Tech Perspectives

The Reawakening of Blockchain – and Its Impact on Risk Management

A series of large blockchain projects from the like of JPMorgan Chase and the LSEG have recently grabbed headlines, once again placing the spotlight of the risks and potential benefits of this disruptive technology. Exactly how safe and secure is blockchain, and what are its pros and cons for risk managers?

Friday, September 22, 2023

By Aaron Brown


Risk managers involved in cryptocurrencies or niche blockchain applications have had to think about both the positive and negative novel risks of blockchain for 15 years now, but we seem to be entering a period where blockchains will affect everything.

The London Stock Exchange Group (LSEG), JPMorgan Chase, Swift and Visa all announced major blockchain projects within a one-week period in early September. Moreover, a 2023 Citi Global Perspectives & Solutions (GPS) report estimated that up to $5 trillion in blockchain driven central bank digital currencies could be circulating in global economies by 2030, with tokenization of traditional assets potentially skyrocketing to $4 trillion that same year.

So, it now seems as good a time as ever to revisit the pros and cons of blockchain for risk managers. First, though, let’s take a quick look at the most recent initiatives:

These are not newly-initiated ideas, but projects that have been developing quietly for years and are now in late-stage testing or near implementation. Importantly, though, they do represent a revival, of sorts, for blockchain.

From 2017 to 2019, there were many announcements of ambitious blockchain initiatives outside cryptocurrencies to revolutionize sectors like financial settlement, supply-chain management, trading of non-fungible assets, and environmental monitoring. Then things went quiet. Many projects were implemented and run in niche applications, but no revolution occurred, and other projects were dropped.

Most technological innovations develop piecemeal as many different people come up with components, which are individually implemented before someone — usually multiple claimants — assembles them into a revolutionary product. Blockchain is the opposite. It was born fully mature in 2008 with Bitcoin, by a single anonymous person or group.

The recent announcements are not additions to the 2008 idea, but components removed from it to function independently. It’s as if the Wright Brothers had come up with their airplane first, and later people took the engine out to power cars — or copied the wings to make gliders.

The Tokenization Effect

One major blockchain issue is tokenization. In general terms, this is older than history, at least if clay figurines of assets from ancient Mesopotamia were in fact used as trading counters, as many people believe. It’s often easier to trade tokens or paper representing assets than to handle the assets themselves. This is the idea behind gold-backed paper money, common stock and futures contracts.

a2r1W000000x3uDQAQ_Aaron-BrownAaron Brown

In traditional finance, this is more commonly referred to as “securitization,” but the modern idea of tokenization is more specific. Rather than using a clay figurine or piece of paper or ledger entry in a futures clearinghouse, blockchain tokenization refers to using an encoded string to represent ownership. Whoever knows the private key to unlock the encoded string can take possession of the asset, or transfer ownership to whomever she likes.

On the positive side, cryptographic tokenization replaces the sometimes porous security of signatures, passwords, biometric tests and other technologies. It’s mathematically secure and instant.

On the negative side, it’s irreversible. Mistaken transfers cannot be undone; when errors occur, the recipient must be persuaded to return the transferred value. If the private key is forgotten, moreover, ownership is gone forever. If the private key is hacked or accidentally exposed or used by a rogue employee, the value can vanish instantly and untraceably.

The LSEG, JPMorgan Chase and Swift blockchain implementations – along with, probably, most of the large-scale, general blockchain implementations scheduled outside of cryptocurrencies over the next few years – do not allow full tokenization. All of them are managed by central institutions that will retain the ability to reverse transactions, reset forgotten keys and block suspicious transactions – even if they are accompanied by the correct private key.

Moreover, their exchanges will be limited to a trusted pool of users, and asset ownership can always be traced within the pool. Tokenization at the LSEG, JPMorgan Chase and Swift will therefore add a strong extra layer of security, and improve speed and efficiency of verification, without losing the fallback traditional security.

Only the Visa application interacts with fully tokenized cryptocurrency. Vis will control transactions by sender and recipient of funds, but funds in transit will exist only on the Solana and Ethereum blockchain networks, which are interconnected with all crypto.

