Intangible Capital Risk Assessment (ICRA): a new framework for SMEs performance management Rony Germon, Patrick Laclémence, Babiga Birregah ICD – CREIDD, UMR STRM – CNRS, University of Technology of Troyes, 12, rue Marie Curie 100010 Troyes
[email protected] Abstract— In times of crisis, the best that one can expect from a company is to be able to continue innovate and create new products based on the skills of their employees. In this paper, we consider that each process integrates four basic components of the intangible capital that are critical in the process of innovation and the creation of factors that put the company out of reach of the consequences of crisis. Risk management in SMEs passes through the performance assessment of the set of these four components of the intangible capital by identifying the most vulnerable components. The main challenge lies not only in increasing the intangible capital of business but it control and protection. The corollary of this challenge is to reduce the vulnerability resulting from the weakest component in order to improve the performance of the intangible capital of small and medium sized enterprises. As a result of the vulnerability assessment these companies must establish overall protection from risk, to maintain or increase their efficiency. This paper proposes a new framework for risk management of intangible capital in SMEs, referred to as ICRA. This Intangible Capital Risk Assessment (ICRA) framework aims to provide helpful guidance to SMEs for protecting their intangible capital and optimizing their decision-making. Index Terms— Business, Competitive Intelligence, Knowledge Management, Vulnerability, Risk analysis.
S
I. INTRODUCTION
the end of the 20th century, knowledge and intangible assets have been central into the economy [5] - [10]. A study by the World Bank considers that 86% of the French economy is intangible. Knowledge has become the main thrust for the production of wealth in business [11]. In 1960, Harold Wilensky had already described the vital role of knowledge in the economy and industry [42]. As an important part of the economy, SMEs are included in this dynamic. Competitive intelligence provides the company protection, by taking into account overall risk and threats [46]-[47]-[48]. With competitive intelligence, SMEs can anticipate and protect themselves in a highly competitive environment [6]. In the European Union, they are 19 million SMEs in hugely different sectors, employing nearly 75 million people. These types of businesses represent a pool of economic dynamism and innovation for countries. The European Commission defines small and medium-sized enterprises are companies that possess between 10 and 249 employees and a balance sheet total of at most 43 million INCE
euros [39]. Purely quantitative considerations apart, we define SMEs as being small (0 to 250 employees), with centralized management, little specialization, with a single information system and with either a single or poorly organized, intuitive, largely informal external strategy [27], [43]. Although we focus on some of the major specificities of SMEs, one should keep in mind that our generic framework needs necessarily to be adapted to fit the reality of each company. SMEs have very valuable assets, such as flexibility, responsiveness, speed of action to meet the challenges of economic globalization. If they want to survive in an uncertain environment, where new proteiform risks emerge. The goal of SMEs should be “total protection”. [34] - [22]. Total protection must be understand as a goal that should guide the actions of the entrepreneur and motivate his team to be more efficient. But in reality this goal is unreachable. Indeed, as zero risk does not exist, it is the same for its corollary which is the total protection. The intangible capital of a company is a chain that leads to innovation, the creation of factors that set the company apart and added value. The performance of this chain will be evaluated in terms of its most vulnerable link. It is necessary to reduce the vulnerability resulting from the weakest link, to improve the performance of the intangible capital of the company [30]. The real challenge is not limited to increasing its intangible capital, but concern as well within its control and protection. Because of the complexity of each decision, the entrepreneur needs to use efficient decision support tools to help him in his strategic decision-making [37]. The literature is full of generic methods devoted to risk assessment in the socio-technical systems. There are several tools of analysis and risk assessment of information. For more details, the reader should refer to: TRA [45], MEHARI [8], Cramm [24]-[25], EBIOS [1], OCTAVE [2]. The approach presented in this paper focuses on risk analysis on intangible capital. To develop this method we have adopted an approach which is both integrated, iterative based on empirical observations. This paper proposes a framework for the risk management of intangible capital in SMEs. The intangible Capital Risk Management Process aims to provide helpful guidance to SMEs for protecting their intangible capital and optimizing their decision-making. The paper is structured as follows. Section II will be a process-approach description of the
II. METHODOLOGY The definition of SMEs developed by GREPME [27] was used to show the specificity of intangible capital in SMEs. We consider a process in a company as a set of interrelated or interacting activities that transforms inputs into outputs [26]. This approach is base on systemic theory [44]. As illustrated in in Figure 1 one can distinguish five sub-processes: Production, Sales, Design, Logistics, Purchasing and Information. We will take the coordination of information as the sixth sub-process. SME
importance of each element. Moreover the violations affecting Intangible Capital can affect the sustainable performance of SMEs. For example, in a SME of 10 employees when an employee resign the company loose 10% of its human capital while in a multinational of thousand employees this event can be unnoticed. In addition, proximity is one of the important aspect to take into account [40]. In fact, SME have there first business relationship with the companies wich are geographically close to them. These two characteristics appear as both strength and weakness for SMEs. SME
Production
Organizational
Intangible Capital
components of intangible capital in SMEs. In section III, we will present the framework of the Intangible Capital Risk Assessment (ICRA). Section IV will develop a case study. This paper concludes with a discussion of our innovative approach and a presentation of outlooks.
