PROTECTING INTELLECTUAL PROPERTY Through Enterprise Risk Management


The Center for Responsible Enterprise And Trade (CREATe.org) is a non-governmental organization (NGO) helping companies around the globe prevent piracy, counterfeiting, trade secret theft, and corruption.

Our mission is to make leading practices in IP protection and anti-corruption achievable for all companies.

To achieve this mission, we have developed CREATe Leading Practices for IP Protection and CREATe Leading Practices for Anti-Corruption, two services based on best practices drawn from multinational companies, academics, international and business organizations.

Building on decades of work across the business community on quality assurance, health and safety and other issues, CREATe takes a management systems approach to helping companies implement the internal business processes they need to effectively protect intellectual property and prevent corruption.

Companies around the world are using CREATe Leading Practices to benchmark and improve systems for IP protection and anti-corruption. The services are available in Chinese, English, Portuguese and Spanish.

For More Information

Please visit www.CREATe.org, contact us via email at [email protected], or follow us on Twitter @CREATe_org.

TABLE OF CONTENTS

OVERVIEW

USING ERM TO MANAGE INTELLECTUAL PROPERTY (IP) RELATED RISKS

- Step 1: IDENTIFY: What risks does the company face?

- Resource: Sample Intellectual Property Inventory

- Resource: Sample Risk Identification Worksheet

- Step 2: ASSESS: How serious are those risks?

- Resource: Sample IP Risk Assessment Form

- Step 3: MANAGE: What steps should the company take to manage risks?

A MANAGEMENT-SYSTEM FRAMEWORK FOR MANAGING IP RISKS

1. Policies, procedures and records

2. Compliance team

3. Risk assessment

4. Supply chain management

5. Security and confidentiality management

6. Training and capacity building

7. Monitoring and measuring

8. Corrective actions and improvements

APPENDIX A: COMPARISON OF RISK MANAGEMENT STANDARDS

ENDNOTES

AN INTRODUCTION

OVERVIEW

Intellectual property – innovative product designs, brand names and logos, patented new technology and trade secrets such as formulas, processes and strategic business information – is central to the success of every company. Indeed, 75% of the asset value of most companies is directly tied to their intellectual property (IP).

But in today’s highly dynamic, global and connected marketplace, with its different cultural, regulatory and operating models, protecting IP is particularly daunting. With the sending of an email, valuable trade secrets can be shared with competitors. A complex supply chain can open the door for counterfeit parts to enter products and result in health and safety risks to consumers. A coveted new technology can be copied and immediately distributed around the world.

Traditionally, the vulnerabilities of IP theft and infringement have been addressed in companies by specific groups – legal, supply chain, information technology. Increasingly, however, the threats associated with IP are treated as key corporate risks, and for good reason: as an Economist Intelligence Unit survey noted, ‘Among 269 senior risk managers, 53% said that loss or theft of intellectual property had inflicted damage on their company’s financial performance – 14% reported this as “major” damage.’

This whitepaper describes how to use Enterprise Risk Management (ERM) to manage intellectual property related risks. It examines how companies can use ERM more effectively to “identify, assess and manage” IP-related risks, including risks that arise in the closely related areas of information technology (IT) security and supply-chain compliance.

Additionally, the whitepaper outlines the elements of an effective management-system framework for addressing IP risks and provides several resources to guide companies in identifying key intellectual property and assessing associated risks.

The Center for Responsible Enterprise and Trade (CREATe.org) has produced this whitepaper to provide practical guidance for companies and their supply chain and business partners to improve and share leading practices for intellectual property protection.

To learn more about CREATe, please visit www.CREATe.org.

November, 2014

Enterprise risk management (ERM) is a useful tool to protect the value of a company’s intellectual property (IP), including its trademarks, designs, copyrights, patents and trade secrets. Given that IP and other intangible assets now make up a major part of the wealth of many companies—as much as 75% of Fortune 500 companies’ value is comprised of these assets, for example1—risks involving the intellectual property that a company owns or manages on behalf of others can raise the specter of lost business, lost competitiveness, damaged reputation, disrupted supply, legal risks and high costs of resolution.

Companies are increasingly implementing ERM as a corporate function to help identify and assess the wide variety of risks that their businesses face, and then to implement specific plans to manage these corporate risks. Risk management properly focuses both on internal risk factors and on risks that arise externally—particularly those posed in the supply chain among a company’s suppliers, distributors, sales agents and other business partners.

Companies can face any number of strategic, financial, operational, compliance and reputational risks. Particular issues such as financial stability, quality control, health and safety, environmental and labor issues often are included in companies’ ERM programs; IP-related risks are sometimes also identified and managed using ERM. Companies increasingly are finding that a common approach, implemented through the company’s management systems and business processes, can help deal with a range of very different risks in an organized and integrated way.

Risk assessment and risk management are not always carried out holistically, however. Nor do they necessarily address all of the risks companies face in today’s global, information-driven economy. Companies do not often examine intellectual property risks in any detail, or they simply consider them in isolation without reference to other related types of security or compliance risks. Some companies fail to consider how to manage the IP-related risks in their supply chain—a vital element for shifting from a reactive to a preventative approach.

Following the approach of the major ERM standards and frameworks that companies use, this paper examines how companies can use ERM more effectively to “identify, assess and manage” IP-related risks, including risks that arise in the closely related areas of information technology (IT) security and supply-chain compliance. It describes how management-system approaches that companies may already have in place for addressing other types of risks can be adapted to mitigate IP-related risks as well, without “reinventing the wheel,” and provides some practical templates and checklists designed to be useful for both small and large companies as they seek to identify, assess and manage IP-related risks.


THE BASICS OF ERM

WHAT IS ENTERPRISE RISK MANAGEMENT?

Enterprise risk management has grown substantially since the mid-1990s as a way for companies to identify, assess and manage various types of risks, with the goal of protecting and growing the company’s value. The insurance business and various financial markets have been engaged in certain kinds of risk management as far back as the 1950s. But attention to risk management has expanded and become more sophisticated with the appearance of more corporate-wide risks such as the “Y2K bug” in 1999, the increase in regulation requiring companies to perform specific types of risk management in different areas, and the globalization of sourcing and sales for many companies. This has led to the move by companies across business sectors toward more holistic management of their corporate objectives and risks.

What was once viewed simply as contingency or insurance planning has developed more broadly into integrated programs of enterprise risk management involving an “ongoing process, in which objectives, risks, risk response measures, and controls are regularly re-evaluated.”2

Effective risk management should not increase bureaucracy at the expense of corporate flexibility and profitability. Quite the opposite—its overriding goal should be to protect and grow the value of a company. As the Committee of Sponsoring Organizations (COSO), an accounting industry consortium that has published an influential framework for developing and carrying out enterprise risk management, has noted,

[E]very entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.3

HOW DOES ENTERPRISE RISK MANAGEMENT WORK?

Different companies face many different kinds of risks. Rather than simply dealing with these risks ad hoc when they have gone from being a potential risk to an urgent problem, companies use enterprise risk management to try to identify, assess and manage them before they arise and over time, in a comprehensive and intelligent way that takes into consideration all relevant factors. ERM is thus a fundamental tool for helping a company shift from dealing with negative events reactively to taking a proactive, preventative approach to the risks that it faces, and for strategically allocating resources to reduce the company’s risks internally and in its end-to-end supply chain.

There are several frameworks that different industry and standards bodies have developed to structure the ERM process, but they all follow the basic approach that a company should identify, assess and then manage its risks. These steps are explained in more detail in the rest of this paper, with particular application to intellectual-property risks and the related areas of IT and supply chain risks that can result in the loss or misuse of IP.