Risk Advantages and Disadvantages

Until we have a solid handle on cryptocurrency risk management in general, risk managers will have to get comfortable by limiting amounts of funds in transit for limited periods of time.

The other major risk consideration is the blockchain itself. In a conventional centralized relational database, ledgers amount to lists of accounts and balances. There is one golden copy of the ledger that all other applications use to validate data. It is updated by one trusted central authority in one place.

Typically, important financial applications have a built-in audit trail, but this is added on to the ledger, rather than being an inherent part of the database. For applications that don’t have an audit trail, it is physically possible (though still unlikely) for an authorized or malicious or careless user to change data.

A blockchain database, in contrast to databases for other types of financial applications, can exist in multiple places (“distributed ledger”) and be updated anywhere. The updates are propagated to all copies using clever cryptographic schemes to ensure there can be no inconsistencies — like the same funds in one account being spent twice.

Data are never erased; the ledger can only be changed by adding a new block chained to all the older blocks. Consequently, an immutable audit trail is embedded in the blockchain database itself, and no one – regardless of authorization, malice or carelessness – can modify it after the fact.

The blockchain has obvious risk management advantages due to built-in immutable audit trail, cryptographically-guaranteed consistency and faster updates. Changes don’t have to be delivered to a central location to wait in line to be validated and entered.

One non-risk disadvantage is greater expense and complexity to maintain. The main risk disadvantage is the consensus, consistent database exists only as of the last accepted update time — transactions since then are in a state of suspension. (They are like trades that have been submitted but not confirmed.)   

The Bitcoin blockchain is updated every 10 minutes with a one-megabyte block size. Presumably, commercial blockchains will be designed with size and frequency considerations that make them applicable during normal times. Unexpected events, however, could leave the blockchain database in an ambiguous state that disrupts operations.

The same issue exists with conventional centralized relational databases that can be overloaded with transactions, either due to high volume usage or hacks like denial-of-service attacks. However, with a centralized point of congestion, processing remains consistent with these databases – if slowed – under such conditions. (The 1987 stock market crash, when NYSE transactions ran many hours behind, is a good example.)  

The situation is more complex with a blockchain database, since it’s getting updates from many places. A centralized relational database overload is like a major highway intersection being blocked, while a blockchain breakdown is like a weather event that shuts down many airports and potentially leaves airplanes in the air with no place to land within the range of their fuel reserves; the latter would result in great confusion, because some airplanes would not be able to land, some would not be able to take off, and crews and planes would be in different places.

Parting Thoughts

The science-fiction writer Arthur C. Clarke worked on microwave glide-path radar during WWII to help RAF plans forced to land in weather conditions that would ground civilian transport. In one early test, his system tried to land the plane of a skeptical American general in the Atlantic ocean, 200 miles from the airport. While Clarke’s technology was a major safety improvement overall, it did create new kinds of disasters that stood out because they were different from earlier mistakes.

Like microwave glide-path radar, blockchain is a good idea: a clearly useful technological tool that will help risk management, among other fields. But it does create the possibility for new kinds of disasters. Over the next few years, risk managers — even those with no responsibilities in cryptocurrency — will have to prepare for them.

We’ve touched on two major areas of risk, but there are others. So, when a new blockchain does the financial equivalent of drowning a general, be sure you’ve learned enough about the technology to explain the failure and design precautions against repeats.


Aaron Brown worked on Wall Street since the early 1980s as a trader, portfolio manager, head of mortgage securities and risk manager for several global financial institutions. Most recently he served for 10 years as chief risk officer of the large hedge fund AQR Capital Management. He was named the 2011 GARP Risk Manager of the Year. His books on risk management include The Poker Face of Wall Street, Red-Blooded Risk, Financial Risk Management for Dummies and A World of Chance (with Reuven and Gabriel Brenner). He currently teaches finance and mathematics as an adjunct and writes columns for Bloomberg.


BylawsCode of ConductPrivacy NoticeTerms of Use © 2024 Global Association of Risk Professionals