IP Risk Management 101
Q/ What is the connection between IP and risk?
Risk is the chance of something going wrong, and the danger that damage or loss will occur. By its very nature, there are both rewards and risks associated with IP. For anyone involved in IP, then IP related risks are part of working life. However many ignore the risks associated with IP or only react when the risk has materialised, which is most times too late.
Q/ What are some examples of IP related risks?
The obvious IP related risk is that a business may infringe the IP rights of a 3rd party. However, there may also be IP related risks associated with for example:
Having too narrow a definition of IP, and ignoring potentially valuable IP assets
The IP terms and conditions in some development or commercial agreements with 3rd parties
The publishing activities of the business
Embracing open source software
Being involved in certain interoperability standardisation activities
Getting involved in some open innovation initiatives
The use of subcontractors
One's own IP out-licensing program
Employees stealing IP from the company
The scourge of Counterfeit products
Trademark disputes with 3rd parties
Trade secrets not being properly managed
Q/ Are IP related risks a significant issue?
Any business professor will tell you that the value of companies has been shifting markedly from tangible assets, "bricks and mortar", to intangible assets like intellectual property in recent years. Research has indicated that intangibles now account for about 80% of the total value of many companies.
There is no data available on the scale of the risks associated with IP but one can assume that it is significant, and probably around this 80% mark.
There is indeed some data available on the size of the problem associated with certain specific types of IP related risks such as counterfeit products, patent litigation, trademark disputes, data hacking and so forth.
The bottom line is that IP related risks are a significant issue for many companies.
Q/ Are all IP related risks generally the same or not?
All IP risks are not the same, far from it. Not all IP risks are the same and they may be broken down into a variety of different categories, such as the form of IP involved (e.g. patents, trademarks, copyright, etc.), the source or origin of the IP related risk, the impact and probability of the IP risk, the date when the risk is likely to materialise, the geographical nature of the IP risk, whether they are generic or specific in nature, the group or sub-group most impacted by this risk in the organisation, etc.
Q/ Where do IP risks originate?
Many mistakenly assume that all IP risks originate from competitors, but IP related risks may originate from a variety of sources:
The activities of one’s own company and its people
The activities of entities within one’s own eco-system (suppliers, partners, distributors, customers)
The activities of one’s competitors
The activities of other entities such as NPEs
Changes to Government policies related to IP
The activities of illegitimate entities such as hackers and counterfeiters
Q/ What is IP risk management?
IP risk management is a practice that deals with processes, methods, and tools for managing IP risks in a project, business unit or organization. It is initially about the identification, assessment, and prioritization of IP related risks followed by the coordinated and cost-effective application of resources to reduce or eliminate the probability and/or the impact of these IP related risks to the organization.
IP risk management involves understanding, analyzing and addressing IP related risks to make sure organizations achieve their objectives. So it must be proportionate to the complexity and type of organization involved. Proper IP risk management is an integrated and joined up approach to managing IP related risks across an organization and its extended networks.
IP risk management is about ensuring that the business really understands its IP related risks, and then mitigates pro-actively. The rationale for this may be driven by the need for freedom to use technologies already in use or being considered for use in the company’s products, but there are many other reasons why businesses need to take IP risk mitigation seriously.
The focus should be on risk mitigation and not just of risk evaluation. Risk mitigation covers efforts taken to reduce either the probability or consequences of a threat. Risk mitigation efforts may range from physical measures to financial measures.
Q/ What are the key steps in the IP risk management process?
A process is an interrelated set of activities designed to transform inputs into outputs, which should accomplish your pre-defined business objectives. Processes produce an output of value, they very often span across organisational and functional boundaries and they exist whether you choose to document them or not.
A process can be seen as an agreement to do certain things in a certain way and the larger your organisation, the greater the need for agreements on ways of working. Processes are the memory of your organisation, and without them a lot of effort can be wasted by starting every procedure and process from scratch each time and possibly repeating the same mistakes.
At a very top level, the IP risk management process involves the following key phases:
Q/ Which approach, top down or bottom up, is best for IP risk assessment?
The two ‘halves’ of IP risk management are IP risk assessment and IP risk mitigation. Risk assessment is about the identification, quantification and prioritization of IP related risks facing an organization.
In the top-down approach, IP risk management begins at the highest conceptual level and works down to the details, with the major IP related risks being identified by senior management.
In the bottom up approach, it begins down with the details and works up to the highest conceptual level, with IP related risks being identified by middle managers and individual contributors, and with the higher probability and/or impact IP related risks then being passed up to senior management.
Top down and bottom up are both strategies of information processing and knowledge ordering, used in a diverse range of fields, including in the area of IP risk management. The two approaches may be seen as a style of thinking. Processing here is just a simpler way to say taking in IP related risk information, analysing it, and drawing conclusions or taking action. In a top down approach, an overview is formulated, with the details beyond that overview specified but not delved into. A bottom up approach is the piercing together of different details. It should be stressed that both have the same goal, namely to ferret out the key IP related risks facing the organization.
Success depends on using a combination of top down and bottom up approaches to first identify, classify and prioritize the IP risks facing the organization.
Combining top-down with bottom-up approach is especially needed when the IP environment is continuously changing and consequently, the organization’s IP risk map is shifting. In such circumstances, the top-down approach gives IP risk management the necessary strong foundations whereas the bottom-up approach give it some flexibility. The combined approach also keeps everybody in the organization involved in the IP risk management process and ensures accountability and improves compliance.
For organizations tackling IP related risk management for the first time, it is recommended to start initially with a top down approach but then to roll out a bottom up approach to reach out across the entire organization over time. The bottom up approach may for example become an annual exercise conducted across the organization.
Q/ How does one mitigate IP related risks?
