Dr. Denise McCurdy, Blockchain Governance Advisor at Grove Gate Consulting, along with Tom Fuhrman, Blockchain & Cybersecurity Consultant at Vector MV, join us in this podcast to discuss the challenges of adopting blockchain from a governance and risk standpoint.
Denise is a blockchain governance advisor who has written a doctoral dissertation on blockchain with a special focus on supply chain and governance. She’s also the VP of blockchain governance for a supply chain and logistics startup.
Tom Fuhrman is a blockchain & cybersecurity consultant who has specialised in cybersecurity consulting for the last 25 years. Recently he has extended his scope into blockchain consulting, where he focuses on strategy, governance and risk management, and specifically looks at the intersections between blockchain and cybersecurity.
What is blockchain?
For Denise, blockchain is a database shared across a network of computers. As a record or block gets added to that database the blocks are chained together. Records on the blockchain are very difficult to change because each block has a hash which refers to the previous block. So, any change of a block requires a change of the entire chain. It is this attribute of blockchain which makes it very secure.
For Tom, blockchain is a shared, continuously updated immutable database. It represents a single source of truth amongst trustless participants. As Tom is a cybersecurity expert he believes that blockchain inherently has two of the three attributes that cybersecurity requires:
- Integrity because of its immutable nature
- Availability because it is distributed
- Confidentiality isn’t something that blockchain has inherently but it can be added with encryption
Tom also reminds us that blockchain exists in two basic design philosophies: public permissionless and private permissioned. Permissionless is most famously known via Bitcoin where anyone can participate at any level. Everything is decentralised and transparent in a trustless environment.
A permissioned blockchain has restricted access. It isn’t as decentralised, and it requires a certain degree of trust.
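The hash linking described at the start of this section can be shown in a few lines. This is an added example, not code from the podcast or its guests; the function names and the shipment records are constructed for illustration. It shows that editing one record breaks the link in the next block, that hiding the edit means rewriting every later block, and that the rewritten chain still disagrees with the copies other participants hold.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder: the first block has no predecessor

def block_hash(block):
    """SHA-256 over the block's record and its reference to the previous block."""
    fields = [block["index"], block["data"], block["prev_hash"]]
    return hashlib.sha256(json.dumps(fields).encode()).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        block = {"index": i, "data": data, "prev_hash": prev}
        prev = block_hash(block)
        chain.append(block)
    return chain

def first_broken_link(chain):
    """Index of the first block whose prev_hash no longer matches, or None."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev:
            return block["index"]
        prev = block_hash(block)
    return None

def relink_from(chain, start):
    """Recompute every prev_hash after `start`: the rework an edit forces."""
    for i in range(start + 1, len(chain)):
        chain[i]["prev_hash"] = block_hash(chain[i - 1])
    return len(chain) - (start + 1)  # number of blocks that had to be rewritten

# Constructed sample records (shipment events), not data from the podcast.
RECORDS = ["PO-1001 issued", "PO-1001 shipped",
           "PO-1001 customs cleared", "PO-1001 delivered"]

def demo():
    chain = build_chain(RECORDS)
    honest_tip = block_hash(chain[-1])       # the value other participants also hold
    chain[1]["data"] = "PO-1001 shipped (qty altered)"
    detected_at = first_broken_link(chain)   # block 2 still points at block 1's old hash
    rewritten = relink_from(chain, 1)        # blocks 2 and 3 must be redone
    consistent = first_broken_link(chain) is None
    tip_matches_peers = block_hash(chain[-1]) == honest_tip
    return detected_at, rewritten, consistent, tip_matches_peers
```

Calling `demo()` reports where the edit is detected, how many later blocks had to be rewritten to hide it, and that the final hash no longer matches the one held by other copies of the ledger.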
What is governance and its impact on blockchain and its members?
Governance is about agreeing upfront the rules and the processes and what to do when things go wrong. It’s a system of rules that helps govern an ecosystem of players in how they can interact.
Whilst working on her dissertation, Denise started to interview supply chain business people who were trying to deploy a blockchain solution. During her interviews she kept hearing that the problem isn’t the technology but a real lack of clarity around how firms need to work together, much more closely than they’re used to doing, due to the nature of blockchain. What her interviewees were expressing was the need for a governance framework, or playbook.
Blockchain impacts its members because they now have to share business processes, confidential information and intellectual property. It’s akin to them having to expose the underbelly of their organisation in ways that they haven’t had to do before.
This closeness of sharing sometimes blurs the lines, in their eyes, of where their company ends and another begins. This is a cultural shift which many companies are not used to.
For Denise, one of the key governance challenges is understanding the amount of change that people and firms are going to have to make.
Collaborative governance as a key mechanism to removing obstacles
Collaborative governance is a particular type of governance that, in Denise’s view, is quite well suited for blockchain, as it addresses many of the common issues at the beginning of a blockchain project, such as information asymmetry, incentives, and the prehistory of cooperation or conflict among members.
These are starting conditions that have to be addressed at the very beginning. This then flows into an agreement on how to make decisions, what is equitable, how is trust maintained and what is the shared understanding of good governance. With good collaborative governance you can avoid a lot of the pitfalls that usually come out later.
There are a number of design principles that need to be looked at when building a governance structure. One is the need to give a node to an agnostic party. In the case of the MOBI consortium, that fell to MIT. Another design principle is who gets to vote and what happens under special circumstances. For example, when one voting firm acquires another voting firm, do they get a majority?
Consortiums: set up as a for-profit company or not-for-profit?
According to Tom, there are two points that come to mind when looking at the implications of a for-profit versus not-for-profit consortium:
- Membership in the governance body. In a for-profit consortium there could be a need or desire to restrict the membership or set up different classes of membership with different authorities and voting rights.
- Intellectual property. Intellectual property rights may be easier to manage in a for-profit entity that was created by investment from stakeholders.
Ecosystems as a form of competitive advantage
Supplier excellence leads to competitive advantage. Firms who do this well are known to be good at what they do as it means that their up and downstream suppliers are faster, better, less expensive, etc, with the firm reaping the benefits of that operational excellence.
Denise explains that there are some schools of thought that believe that pods of ecosystems can become more competitive than other pods. That’s because members within a blockchain ecosystem have access to new customers and have the ability to monetize stranded assets.
What makes good governance?
Enterprises that have done a good job in implementing effective governance are the ones that have been very clear in expressing what Denise calls WIFM (What’s in it for me). Every player within an ecosystem needs to be able to get something out of it. Governance needs to be transparent, and there need to be mechanisms in place to hold entities accountable.
Is blockchain a plug and play technology?
In Tom’s opinion whilst blockchain has clearly improved and matured over the years it hasn’t reached a level equal to a plug and play technology. Blockchain platforms such as Hedera Hashgraph, Hyperledger Fabric, Ethereum, Corda, EOSIO and others now have large development communities as part of their ecosystem with many tools for implementing solutions. These are big steps forward.
Now there are a number of companies such as IBM, T-Systems, Amazon, Microsoft and many more offering blockchain as a service which helps organisations jumpstart blockchain implementation.
But blockchain is a complicated technology to implement as an enterprise-grade software system. A blockchain that implements a business model usually depends on a range of external components, such as external data storage and resources like oracles and notaries. Architectures can get pretty complicated, and smart contracts too. However, once these complexities are ironed out and put under the hood, future blockchain implementations can adopt those learnings and build on that baseline.
Main risks associated with blockchain platform
For Tom, the categories of risk are the same as for other IT systems but they all have a blockchain flavour. These include:
- Technology risk – risk that something could go wrong with the platform that affects the organization’s ability to function. This can be due to a programming error or an implementation error.
- Cybersecurity risk – risk that a cyber-attack on a blockchain could disrupt an organization’s operations.
- Liability risk – risk associated with the liabilities of distributed peer-to-peer data sharing and processing.
- Data privacy risk – risk that personal data protected by law or regulation, protected health information, proprietary corporate data, or other sensitive data could be compromised.
- Compliance risk – risk that a blockchain-enabled operation could violate compliance requirements (e.g., anti-money laundering in cross-border payments).
Tom believes there needs to be more maturity in understanding the risks. There needs to be a formal way to manage the risk at the enterprise level and to add blockchain risks to the enterprise risk register. The problem is that many companies don’t have an enterprise risk register that identifies the main risk categories and what to do about them.
Tom would advise companies to identify the perils specifically associated with blockchain and to map them into the above categories. They should then ask themselves the following questions:
- What is the likelihood and impact of those perils?
- What if they happened?
- What impact would it have financially or otherwise?
- What is the chance of it happening?
One way to mitigate those risks is to consider risk transfer through insurance, including general liability policies, directors’ and officers’ policies, and cyber policies.