Intellectual Property Risk Threshold
IP related risks:
Risk is the chance of something going wrong, and the danger that damage or loss will occur. By its very nature, there are both rewards and risks associated with IP. For anyone involved in IP, IP related risks are part of working life.
Any business professor will tell you that the value of companies has been shifting markedly from tangible assets, "bricks and mortar", to intangible assets like intellectual property in recent years. Research has indicated that intangibles now account for about 80% of the total value of many companies. There is no data available on the scale or size of the risks associated with IP facing companies, but one can assume that it is significant, and probably around this 80% mark.
IP risk management:
IP risk management is a practice that deals with processes, methods, and tools for managing IP risks in a project, business unit or organization. It is initially about the identification, assessment, and prioritization of IP related risks followed by the coordinated and cost-effective application of resources to reduce or eliminate the probability and/or the impact of these IP related risks to the organization.
IP risk management involves understanding, analysing and addressing IP related risks to make sure organizations achieve their objectives. Proper IP risk management is an integrated and joined up approach to managing IP related risks across an organization and its extended networks.
IP risk management is about ensuring that the business really understands its IP related risks, and then mitigates them proactively. The rationale for this may be driven by the need for freedom to use technologies already in use or being considered for use in the company’s products, but there are many other reasons why businesses need to take IP risk mitigation seriously.
The focus should be on risk mitigation and not just on risk evaluation. Risk mitigation covers efforts taken to reduce either the probability or consequences of a threat. Risk mitigation efforts may range from physical measures to financial measures.
IP risk appetite, tolerance and threshold:
IP risk appetite is defined as the amount and type of IP related risks that a company is willing to take in order to meet its strategic objectives. Companies will have different IP risk appetites depending on their sector, culture and objectives.
While IP risk appetite is about the pursuit of risk, IP risk tolerance is about what a company can actually cope with.
IP risk threshold takes both the uncertainty and the impact into account when determining whether a company takes a specific interest in an IP related risk or not. Below the IP risk threshold, the organization will accept the IP related risk. Above the IP risk threshold, the organization will not tolerate the risk.
Frequently, the terms IP risk appetite, IP risk tolerance and IP risk threshold are used interchangeably, although they represent related, but different concepts.
I favour focusing on the IP risk threshold as it takes both impact and probability into consideration.
It should be stated that the IP risk threshold level for a company cannot really be set to zero as companies have to take some IP related risks but avoid others.
When the IP risk exposure crosses above the IP risk threshold level set, IP Management has to take decisive actions to bring the IP risk exposure back under that level.
What is the right IP risk tolerance level for a company?
There is no right level for the IP risk threshold level for a company as it will change over time. I suggest however that there are three general phases for a company with respect to their IP risk threshold level.
Phase 1:
When a company first embraces IP risk management, I suggest that a company should set its IP risk threshold level very low to ensure that the vast majority of IP related risks in their IP risk register are at least analysed and reviewed and very few IP related risks are ignored.
Phase 2:
Once the company becomes more mature and sophisticated in terms of IP, IP management and IP risk management, I suggest that the IP risk threshold level can be raised by the company so that attention focuses very much on those high impact and high probability IP related risks.
Phase 3:
After a period of time, I suggest that the company should slowly but surely lower its IP risk threshold level, so that mid impact and mid probability IP related risks get properly addressed. If the company leaves its level high, it may mistakenly believe that it faces no IP related risks.
Multiple business units within a company:
In the case of a company having two or more diverse business units, with each unit having different strategies, products / services and financial performance, it is important to take care not to try to average everything out.
Firstly, a particular IP risk for one business unit might be low impact and low probability, while a very similar IP risk facing another unit might have a very different impact vs probability rating.
Secondly, the definition of the impact levels and probability levels will differ between different business units.
Thirdly, the IP maturity and sophistication of each unit will differ, so each unit’s ability to first analyse and then mitigate an IP risk will not be the same.
The IP risk appetite, tolerance and threshold for one business unit will differ from that of another unit within the same company.
Final thoughts:
IP risk management involves understanding, analysing and addressing IP related risks to make sure organizations achieve their objectives. Proper IP risk management is an integrated and joined up approach to managing IP related risks across an organization and its extended networks.
IP risk management is about ensuring that the business really understands its IP related risks, and then mitigates them proactively.
The focus should be on IP risk mitigation and not just on IP risk evaluation. IP risk mitigation covers efforts taken to reduce either the probability or consequences of a threat.
IP risk management is also about properly understanding the IP risk threshold of the company, knowing this level and when it needs adjusting.