Intellectual Property Risk Mitigation

By Donal O’Connell

Risk

Risk is the chance of something going wrong, and the danger that damage or loss will occur, whereas risk management is the process of analysing exposure to risk and determining how best to then handle such exposure.

Intellectual Property (IP)

By its very nature, there are both rewards and risks associated with intellectual property (IP).

Legal and IP text books typically describe IP and patents in particular in somewhat negative terms. A patent is not a right to practice or use the invention, rather, a patent provides the right to exclude others from making, using, selling, offering for sale or importing the patented invention for the term of the patent, which is usually twenty years from the filing date. A patent is, in effect, a limited property right that the government offers to inventors in exchange for their agreement to share the details of their inventions with the public.

However, a more enlightened view describes IP and patents in particular as a means to build innovation, as opposed to blocking innovation. Innovation and especially collaborative innovation is reliant on some form of management and control and IP is the means to manage knowledge-based collaborations, as knowledge and technology needs to be managed as a transaction of objects in the development stages. These objects may be as valuable as or even more so than the resulting products and services. IP in this regards can be seen as a means to objectify knowledge so that it can be properly managed. Without IP and patents, collaboration in technology development becomes prohibitively difficult. This is therefore a fresher way to view IP, as a management system for knowledge-based business, instead of a legal right to exclude others.

Regardless of which view of IP you support, there are risks associated with it, which need to be understood, and managed accordingly.

IP risk mitigation

IP risk mitigation is about ensuring that the business really understands its IP related risks, and then mitigates proactively. The rationale for this may be driven by the need for freedom to use technologies already in use or being considered for use in the company’s products, but there are many other reasons why businesses need to take IP risk mitigation seriously.

The focus should be on risk mitigation and not just of risk evaluation. Risk mitigation covers efforts taken to reduce either the probability or consequences of a threat. Risk mitigation efforts may range from physical measures to financial measures.

Different types of IP related risks

The obvious IP related risk is that a business may infringe the IP rights of a 3rd party. However, there may also be IP related risks associated with …

• the IP terms and conditions in some development or commercial agreements with 3rd parties,
• the publishing activities of the business,
• embracing open source software,
• being involved in certain interoperability standardisation activities,
• getting involved in some open innovation initiatives
• the use of subcontractors

IP Risk Register

A risk register is a risk management tool commonly used in business in such areas as project management and organisational risk assessments. It acts as a central repository for all risks identified and, for each risk, includes information such as risk probability, impact, counter-measures, risk owner and so on. It can sometimes be referred to as a ‘risk log’.

An IP risk register is no different and is an essential tool to be able to manage this particular risk area. It initially provides a way to articulate the various IP related risks in a very structured manner. It then acts as an important tool for the ongoing management of these IP risks.

A wide range of suggested contents for an IP risk register exist. Typically an IP risk register should contain …

• A description of the IP related risk
• The impact should this event actually occur
• The probability of its occurrence
• Risk score (the multiplication of Probability and Impact)
• A summary of the planned response should the event occur
• A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)

In a “qualitative” risk register descriptive terms are used: for example a risk might have a “High” impact and a “Medium” probability. In a “quantitative” risk register the descriptions are enumerated: for example a risk might have a “$1m” impact and a “50%” probability.

Logging risks into the IP risk register

Populating the IP risk register is a crucial step, but it is important to understand that identifying those IP related risks which should be logged into the register may be done by a variety of different people.

Some IP related risks may be obvious, such as assertions from 3rd parties, lawsuits and IP litigation cases but others may be less so. Some IP related risks may be flagged up while conducting the other key IP processes, such as IP creation, IP portfolio management, IP exploitation or IP enforcement activities.

Some IP related risks to be logged may come from within the business and its involvement for example with interoperability standards. Some may come from its own R&D activities or its collaborative innovation activities with 3rd parties. Some may come when a business gets involved in M&A activities. Some may come just by observing what is happening to others in the industry.

An ‘active’ IP risk register

Good practice suggests having the following steps in the top level process to manage this IP risk register …

• Gather
• Record
• Review
• Prioritise
• Evaluate
• Mitigate
• Inform

The emphasis must be on risk mitigation, and taking the necessary actions. This in essence means utilising one or more of the IP risk mitigation techniques to mitigate each IP risk logged or at least the critical ones.

IP risk mitigation techniques

There are a variety of IP risk mitigation techniques available, but of course their effectiveness will vary from one business to another.

Some of the IP risk mitigation techniques are listed here, but this list if not exhaustive by any means …

• Leveraging technical cooperation with others
• Using standards with fit for purpose IP policies
• Obtaining indemnities •Participating in patent pools
• Licensing IP
• Design arounds
• Finding prior art to invalidate 3rd party IP
• IP acquisition

Some tend to categorise or sub-divide these IP risk mitigation techniques as follows ..

• safety via agreements & contracts
• safety by avoiding 3rd party IP
• safety by invalidating 3rd party IP

Others tend to sub-divide the techniques as follows …

• actions to be taken within the business
• actions to be taken in conjunction with suppliers
• actions to be taken in conjunction with customers
• actions to be taken in conjunction with 3rd party IP solution providers

Regardless of how the various IP risk mitigation techniques are categorised, a model should exist which allows a business to review each of the IP risk mitigation techniques available both internally and externally. This model should then allow the business to rate each of these techniques by its relative impact on the risk, the ease of implementation, plus cost and time to implement.

Skills and competencies needed

The skills needed to succeed with IP risk mitigation do not match exactly those needed to be successful with the other key IP processes, such as IP creation, IP portfolio management, IP exploitation and IP enforcement. The mindset is just different for those involved with IP risk mitigation.

Best practice suggests the creation of a small rapid reaction force to support the business with managing IP risks. The resources for this may be drawn from within the IP Dept but should include representatives from technology, commercial and from group risk.

It is also highly recommended that this rapid reaction force is trained on IP risk mitigation techniques and on its mode of operation, including, for example, modes of communication between the group.

A different management and leadership approach plus a different set of associated processes, tools, skills and competencies are needed for IP risk management in comparison to those needed when focused on other aspects of IP. One should take care however not to minimise or exaggerate the risks associated with IP.

The IP risk mitigation tool kit

A business, especially one serious about IP, should develop and maintain an IP risk mitigation ‘tool kit’ consisting of the following elements …

• an IP risk mitigation process description
• an IP risk register
• a comprehensive list of the IP risk mitigation techniques
• IP risk mitigation education material
• a small rapid reaction force
• a network of 3rd party IP risk mitigation solution providers

It is most important that business is aware of the full range of techniques available to recognise, manage and mitigate IP related risks. Workshops maybe needed to determine the suitability of these techniques to a particular business and the creation of a plan to implement these within the business. There should be specific focus on the short, medium and long term vulnerability to IP related risks and how these three phases can be differently addressed.