Chain of liability model reduces cost through compliance by design

Tao Zhang

Tao Zhang

Tao Zhang (taoz@juniper.net) is Vice President, Deputy General Counsel of IP & Product for Juniper Networks in Sunnyvale, California, USA.

Janet Lee

Janet Lee

Janet Lee (janet.lee@ansys.com) is General Counsel, Vice President and Corporate Secretary for ANSYS, Inc. in Canonsburg, Pennsylvania, USA.

Listen to article
9 minute read

By Tao Zhang and Janet Lee

The operating cost of risk management has escalated significantly due to increasingly complex compliance and regulatory requirements, which are becoming cross-functional efforts. Many chief experience officers across industries are looking for opportunities to meet such compliance obligations at a lower cost.

To achieve this objective, it is vital for corporate functions to adopt a unified compliance and risk management model based on a common goal to prevent reworks caused by incongruent approaches.

Optimize the development and sale of products

We propose optimizing product development and sales as the common goal for product and service companies. Each relevant corporate function must measure its success based on how well the function optimizes its support of the company’s product development, delivery, sales, service, and maintenance, all for the benefit of end users and customers. The product referenced in this context can be broad, encompassing hardware, software, medical devices, pharmaceutical drugs, services, or experiences. The optimization at issue begins from early product conception through design, development, sales, and post-sales. It includes optimization of the entire product experience, starting from the customers’ purchase and user experiences and extending to potential benefits a product may bring long after the customer’s usage.

Then how can a corporation best optimize its development and sale of products? The answer lies squarely in proactive risk management.

Optimization through proactive risk management

Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.” Similarly, risk prevention is significantly less costly than risk mitigation after the incident. By anticipating potential risks and requisite compliance or regulatory policies from various stakeholders related to each area of the entire product lifecycle, a company can more effectively optimize its product development and sales across its corporate functions. Take steps to address these issues before they arise and put in place procedures to enable systematic response to these risks if they do surface.

In other words, it is critical to clearly identify product development and sales risks in each relevant corporate functional area and manage them effectively. The chain of liability (CoL) analysis model described below is an effective approach to accomplish this objective.

CoL provides an elegant and intuitive tool to naturally align corporate functions to optimize product development and sales through risk management.

What does CoL mean? For simplicity, let us take a general-purpose, business-to-business (B2B) enterprise software company as an example, as shown in Figure 1, to explain the CoL model. A typical enterprise B2B software product life cycle comprises design, development, sale, and post-sale stages. Research and development (R&D) and business units (BUs) are typically responsible for the design phase. BUs, software release management, product marketing, and sales teams are typically responsible for the software development stage as well as planning and implementing the product’s release to the market.

To some extent, sales teams, business operations, and business units are also responsible for the post-sale phase. Let’s look at this chain of activity from a typical legal function’s perspective. During the first stage (i.e., design), we list examples of key risk factors relevant to a legal function. Similarly, under the second stage (i.e., development), the third stage (i.e., sale), and the fourth stage (i.e., post-sale), we list examples of relevant major risk factors, respectively.

Figure 1: Chain of Liability analysis model for an enterprise B2B software product from the perspective of a legal function

Figure 1 provides a holistic view of product compliance management for the company’s legal function. For example, during the design stage, the legal function needs to preemptively consider risk factors related to cybersecurity, product physical security, intellectual property (IP) infringement, data management, innovation management and patenting, and testing adequacy. Some of these risk factors appear again in the next stage, while other new risk factors appear midstage. It resembles links in a chain from left to right; thus, we dubbed this the chain of liability model. A chain is as strong as its weakest point. A risk factor introduced on the left side of this chain may propagate toward the right and adversely impact the stages downstream. Therefore, it is important to consider relevant risk factors as early as possible in the chain (i.e., “shift left in the lifecycle”).

The CoL model then applies a checklist tailored for each function at each stage for every relevant risk factor for each product. This is a chronological process synchronous with product development. Course corrections are recommended in successive stages. Relevant responsible teams focus on risks pertinent to their stage or “link” in the activity chain. This minimizes costly re-architecting late in the development process and reduces overall product cost. Please note that although the example above is software-based, the approach equally applies to various corporate functions for other industries, such as hardware, services, or pharmaceuticals.

We are highly impressed by the elegance of applying the CoL approach to product risk management and its applicability to all corporate functions. It is intuitive and naturally aligns corporate functions with optimizing product development and sales through risk management. It considers product compliances and regulatory requirements early in the product life cycle, thus reducing costly reworks through compliance by design.

You can build your own CoL that is fit to purpose for your business

The CoL tool can be adapted easily by each corporate function for a company in any industry through careful analysis of risk factors and customization for each function’s specific needs. The following are recommended steps:

  • First, identify key areas on which your corporate function should focus its efforts by enumerating the following:

    • Potential risks that could reduce customer satisfaction or product success, and

    • Potential stakeholders that could be negatively impacted by the product.

  • Second, identify the following defensive and offensive motions to balance short-term and long-term risk management:

    • Offensive measurements to drive away threats to protect your stakeholders (the “sword”), and

    • Defensive measures to protect stakeholders (the “shield”).

  • Finally, consider major potential risks arising in optimal and nonoptimal scenarios:

    • When the product or service performs as designed, and

    • When the product performs poorly, is defective, or performs in a challenging environment.

Each corporate function can establish its most relevant stakeholders or critical risk areas and focus primarily on those key risks.

For enterprise software products, as an example to illustrate the above approach, the legal function could identify six stakeholders and associated vital risks:

  • End users and customers: General Data Protection Regulation (GDPR) violation, breach of contract, and product liability.

  • IP owners and their agents: Misappropriation of trade secrets or patent, trademark, or copyright infringement.

  • Government regulators: Export control regulation infractions, regulatory certification requirements, product liability, antitrust regulatory violations, GDPR violations, or cybersecurity failure.

  • Standards and open-source software (OSS) organizations: Fair, reasonable and non-discriminatory royalty obligations, standard certifications, OSS compliance.

  • Unauthorized end users and software pirates: Loss of revenue; complaints from paying customers.

  • Third-party IP infringers: Noncompetitive pricing and margin, decreased market share, brand erosion.

Having identified the stakeholders and risks, it is possible to analyze product development and sales activity and prioritize the areas of most acute risk to the activity and the enterprise. A careful examination of each stakeholder, the cause of their potential complaints, and the amount and likelihood of damage associated with such risks will facilitate this understanding.

This approach of looking from the perspective of stakeholders and risk management is not merely helpful for legal functions; it can be used for every corporate function, including R&D, business units, sales, human resources, legal, financial, IT, and others. For example, the potential complaint list can be expanded to include stakeholders such as employees, investors, board members, strategic partners, resellers, suppliers, service providers, and others. As a result, the success of each corporate function can be measured by its stakeholders and management of risks.

Use CoL to assess where risks are most acute

Besides aligning each corporate function toward optimizing product development and sales, it is also essential to ensure each function successfully identifies and manages its corresponding risks. Using the product-centric CoL risk management approach, each corporate function can arrive at a list of factors to consider as key risks in a product’s life cycle that are most relevant to their functions and manage these risk factors proactively.

For each corporate function, the risks related to their specific area can be listed under each CoL “link” (or stage of the product lifecycle)—as illustrated in Figure 1—from a legal perspective. This methodology provides a straightforward visual tool to clearly identify risks that either appear early in the product design phase, late in the product lifecycle, and sporadically in some stages or continuously throughout all stages. Prevention processes can then be built to address critical issues at their earliest phases in a coordinated manner across all relevant functions. The CoL can also help identify the most acute risks that appear in multiple stages, facilitating the implementation of processes and procedures to address those risks preemptively in a holistic manner. The CoL is a helpful tool for all corporate functions to spot relevant issues before they appear in the real-time context of active product development. Analysis can pinpoint the most critical risks deserving additional resources and attention.

Risk quantification can guide resource allocation

English mathematician and biostatistician Karl Pearson purportedly declared, “That which is measured improves. That which is measured and reported improves exponentially.” Corporate departments, such as R&D, product development, marketing, legal, and sales, should establish measurable goals and report them regularly. What is the best way to measure each function’s success?

This turns out to be a tough question to answer. Employees constantly receive didactic advice that their contribution is measured by the degree of impact they bring to the corporation. However, these principles are somewhat vague. Therefore, it would be beneficial to establish a clear and consistent overarching common objective or “north star” for corporate functions and their constituents. This way, everyone can strive toward the same goals and continuously adjust and align for success.

After product definition is crystalized, corresponding main stakeholder lists and associated risk factors should be clarified. With potential risks clearly identified, success becomes more quantifiable. There are various ways to quantify a corporate function’s success depending on the risks at hand and the company’s needs at the time.

For example, Upcounsel reports patent royalty rates based on comparable market approaches for various industries ranging from 3.3% for automotive to 9.6% for software.[1] An average annual probability that a patent royalty will be imposed on your product can be used—based on your industry’s trend or your company’s past litigation history—to arrive at an estimated annual risk exposure amount. This annual risk profile can be used to support your staffing and budgeting decisions. For a software company, if your likelihood of owing a patent royalty is 1% in a given year, then your average annual patent exposure or risk profile is 0.096% of your total revenue.

This approach can be leveraged to assess whether current resource allocation is well-justified or completely out of proportion. If existing resources are significantly higher than the average annual exposure, it would be a reason to explore whether there is overinvestment in that area. An estimated return on investment can be obtained for specific subject matters. In addition, this data can be applied to help determine whether to use internal experts or hire outside resources. For instance, for risks with high average annual exposure amount and minimal probability of happening, it makes sense to employ external resources. Using internal employees may be better for frequently occurring risks with relatively low-risk profiles. For risks that require in-depth internal organizational familiarity or deep product knowledge, internal resources would be better suited for such tasks or at least lead such activities. In other words, you can design and budget your corporate functions based on risk management.

CoL brings all corporate functions together

All corporate functions may find this CoL model approach helpful to their work, minimizing oversights and naturally aligning disparate activities, teams, and roadmaps around priority activities. It enables each corporate function to effectively and successfully manage its relevant risks and significantly reduce the cost to your company by mitigating risks before the incidences and through compliance by design.

The views expressed in this article are the authors’ opinions only and do not necessarily represent those of other people or entities.

Takeaways

  • Optimizing the development and sale of products should be one of your company’s overarching goals—which can be achieved through proactive risk management.

  • Chain of liability (CoL) analysis is an elegant and intuitive tool that naturally aligns corporate functions to optimization of product development and sales through risk management.

  • You can build your own customized CoL model for your business and use it to assess holistically where risks are most acute.

  • Risk can be quantified, and the quantification can guide resource allocation.

  • The end result of the CoL model is that all corporate functions are working together effectively and reducing operating costs through compliance by design.

 
1 “Patent Licensing Royalty Rates: Everything You Need to Know,” Upcounsel, updated June 24, 2020, https://www.upcounsel.com/patent-licensing-royalty-rates.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

What to read next...

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings