This document discusses risk management practices and their application to intellectual property management and trade secret management. It presents frameworks that IP managers can use for risk management, including OECD principles, open-source standards, normative risk standards, academic publications, and commercial consultancies. The document analyzes how risk is addressed in the DIN 77006, ISO 31000, ISO 9001, and ISO 56005 standards and identifies 26 risk themes. It proposes a potential structure for an intellectual property risk management framework based on harmonizing aspects of these various standards and frameworks.

1. Risk Management Practices
and their applications in
Intellectual Property Management
and Trade Secret Management
Master Thesis
Intellectual Property Law and Management, 2022,
University of Strasbourg
1
Dr. Shu-Pei Oei
European Patent Attorney
In-house Patent Counsel

2. What is Risk Management for today’s IP Manager?
Trade Secret Theft?
MIPLM 2022 | CEIPI | Shu-Pei Oei © 2

3. What Frameworks are available from which
today’s IP Manager can operate?
❑ OECD Principles of Corporate Governance
❑ Open-Source Standards
❑ Normative Risk Standards
❑ Academic Publications
❑ Commercial Consultancies
MIPLM 2022 | CEIPI | Shu-Pei Oei © 3

4. ❑ OECD Principles of Corporate Governance
Principle VI.D.1 (OECD (2015) Principles of Corporate Governance
“An area of increasing importance for boards and which is closely related to corporate
strategy is oversight of the company’s risk management.
Such risk management oversight will involve oversight of the accountabilities and
responsibilities for managing risks, specifying the types and degree of risk that a
company is willing to accept in pursuit of its goals, and how it will manage the risks it
creates through its operations and relationships. It is thus a crucial guideline for
management that must manage risks to meet the company’s desired risk profile.”
MIPLM 2022 | CEIPI | Shu-Pei Oei © 4

5. ❑ Open Source Standards
Open Compliance and Ethics Group (OCEG) Governance, Risk and Compliance (GRC) Capability Model:
Principled Purpose
“A principled purpose is perhaps the most basic starting point for principled performance.
Defining your highest purpose via mission, vision and values guide everything that the
organization does.”
Principled People
“Leadership, the workforce and extended enterprise must comprise principled people who
have strong character, and who consistently direct their energies toward a principled
purpose.”
Principled Pathway
“Break down silos and leverage common capabilities in every key system that keeps an
organization on track including governance, strategic management, performance
management, risk management, compliance management and audit management systems.”
MIPLM 2022 | CEIPI | Shu-Pei Oei © 5

6. ❑ Academic Publications
❑ Commercial Consultancies
❖ Provide Transitions from Traditional Risk Management to IP Risk Management.
❖ Wide Range of Views on what constitutes IP Risks.
❖ Reference to the ISO 31000 risk standard varies.
https://www.linkedin.com/pulse/what-correct-standard-ip-risk-management-donal-o-connell/
Cheung, Benny C.F. & Wang, W.M. & Xu, X. & Willoughby, Kelvin. (2014). A Knowledge-Based System for
Assessing and Managing Intellectual Property Managerial Risks for Small-and-Medium Sized
Technological Enterprises. International Journal of Intellectual Property Management. 7.
10.1504/IJIPM.2014.062795.
MIPLM 2022 | CEIPI | Shu-Pei Oei © 6

7. ❖ A Generic Risk Management Standard exists – ISO 31000:2018.
❖ There is no IP Risk Management standard.
❖ There are 2 separate IP management standards - The DIN 77006 & The ISO 56005
ISO 31000:2018
Listed under Biography in ISO 9001: 2015
ISO 9001:2015
Listed as Normative
reference in
DIN 77006:2020
ISO
56005:2020
IP Management Standards
DIN
77006:2020
Innovation
Management
Approach
Quality Management
Approach
Risk Management Approach
❑ Normative Risk Standards
MIPLM 2022 | CEIPI | Shu-Pei Oei © 7
“the distilled wisdom of people with expertise in their subject matter and who know the needs of the
organizations they represent”. - International Standards Organization

8. Risk Management is part of Governance & Compliance
.
Accountability,
Integrity,
Independence
Financial Risks
& Costs
Operational &
Non-Financial
Risks
Compliance
with Local Laws
Quality
Management
To public, private
stake holders,
tax payers,
shareholders
Credit, liquidity, or
market risks, impact
on credit ratings
M& A,
Valuation
IT, Outsourcing,
environmental, health
and safety risks
Jurisdictions,
Regulations, Courts
Internal or
Independent audits
for monitoring
financial and
operational risks
Given the rise in share of intangible assets in organizations (Ocean Tomo, 2020),
IP risk Management MUST logically, also be a part of Governance & Compliance.
Ocean Tomo: https://www.oceantomo.com/intangible-asset-market-value-study/
MIPLM 2022 | CEIPI | Shu-Pei Oei © 8

