How GRC programs can best leverage blockchain technology

Originally designed for cryptocurrency transport, the blockchain has become of major interest to the business world for its distributed ledger that promises trust and transparency in transactions between multiple parties. Companies are taking advantage of the immutable characteristics of blockchain technology to create a set of internal controls and greater visibility.

Governments, too, are showing interest. In the UK, the Parliament recently introduced a bill that would see all official documents relating to the UK’s £1.3 trillion trade industry digitized and stored on the blockchain, in an effort to lessen its reliance on paper. If passed, the UK could be the first major economy to “go paperless” with its bureaucratic process.

From a Governance, Risk and Compliance (GRC) perspective, the implementation of blockchain technology presents an unprecedented opportunity for multiple business units within an enterprise or multiple organizations to work together, securely sharing data to build trust and transparency.

Third-Party identity management and promotion of ESG principles 

Blockchain promotes transparency. Companies can leverage it to create visibility around third-party identity management. The permissioned blockchain can empower the GRC solution by allowing third parties to submit relevant data – viewable by all participants – which may include applicable certifications and fourth-party transactions.

This ensures that organizations working with third parties can trust the complete partnership chain. For example, this can address scenarios where big fashion houses have visibility only until third parties but have partnerships with fourth parties that are manufacturing products from a sweatshop located in a developing country.

Using blockchain-based GRC solutions, organizations will have more confidence to onboard third parties that meet GRC guidance. For example, if an ESG program specifies working only with third parties that meet a set of standards like, a low-carbon footprint or good work ethics, the blockchain will clearly show "for the record" which parties a company can work with to enforce its principles.

A successful GRC program must first establish these standards of certification. Third-party information is stored according to enterprise requirements. To have this information transparently made available to a group of enterprises, it must be added to the permissioned blockchain. Third parties should be ready to share information like certifications, associations, fourth-party connections, and other aspects within the supply chain network.

Part of the GRC strategy for the implementation of blockchain will also mean standardizing input of the above information. It will be essential to identify the drivers that will encourage third parties to share this information transparently.

Challenges to standardization

With the rise of Decentralized Autonomous Organizations (DAO), enterprises should be open about having partnerships with third parties running their business using DAO principles where blockchain, AI, and IoT intersect. Another area where enterprises will gradually adopt is a collaboration with philanthropy DAOs for charities, where there is a concurrent risk of money getting injected from illegitimate sources. Both need GRC programs to be robust in risk identification and must have the right controls in place to ensure minimum impact while working with the third- and fourth-party ecosystem.

Now, blockchain is a decentralized environment with limited administration and governance as to how the technology should be leveraged using best practices. Every organization has its way of managing its blockchain stack. Because blockchain is not an interconnected technology, communication between blockchains can be complex.

Blockchain technology is not without data security issues. Faulty implementation can allow hackers to intercept data and reroute it from its intended destination. Participants face risk outside the system, too: Hackers can phish for a user's blockchain credentials (their "key") with a simple convincing email, thus gaining outsider access to the network.

The core business logic is written in the piece of code called Smart Contracts and may have unintended programming errors, and loopholes that hackers can exploit to bypass the system checks. This is where a strong GRC program should consider auditing smart contracts to minimize the risk created by these digital contracts.

As standards evolve, risk professionals will continue to query how best to manage GRC programs running on the products and platforms powered by the blockchain, so they comply with laws. With the right framework, the complexity of intentional governance design can be simplified and mapped over the technology. Regulation of risk will be the leading consideration for blockchain adoption as businesses seek new ways to meet increasing organizational demands.

Prasad Sabbineni

---

Prasad Sabbineni is the co-CEO of MetricStream.