Relational
Human
Organizational
Organizational
Produced
Human
Produced
Relational
Human
Produced
Relational
Human
Information
Logistic
Organizational
Intangible Capital
Human
Relational
Conception
Organizational
Intangible Capital
Relational
Purchase
Produced
Relational
Human
Produced
Relational
Human
Produced
The purpose of this section is to show how to identify the intangible capital in each process and highlight the methodology used to assess the risk posed by threats to the Intangible Capital in a process. 1. Identification of the Intangible Capital in each process Leif Edvinsson has introduced the notion of intangible capital for the first time in 1999 [16]. One can break intangible capital into four categories, which are illustrated in Table 1.
Purchasing policy Process performance Knowledge management Methods Process Corporate culture Values Company Innovation capacity Etc.
Intangible Capital Relational Human Capital Capital Customer Individual relations capacity Relationship Knowledge with the community Relationship Skills with suppliers Investor Experiences relations
Relationship with partners Etc.
Know-how Etc.
Conception
Logistic
Information
Organizational
Figure 1 - The intangible in every process
Organizational Capital Pricing policy
Purchase
Figure 2 - Example of intangible capital in a process
Organizational
Intangible Capital
Sales
Intangible Capital
Production
Intangible Capital
Intangible Capital
Produced
Sales - Organisation - Performance etc... - Relation - Communication etc... - Know-How - Knowledge etc... - Patent - Trend etc...
Produced Capital Patent Brands Drawing models Notoriety product Trust
&
Trade secret Etc.
Table 1 – Types of intangible capital
The nature of small size of a business leads to an “enlargement effect” [31]. In fact, the small number of elements form Intangible Capital increases the relative
In this work we selected the Leif Edvisson approach for the study of the typology of the Intangible Capital. Although it is not the unique approach, its simplicity is well adapted to the structure of SMEs. The identification of the Intangible Capital in each process is essential to select in priorities which components must be protect in the company. The next sub section deal with second step which focus on the Risk Assessment on the selected components. 2. Risk assessment on the Intangible Capital The nature and the changing perception of risk by area of interest [38] - [15] - [30] - [35] imply to build specific risk assement method or tool. In a generic way, risk can be defined as any source of hazards that may cause an adverse impact on human lives or the society [10]. The risks faced by SMEs are increasingly complex and intertwined despite their specificities. Small structures should anticipate for better management [7] - [13]. Over 200 management methods for risk analysis, either public or confidential, exist to date, across the world [33]. While several methods are devoted to risk management, information systems or information [1] - [8] [25] - [36], no literature review has been specifically conducted on the cycle of knowledge in SMEs. Implementing ICRA method would require taking into account the volatile nature of knowledge and the fact that knowledge is deeply rooted in the context in which it operates [29]. In this paper we chose to model risk as the combination of five components as shown in Figure 3: (1) the Threat denoted T , (2) the Criticity denoted C , (3) the Vulnerability denoted V , (4) the Impact denoted I and (5) the Exposition denoted Fexp
follow a direction. For example, an element like “Pricing Policy” may depend on the two elements like “Relationship with customer and the “Knowledge management” without any relationship between us. Factor Dependance Replaceability
Risk
Singularity Complexity Reproducibility
Figure 3 – The five components of risk
Formalization
In this part we proposed a global review of ICRA method. We have introduced a set of step to build an efficient risk assessment on Intangible Capital. In the others sub-parts we detail our approach.
