Calculating business risks? Be Sure to Factor in Threats to Intellectual Property
Written by Pamela Passman
How do you measure and manage risk? This question is at the heart of a growing discipline fueled in large part by rapid globalization. The field of Enterprise Risk Management (ERM) has helped many companies make a critical shift to a proactive and preventative posture towards potential problems with appropriate allocation of resources, rather than simply reacting ad hoc to negative events.
Careful risk assessments can help enterprises anticipate and mitigate risks in an array of areas, typically financial stability, quality control, health and safety, environmental, and labor issues. The best of these ERM programs not only evaluate a company’s own internal risks, but also risks that arise in its supply chain—which may involve a few, or thousands, of business relationships around the globe. Inherent in those relationships are potential hazards that can affect profits, reputation, daily production, strategic goals, and survival. However, many companies’ ERM programs give short shrift to the risks associated with intellectual property (IP) misappropriation—and do so at their own peril.
IP—know-how that includes trademarks, designs, copyrights, registered designs, patents, and trade secrets—makes up a growing portion of company assets, comprising as much as 75 percent of total value for some companies. The misappropriation of IP can have a devastating impact, and not only on profits. Cases where counterfeit parts have found their way into the supply chain have caused product failures, resulting in injuries, sickness, and even death for consumers.
There are a myriad of ways that IP theft can damage business and underscore the need for ongoing assessment of IP-related risks in the company supply chain. For example:
- Unreported “back door” sales of a company’s branded clothing products by its manufacturing supplier.
- Departure of a supplier’s employees to another company that then produces directly competing products using the company’s secret manufacturing process.
- Theft of a company’s software source code by its customer and former employees and inclusion of that technology in competing products manufactured by the former customer. This real-world example resulted in a claimed loss to the company in question of $800 million in sales and 500 jobs.
In a survey conducted by the Economist Intelligence Unit among 269 senior risk managers, 53 percent said that loss or theft of intellectual property had inflicted damage on their company’s financial performance, and 14 percent reported this as “major” damage. PricewaterhouseCoopers’ 2013 State of Compliance survey of Chief Compliance Officers found that intellectual property risks ranked among the top three risks faced both by manufacturing and technology companies, and these risks were perceived to be increasing.
The good news is that risk management programs that companies may already have in place for addressing other types of risks can be adapted for IP-related risks as well, without reinventing the wheel, and without creating excessive bureaucracy.
Risk management programs—and there are several leading frameworks—essentially all have three steps. First, they ask, “What are the risks to the business, given its objectives and context?” This critical step accounts for the full risk landscape, including:
- Strategic risks: These are the big-ticket items that can affect a company’s overall mission, business objectives and strategy, market acceptance, future growth, and/or shareholder value. For a manufacturer, this might be something as fundamental as a design failure.
- Operational risks: These encompass problems and hazards that can arise in the day-to-day running of a company’s business and have a negative effect on the company’s income, profits, and expenses. Cyber-attacks that disrupt computer systems or steal customer data are an example of operational risk that has been in the headlines lately.
- Compliance risks: These are problems that arise in areas covered by government regulation, industry standards, or other undertakings. Failure to comply with product safety regulations, anti-bribery laws, anti-fraud rules, labor standards, environmental regulations, or intellectual property rules constitutes a common compliance risk.
- Financial risks: These arise in such areas as financial statement reporting, financial controls, internal audits, credit problems, currency and interest rate fluctuation, and liquidity and similar risks.
- Reputational risks: Exposure to the risk of events that undermine public trust in your company, products, or services.
Secondly, risk management programs look at the gravity of these risks—that is, how likely are they to occur and what would be the impact if they did? Is the likelihood of the problem occurring low, but the potential impact devastating? Is the likelihood high, but the impact insignificant?
Third, on the basis of the first two steps, management systems consider what measures should be put in place, if any, to mitigate the risk. They may discontinue an activity to eliminate a risk, do nothing and accept the risk, or take mitigation measures that fall in between. Critically, risk management involves ongoing assessments and monitoring to ensure that the company’s response evolves with the risks.
Intellectual property risks can be managed in the same holistic fashion, beginning with a detailed inventory of intellectual property. Where companies tend to fall short on IP protection is by focusing only on the very biggest-picture strategic risks, such as the possible inability to monetize a product without more patents, or the threat of expensive litigation over a company’s core IP, to the exclusion of any other IP risks.
The management systems approach to IP risk should include all other IP-related operational and compliance issues that pose significant risks for the company as well, such as the potential for cyber-intrusion that compromises trade secrets or company data, as well as the risk of supply chain partners misappropriating the IP of other parties.
Another common weakness in IP risk assessment is conducting supply chain risk evaluations that are overly general (for example, determining risk only on the basis of the particular country in which a supplier is located) or done only as one-off investigations when a supplier is appointed.
A handful of companies are beginning to shift the paradigm on IP protection. Switzerland-based pharmaceutical multinational Roche, for example, has integrated the assessment of intellectual property risks into its ongoing supply chain risk management program. A number of internal groups that specialize in health, safety, labor practices, and other areas work with Roche’s Global Procurement Compliance Team to assess and monitor supplier-related risks and performance.
Roche’s risk management process covers identification, assessment and mitigation of all operational risks in Roche’s supply chain, including bribery, labor and human rights violations, data privacy and theft, and more.
To address IP-related risks, Roche focuses, in particular, on the threat of counterfeiting in its supply chain. The company also examines “innovation risk from the loss of intellectual property” as one of the category-specific risk assessments it conducts on critical suppliers.
The approach Roche is taking remains the exception, not the rule. But with the risk of IP misappropriation on the rise, we expect more companies to seek a better means of protecting these valuable assets. This kind of holistic approach of including intellectual property-related risks as part of a company’s overall risk assessment program not only helps to ensure that all of the company’s potentially significant business risks get adequate consideration, it also helps avoid duplication of management time and attention.
