Archive for 'Enterprise risk management.'

Deploying Risk Mitigators For Intangible Assets

February 20th, 2017. Published under Due Diligence and Risk Assessments, Enterprise risk management, Sustainability of intangible assets.

Michael D. Moberly February 20, 2017 ‘A business intangible asset blog where attention span really matters’!

Deploying IA-specific ‘risk mitigators’, at the right time, to the right set of assets, and in the right manner can deliver obvious benefits, i.e., counter, prevent, and/or mitigate risk. Those are the obvious and desired outcomes. But, also, when company leadership and (risk) management teams recognize IA-specific risk mitigators are applicable-relevant to most any circumstance where valuable – revenue generating – competitive advantage producing IA’s are being developed and/or already in play, their contributory value rises accordingly.

For most business circumstances, the presence of and the potential for significant (IA specific) risk to materialize and variously jeopardize an IA-dominant undertaking or transaction is real and persistent. The initial management team action, in my judgment, preferably undertaken in advance, should be to do what is necessary to try to mitigate or prevent those risks from materializing – elevating to the point they can adversely (irreversibly) affect an outcome.

Effectively mitigating-preventing risks directed to undertakings dominated by IA’s, or a myriad of other business transaction circumstances for that matter, lies in recognizing that putting risk mitigators in place, at the right time, focused on the right set of assets, i.e., those in play, and in the right manner, can deliver obvious and necessary benefits. The benefits are two-pronged, i.e., (1.) to thwart, counter, and mitigate risk, and (2.) measurably contribute to more valuable and competitive (desired) outcomes.

Those business leaders and management teams who assume risks to IA’s can be adequately dealt with via the purchase of conventional business insurance (riders), without deploying risk mitigators, I suggest, have misread – misunderstood the current risk environment. That is, the ‘keystroke speed’ and asset-specific targeting capabilities of ultra-sophisticated and predatorial global economic and competitive advantage adversaries with advanced data mining technologies, have indeed become the norm, certainly not an anecdotal (one off) exception.

The effective and timely deployment of IA-specific risk mitigators (at the right time, right place, and right way) is businesses’ prelude to – segue for ensuring the IA’s in play remain as fully intact as possible in terms of their capability to continue to generate value, produce sources of revenue, and underlie competitive advantages.

The primary objectives to deploying IA-specific risk mitigators are to affect the assets’, and their holders’ receptivity – vulnerability to compromise and/or undermining throughout the contributory value – materiality cycle of the assets. This is best achieved when there are coordinated processes – actions in place to recognize, monitor, sustain, and acknowledge…

• asset’s exposure to costly and momentum stifling (risk) acts-events.
• IA’s contributory role and value will favorably distinguish companies within their sector.
• necessary levels of control, use, ownership, value, equity, and resilience for the IA’s.
• deployment of IA-specific risk mitigators are not mere operational electives that can be dropped, dismissed, or delayed indefinitely.

As consistently conveyed since the ‘Business IP and Intangible Asset Blog’ published its initial post in May, 2006, whenever, however, and wherever valuable, revenue generating, and competitive advantage IA’s are in play, company-business leadership and management teams are obliged to consider there will be various types, levels, and motives for (IA-specific) risks to materialize.

The acts of assessing and monitoring IA-specific risks and identifying effective techniques – strategies to prevent, mitigate, or neutralize them do not require leaders to reach beyond-outside their professional domains of expertise in order to take the necessary action.

Perhaps the most important-relevant component to IA-specific risk mitigation is to…

avoid making purely arbitrary-subjective assumptions about circumstances when, where, how, and why particular IA’s are in play and their vulnerability to risk, e.g., fragility, stability, defensibility, and liquidity if-when compromised.

A common denominator to most all IA-specific risk (and, management) is the persistent presence of (global) economic and competitive advantage (legacy free) adversaries, ultra-sophisticated data mining technologies and methodologies, any one of which, by their actions and capabilities, impose consistent risk.

Global Business Risks, Their Changing State

January 29th, 2015. Published under Enterprise risk management.

Michael D. Moberly    January 29, 2015   ‘A blog where attention span really matters’!

World Economic Forum reports, out of necessity, are generally framed in neutral 30,000 foot altitude contexts.  More specifically, the 2015 WEF Risk Report projects ten risk challenges which are likely to materialize in the coming decade. For me, I would be hesitant to catalog those projections as constituting ‘rocket science’.   What is a form of ‘rocket science’ however, is designing and executing viable strategies to, at minimum, mitigate those risks to merge the chasm of pleasing stake/share holders and companies becoming stagnatingly risk averse.

Among the contributors to – framers of the 2015 Risk Report, I suspect consensus was rather easily achieved. There are some important distinctions however that warrant pointing out, which are, through my lens anyway, significant business risks can manifest much more rapidly today, often ‘overnight’, and there are few examples such risks dissipate, even remotely, with equal rapidity. Instead, they persist, fester, and frequently exacerbate in their complexity and volatility, resembling reputation risks.

