A new risk matrix, “Blockchain Risk: Considerations for Professionals,” aims to describe and contextualize several specific risks associated with the implementation and operation of blockchain. It was developed jointly by a working group composed of ISACA, the American Institute of Certified Public Accountants (AICPA), and the Chartered Institute of Management Accountants (CIMA).
The matrix is organized under five risk domains—governance, infrastructure, data, key management, and smart contracts—and their relevant subdomains.
“Many enterprises are eager to harness the power of blockchain to transform their businesses or operations,” said Dustin Brewer, ISACA senior director, emerging technology and innovation, in a press release. “While there are great benefits to using blockchain, practitioners should ensure they fully understand all types of risk to avoid potentially exposing their business to vulnerabilities, attack vectors or other issues before implementing—or even retroactively, if needed.”
Below is a brief description of each domain risk, as described in greater detail in the risk matrix:
- Governance “encompasses blockchain design, including specific parameters, protocols or algorithms, and regulatory and management oversight guidelines or requirements,” according to the risk matrix. An example would be policies and procedures that “include regulatory and management oversight guidelines or requirements of the blockchain.”
- Infrastructure is “any blockchain functionality or capability independent of a data transaction on the blockchain.” Software vulnerabilities are one example.
- Data is defined as “off-chain information that is stored or transmitted in a computer-legible format and used to transact or interact on a blockchain network, or on-chain data that are sourced