IP Clinic – 3. IP Risk Management

Intellectual Property Risk Management

by Donal O’Connell, Managing Director, Chawton Innovation Services


The connection between IP and risk:

Risk is the chance of something going wrong, and the danger that damage or loss will occur. By its very nature, there are both rewards and risks associated with IP. For anyone involved in IP, then IP-related risks are part of working life. However, many ignore the risks associated with IP or only react when the risk has materialized, which is most times too late.

Some examples:

The obvious IP-related risk is that a business may infringe the IP rights of a 3rd party. However, there may also be IP-related risks associated with for example:

  • Having too narrow a definition of IP, and ignoring potentially valuable IP assets
  • The IP terms and conditions in some development or commercial agreements with 3rd parties
  • The publishing activities of the business
  • Embracing open source software
  • Being involved in certain interoperability standardization activities
  • Getting involved in some open innovation initiatives
  • The use of subcontractors
  • One’s own IP out-licensing program
  • Employees stealing IP from the company
  • The scourge of counterfeit products
  • Trademark disputes with 3rd parties
  • Trade secrets not being properly managed

Are IP-related risks a significant issue?

Any business professor will tell you that the value of companies has been shifting markedly from tangible assets, “bricks and mortar”, to intangible assets like intellectual property in recent years. Research has indicated that intangibles now account for about 80% of the total value of many companies.

There is no data available on the scale of the risks associated with IP, but one can assume that it is significant, and probably around this 80% mark.

There is indeed some data available on the size of the problem associated with certain specific types of IP-related risks such as counterfeit products, patent litigation, trademark disputes, data hacking, and so forth.

The bottom line is that IP-related risks are a significant issue for many companies.

The bottom line is that IP-related risks are a significant issue for many companies.

Are all IP-related risks generally the same or not?

All IP risks are not the same, far from it. Not all IP risks are the same and they may be broken down into a variety of different categories, such as the form of IP involved (e.g. patents, trademarks, copyright, etc.), the source or origin of the IP-related risk, the impact and probability of the IP risk, the date when the risk is likely to materialize, the geographical nature of the IP risk, whether they are generic or specific in nature, the group or sub-group most impacted by this risk in the organization, etc.

Where do IP risks originate?

Many mistakenly assume that all IP risks originate from competitors, but IP-related risks may originate from a variety of sources:

  • The activities of one’s own company and its people
  • The activities of entities within one’s own eco-system (suppliers, partners, distributors, customers)
  • The activities of one’s competitors
  • The activities of other entities such as NPEs
  • Changes to Government policies related to IP
  • The activities of illegitimate entities such as hackers and counterfeiters

IP risk management:

IP risk management is a practice that deals with processes, methods, and tools for managing IP risks in a project, business unit or organization. It is initially about the identification, assessment, and prioritization of IP-related risks followed by the coordinated and cost-effective application of resources to reduce or eliminate the probability and/or the impact of these IP-related risks to the organization.

IP risk management involves understanding, analyzing and addressing IP-related risks to make sure organizations achieve their objectives. So, it must be proportionate to the complexity and type of organization involved. Proper IP risk management is an integrated and joined-up approach to managing IP-related risks across an organization and its extended networks.

IP risk management is about ensuring that the business really understands its IP-related risks, and then mitigates pro-actively.

IP risk management is about ensuring that the business really understands its IP-related risks, and then mitigates pro-actively. The rationale for this may be driven by the need for freedom to use technologies already in use or being considered for use in the company’s products, but there are many other reasons why businesses need to take IP risk mitigation seriously.

The focus should be on risk mitigation and not just of risk evaluation. Risk mitigation covers efforts taken to reduce either the probability or consequences of a threat. Risk mitigation efforts may range from physical measures to financial measures.

The key steps in the IP risk management process

A process is an interrelated set of activities designed to transform inputs into outputs, which should accomplish your pre-defined business objectives. Processes produce an output of value, they very often span across organizational and functional boundaries and they exist whether you choose to document them or not.

A process may be seen as an agreement to do certain things in a certain way and the larger your organization, the greater the need for agreements on ways of working. Processes are the memory of your organization, and without them a lot of effort can be wasted by starting every procedure and process from scratch each time and possibly repeating the same mistakes.