Should this be a reasonably correct perspective, it leaves me with the notion that, for greater numbers of global business risks, prevention and/or resolution are rapidly becoming increasingly illogical options; instead, temporary (risk) mitigation is the best most can hope for and can viably achieve.

As a strategic aid to unravel this phenomenon further, it certainly would have been useful had the WEF directly addressed their projected business risks in light of the economic fact that today, 80+% of most companies’ value and primary sources of revenue, globally speaking, lie in – evolve directly from intangible assets!

Reputation Risks vs. Public Relations

November 5th, 2014. Published under Enterprise risk management, Fiduciary Responsibility, Reputation risk.

Michael D. Moberly     November 5, 2014   ‘A long form blog where attention span really matters’!

‘Houston, we’ve got a problem’! The problem, in my view, is that there are far too many business decision makers, c-suites, boards, and management teams who persist in framing and seeking resolution to their company’s – businesses’ public persona through a conventional public relations lens and not as, in most instances, they should, through a very nuanced and sector specific reputation risk lens.

There seems to be no end to the number of globally operating companies, irrespective of sector, which have taken substantial ‘direct hits’ to their reputation of late. To be sure, reputation risk is certainly not the exclusive domain of Fortune designated firms. And too, there is no indication the number, or the criticality associated with reputation risks will diminish, at least in the near term.

Relevant U.S. Congressional Committees are consistently geared up for investigatory hearings, and yes, numerous have political underliers. That notwithstanding, they all essentially seek answers to the proverbial questions, i.e., ‘who knew what, when did they know it, and what, if anything, did they do about it upon first learning about it’.

Collectively, this should prompt us to ask, and quite correctly so in my judgment…

  • are these mere public relations issues which presumably can be adequately managed through various conventional and social media platforms and public statements and presumptively dissipate with no long term detrimental – adverse financial and/or competitive advantage effects?
  • or, are adverse acts, events, and/or oversights that materialize, the inevitable outcome of dispersed manufacturing and operational (quality control) failures, which, when they come to light, have a higher probability of manifesting as substantial, long term, and potentially irreversible (semi-permanent) risks to a company’s reputation which conventional public relations initiatives may exacerbate instead of ameliorate?

The intangible asset ‘risk of risks’ is a company’s reputation!

Company reputation is an intangible asset of the first order. So, perhaps it would be useful to say again it is an economic fact that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, competitiveness, and sustainability lie in or evolve directly from intangible assets, of which reputation is one.

Respectfully, I suspect this economic fact may have prompted The Economist Intelligence Unit (EIU) to produce a ‘global risk briefing’ paper titled Reputation: Risk of Risks.

Company reputation is defined (in the Economist’s report) as ‘how a business is perceived by stakeholders, including customers, investors, regulators, the media, and the wider public’. To be sure, a company’s reputation ‘declines when things fall short of expectations’. When not one, but multiple consumers’ – users’ expectations are not met by a company’s products or services, then it’s unlikely comprehensive and long term remediation will come through conventional public relations strategies.

Company reputation is a prized and increasingly valuable, yet vulnerable and even sometimes fragile asset, and the respondents to the EIU survey agreed, stating that sustaining a positive company reputation is a main concern for the majority of risk managers, ahead of, for example…

  • regulatory risk
  • human capital risk
  • IT network risk
  • market risk, and
  • credit risk.

It’s fair to say now that company reputation risk has risen to the level of being a fiduciary responsibility (and concern) that extends well beyond senior risk managers to being permanent fixtures on company management team dashboards, i.e., Stone v. Ritter.

In most instances, companies would be well advised to acquire a deeper appreciation, clarity, and understanding of the asymmetric nature (elements) of reputation risk, which can be summed up as…unsatisfactory (poor) company reputation can rapidly, and oftentimes irreversibly and adversely, affect a company economically and competitively, aside from the embarrassing and probing questions that will be inevitably posed by the media and Congressional Committee members, especially those who have constituent(s) who personally suffered due to a company’s obvious absence of understanding and correcting reputational risks in a timely manner.

Preferably, reputation risks are identified, assessed, and remediation is commenced in a manner that meets or exceeds regulatory agency oversight, statutory requirements and before unwitting consumers die or become injured as a consequence.

As always, readers’ comments are most welcome!

New Drivers of Computer/IT Security: Contributory Value, Materiality, and Risk!

November 4th, 2014. Published under Cyber security, Enterprise risk management.

Michael D. Moberly   November 4, 2014   ‘A blog where attention span really matters’!

Achieving efficiencies by differentiating the information and data being safeguarded…

Setting aside, for the moment, statutory and regulatory mandates, I am increasingly confident the day is quickly approaching (in many instances, it already has, in my judgment) when it becomes impractical for companies to assume the costs and time of installing ever bigger, one size fits all, snap-shot-in-time firewalls and data/information security – protection systems and products to try to thwart the growing numbers of intensely sophisticated and global economic and competitive advantage adversaries and legacy free players, aka hackers.

There are two key and inter-related reasons why I believe this to not only be true, but an inevitability.