1. IDENTIFY: What risks does the company face?

2. ASSESS: How serious are those risks?

3. MANAGE: What steps should the company take to manage those risks?

USING ERM TO MANAGE INTELLECTUAL-PROPERTY-RELATED RISKS

Establishing the context

In order to promote holistic assessment of a company’s risks, the major ERM frameworks and standards call for looking first at the relevant context—identifying the company’s objectives, and its business, environment and other factors that affect the business risks that it faces.4

At this stage, it is useful to understand the following types of factors:

• the company’s business objectives, and its ethical and other values,

• the legal, social, political and cultural environment in which the company operates,

• its overall structure and its divisions, businesses, subsidiaries, and staff that are responsible for or otherwise deal with particular issues and risks,

• its relationship with and dependence on its supply chain and other business partners to carry out particular activities and functions,

• the company’s management, budgeting and reporting systems, and

• its risk management philosophy, and its risk tolerance (i.e., the company’s view of its “salient risks”).

IDENTIFYING RISKS

Once this context is well understood, the next step in a typical ERM program is to generate a detailed list of the company’s potential risks. In many companies, identifying risks focuses on issues such as financial stability, quality control, health and safety, environmental and labor issues. However, as the value of intangible assets such as IP increases as a proportion of companies’ overall value and business, the trend is for the risk identification process also to include the particular business and compliance issues related to IP. The best ERM programs include in their risk identification both the company’s own internal risks and the risks that arise in the company’s supply chain that could affect the company.

Different industry and standards groups divide corporate risks into different categories,5 but these are summarized here as strategic risks, operational risks, compliance risks, financial risks and reputational risks. These categories are not necessarily “set in stone,” and any particular risk may fall into one or more of these categories.

• Strategic risks are those “big ticket items” that can affect a company’s overall mission, business objectives and strategy, market acceptance, future growth and/or shareholder value. These can arise externally or internally—from changes in the overall market situation or competitors’ activities to internal product and project difficulties and brand risks. For example, defective product designs or intellectual property challenges to a company’s use of its key technologies or components can rise to the level of strategic risks at many companies.

• Operational risks involve problems and hazards that can arise in the day-to-day running of a company’s business and have a negative effect on the company’s income, profits and expenses. Disruptions and other operational damage to a company’s business can arise anywhere in the end-to-end design, production and delivery of products and services, whether internally at the company or among its suppliers, customers and other business partners. With the globalization of business, supply chain continuity and supply chain sustainability have become increasingly critical areas of operational risk, putting the compliance of third parties in the supply chain under more scrutiny. This is causing leading multinationals to push towards a more holistic risk assessment that includes identification of risks among such third parties. Another of the big operational risks that has high visibility at many companies at present is security, particularly the security of information technology (IT) systems against breaches of privacy and theft of data and trade secrets.

• Compliance risks arise in areas covered by government regulation, industry standards or other undertakings. Failure to comply with, for example, product safety regulations, anti-bribery laws, anti-fraud rules, labor standards, environmental regulations or intellectual property rules is a common compliance risk that companies and their supply chains face.

• Financial risks are the other major area where companies can face potential damage. These arise in such areas as financial statement reporting, financial controls, internal audits, credit problems, currency and interest rate fluctuation, liquidity and similar risks.

• Reputational risks are broadly defined as exposure to the risk of events that undermine public trust in a company or its products or services. More formally, the United States Federal Reserve has issued the following definition: “Reputational risk is the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions.”6 A company can suffer severe reputational damage from the actions taken by its own employees and third parties in its supply chain.

IDENTIFYING OVERALL IP-RELATED RISKS

Intellectual property issues are increasingly understood to raise various types of risks for small and large companies alike. At the highest level, IP may protect a company’s core technologies and know-how. Brand protection (trademarks), registered designs, copyrights, patents and trade secrets come into play in many different ways at most companies, whether as part of the company’s own assets or as the intellectual property of others that the company must manage effectively.

In looking at the “context” for identifying risks, therefore, a company may find that its business objectives, company value and legal compliance depend heavily upon its intellectual property protection, monetization and compliance. In a survey conducted by the Economist Intelligence Unit among 269 senior risk managers, 53% said that loss or theft of intellectual property had inflicted damage on their company’s financial performance—14% reported this as “major” damage.7 The PricewaterhouseCoopers (PwC) 2013 State of Compliance survey of chief compliance officers found that intellectual property risks ranked among the top three risks faced by both manufacturing and technology companies, and these risks were perceived to be increasing.8

Risks can also arise where a company’s business involves managing or dealing with the intellectual property of others—whether in manufacturing on another company’s behalf, dealing with trademarked or design-protected materials in developing products and packaging, or using copyrighted items like software and published materials in its day-to-day business. Intellectual property risks can likewise arise where a company’s suppliers or other business partners deal with the company’s own or others’ IP, whether on an outsourced basis or otherwise, in ways that could damage the company, raise liabilities or costs, or lead to business disruption.

It is therefore no small wonder that there is a growing trend for companies and other organizations to identify and deal with intellectual property risks as part of their ERM programs. Philips NV, for example, considers IP-related issues among the strategic and operational risks that it evaluates as part of the company’s “business control framework,” developed on the basis of the COSO risk-management framework.9 As Philips describes its overall approach to risk management:

Risk management forms an integral part of the business planning and review cycle. The company’s risk and control policy is designed to provide reasonable assurance that objectives are met by integrating management control into the daily operations, by ensuring compliance with legal requirements and by safeguarding the integrity of the company’s financial reporting and its related disclosures.10

[Fig 1. Operational risks can arise internally and in the end-to-end supply chain. Stages shown in the figure: Structure and Strategy, Design, Manufacture, QC, Marketing, Sales, Support, Compliance.]

Philips identifies certain intellectual-property-related risks as “strategic”—potentially affecting the company’s overall ambitions. These include risks related to securing or maintaining IP rights, as well as those involving third-party licenses covering its products and design and manufacturing processes.11 Other IP-related risks are designated as “operational” at Philips, such as the potential leakage of confidential information or the theft of intellectual property or sensitive data through unauthorized access to, or cyber-attacks on, its IT systems.12

Other companies and groups also focus on the “compliance” risks that can be associated with their management or use of intellectual property. The UK body JISC, which supports post-16 and higher-education bodies on the use of information and communications technology, recommends that these institutions do risk assessments on the copyright and other issues that can arise as they develop and use such IP-protected material. JISC has developed a detailed checklist for its members that includes potential risks of noncompliance with IP laws and third-party contracts, such as “unauthorized use of third-party materials,” “exceeding use of permissions granted by third parties,” and “theft of copyright material by third parties.”13

IP issues can obviously raise “financial” risks—infringement lawsuits or the loss of a vital intellectual property registration can result in lost sales, large compensation payments and/or fines, and other business disruption. IP-related problems also can raise “reputation” risks for a company, either with the public generally or with potential business partners, when for example a key IP right is misappropriated or misused.

It is important that companies identify all of the possible types of strategic, operational, compliance, financial and reputation risks associated with IP in a risk assessment. In the past, some companies have focused only on the very biggest-picture strategic risks associated with IP, such as the possible inability to monetize a product without more patents, or the threat of expensive litigation over a company’s core IP, to the exclusion of any other risks. Effective risk assessment and risk management should include all other IP-related issues that pose significant risks for the company as well, including those that overlap with other risk areas of the company, such as IT security and supply-chain risks, as discussed further below.

IDENTIFYING IT-RELATED RISKS RELEVANT TO IP

A company’s security risks, particularly those involving its information and communications technology systems, are closely aligned with, and interact with, its IP-related risks. If a company has a security problem, one of the first things likely to be stolen is the company’s confidential and proprietary technical or business data that has competitive value—“trade secrets,” as they are known in IP parlance. Security is thus one of the risks that is rightly clustered, identified and assessed with IP issues. A major security risk tends to make IP-related risks both more likely to occur and more damaging. Owning trade secrets and other valuable IP can make attacks on a company’s security system more likely.