There are a variety of IP risk mitigation techniques available, but of course their effectiveness will vary from one particular IP risk to another, on timing, and from business to another.
Some of the IP risk mitigation techniques are listed here, but this list if not exhaustive by any means:
Raising awareness of the importance of IP across the organisation
Leveraging technical cooperation with others
Using Standards with fit for purpose IP policies
Participating in patent pools
Finding prior art to invalidate 3rd party IP
Taking out IP insurance
It is important that a company builds up a good understanding and appreciation of the various IP risk mitigation solutions which exist, and if and when they should be deployed. There are a growing number of specialist external IP risk mitigation solution providers which should also be considered.
Q/ What are the components of a good IP risk management solution?
IP risk management is not easy and a number of components need to be in place for a company to truly master this aspect of IP. I strongly suggest that the following components are needed:
Good IP and IP related Risk awareness and education
A robust fit for purpose IP Risk Management process
IP Risk Management system / tool
Data (IP related risks, actions, documents, reports)
A variety of IP Risk Mitigation solutions
IP Risk Management resourcing (people, budget)
Proper IP Risk Management governance
Q/ Why utilise an IP risk management tool?
A good IP risk management tool helps ensure that the process is an efficient and effective one. It can improve data integrity as well as better support how IP risks are articulated and reported. It should be easy to install, easy to configure and easy to take into use, otherwise there is a great danger that the system become a ‘white elephant’.
A risk management tool is commonly used in business in such areas as project management and organisational risk assessments. It acts as a central repository for all risks identified and, for each risk, includes information such as risk probability, impact, counter-measures, and risk owner and so on. It can sometimes be referred to as a ‘risk register' or a 'risk log'.
An IP risk management tool is no different and is an essential tool to be able to manage this particular risk area. It initially provides a way to articulate the various IP related risks in a very structured manner. It then acts as an important tool for the ongoing management of these IP risks.
Typically an IP risk management tool will contain:
A description of the IP related risk
The impact should this event actually occur
The probability of its occurrence
Risk score (the multiplication of probability and impact)
A summary of the planned response should the event occur
A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
Links to any associated documentation
In a ‘qualitative’ risk tool descriptive terms are used: for example a risk might have a ‘High’ impact and a ‘Medium’ probability. In a ‘quantitative’ risk tool the descriptions are enumerated: for example a risk might have a ‘$1 Million’ impact and ‘10%’ probability.
A clever feature is to allow some calibration of the tool as different levels of impact and probability will differ from one company to another.
Q/ What is an IP risk heat map?
An IP risk heat map is a tool used to present the results of a risk assessment process visually and in a meaningful and concise way. It is a simple yet extremely powerful tool.
Heat maps are a way of representing the resulting qualitative and quantitative evaluations of the probability of risk occurrence and the impact on the organisation in the event that a particular risk is experienced.
The development of an effective heat map has several critical elements – a common understanding of the risk appetite of the company, the level of impact that would be material to the company, and a common language for assigning probabilities and potential impacts.
An IP risk heat map diagram provides an illustration of how organizations can map probability ranges to common qualitative characterizations of IP risk event likelihood, and a ranking scheme for potential impacts. They can also rank impacts on the basis of what is material in financial terms, or in relation to the achievement of strategic objectives.
IP risk heat maps provide a number of benefits:
A visual, big picture, holistic view to share while making strategic decisions
Improved management of IP risks and governance of the IP risk management process
Increased focus on the IP risk appetite and IP risk tolerance of the company
More precision in the IP risk assessment process
Identification of gaps in the IP risk management and control process
Greater integration of IP risk management across the organization and embedding of risk management in operations.
Q/ Why is IP risk data important?
IP risk management is important, so it is therefore imperative that the associated data is also treated with the respect that it deserves, and that data integrity is maintained.
A number of best practices exist to help address data integrity issues within an IP risk management system:
Control the data entry
Define mandatory and optional data fields properly
Assign rights and roles for with access to the system
Assign personal responsibility
Keep a change history
Design 'intelligent' data fields
Use tools to measure and clean the data on a regular basis
Make data management a living process
Measure, measure, measure!!!
The best approach is to make data management an on-going process and an integral part of IP risk management.
Managing the associated data as a resource is an important function of IP risk management. Accurate and relevant data is the source of valuable information. By managing data efficiently, proper informed sound management decisions can be made.
Data is only as good as the process and system that collects it. Analysis is only as good as the data on which it is based and the skills and experience of the analyst. Without data, it is simply an opinion.
Q/ Who should be interested in IP risk management?
Anyone interests in IP should take IP risk management seriously. It should be of particular interest to anyone:
Operating in an IP litigious environment
Coming up for exit or listing
Anxious to get IP risk management under control
Whose executive management team are demanding visibility of IP related risks
Experiencing major business changes
Facing a major IP risk and realising that they are unprepared
Interested in proper governance of IP
Regardless of why one is interested, it is best to master IP risk management when things are calm rather than when one is tackling a major IP risk, when pressure is intense and everything seems chaotic and dis-organized. This is not the right time for a GC, CIPO or IP Manager to have to go to the Board and explain that the IP risk management process is to ‘panic widely and run away’.
Q/ What are the keys to success in IP risk management?
I suggest that IP awareness and IP governance are like the bookends, keeping everything else in proper order. Governance here is about management putting IP risk on their agenda and regularly asking themselves whether they have the right culture, people and processes in place.
The skills needed to succeed with IP risk management do not match exactly those needed to be successful with the other key IP processes, such as IP creation, IP portfolio management, IP exploitation and IP enforcement. The mind-set is just different for those charged with IP risk management.
Q/ Any final thoughts?
It is important not to underestimate or exaggerate the risks associated with IP. As IP relates to innovation and creativity, it can sometimes be an emotive subject and some care is needed.