Select Page

A new risk matrix, “Blockchain Risk: Considerations for Professionals,” aims to describe and contextualize several specific risks associated with the implementation and operation of blockchain. It was developed jointly by a working group comprised of the ISACA, the American Institute of Certified Public Accountants (AICPA), and the Chartered Institute of Management Accountants (CIMA).

The matrix is organized under five risk domains—governance, infrastructure, data, key management, and smart contracts—and their relevant subdomains.

“Many enterprises are eager to harness the power of blockchain to transform their businesses or operations,” said Dustin Brewer, ISACA senior director, emerging technology and innovation, in a press release. “While there are great benefits to using blockchain, practitioners should ensure they fully understand all types of risk to avoid potentially exposing their business to vulnerabilities, attack vectors or other issues before implementing—or even retroactively, if needed.”

Below is a brief description of each domain risk, as described in greater detail in the risk matrix:

  • Governance “encompasses blockchain design, including specific parameters, protocols or algorithms, and regulatory and management oversight guidelines or requirements,” according to the risk matrix. An example would be policies and procedures that “include regulatory and management oversight guidelines or requirements of the blockchain.”
  • Infrastructure is “any blockchain functionality or capability independent of a data transaction on the blockchain.” Software vulnerabilities are one example.
  • Data is defined as “off-chain information that is stored or transmitted in a computer-legible format and used to transact or interact on a blockchain network, or on-chain data that are sourced from a blockchain network and treated as a source of truth for a business purpose.” The risk matrix describes seven subcategories of this domain, including data integrity, access rights, blockchain bloat, nonstandard transactions, data output, out-of-range-data, and orphan addresses.
  • Key management describes the “management of public and private keys” and contains 19 different examples of risks posed by keys.
  • Smart contracts are “blockchain networks and other distributed-ledger technology that run virtual machines and decentralized code, and allow for programmatic value transfer and recording of state and other transaction data.” The risk matrix describes four subdomains under this category: governance risk, design risk, external interaction risk, and manipulation/denial of service risk.

“Decisions to implement blockchain technology should be made only after carefully assessing the risk,” the joint working group stated. “If blockchain has already been implemented, enterprises should perform retrospective reviews to identify risk related to governance, infrastructure, data, key management, and smart contracts, as applicable, and surface any control gaps that may jeopardize enterprise objectives.”