Appropriation
2.1 Criticity: It’s necessary to have an overview of the Intangible Capital (IC) existing in the company and know the importance of this IC for each process. This step is the first step of our methodology. To determine the criticity score for each item, we define a criticity function based on these seven criteria: Dependence: measure if the IC can exist alone or need another IC, Replaceability: measure how a IC can be replaced by another inside or outside the enterprise, Singularity: measure the extent to which the IC in uncommon, Complexity: measure if the IC has many or few parts, Reproducibility: measure how is easy or difficult to reproduce a IC, Formalization: measure if the IC is either oral or written and codified, Appropriation: measure if the IC is individual or collective. Criticality measures how an element of intangible capital is important for the company. The higher the levels of the various criteria are, the greater the estimated importance of the IC is for the process and, consequently, the higher the level of protection it must have, as illustrated in Figure 4.
Scoring 0 Independant 0 Remplaceable 0 Common 0 Simple 0 Easily 0 Tacit 0 Individual
1 Dependant 1 Irrempaceable 1 Singular 1 Complex 1 With difficulty 1 Explicit 1 Collective
Table 2 - Scoring scale of the seven criteria of criticity
We have introduced a set of items to define the criticity score of an element of Intangible Capital. This step is lead to identify the IC critical for the company. The next step is the evaluation of threats and impacts. 2.2 Identification of the threats and categorization of the various impacts on the Intangible Capital At this stage, one has to consider the complexity and the volatility of the intangible capital. Given this specificity, it is necessary to define a range of threats as generically as possible, in order to fit with any situation. We propose to divide the threats into three types of tactics (alteration, acquisition, unfair competition), which we then break into different techniques. These threats can be either internal or external. Threats Altération
Acquisition
Unfair competition
Destruction
Robbery
Forgery
Degradation
Extorsion
Usurpation
Spying
Disclosure
Change Weakening
Uptake
Figure 5 - Types of threats Depandance
Replaceability
Singularity
Complexity
Reproductibility
Appropriation
Formalization
+ +
+
+
+
+ +
Criticity
+
Protection
Figure 4 - The seven factors of criticity
One can also establish a link between different types of Intangible Capital. The link can both be direct or indirect and
The direct consequences of the occurrence of an unwanted event on the intangible capital can take several forms: decrease of production, loss of competitiveness, loss of credibility, etc. All these threats can lead to a change in the business organization and strategy and in the innovation process. They can induce immediate or long-term effects. Erreur ! Source du renvoi introuvable. shows some of the possible impacts on SMEs organization, employees, knowledge, business and technics. Determining the level of a threat allows a company to develop or to adapt is strategic plans, in order to increase the ability to cope with change.
Organizational Impacts
Relational Capital
Capital. The next step is the monitoring of the risk in the time and the determination of priority of action.
