What are better means to explain what IP Risk Management is than to take a Question & Answer tour, so here we go. Anything about one of the most challenging of tasks for an IP department of any technology-driven company: IP Risk Management.
Q – What is Risk?
Risk is the potential of gaining or losing something of value by something going wrong
Q- What is “IP”?
IP is “Intellectual Property”, resulting from technological development, creation of a brand, development of new medicine or treatment, trade secrets, creating a song, book, artwork, performing arts, design work, development of new plant varieties, etc., so basically all creations of the “mind” or intellect, protected by (international) IP Laws.
Q – Why is IP important for an organization?
Whether it is physical or digital, customer data or operational information, trade secrets or business strategies, product development, pharma R&D, brand development, artwork creation, intellectual property (IP) is often the main driver of revenue for any organization.
Q – What is the connection between IP and Risk?
IP represents value for any creator, organization, or company. The risk of losing IP or the control over it is “IP risks”.
Q – Why should I take IP Risks seriously?
By its very nature, there are both rewards as well as risks associated with IP. IP-related risks are part of working life. However many ignore the risks associated with IP or only react when the risk has materialized, which is often too late. IP risks can be the most serious risks facing an organization.
Q – What are examples of IP Risks?
The most obvious IP risk is that in the course of doing business you may infringe the IP rights of a third party. However, there are many more IP risks associated with doing business, they come in different forms and shapes. Just to name a few:
- Use of mobile devices by employees containing company secrets
- Crucial product developments are not protected property or adequately
- Having too narrow a definition of IP, and ignoring potentially valuable IP assets
- Overlooking license opportunities under existing patents
- Monitoring and administration of IP terms & conditions in development or commercial agreements with third parties
- risks relating to publishing activities of the business
- Embracing open source software
- Being involved in certain interoperability standardisation activities
- Getting involved in some open innovation initiatives
- The use of subcontractors
- One’s own IP out-licensing program
- Employees stealing IP from the company
- presentations marketing people at conferences workshops, endangering patenting
- appearance of counterfeit products on the market
- Trademark disputes with third parties
- Trade secrets not being properly managed
- Data ownership and usage
Q – What is IP Risk Management?
IP Risk Management is a practice that deals with processes, methods, and tools for managing IP risks in a project, business unit, or organization. It is initially about the identification, assessment, and prioritization of IP-related risks followed by the coordinated and cost-effective application of resources to reduce or eliminate the probability and/or the impact of these IP-related risks to the organization.
Q – What does proper IP Risk Management entail?
IP Risk Management involves understanding, analyzing, and addressing IP risks to make sure organizations achieve their objectives. So it must be proportionate to the complexity and type of organization involved. Proper IP Risk Management is an integrated and joined-up approach to managing IP-related risks across an organization and its extended networks.
Q – Why utilize an IP risk management tool?
A good IP risk management tool helps ensure that the process is an efficient and effective one. It can improve data integrity as well as better support how IP risks are articulated and reported. It should be easy to install, easy to configure, easy to take into use, and secure, otherwise, there is a great danger that the system becomes a ‘white elephant. IPEG offers its new IP Risk Management Tool, called “Alder Tool”. For more information email us using the contact form on the IP|EG website.
Q – Are all IP-related risks generally the same or not?
Not all IP risks are the same, far from it. Risks can be broken down into a variety of different categories, such as the form of IP involved (e.g. patents, trademarks, copyright, etc.), the source or origin of the IP related risk, the impact and probability of the IP risk, the date when the risk is likely to materialize, the geographical nature of the IP risk, whether they are generic or specific in nature, the group or sub-group most impacted by this risk in the organization, etc.
Q – Are IP risks a significant issue?
Anyone following markets and business developments notices that the value of organizations has been shifting markedly from tangible assets, “bricks and mortar”, to intangible assets like intellectual property. Research has indicated that intangibles now account for about 80% of the total value of many organizations and companies.
Q -Are there any data showing the importance of addressing IP risks?
Although there are data available on the size of the problems associated with certain specific types of IP-related risks such as counterfeit products, patent litigation, trademark disputes, data hacking, and so forth, scientific data on the scale associated with IP risks are not (yet) available. The bottom line is that IP risks are a significant issue for many organizations.
Q – Where do IP risks originate?
It is often assumed that IP risks originate from competitors. However IP risks may originate from a variety of sources:
• The activities of one’s own company and its people
• The activities of entities within one’s own eco-system (suppliers, partners, distributors, customers)
• The activities of one’s competitors
• The activities of other entities such as NPEs
• Changes to Government policies related to IP
• The activities of illegitimate entities such as hackers and counterfeiters
Q – What is the role of a IP Risk Manager?
