Building an IP risk management framework for innovation leaders

In the era of digital business, markets, organisations and consumers are being transformed as the physical and virtual worlds blur into one another. The continuous evolution of digital business models which exploit new technologies is aligning the physical and digital worlds more closely than ever before, leading to tighter integration between people, devices, content and services – what Gartner has termed “intelligent digital mesh”, part of the so-called ‘fourth industrial revolution’. This transformation will reshape the nature of future IT investment, spurring continuous innovation in products and services, which will in turn result in the creation of significant amounts of new intellectual property.

Intellectual property – patents, trademarks, copyrights and trade secrets – is now central to the success of any business. According to current research, the value associated with intellectual property can account for as much as 75% of most companies’ worth. As per Ocean Tomo’s findings on the components of S&P market value data for 2015, the implied intangible asset value of the S&P 500 grew to an average of 84%. According to the US Department of Commerce’s “Report on Intellectual Property and the US Economy: 2016”, at least 45 million US jobs and more than $6 trillion or 38.2% of US gross domestic product are supported by IP-intensive industries.

However, today’s highly connected digital world is still formed of a patchwork of cultural, regulatory and operating environments. This makes IP protection a formidable challenge for any innovation-driven, IP-led organisation. A valuable trade secret can be leaked through a simple email, while a company’s major R&D investment can be completely wasted if the concepts and outcome are copied and passed along to the competition. According to the “Report of the Commission on the Theft of American Intellectual Property”, the annual cost to the US economy of several categories of IP theft exceeds $225 billion, with the unknown cost of other types of IP theft almost certainly exceeding that amount and possibly being as high as $600 billion annually. In another survey on stolen corporate intellectual property conducted by security industry body ASIS International, IP theft was estimated to be worth $300 billion for the United States alone and $1 trillion worldwide.

To protect intellectual property from the risk associated with theft and infringement, a company needs a robust and versatile IP risk management framework and methodology to identify, analyse and respond to risk factors throughout the life of an IP right. Proper IP risk management implies the control of possible future events and is proactive rather than reactive. It will reduce not only the likelihood of an adverse event occurring but also the magnitude of its impact. Only if IP risk management is set up as a continuous, disciplined process of identifying threats and vulnerabilities and deciding on resolutions can a business properly protect its intellectual property.

This article outlines an IP risk management framework, methodology, process and governance model across the entire lifecycle of intellectual property and is particularly relevant for innovation-led organisations.

Objective

The aim of IP risk management is to ensure that every effort is made by all the units within an organisation dealing with any aspect of intellectual property to manage risk appropriately. The identification and management of IP risk should be continuous and must be linked to achieving the organisation’s business objective.

The need therefore is for an objective and comprehensive IP risk management framework and governance model that will help:

• business leaders to understand and assess the current state of IP threats, vulnerabilities and corresponding business impacts holistically and from multiple stakeholder perspectives;
• the corporate IP community and IP management team to establish IP risk policies and justify mitigation initiatives aligned to the organisational IP strategy and constraints; and
• the corporate body and policymakers to make stakeholders accountable at all levels, as well as to establish effective and efficient governance mechanisms for the continuous monitoring, tracking and recalibrating of IP risk parameters with a changing technology and business landscape.

A number of aspects need to be appropriately covered to establish an effective IP risk management environment, including framework and methodology, risk assessment, risk mitigation, risk management process and governance.

Tata Consultancy Services has therefore created a comprehensive IP risk management model so as to have a model that covers all aspects of IP risk management, covers all relevant stakeholder perspectives, is aligned with corporate IP strategy and corporate enterprise risk management and is neutral with regard to products, platforms, technologies, business domains, geographies and regulations.

Framework

IP risks cannot be managed in isolation. Enterprise-level IP risk management requires a comprehensive approach in order to take account of various perspectives and stakeholders in the IP lifecycle. It must also be aligned with the enterprise’s risk management strategy and framework.

The IP risk management framework (Figure 1) sets out the various influencing levers and core activities across the IP lifecycle that need to be considered and synchronised in order to manage risks efficiently and effectively.

In order to assess the impact of IP risk on a business and its operations and to strategise corresponding mitigation actions, it is necessary to first carry out an IP risk assessment. In addition, an IP risk treatment would be needed for strategising mitigation plans and actions in order to prevent or counter risks, as necessary.

A governance model – which is essential for driving these core activities towards achieving an effective IP risk prevention mechanism – can be established through IP risk governance. Participation is necessary from stakeholders at various levels, as highlighted in the stakeholder involvement tower in Figure 1.