Technical Impacts Threat
Organizational Capital
Intangible Capital
Produced Capital
Human Capital
Human Impacts Impacts on Knowledge Impacts on business
Figure 6 - Impact on Intangible capital in SMEs
With the rating scale, one can evaluate the impact of a threat on the intangible capital we consider three “aspects”: i) the productivity ii) the development of the organization, and iii) knowledge, know-how and skills productions and transmission. The evaluation lead to five levels of qualification: (1) minor, (2) major, (3) moderate, (4) critical, (5) catastrophic. We have proposed in this part a set of generic threats and evaluated the impact theses threats. This step provides a global view of the threats to the Intangible Capital of the company. The next step focuses on the evaluation of the vulnerability. 2.3 Evaluation of the vulnerability of each type of Intangible Capital In a previous article we showed how to determine the vulnerability [21] by using four criteria: (1) Deterrence: all the measures taken at the technical, organizational and human level that may prevent or delay an attack on all or part of the cycle in the company. (2) Detection: probability of detecting a malicious act before its completion. (3) Delay: time to implement measures to counter the malicious action. (4) Response: time to stop or mitigate the effects of the attack (latency included). These criteria contribute to the implementation of protective measures, since the level of protection depends on the value of the criterion. As an example, when the level of deterrence is high, protection has naturally increased. The property remains correct for the other criteria [17]. In a previous article we showed how to determine the vulnerability [21]. After evaluating the vulnerability, it is necessary to determine the frequency of exposure. The frequency of exposure of intangible capital to a threat is defined in Table 3. Description Very rare Exceptional exposure and low probability of occurrence < 25% time of exposure Rare Infrequent exposure and average probability of occurrence 25% < Time of exposure < 50% Common Regular exposure and high probability of occurrence 50% < Time exposure < 75% Very Permanent exposure or quasi-steady and common very high probability > 75% time of exposure
It is clear that the risk increases proportionally with each of its components. The risk will be higher than if the majority of components have a high value. In practice the "ICRA" method suggests that the risk will be considered as minor if the 1/5 at most of the components is estimated to be high; major if the 4/5 at least of the components is estimated high and medium between these two boundaries. 3 Risk control and prioritization of priority We define risk acceptability, to reduce the subjectivity of the individual assessment [32]. We categorize risk into four levels of acceptability: acceptable, acceptable with a required review, unacceptable and intolerable. The aim is to reduce the subjectivity of individual assessment by broadly categorizing risk. Monitoring Impact Risk Frequency Score Impact Level acceptability Punctual 1 Minor Acceptable Acceptable 2 Moderate with review Frequent 3 Major Unacceptable 4 Critical Continuous 5 Catastrophic Intolerable Table 4 - Acceptability of a risk and monitoring
The evaluation helps to define the Monitoring Frequency (MF) between punctual, frequent and continuous. Then one should select the effective countermeasure for each threat. This step leads to the selection of the different countermeasure and the different recommendation to face the threats. 4. Selection of Countermeasures and recommendation A security countermeasure is a way to detect, prevent or minimize losses associated with a specific threat [36]. In the case of the intangible capital, it is necessary to take into account the threat and the specificity of the intangible capital, in order to choose efficient countermeasures. Figure 7 illustrates the integration of the countermeasure in the intangible capital risk assessment. Threats
Adapt to Exploit
Countermeasures
Decrease
Vulnerability
Cause
Need
Table 3 - Frequency of exposure
In this part we have introduced the evaluation of the vulnerability for each type on Intangible Capital. This step leads to identify and quantify the weakness of an Intangible
Intangible Capital
Affect
Impacts
Figure 7 – Principle for countermeasures definition
Efficient countermeasures must adapt to the threats to decrease the vulnerability of Intangible Capital. The countermeasures can be organized into four categories: technical, physical, legal, and organizational. These countermeasures can be considered according to four approaches [28]: Avoidance, Mitigation, Acceptance, Transfer. ICRA contains a large countermeasure library. Indeed, we try to take in count a large sample of possible countermeasures. We give some examples of these countermeasures in Table 5 A/M/Ac/T
This identification served to highlight the key elements of the intangible capital of the company. In the Table 6 with give an example of this assessment. Enterprise X
Process Production
Intangible Capital Factor of importance Threat
Trade secret 0,71 Extortion Level
T/J/O/P
Intangible Capital Countermeasures Patent Designs Semiconductor topography Privacy Charter of access to the premises Local alarms Formalisation of knowledge Charter Data protection charter Computer Intelligence Software Etc.
0,2
Vulnerability
Deterrence
0,2
Detection
24h (0,166)
Delay
24h (0,166)
Response
Score
0,183
III. CASE STUDY Consider as a case study example of a company 10 years old. This company is specialized in the production of metallic components for automobiles. The company is currently experiencing some difficulties. Its strategy for recovery is based on innovation. In the past two years, the company has filed two patents and two brands. Conscious of the importance of its intangible capital, the entrepreneur turned to a consultancy: “the expert” to help him to establish a protection strategy. His objective is to maintain the competitiveness and performance of the company.
Intangible Capital
Process Production
Activity Engineering new product
Trade secret
Factors of importance
Level
Score
Dependence Replaceability Singularity Complexity Reproducibility Formalization Appropriation
0.30 0.5 0.70 0.90 0.90 0.5 0.5 0,61
Table 6 - Determine intangible capital importance
In cooperation with the entrepreneur the expert identify the intangible capital present in the different business process.