First, it is a globally universal and irreversible economic fact that rising percentages – 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, primarily in the form of intellectual, structural, and relationship/social capital and other forms of intellectual property.

Second, data/information generation, storage, and archival needs are continually ratcheting up from megabytes, gigabytes, to terabytes+, particularly in intangible asset intensive and dependent companies and R&D sectors.

So, out of necessity to achieve cost efficiencies and a more specified return on investment, technologies must be developed with heretofore unique capabilities to differentiate company information and data that should receive the maximum IT/computer safeguards, which initially I propose, encompass the following four factors, i.e., the (intangible) asset’s…

  • contributory value to a particular project, product, and/or the company’s mission.
  • continued materiality to a particular project, product, and/or the company’s mission.
  • level of assessed risk to theft, infringement, misappropriation, etc.
  • relevance to a company’s reputation (image, goodwill, brand) etc.

Reputation Risk Cyber Attacks

March 5th, 2014. Published under Enterprise risk management, Reputation risk.

Michael D. Moberly    March 5, 2014    ‘A blog where attention span really matters’.

According to Homeland Security News (March 4th) there is rising anxiety over the possibility of a cyber-attack on the U.S. power grid. In other words, both the private (industry) and government sectors respectively remain insufficiently set up to effectively counter the risks – threats posed by the cyber arena.

The report was produced by a Washington nonprofit called the Bipartisan Policy Center which admittedly did not produce much interest, primarily because there are literally hundreds of such entities ensconced throughout the ever expanding Washington, D.C. circular interstate highway system, many, if not most of which consistently seek notoriety and efficacy based on their presumed expertise and/or sought after endorsements from publicly recognized experts or airplay on C-SPAN.

With respect to this particular report, what did strike me as giving it a higher level of credibility was that it was reportedly led by individuals whom most would agree possess unique insights into the subject matter, i.e., Michael V. Hayden, the former NSA and CIA director and Curt Hébert Jr., a former chairman of the Federal Energy Regulatory Commission.

Readers are respectfully reminded that the U.S. is one of a very few countries in which much of its infrastructure, i.e., utilities, transportation, communication, healthcare, banking, water, etc., is under private sector ownership. So what turned out to be no particular surprise in the report, but still distressing, is that a percentage of these companies remain variously reluctant to share (cyber-security, cyber-attack) information with other companies presumably inside or outside their infrastructure sector.

I understand the rationale behind most such reluctance, that is, to openly share experiential information, the basis for which has been loudly and repeatedly conveyed following the terrorist attacks of September 11, 2001, because it involves the potential for antitrust violations, or merely giving away very expensive and proprietary intellectual and structural capital that delivers competitive advantages, along with numerous other intangible assets.

That said, I am unaware of any disagreement among the more notable players and information sharing advocates (related to cyber-security and attacks) that ‘sharing’ is essential to reducing – mitigating vulnerability which can be accompanied by the wrath, scorn, and certainly reputation risk, all of which will surely materialize and be directed to companies accused of not sharing and/or being out of compliance with cyber-security ‘rules of the day’.

Equally troubling, the report cites, are federal rules intended to safeguard the electric/power utilities from cyber-attack, which, as one example, have a basic flaw, which is, they do not give companies sufficient incentive to continually improve and adapt to ever changing cyber risks and threats.

In my judgment, perhaps the most telling aspects of the report are…

  • public utility commissions are generally well set up to address new problems, presumably risks and threats to their systems and grids for which regulated utilities can add security costs to the expenses which they bill their customers, providing the regulators determine those expenditures to be prudent and warranted. The problem lies, the report says, in the reality that many regulators lack sufficient expertise to make – distinguish these types of judgments.

  • the report also raised the issue that public utility commissioners, who decide which utility expenses are prudent and eligible to be passed on to customers, have trouble determining the value of such (security) investments.

  • outside experts who were not involved with the report, nevertheless, endorsed some of its findings, e.g., Samuel P. Liles, of Purdue University’s Cyber Forensics Laboratory, rather pessimistically characterized risk – threat information sharing best practices as constituting “hit or a miss” propositions.

  • Nadya Bartol, a cybersecurity expert with the Utilities Telecom Council, a trade association of electric and water utilities, said the report was correct in asserting that utilities might not always come forward with helpful information. The reason, she says, is because “if utilities say, ‘I have this vulnerability,’ they may be subject to fines if the cited vulnerability turns out to be a violation.” Too, this circumstance thus may prompt additional hesitation – reluctance to talk about cyber vulnerabilities because, “if a utility puts it out in the public space, it elevates the probability they may get hacked even more.”

As a side note to the general findings of this report, on the morning of September 11, 2001, within minutes of the terrorist attacks on the Pentagon, I received calls from former students who were employed in various agencies in the District of Columbia describing to me in detail, their personal observations of what was occurring. Having military experience myself, and being an ardent researcher in information asset protection strategy, I rather instinctively called an acquaintance whose role was director of security for a super computing environment and asked her if she was observing any potential adverse activity on ‘the grid’.