9. What could an IP Risk Management Framework
(IPRMF) look like?
❑ On which IP management standard could
the IPRMF be based?
❑ Where do existing IP management
standards stand on risk management?
❑ Are they harmonised with the ISO 31000
risk standard?
❑ Are their risk teachings harmonised with
each other?
MIPLM 2022 | CEIPI | Shu-Pei Oei © 9

10. Methodology:
Basis:
DIN 77006
Identify risk themes
Compare
Determine if
Terminology and
Concepts are
harmonised
Start
End
ISO 31000
ISO 9001
ISO 56005
Compare
Terminology
Harmonised
Similar
Unsupported
Contradictory
Basis:
DIN 77006
Compare
Concept
Harmonised
Easily Inferred
Not easily inferred
Contradictory
Complementary
Unsupported
ISO 31000
ISO 9001
ISO 56005
End
Overview
Granular
MIPLM 2022 | CEIPI | Shu-Pei Oei © 10

11. Results
❑ Risk mentioned 44 times in
the DIN 77006
❑ 26 Risk Themes in the DIN
77006
Harmonised
Easily Inferred
Not easily inferred
Contradictory
Complementary
Unsupported
MIPLM 2022 | CEIPI | Shu-Pei Oei © 11
(Thesis pages 19 to 55).

12. 🗸
🗸
An IPRMF could be based on the DIN 77006
since it is the broader than the ISO 56005,
and due to existing harmonisation with the
ISO 9001 & ISO 31000.
In terms of risk teachings, the DIN77006 is
largely harmonised with the ISO 31000, but
not with the ISO 56005.
What could an IP Risk Management Framework
(IPRMF) look like?
MIPLM 2022 | CEIPI | Shu-Pei Oei © 12

13. Selected Highlights from study of 26 Risk Themes
FRAMEWORK
Design
Implementation
Evaluation
Improvement
PDCA
PROCESS
Risk Assessment
Risk Treatment
Monitoring
& Review
Recording &
Reporting PDCA
IP RISK TREATMENT
Formulate &
Select
Plan & Implement
Assess
Effectiveness
Decide
Take Further
Treatment
PDCA
1. Plan-Do-Check-Act (PDCA)
▪ Central to DIN 77006 & ISO 9001.
▪ Terminology not explicitly used, but
easily inferable throughout the ISO
31000.
▪ But not in the ISO 56005.
MIPLM 2022 | CEIPI | Shu-Pei Oei © 13

14. Selected Highlights From study of 26 Risk Themes
3. Definition of Risk
DIN 77006 ▪ Effect of Uncertainty
▪ Effect - Positive or
Negative
ISO 31000 ▪ Effect of Uncertainty
on objectives
▪ Effect- Positive or
Negative or both.
16. Definition of IP Risk Management
17. Sources of IP Risk Management
18. Sources of IP Risks
19. Examples of IP Risk Management
20. Examples of IP Defence
2. Divergence in the DIN 77006 & ISO 56005
MIPLM 2022 | CEIPI | Shu-Pei Oei © 14

15. (1) SCOPE
(2) NORMATIVE
REFERENCES
(4) CONTEXT
(5) LEADERSHIP
(6) PLANNING
(7) SUPPORT
(8) OPERATION
(9) PERFORMANCE
EVALUATION
(10)
IMPROVEMENT
(3) TERMS &
DEFINITIONS
(1) SCOPE
(2) NORMATIVE
REFERENCES
(4) PRINCIPLES
(5) FRAMEWORK
(6) PROCESSS
(5.2) LEADERSHIP &
COMMITMENT
(5.3) INTEGRATION
(5.4) DESIGN
(5.5)
IMPLEMENTATION
(3) TERMS &
DEFINITIONS
(5.7) IMPROVEMENT
(6.2) COMMUNICATION
& CONSULTATION
(6.3) SCOPE,
CONTEXT, CRITERIA
(6.4) RISK
ASSESSMENT
(6.5) RISK TREATMENT
(6.6) MONITORING &
REVIEW
(6.7) RECORDING &
REPORTING
ISO 31000 ISO 9001
P
D
C
A
(5.6) EVALUATION
?
?
?
?
?
?
?
?
Structure of the ISO 31000
vs High-Level Structure
(HLS) of the ISO 9001
Figure 1, ISO 31000:2018
MIPLM 2022 | CEIPI | Shu-Pei Oei © 15

