In an increasingly competitive global economy, information and ideas are the fuel that makes companies viable, allowing them to grow and create jobs.
Intellectual property (IP) — that covered by patents, trademarks, copyrights and harder-to-protect trade secrets — is now worth as much as 75 percent of the total value of major companies. But while the importance of these assets has grown, many businesses lag in their efforts to protect IP.
There is a compelling case for companies to size up and address IP risks alongside the other risks that they face. Fortunately, most companies already have in place a system that can be adapted to meet the challenge. These “enterprise risk management” (ERM) systems offer a way to put a dollars-and-cents value on potential theft or misappropriation of IP so that companies can invest appropriately in safeguarding it.
In a white paper, the Center for Responsible Enterprise and Trade (CREATe) has explored how the integration of IP in ERM systems can work to protect trade secrets. There are several popular ERM models, but generally speaking they all serve to “identify, assess and manage” risks. The best ERM programs use risk assessment not only in their internal operations, but also to evaluate the risks in the company supply chain. Typically these systems focus on financial stability, quality control, health and safety, and environmental and labor compliance issues.
In many companies, IP risk is handled separately. It is considered an issue for the legal department — which crafts contracts and chases down infringements — and the IT department, charged with cyber security. But the large and growing array of risks to IP argues for a more proactive and holistic approach, like that employed by ERM.
Theft of trade secrets by insiders is a major and growing problem. In April, for instance, a chemical engineer who had recently left a job at the U.S. textile company W.L. Gore and Associates was arrested just hours before flying home to his native South Korea. An investigation revealed that he had downloaded and printed hundreds of documents on a high-tech camouflage fabric the company was developing for military use.
This case — not yet resolved — has a narrative that has played out in virtually every industry. Digitization of information and the high degree of mobility in the workforce have made it easier than ever for critical information to simply walk out the door.
Counterfeiting of products and parts also affects many industries. Where once it was a problem characterized by knock-off Rolex watches and fake Gucci handbags, it now surfaces in the form of fake parts in automobiles and military equipment — or substandard ingredients making their way into production, leading to tainted foods or pharmaceuticals.
This growing threat of cyber attacks also highlights the need for effective IT security. What is less obvious to many companies is the need to tailor IT security to protect IP, so that it guards not only the outer perimeter, but is designed to prevent breaches internally or within the supply chain. The data breach of Target stores, compromising the credit card and personal information of millions of customers, reportedly has been traced in part to carelessness on the part of a vendor providing heating, air conditioning and refrigeration services for the big box store. The case illustrates how vulnerabilities may be exploited through third-party relationships.
A New Approach
Companies are aware — and increasingly anxious — about the risk of IP misappropriation. The PwC 2013 State of Compliance survey of chief compliance officers found that intellectual property risks ranked among the top three risks faced both by manufacturing and technology companies.
Some major companies are beginning to fold their IP-related risks into their ERM systems — moving toward a holistic and proactive approach and away from an ad hoc, after-the-fact approach that tends to be more damage control than protection.
One leader in this area is Amsterdam-based technology giant, Philips N.V. At the highest level, it has identified some of IP risks as “strategic,” or potentially affecting the company’s overall ambitions — including problems securing or maintaining IP rights, as well as those involving third-party licenses covering its products and design and manufacturing processes.
Other IP-related risks are designated as “operational” at Philips, such as the potential leakage of confidential information or the theft of intellectual property or sensitive data through unauthorized access to or cyber attacks on its IT systems.
Getting in Front of Risk
We have worked with companies to show how the ERM system can be applied despite the variety of risks in different companies and different industries.
The first critical step is to create an inventory of IP that the company owns, as well as IP it manages or uses that is owned by third parties. With that in hand, the company then identifies and lists potential risks internally and in its supply chain in relation to IP protection, compliance and management.
The next step in the process is to assess the likelihood of various risks occurring and estimate how serious the damage to the business if it did. A company may recognize a low probability risk that could put the company out of business if it became a reality — think Coca-Cola suffering the theft of the formula that it uses to produce its signature beverage. It may also have a risk that is highly likely to occur but would have very little impact on the business.
The ERM approach then helps the company rank its potential risks so that it can invest in processes, training, infrastructure (such as security systems) and monitoring that correspond to its priorities.
Closing Supply Chain Gaps
In the globalized economy, risk management is inadequate if it does not account for the risks that arise in the supply chain, which may consist of a few — or thousands — of business partners operating in different nations with different laws and norms.
Switzerland-based pharmaceutical giant Roche is a leader in its incorporation of IP risks into supply chain risk management. Its program engages internal groups across the company to assess and monitor supplier-related risks and performance.
Roche’s risk-management process covers identification, assessment as well as mitigation of all operational risks in Roche’s supply chain, focused on three primary categories: economic risks (including bribery, business interruption, insolvency and theft), environmental risks and social risks (such as labor, human rights and data privacy issues).
In addressing IP-related risks, Roche includes counterfeiting as one of the potential economic risks it assesses in its supply chain, in response to the widespread problem of fake and adulterated drugs. The company also examines “innovation risk from the loss of intellectual property” as a key factor when it assesses critical suppliers.
The sophistication that Roche and Philips employ in addressing IP risks, however, remains the exception rather than the rule. CREATe’s work with dozens of multinational companies reveals that many have policies for IP protection, but no concrete procedures, little or no training for internal employees with respect to handling valuable IP — and even less for supply chain partners.
Due diligence tends to be a “vet it and forget it” approach, rather than follow up to ensure that IP protection requirements are being followed. Even companies that have excellent IP protection regimes in place at headquarters find that the system is not employed fully or at all in regional or foreign offices.
To be sure, protecting IP is not a simple matter, and looking at the entire threat landscape can be daunting. But the costs associated with IP misappropriation are now too great to handle the threat in an ad hoc fashion.
ERM is a powerful tool to get a focused picture of potential problems, as well as to avoid, minimize or offset these risks to an acceptable degree. By adapting this well-developed system, companies can take on the IP challenge in a holistic and cost-effective way without reinventing the wheel.
Pamela Passman is President and CEO of the Center for Responsible Enterprise and Trade (CREATe.org), a global nongovernmental organization dedicated to helping companies and supply chain members prevent corruption and protect intellectual property.