My concern, and that of thousands of others, was that the attacks at the World Trade Center and Pentagon were possibly forerunners to larger secondary, but perhaps, more expansive ‘cyber attacks’ on the U.S. infrastructure.

Interestingly, the response I received from my super computer security expert was the following, ‘Mike, I don’t know if anything adverse is occurring on the grid, I’m watching CNN, I will get back to you’!

Intangible Asset Risk Assessments: Qualitative vs. Quantitative

February 27th, 2014. Published under Communicating Risk, Due Diligence and Risk Assessments, Enterprise risk management.

 Michael D. Moberly    February 27, 2014   ‘A blog where attention span really matters’.

As most readers of this blog recognize, generally through their personal – professional experiences, assessment and management of (company) risk has indeed become increasingly more complex and multi-faceted, particularly as we endeavor to guide our companies and/or clients through the respective operational, audit, compliance, and budgeting obstacle course.

Throughout this so-called obstacle course, it is likely we will become inclined, at some point, to justify most, if not all of the factors used to assign a reasonably correct ‘risk rating’ to the various business units within our company or that of our clients.

But, and probably rightfully so, more company decision makers are requiring quantitative (data) driven findings to support a particular risk rating. So, no longer can security – risk management practitioners find comfort by focusing their attention almost exclusively on the rather archaic latest zero-day risk materialization or exploitation events. To be sure, that landscape has changed so significantly that we must assume greater responsibilities.

So, in the security, asset protection, and risk-threat assessment and management arena, presenting a risk-threat rating that is simply or solely based on numbers may not result in the best (risk, threat) analysis that we are seeking. Thus, to get closer to arriving at a more accurate understanding of the actual risk-threat level necessary for business strategic planning and decision making, it’s necessary to introduce and factor multiple elements into the risk-threat analysis equation.

Thus, as we more routinely adopt a more inclusive and/or multi-dimensional view toward assessing risks and threats, additional complexity will likely be one outcome, e.g., quantitative and qualitative forms of measurement.

Quantitative risk-threat assessment…

Quantitative risk assessment surfaces as we develop the ability to assign a (specific) dollar amount/value to a specific risk or threat should it materialize. As an example, let’s apply quantitative risk assessment to a healthcare institution.

For simplicity, there are 1,000 confidential patient records and data that reside in a single database. This particular database is directly accessible by a web server which resides in a semi-trusted environment. That, of course, constitutes a vulnerability (risk) in itself, and any compromise of the method in which the web server communicates with the database would likely result in the exposure (compromise) of all 1,000 patient records holding confidential data as conveyed by HIPAA (Health Insurance Portability and Accountability Act).

Too, for discussion’s sake, and to add further complexity, during a recent ‘business impact analysis’ or BIA, it was found that the replacement cost for each compromised patient record would be $30. This cost includes (a.) contacting each patient to inform them of the compromise, (b.) changing each patient’s account numbers, and (c.) printing new health cards.

From this, one can easily determine that the maximum quantitative loss associated with a full compromise of that system is conservatively estimated at $30,000, excluding of course, the inevitable litigation. No doubt, as readers already surmise, there is more to consider. But does quantitative risk always have to ‘map out’ the money (loss or cost) aspects associated with materialized risks-threats? Probably not, because in many instances controls are automated with internally consistent and repeatable numbers being generated that can be used to create an alert dashboard or report directed to business unit managers when breaches or other adverse events occur.

Qualitative risk-threat assessment

Qualitative risk-threat assessment, on the other hand takes a different form. To demonstrate qualitative risk-threat assessment it is important to introduce additional factors, i.e., threat-risk vectors into the above example.

The first is, we learn that the patient database that previously held 1,000 records will now hold 10,000 records, possibly rising to 500,000 patient records. We also learn that (a.) multiple groups and/or business units within the healthcare institution will have access, and (b.) the capability to modify patient records, and (c.) the database/system will now come under the control of a different unit, i.e., the company’s Operations Group.

Obviously, substantive changes like this elevate – bring additional complexity to the risk-threat assessment we are endeavoring to calculate. To add yet another layer of complexity to our risk-threat analysis, we are informed by the audit unit that the data in the database is (d.) neither encrypted in transit to the web server nor at rest on the database. The coup de grace follows with the audit unit giving exactly ninety days to document and remediate this adverse set of circumstances, i.e., risks, threats, vulnerabilities, because, as it stands, this healthcare institution’s IT system is not in compliance with HIPAA. Collectively, the additional factors serve to expand the risk-threat equation.

Now that these vulnerabilities (risks, threats) are known to exist relative to the institution’s IT system, the next steps involve (a.) linking costs to any actual compromise, i.e., the materialization of a risk-threat or vulnerability being exploited, and also determining (b.) the probability that a specific or possibly multiple vulnerabilities that have been identified will be discovered and adversely exploited by bad actors, or (c.) a single vulnerability materializing and cascading throughout the IT system.