16. (1) SCOPE
(2) NORMATIVE
REFERENCES
(4) CONTEXT
(5) LEADERSHIP
(6) PLANNING
(7) SUPPORT
(8) OPERATION
(9) PERFORMANCE
EVALUATION
(10)
IMPROVEMENT
(3) TERMS &
DEFINITIONS
(1) SCOPE
(2) NORMATIVE
REFERENCES
(4) PRINCIPLES
(5) FRAMEWORK (6) PROCESSS
(5.2) LEADERSHIP &
COMMITMENT
(5.3) INTEGRATION
(5.4) DESIGN
(5.5)
IMPLEMENTATION
(3) TERMS &
DEFINITIONS
(5.7) IMPROVEMENT
(6.2) COMMUNICATION &
CONSULTATION
(6.3) SCOPE,
CONTEXT, CRITERIA
(6.4) RISK
ASSESSMENT
(6.5) RISK TREATMENT
(6.6) MONITORING &
REVIEW
(6.7) RECORDING &
REPORTING
ISO 31000 ISO 9001
P
D
C
A
(5.6) EVALUATION
Structural Integration of
the ISO 31000 with the
ISO 9001 using
“10 principled pathways”
of integration
Thesis: Pages 65 to 67
From Risk Management
Quality Management
to
MIPLM 2022 | CEIPI | Shu-Pei Oei © 16

17. 1. PDCA Cycle
2. Assessing Risks and Opportunities as Part of Planning
3. Process- Oriented Approach
4. Risk-Based Thinking
5. The Definition of “Risk”
6. The relationship between “Risks and Opportunities”
7. Addressing Risks and Opportunities as the Purpose of Management
8. Address Risks and Opportunities to achieve Continual Improvement
9. Aims of Actions to Address Risk and Opportunities"
10. Risks and Opportunities for Products and Services
11. Leadership and Commitment by Top Management"
12. Impact on Value Creation
13. Integration with other Processes
14. Scope
15. Role of the Organization
16. Definition of IP Risk Management
17. Sources of IP Risks
18. Examples of IP Risk Management
19. Examples of IP Defence
20. Understanding Needs and Expectations of
Employees and Interested Parties
21. Analysis and Evaluation
22. Management Review
23. Risk Minimalization as Essential
24. Hazards
25. Documenting the Risk Assessment Optional
26. Non-Conformity and Corrective Action
(1) SCOPE
(2) NORMATIVE
REFERENCES
(4) CONTEXT
(5) LEADERSHIP
(6) PLANNING
(7) SUPPORT
(8) OPERATION
(9)
PERFORMANCE
EVALUATION
(10)
IMPROVEMENT
(3) TERMS &
DEFINITIONS
(6) PROCESSS
(6.2) COMMUNICATION
& CONSULTATION
(6.3) SCOPE, CONTEXT,
CRITERIA
(6.4) RISK ASSESSMENT
(6.5) RISK TREATMENT
(6.6) MONITORING &
REVIEW
(6.7) RECORDING &
REPORTING
ISO 9001
P
D
C
A
26 Risk Themes
5, 24
12
11, 20,
23
14, 15
2, 6, 7,
9, 10
13
21, 22,
25
8, 26
16, 17,
18
19
1, 3, 4
INTRODUCTION
(1) SCOPE
(2) NORMATIVE
REFERENCES
(4) PRINCIPLES
(5) FRAMEWORK
(5.2) LEADERSHIP &
COMMITMENT
(5.3) INTEGRATION
(5.4) DESIGN
(5.5) IMPLEMENTATION
(3) TERMS & DEFINITIONS
(5.7) IMPROVEMENT
ISO 31000
(5.6) EVALUATION
INTRODUCTION
IP
… with 26 Risk
Themes
MIPLM 2022 | CEIPI | Shu-Pei Oei © 17

18. (5.1.2) IP
Strategy
(6.1.2) IP
Risk Management
(8.4.2) IP
Generation
(8.4.5) IP
Transactions
(8.1) IP
Administration
(8.4.3) IP
Enforcement
(8.4.4) IP
Defence
(7.3) IP
Awareness
(9.3.1) IP
Reporting
IP
Research & Analysis
IP
Risk Management
IP
Generation
IP
Acquisition
IP
Maintenance
IP
Exploitation
IP
Landscaping
IP
Risk Management
IP
Creating
IP
Portfolio
IP
Commercialisation
IP
Acquisition
IP Management that
contributes to Innovation
Management
(ISO 56005 Fig. 1)
IP Management
(ISO 56005 Fig. 3)
IP Processes
(DIN 77006)
IP
Strategy
Structural
Integration of the
DIN 77006 with the
ISO 56005
❑ Differences in
terminology
❑ Inconsistencies
within the ISO
56005
Unified Understanding
of IP Management
Solves
to
MIPLM 2022 | CEIPI | Shu-Pei Oei © 18

