A new risk matrix for blockchain implementation

The AICPA & CIMA have partnered with ISACA to release a new joint publication that identifies risks organizations should consider when evaluating whether to implement blockchain technology.

In a white paper titled Blockchain Risk: Considerations for Professionals, the ISACA-AICPA & CIMA Joint Blockchain Working Group documents, describes, and provides context around specific risk related to blockchain implementation and operation. The risks are categorized into five key domains — governance, infrastructure, data, key management, and smart contracts. 

“Many enterprises are eager to harness the power of blockchain to transform their businesses or operations,” said Dustin Brewer, ISACA senior director, emerging technology and innovation, and a member of the ISACA-AICPA & CIMA Joint Blockchain Working Group, which focuses on identifying and documenting risk associated with private blockchains.

“While there are great benefits to using blockchain, practitioners should ensure they fully understand all types of risk to avoid potentially exposing their business to vulnerabilities, attack vectors, or other issues before implementing — or even retroactively, if needed.”

Organized as a risk matrix, the publication emphasizes that a broad array of practitioners — from CPAs and IT auditors to cybersecurity professionals and those in management roles — should gain an understanding of blockchain risks, including:

  • Governance/design risk: Lack of protocols for unconfirmed transactions can allow processing of fraudulent transactions that were previously rejected, posing a threat to the network.
  • Infrastructure/protocol management risk: Conditional instructions in protocol or smart contract code can allow infinite loops that put the ongoing operation and integrity of the network at risk.
  • Key management: Creating a key/seed with insufficient entropy can place all future use of the keys for storing and transacting in crypto assets at risk. The keys can be brute-forced or guessed, resulting in a loss of assets.

“It is important for any entity using blockchain technology to understand that there are unique risks in this space, and it is imperative to identify those risks quickly,” said Diana Krupica, CPA, AICPA & CIMA lead manager–Emerging Assurance Technologies, Assurance and Advisory Innovation. “Using a resource such as this risk matrix means entities will be alerted to issues in order to design the necessary processes and controls to mitigate such risks and enable success.”

To download a complimentary copy of Blockchain Risk, visit isaca.org/bookstore/bookstore-wht_papers-digital/whpbrc or future.aicpa.org/resources/download/blockchain-risk-considerations-for-professionals. Additionally, join online discussions around blockchain and other emerging technology topics within the ISACA Emerging Technologies Engage Community.

Jeff Drew (jeff.drew@aicpa-cima.com) is a JofA senior editor.