Assessment process…

The assessment process commences by examining the cost(s) associated with potential compromises, as (a.) single acts, (b.) as multiple acts occurring simultaneously, and (c.) the potential for adverse cascading effects throughout the institution, well beyond perhaps the IT system itself.

Because we now know there may be in excess of 500,000 confidential patient records stored on the database, it’s often prudent to consider – factor absolute worst-case scenarios, i.e.,

500,000 records X $30 remediation cost per record = $15 million.

In most any company’s perspective, the possibility of $15 million being ‘at risk’ is significant. One problem associated with relying solely on this formula is that it is largely one-dimensional. In other words, just because a bank has $100 million in cash in its vault does not mean that the money could be easily stolen from the vault.

So, being prudent security – risk management professionals, we must have other ways in which to assign a particular level of risk to a particular vulnerability that fully considers multiple (known) risk factors, not just one, or absent the possibility multiple risks could materialize in some manner of sequence and cascade. Such added (risk-threat-vulnerability) complexities should prompt practitioners to re-visit qualitative risk ratings.

One reason is because many companies, organizations, and institutions learn there is a necessity to have multiple, perhaps three to five qualitative risk levels which may be addressed in relatively simple, but in my view, ambiguous terms like low, medium and high.

Sources for quantitative and qualitative data…

Based on my own experiences, the information and insight that I, and many other security – risk management professionals, use for quantifying probabilities for risk-threat materialization is acquired from such sources as (a.) penetration tests, and (b.) vulnerability scanners.

Generally, these sources produce good and relevant information, but it’s important to acknowledge that it may be far from delivering the necessary complete risk-threat-vulnerability picture because either can, and frequently does, change rapidly and routinely. Consequently, in addition to conventional risk-threat-vulnerability assessments, each must be routinely monitored for the inevitable changes. A critical part of which is internal, that is, information about the activities of legitimate and authorized users of the IT systems, i.e., such things as where do they go, what do they do, what do they click on, etc.

Welcome inspiration for this post is gratefully attributed to Stephen Sims of the SANS Institute.

Pharmaceutical Company’s ‘Futures Market’ for Reputation Risk

February 6th, 2014. Published under Enterprise risk management, Reputation risk.

Michael D. Moberly    February 6, 2014   ‘A blog where attention span really matters’.

Pharmaceutical company’s ‘futures market’ for reputational risk, kicking the ‘reputational risk can down the road’.

As regular readers of this blog know, I am an intangible asset strategist and risk specialist who also has a strong interest in most ‘all things intangible’ including offering guidance to companies to avoid incurring potentially costly and with increasing frequency, irreversible reputational risks.

I am also an ardent NPR (National Public Radio) listener. Recently I listened to an NPR program, i.e., The Diane Rehm Show, in which three well versed guests variously addressed, from their respective perspectives, the subject of ‘low testosterone’ for men, of course with the benefit of Ms. Rehm’s formidable probing questions.

During the program, while listening to Ms. Rehm’s questions and the responses and remarks made by her guests, it occurred to me that pharmaceutical drug pitches, now well embedded in every media marketing format, may collectively constitute, for lack of a better term, a ‘futures market’ for reputational risk to ‘big pharma’.

My point is this, there are potential (future) reputational risks these media campaigns may pose to pharmaceutical companies in terms of influencing viewers/readers, i.e., men, to ‘self diagnose’ based on a generalized check list of physical and emotional symptoms someone has deemed to be associated with men experiencing low testosterone.

So, prompted no doubt, in large part, by the significant rise in prescriptions being written for drugs marketed as elevating or balancing men’s testosterone levels as necessary to mitigate or relieve men of the symptoms the media advertisements have associated with men experiencing ‘low T’. Now, we learn there are various research entities, including the FDA, which have identified specific adverse side effects to consuming these drugs by men, several of which may rather obviously outweigh the benefits, e.g., elevating one’s vulnerability to incurring a heart attack in the initial 70+ days of taking the drug.

To bring more clarity to my question, are pharmaceutical companies that engage in media – marketing presentations aimed at producing not so subtle subliminal inclinations for viewers to (a.) self-diagnose based on the laundry list of symptom descriptors, and (b.) actually seek these ‘recommended’ therapies from their physician, positioning (auctioning) themselves to incur future reputational risks in favor of more immediate revenue generation and profit making?

Too, one must ask about skillfully created media messages that portray a particular disease as perhaps being more prevalent than it really may be, which prompt me to reconsider the old adage of ‘the tail wagging the dog’, or, are drugs being manufactured in search of a disease?

The intent seems rather evident, that is to (a.) elevate awareness linked with readily understood symptoms, in order to (b.) create a broader market demand for the drug, when again, the health benefits or adverse complications are yet to be fully understood.

I claim to possess no insight or medical background to make any medical judgments on this matter. However, through my lens as an intangible asset strategist and risk specialist with strong interest in objectively elevating operational familiarity about corporate reputation risks, I find this, and other similar circumstances, akin to ‘kicking the reputation risk can down the road’. That is, profitability now and costly reputation risk tomorrow, should this or other drugs be found or confirmed to be more physically or emotionally detrimental than what’s being conveyed in the media marketing disclaimers.