19. Open-Source Standards
OECD
DIN 77006
ISO
56005
ISO 9001
ISO
31000
IP Risk Management Framework
based on the ISO 31000, ISO 9001, DIN 77006 (& ISO 56005)
MIPLM 2022 | CEIPI | Shu-Pei Oei © 19

20. PLAN
DESIGN
Leadership and
Commitment
IP Risk Assessment
PRINCIPLES
FRAMEWORK
DO
IMPLEMENTATION
CHECK
EVALUATION
ACT
IMPROVEMENT
Scope, Context
Criteria
IP Risk Treatment
Risk Identification
Risk Analysis
Risk Evaluation
Recording &
Reporting
PROCESS
Monitoring &
Review
Communication
&
Consultation
PLAN
DESIGN
DO
IMPLEMENTATION
CHECK
EVALUATION
ACT
IMPROVEMENT
Integration
Formulate &
Select
Plan & Implement
Assess
Effectiveness
Decide
Take Further
Treatment
Achieves Combination of
Risk Management and
Quality Management
Visualisation of the
ISO 31000 integrated
with the ISO 9001
MIPLM 2022 | CEIPI | Shu-Pei Oei © 20

21. Visualisation of IP Risk
Management Framework
(DIN 77006 centric approach)
DIN 77006, 0.4 PDCA Cycle
MIPLM 2022 | CEIPI | Shu-Pei Oei © 21

22. What other Risk Standards are applicable to IPRM?
IP
Strategy
IP
Risk
Management
IP
Awareness
IP
Administration
IP
generation
IP
Enforcement
IP
Defence
IP
transactions
IP
Reporting
Yes
(Y)
Potential
(P)
No
(N)
ISO 31000:2018 Risk management — Guidelines y y y y y y y y y 9 0 0
ISO/IEC 31010:2019 Risk management — Risk assessment techniques y y y y y y y y y 9 0 0
ISO 31073:2022 Risk management — Vocabulary y y y y y y y y y 9 0 0
ISO 31022:2020 Risk management — Guidelines for themanagement of legal risk y y y y y y y y y 9 0 0
ISO/IEC 27005:2018
Information technology — Security techniques — Information security risk
management y y y y y y y y y 9 0 0
ANSI B11.19-2019
PerformanceRequirements for Risk Reduction Measures: Safeguarding and other
Means of Reducing Risk y y y y y y y y y 9 0 0
SA/SNZHB 89:2013 Risk management - Guidelines on risk assessment techniques y y y y y y y y y 9 0 0
GB/T27921-2011 Risk management--Risk assessment techniques (TEXTOF DOCUMENTIS IN CHINESE) y y y y y y y y y 8 0 0
SIS-ISO/TR 18128:2015
Information and documentation - Risk assessment for records processes and systems
(ISO/TR 18128:2014, IDT) (Swedish Standard) n y n y y y y y y 7 0 2
DS/EN 62198:2014 Managing risk in projects - Application guidelines p y p p y y y p y 5 4 0
IEC 62198 Ed. 2.0 b:2013 Managing risk in projects - Application guidelines p y p p y y y p y 5 4 0
ANSI/ASIS SCRM.1-2014 Supply Chain Risk Management: A Compilation of Best Practices y y n n y y y n n 5 0 4
ETSI GR F5G 010 V1.1.1 (2022-04)
Fifth Generation Fixed Network (F5G); Security; Threat Vulnerability Risk Analysis and
countermeasurerecommendations for F5G y y n y y n y p n 5 1 3
CYBER; Methods and protocols; Part 1: Method and pro forma for Threat,
Search Hits
Many.
What gaps
need to be
filled?
Full List: Thesis - Pages 75 to 76
MIPLM 2022 | CEIPI | Shu-Pei Oei © 22