Figure 1. IP risk management framework

Core activities should then follow the corporate IP strategies and policies, and be aligned with the enterprise’s risk management.

IP risk management is thus enabled by appropriate methodology, process, policy and tools. Proper valuation input for a specific piece of intellectual property is also necessary for prioritisation and budgeting.

Methodology

Any IP risk management framework must be enabled by an adequate methodology. Table 1 sets out the various steps of this.

Figure 2. IP risk assessment approach

IP risk profiling and assessment

IP risk profiling and assessment (Figure 2) is designed to qualify the IP risks to be considered for further treatment and to prioritise mitigation plans for these, along with appropriate resourcing.

IP threats are identified, followed by IP vulnerabilities corresponding to each threat. IP risk exposures and the corresponding business impacts can then be abstracted from this.

The following questions can be helpful when exploring IP threats:

• What might go wrong or what might prevent the establishment of legitimate IP rights over a piece of intellectual property?
• What events might threaten the organisation’s intellectual property or IP portfolio?
• What events or circumstances could mislead the overall IP strategy?

IP threats are identified and endorsed through a governance structure comprising representatives from the organisation’s IP management unit and its respective business units. The risk tolerance threshold for a specific IP threat is finalised with the respective business unit head, or his or her nominee.

IP vulnerabilities (ie, the weakness that exposes the organisation to the threat) should be identified for each and any IP threat.

The following questions can be useful when exploring IP vulnerabilities:

• What lapse in the IP management system or process might allow this particular IP threat to occur?
• Is the threat likely to occur in any environment or place, or does it depend on the location or on specific activities?
• What factors need to be present for the threat to re-occur?

The next step is to examine IP risk exposures and business impact. Each threat may lead to a different type of IP risk exposure (eg, loss of IP monetisation or litigation costs). Eventually each of these threats and exposures may affect businesses in different ways (eg, financially or affecting a business’s brand, reputation, market share or business operation).

Once the IP risk profiling has been carried out, the strengths and weaknesses of any existing mitigation techniques must be scrutinised. Knowing what controls are already in place and whether these are effective can help to identify what, if any, further action is needed.

Finally, an assessment should be carried out with regard to the likelihood of the threat occurring and what impact this would have.

Following these steps will result in an accurate, albeit qualitative, assessment of the level of inherent risk – otherwise known as the risk rating.

Assess likelihood

The likelihood of a risk occurring is classed as “rare”, “unlikely”, “possible”, “probable” or “almost certain” (Table 2).

Typical considerations include:

• the experience and statistics of threat likelihood;
• exposure to the probable harmful entity;
• the motivation and capabilities of the harmful entity;
• human error and system malfunctions;
• individual and aggregate vulnerabilities; and
• the effectiveness of existing mitigation systems.

The consequences or potential impact if the risk event does occur are classed as “severe”, “large”, “moderate”, “small” and “insignificant” (Table 3).

Rate level of IP risk

Based on the likelihood of occurrence and business impact, the decision matrix set out in Table 4 is used to determine the level of inherent IP risk for a specific threat.

The levels are described as “extreme”, “high”, “medium”, “low” and “minute”, as set out in Table 5.

Table 4. Decision matrix

Table 5. IP risk level definitions

Assess IP risk tolerance for business units

After the IP risk level is assessed, business unit-level acceptability of this risk level needs to be captured so that an appropriate mitigation strategy can be decided. This should be done through a workshop with the stakeholders of the specific business unit, since the likelihood and impact of a specific IP threat and corresponding vulnerability are relative to a specific unit’s existing risk control and mitigation mechanism, as well as its business priority.

Typical circumstances that might be considered for an IP threat to be acceptable or tolerable include:

• no treatment is available;
• treatment costs are prohibitive (this is particularly relevant for lower-ranked risks);
• the level of risk is low and does not warrant the resources needed to treat it;
• the opportunities involved significantly outweigh the threats or may require more attention; and
• the current mitigation mechanisms which the business unit has in place.

The IP risk tolerance is then assessed following the same approach taken to assess the inherent IP risk, as explained above.

The outcome of this assessment is the overall risk rating, considering both the inherent risk rating and specific business unit’s risk tolerance. This then forms the input for the IP risk treatment.

IP risk treatment

Once the assessment is complete and IP threats are identified with different risk levels, appropriate mitigation options (Figure 3) must be adopted. One of the five different mitigation options (set out in Table 6) can be adopted to mitigate a specific IP threat considering its risk level: “accept”, “avoid”, “control”, “reduce” and “contingency”.