Entrepreneurs and Patents…

June 22nd, 2013. Published under Due Diligence and Risk Assessments, Enterprise risk management., Intangible asset protection. 1 Comment.

Michael D. Moberly    June 21, 2013     ‘A blog where reader attention span matters’.

There are an infinite number of interpretations of what is routinely referred to as ‘the American dream’ and an equal number of paths to achieve it. The notion of ‘the American dream’ has certainly become embedded in political rhetoric, as one need only watch C-SPAN and listen to countless elected politicians consistently apply those three words to produce – elicit a myriad of emotions, imaginations as well as anger and frustration among their so-called target audience at the time. The lingering effects of the 2008 economic recession are still very much evident in most sectors as many Americans and certainly citizens in numerous other countries struggle to find sustainable paths to surface from their own economic breakdowns. Collectively, these persistent downturns have made first, retaining, and second, re-achieving ‘the American dream’, however one wishes to personally characterize it, elusive.

But, this piece is not about painting a new or conventional portrait of ‘the American dream’, rather it’s about the one twentieth of one percent of those individuals engaged in entrepreneurism and R&D who are seeking their version of ‘the American dream’ which often commences with making application for and hopefully having a patent issued for their work and achievement.

Due largely to the nature of my business consultancy, I encounter entrepreneurs of all stripes engaged in some truly remarkable endeavors. These very purposeful encounters over the years have led me to conclude that while there are numerous rationales for entrepreneurs to seek a patent for their idea – innovation, one rationale seems to repeatedly surface, which is, seldom are they familiar with, nor have they been apprised of, options or alternatives to the ‘conventional patent route’. Instead, I often characterize entrepreneurs as being singularly focused on seeking and securing conventional intellectual property, i.e., a patent.

There’s little doubt, being in a position to seek and possibly secure a patent is indeed a privilege and achievement which very few others can put on their resume. Further, in many instances, obtaining an issued patent will shine a well deserved light on one’s expertise and assign instantaneous credibility, short-lived as it ultimately may be, among colleagues, peers, and even competitors.

Too, once a patent is issued it provides the holder with well deserved grounds for expressing pride in their labors, which in many instances have evolved over many years, depending on the product, testing, re-testing, etc. Of course some do so in a singularly boastful manner while others are far more humble and even self-deprecating in their characterizations.

But, I often find it puzzling, particularly with individual entrepreneurs, who, for the most part are very thorough, objective, and ‘driven’ researchers, why and how they readily gravitate to ‘going the patent route’ versus taking time to genuinely explore perhaps just as viable alternatives and/or options.

What stands out among the countless entrepreneurs I have had the pleasure of meeting over the past 25+ years is their seemingly innate penchant for ‘going the patent route’ while conveying little if any awareness or interest in exploring alternatives to safeguard and commercialize their innovation against the realities of the increasingly predatorial global business environment in which any idea, patented or otherwise, is in a constant state of risk of infringement, misappropriation, theft, counterfeiting or being a target of economic espionage.

As readers know well, there are numerous variables and influences that come to bear on entrepreneurs with respect to the path they choose for safeguarding and commercializing their original idea.  Aside from the demands made by would-be investors, including venture capitalists, angel investors, etc., one influential variable, I’m quite confident, even though I have never heard it specifically expressed in these terms, is that ‘idea holders’ opt for the patent route because they mistakenly assume that if/when a patent is issued, the stewardship, oversight, and management of their intangible asset (idea, innovation) becomes magically guaranteed, thereby relieving them of absolutely essential chores, which of course, is simply not the case!

I respectfully and admiringly recognize that possessing an issued patent represents for many entrepreneurs the ultimate ‘brass ring’, if you will, that will define, in many instances, one’s professional career. Any assumption though that ‘going the patent route’ is the only option to achieve the necessary protection, and thus serve as the singularly best path to successful commercialization of an idea and possible profitability, is one that numerous professions and institutions wish to preserve and are not so courteous to those who want entrepreneurs to at least be exposed to equally viable alternatives. To be sure, part of the challenge lies in the reality that there is no intangible asset strategist available to objectively articulate viable alternatives and objectively describe, with no malice, the reality that all forms of intellectual property, i.e., patents, trademarks, and copyrights, have been the victim of some major hits in the past 20 years.

Let’s be clear, intellectual properties, i.e., patents, trademarks, copyrights, etc., are merely one type or category of intangible asset. The primary difference is that a patent, once issued by the U.S. Patent and Trademark Office (USPTO) or other countries’ counterpart, will assume a tangible/physical property only insofar as the issuance letter one receives, which can be framed and hung on an office wall as a testament of one’s persistent and challenging work.

Too, I suspect, respectfully so, that deference is often attached to patent (only) strategies by entrepreneurs due to the time honored, but flawed assumption that an issued patent conveys a more personal sense of ownership and certain legally defensible rights of protection, technically speaking, over say, a trade secret.