Daily newspaper headlines about IT security breaches resulting in the theft of a company’s or its customers’ confidential information make it obvious that identifying and managing security-related risks has become a primary objective of many companies’ ERM programs. Compliance officers named data privacy, confidentiality and security among their top risks in PwC’s 2013 survey.14

Data security and trade secret protection are two critical areas where current risk identification and mitigation practices need improvement. A January 2014 report issued by the World Economic Forum and McKinsey & Company reported that “Large institutions lack the facts and processes to make effective decisions about cybersecurity. Of the more than 60 institutions whose practices we surveyed in detail, 34 percent had a ‘nascent’ level of maturity and another 60 percent were ‘developing.’”15

Government concern about the potential damage to companies from IT security breaches has even led the U.S. Securities and Exchange Commission to issue guidelines to publicly traded companies requiring them specifically to disclose cyber-attacks that could be material to their financial condition or future operating results. These include cyber-attacks on a company’s intellectual property:

For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. If it is reasonably likely that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, including related to litigation, the registrant should discuss these possible outcomes, including the amount and duration of the expected costs, if material. Alternatively, if the attack did not result in the loss of intellectual property, but it prompted the registrant to materially increase its cyber-security protection expenditures, the registrant should note those increased expenditures.16

IT risks are a “well developed and specific branch of risk management,”17 with international standards including ISO 27001,18 and industry standards such as COBIT19 establishing frameworks and methodologies for assessing and addressing a whole raft of potential IT problems. The US National Institute of Standards and Technology (NIST) has released the first version of its own Framework for Improving Critical Infrastructure Cybersecurity, a set of voluntary industry standards and practices to help organizations manage cybersecurity risks.20 However, as ISO itself has noted, “the establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization.”21 In other words, security will only do the things it is designed to do.

Because IP protection and risk management have not been included among the objectives of many IT systems, it is possible to comply formally with these sorts of IT standards and still have inadequate security in the IT system to protect a company’s IP.22 It is thus important that any company ERM process that examines and seeks to identify IT and other security risks include trade-secret theft and other IP-related risks specifically. As NIST has recognized, it is also vital to include the supply chain in any such assessment of a company’s IT risks, and not to “leav[e] the weakest links susceptible to penetration and disruption.”23

Public Companies Highlight IP and IT Risks

The largest US companies increasingly acknowledge that intellectual property and IT-security issues (including the possible loss of trade secrets and other proprietary information) are corporate risks that could seriously affect their business.

Nearly all of the top 20 Fortune 500 companies’ annual 10-K securities filings with the US Securities and Exchange Commission during the past 12 months listed cybersecurity or intellectual property issues—or both—among their material business risks.

The following “risk factor” listed by Ford Motor Company in its February 2014 10-K filing with the SEC is typical of those reported by many of the top publicly traded companies:

“We are at risk for interruptions, outages, and breaches of: (i) operational systems (including business, financial, accounting, product development, consumer receivables, data processing, or manufacturing processes); (ii) facility security systems; and/or (iii) in-vehicle systems or mobile devices. Such cyber incidents could materially disrupt operational systems; result in loss of trade secrets or other proprietary or competitively sensitive information; compromise personally identifiable information of customers, employees, or others; jeopardize the security of our facilities; and/or affect the performance of in-vehicle systems. A cyber incident could be caused by malicious outsiders using sophisticated, targeted methods to circumvent firewalls, encryption, and other security defences. An incident might not be detected in time to prevent a breach of these systems. Such incident could harm our reputation and subject us to regulatory actions or litigation.”

http://www.sec.gov/Archives/edgar/data/37996/000003799614000010/f1231201310k.htm#sF9FBED1941F08BA7A1CC649613E193A5

Extending IT Security to Cover IP

In implementing ISO 27001 for IT security for a global digital services company, the responsible lead recognized that the standard itself did not necessarily cover all aspects of IP protection, which was central to the business and its customers. The company engaged in CREATe Leading Practices for IP Protection to help broaden its approach. As described further below, the service outlines the elements of an effective IP protection program and provides guidance on improving IT and other management systems in ways with specific relevance to IP.

The PwC/CREATe.org report Economic Impact of Trade Secret Theft24 lays out helpful examples and tools for identifying IP-related IT risks, which include ensuring that “context” issues such as the particular inventory of a company’s trade secrets are examined in identifying IT-related risks.

IDENTIFYING SUPPLY-CHAIN RISKS RELEVANT TO IP

The other area that warrants particular attention in doing IP-related risk identification involves the risks that can arise in a company’s supply chain as suppliers use the company’s (and others’) IP in manufacturing or carrying out other functions related to the company’s products and services, and as joint venture partners and even customers co-manage, perform value-added functions and otherwise use such IP. With the level of global sourcing and distribution expected to increase, the importance of identifying and dealing with the risk of IP infringement and theft in the supply chain will rise.

Suppliers and other business partners can raise many different types of risks for a business. One leading study summarized these as follows: “Broadly categorized, potential supply-chain risks include delays, disruptions, forecast inaccuracies, systems breakdowns, intellectual property breaches, procurement failures, inventory problems and capacity issues.”25 Supply chain problems can disrupt key deliveries or cut off payments, thereby damaging sales and increasing costs.

While the risks of dramatic disruptions often attract the most attention of risk managers, “because profitability—and often business models as well—depend on keeping a competitive edge, intellectual property risk [in the supply chain] has dramatic, long-term implications.”26

PRACTICAL GUIDANCE ON IDENTIFYING IP-RELATED RISKS

As mentioned, the types of risks that IP-related issues can pose for a company can vary widely depending on its business. These risks can be strategic, operational, compliance, financial and/or reputational, can be internal or external, and may involve IT or any number of other management systems.

Despite the variety of risks that different companies face, it can be good practice for any company seeking to identify IP-related risks as part of its ERM program to take—at a minimum—the following two practical steps:

• Take an inventory of relevant intellectual property, including both the IP that the company itself owns and the relevant third-party IP that the company or its supply chain manages or uses. It is helpful as part of this step to identify each department or area within the company and each supply chain partner that deals with each element of IP in the inventory.

• Develop a risk-identification worksheet that lists all of the potential risks that the company faces, both internally and among its supply chain, in relation to IP protection, compliance and management.

A sample inventory form and a sample risk identification worksheet listing a number of IP-related risks that companies commonly face are provided on the following pages. These are intended to be sufficiently straightforward so as to be used even by small and medium-sized companies. Larger companies with broader IP portfolios and more varied IP-related activities can build more detail into these frameworks as needed.

102014//CREATe.org


Recent real-world examples underscore the importance of ongoing identification and management of IP-related risks in a company’s supply chain:

• unreported “back door” sales of a company’s branded clothing products by its manufacturing supplier,27

• departure of a supplier’s employees to another company that soon began producing directly competing products using the company’s secret manufacturing process,28 and

• alleged theft of a wind turbine company’s software source code by its customer and two former employees and inclusion of that technology in competing turbines manufactured by the former customer (at a claimed loss to the company of $800 million in sales and 500 jobs).29


SAMPLE INTELLECTUAL PROPERTY INVENTORY

Guidance: An important part of identifying IP-related risks is to have a clear understanding of the company and third-party IP that a company and its suppliers are dealing with, and who is dealing with that IP. This sample form provides a framework for developing such an inventory.

SAMPLE INTELLECTUAL PROPERTY INVENTORY AND RISK IDENTIFICATION WORKSHEET

IP right | Protected material | IP owner (Company or specified third party) | Internal usage (specify Company departments or areas dealing with this IP) | Supplier usage (specify suppliers dealing with this IP) | Customers/business partner usage (specify those dealing with this IP)
Trademarks | | | | |
Reg. Designs | | | | |
Copyrights | | | | |
Patents | | | | |
Trade Secrets | | | | |


SAMPLE RISK IDENTIFICATION WORKSHEET

Guidance: This worksheet provides a list of some of the IP-related risks that companies often face. This can be used as a (non-exhaustive) checklist for identifying a company’s own potential IP risks. The risks identified in this form would then be inserted into the Risk Assessment Worksheet and evaluated according to their potential likelihood and severity.