IP risk management is about ensuring that the business really understands its IP related risks, and then mitigates pro-actively. The rationale for this may be driven by the need for freedom to use technologies already in use or being considered for use in the company’s products, but there are many other reasons why businesses need to take IP risk mitigation seriously.
Q- Where to focus on in IP Risk Management?
The focus should be on risk mitigation and not just of risk evaluation. Risk mitigation covers efforts taken to reduce either the probability or consequences of a threat. Risk mitigation efforts may range from physical measures to financial or legal measures.
Q – What are the key steps in an IP Risk Management Process?
A process is an interrelated set of activities designed to transform inputs into outputs, which should accomplish your pre-defined business objectives. Processes produce an output of value, they very often span across organisational and functional boundaries and they exist whether you choose to document them or not.
Q – What is the importance of Due Process in Risk Management?
A due process in IP Risk Management can be seen as an agreement to do certain things in a certain way. The larger the organisation, the greater the need for agreements on ways of working. Processes are the memory of the organisation, and without them a lot of effort can be wasted by starting every procedure and process from scratch each time, possibly repeating the same mistakes, every time a (potential) risk arises.
Q – Which stages in the IP Risk Management Process are there?
At a very top level, the IP risk management process involves the following key phases
Q – Which approaches are possible, top-down or bottom up?
The two ‘halves’ of IP risk management are IP risk assessment and IP risk mitigation. Risk assessment is about the identification, quantification and prioritization of IP related risks facing an organization. In the top-down approach, IP risk management begins at the highest conceptual level and works down to the details, with the major IP related risks being identified by senior management.
In the bottom-up approach, it begins down with the details and works up to the highest conceptual level, with IP related risks being identified by middle managers and individual contributors, and with the higher probability and/or impact IP related risks then being passed up to senior management.
Q – Top-Down or Bottom-Up, which approach is preferable?
Top-down and bottom-up are both strategies of information processing and knowledge ordering, used in a diverse range of fields, including in the area of IP risk management. The two approaches may be seen as a style of thinking. Processing here is just a simpler way to say taking in IP-related risk information, analyze it, and draw conclusions or taking action. In a top-down approach, an overview is formulated, with the details beyond that overview specified but not delved into. A bottom-up approach is the piecing together of different details. It should be stressed that both have the same goal, namely to ferret out the key IP-related risks facing the organization.
Q – Which approach is more likely to succeed?
Success depends on using a combination of top-down and bottom-up approaches to first identify, classify and prioritize the IP risks facing the organization.
Combining top-down with the bottom-up approach is especially needed when the IP environment is continuously changing and consequently, the organization’s IP risk map is shifting. In such circumstances, the top-down approach gives IP risk management the necessary strong foundations whereas the bottom-up approach gives it some flexibility. The combined approach also keeps everybody in the organization involved in the IP risk management process and ensures accountability and improves compliance.
Q – What approach is best for a Beginner in IP Risk Management?
For organizations tackling IP-related risk management for the first time, it is recommended to start initially with a top-down approach but then to roll out a bottom-up approach to reach out across the entire organization over time. The bottom-up approach may for example become an annual exercise conducted across the organization.
Q – How can IP risks be mitigated?
There are a variety of IP risk mitigation techniques available, but of course, their effectiveness will vary from one particular IP risk to another, on timing, and from business to another.
Some of the IP risk mitigation techniques are listed here, but this list is not exhaustive by any means:
- Raising awareness of the importance of IP across the organisation
- Leveraging technical cooperation with others
- Using Standards with fit for purpose IP policies
- Obtaining indemnities
- Participating in patent pools
- Licensing IP
- Designing around
- Finding prior art to invalidate 3rd party IP
- IP acquisition
- Taking out IP insurance
Q – Is IP knowledge necessary all over the organization?
No, knowledge of IP, what it does, and how it works is not needed to be present all over the organization. However, it is important that a company builds up a good understanding and appreciation of the various IP rights, their importance of them and which IP risk mitigation solutions which exist, and if and when they should be deployed. There are a growing number of specialist external IP risk mitigation solution providers that should also be considered.
Q – What are the components of a good IP risk management solution?
IP risk management is not easy and a number of components need to be in place for a company to truly master this aspect of IP. I strongly suggest that the following components are needed:
- Good IP and IP related Risk awareness and education
- A robust fit for purpose IP Risk Management process
- IP Risk Management system / tool
- Data (IP related risks, actions, documents, reports)
- A variety of IP Risk Mitigation solutions
- IP Risk Management resourcing (people, budget)
- Proper IP Risk Management governance
Q – Who is using IP Risk Management tools?