Too, a constant source of nourishment to ‘patent only’ strategies is the widely held, but mistaken assumption that an issued patent constitutes a standalone deterrent to, or safe harbor from, would-be infringers, misappropriators, counterfeiters, and economic espionage in general. To that I say, in today’s increasingly aggressive, globally predatorial, and winner-take-all R&D and business transaction environments, ‘idea holders’ can be assured that depending on the nature and subject matter of their patent, it will likely be in a constant state of risk from a host of legacy-free players, independent (information) brokers, and certainly state-sponsored entities engaged in economic (industrial) espionage.

Some years ago, I would characterize/frame the likelihood that an entrepreneur’s idea, innovation (or patent) would be stolen, infringed, or counterfeited, etc., in the context of probabilities. Since the early 2000’s, I believe I have taken a wiser and more reasoned and realistic approach by framing such likelihoods, not as mere probabilities, rather as inevitabilities if relevant precautions and safeguards are not taken that extend beyond the presumptive deterrents and safeguards in conventional intellectual property.

Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of my posts, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction.  I always welcome your inquiry at 314-440-3593 or m.moberly@kpstrat.com

Intangible Assets…Prosecuting Theft – Misappropriation!

December 28th, 2012. Published under Enterprise risk management., Insider Theft of IP and Intangible Assets. No Comments.

Michael D. Moberly    December 28, 2012

An intriguing question was posed by Stuart Green, a Rutgers law professor, in a New York Times article (March 28, 2012), in which he frames in a very ‘forward looking’ manner whether the terms theft and/or stealing actually fit today’s business circumstances. That is, when a company’s most valuable assets likely to be stolen, misappropriated, or infringed are intangible (non-physical), in the form of intellectual, structural, and relationship capital, will the conventional (prosecutorial) definition and/or application of theft and/or stealing fit? Or, do (will) prosecutors, to maximize court understanding, find it necessary to portray intangible assets in a tangible context?

This question, in my view, should not be misinterpreted as merely constituting an issue that best belongs in a law school lecture hall espoused as merely legal theory. Rather, in my view, it actually underlies an important aspect to a company’s ‘sustaining control, use, ownership and monitoring the value, materiality, and risk’ to their intangible assets. In that sense, it should carry considerable relevance to the responsibilities associated with CSO’s (chief security officer), CIPO’s (chief intellectual property officer), CISO’s (chief information security officer), CTO’s (chief technology officer), CRO’s (chief risk officer), and corporate legal counsel alike.

Having developed and taught various asset protection courses in a university criminology department for 20 years, I can attest it’s widely recognized that acts of theft and/or stealing of ‘property’ have conventionally been taught and interpreted to mostly involve tangible-physical assets or property, with intangible (non-physical) assets seldom, if ever, being addressed.

I suspect some readers, particularly those in the security – asset protection profession, may find this question unnecessary, or perhaps worse, opening a much unwanted ‘legal can of worms’.

For a significant percentage of prosecutors, and presumably the music and film industries too, I assume they would prefer, and are quite willing to devote the necessary resources to ensure the relevant (criminal justice) institutions continue applying the conventional and time-honored language, i.e., (a.) an individual or entity acquires (takes) property belonging to another, (b.) without their permission, and (c.) with the intent to permanently deprive the rightful owner of its use. Or, what Professor Green and others characterize as a ‘zero sum game’.  That is, one party loses an asset (property) rightfully belonging to them, while another party gains that asset or property.

In other words, there is no significant distinction between tangible and intangible assets when it comes to theft and/or misappropriation.

However, in the current knowledge – intangible asset dominated global (business, transaction) economy in which, conservatively speaking, 65+% of most companies’ value and sources of revenue lie in – evolve directly from intangible assets, it does beg the legal question: can those conventional, time-honored definitions regarding theft, misappropriation, and infringement be consistently applied to non-physical (intangible) assets, or will challenges be forthcoming?

To add complexity, but, perhaps reality to this position, Professor Green suggests, when particular types/categories of intangibles are stolen, the rightful owner is likely to retain some use of those assets, albeit perhaps in a depreciated and/or undermined form insofar as reduced value and fewer sources of revenue. Had, for example, music, video-based assets not been illegally downloaded, they presumably would have delivered greater sources of revenue to the rightful holder, i.e., artist, copyright holder, producer, etc.

The reality is, as readers know well, companies are producing, acquiring, and inventing significantly fewer tangible or physical assets today in favor of assets which are more likely to be intangible and non-physical. So how does this globally universal and irreversible circumstance mesh with the conventional perspective of prosecutorial ‘zero sum game’ relative to (asset, property) theft and stealing?

As we know, various courts and legislative bodies have adjusted some of the conventional language found in theft and misappropriation statutes to accommodate growth in intangibles. Thus, has the time come, as Green posits, for specialized legal doctrines to be developed to specifically reflect the theft, misappropriation, infringement, and counterfeiting of intangible assets and its subset, intellectual properties, i.e., patents, trademarks, copyrights, etc.?

