Intellectual Property Risk Assessment - Top Down vs Bottom Up
By its very nature, there are both rewards and risks associated with intellectual property (IP). Given the growing importance of IP across most industry sectors, many organizations are facing a diverse range of IP related risks.
Of course, not all IP risks are the same and they may be broken down into a variety of different categories, such as the form of IP involved (e.g. patents, trademarks, copyright, etc.), the source or origin of the IP related risk, the impact and probability of the IP risk, the geographical nature of the IP risk, whether they are generic or specific in nature, etc.
IP risk management:
IP risk management is a practice that deals with processes, methods, and tools for managing IP risks in a project, business unit or organization. It is initially about the identification, assessment, and prioritization of IP related risks followed by the coordinated and cost-effective application of resources to reduce or eliminate the probability and/or the impact of these IP related risks to the organization.
The two basic components of IP risk management are IP risk assessment and IP risk mitigation. Risk assessment is about the identification, quantification and prioritization of IP related risks facing an organization.
Once the exposure to IP related risk has been identified, quantified and prioritized, IP risk mitigation actions for the organization’s exposure to risk can be devised. There are different methods which organizations employ to mitigate IP related risks - contingency, avoidance, reduction, prevention, etc.
The IP risk management process may be segmented further into the following five phases:
Identify, characterize, and gauge IP related threats to the organization.
Review the vulnerability of critical assets to specific IP related threats.
Determine the expected consequences of specific IP related threats.
Determine ways and means to reduce each of these IP related risks.
Implement IP risk mitigation measures based on the overall IP strategy.
This paper focuses on the IP risk assessment component and the approaches organizations take to identifying, quantifying and prioritizing their IP related risks.
Top down versus bottom up:
In the top-down approach, IP risk management begins at the highest conceptual level and works down to the details, with the major IP related risks being identified by senior management.
In the bottom up approach, it begins with the details and works up to the highest conceptual level, with IP related risks being identified by middle managers and individual contributors, and with the higher probability and/or impact IP related risks then being passed up to senior management.
Top down and bottom up are both strategies of information processing and knowledge ordering, used in a diverse range of fields, including in the area of IP risk management.
The two approaches may be seen as a style of thinking. Processing here is just a simpler way to say taking in IP related risk information, analyzing it, and drawing conclusions or taking action.
In a top down approach, an overview is formulated, with the details beyond that overview specified but not delved into. A bottom up approach is the piecing together of different details.
Before looking any further at the differences between top down and bottom up approaches, it should be stressed that both have the same goal, namely to ferret out the key IP related risks facing the organization.
Top down approach:
The broad objective of the top down approach is to distill insights and provide clarity of the key IP related risks facing the organization, support IP risk informed decision making at senior level, ensure an IP risk dialogue takes place at senior management level and enable proper IP risk oversight.
Top down is focused on keeping the analysis and decision making in the hands of senior management. With top down IP risk management, the senior folks involved must choose the techniques to be utilized to help identify the key IP risks facing the organization and prioritize these risks.
The top down approach calls for the senior managers of the organization, typically business, technical and legal senior managers working together, to determine the key IP related risks they are facing. This approach confers a great deal of control over the IP risk management process. In those cases where these senior managers have high levels of IP maturity and sophistication plus extensive IP knowledge of the industry sector, this approach can limit wasted time and resources.
The top down approach to IP risk management tends to emphasize the imperatives and vision of senior management. Most small businesses automatically use the top down approach because they are apt to have only two layers: managers and individual contributors, and with a closeness between these two layers.
The top down approach to IP risk management may be referred to as the 'crime scene analysis' approach, as it is often based on past experiences and case studies of IP related risks in the same way that the police categorize crimes, crime scenes and offenders.
In the top down approach, knowledge and/or expectations are used to guide processing. Top-down approaches are usually good at highlighting the challenges in a historical context but the results need to be adjusted when applied to a changing IP environment.
A top down approach can work against an organization when middle management and individual contributors possess critical IP related knowledge and insights that do not filter up to key decision makers.
