Resilience and risk professionals, particularly those from a non-IT background, need to develop their overall understanding of emerging technologies says Luke Bird, FBCI. How else are they going to be able to fully appreciate the magnitude of risks potentially facing their business? In this article Luke gives a backgrounder on cryptocurrency and blockchain in the context of risk.
Many resilience and risk pros who are less in touch with the world of technology will say, “My IT folks will tell me,” but beyond the ‘techy’ descriptions you’re only ever getting their individual and specialist perspective. Are your IT specialists aware of all the business processes that rely on that technology and in different ways? Or perhaps even the possible impact to customer experience if the technology was lost? Or, how it might impact the long-term leadership strategy as to why they have the technology in the first place?
To help contextualise the risk it is therefore vital for resilience and risk professionals, who face off to a range of senior stakeholders, to have a basic understanding of the technology that has been implemented in their organization.
This article is going to try and look at the incredibly popular but highly confusing world of cryptocurrency and blockchain technology but from a risk lens. However, before that can be done, one needs to try to understand what it is…
And therein lies the challenge. Let’s give it a shot!
Cryptocurrency and non-financial risk
Cryptocurrency is now everywhere you look. It’s in the news; it’s online and your friends and family are probably discussing it and are possibly investing in it.
In a recent article, the European Central Bank reported that the crypto market is now larger than the sub-prime mortgage market was when worth USD 1.3 trillion (before the crash). It’s therefore no surprise that some parts of financial services are beginning to look at how they might get involved.
As resilience and risk professionals, we need to have an awareness of what this is, where it came from and where it’s potentially going. The challenge, as with anything new, is that it’s covered in jargon and mystery!
Where did it come from?
The origins of cryptocurrency, when it was invented, and who it was that made the discovery are still up for some debate. However, it’s original rise in popularity is in no doubt attributed to the creator of a type of cryptocurrency called Bitcoin in 2009, by someone called Satoshi Nakamoto (or rather the software developers using that pseudonym because nobody knows who this person is!).
This is already too complicated for me - what is it? where do I start?
Without going down too deeply down into the rabbit holes of the mechanics behind cryptocurrency and losing you with words like cipher text and asymmetric cryptography (which is an article in its own right). Where should one find the basics?
There are endless streams of books, podcasts, YouTube and academic content online that cover the basics and origins of cryptocurrency right through to highly technical cryptographic detail.
However, a YouTuber by the name of ‘Crypto Casey’ has kindly and clearly put together a 30-minute explanation for anyone wanting to understand the basics, using Bitcoin as an example. She even goes one further to make comparisons to the current global financial system, which for many will help join the dots.
Another very useful and easy to understand article was also published by Forbes in April 2022 which says:
“Cryptocurrencies are likened to a digital form of an asset such as gold, where a perceived store of value is then subject to the laws of supply and demand.”
Supply and demand of the digital asset (in this case Bitcoin, which is essentially a string of numbers and letters that give each Bitcoin a unique identity) requires a secure transaction and record of that transaction but without the involvement of a central party.
How is Bitcoin transferred securely between buyers and sellers?
The clue is in the title – ‘crypto’ currency referring to cryptography, which is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. This is achieved via an exchange of public and private encrypted ‘keys’. Keys are mathematically generated codes, developed in such an overly complicated way that it is virtually impossible to replicate. Once the intended user receives that key it can be used to decrypt the message.
Ultimately, this is only part of the secure process behind transferring ‘coins’. The transaction needs to be recorded on some kind of ledger and this is where Blockchain technology comes in.
Blockchain is ultimately a shared database. Each user has a live copy of the database which can be updated and distributed live, providing the credentials of the user making the change can be verified by the majority of the other users. Blockchain isn’t checking the content being updated but rather the integrity of the user who is doing the updating. This is done using what they call a consensus algorithm. This is achieved via encryption i.e., checking the appropriate combination of public and private encryption keys.
One such widely used blockchain platform that is described as a digital ledger for crypto currency (at the moment at least) is the Ethereum.
You may also have heard of Bitcoin mining. This is essentially those individuals who perform the aforementioned authentication to the ledger (i.e., solving highly complex mathematical puzzles using their computational power) and as such are rewarded with Bitcoin payments.
Why would banks want to get involved in cryptocurrency?
There are a number of reasons why financial services might be looking at cryptocurrency and blockchain. Not least because of its movement and value in the market with the likes of Bitcoin.
Also, the financial market is held up by something called financial market infrastructure. These are central organizations that perform essential functions as part of the financial ecosystem. So, clearing houses and exchanges, for example.
One such use case for blockchain would be that it removes those central bodies for a number of activities which would allow for transactions to be performed in other ways which are potentially more competitive. The access to this data could have major commercial advantages to circumvent a mandatory part of a trade’s journey.
Examples of non-financial risks to consider
Tech, data, and cyber risk – the earlier referenced podcasts talk about how blockchain is really good at authenticating a user and validating a change but not so good at the specific thing being changed. This evolution brings with it new data, hardware, software, and access requirements and with that comes vulnerability and risk.
Climate risk - the possible non-financial risks are much wider than some might consider. For instance, blockchain technology poses some significant climate risk give the sheer amount of computing power it takes. There are plenty of articles out there but this one from the Columbia Climate School talks about how Bitcoin now consumes more electricity in a year than the entire nation of Argentina!
Regulatory risk - there is undoubtedly a growing regulatory focus in this space. In Europe for example, the Markets in Crypto-assets (MiCA) Regulation is currently in the proposal stage and thought to be live in the coming year or two. This represents the significant growth regionally in this space. There is a really good HSBC 10-minute digi-talk podcast on this exact topic. A ‘Dear CEO’ letter came out in March 2022 from the UK Prudential Regulatory Authority (PRA) - Existing or planned exposure to cryptoassets. The letter is a follow up from a high-level positioning letter in 2018 about managing risk in this space. It points to a newly published 40-page focus document from the BoE on Cryptoassets and decentralised finance and more specifically the BoE’s responses from the discussion paper on new forms of digital money. There is so much of content to digest but a few initial observations:
- Greater Focus – a two page letter in 2018 compared to 86 pages of content in 2022 – the PRA is recognising the rapid growth in the space and that banks are beginning to make a meaningful movement.
- Greater risk management - the PRA do not formally endorse crypto assets but where firms do have exposures, they have expectations around risk management and measurement against the existing prudential framework. Banks are expected to take full account of their total risk and adapt existing risk management strategies and risk management systems to suit the varying risk profiles of crypto activities.
- International policy still outstanding – e.g., BCBS are yet to release finalised position on crypto assets which may alter the PRA position in due course.
- Operational risk vs resilience – there is only one mention of resilience specifically in the letter with a greater focus on operational risk as a key area to address. “Operational risks are particularly relevant to certain crypto-related activities. For instance, some activities will expose firms to greater levels of fraud or cyber risks.”
You don’t need to be a technology wizard or an active investor in Bitcoin to appreciate the possible risk here. In essence, you have a new currency that circumvents global financial infrastructure and is rapidly becoming one of the most valuable markets on the planet. How will this now eventually become a risk to your organization?
If you think this is just a banking-world thing, then think again. This is just where it starts. Every organization may soon be utilising crypto assets or distributed ledger technology (blockchain). There are so many use-cases for non-financial sectors. If you listen to the podcasts referenced earlier you will hear a few: from title deeds registers to vulnerable persons logs. This is really scalable so take note!
Luke Bird FBCI CRISC is a global award-winning continuity and resilience professional with 12 years’ experience of risk management in public sector and financial services. He is currently focusing on technology. Read Luke’s blog at https://resiliencerewire.co.uk