Actually, in the mid-1960’s, some would-be reformers of criminal law became frustrated with how courts and legal practitioners were endeavoring to distinguish tangible and intangible property. One outcome of their frustration was that the American Law Institute developed a ‘model penal code’ which essentially defined property as constituting ‘anything of value.’ Personally, I remain unconvinced this was the most appropriate way to handle this problem. Admittedly though, in 1962, intangible (non-physical) assets were hardly part of mainstream business or legal vocabulary.

On a relevant note, a trust and estate attorney I met recently was asked about how she intended to address intangible assets clients had accumulated when drafting trusts, wills, or estate documents. The attorney expressed virtually no interest, nor seemingly a clue about how to identify, unravel, value, divide, or incorporate intangible assets in a will or trust other than to characterize them merely as issues which were referred to accountants, but only for asset valuation which she would accept without challenge. This perspective prompted me to wonder if this attorney was indeed operating in the 21st century, or perhaps worse, had her clients’ best interests in mind, and worse, understood intangible assets at all.

Today, of course, intangible asset intensive – driven businesses have sprouted globally, brimming with all forms of intellectual, relationship, and structural capital, intellectual properties, brands, and reputation interests, each of which play critical economic and competitive advantage roles relative to a company’s profitability, sustainability, and growth potential.  So, if intangibles are not addressed in wills, estates, and trusts, it’s quite possible there will be many opportunities for same to be contested and challenged, thereby minimizing the significance attached to otherwise well constructed documents.

So, for me, and my colleagues in the information asset protection and insider threat – risk arena, it seems, the more engaged we become in intangible assets and businesses and transactions in which intangibles are routinely in play, the more complex and broader the dilemma becomes.

This post was inspired by, and adapted by Michael D. Moberly from, a piece authored by Stuart P. Green published in the NYT on March 28, 2012.


Privacy In Social Media Apps: A Valuable Intangible Asset…!

December 13th, 2012. Published under Enterprise risk management., Fiduciary Responsibility. No Comments.

Michael D. Moberly   December 13, 2012

The assurance of privacy for social networking apps is a valuable, competitive advantage driving intangible asset that should be integrated before launch and certainly not dismissed or squandered!

As an admitted intangible asset advocate and strategist, I consider personal privacy, and I mean real and consistent personal privacy, not just the sort conjured in legalese as a ‘check the box’ prelude to joining a social networking platform, an incalculably valuable intangible asset that, unfortunately, some ‘app’ developers appear to be squandering and/or ‘turning a blind eye’ to in an effort to achieve near term revenue streams.

What’s really being squandered when such technological indiscretions occur is consumers’ presumptive trust, the company’s reputation, and its relationship capital. Each is an intangible asset, and each has significant value, but, when those assets experience erosion and/or undermining, i.e., user privacy did not appear a primary factor in the app’s development, substantial reputational, financial, and market space losses can materialize very rapidly.

Here’s just one example, probably among thousands, which I believe goes to the heart of the issue. Parker Higgins highlighted a privacy problem in the Electronic Frontier Foundation’s blog (March 8, 2012), i.e., how apps need to respect user privacy rights from the start.

In the post, Higgins describes a Texas developed app that facilitates ‘ambient social networking’. Translated, that means the app runs in the background of one’s phone collecting and sharing location data, etc., and then notifies the user when their friends and/or others with shared interests are in proximity, thus enhancing serendipitous meetings.

I am certainly not suggesting these types of apps are inherently wrong or necessarily violate the increasingly tenuous and blurred presumptions of privacy app users have some right to expect. After all, one must willingly purchase the app, therefore buyers/consumers presumably understand (are forewarned about) the app’s features and its often requisite connection to other social networking sites.

As Higgins quite correctly points out though, it certainly doesn’t require much imagination to foresee how sending a steady stream of data and information of all types to a third party, that may not have a (personal) privacy or data retention policy in place, can, and therefore, as the number of users increases, will inevitably give rise to a host of potentially significant personal privacy issues, particularly when the primary target market for the apps is children.

So, I reiterate, personal privacy, presumed or not, is, in my view, an extremely valuable, yet very fragile form of intangible asset and should be treated as such.

There is no question, if I were a board member or shareholder of an app developing firm, I would make every effort to obligate management (app development) teams to consider ‘personal privacy’ as being integral, if not a fiduciary responsibility to app development and not just ‘play fast and loose’ with app privacy features, and instead incorporate it as a real (business, added value) intangible asset!

The personal privacy issues Higgins and I claim are being dismissively disregarded bring to the forefront, as they are today, a larger problem in app development, which is, initially building and marketing a ‘minimum viable product’ only to see how it’s received by niche consumers, and then adding personal privacy features later. But, cutting personal privacy corners that are likely to undermine the relationship capital, trust, and reputation that are essential for the app sector’s sustainability is, to be sure, much more than mere shortsightedness. As aptly noted by Marissa Levin (Successful Culture Blog), in a lifetime that has become largely ‘app driven’, we also must consider safeguarding the humanity of our companies!
