In order for a company IP protection program to succeed, it must meet the following criteria: • Protect that which requires the greatest protection • Be optimized to address actual, potential threats • Require the minimum investment of company resources possible • Protect company assets without unduly impeding operations and efficiency • Be understood, implemented, and adopted by the entire company workforce
At the core of an effective IP protection program is a systematic, rational strategy for making informed, intelligent decisions as to where to invest resources to manage risk. With the above criteria in mind, below is the five-phase, sequential approach to developing an efficient, cost-effective, realistic, and successful IP protection program.
A company’s IP assets include information, processes, people, and technology. The first step in developing an IP protection strategy is determining what IP needs to be protected; this calls for an IP inventory. Not all IP is equally important, nor requires an equal investment of resources to protect it. Categorizing IP is a helpful method for prioritizing where to invest IP protection resources (such as time, effort, money, personnel, systems). Refer to the four categories below. The greater the negative consequences for the company of particular IP loss, the higher the category: Category A - Catastrophic The loss of certain IP (such as the recipe for Coca-Cola) could be catastrophic to a company. Category B - Significant By comparison, the compromise of a company’s negotiating strategy for a merger or acquisition, while (financially) significant, would not pose an existential threat to the company. Category C – Moderate Theft of the exterior design for a new mobile phone containing novel features not found on existing models could be catastrophic if that loss occurs right after feasibility testing and prior to production. Closer to roller, the categorization of that loss might drop to moderate, or even negligible, as the potential negative consequences of losing that IP decline. Category D - Low Theft of a company’s financial records, market entry strategy, or personnel records could be harmful. Category E – Negligible Loss of IP data in this category would have negligible impact on a company.
Once a company’s IP assets have been identified and categorized, the next step is to assess the risk to each identified IP asset within each broad category, and the vulnerability of that asset to each risk, starting with the most important IP assets (Category A). Threat vectors can be human, physical, or cyber.
Quantifying risk is done by assessing the likelihood of a particular risk factor occurring and the severity of the consequences if it does occur. A seemingly simple tool like a risk factor decision matrix can be extremely helpful in conceptualizing and quantifying risks to specific IP assets.
Risk tolerance is the willingness of some person or some organization to accept or avoid risk. How much is the company willing to lose if the risk happens? Looking at the risk quantification graphic above, a company that assesses the severity of a particular risk’s impact on an IP asset as catastrophic and its likelihood as probable should adopt a low risk tolerance for such an event. The company is not willing to tolerate the loss of this IP, and is therefore willing to invest the resources necessary to protect it.
For each identified risk to IP, there are four options: Accept, avoid, reduce, or transfer the risk. Accept Accepting risk is selected as a tactic whenever one acknowledges that a risk exists, but determines that investing resources to avoid or reduce the impact of the risk is not cost-effective. A company that builds a factory in Pennsylvania may forego earthquake insurance. The same company building a factory in California should not accept that risk. Avoid The CEO of a multinational corporation planning an overseas business trip to a country where the risk of cybertheft and industrial espionage is high worries that the highly sensitive proprietary data on his laptop and cell phone may be at risk of cyber theft. He may opt to simply leave his laptop and mobile phone behind, thus avoiding the risk entirely. The CEO pays a price in convenience and efficiency, but he has avoided the risk. Mitigate Mitigating a risk to IP means taking steps to reduce the probability of that risk occurring, and/or the severity of the consequences in the event it did occur. Farmers use irrigation and pest control to mitigate the risk of inadequate rain or pest to their crops, for example. Transfer A company may elect to transfer the risk to another entity, or entities, that are better able to cope with it. Purchasing insurance is the most frequently-used strategy for transferring risk. Risk transfer can also be achieved through a contract. Example: A company offering a stolen car location service offers to compensate the victim the difference between his auto insurance company’s reimbursement and the full replacement value of a stolen vehicle in the event the car is not recovered. Successfully coping with multi-faceted, serious threats to IP demands an effective IP protection program that is based on a comprehensive, rational and systematic strategy and approach. By following the five steps above, a company can lay the groundwork for a robust, cost-effective, manageable and successful IP protection program. Cipher is an innovative boutique consultancy focused on providing strategy consulting services and intelligence technology solutions that help clients make smarter, faster decisions. Our consulting services include IP Protection, Operations Consulting, War Games & Scenario Planning, and CI and Counter-CI Training. Cipher’s Integrated IP Asset Protection Solution is a risk-based, coordinated approach to securing critical IP. Our experience has taught us that successful IP protection strategies are built on the solid foundation of a “Culture of Awareness” within your organization. Our security awareness and counter-intelligence training solutions sensitize employees to the threat, provide them with tools to successfully recognize potential threats, and teach them how—and to whom—those issues should be reported.
Cipher is a full-service competitive strategy and technology firm. We provide world-class consulting services and technology solutions that help our clients gain and maintain a competitive edge.