At a very top level, the IP risk management process involves the following key phases:

  • Identification
  • Analysis
  • Review
  • Mitigation
  • Monitoring

“Top down” versus “bottom up”:

The two ‘halves’ of IP risk management are IP risk assessment and IP risk mitigation. Risk assessment is about the identification, quantification, and prioritization of IP-related risks facing an organization.

In the top-down approach, IP risk management begins at the highest conceptual level and works down to the details, with the major IP-related risks being identified by senior management.

In the bottom-up approach, it begins down with the details and works up to the highest conceptual level, with IP-related risks being identified by middle managers and individual contributors, and with the higher probability and/or impact IP-related risks then being passed up to senior management.

Top down and bottom up are both strategies of information processing and knowledge ordering, used in a diverse range of fields, including in the area of IP risk management. The two approaches may be seen as a style of thinking. Processing here is just a simpler way to say “taking in IP-related risk information, analyzing it, and drawing conclusions or acting”. In a top-down approach, an overview is formulated, with the details beyond that overview specified but not delved into. A bottom-up approach is the piecing together of different details. It should be stressed that both have the same goal, namely to ferret out the key IP-related risks facing the organization.

Success depends on using a combination of top-down and bottom-up approaches to first identify, classify, and prioritize the IP risks facing the organization.

The top-down approach gives IP risk management the necessary strong foundations whereas the bottom-up approach gives it some flexibility.

Combining top-down with bottom-up approaches is especially needed when the IP environment is continuously changing and, consequently, the organization’s IP risk map is shifting. In such circumstances, the top-down approach gives IP risk management the necessary strong foundations whereas the bottom-up approach gives it some flexibility. The combined approach also keeps everybody in the organization involved in the IP risk management process and ensures accountability and improves compliance.

For organizations tackling IP-related risk management for the first time, it is recommended to start initially with a top-down approach but then to roll out a bottom-up approach to reach out across the entire organization over time. The bottom-up approach may for example become an annual exercise conducted across the organization.

Mitigation of IP-related risks:

There are a variety of IP risk mitigation techniques available, but of course their effectiveness will vary from one particular IP risk to another, on timing, and from one business to another.

Some of the IP risk mitigation techniques are listed here, but this list if not exhaustive by any means:

  • Raising awareness of the importance of IP across the organization
  • Leveraging technical co-operation with others
  • Using Standards with fit-for-purpose IP policies
  • Obtaining indemnities
  • Participating in patent pools
  • Licensing IP
  • Designing around
  • Finding prior art to invalidate 3rd party IP
  • IP acquisition
  • Taking out IP insurance

It is important that a company builds up a good understanding and appreciation of the various IP risk mitigation solutions which exist, and if and when they should be deployed. There are a growing number of specialist external IP risk mitigation solution providers which should also be considered.

 The components of a good IP risk management solution

IP risk management is not easy, and several components need to be in place for a company to truly master this aspect of IP. I strongly suggest that the following components are needed:

  • Good IP and IP-related Risk awareness and education
  • A robust fit for purpose IP Risk Management process
  • IP Risk Management system / tool
  • Data (IP-related risks, actions, documents, reports)
  • A variety of IP Risk Mitigation solutions
  • IP Risk Management resourcing (people, budget)
  • Proper IP Risk Management governance

A good IP risk management tool helps ensure that the process is an efficient and effective one.

The value of an IP risk management tool:

A good IP risk management tool helps ensure that the process is an efficient and effective one. It can improve data integrity as well as better support how IP risks are articulated and reported. It should be easy to install, easy to configure, and easy to take into use, otherwise there is a great danger that the system become a ‘white elephant’.

A risk management tool is commonly used in business in such areas as project management and organizational risk assessments. It acts as a central repository for all risks identified and, for each risk, includes information such as risk probability, impact, counter-measures, and risk owner and so on. It can sometimes be referred to as a ‘risk register’ or a ‘risk log’.

An IP risk management tool is no different and is an essential tool to be able to manage this particular risk area. It initially provides a way to articulate the various IP-related risks in a very structured manner. It then acts as an important tool for the ongoing management of these IP risks.

Typically, an IP risk management tool will contain:

  • A description of the IP-related risk
  • The impact should this event occur
  • The probability of its occurrence
  • Risk score (the multiplication of probability and impact)
  • A summary of the planned response should the event occur
  • A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
  • Links to any associated documentation

In a ‘qualitative’ risk tool, descriptive terms are used: for example, a risk might have a ‘High’ impact and a ‘Medium’ probability. In a ‘quantitative’ risk tool the descriptions are enumerated: for example, a risk might have a ‘$1 Million’ impact and ‘10%’ probability.

