Risk Management in Web3
Swish | 13 February, 2023
Web3 from a Risk Manager’s Perspective
Andeed Ma first sets the tone of the webinar by defining Web3, and what this new innovation means from a risk manager’s perspective.
Web3, also known as the ‘semantic web’, has been conceptualised as a potential future internet, granting users greater control over how their personal data is integrated into their user experience. Web3 is powered by a blockchain on the back-end, allowing users to bypass service providers (think Google or Meta). Users can execute various transactions, such as buying/selling cryptocurrency, or accessing various decentralised applications, without the help of an intermediary or a service provider. Coupled with artificial intelligence/machine learning technology, Web3 is able provide users with a seamless and customised experience based on the personal credentials stored within their individual wallet or account.
Web3 has its upsides, most notably by getting rid of the central authority or middleman, hence creating a permission-less or trust-less experience. In such an environment, an intermediary is not required for virtual transactions to take place between two or more parties, allowing financial transactions in decentralised finance (among other use cases) to occur seamlessly.
Emergent risk depends on an organisation’s risk appetite
Andeed next identifies 7 key areas where risk can emerge in Web3, based on how Web3 deviates from our current internet – namely the use of 3D graphics, the type of advertising strategy employed, the driving technologies employed on the backend, the method of data storage and recall used, the types of applications available, the focal/unique selling point of the product and the target reach of Web3.
Based on these 7 key areas, the risk an organisation may face depends on the amount of risk an organisation is willing to expose themselves to. Through proper risk assessment, a tolerable deviation from an organisation’s risk appetite should also be identified, which guides the maximum tolerable downside an organisation can stomach when embarking on a web3-focused strategy.
Types of risk in Web3 – what can go wrong?
Andeed also provided us with a brief run-down of the highest-risk areas which organisations should collectively work against, namely –
- Cybersecurity threats – as the web gets more interconnected, the surface of attack of cyber assaults and data breaches gets larger. Trust, privacy and security issues become more pertinent than ever.
- Reputation risks – in a decentralized setting, it becomes harder to restrict defamatory information that may be propagated against an organisation.
- Regulatory risks – new regulatory frameworks are constantly being developed as Web3 evolves, which require agile compliance frameworks to mitigate regulatory risk.
- Technology risks – Web3 may make use of cutting-edge technology (e.g. ChatGPT), which are susceptible to backdoors or vulnerabilities that perpetrators can take advantage of.
Safeguarding against risk through proper risk management
Based on the ISO 31000 consensus, risk management refers to ‘coordinated activities that direct and control an organisation with regard to risk’. Risk management should start from translating one’s business principles into risk principles, which forms the basis for various risk frameworks to be developed. These frameworks should then guide processes to manage inherent risks – or the maximum risk that any organization will be exposed to.
Additionally, robust risk assessments are also required to identify residual risks that cannot be predicted (e.g. property damage), where proper forms of risk treatment (such as getting the appropriate insurance coverage) can be adopted.
As risk is continually evolving, risk governance must be put in place, which entails the continuous mapping, measuring and management of resources to manage risk. Agile risk management strategies (top-down and bottom-up approaches to risk management happening in tandem while organizations and individuals are learning and evolving) should also be implemented.
The Takeaway : Don’t Trust, Verify
A key takeaway from the webinar is the zero-trust initiative, which Andeed describes as a need for organizations to start with zero trust towards any party or system.
What this means is that when adopting new technologies (e.g. Web3 protocol layers), organisations should employ a security-first approach, granting these new layers the lowest privilege of access into existing devices, applications, infrastructure or networks. Gradually, access privileges should only be elevated based on new organisational, group or job-scope needs. In doing so, organisations will be able to minimise the damage caused from emerging risks.
Swish is your gateway to insightful events featuring industry leaders like Andeed Ma. Stay up to date on the latest technologies and get first-hand updates on upcoming events by requesting an invite to Swish here.