Figure 3. IP risk mitigation options and courses of action

Specific courses of action can be decided once a mitigation option has been chosen. If the mitigation option is to accept, the IP risk threshold has been decided and must be controlled within that threshold.

If the mitigation option is to avoid, the IP policy must be formulated or modified to avoid or eliminate the specific threat and corresponding vulnerability.

If the mitigation option is to control, the appropriate solution should be identified and implemented. This option also requires a custodian to manage and own the solution. A proper feasibility study should be carried out before any solutions are implemented. This should cover at least the following aspects:

• Does the solution selected appear to have the desired treatment effect (ie, will it stop or reduce what it is meant to stop or reduce)?
• Will the controls trigger any other risks?
• Are the controls beneficial or cost efficient? Does the cost of implementing the control outweigh the cost that would flow from the event occurring without the control in place? Overall, is the cost of implementing the control reasonable for this risk?

If the mitigation option decided is reduce or share, a decision needs to be made as to whether to procure an appropriate insurance policy or to share this with a partner or a customer. In the case of the latter, an appropriate contract or agreement should be prepared. If IP insurance is chosen, the financial impact of risk with regard to the cost of this should be analysed.

Sharing the risk or opting for insurance does not remove an organisation’s obligations and will not prevent it from suffering consequential damage if something unexpected happens or something goes wrong.

If the mitigation option decided is contingency, appropriate contingency measures should be identified for each of the risks identified under the options of “control” and “avoid”. Periodic reviews and tests of the actions and solutions planned for contingency should be carried out.

IP risk governance

Effective IP risk governance should address the following key aspects in managing IP risk efficiently:

• the balance between risk impact and the probability of occurrence, considering current business priorities, with an appropriate mitigation strategy decided accordingly;
• the trade-off between the cost of mitigation and the cost of carrying the risk;
• conflict resolution between stakeholders regarding the classification, assessment and mitigation for a specific IP threat or risk;
• indecision management for appropriate risk treatment;
• revisiting the risk decision in the light of new knowledge; and
• stakeholder-specific socialisation.

Governance model

As indicated in Figure 4, IP risk governance should primarily cover the following key functions.

First, IP risk events and mitigation monitoring. Given the diverse and dynamic nature of the contemporary business environment, it is crucial to be alert to emerging risks as well as to monitor known risks. Once risks have been identified, recorded and analysed, and the agreed treatments have been implemented, appropriate monitoring should be established to provide assurance that the mitigation techniques are effective. Some IP risk mitigation techniques will have to be embedded into daily practices and methods of work.

Figure 4. IP risk governance model

The frequency of review will depend on the risk rating, the strength of the controls and the ability to effectively treat the risk. Each employee has a role to play in continually monitoring known or emerging risks and regularly checking or ensuring that controls are in place and are being used.

Second, stakeholder and custodian management. The success of IP risk management depends on ensuring the appropriate participation of stakeholders and custodians for all aspects of IP risk governance. Appropriate stakeholders should get involved in all aspects of the IP risk assessment and mitigation. Custodians also need to be identified who can own and realise the mitigation actions.

Third is periodic reporting. Formal risk reporting is a vital part of being able to demonstrate the effectiveness of a risk management programme. It should take place via the company’s IP risk register or some other appropriate formal reporting process. Formal reports should identify new risks, detail progress made with treating existing IP risks and report outcomes from the monitoring and review process. They should also highlight whether any best practices have been identified during this period.

Annual risk reporting should confirm that all risks relevant to the area of responsibility are being adequately and appropriately managed.

Having a formal structured reporting process enables the organisation to confirm that the IP risk management framework is effective, that all involved individuals are doing what they should and that those accountable are answerable for IP risk management.

Fourth is process and parameters recalibration. The continuous evolution of digital business models to exploit new technologies is best realised through the continuous innovation and generation of a significant volume of intellectual property involving people, devices, content and services. To cope with this rapid pace of change, all associated processes must be agile and adaptive. IP risk management must also be adaptive. Accordingly, the judicious modification of processes, parameters, techniques and metrics must be undertaken and recalibrated with new risk events and mitigation mechanisms as and when necessary.

Fifth is best practice adoption. It is expected that a considerable number of unique and efficient methods of managing IP risk will evolve across all business units. These can be recorded in the risk register and best practices then adopted across the organisation.

Sixth is communication and socialisation. Effective communication and socialisation with regard to the various perspectives and concepts of IP risk management are essential to ensure that those responsible for implementing it and those with a vested interest understand the basis on which decisions are made and the reasons why a particular mitigation strategy is selected. IP risk management is enhanced through effective communication and consultation when all parties understand one another’s perspectives and, where appropriate, are actively involved in decision making.

