
What does the future hold for blockchain within third-party risk management?

Is risk and compliance one of the organizational areas that will benefit from the emergence of blockchain? Kevin Spiers looks at blockchain opportunities within third-party risk management and asks whether the reality lives up to the hype.

The benefits of using technology to manage third-party risk are not lost on compliance professionals. When you consider the growing size, complexity and geographic diversity of companies’ third-party ecosystems, it’s easy to see why. 60 percent of organizations now work with more than 1,000 third parties and managing the risks of doing business with them is both costly and cumbersome.

Big data, AI, robotic process automation, and machine learning are just some of the technologies compliance teams are using to rise to the challenge. But there’s another much-feted new kid on the block that’s causing quite a stir: blockchain.

Described by Bill Gates as a “technological tour de force”, blockchain has its origins in cryptocurrency but its application extends far beyond. “Blockchain will be transformational across most industries,” says Gartner.

Blockchain: what is it and where did it come from?

A blockchain is a digital ledger of transactions that is duplicated and distributed across the entire network of computer systems on the blockchain. Each block in the chain contains a number of transactions, and every time a new transaction is made, a record of that transaction is added to every participant’s ledger. This makes it difficult or impossible to change, hack, or cheat the system, which is one of the aspects that makes it so appealing.

Blockchain was originally implemented as the public ledger for transactions made using Bitcoin, the decentralised digital currency. However, since its cryptocurrency beginnings, blockchain has gone on to make its mark in many other industries and in many different ways.

So, what’s to stop the risk and compliance sector benefitting, too?

Third-party risk management: the blockchain advantage

There’s good reason to believe that blockchain could help resolve some of the biggest challenges posed by third-party risk management. Key benefits include data transparency and immutability, real-time access to data, as well as enhanced security and improved automation of repetitive tasks, ultimately leading to greater efficiencies.

With blockchain, compliance teams would have easy access to up-to-date background information on third parties. Imagine how much time that would save on research, making it quicker and easier to shortlist the right vendor in the first place.

Exhaustive, time-consuming risk assessment questionnaires would also become a thing of the past. These documents can be several hundred pages long and put a massive strain on resources: they are arduous for third parties to complete and for organizations to administer and verify. Instead of completing one-off assessments, blockchain would make it possible for organizations to track compliance benchmarks on a decentralised ledger in real-time. In fact, all the information required for screening an individual or firm could be held on the blockchain – created once and used many times.

The integrity of the data is another massive plus point. The fact that the data on the blockchain can’t be modified or tampered with, either by external parties or the vendor themselves, means that compliance professionals can put their trust in it. The data, or digital ledger, could also act as a secure, immutable, time-stamped audit trail to evidence compliance activities, all saved in a single place.

Also worthy of attention is blockchain’s ability to execute smart contracts, which promises greater transparency and efficiency for third-party relationships. While traditional contracts are reliant on people and are open to error and interpretation, smart contracts rely on data and data alone. The terms and penalties agreed at the start are clear and accessible to all parties, and the contract is automatically enforced, without the need for a middleman. And because versions of the contract are distributed across the network, there’s no danger of losing it.

For smaller vendors looking to do business with enterprise companies, blockchain could be a game-changer. These firms typically spend thousands of dollars in their quest to meet the exacting compliance requirements of the large enterprises they partner with. Sometimes the cost and effort mean that they’re forced to walk away from contracts. The good news is that blockchain could help level the playing field, allowing smaller players to keep up with the big guys. Exhaustive questionnaires, which third parties have to complete every year for every enterprise they work with, would be consigned to history, replaced with a robust digital ledger. Every time there’s a change or an update, say a new security certification earned or new HR policy introduced, this would be updated in the ledger for everyone on the blockchain to see.

Blockchain and third-party risk: the barriers

Clearly blockchain has a lot going for it, but using a nascent technology isn’t going to be problem-free.

Gartner sees long-term potential in the technology, but in its seven mistakes to avoid in blockchain use, it highlights that most blockchain offerings today are too immature for large-scale production.

While data security is supposedly one of the key benefits of blockchain, the technology isn’t risk-free. One of the most recognised security issues is the so-called 51 percent attack, which occurs when one or several malicious entities gain majority control of a blockchain’s nodes. The entity then has the power both to prevent valid transactions from taking place and to reverse transactions that have already happened on the blockchain.
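The tamper-evidence claimed for the ledger, and the reason control of the copies matters, can be seen in a minimal hash-chained ledger. This is an added example, not code from the article or from any blockchain product; the record fields, vendor name and function names are constructed, and consensus, signatures and networking are left out, so "majority control" is reduced here to one party holding every copy.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for the first block's predecessor

# Constructed sample records; vendor name and events are illustrative only.
SAMPLE = [
    {"vendor": "ExampleVendor", "event": "questionnaire", "status": "submitted"},
    {"vendor": "ExampleVendor", "event": "security-audit", "status": "failed"},
    {"vendor": "ExampleVendor", "event": "hr-policy", "status": "updated"},
]

def block_hash(prev_hash, record):
    # Hash covers the previous block's hash, so each block commits to all history.
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build(records):
    chain, prev = [], GENESIS
    for rec in records:
        digest = block_hash(prev, rec)
        chain.append({"prev": prev, "record": rec, "hash": digest})
        prev = digest
    return chain

def verify(chain):
    """Return the index of the first inconsistent block, or None if none."""
    prev = GENESIS
    for i, blk in enumerate(chain):
        if blk["prev"] != prev or blk["hash"] != block_hash(prev, blk["record"]):
            return i
        prev = blk["hash"]
    return None

def demo():
    honest = build(SAMPLE)
    peer_head = honest[-1]["hash"]        # head hash held by an independent peer
    edited = copy.deepcopy(honest)
    edited[1]["record"]["status"] = "passed"
    in_place_edit = verify(edited)        # stale hash exposes the edit
    # A party controlling every copy can simply rebuild the chain from the edit.
    rebuilt = build([blk["record"] for blk in edited])
    self_check = verify(rebuilt)          # internally consistent again
    matches_peer = rebuilt[-1]["hash"] == peer_head
    return in_place_edit, self_check, matches_peer

if __name__ == "__main__":
    print(demo())
```

The rebuilt chain passes its own check and is caught only by comparison with the head hash held elsewhere, which is why an audit trail of this kind is only as trustworthy as the independence of the parties keeping copies.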

Speed and scalability are also cited as a problem. Basically, the more people that join the network the slower it becomes. And there’s the skills aspect to think about, too. Robertson says that it wouldn’t be necessary for every member of the compliance team to understand blockchain technology in depth, but project managers and internal developers would need to have specialist knowledge of whichever blockchain their organization selects as well as any of the chains used by their third parties.

For large enterprises, the biggest challenge is likely to be getting buy-in from the business. When it comes to smaller organizations, the biggest barrier to adoption is prioritisation. If the average start-up spends $83,000 in compliance costs in the first year, how can it prioritise blockchain above other compliance costs?

What’s next?

Perhaps it isn’t the panacea many would have us believe, or certainly not yet, but the potential benefits of blockchain for third-party risk management are compelling. What could be more valuable than a single source of truth on your vendors and other third parties that is both up-to-date and accessible in real-time, not to mention an indelible record of all your third-party compliance activity, all saved in one place?

It’s unlikely that we’ll see wholesale adoption of blockchain straight away. But if Gartner and other experts are to be believed, blockchain will be mainstream in the compliance industry in around five years’ time. Between now and then we can expect the various issues and vulnerabilities to be ironed out and addressed, and as more businesses experiment with the technology it is likely that our understanding of its true potential will increase.

When it comes to blockchain, there’s no denying the possibilities.

The author

Kevin Spiers, Head of Professional Services, ethiXbase.