Columns: RISK FOR MY COMPANY | RISK FACTORS | POTENTIAL NEGATIVE IMPACTS

TRADEMARKS AND REGISTERED DESIGNS

Risk for my company: Company misuses a third party’s trademarks in its products, services or communications.

Risk factors:

• Company uses a third-party trademark in connection with Company products, services or components without authorization

• Company uses a third-party trademark in Company advertising, marketing materials or on website without authorization or otherwise improperly

Risk for my company: Company products or packaging infringe a third party’s design rights.

Risk factors:

• Company products or packaging are exact copies or overly similar to the registered or protected unregistered designs of a third party

Risk for my company: Supply chain partners or other third parties supply counterfeit versions of trademarked or design-protected components or products.

Risk factors:

• Company’s suppliers supply counterfeit components or products to Company

• Company suppliers or other business partners supply counterfeit/unauthorized products or components of Company to the market

• Third parties manufacture and make available to the public Company trademarked or design-protected materials without authorization (counterfeiting)

• Defects in the legal system or common practices in the relevant country(ies) encourage misappropriation of trademark and design rights

Potential negative impacts (trademarks and registered designs):

- Loss of business
- Disruption of business or supply
- Returns and warranty claims
- Health, safety and quality risks
- Damage to brand and reputation
- Litigation
- Litigation costs, money damages, injunctions

COPYRIGHTS

Risk for my company: Company uses or disseminates third parties’ copyrighted materials without authorization.

Risk factors:

• Company incorporates third-party copyrighted materials into Company products or services without authorization

• Company uses third-party copyrighted materials in Company advertising, marketing materials or on website without authorization

• Company installs and uses third-party copyrighted software on Company’s computer systems or those of its customers without authorization

• Company employees or contractors download or upload unauthorized copyrighted material on Company computer systems

• Company exceeds the number or type of uses authorized by a third party’s license for copyrighted material, or breaches any conditions on its use

Risk for my company: Supply chain partners or other third parties use or disseminate Company’s or other copyrighted materials without authorization.

Risk factors:

• Supply chain partner or its employees or contractors install and use third-party copyrighted software on its computer systems without authorization

• Supply chain partner exceeds the number or type of uses authorized by Company’s license for copyrighted material, or breaches any conditions on its use

• Supply chain partner’s physical or IT security is inadequate to protect masters, inventory or other copyright items from unauthorized use or dissemination

• Company supply chain agreements do not adequately define authorized and unauthorized uses of Company copyrighted material

• Company suppliers or other business partners supply unauthorized copies of Company copyrighted materials to the market

• Third parties manufacture or make available Company copyrighted materials to the public without authorization via counterfeiting or unauthorized internet distribution

• Defects in the legal system or common practices in the relevant country(ies) encourage misappropriation of copyright material

Potential negative impacts (copyrights):

- Loss of business
- Inability to use materials
- Disruption of business or supply
- Litigation
- Litigation costs, money damages, injunctions
- Security risks

PATENTS

Risk for my company: A third party claims that Company or its supply chain partner infringes the third party’s patents in its products, services or other activities.

Risk factors:

• Company fails to investigate such patent claims

• Supply chain partner fails to investigate such patent claims or report them to Company

Risk for my company: Company or its supply chain partner deliberately copies or otherwise uses the invention of a third party knowing it is patented.

Risk factors:

• Company or its supply chain partner’s policies and procedures do not adequately prohibit knowing patent infringements

• Company agreements with supply chain partners do not adequately protect against partners’ patent infringements

• Company due-diligence or risk management does not evaluate court or other public records of any pattern or practice of patent infringement by supply chain partners

Potential negative impacts (patents):

- Inability to use materials challenged or supplied
- Disruption of business or supply
- Litigation
- Litigation costs, money damages, injunctions
- Management diversion

TRADE SECRETS

Risk for my company: Employees or contractors misappropriate Company’s or others’ trade secrets, and misuse them or disclose them to competitors.

Risk factors:

• Company does not maintain an inventory of its own and third parties’ trade secrets as to which it needs to maintain confidentiality

• Company policies and procedures do not adequately protect against unauthorized receipt, use or disclosure of trade secrets by employees and contractors

• Company employee or contractor agreements do not adequately protect against unauthorized receipt, use or disclosure of trade secrets

• Company’s physical or IT security does not have trade-secret protection as one of its specific objectives

• Company’s physical security is inadequate to prevent or discourage unauthorized use or disclosure of trade secrets by employees or contractors

• Company’s IT security is inadequate to prevent or discourage unauthorized use or disclosure of trade secrets by employees or contractors

• Company does not segregate trade secrets from other non-confidential information and restrict physical and IT access to those with “need to know”

• Defects in the legal system or common practices in the relevant country(ies) encourage misappropriation of trade secrets

Risk for my company: Third parties misappropriate Company’s or others’ trade secrets.

Risk factors:

• Company’s physical or IT security does not have trade-secret protection as one of its specific objectives

• Company’s physical security is inadequate to prevent or discourage misappropriation, use or disclosure of trade secrets by third parties

• Company’s IT security is inadequate to prevent or discourage misappropriation, use or disclosure of trade secrets by third parties

• Company does not segregate trade secrets from other non-confidential information and restrict physical and IT access to those with “need to know”

Risk for my company: Suppliers, customers or other business partners misappropriate Company’s or others’ trade secrets for their own or someone else’s benefit, or fail to protect these adequately against misappropriation by others.

Risk factors:

• Company due-diligence or risk management does not evaluate capability of supply chain partners to protect trade secrets against unauthorized use or disclosure

• Company agreements with supply chain partners do not adequately protect against unauthorized use or disclosure of trade secrets

• Supply chain partner’s employee or contractor agreements do not adequately protect against unauthorized use or disclosure of trade secrets

• Supply chain partner’s policies and procedures do not adequately protect against unauthorized use or disclosure of trade secrets by its employees and contractors

• Supply chain partner’s physical or IT security does not have trade-secret protection as one of its specific objectives

• Supply chain partner’s physical security is inadequate to prevent or discourage unauthorized use or disclosure of trade secrets by employees, contractors or others

• Supply chain partner’s IT security is inadequate to prevent or discourage unauthorized use or disclosure of trade secrets by employees, contractors or others

• Supply chain partner does not segregate trade secrets from other non-confidential information and restrict physical and IT access to those with “need to know”

• Defects in the legal system or common practices in the relevant country(ies) encourage misappropriation of trade secrets

Potential negative impacts (trade secrets):

- Loss of business
- Loss of competitive advantage and business value
- Litigation
- Litigation costs, money damages, injunctions
- Conflicts of interest and compromising of staff and suppliers
- Loss of legal protection of trade secrets

Once potential risks have been identified, the next step in enterprise risk management is to evaluate both the probability or likelihood that a risk will actually be realized, and the relative severity or consequences that this would have on the company if it happened. Different standards and industry ERM frameworks divide this into different numbers of steps and sub-steps, and give these different names,30 but this is the heart of the “risk assessment” process.

One growing trend in this area is for a company to narrow its risk assessment to a more manageable set of issues by looking not just at every conceivable risk or at probability models, but at a more experience-based set of “salient risks.” Salient risks are those most likely to occur given the industry and business operations of a company and the third parties with which it contracts in its supply chain. Identifying and focusing on salient risks can be a useful preliminary assessment to help inform more detailed analysis of the likelihood and consequence of risks.