IP Risk Management tools are commonly used in business like project management and organizational risk assessments. It acts as a central repository for all risks identified and, for each risk, includes information such as risk probability, impact, counter-measures, risk owner, and so on. It can sometimes be referred to as a ‘risk register’ or a ‘risk log’.
Q – Does a IP Risk Management tool differ from other existing management tools?
An IP risk management tool is no different than existing Management tools other than that it merely focuses on risks associated with (the use of) intellectual property rights. The tool is an essential tool to be able to manage this particular risk area. It initially provides a way to articulate the various IP-related risks in a very structured manner. It then acts as an important tool for the ongoing management of these IP risks.
Q – What should an IP Risk Management tool contain?
Typically an IP risk management tool should contain:
- A description of the IP related risk
- The impact should this event actually occur
- The probability of its occurrence
- Risk score (the multiplication of probability and impact)
- A summary of the planned response should the event occur
- A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
- Links to any associated documentation
Q – What is the difference between a “Qualitative” and a “Quantitative” Risk Tool?
In a ‘qualitative’ risk tool descriptive terms are used: for example, a risk might have a ‘High’ impact and a ‘Medium’ probability. In a ‘quantitative’ risk tool the descriptions are enumerated: for example, a risk might have a ‘$1 Million’ impact and a ‘10%’ probability. A clever feature is to allow some calibration of the tool as different levels of impact and probability will differ from one company to another.
Q – What is an IP risk “Heat Map”?
An IP risk heat map is a tool used to present the results of a risk assessment process visually and in a meaningful and concise way. It is a simple yet extremely powerful tool. Heat maps are a way of representing the resulting qualitative and quantitative evaluations of the probability of risk occurrence and the impact on the organization in the event that a particular risk is experienced.
The development of an effective heat map has several critical elements – a common understanding of the risk appetite of the company, the level of impact that would be material to the company, and a common language for assigning probabilities and potential impacts.
Q – What is a “Heat Map Diagram”?
An IP risk heat map diagram provides an illustration of how organizations can map probability ranges to common qualitative characterizations of IP risk event likelihood, and a ranking scheme for potential impacts. They can also rank impacts on the basis of what is material in financial terms, or in relation to the achievement of strategic objectives.
Q- What benefits do “Heat Maps” provide?
IP risk heat maps provide a number of benefits:
- A visual, big picture, holistic view to share while making strategic decisions
- Improved management of IP risks and governance of the IP risk management process
- Increased focus on the IP risk appetite and IP risk tolerance of the company
- More precision in the IP risk assessment process
- Identification of gaps in the IP risk management and control process
- Greater integration of IP risk management across the organization and embedding of risk management in operations.
Q – What is the role of “Data Integrity”?
We already saw how important IP risk management is, so it is therefore imperative that the associated data are also carefully maintained (“data integrity”). A number of best practices exist to help address data integrity issues within an IP risk management system:
• Control the data entry
• Define mandatory and optional data fields properly
• Assign rights and roles with access to the system
• Assign personal responsibility
• Keep a change history
• Design ‘intelligent’ data fields
• Use tools to measure and clean the data on a regular basis
• Make data management a living process
• Measure, measure, measure
Q -How to make Risk Management an ongoing process?
The best approach is to make data management an ongoing process and an integral part of IP risk management. Managing the associated data as a resource is an important function of IP risk management. Accurate and relevant data is the source of valuable information. By managing data efficiently, properly informed sound management decisions can be made. Data are only as good as the process and system that collects it. The analysis is only as good as the data on which it is based and the skills and experience of the analyst. Without data, it is simply an opinion.
Q – Who should be interested in IP risk management?
Anyone interested in IP should take IP risk management seriously. It should be of particular interest to anyone:
- Operating in an IP litigious environment
- Coming up for exit or listing
- Anxious to get IP risk management under control
- Whose executive management team are demanding visibility of IP related risks
- Experiencing major business changes
- Facing a major IP risk and realising that they are unprepared
- Interested in proper governance of IP
Q -What is the best time to master Risk Management?
Regardless of why one is interested, it is best to master IP risk management when things are calm rather than when one is tackling a major IP risk when pressure is intense and everything seems chaotic and disorganized. This is not the right time for a GC, CIPO, or IP Manager to have to go to the Board and explain that the IP risk management process is to ‘panic widely and run away.
Q- What are the keys to success in IP risk management?
IP awareness and IP governance are like the bookends, keeping everything else in proper order. Governance here is about management putting IP risk on their agenda and regularly asking themselves whether they have the right culture, people, and processes in place. The skills needed to succeed with IP risk management do not match exactly those needed to be successful with the other key IP processes, such as IP creation, IP portfolio management, IP exploitation, and IP enforcement. The mindset is just different for those charged with IP risk management.