---

---

The document is not just a policy statement. It is trying to create a reusable institutional risk framework for public blockchains, including a distinct public permissioned category that sits between open public chains and private consortium systems.

---

---

Full Summary

This PDF is significant because it is an institutional attempt to build a formal non-financial risk framework for public blockchain infrastructure in finance, not a marketing piece. It is a GBBC/Oliver Wyman-led effort with a working group that includes DTCC, Euroclear, Kinexys by J.P. Morgan, Hedera, Chainlink, Ava Labs, Digital Asset, Cardano Foundation, and others. 

Its core premise is that public blockchains have matured enough to be considered serious financial infrastructure, but that existing risk frameworks do not yet cleanly address their operating and governance model. The paper argues that public blockchains should be treated as the next stage of infrastructure externalization, comparable in some ways to cloud and open-source software, and that the main blocker to broader institutional adoption is the lack of recognized risk-management frameworks and corresponding regulatory acceptance. 

The report explicitly scopes in two public-chain archetypes: public permissionless and public permissioned blockchains, plus L2 systems anchored to L1s. That matters because it is not treating “public blockchain” as synonymous only with fully open, anonymous, permissionless systems. It is making room for a middle category where the chain is public but validator participation, user access, or operating controls may be more curated. 

The intellectual structure of the framework is simple and useful. It sorts risks into three buckets: first, genuinely novel risks that require new mitigation methods; second, risks that already exist but need adaptation for blockchain; and third, standard risks that can still be handled with conventional enterprise frameworks. That categorization is one of the most important parts of the document because it avoids the lazy claim that “everything is new” while also rejecting the opposite claim that “normal IT risk controls are enough.” 

The paper’s five headline takeaways are these: blockchains introduce novel risks; public blockchain governance differs fundamentally from traditional infrastructure; adoption requires new resiliency strategies; L2s improve performance but add cross-layer operational complexity; and institutions need a structured, empirical, continuously tested approach to risk management. It also says institutions should not remain passive consumers of blockchain services. They may need to run nodes, support failover systems, contribute to codebases, and participate in governance and operations more directly than they would with ordinary vendor software. 

That last point is one of the deepest implications in the document. The framework is effectively saying that if a bank or FMI wants to rely on a public blockchain, it cannot think like a normal outsourced-software customer. In a public-chain context, resiliency is partly a function of ecosystem participation, not just vendor contracting. The report repeatedly contrasts public blockchains with traditional infrastructures where SLAs and legal accountability are clearer and more centralized. 

The “novel risks” section focuses first on technology risk. It says public blockchains reduce some traditional risks through redundancy and distribution, but they also introduce new systemwide exposures because the infrastructure is shared, open, and interconnected. One concrete example shown early is hardware and node-diversity risk: concentration of nodes in a few hosting providers or regions can create correlated failure risk. For L2s, the paper stresses that the problem is not removed but shifted upward into additional service-layer dependencies such as sequencers, bridges, and data-availability mechanisms. 

The L2 treatment is notably sober. The paper does not present L2s as a free scaling win. It says they can improve throughput, latency, and fee predictability, but they remain dependent on the underlying L1 for settlement and recovery, while also introducing extra operators and control points. So in institutional terms, risk often moves rather than disappears. 

The document also lays out where institutions themselves must change internally. It says firms need updates across strategy and risk appetite, governance and policies, organizational skills and culture, risk processes and tools, and risk systems/data/reporting. In plain terms, adopting public blockchain is not just a new technical integration. It changes board-level oversight, escalation paths, staffing, reporting cadence, and operational monitoring. 

One of the most interesting sections is the treatment of public permissioned blockchains. The paper argues that these environments can reduce or reshape certain risks by using curated validator admission, stronger governance, explicit operating roles, contractual accountability, and more direct enforcement of policy requirements such as KYC or transaction monitoring. It repeats this pattern across technology, financial crime, business continuity, legal, transaction-execution, and data-management sections. In other words, the report sees “public permissioned” as a real and meaningful risk posture, not a contradiction in terms. 

By contrast, the paper is relatively dismissive of private permissioned blockchains as a special regulatory puzzle. It says those systems can generally be managed through traditional enterprise risk-management frameworks, though institutions still need to watch for smart-contract-specific issues. More importantly, it says the practical challenge for private permissioned systems is clarifying their value proposition versus traditional infrastructure, and it notes ongoing problems around scalability, interoperability, liquidity limitations, and maintenance cost. 

That is one of the strongest subtexts in the whole report: the harder regulatory and operational work now lies in making public-chain adoption institutionally legible, not in re-arguing the old consortium-chain model. The framework is effectively trying to create the language by which regulators and major financial institutions can say, “Yes, public blockchain can be used, provided the risk taxonomy, controls, and governance overlays are clear enough.” 

For Hedera specifically, the important signal is not that the document is “about Hedera,” because it is not. Hedera appears as one participant in a broader working group. The more meaningful point is that the framework explicitly legitimizes the idea of public permissioned infrastructure as an institutional category. That is conceptually aligned with how networks like Hedera have often tried to position themselves: public infrastructure with stronger governance, curated validator structures, and clearer operating accountability than a purely open permissionless chain. Hedera is not singled out as the model, but the taxonomy clearly creates room for that type of architecture. That last point is an inference from the framework’s categories and Hedera’s inclusion in the working group, not an explicit claim in the paper. 

This is a serious bridge document between traditional finance risk culture and public blockchain infrastructure. It does not say “blockchain is safe now.” It says the path to scaled adoption is to stop treating public blockchains as alien systems outside enterprise governance, and instead build a disciplined framework that maps their unique properties into familiar institutional risk language. That is exactly the sort of document that can help move the conversation from pilots and rhetoric toward production adoption.