Depending on a company’s business and IP assets, IP-related risks can be very likely to occur and can potentially cause major damage to the company’s business and competitiveness. CREATe’s report Building on IT Security for Effective IP Protection notes that 39% of global firms believe that “attacks from data thieves” are a threat to their corporate information, which of course includes companies’ vital trade secrets. Potential corporate losses from data breaches opened up through the use of counterfeit software on company computers were estimated to have reached as much as $350 billion worldwide in 2013.31

In the particular case of trade-secret risks, the PwC-CREATe.org report Economic Impact of Trade Secret Theft32 provides a useful model for how a company can evaluate the probability and likelihood of such risks by considering which particular “threat actors” may have incentives to misappropriate the company’s proprietary information; assessing the relative importance to the company of particular trade secrets; and estimating the potential financial impact if these are lost.

LIKELIHOOD OF OCCURRENCE

Determining how likely each individual identified risk is to occur is obviously an important step in determining whether and how that risk should be addressed. This is not a strictly scientific process—predicting the future never is—but depending on the risk in question, its likelihood can often be determined at least in part based on objective elements such as the controls currently in place, previous incidents, equipment or system tolerances or failure rates, industry data, benchmarking, or probability models.

Many of the risks inside a company or in a supply chain are directly linked to human behavior, which is not always predictable, so subjective experience and judgments also come into play.

It is important to recognize that there will always be some uncertainty in estimating the likelihood of any particular risk happening. ERM systems thus tend to categorize the likelihood of risk in fairly broad categories, such as low, medium or high; or on a scale of one to four, or one to five; or in terms of a probability percentage.

CONSEQUENCE OF OCCURRENCE

The other major element of risk assessment is estimating how serious the damage or negative impact on the business would be if the risk were actually realized. A company may be far more concerned about a low probability risk that could put the company out of business if it became a reality, than it might be in the case of a risk that is highly likely to occur but would have very little impact on the business.

As with predicting the likelihood of occurrence, estimating the consequence of a risk occurring is typically a mix of quantitative and qualitative, or objective and subjective, factors. ERM assessments again use designations such as low, medium or high, or a scale of one to four or five, in categorizing the potential consequences of a risk.

It is important also to note that different risks may be related and thus have cumulative effects on the likelihood of other risks occurring, or resulting implications for the consequences of other risks. It can be very helpful to identify where this may be the case—both as part of the risk assessment and in the next step of managing the company’s risks.

IP AND SUPPLY CHAIN RISK ASSESSMENT

Many companies do some sort of supply-chain risk assessment, but the scope and sophistication of such assessments can vary greatly. Risk assessments are sometimes overly general (e.g. determining risk likelihood only on the basis of the particular country in which a supplier is located), done only as one-off investigations when a supplier is appointed, or done without any specific consideration of IP-related risks.

It is telling that 68% of companies responding to a 2012 Conference Board survey deemed their risk of trade-secret theft in emerging markets “extensive,” but only 36% rated their company’s compliance program as “very effective” in managing these risks.33 Similarly, CREATe’s 2013 pilot study found that even though 40% of the participating companies believed that their supply chain risk assessments included such issues as the possible misuse of others’ IP, such as software, only 10% of such companies in fact did such a comprehensive IP-related risk assessment. According to the CREATe evaluators, 45% of companies were completely reactive and conducted a risk assessment only if they suspected there might be an IP protection problem.34

The Roche pharmaceutical company is a good example of a company that has integrated the assessment of intellectual property risks into its ongoing supply chain risk management program. In its program, a number of internal groups at the company—including Group Safety, Security, Health and Environmental Protection, Pharma Partnering and other functions—work with Roche’s Global Procurement Compliance team to assess and monitor supplier-related risks and performance.35

Roche’s risk-management process covers identification, assessment as well as mitigation of all operational risks in Roche’s supply chain, focused on three primary categories of economic risks (including bribery, business interruption, insolvency and theft), environmental risks, and social risks (such as labor, human rights, and data privacy issues). As to IP-related risks in particular, Roche specifically includes counterfeiting as one of the potential economic risks it assesses with respect to its supply chain, and also examines “innovation risk from the loss of intellectual property” as one of the category-specific risk assessments it conducts on “critical” suppliers.36

PRACTICAL TOOL FOR EVALUATING LIKELIHOOD AND CONSEQUENCE OF RISKS

A sample risk-assessment matrix form is provided on the following pages. The risks listed previously in the “risk identification” stage can be plugged into this form and then ranked according to their likelihood and consequences, on a scale of low, medium and high. Again, this template is designed to be simple enough for smaller companies to use, but can be expanded to include more information and details as needed by larger enterprises.

2. ASSESS: How serious are those risks?

Likelihood of occurrence

Consequences of occurrence

Fig 2. Risk Likelihood and Consequences. Analyzing the likelihood and consequences of IP and other corporate risks in a holistic way is vital for ranking risks and informing how risks should be managed.

[Fig 2 (image not reproduced): a risk-ranking matrix with LIKELIHOOD (Low, Med., High) on one axis and CONSEQUENCES (Low, Med., High) on the other; each cell gives a RISK RANKING.]


SAMPLE IP RISK ASSESSMENT FORM

Guidance: This worksheet provides a simple template in which the risks listed in the “risk identification” stage can be inserted into the form, and the likelihood and consequences of each of these risks ranked (low, medium, high). The company’s decisions about managing these risks would then follow.

Risk | Company departments or areas | Supply chain partners | Likelihood of occurring (low, medium, high) | Consequence if occurred (low, medium, high) | Risk response / management (reduce, avoid, share or accept risk—listing specific actions to be taken)

RISK MANAGEMENT GENERALLY

Having identified and assessed the company’s potential risks, the next step in enterprise risk management is to develop a risk mitigation plan for managing those risks. The purpose of the risk mitigation plan is to systematically reduce risk by decreasing the likelihood of the negative event occurring and the negative impact if it does occur. A commonly used approach is for companies to seek to “Avoid, Minimize and/or Offset” the risks.

The steps involved in risk management include not only deciding what risk response (if any) to take to address these risks (i.e. developing the risk mitigation plan), but also implementing those steps in the company’s management systems. Next comes the communication of relevant information to staff, and ongoing monitoring and review to ensure that those steps are carried out as planned and are evaluated and updated as needed over time.37

RISK RESPONSE

Determining what response to take for each of the risks that the company has identified is not a purely mathematical function, as it involves weighing risks with differing likelihoods and impacts. At this stage, companies typically decide whether to “Avoid, Minimize or Offset” each risk, and determine which of the range of possible risk responses they will take for each risk, such as discontinuing particular activities to avoid the risk, implementing various types of safeguards, sharing the risk with others to minimize risk (e.g. through outsourcing particular activities), or seeking ways to offset the negative impact. Ultimately, a company may decide to accept a certain risk and take no action. Even if this is the case, the risk assessment is critical to allowing the company to make a conscious decision to accept the risk and “do nothing.”

Some of the considerations that companies use in determining what action to take in response to a risk include:

• how effective a particular action might be in reducing either the likelihood of the risk, its potential impact or both;

• how much the action will cost in comparison to its benefits;

• whether the action or a group of actions will reduce more than one of the identified risks; and

• the company’s tolerances for risk.

In a well-designed ERM program, the responses to individual risks are not decided in isolation, but as a group and over the entire enterprise.

Ultimately, risk response should involve concrete implementation plans that involve all management systems and controls relevant to the particular risks—ranging from any number of different corporate policies and procedures, through to financial, recordkeeping and information technology controls, to personnel and supply chain requirements, for example. To qualify for industry guidance such as ISO 31010:2009,38 these plans must be documented (along with the entire risk assessment process). A company’s responses to risk ultimately may be fairly straightforward and obvious, particularly for small and medium companies, or may require quite a bit of input, study and implementation planning.

By way of examples of the types of risk responses that can be taken in relation to IP-related risks, many companies today are examining corporate IT systems to implement specific standards and strategies to reduce the risk of trade secret theft,39 such as installation of new servers and firewalls, segregation or encryption of particular sensitive data, limitation of access to particular personnel, and establishment of “emergency protocols” for use in case a trade secret is stolen.40

Indeed, incident response plans are increasingly being developed by companies as tools to be used in many risk areas in case a negative event does occur. Typically the incident response plan covers what to do during the event, how to minimize the ongoing damage from the event, and how to change the management systems to reduce the severity and probability of it happening again.

Other examples of possible risk responses include moving some production in-house, or maintaining ownership of key production equipment, or splitting functions among different suppliers, to reduce the risk that a company’s IP will be stolen or counterfeited. The electronics company Sharp at one point decided to do repairs of its equipment itself, and to reprogram various computer-aided equipment used by its vendors from time to time without notice, to avoid its trade secrets being shared with its competitors.41

The sample risk assessment form features a section for a company to list the risk responses to be implemented for each of the risks identified.

COMMUNICATION

Communication, both internally with employees and externally with suppliers, distributors, business partners and other relevant stakeholders, is another vital component of ERM, and is a two-way street. In identifying and assessing a company’s risks and responses to those risks, good data are needed from all relevant departments, groups and personnel. Similarly, in responding to the company’s risks, good communication with all relevant departments, groups and personnel is essential to convey what needs to be done, by whom, and how.

MONITORING AND REVIEW

Effective risk assessment and risk management is not a one-shot exercise, but rather an ongoing program that needs to be reviewed, adapted, measured and improved over time. This makes sense given that the environment, objectives and operations of every company are constantly evolving. As a result, risk factors themselves change, as do the potential likelihood and severity of these risks for the company. Monitoring and review are critical elements of managing risks through a continual improvement cycle, which is at the heart of the management systems approach.

Following risk identification, risk assessment, and the development of risk-response plans, there are important questions to be answered, such as how particular risk responses have actually been implemented, whether the responses have been effective, and how they might be improved to manage the company’s risks more effectively going forward.

Selecting what to monitor is an important consideration. Effective monitoring looks at a combination of performance indicators and process indicators. All of these considerations can and should be dealt with on an ongoing basis, through regular monitoring and periodic reviews—well-recognized elements of any good management system that are particularly important for a company’s risk management program.

MANAGING IP RISKS IN AN INTEGRATED WAY THROUGH THE COMPANY’S MANAGEMENT SYSTEMS

The challenge in taking steps to manage IP and other corporate risks is how to do so in a practical and sustainable way, embedding risk management in a company’s overall business operations without undue costs or management resources, and without overlapping systems or repetitive activities. Companies are already struggling with this. Large suppliers to U.S. and European companies can have 50 or more social and environmental audits per year. If not optimized, some risk responses, such as controls to protect against cyber attacks, can have and are “already having a negative business impact” by limiting functionality and slowing information sharing.42

Fortunately, it is not necessary to “reinvent the wheel” to manage IP-related risks in most companies. Management systems that are already in place in many companies to manage a variety of other types of risks can be used to their optimum benefit to help address IP-related risks internally and in the supply chain as well. Such a holistic approach of including intellectual property-related risks—particularly IP risks in the supply chain—as part of a company’s overall risk management program not only helps to ensure that all of the company’s potentially significant business risks get adequate consideration, it also helps to avoid duplication of management time and attention and takes advantage of existing processes and management systems to address IP risks alongside many others in an integrated way.

3. MANAGE: What steps should the company take to manage those risks?

Risk response

Communication

Monitoring and Review

Stanford Business School noted in a March 2014 research report that systems for addressing other kinds of social and environmental supply chain risks indeed have a lot in common with IP-compliance related risk management:

Given the similarities between many of the underlying issues that lead to Social and Environmental Responsibility (SER) violations and IP infringements, we believe that companies will benefit from aligning their IP protection strategies with those strategies that are associated with improved SER performance. By using a more holistic approach to tackle social, environmental, and ethical issues throughout the supply chain, it is possible to improve performance. In particular, companies are likely to benefit from establishing management systems that lay the foundation for respecting and protecting IP, and from focusing on practices such as risk assessments, supplier capability building, and the implementation of preventive measures to eliminate risk factors. Such proactive practices aim to drive continual improvement and prevent IP infringements, rather than today’s more reactive approach to protecting IP.43

In one recent example, a consumer products multinational has begun developing a holistic program for managing a series of supply chain issues that include IP protection risks along with product quality and safety, labor compliance, environmental compliance and supply chain security. They had a well-established labor and environmental compliance program that had primarily focused on auditing suppliers and licensees. Realizing that auditing alone was not driving improvement, the compliance and sourcing departments started to provide suppliers and licensees with support to develop better management systems. Concurrently, their legal department and business units started to explore ways to improve IP protection in their supply chain. Through a series of cross-functional meetings, the company decided to form a special team to create a holistic way to assess suppliers and licensees on the full spectrum of risks, including IP risks. Improving the management systems of the suppliers and licensees is a key element in reducing its risks.

Implementing risk-treatment measures that address multiple risks can substantially improve the cost-benefit calculation for implementing needed improvements. It makes much more sense to perform risk treatments that address, for example, several related risks at a time (e.g. IT security improvements), both internal and supply chain risks (e.g. internal company policies that suppliers are also expected to implement and comply with), and multiple objectives (e.g. supply-chain risk assessments that evaluate not just IP but anti-bribery, environmental, labor and other compliance risks).

Effective implementation of risk-management systems requires collaboration and cross-functional support inside a company to address the range of related risks faced by the company in an integrated way. It requires sending a clear and consistent message to supply chain companies on all salient risk-related issues. Senior leadership has to make a clear commitment to the overall effort and communicate this to employees and to suppliers, distributors and business partners. It may even be necessary or advisable for a company to collaborate with other companies in its sector or geography to help raise the overall level, scope and consistency of risk assessment and risk management on such issues.

In a well-integrated enterprise risk management program, a company can “make informed decisions about how appropriately to use its existing resources to strengthen its ability to mitigate potential threats through advanced protective measures.”44 With the potential likelihood and impact of particular IP risks having been analyzed alongside other corporate risks, and a management-systems approach that seeks to manage a company’s overall risks in a holistic way, a company can assess the time and cost of managing IP and other risks in various ways, and determine the best, most cost-effective means of reducing to acceptable levels or otherwise dealing with these risks.


Management systems that are already in place in many companies to manage a variety of other types of risks can be used to their optimum benefit to help address IP-related risks internally and in the supply chain as well.

IP-related risk assessment as part of a company’s overall ERM program, as described in this paper, can be of great benefit in strategically allocating resources and helping to reduce a company’s IP-related risks internally and in its end-to-end supply chain.

A MANAGEMENT-SYSTEM FRAMEWORK FOR MANAGING IP RISKS

CREATe.org has developed a management-system framework that can help a company identify various areas within its own and its supply-chain partners’ operations where IP-related risk management is necessary. It then describes “leading practices” in eight key areas that the company can use to implement risk-treatment steps to help address IP-related risks identified in the risk-assessment process:45

1. POLICIES, PROCEDURES AND RECORDS

As in other areas of corporate operations and compliance, company policies and procedures need to establish the rules and mechanisms for protecting and dealing with the various intellectual property assets that the company owns or manages. The contracts that the company enters into with its employees, contractors, suppliers, customers and other business partners should clearly spell out IP ownership, permitted and prohibited activities, confidentiality, warranties, remedies and other relevant details. And the company’s records of its IP ownership and licenses, inventory, production, sales and usage need to be materially accurate and complete. Actions in each of these areas are common risk-treatment responses to many types of IP risks.

