In mainstream media, the blockchain has been celebrated as the solution, celebrated as the digital chain that will link business practices to the future.
But why should GRC professionals care? Is it the ultimate solution? Or are businesses just chaining themselves to new problems?
The GRC Professional got an opportunity to chat with three members of the Forensic and Technology Services team at innovative law firm, Clayton Utz—Director Meg McKechnie and managers Sid Mylavarapu and Shengshi Zhao. In reviewing the developments of blockchain technology, they have been asking themselves critical questions from multiple perspectives - through the lens of investigation, regulation, and risk. All three will be presenting at the GRC Institute’s up-coming Investigating Blockchain event that will look at what the blockchain could mean for GRC going forward.
Clayton Utz is the first law firm to have a practice group that involves forensic accounting, forensic investigation, forensic technology and forensic transactions. This allows the firm to bring a different focus through a multidisciplinary approach from a team comprised of accountants, lawyers, data scientists, and actuaries, just to name a few.
McKechnie herself is a forensic accountant. She has worked in the ‘big four’ environment, as well as with enforcement teams for the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA).
Sid Mylavarapu is a lawyer and investigator by trade who has also spent time in the public sector, including the Australian Tax Office (ATO) and ASIC. His roles have focused largely on enforcement and investigation.
Shengshi Zhao has an actuary background, as well as a law degree. She has spent the past few years working in the area of legal technology. Zhao has always been passionate about bringing data science and law together and thus for her, Clayton Utz provides the ideal integrated space.
Why is blockchain important?
MM: It’s a new technology and we’re a team who uses technology-based tools to support our clients' needs. We’re interested in innovation and constantly seeking new ways to go about our business. Primarily, that involves an investigation focus with a risk part to that.
The media have been focusing on how blockchain works and all the benefits of this technology.
However, as an investigator, my natural thinking leads me to ask the question "What would happen if that technology was in place - how would I investigate that? How would I get the data? Which then leads on to considering ‘If I was investigating it and there was misconduct, how does that misconduct occur?’ There has to be a breakdown in internal controls, and that led us to thinking 'we need to look at this - one day it is going to impact our work'.
One day, there is going to be a ledger system being used to record transactions, and so we started thinking, ‘Let’s look at that and let’s see how we can help clients in that way’. That’s how it came about.
SM: For me, having been in government, especially at ASIC, there is a lot in terms of regulation that can be done in this space. I guess it’s more about the regulatory landscape and how the regulators will react to a new technology. Essentially, it’s about how can we foster that—that is, how we can foster innovation while at the same time making sure there is a framework in place.
SZ: I think the only thing I want to add is that, at this point in time, we just can’t overlook any new piece of technology. For example, the Cloud was a kind of the buzzword before, and now there are a lot of applications in the Cloud. Before that, it was mobile technology, and certainly, there are now many mobile applications. So, I guess the blockchain is really the next new technology we need to understand and analyse.
Why is it important to risk and compliance professionals?
MM: It’s important because it is another way that a business records information—especially considering the recording of information still has to comply with the legal framework or the regulatory framework. So, it’s important to risk and compliance professionals to ensure it integrates with the whole of the business. That’s it in a nutshell. It’s just another system that needs to integrate and comply.
So, it’s about looking at the privacy frameworks for all those different things?
MM: All regulatory frameworks. Sometimes there is a ‘flavour’ out there—you know, that the blockchain solves all these problems. But at the end of the day, it solves problems, many problems, but it also creates new risks. You need to understand where it fits and what these new risks are. And then there are still some of the same risks, as well.
Could you provide a quick example of what these new risks might be?
SZ: I think that one would be the lack of standards at the moment. People haven’t fully appreciated how the technology works. All the organisations are doing the ISO certification, but there is no standard stipulated in the ISO syndicated standards. So, there are a lot of cyber-risk concerns and a general lack of standardisation. What do you call a piece of technology like the blockchain? What defines it?
SM: Just going on from what Shengshi is saying about this lack of specificity over what constitutes a blockchain, there is a real issue posed from a regulatory perspective. There is a great deal of regulatory risk because the technology itself has not yet been settled, how will it be regulated in different jurisdictions, if at all?
Potentially, blockchain solutions can include participants from across the world. If it’s regulated differently in different jurisdictions, then how do we begin to reconcile that? It will certainly be an interesting space to see what happens!
That brings us to the question of the blockchain being a ‘catch-all’ solution. I remember Blythe Master at the ASIC conference saying, ‘Oh wow, this could be the future of reporting’ and how it might make things cheaper. Similarly, Nick Giurietto from ADCA said that, when we are talking in the digital identity context, the blockchain has to be the centre of digital identity. I guess I was interested to know what could go wrong.
MM: Well, there is the obvious one—and that is, of course, having everything in one place. I mean, if somebody stole your identity, then they have everything. If your identity is spread across various places, however, it makes it harder. People who steal identities can still pull together the various components, but if you have a centralised system, then the potential always exists for someone to take your key and go with it.
Of course, there are advantages, as well. So again, it comes down to the controls put in place around it.
SZ: Government systems can be hacked as well—MyGov data, for example. It really comes down to how you balance the risk, which is why we just need to have a think about what risks there are and what’s appropriate in managing this new technology.
MM: Which is why it is important to have these conversations with people in the risk area. Nobody knows all the answers. What it will come down to is continuing to have the conversation, because the more people talk about it, the quicker the solutions will come.
For more information
Join Meg, Shengshi,and Sid to continue the conversation on the blockchain technology - assessing how the technology will impact your business from the perspective of regulation and risk, and examine some of the common misunderstandings of blockchain technology.
The seminar will be held on Wednesday 1 August. To join the discussion, please register to attend the GRC Institute’s Investigating Blockchain event.