A clever feature is to allow some calibration of the tool as different levels of impact and probability will differ from one company to another.

An IP risk heat map is a tool used to present the results of a risk assessment process visually and in a meaningful and concise way.

IP risk heat map:

An IP risk heat map is a tool used to present the results of a risk assessment process visually and in a meaningful and concise way. It is a simple yet extremely powerful tool.

Heat maps are a way of representing the resulting qualitative and quantitative evaluations of the probability of risk occurrence and the impact on the organization in the event that a particular risk is experienced.

The development of an effective heat map has several critical elements – a common understanding of the risk appetite of the company, the level of impact that would be material to the company, and a common language for assigning probabilities and potential impacts.

An IP risk heat map diagram provides an illustration of how organizations can map probability ranges to common qualitative characterizations of IP risk event likelihood, and a ranking scheme for potential impacts. They can also rank impacts on the basis of what is material in financial terms, or in relation to the achievement of strategic objectives.

IP risk heat maps provide several benefits:

  • A visual, big picture, holistic view to share while making strategic decisions
  • Improved management of IP risks and governance of the IP risk management process
  • Increased focus on the IP risk appetite and IP risk tolerance of the company
  • More precision in the IP risk assessment process
  • Identification of gaps in the IP risk management and control process
  • Greater integration of IP risk management across the organization and embedding of risk management in operations

The importance of IP risk data:

IP risk management is important, so it is therefore imperative that the associated data is also treated with the respect that it deserves, and that data integrity is maintained.

Several best practices exist to help address data integrity issues within an IP risk management system:

  • Control the data entry
  • Define mandatory and optional data fields properly
  • Assign rights and roles for access to the system
  • Assign personal responsibility
  • Keep a change history
  • Design ‘intelligent’ data fields
  • Use tools to measure and clean the data on a regular basis
  • Make data management a living process
  • Measure, measure, measure!!!

Data is only as good as the process and system that collects it.

The best approach is to make data management an on-going process and an integral part of IP risk management.

Managing the associated data as a resource is an important function of IP risk management. Accurate and relevant data is the source of valuable information. By managing data efficiently, properly-informed, sound management decisions can be made.

Data is only as good as the process and system that collects it. Analysis is only as good as the data on which it is based and the skills and experience of the analyst. Without data, it is simply an opinion.

Who should be interested in IP risk management?

Anyone interested in IP should take IP risk management seriously. It should be of interest to anyone:

  • Operating in an IP-litigious environment
  • Coming up for exit or listing
  • Anxious to get IP risk management under control
  • Whose executive management team are demanding visibility of IP-related risks
  • Experiencing major business changes
  • Facing a major IP risk and realizing that they are unprepared
  • Interested in proper governance of IP

It is best to master IP risk management when things are calm rather than when one is tackling a major IP risk.

Regardless of why one is interested, it is best to master IP risk management when things are calm rather than when one is tackling a major IP risk, when pressure is intense, and everything seems chaotic and dis-organized. This is not the right time for a GC, CIPO, or IP Manager to have to go to the Board and explain that the IP risk management process is to ‘panic widely and run away’.

The keys to success with IP risk management:

I suggest that IP awareness and IP governance are like the bookends, keeping everything else in proper order. Governance here is about management putting IP risk on their agenda and regularly asking themselves whether they have the right culture, people, and processes in place.

The skills needed to succeed with IP risk management do not match exactly those needed to be successful with the other key IP processes, such as IP creation, IP portfolio management, IP exploitation and IP enforcement. The mind-set is just different for those charged with IP risk management.

Final thoughts:

It is important not to underestimate or exaggerate the risks associated with IP. As IP relates to innovation and creativity, it can sometimes be an emotive subject and some care is needed.


Donal O’Connell is the Managing Director of Chawton Innovation Services, a firm which offers consultancy in the areas of innovation and intellectual property management, and also licenses a number of IP software solutions to clients. Previously he enjoyed a 21-year career at Nokia, where he had such roles as VP of R&D and a Director of IP.

He’s an Adjunct Professor at Imperial College Business School in London, teaching about IP management. He is also the author of two books, “Inside the Patent Factory” and “Harvesting External Innovation”, along with hundreds of papers which have been published in magazines, websites, and blogs around the world.