysis