Storm Clouds Brewing
Every morning I pull my smartphone off its charger. The electricity that charged my battery came from my local power utility — a network of cables, wires, shared resources, inventions and capabilities that exploit economies of scale.
I pay my electricity bill every month. Every month I feel I’ve purchased my power fair and square.
With my charged phone in hand, I check my email, scan the news, listen to music from my internet music provider, and do a quick internet search.
All that information got to my phone through my wireless internet service and a behind-the-scenes “cloud” service — an internet-based computing system that, like a utility, uses shared resources, inventions and capabilities to provide my device with on-demand services and applications.
I pay my internet provider every month, but does that mean I purchased access to all the cloud services and innovations too? Have the inventors and patent holders of the cloud capabilities been fairly compensated behind the scenes?
When company data and services move to the cloud, there are risks we manage. Issues around shared access, as clouds are multi-tenanted all using the same computing resources. Questions arise as to data ownership. Resiliency of the cloud service may come into question when systems fail or become unavailable, and the ever-growing threat of unauthorized cloud access is also a concern.
But do risk managers of organizations that use cloud services assess if they are infringing on cloud patents? Is cloud patent infringement even on their risk radars?
I’ve learned recently that it should be. The cloud is full of complex and often foggy technological definitions, making those organizations using cloud services more vulnerable to hungry patent pirates, sharks and trolls.
“For an enterprise with annual revenues of $10 to $25 million, each patent infringement lawsuit typically represents a financial risk of $3 to $5 million.” — Jess Marinez, president, Tout Virtual Inc.
Patent trolls are not mythical characters from an adventure novel. They are companies that profit from using coercive and extortion-like practices.
Patent troll companies buy broadly worded patents on secondary markets and then assert them against you, demanding overpriced royalties or possibly costly patent litigation. If you choose to fight them, note that litigation that goes to trial can cost upwards of $3 million, and result in damage awards that can exceed tens of millions. Trends show that trolls are getting their way and their bounty is growing.
More and more, patent trolls are turning their attention to the cloud market where intellectual property policy is failing to keep pace with technological developments. Trolls don’t necessarily always go after the big companies; they go after the weak, where legal costs and damages could cripple the organization.
Cloud risk management services and cloud patent litigation insurance should be considered by a lot more organizations, specifically start-ups.
“For an enterprise with annual revenues of $10 to $25 million, each patent infringement lawsuit typically represents a financial risk of $3 to $5 million,” said Jess Marinez, president of Tout Virtual Inc., a company that offers cloud risk management services and patent licenses to their cloud patent portfolio. “60 percent of patent infringement lawsuits are targeted at companies with annual revenues of $100 million or less.”
Proactive risk management is a way to blunt the onslaught of trolls seeking to exploit existing cloud and emergent companies through patent infringement lawsuits.
With stormy clouds like this brewing, ensure you have a good umbrella. Specialty risk mitigation services coupled with cloud patent infringement insurance should help you to not get too soaked.
A critical step to creating any risk management framework is risk analysis. Risk analysis comprises risk measurement.
Discovering organizational risks has never been too problematic in my experience. The challenge tends to be around the risk quantification where we try to understand how big the risk is and when the risky event is likely to occur.
Here we tend to admit defeat. We feel that we have little clue as to the likelihood of risks. We throw our hands up in despair trying to predict the nature of the risk’s impact.
It doesn’t help that we read books like Nassim Taleb’s 2007 “Black Swan,” where the underpinning idea throughout the book says that humans should not attempt to predict outlier events known as Black Swans because human thinking is limited.
Humans only make predictions based on what they have already seen and experienced.
But with all due respect, I tend to disagree. After 18 years in this field I have successfully used tactics with some pretty remarkable results when it comes to risk measurement.
For me, the key is to never do risk measurement alone. I always get a collective opinion from a group rather than one single expert. Let the wisdom of a crowd prevail. Feed off their collective intelligence.
The notion traces back to the well-known finding of Francis Galton, a cousin to Charles Darwin, who in 1907 attended a country fair where about 800 people estimated the weight of an ox as part of a contest.
The average estimate was shockingly accurate. It was within 1 percent of the true weight — better than any individual guess of the cattle experts. The event is recounted in James Surowiecki’s “The Wisdom of Crowds.”
It appears that the average approximation of a group tends to converge towards a good result, often better than the response given of any one individual. But be aware. Group dynamics are tricky. I rely on two rules-of-thumb when facilitating a group: assure diversity and independence.
First, know the make-up of your group. Make sure you have legitimate subject matter “experts” in the crowd. Also, ensure representation from multiple areas within your organization.
It appears that the average approximation of a group tends to converge towards a good result, often better than the response given of any one individual.
If your risk measurement session is to discuss, for example, cyber security risks, ensure that the room does have participants from not only the IT department but from other divisions such as operations, legal, human resources and communications as well. All these groups see cyber risk from their unique vantage points and estimate risk using their own lens.
Also, don’t forget to invite a few organizational curmudgeons. To gain further accuracy, having those who may strongly disagree with your group is critical. In essence, you don’t want the group to start herding and copy-cat towards a consensus. The wisest groups are the most diverse, made up of diverse opinions and ideologies.
Secondly, try to eliminate social influence and bias in a crowd. Group members should feel comfortable to contribute. Individuals need to feel their initial judgments are independent and are not influenced by other’s responses.
It may be a good idea not to have key contributor’s bosses in the room where they may sway their subordinates. In addition, do know that the more information participants get about each other’s responses, the higher the likelihood you degrade the collective answer — best to use secret ballots or electronic voting mechanisms.
So it appears the many are wiser than the few. Have a party and measure your risk.
The Upside of Uncertainty
Just recently, a friend needed some help with a tough decision and wanted to sound out her decision process between two job opportunities. Both options were full of uncertainty.
When we spoke about her potential bosses, she was uncertain if they were good people. In other words, she feared they may not be very nice.
When we spoke of the job security, she was uncertain one organization was stable. In other words, she feared her job may be short term.
When we spoke of her potential for succession, she was uncertain there was room to grow. In other words, she feared her job would be a dead end.
The conversation got a bit draining. When I sat back to think about why, I realized that we covered only the uncertainty of negative things. Her decision process was driven mostly by fear and pessimism and she failed to be inspired by faith and opportunity.
But it seems, we all tend to do that. I think of the expression: “Where there is mystery, the human mind tends to go to dark places.” I have often used that expression in my speaking engagements when I try to convey the idea of “upside risk.”
Her decision process was driven mostly by fear and pessimism and she failed to be inspired by faith and opportunity.
Imagine you are walking down the hall at the office. You see two colleagues chatting in the distance. As they see you approach, they quickly stop talking. It is obvious they stopped because of your proximity.
So let us take an honest vote. Who would think that your colleagues were gossiping about you and curtailed the conversation so as to not hurt you?
Conversely, who would think they stopped talking because they did not want you to overhear details of the surprise birthday party they were planning for you?
When things are uncertain, why immediately associate it to something negative when we also have the opportunity for it to be positive? That is the paradoxical beauty of uncertainty. When nothing is sure, everything is possible. Uncertainty should fuel opportunity too. That is what we call “upside risk.”
People and businesses assess risk, mine data, carve learnings from past experiences and we do our “due diligence.” But often we only do this to gain more certainty around negative things that can happen.
However, true enterprise risk management organizations, mature ones, conduct “upside risk” assessments too. Upside risks act as your organization’s natural hedges against your ever more popular “downside risk.”
Our human condition naturally makes it difficult to do “upside risk” assessments. If you don’t believe me, facilitate a risk assessment session where at first you only elicit negative risks. Then switch. Ask the group to talk about things that “could go overly right” in your organization.
You will be inundated with negative risks. Moreover, you’ll find the longer the negative risk list, people will feel more certain and secure by knowing you have captured the scary business monsters and now have actionable risk attack plans for them. I take no issue with that. That is good risk management. But it is only one side of the story.
Your upside risk list will be much shorter. I truly feel we need to do a better job at identifying what should be on that list.
Not only would the assessment be conducted in a much more pleasant headspace, but the longer we can make the upside risk list, people will feel more certain and secure. They’ll know they have captured their great business opportunities and now have an actionable risk-fostering plan for those opportunities.