A bear market can be a clear test of resiliency. We are seeing some blockchain projects struggling to pass that stress test (Celsius halts withdrawals; Rari goodbye & nod to predatory tactics; Babel suspends redemptions & withdrawals). But we also see successful white hat hacks that raise the potential for more holistic resilience across web3 projects (DeFi Attack Averted). Surprisingly, these ethical hacks resemble risk and compliance controls in heavily-regulated businesses, but they are more effective because of timing. Instead of a centralized gatekeeper trying to cajole a team’s commitment to risk mitigation, the power of wide engagement in DAOs allows behavioral incentives to be more intuitive and effective with less resistance.
For sustainable growth in web3, let’s adopt a behavioral incentive approach for all governance, risk and compliance (GRC) matters, not just cyber security. Incentivizing self-reporting by aligning everyone with the interests of the community (a “white hat approach”), at a minimum, will more clearly separate the bad actors from the innovators. A framework for DAOs is crucial in order to align behavioral incentives, so web3 projects do not repeat the inherent dysfunction of traditional GRC programs. Action is needed now to ensure the framework fits the new ethos and can refute increasing claims by regulators and litigants that a layer of traditional controls should be mandated for web3 projects. One recent example is the debate about how to regulate Tether. Let’s use decentralized consensus and collaboration to incentivize better business conduct.
II. Perils of Traditional GRC and Wait and See Strategy
Once there is a decision about business priorities and the legal entities to support them, the next step is to decide if a project will build a GRC program. After funding is secured, regardless of the size of a project or its potential treatment as a financial product, it’s time to understand threats to the project’s viability. Viability threats can be vast, from operational risks that cause errors or difficulty recruiting and retaining talent, to regulatory and legal risks that impact whether the project could be halted or distracted with government inquiries. Yet, most projects do not proactively address regulatory and operational risks after establishing their legal and business framework. With a bear market and increasing concerns about protection of users, many regulators and legislators are considering how to regulate web3, particularly how to retrofit traditional GRC requirements (SEC Chair Gensler speech; Sec Yellen remarks; New EU-wide regulation; New crypto framework in Brazil; New Singapore crypto law).
A Web3 project has at least two choices:
- Wait and see whether government requirements apply and build a framework then, taking on all the material civil and criminal risks that come along with a wait-and-see strategy, or
- Build a tailored framework that uses the same ethos as ethical hackers and permits the ecosystem to choose its priorities.
If the majority of the web3 projects opt for the wait and see approach, web3 would arguably lose an opportunity to build a better GRC paradigm. Businesses would accept the heightened risk that they need to build a traditional GRC program into the DAO and/or that they are not prepared for inevitable changes to tax, legal and regulatory requirements.
The traditional GRC framework has a mixed record on effectiveness. The Transparency International Corruption Perceptions Index (CPI) indicates that despite all the money and effort to adhere to legal and regulatory requirements designed to fight fraud, traditional GRC programs are failing to eliminate fraud. With no meaningful improvement in the last decade and over 50% of countries receiving a failing CPI grade for fighting corruption and fraud, the centralized approach is not delivering an ROI (Transparency International CPI). Instead, many compliance officers struggle to align incentives & gain collective ownership to report and solve governance gaps. We continue to see corrupt corporate behavior at some of the world’s most successful companies (FCPA Violation 120 mil in fines; Retirement Account Fraud; Fraudulent Bond Sale).
The new GRC paradigm is poised to leverage the power of decentralization and incentives. For example, compare white hat (ethical) hackers protecting against cyber threats to whistleblowers allegedly fighting corruption and theft. Whistleblower reporting is required under several existing regulatory regimes to incentivize self-policing (EU Whistleblower Directive; SEC Whistleblower and Bounty Program; Anti-corruption Whistleblower Cases). However, whistleblower reporting within businesses is notoriously ineffective at preventing corruption before it occurs and instead is reserved for bringing the problem to the public after the fact (Facebook Whistleblower).
There is a strong rationale for not waiting for new regulatory mandates and instead building a Web3 GRC framework that uses the same ethos as ethical hackers to proactively self-govern. This will allow the ecosystem to choose its own priorities and make its own decisions.
III. New GRC Framework
In order to maintain a sustainable peer-to-peer ecosystem, the members need to build trust and deliver on transparent governance. A sustainable GRC program will incentivize addressing conflicts and issues before they threaten the viability of the project (SushiSwap CTO Resigns; SushiSwap Feud).
Guiding principles for sustainable governance are:
- Agile & Iterative — Expect changes, build in flexibility and a modular approach that can be adjusted when new risks surface
- Disclosures & Transparency — Assume conflicts and risks should be known, so users are informed
- Anti-Fraud & Consumer Protection — Prioritize well-being of users and adopt a guardian lens
- Caution & Escalate — Create the white hat approach, build in self-reporting incentives and avoid whistleblower pitfalls
A sustainable GRC program should adopt 5 pillars:
1. Know the environment and prepare
As with pen testing or hackathons, expect inquiries from government authorities and litigants. Prepare with an advisory bench and a narrative of the project. The narrative should include in-scope and out-of-scope features to tell the project’s story before being asked to defend the story to the government or litigants. Hire a “white hat” advisor to audit your performance against these pillars and guiding principles.
2. Create and manage a road map
Create a practical risk inventory based on current developments and maintain it. Assess the relevance of the risks to the project and prioritize drafting a project list to address the top risks. Use the inventory as a confidential road map with use cases and examples to size risks.
3. Create an escalation and questions forum
Create a GRC private Slack channel, Discord, Team meetings and Q/A. Make it easy to ask questions and escalate concerns. Consider building a path where reporting is anonymous to remove any hesitancy. Set a record retention policy to make sure you retain documents you need and create a rational destruction schedule to balance data sharing with security risks. For instance, corporate documents should be retained for the life of the organization, whereas Slack and text messages may contain personal information and should have a short retention period to prevent data breaches.
4. Have a public relations & communications strategy
Set standards for community, project and personal opinions. Set guidelines to avoid shilling and conflicts of interest and provide examples of balanced communications. Consider:
- creating an understandable risk mantra/disclosure on public communications such as “Be informed & accept the risks”, “Consider before you act”, “Read our forum and blogs for more info” and then create an FAQ,
- the experience of the target audience as you write,
- sourcing a third party, when making projections or promissory statements,
- avoiding investment terms unless there’s an expectation of investment oversight from the government.
5. Develop protocols for managing GRC
Rather than creating protective traditional legal documents, create short, accessible standards for the team to follow. Be strategic about accepting certain risks, create a risk plan to address short, medium and longer-term issues.
Expect to change the GRC program and adopt 4 north star attributes
- Global Approach: Adopt a borderless strategy, but focus on the jurisdiction of a concentration of users, prevent criminal liability & rely on jurisdictions with guidance — DOJ Criminal Division — Evaluation of a Compliance Program
- Tech Company Policies: Orient your GRC efforts for a technology company. Draft a Sanctions, Privacy and Cookies policy and procedures
- Anti-Fraud Efforts: Include an anti-fraud mindset within product development perhaps as part of user experience efforts. Mitigate risks with a consistent focus on serving the interests of users, community and ecosystem. Draft listing standards, implement user protection with bad actor blocking, focus on cyber security, follow a marketing/business development review process before content is posted on public forums.
Resilience of a web3 project will not just entail fighting TradFi and the government’s perception of risks; it also means addressing concerns from within the community. “Most crypto projects are designed with extremely predatory tactics that hurt retail. Most crypto projects have 0 intention of doing anything besides dumping on retail.” (Founder, Rari Capital)
Proactive GRC shows a commitment to responsible growth, rejecting the narrative that predatory tactics are pervasive (The Association of Digital Asset Markets code; Coindesk self-imposed code of ethics). Adopting the five pillars of a GRC framework now is a low-friction way to build resiliency and position your project for growth. Current opportunities for web3 are boundless, which makes a GRC framework even more crucial (300 million valuation for the metaverse’s largest construction company).
Reach out if you are interested in a confidential GRC assessment. Warburton offers assessment services including advice on options and best practices and a set of template documents.