23. Sampling of 3 Expert Opinions on IP Risk
3 Expert Opinions from
public & private
sources (redacted for publication)
Vs
Potential
Supplementary
Standards
KEY:
ISO 27005: Information
Security Risk
Management
ETSI TS 102 165: Cyber:
Methods and Protocols
ISO/TR 18128:
Information and
Documentation
ISO 31022: Guidelines
for the Management of
Legal Risk
ANSI/ASIS SCRM.1-
2014: Supply Chain Risk
Management
ISO 22380: Security
and Resilience- General
Principles for Product
Fraud Risk and
Countermeasures
▪ 1. A presentation entitled “IP Management at TK”, by Stephen Wolke from Thyssen Krupp.
▪ 2. A book entitled “Intellectual Property Risk Management” by Donal O'Connell, founder and
Managing Director of Chawton Innovation Services Ltd.
▪ 3. A presentation by Uwe Schaberg to students of the Master of Intellectual Property Law and
Management (MIPLM) at the Center for Intellectual Property Studies (CEIPI).
MIPLM 2022 | CEIPI | Shu-Pei Oei © 23
❖ Presentation by S. Wolke
(Thyssen Krupp)1
❖ IP Risk Management book by D.
O’Connell2
❖ Risk Lecture by U. Schaberg3
REDACTED

24. White - Space in the DIN 77006
Wolke (Thyssen
Krupp) O'Connell Schaberg
DIN 77006
(IP Services)
third-party
copyrights
applicable
requirements
for
the
protection
of
know-how
national
and
international
legal
requirements
contracts
(license
and
usage
agreements)
contracts
(employment
contracts)
contracts
(with
temporary
workers)
contracts
(with
suppliers),
contracts
(customers)
contracts
(cooperation
partners
and
academic
partners)
contracts
(confidentiality
agreements)
ownership
—
detection
and
avoidance
of
infringement
risks;
—
checking
freedom
to
operate/right
to
use
(FTO);
—
monitoring
the
IP
activities
of
third
parties,
including:
—
monitoring
third-party
IP
rights,
literature
research;
—
monitoring
the
legal
status
of
third-party
IP
rights;
—
regularly
checking
and
updating
the
search
profiles
and
criteria
applied;
—
checking
for
infringement
of
third-party
IP
rights
during
development;
—
continually
checking
for
infringement
of
third
party
IP
rights
during
the
life
cycle
of
products,
services
and
business
models;
—
monitoring
and
assessing
the
achievement
of
desired
exclusivity
positions
according
to
the
IP
strategy;
—
taking
actions
to
protect
existing
know-
how,
for
example,
against
destruction,
diffusion,
unauthorized
access
or
disorder;
—
recommending
actions
to
control
IP
risks
and
bring
about
decisions
by
interested
parties;
—
documenting
the
risk
assessment,
if
necessary,
by
integrating
it
into
existing
risk
management
systems.
🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸
Trade secret loss
risk
Risks with keeping
information secret
🗸 🗸 🗸 🗸
🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸
Risks with
employee know-
how
Know-how
Theft
🗸
🗸
Infringement of
3rd party IP
rights
🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸
Infringement risk
(FTO)
🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸
Risks associated
with dirty IP data
🗸
- IP
Administration
🗸
Having too
narrow a
definition of IP,
ignoring
valuable assets
🗸
Risks with “Soft”
forms of IP
🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 IP in contracts
risks
IP terms and
conditions in
Agreements
🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸
IP risks with non-
obvious
agreements
🗸 🗸 🗸 🗸 Risks associated
with IP licensing
IP Out-licensing
Program
🗸 🗸
Risks associated
with jointly owned
IP
🗸 🗸 🗸 Risks with open-
source software
Embracing
Open Source
Software
🗸 🗸
Getting
involved in
Open
Innovation
- IP Transactions
- IP Awareness
🗸 🗸
IP risks associated
with
interoperability
standards
Being involved
in
standardisation
activities
- IP Transactions
🗸
Risks from changes
in the tax rules
linked to IP
- IP
Administration
🗸
IP risks from key
suppliers
The use of
subcontractors
- IP Enforcement
🗸
Risks from online
counterfeiters
- IP Enforcement,
- IP Transactions
🗸 🗸 🗸
Invalidity of IP
rights
- IP
Administration
🗸 🗸
Publishing
activities of the
organisation
- IP
Administration
Too-Less [sic] IP
* less leverage
due to lack of
signiicant IP
portfolio
- IP Strategy
- IP Defence
DIN 77006 (6.1.2 Sources of IP Risks)
- IP Risk
Management
- IP Generation
- IP Awareness
- IP Defence
- IP Transactions
- IP Awareness
- IP Strategy, (Risk
Identification)
- IP Awareness
DIN 77006 (Actions to Address risks and opportunities, IP Risk Management A.6.1,
A.6.1.1)
3 Expert Opinions
Vs
DIN 77006
▪ Sources of IP Risks (6.1.2)
▪ Actions to Address risks and
Opportunities (A6.1.1)
▪ DIN 77006 IP Processes
MIPLM 2022 | CEIPI | Shu-Pei Oei © 24
REDACTED

