Author: Kevin Spiers: Head of Professional Services |
The benefits of using technology to manage third-party risk are not lost on compliance professionals. When you consider the growing size, complexity and geographic diversity of companies’ third-party ecosystems, it’s easy to see why. 60% of organizations now work with more than 1,000 third parties and managing the risks of doing business with them is both costly and cumbersome.
Big data, AI, robotic process automation and machine learning are just some of the technologies compliance teams are using to rise to the challenge. But there’s another much-feted kid on the block that’s causing quite a stir: blockchain.
Described by Bill Gates as a “technological tour de force”, blockchain has its origins in cryptocurrency but its application extends far beyond. “Blockchain will be transformational across most industries within five to ten years,” says Gartner.
Here we ask: Is compliance one of the industries that will benefit? And when it comes to third-party risk management, does the reality live up to the hype?
Blockchain: What is it and Where did it Come From?
A blockchain is a digital ledger of transactions that is duplicated and distributed across the entire network of computer systems on the blockchain. Each block in the chain contains a number of transactions, and every time a new transaction is made, a record of that transaction is added to every participant’s ledger. This makes it difficult or impossible to change, hack, or cheat the system, which is one of the aspects that makes it so appealing.
Blockchain was originally implemented as the public ledger for transactions made using bitcoin, the decentralized digital currency. However, since its cryptocurrency beginnings, blockchain has gone on to make its mark in many other industries and in many different ways.
Brad Robertson, the founder and CEO of Polyient Labs, an early-stage blockchain incubator, sums up just how widespread and diverse the uptake of blockchain has been. “Right now, blockchain is being used by a variety of multi-billion-dollar organisations to meet a myriad of needs – everything from marketing and identity protection to supply chain management, cannabis funding and mitigating world hunger.”
So, what’s to stop the compliance sector benefitting, too?
The Blockchain Promise
There’s good reason to believe that blockchain could help resolve some of the biggest challenges posed by third-party risk management. Key benefits include data transparency and immutability, real-time access to data, as well as enhanced security and improved automation of repetitive tasks, ultimately leading to greater efficiencies.
With blockchain, compliance teams would have easy access to up-to-date background information on third parties. Imagine how much time that would save on research, making it quicker and easier to shortlist the right vendor in the first-place.
Exhaustive, time-consuming risk assessment questionnaires would also become a thing of the past. These documents can be several hundred pages long and put a massive strain on resources, arduous for third parties to complete and organisations to administer and verify. Instead of completing one-off assessments, blockchain would make it possible for organisations to track compliance benchmarks on a decentralized ledger in real-time. In fact, all the information required for screening an individual or firm could be held on the blockchain – created once and used many times.
The integrity of the data is another massive plus point. The fact that the data on the blockchain can’t be modified or tampered with, either by external parties or the vendor themselves, means that compliance professionals can put their trust in it. The data, or digital ledger, could also act as a secure, immutable, time-stamped audit trail to evidence compliance activities, all saved in a single place.
Also worthy of attention is blockchain’s ability to execute smart contracts, which promises greater transparency and efficiency for third-party relationships. While traditional contracts are reliant on people and are open to error and interpretation, smart contracts rely on data and data alone. The terms and penalties agreed at the start are clear and accessible to all parties, and the contract is automatically enforced, without the need for a middleman. And because versions of the contract are distributed across the network, there’s no danger of losing it.
For smaller vendors looking to do business with enterprise companies, blockchain could be a game-changer. These firms typically spend thousands of dollars in their quest to meet the exacting compliance requirements of the large enterprises they partner with. Sometimes the cost and effort mean that they’re forced to walk away from more lucrative contracts, says Polyient’s Robertson. The good news is that blockchain could help level the playing field, allowing smaller players to keep up with the big guys. Exhaustive questionnaires, which third parties have to complete every year for every enterprise they work with, would be consigned to history, replaced with a robust digital ledger. Every time there’s a change or an update, say a new security certification earned or new HR policy introduced, this would be updated in the ledger for everyone on the blockchain to see.
Blockchain & Third-Party Risk: The Barriers
Clearly blockchain has a lot going for it, but using a nascent technology isn’t going to be problem-free.
Gartner sees long-term potential in the technology, but in its seven mistakes to avoid in blockchain use, it highlights that most blockchain offerings today are too immature for large-scale production.
While data security is supposedly one of the key benefits of blockchain, the technology isn’t risk-free. One of the most recognized security issues are so-called 51% attacks, which occur when one, or several, malicious entities gains majority control of a blockchain’s nodes. The entity then has the power to both prevent valid transactions from taking place as well as reverse transactions that have already happened on the blockchain.
Speed and scalability are also cited as a problem. Basically, the more people that join the network the slower it becomes. And there’s the skills aspect to think about, too. Robertson says that it wouldn’t be necessary for every member of the compliance team to understand blockchain technology in depth, but project managers and internal developers would need to have specialist knowledge of whichever blockchain their organisation selects as well as any of the chains used by their third parties.
For large enterprises, the biggest challenge is likely to be getting buy-in from the business. According to Robertson, “Enterprises embrace change slowly. For blockchain to gain traction in a large enterprise, a VP-level compliance officer will need to convince the CISO or CFO that blockchain can more cost-effectively manage risk.”
When it comes to smaller organisations, the biggest barrier to adoption is prioritisation. If the average start-up spends $83,000 in compliance costs in the first year, how can it prioritize blockchain above other compliance costs?
What’s Next?
Perhaps it isn’t the panacea many would have us believe, or certainly not yet, but the potential benefits of blockchain for third-party risk management are compelling. What could be more valuable than a single source of truth on your vendors and other third parties that is both up-to-date and accessible in real-time, not to mention an indelible record of all your third-party compliance activity, all saved in one place?
It’s unlikely that we’ll see wholesale adoption of blockchain straight away. But if Gartner and other experts are to be believed, blockchain will be mainstream in the compliance industry in around five years’ time. Between now and then we can expect the various issues and vulnerabilities to be ironed out and addressed, and as more businesses experiment with the technology it is likely that our understanding of its true potential will increase.
In many ways, we have been in this situation before. As Cathy Mulligan, Expert and Fellow, World Economic Forum Blockchain Council, says, we have seen many other technologies such as IOT and mobile telephony, even the Internet itself, go through various iterations before gaining acceptance. “It is useful, therefore, to approach emerging technologies with some depth of thought—not by expecting them to act immediately as a fully functional solution but rather as a lens on the possible.”
And when it comes to blockchain, there’s no denying the possibilities.
