Although intellectual property is central to the success of most companies, many do not routinely consider IP protection alongside other strategic, operational, compliance, financial and reputational risks in enterprise risk management programs. Yet IP theft has the potential to interrupt day-to-day business, impact profits, diminish consumer confidence and even threaten a company’s ability to compete in the marketplace.
It is no coincidence that, in the past year, nearly all of the top 20 Fortune 500 companies’ 10-K filings with the Securities and Exchange Commission list cyberthreats and/or risk to IP as material business risks.
For example, Ford Motors’ 10-K states: “(C)yber incidents could materially disrupt operational systems; result in loss of trade secrets or other proprietary or competitively sensitive information; compromise personally identifiable information of customers, employees, or others; jeopardize the security of our facilities; and/or affect the performance of in-vehicle systems….Such incidents could harm our reputation and subject us to regulatory actions or litigation.”
Although cyberthefts and data breaches tend to grab headlines, other types of IP loss can be damaging:
- Trade secret theft: U.S. textile company W.L. Gore and Associates discovered that one of its chemical engineers had downloaded and printed hundreds of documents about a high-tech camouflage fabric the company was developing for military use. He was arrested shortly after he left the company, just hours
before flying home to his native South Korea.
- Counterfeiting: It is difficult to find an industry that has not been hit by counterfeits—examples include fake pharmaceuticals, faulty car airbags and substandard electronic parts in military equipment. These counterfeits can create health and safety issues for consumers, disrupt production, and cause reputational damage and profit losses.
- Piracy: Companies using unlicensed software puts corporate networks and valuable information assets at risk. Malware in these products can provide a way in for criminals and hackers looking to steal confidential corporate information.
Protecting IP through ERM
When considering IP risks, where does a company start? The initial step is to identify the risks specific to IP-related issues. First, take an inventory of relevant intellectual property. It is helpful as part of this step to identify every department or area within the company and each supply chain partner that deals with each element of IP in the inventory. Next, develop a risk-identification worksheet that lists all of the potential risks the company faces, both internally and along its supply chain, in relation to IP protection, compliance and management.
Once potential risks have been identified, the next step is to evaluate both the likelihood that a risk will actually be realized and the consequences to the company if it happened.
Depending on a company’s business and IP assets, these risks may be very likely to occur and could cause major damage to its business and competitiveness. In the case of trade secrets, companies can evaluate the probability and likelihood of such risks by determining which “threat actors” may have incentives to misappropriate the company’s proprietary information, assessing the relative importance of particular trade secrets to the company, and estimating the financial impact if these were lost or stolen.
Having identified and assessed the company’s potential risks, the next step is to develop a risk mitigation plan. This involves not only deciding what risk response, if any, to take to address these risks, but also implementing those steps in the company’s management systems.
Examples of possible risk responses designed to protect innovative IP and trade secrets include moving some production in-house, maintaining ownership of key production equipment, and splitting functions among different suppliers to reduce the risk that a company’s IP will be stolen or counterfeited. At one point, the electronics company Sharp decided to do repairs of its own equipment, and to sporadically reprogram various computer-aided equipment used by its vendors without notice to minimize the chance of its trade secrets being shared with competitors.
Finally, relevant information should be communicated to staff, and ongoing monitoring and review need to be established to ensure that the steps are carried out as planned and are evaluated and updated as needed.
Pay Attention to Third Parties
It is also critical to identify IP-related risk in global supply chains, as producers, joint venture partners and even customers may have access to IP.
Supply chain disruptions caused by IP-related issues can have serious long-term implications. For example, carelessness on the part of a vendor providing heating, air conditioning and refrigeration services led to the data breach of Target stores that compromised the credit card and personal information of millions of customers. It is not hard for vulnerabilities to be exploited through third-party relationships.
In another case, the alleged theft of a wind turbine company’s software source code by a customer and two former employees, and the inclusion of that technology in competing turbines manufactured by the former customer, resulted in a claimed loss to the company of $800 million in sales and 500 jobs.
By taking a holistic approach implemented through the company’s management systems and business processes, however, companies can deal with a range of very different risks in an organized and integrated way.
The Roche pharmaceutical company, for example, has benefitted from integrating the assessment of IP risks into its ongoing supply chain risk management program. In its program, a number of internal groups at the company—including group safety, security, health and environmental protection and pharma partnering—work with the global procurement compliance team to assess and monitor supplier-related risks and performance.
Roche’s risk management process covers identification, assessment and mitigation of all operational risks in its supply chain, focusing on the three primary categories of economic risks (including bribery, business interruption, insolvency and theft), social risks (such as labor, human rights and data privacy issues) and environmental risks. For IP-related risks, Roche specifically includes counterfeiting as one of the potential economic risks it assesses with respect to the supply chain. It also examines “innovation risk from the loss of intellectual property” as one of the category-specific risk assessments conducted on “critical” suppliers.
Roche is not alone in understanding the value of intellectual property to its success. Netherlands-based electronics and lighting company Philips NV, for example, considers IP-related issues among the strategic and operational risks evaluated as part of the company’s “business control framework.”
Intellectual property and other intangible assets now make up a major part of the wealth of many companies—as much as 75% of Fortune 500 companies’ value, in fact. As such, businesses must factor IP-related risks alongside other strategic, operational, financial and reputational risks in order to remain successful.