In the previous post, we have talked about the relevance of IP in industry, concluding that in the actual world it must be considered essential, taking into account that the industry is highly based in and influenced by technology. This time, we are going to learn about another key point around the Intellectual Property, the risks. As in other areas, topics, fields… of industry or technology, we can find some risks around the Intellectual Property, when protecting it, when applicating the laws… So, in order to go deeper in the area of IP, let’s talk about the risks around it.
First of all, I think that is important to present in a clear way what a risk is. For this, I consider the best definition the one provided by the International Organization for Standardization, as specified in the ISO/IEC 27005: “Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization”. I think that this definition is great, but in order to get the essence of what a risk is and what it suppose, let’s present the definition of risk provided by the FAIR Institute: “the probable frequency and probable magnitude of future loss”. This basically means the probability of something bad to happen and the impact that this will have in the company, institution…
In order to understand better what a risk is, we can imagine for example the risk of updating the Windows systems of your company. This will have some risks that must be analysed, because, for example, this can suppose that your key employees are not able to execute their daily job due to the systems hang or do not perform. This, probably, will not happen too frequently, but the impact that can have is pretty high.
Once having clear what a risk is, we will analyse the most important risks around Intellectual Property in a general way per risk type, in order to go to more specific examples:
- Availability Risk: It is necessary for a company to make information available, and yet it is necessary for all information to be well-protected against possible infringements.
- Compliance Risk: Due to the number of legal issues pertaining to IP rights, it is important to be aware of their legal implications.
- Brand Risk: A company’s brand is part of its IP and can be one of its largest assets. It is important to protect the company images and brand reputation.
- Access Risk: Access risk includes the risk that access to information (data or programs) will be inappropriately granted or refused. Access risk ensures protection of trade secrets.
- Business Value: It is important to be aware of and track a company’s IP and know their associated business value.
So, after having a overview of the risks around IP, I will present the risks that I consider most important, ordered by priority, and following the criteria of most frequent and biggest from the point of view of the impact:
- Lose a good idea with potential to become a business due to ignorance: not listing the IPs of a company and ignoring their associated business value can finish with the loss of that opportunity because another company or person develop the same idea and is faster protecting it. Obviously, it is hard to put examples about this topic due to its naturality, but we can imagine easily that this happens quite frequently nowadays with companies interested in the same products of fields.
- Lose money or not earn as much as possible due to bad protection of IPs: not understanding the importance of the protection, ignoring the laws… can suppose the loss of an IP, the possibility of copies due to the existence of legal loopholes, a bad temporal exploitation of the ideas…
- Loss of information related with IPs from inside the company due to lack of regulations or good practices and low security: not documenting or logging the work and inventions properly, not controlling the storing of sensitive information… It is easy to put an example of this risk, as it happens very frequently. One famous case is the one of the stole of 100.000 documents of AMD from inside.
- Loss of information related with IPs from outside the company due to low security or bad management of the information: easy to hack servers, putting sensitive information in easily accessible databases… As example, there is a case known by many people: The boy who stole Half-Life 2.
- Violation of other companies’ patents or protected products by copyright laws: not analysing the market of patents and developing of ideas without knowing surrounding companies’ developing products may conclude with complaints due to IP violations. I do not consider necessary to put examples of violations of patents, as this type of legal issues can be constantly between big companies, like Samsung and Apple.
In the following table, we can find the respective level of each risk (H – High, M – Medium, L – Low) in relation with the likelihood and the financial impact. To understand better the Likelihood Scale and the Impact Scale (financial), I highly recommend the reading of the pages 13 and 14 from the document Developing the IT Audit Plan inside the Global Technology Audit Guide, written by the Institute of Internal Auditors.
|1||H||H||In the actual industry, full of competence, in which the faster is frequently the one that get the business, it is essential to register all the new good ideas and which is their value . The impact of not doing this is high, but can be huge if we are talking about millionaire o billionaire ideas.|
|2||M||H||Protection of ideas is essential, by patents, copyright or trademark laws. A bad protection can be exploited by the competence, being high its impact in the company.|
|3||L||H||Maybe the probability to be stolen by your employees is low, but it is important to control it, as the impact can be high in the business, because the employees know what to look for if they want to steal, and can have access to a lot of sensible information. Apart from that, following good practices can decrease the probability to lose information.|
|4||M||M-H||Cyber attacks can happen, and its impact can go from low impact to a very high one.|
|5||L||M-H||It is difficult not to see that an idea is actually patented when it suppose a high source of money, as it will be published quickly, but the consequences of not considering it can go from little money loss to big problems with justice.|
In conclusion, knowing and understanding the risks around the Intellectual Properties is essential in industry, due to the technology in constant developing and the big competence in business. So, developing some expertise around the presented content can result in the prevention of possible bad events