25. ISO 27005
ISO/TR 18128
Supplementary
Risk Standards
Open-Source
Standards
OECD
DIN 77006
ISO
56005
ISO 9001
ISO
31000
MIPLM 2022 | CEIPI | Shu-Pei Oei © 25

26. Enhanced-IPRMF for Trade Secret Management
ISO 27005
Information Security
Risk Management
ISO 31022
Guidelines for the
Management of Legal Risk
ISO 22380
Product Fraud Risk and
Countermeasures
ISO 31000
Risk Management-
Guidelines
MIPLM 2022 | CEIPI | Shu-Pei Oei © 26

27. Trade Secret Risk Management
Knowledge/
Innovation
Management
Legal
Requirements
• Knowledge assets are
of value to an
organization if it
increases an
organization’s ability to
earn economic rents1.
• Knowledge leaks that
hurts an organization,
are losses of
information that is
valuable, rare,
inimitable and non-
substitutable (VRIN)2
Characteristics Inherent
to Information itself
Behavioural
Requirements
1 Aaker, D.A. (1989), “Managing Assets and Skills: The Key to a Sustainable Competitive Advantage
2 Ahmad, A., Bosua, R. “Protecting Organizational Competitive Advantage: A Knowledge Leakage Perspective”, (2014)
• “not generally known”
• “Economic value”
• “reasonable steps
to keep it secret”
Derived from legal definitions e.g. EU Trade Secrets Directive, Defend Trade Secrets Act (US)
MIPLM 2022 | CEIPI | Shu-Pei Oei © 27

28. Trade Secret Risk Management based on ISO 31000
“Identification, Classification,
Valuation, Protection”
Adapted from M. Halligan, Trade
Secrets Litigator
ISO 31000
Risk Management-
Guidelines
MIPLM 2022 | CEIPI | Shu-Pei Oei © 28

29. S
W O
T
INTERNAL External
Scope, Context, Criteria
MIPLM 2022 | CEIPI | Shu-Pei Oei © 29

30. INTERNAL External
ISO 31022 Legal Issues Details Inter-Departmental
Involvement
5.2.2
External
Context of
Legal Risk
Jurisdiction ▪ Environmental and cultural differences
among different jurisdictions,
▪ Application of federal or nationalTrade
Secret laws (e.g., US), Directives (e.g.,
EU),
▪ Conflict of laws and the mutual
recognition of laws
▪ Identification of the applicable
jurisdiction may also require
consideration.
▪ Legal Department
communicates withTop
management to shape
corporate & IP Strategy,
▪ Further communicates
requirements of laws
within IP department,
R&D, & IT
Table C.1
Assessing
Likelihood of
Legal Risk
Event
Enforceability of
Laws
▪ Expectation in court to enforceTS laws As above
Adequacy of
Training for
Legal Risk
Implications
▪ Awareness of employees ofTrade Secret
risks
▪ Extent of incorporation into day-to-day
functions
▪ Legal Department
communicates with HR,
Top Management
Counterparty
Risk
▪ Likelihood of breach of duty to maintain
secrecy
▪ Breach of contract (e.g., employment
contract, NDA)
▪ Default of responsibility
▪ Legal Department
responsible for quality of
contracts, clauses (Table
E.1)
▪ Whole of organization
approach to IP awareness
▪ IT department to be in the
loop
Table B.2 Table Legal
Advice Received
▪ From External and Internal Counsel
▪ Protection of legal information from
becoming public information in some
jurisdictions
▪ Legal Department
▪ ExternalCounsel
▪ Top Management
Registrable IP
right (e.g.,
Patent)
Defensive
Publication
Trade Secret General
Knowledge
Cost Transaction
Costs
Fixed -High Fixed- Low Variable
Opportunities Revenue Licensing Fees None Licensing Fees None
Risk Issues Time to Public Known (legal
time limit)
Known
(publication
time limit)
Unknown Predictable
(Industry
diffusion time)
Knowledge
Requirement
High Low High Low
Knowledge
Value
Value from the
right to exclude
others using
knowledge.
Knowledge
prevents others
from obtaining
an IP right (e.g.,
patent).
Value in
keeping
information
secret.
Value as a
public good.
Value
Variability
Value changes
over time, and
as public
awareness or
demand grows.
Value does not
change. Hard to
measure.
Value changes
based on
innovation
diffusion.
Value as a
public good.
Risk vs
Opportunity
Value vs Cost Maintenance
cost
independent of
Patent value.
Costs do not
change with
value.
Cost increases
with increasing
value.
Costs do not
change with
value.
Abandon when PredictedValue
< Cost
PredictedValue
< Cost
PredictedValue
< Cost
- NA -
Scope, Context, Criteria ISO 31022
Guidelines for the
Management of Legal Risk
MIPLM 2022 | CEIPI | Shu-Pei Oei © 30
• Applying Risk-based thinking,
• Risk vs Opportunities
• As purpose of management