2. COMPLIANCE TEAM

IP management and compliance needs a specified company executive “owner,” and is best managed by a cross-functional team representing relevant areas such as legal, finance, design, manufacturing, supply, compliance and/or risk management. This team may be IP-specific or may be one that deals with multiple areas of risks for the company. Responding to IP-related risks may require the establishment of such a team, or the addition of IP risks to an existing team’s mandate.

3. RISK ASSESSMENT

Some companies simply do not identify, assess and manage their IP-related risks in any integrated way, but instead only take action reactively in response to particular problems that arise. Doing ongoing

4. SUPPLY CHAIN MANAGEMENT

IP risks of all sorts can and do arise not only internally within a company but also in the company’s supply chain among its suppliers, customers and business partners. Systems for effective due diligence of business partners, policies and procedures that these business partners are expected to have in place and follow, and other ongoing supply chain reporting and management requirements are steps that commonly need to be implemented to manage identified IP risks. Again, it is typically not necessary to develop entirely new programs to implement such IP risk-treatment steps with suppliers; these can be integrated into the ongoing supply chain management that the company already uses to deal with other similar types of risks and issues.

5. SECURITY AND CONFIDENTIALITY MANAGEMENT

While physical security and IT security measures are important to protect companies’ overall operations, specific risk-treatment steps may be needed in these areas to address identified IP-specific security risks. Ensuring that trade-secret and other IP protections are specifically taken into account among the objectives of a company’s physical and IT security systems, and that effective security measures are implemented not only internally but also throughout the company’s supply chain, are important considerations in specifying and implementing improvements in these areas.

6. TRAINING AND CAPACITY BUILDING

Even if a company’s IP risk management systems are first-rate, there can be unwelcome surprises if some among the staff come across or deal with IP in their job but do not understand the issue or what they need to do about it. Ongoing IP protection and compliance training for relevant internal and supply chain staff may thus need to be implemented as part of a company’s IP risk management.

7. MONITORING AND MEASURING

Enterprise risk management is not a “one shot” exercise, but is an ongoing program that needs to be monitored and measured over time to be sure that it is producing the desired results. Implementing such an ongoing process will be needed if it is not already part of the risk management team’s mandate.

8. CORRECTIVE ACTIONS AND IMPROVEMENTS

Dealing with specific IP-related problems that have arisen will be needed as a risk-treatment response, but it is important that these are not viewed simply in isolation or dealt with ad hoc. Doing root-cause analysis of problems that arise, and making systematic updates and improvements to the company’s risk management approach in the IP-risk areas that have produced such incidents, are important parts of reducing IP-related risks over time.

CONCLUSION

ERM can be an effective tool to identify and measure the relevant IP-related risks that can arise within a company and its supply chain, and to implement risk-management steps as described in this paper to avoid, minimize or offset those risks to an acceptable degree. If IP-related risks are considered alongside the other strategic, operational, compliance, financial and reputational risks that a company faces, these can all be assessed and managed in integrated ways that are both cost effective and of potentially great value to the company.

APPENDIX A: COMPARISON OF RISK MANAGEMENT STANDARDS

Different ERM standards and frameworks divide up the basic steps of identifying/assessing/managing risks in different ways. ISO’s 31000 series Enterprise Risk Management guidelines identify the elements of ERM as Establishing Context, Risk Identification, Risk Analysis, Risk Evaluation, Risk Treatment, and Communication and Consultation.46 The COSO framework divides these into somewhat more detailed steps, specifying the elements of an ERM program to include Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring.47 The Institute of Risk Management’s 2002 standard calls for establishing Strategic Objectives, doing Risk Analysis, Risk Evaluation, Risk Reporting and Risk Decision, then doing Risk Treatment, Residual Risk Reporting and Monitoring.48 These are compared below.

Obviously if a company intends to be formally certified under one or more of these standards, it will need to organize its ERM framework and document its activities using the categories of the particular standard chosen. A more flexible approach to structuring a company’s ERM process, but one that still takes into consideration the same types of elements examined under the formal standards, may be appropriate for small and medium companies and others that want to improve their IP-related risk management but do not necessarily seek formal standards certification.

[Comparison chart: the elements of each standard laid out against the three steps used in this paper]

1. IDENTIFY: What risks does the company face?
2. ASSESS: How serious are those risks?
3. MANAGE: What steps should the company take to manage those risks?

ISO 31000 RISK ASSESSMENT GUIDELINE: Context; Risk Identification; Risk Analysis; Risk Evaluation; Risk Treatment; Communication & Consultation

COSO FRAMEWORK: Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring

IRM RISK MANAGEMENT STANDARD 2002: Strategic Objectives; Risk Analysis; Risk Evaluation; Risk Reporting; Risk Decision; Risk Treatment; Residual Risk Reporting; Monitoring