The top down approach can also sometimes underestimate the IP risks facing an organization, as unexpected IP related risks tend to get overlooked.
Bottom up approach:
The broad objective of the bottom up approach is to ensure a comprehensive identification and prioritization of all IP related risks, to define IP risk processes and policies throughout the organization and to ensure a robust IP risk culture company wide.
A bottom up approach works to tap into the collective IP knowledge and expertise of the entire organization. It encourages middle managers and individual contributors to submit information on IP related risks. Those of high impact and probability get passed up the line to senior management.
Such a bottom up approach can help the senior management team to avoid tunnel vision regarding IP related risks. This is important given the diversity of IP risks an organization may face.
Bottom-up approaches are good at capturing the IP related risks when there is great diversity and variety across the product / services roadmap of the organization, when there is some complexity to its core technology, when there is turmoil in the market place and/or when the organization operates in an interesting environment.
The bottom up approach is like structuralism, piecing together data until a bigger picture is arrived at. The bottom up approach is sometimes called the 'small chunks' approach, focusing attention on specific projects, functions or business units, and then repeating this process across all projects, functions and business units. By its very nature, the bottom up approach entails a thorough review of the IP risks across the entire organization.
The bottom up approach, however, may be more challenging for large complex organizations, unless there is some agreement initially on the definition of IP, some maturity and sophistication as far as IP is concerned, plus some means to calibrate the levels for risk impact and probability in order to guarantee some consistency.
In the absence of an effective screening mechanism, such as well calibrated IP risk impact and probability levels, to weed out invalid IP related risks, the influx of IP risks may outstrip the ability of those tasked with managing IP risks to sort through them and analyze all of them properly and professionally.
The bottom up approach tends to be more resource intensive and thus more expensive. That said, for organizations with diverse business activities, a regular bottom up assessment of IP related risks is recommended.
Which approach is better?
These two paradigms are often used at the start of the IP risk management process to help create a list of the IP related risks facing the organization, and then to plan the work to be done to try to mitigate these risks.
While they are often used concurrently, there are specific drawbacks and benefits to each, and balancing this is key to successful IP risk management.
There is no definite answer to which approach is better.
Benchmark data suggests that more companies opt for the top down approach, namely that IP risk management is performed at the organizational level.
This however may be due to a number of factors related to in-house IP
IP functional structures within organizations,
IP portfolios being owned and managed centrally
The need to comply with new regulatory and governance requirements
The very nature of certain IP related risks
The limited resources allocated to IP risk management
Success depends on using a combination of top down and bottom up approaches to first identify, classify and prioritize the IP risks facing the organization.
Combining the top-down with the bottom-up approach is especially needed when the IP environment is continuously changing and, consequently, the organization’s IP risk map is shifting. In such circumstances, the top-down approach gives IP risk management the necessary strong foundations whereas the bottom-up approach gives it some flexibility. The combined approach also keeps everybody in the organization involved in the IP risk management process, ensures accountability and improves compliance.
For organizations tackling IP related risk management for the first time, it is recommended to start initially with a top down approach but then to roll out a bottom up approach to reach out across the entire organization over time. The bottom up approach may for example become an annual exercise conducted across the organization.
Utilizing a combined top down and bottom up approach to IP risk assessment is only part of the total solution to proper and professional IP risk management.
Any organization, especially one serious about IP, should develop and maintain a comprehensive IP risk management 'tool kit' consisting of the following elements …
An IP risk management process, including IP risk assessment and IP risk mitigation.
An IP risk register.
A comprehensive list of the IP risk mitigation techniques available.
IP risk mitigation education material.
A small rapid reaction force.
A network of 3rd party IP risk mitigation solution providers.
It is most important that the business is aware of the full range of techniques available to recognize, manage and mitigate IP related risks. Workshops may be needed to determine the suitability of these techniques to a particular business and to create a plan to implement them within the business. There should be specific focus on the short, medium and long term vulnerability to IP related risks, as it may be that these three phases can be addressed differently.
As stated earlier, top down and bottom up approaches may be seen as a style of thinking. It should be stressed that both have the same goal, namely to ferret out the key IP related risks facing the organization.