Methods of communication and consultation might include:

• meetings and the distribution of minutes;
• reports;
• online communication systems and training; and
• the sharing of requisite tools and templates.

IP risk metrics

Although this article has focused on qualitative methods of assessing IP risk, an effort has been made to provide an indication of quantitative methods through the introduction of the IP risk index (Table 7) – which sets out the quantitative consequences of IP risk events. For simplicity and consistency, the metrics are defined as simple measures and normalised as percentages which reflect greater risk as they increase. An index can provide a relatively accurate image of IP risk in order to help stakeholders to understand the seriousness of the situation – this in turn can be helpful when it comes to mobilising resources during the prioritisation of mitigation action and selecting appropriate solutions.

IP risk management policy

The objective of an IP risk management policy is to ensure that all significant IP risks to the organisation are identified, assessed and, where necessary, treated and reported to the business unit leadership and subsequently to the board. A few typical IP risk management policies are highlighted, along with their purpose, in Table 8.

IP risk register

To ensure that IP risk management is effective – and to provide evidence of a demonstrable IP risk management system – it is important to have a documented formal record of the IP risk management process and its outcomes. This should be carried out using an IP risk register – a documented record of the identified risks, their significance or rating, and how they are being managed or treated. All business units should maintain their own register. The corporate IP management team can then selectively consolidate all IP risk events and update the corporate risk register accordingly.

It can be useful to record the following:

• a description of the IP threat (to establish the context);
• causes or contributing factors (ie, the IP vulnerability);
• consequences of the IP threat, whether actual or potential;
• the business impact due to the consequence on intellectual property;
• an assessment of the inherent risk based on the likelihood of the risk occurring and the impact on the business if it does;
• an assessment of the IP risk tolerance of a specific business unit based on current or existing controls as well as the respective business unit’s business priority, to rate each risk for that specific business unit;
• current controls in place that help to manage the risk;
• further actions or treatments needed to address the risk;
• any progress updates as treatments are implemented; and
• the results of the monitoring and review, including the effectiveness of controls and best practices.

Figure 5. IP risk management process flow

IP risk management process flow

The IP risk management process flow (Figure 5) involves interaction between multiple teams in order to complete various activities as envisaged in the IP risk management framework and methodology. As per the process flow schematic, the head of the business or business unit, the corporate IP management team and the IP risk governance team must all be involved to complete various activities at different stages.

For any IP threat or risk:

• all decisions pertaining to business impact, tolerance and resource mobilisation should be taken by the head of the business or business unit;
• all executions pertaining to IP risk assessment and mitigation should be carried out by the IP management team for the respective business unit;
• all actions pertaining to IP risk governance (eg, recording and reporting) should be executed by the governance team for the respective business unit; and
• every decision and outcome across the process flow for all IP threats or risks should be recorded in an IP risk register.

Significance of IP valuation

To quantitatively assess the impact of a specific IP risk – in order to appropriately mobilise the resources to mitigate it – it is critical to consider the value of the intellectual property at issue. The due diligence process for analysing and attaching a specific monetary value to a piece of intellectual property can provide valuable input towards assessing various aspects of IP risks. Such a process should include clearly identifying the intellectual property and ascertaining an unambiguous title to it, as well as establishing its qualitative and quantitative characteristics. It should also determine how the intellectual property is being used in the organisation’s products and services business, the earnings capacity and profitability relating to it. In addition, it can be helpful to look into any legal rights and restrictions related to the intellectual property, what competition it faces and barriers to leveraging it, along with historical growth and prospects for the future. Finally, it can be helpful to analyse the potential financial impact of damaged intellectual property on the organisation’s financial performance.

An IP valuation should analyse the degree of importance of various IP risk management activities, as well as the cost-benefit of various mitigation options. This should lead to higher-value intellectual property having more resources allocated to protect it.

While IP valuation exercises are complex and tedious, the dynamics of contemporary innovation-led business necessitate robust IP valuation as well as IP risk management efforts.

Going forward

IP risk management is designed to sensitise businesses about IP-related risks within their ecosystem and the consequences of these. In the current technology-driven disruptive business environment, the risk landscape is changing rapidly, which is having a profound effect on IP-related risks. The aim of IP risk management is to analyse risks in a specific environment and to prevent them before they happen.

By its very nature, every risk has pros and cons. When a risk relates to intellectual property, it becomes more sensitive because it also relates to innovation and creativity. Every IP risk must be analysed and judged by taking account of the specific nature of the relevant business environment without bias.