31. Identification of Trade Secrets
Risks related to Legal Proofs Risks of TS leaks during Innovation
MIPLM 2022 | CEIPI | Shu-Pei Oei © 31

32. Classification of Trade Secrets
Class
Score
Name Definition Protection Guidelines Action
4 Top Secret ▪ “Exceptionally grave”
consequences to organization
if asset were compromised
▪ Designated Custodian
▪ Restricted & Monitored Access
▪ Biometric Access
▪ Labelled as Top-Secret
▪ NDAs
▪ No Electronic Storage
▪ No Cloud Storage
▪ No licensing
▪ “take reasonable
measures to keep such
information secret”
▪ Inform IP department
▪ Legal Department
▪ IT
▪ Building Security
3 Trade Secret ▪ Meets Definition of Trade
Secrets according to 6- factor
test.
▪ Critical to business
▪ “Serious damage” to
organization if asset were
compromised
▪ Designated Custodian
▪ Restricted Access
▪ Restricted users
▪ Electronic Copies require
password and ID access
▪ Labelled as confidential
▪ NDAs
▪ Importance of secrecy
reiterated
▪ Disposal standards
▪ Storage and Backup standards
▪ Encryption
▪ No Cloud Storage
▪ “take reasonable
measures to keep such
information secret”
▪ Inform IP department
▪ Legal Department
▪ IT
▪ Building Security
2 Confidential ▪ Information that should not be
made available for general
public access, but whose
secrecy is not as critical as
Trade Secret
▪ Access allowed only on
internal server
▪ User login and password
required
▪ IT- basic cybersecurity
precautions
▪
1 Public ▪ Information that can be made
public with minimal or no
adverse consequences if made
public
▪ No restrictions or basic
regulations
▪ No restrictions or basic
regulations
ISO 27005
Information Security
Risk Management
MIPLM 2022 | CEIPI | Shu-Pei Oei © 32

33. Valuation of Trade Secrets
𝑣𝑎𝑙𝑢𝑒 = σ𝑡
𝐸𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝐼𝑛𝑐𝑜𝑚𝑒𝑑−𝐶𝑜𝑠𝑡
1+𝑊𝐴𝐶𝐶 𝑡
WACC: weighted average cost of capital
Incomed:
Expected Income discounted for risk = risk
free income x (1-discountA x impactA) x (1-
discountB x impactB).
t: time (in years)
Example Using Reasonable Royalty Rate
MIPLM 2022 | CEIPI | Shu-Pei Oei © 33
Legal Risk (Trade Secrets) Description of Threat Threat Source
Status ▪ Does the trade secret meet
the legal requirements?
▪ Is it distinguished from
general knowledge?
▪ Is it of economic value?
Internal (Legal context)
Invalidity
Ownership ▪ Have rights been properly
assigned?
Internal/External
(Laws, Employee Contracts,
agreements)
Scope ▪ Has the trade secret been
defined with sufficient
particularity?
Internal/External
(Laws, Contracts, agreements)
Enforcement
▪ Have “reasonable
measures” been taken to
protect trade secret
▪ Can we “prove
misappropriation by
improper means”
Internal (Disgruntled
employee)
External
(Espionage)
Circumvention
▪ How easy is it to be Reverse
Engineered?
▪ How easy is it to derive it
independently
Arriving at knowledge
independently (growth of
industry knowledge)
Freedom to Operate (FTO)
▪ How many people are
allowed to use the Trade
Secret?
▪ How many people know
about the trade secret?
Improper behaviour,
Unawareness, joint ventures
7 Pillars of Risk
Value = f (Income, Cost, Risk factors)
behaviour
Knowledge legal

34. Protection of Trade Secrets
Threats & Vulnerabilities Assessment
ISO 27005
Information Security
Risk Management
MIPLM 2022 | CEIPI | Shu-Pei Oei © 34
Type Threat Vulnerability Department
Hardware ▪ Unprotected Storage
▪ Lack of care of Disposal
▪ Uncontrolled copying
▪ theft of media or documents ▪ IT
Software ▪ Lack of identification and authentication
▪ Poor password management
▪ Loss of information ▪ IT
Physical ▪ Lack of physical protection of doors, windows,
rooms
▪ Theft ▪ Building Security
Network ▪ Espionage ▪ Misappropriation ▪ IT
Personnel ▪ Lack of monitoring
▪ Lack of awareness
▪ Reneging on contractual agreement
▪ Misappropriation
▪ Loss of information
▪ HR, IP, Legal

35. Determine Jurisdiction,
Laws, Courts
ISO 31022
Legal Risk Register,
Legal advice received
Identification of Trade
Secrets
ISO 31022 Trade Secret
legal criteria
ISO 27005
Identification of Trade
Secrets according to
legal criteria
Classification of Trade
Secrets
ISO 27005
Identification of Threats,
Asset Value, Likelihood,
Impact
Protection of Trade
Secrets
ISO 27005:
Protection according to
Measure of Risk, or
Threat Ranking
ETSI TS 102 165: Cyber:
Methods and Protocols,
proportional to
measure of risk and/or
threat ranking
Valuation of Trade
Secrets
Legal
IP
IP, Legal, HR
IT
Legal
IP, R&D
IP, Finance
Tools Departments Objectives DIN 77006
IP Strategy
IP
Enforcement
IP
Transactions
IP
Administration
IP
Awareness
IP Risk
Management
IP
Generation
IP Risk
Management
IP Risk
Management
ISO 22380:
Detecting Fraud Risk,
Motives for Fraud, Types
of Fraudsters
Supplementary Standards in Trade Secret Risk Management
MIPLM 2022 | CEIPI | Shu-Pei Oei © 35

36. In conclusion, this thesis…
🗸 Developed an IP Risk Management Framework (IPRMF)
achieving harmonisation between IP Management, Quality
Management & Risk Management.
🗸 Explored the possibility of an enhanced-IPRMF using
Supplementary Standards for specific IP risks.
🗸 Applied the enhanced-IPRMF towards a multi-disciplinary
risk management context, namely, Trade Secret risk Management.
🗸 Used the enhanced-IPRMF as a springboard for developing
further analysis processes for Trade Secret Risk Management.
MIPLM 2022 | CEIPI | Shu-Pei Oei © 36

37. Everyone has to start somewhere. Maturity Model.
PEOPLE LEGAL FINANCE TECHNOLOGICAL PROCESS/
ORGANIZATIONAL
STAGE 1
DISORGANIZED
▪ No overview of staff
▪ No coordination between
departments
▪ No Trade Secret committee
▪ No In-house knowledge of Trade
Secret Law
▪ Businesses use external
contractors
▪ Not strategically aligned
with IP management
▪ No security controls
▪ No overview of staff
No coordination between
▪ No support from top management
▪ No awareness
▪ No budget
STAGE 2
REPEATABLE
▪ Trade Secret Leadership
Established
▪ Informal Communication with
Interested parties
▪ Available in-house legal support
▪ Supported by external
consultants
▪ Ad hoc updating and
meeting
▪ Some security controls
▪ Minimal documentation
▪ Basic awareness of risk policies
▪ Basic awareness of IP rights
▪ Ad hoc Reporting
STAGE 3
DEFINED
▪ Some formal roles and
responsibilities established
▪ In-house legal lead external
consultants in clear direction
▪ In-house legal team leads
strategy discussion
▪ All financial procedures
concerning IP are
aligned with IP
department (e.g., tax,
valuation, mergers,
acquisitions, budgeting,
relevant revenues)
▪ Controls and documentation
established
▪ Responsibilities assigned but
reliance on individuals
▪ Teams and leadership appointed
and defined
▪ Accountability measures in place
STAGE 4
MANAGED
▪ Dedicated resources and
awareness
▪ Clearly defined roles and
responsibilities
▪ Most trade secret operations
supported in-house
▪ Legal team well integrated with
top management, R&D, HR
▪ Detail processes and
transfer of information
between departments
established
▪ Controls are monitored
▪ Compliance checks in place
▪ Able to test processes and
measure performance
▪ Able to improve based on
performance indicators
STAGE 5
OPTIMIZED
▪ IP culture and awareness
supports information security
skills and technology
▪ Legal team works to set IP
strategy
▪ Well integrated with technology,
automated renewals
▪ Well-integrated with performance
metrics
▪ Strategic alignment with
IP department
▪ Aligned with global
strategy
▪ Tax optimised
▪ Controls are automated
▪ Prediction technologies in place
▪ Continuous Improvement
▪ Management processes are
integrated with technology
▪ Management processes are
integrated and coordinate across
business units
MIPLM 2022 | CEIPI | Shu-Pei Oei © 37

38. The End.
MIPLM 2022 | CEIPI | Shu-Pei Oei © 38
With grateful thanks to my supervisors,
Prof. Dr. Alexander Wurzer &
Mr. Thibaud Lelong
Dr. Shu-Pei Oei
shupei@oeipatents.com
Linkedin.com/spoei