ENDNOTES

1 I. Cockburn, Assessing the Value of a Patent: Things to Bear in Mind (accessed Oct. 1, 2014), http://www.wipo.int/sme/en/documents/valuing_patents_fulltext.html.
2 PriceWaterhouseCoopers (“PwC”), A Practical Guide to Risk Assessment, p. 6 (Dec. 2008) [“PwC Guide”], http://www.pwc.com/us/en/issues/enterprise-risk-management/assets/risk_assessment_guide-rdt.html; see generally G. Dickinson, Enterprise Risk Management: Its Origins and Conceptual Foundation, Geneva Papers on Risk and Insurance, vol. 26, no. 3, pp. 360-61 (July 2001), http://www.actuaries.org.uk/sites/all/files/documents/pdf/dickinson-g-2001-enterprise-risk-management-its-origins-and-conceptual-foundation-3.pdf.
3 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management — Integrated Framework: Executive Summary, p. 1 (Sept. 2004) [“COSO Framework”], http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf.
4 The COSO Framework thus calls for Internal Environment and Objective Setting to be evaluated before any risk Event Identification takes place. Id., pp. 3-4. The International Standards Organization (ISO) 31000 risk management standards series includes Establishing the Context as a step distinct from actually identifying and assessing risks. ISO 31000:2009, Risk Management – Principles and Guidelines, pp. 15-17 [“ISO 31000”]; ISO/IEC 31010:2009-11, Risk Management – Risk Assessment Techniques, pp. 9-10 [“ISO 31010”]. The Institute for Risk Management (IRM) 2002 standard calls for understanding the company’s Strategic Objectives. Institute of Risk Management (IRM), The Association of Insurance and Risk Manager (AIRMIC) and The Public Risk Management Association (Alarm), A Risk Management Standard, pp. 4-5 (2002) [“IRM Standard”], http://www.theirm.org/knowledge-and-resources/risk-management-standards/irms-risk-management-standard/.
5 COSO categorizes risks as strategic, operations, reporting or compliance risks, see COSO Framework, supra note 3, p. 3. PriceWaterhouseCoopers lists the types of risks frequently assessed as strategic, operational, compliance, internal audit, financial statement, fraud, market, credit, customer, supply chain, product, security, information technology, and project risks. PwC Guide, supra note 2, pp. 9-11. The Institute for Risk Management categorizes risks as hazard or pure risks, control or uncertainty risks, and opportunity or speculative risks. P. Hopkin, Fundamentals of Risk Management, p. 15 (2d ed. 2012).
6 Federal Reserve Board, Examination Strategy and Risk-Focused Examinations, Commercial Bank Examination Manual, p. 4-5 (April 2011), http://www.federalreserve.gov/boarddocs/SupManual/cbem/1000.pdf.
7 Economist Intelligence Unit, Reputation: Risk of Risks, p. 10 (2005), www.eiu.com/report_dl.asp?mode=fi&fi=1552294140.PDF.
8 PwC, Deeper Insight for Greater Strategic Value: State of Compliance 2013 Survey, p. 8, http://www.pwc.com/en_US/us/risk-management/assets/pwc-soc-survey-2013-final.pdf [PwC Compliance Survey]; see generally P. Passman, The Risk Management Society, Understanding the Risks: Eight Elements of an Effective IP Protection Program (Oct. 1, 2013), http://www.rmmagazine.com/2013/10/01/understanding-the-risks-eight-elements-of-an-effective-ip-protection-program/.
9 Koninklijke Philips N.V, Philips Annual Report 2013, Our Approach to Risk Management and Business Control (accessed Oct. 1, 2014), http://www.annualreport2013.philips.com/content/en/risk_management/our_approach_to_risk_management_and_business_control.html.
10 Id.
11 Id., Strategic Risks, http://www.annualreport2013.philips.com/content/en/risk_management/strategic_risks.html.
12 Id., Operational Risks, http://www.annualreport2013.philips.com/content/en/risk_management/operational_risks.html.
13 JISC, IPR Risk Assessments, SCA IPR Toolkit – Practical Tools, http://www.jisc.ac.uk/publications/programmerelated/2009/scaiprtoolkit/2riskassessments.aspx#assessments.
14 PwC Compliance Survey, supra note 8, p. 38.
15 McKinsey & Co., Risk and responsibility in a hyperconnected world: Implications for enterprises (Jan. 2014) (accessed Oct. 1, 2014), http://www.mckinsey.com/insights/business_technology/risk_and_responsibility_in_a_hyperconnected_world_implications_for_enterprises.
16 SEC, CF Disclosure Guidance Topic No. 2: Cybersecurity (Oct. 13, 2011), http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
17 Hopkin, supra note 5, p. 44.
18 See ISO, ISO/IEC 27001:2013 standard, https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en.
19 See generally ISACA, Risk IT Framework, http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT1.aspx (part of COBIT 5 framework).
20 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity version 1.0 (Feb. 12, 2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.
21 ISO/IEC 27001, supra note 18.
22 See CREATe, Trend Alert: Building on IT Security for Effective IP Protection (2014), http://create.org/resource/building-on-it-security-for-effective-ip-protection/. As CREATe.org noted in this publication, “For example, a company may have strong firewalls in place to prevent outsiders from accessing confidential material on the company’s computer networks, but still allow all employees to access any data on that network without restriction—even when they have no ‘need to know.’ Or the company may not have implemented asset-management requirements for the installation of software on their computers (along the lines of ISO 19770), which can raise IP infringement risks as well as compromise a company’s IT security.” Id., p. 2.
23 See NIST Roadmap for Improving Critical Infrastructure Cybersecurity, p. 8 (Feb. 12, 2014), http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf: “Increasing adoption of supply chain risk management standards, practices and guidelines requires greater awareness and understanding of the risks associated with the time-sensitive interdependencies throughout the supply chain, including in and between critical infrastructure sectors/subsectors.”
24 PwC/CREATe.org, Economic Impact of Trade Secret Theft (2014), http://create.org/resource/economic-impact-of-trade-secret-theft/.
25 S. Chopra & M. Sodhi, Managing Risk to Avoid Supply-Chain Breakdown, MITSloan Management Review (Oct. 2004), http://sloanreview.mit.edu/article/managing-risk-to-avoid-supplychain-breakdown/.
26 Id.
27 See R. Parloff, Not Exactly Counterfeit, Fortune (Apr. 26, 2006) (“third shift” production of Limited Too clothing being sold in TJ Maxx shops) (case settled), http://archive.fortune.com/magazines/fortune/fortune_archive/2006/05/01/8375455/index.htm.
28 TanRui Group v. ITC, No. 2010-1395 (Fed. Cir. Oct. 11, 2011) (railway car wheels), http://www.cafc.uscourts.gov/images/stories/opinions-orders/10-1395.pdf.
29 Wall Street Journal, China Securities Regulator Probes Sinovel Wind Group (Jan. 13, 2014), http://online.wsj.com/news/articles/SB1000142405270230381970457931803045420671; Chinese Wind-Turbine Firm Charged with Stealing US Trade Secrets, The Guardian (Jun. 28, 2013), http://www.theguardian.com/world/2013/jun/28/chinese-wind-turbine-sinovel-trade-secrets; Press Release, Department of Justice, Sinovel Corporation and Three Individuals Charged in Wisconsin with Theft of AMSC Trade Secrets (Jun. 27, 2013), http://www.justice.gov/opa/pr/2013/June/13-crm-730.html.
30 The ISO standard has three separate steps for Risk Analysis, comprising Controls Assessment, Consequence Analysis, and Likelihood Analysis and Probability Estimation. ISO 31010, supra note 4, pp. 12-15. The COSO framework simply terms these steps Likelihood and Impact, COSO Framework, supra note 3, p. 4. The IRM standard labels these “Probability” and “Consequences”. IRM Standard, supra note 4, pp. 6-8. Many organizations classify risk by “Probability of Occurrence” and “Severity of Negative Impact.” Regardless of the specific terms used, the concept is the same.
31 See supra note 22.
32 See supra note 24.
33 The Conference Board, Safeguarding Intellectual Property and Addressing Corruption in the Global Supply Chain, pp. 5, 12 (Dec. 2012), https://www.conference-board.org/publications/publicationdetail.cfm?publicationid=2379.
34 CREATe.org, CREATe Leading Practices: Pilot Program Results Report, p. 6 (Feb. 2014), https://create.org/resource/ip-protection-pilot-program-results/.
35 F. Hoffman-La Roche Ltd, Ensuring Responsible Practices, http://www.roche.com/responsibility/business_ethics/sustainable_supply/supply_practices.htm.
36 Id. For a description of Roche’s overall ERM program, see F. Hoffman-La Roche Ltd, Risk Management & Compliance, http://www.roche.com/responsibility/business_ethics/risk_management_and_compliance.htm (accessed Oct. 1, 2014).
37 The ISO standard calls these steps Risk Treatment, Communication and Consultation, and Monitoring and Review. ISO 31010, supra note 4, pp. 9-11. COSO divides these steps into the somewhat more detailed categories of Risk Response, Control Activities, Information and Communication, and Monitoring. COSO Framework, supra note 3, p. 4.
38 ISO 31010, supra note 4.
39 As noted above, IT security measures in themselves may not be adequate to protect trade secrets if such protection is not one of the implementation objectives. One principal finding of CREATe.org’s pilot study was that “During the independent evaluation interviews, it became clear to many companies that they were really only focused on IT security and not the broader issue of IP protection.” In and of itself, security and confidentiality—particularly IT security—were the most well-developed means of protecting IP among the companies surveyed, with 70% having a high maturity level for IT security. But 45% of these companies had a low overall maturity level for all the processes needed to protect trade secrets, for example—with security left primarily to “security guards and/or IT staff and not integrated into business operations.” See CREATe Leading Practices: Pilot Program Results Report, supra note 33, pp. 6-7.
40 See supra note 24.
41 Chopra & Sodhi, supra note 25.
42 McKinsey & Co., supra note 15.
43 B. Gillai, S. Rammohan & H. Lee, Similarities in Managing Supply Chain Sustainability and Intellectual Property, p. 15 (Mar. 2014), https://www.gsb.stanford.edu/sites/default/files/documents/Sustainability_and_IP_in_supply_chains_FINAL.pdf.
44 PwC/CREATe.org, supra note 24, p. 22.
45 See CREATe.org, CREATe Leading Practices for IP Protection, http://create.org/services/create-leading-practices-for-ip-protection/.
46 ISO 31000, supra note 4; see generally D. Gjerdrum & M. Peter, The New International Standard on the Practice of Risk Management – A Comparison of ISO 31000:2009 and the COSO ERM Framework (Mar. 2011), https://www.soa.org/library/newsletters/risk-management-newsletter/2011/march/jrm-2011-iss21-gjerdrum.aspx.
47 COSO Framework, supra note 3, pp. 3-4.
48 IRM Standard, supra note 4, p. 4.