Score Level
Disruption
Impact
We have introduced the different elements of ICRA method. We should illustrate our method by a little case of study.
Questioning
Consequence
Type of impact
Table 5 - Example of countermeasures
Enterprise X
Activity Engineering new product
1
1
0
Critical Table 7 - Intangible Capital Risk Assessment (ICRA)
The assessment of the intangible capital: “Trade secret” demonstrates the importance of this element, which is strategic for the performance of the company. After that it is necessary to achieve the risk assesment ont this élement of intagible capital. The result of Intangible Capital Risk Assessment for one threat: “Extortion” is synthesized in Table 7. The impact of this threat for the company is critical. Impact Score 4
Impact Level Critical
Risk tolerance Intolerable
Monitoring Continuous
Table 8 - Tolerance of the risk of extortion
The Table 8 highlight the risk tolerance is intolerable. Company X must increase the protection of this intangible asset. In the countermeasure library in Table 5 we can select the right action depend of the strategy. IV. CONCLUSION Intangible capital play central role in the overall performance of SMEs. The recent global economic crisis increased the strategic importance of intangible capital in the sustainability of the performance in organizations. In this paper, we have proposed a framework for the Intangible Capital Risk Assessment (ICRA). Our approach provides
insight in prevention and/or mitigation of the effects of threats on the intangible capital. ACKNOWLEDGMENT This thesis has financial support from the Aube Conseil General, the Chamber of trade and handicraft of Troyes, the General Secretariat for Defence and National Security (SGDSN) and the “Institut des Hautes Etudes de la Defense Nationale” (IHEDN) REFERENCES [1] AGENCE NATIONALE DE SECURITE DES SYSTEMES D'INFORMATION. (2004). OUTILS METHODOLOGIQUE. CONSULTE LE 2010, SUR ANSSI: HTTP://WWW.SSI.GOUV.FR/SITE_ARTICLE45.HTML [2] Alberts, C. J., Dorofee, A. J., & Allen, J. H. (2001). OCTAVE Catalog of Practices. Rapport Technique. [3] Argyris, C. (1995). Savoir pour agir. Paris: Interéditions. [4] Argyris, C. (1976). Single-loop and double-loop models in research on décision making. Administrative Science quaterly , 21, 363-375. [5] Bell, D. (1973). The coming of the Post indutrial Society. New-York: Harper. [6] Bulinge, F. (2002). Pour une culture de l'information dans les petites et moyennes organisations: un modèle incrémental d'Intelligence Economique. Université Toulon Var. Thèse. [7] Choo, C. W., & Auster, E. (1993). Environnemental scanning: acquisition and use of information by Managers. Annual Review for the American science and Technology , 28, pp. 280-310. [8] Clusif. (2010). Présentation de MEHARI. Récupéré sur Clusif: http://www.clusif.asso.fr/fr/production/mehari/ [9] Cohen, D. (2006). Trois leçons sur la société postindustrielle. (C. L. Idées, Éd.) Paris: Seuil. [10] Culp, C. L. (2001). The risk management process. (J. W. ltd, Éd.) [11] Davenport, T. H. (2003 йил May). What's the Big Idea: Creating and Capitalizing on the Best Management Thinking. Harvard School Press . [12] Davenport, T., & Prusak, L. (1997). Information: Mastering the Information and Knowledge Management. New-York: Oxford University Press. [13] Drucker, P. (2001). The essential Drucker: The best of sixty Years of Peter Drucker's Essential Writtings on Management. New-York: Collins. [14] Ducan, R. (1972). Characteristics of Organizational Environnements and perceived environnement uncertainty. Administrative Science Quaterly , 313327. [15] Dufour, L. (2008). Le risque dans sa diversité. Paris: Lavoisier. [16] Edvinsson, L. (199). Word of value-giving word ti IC. Skandia. [17] Ezell, B. C. (2008). Infrastrure vulnerability Assessment Model (I-VAM).
[18] Fayard, P. (2003). Le concept du ba dans la voie japonaise de création du savoir. Ambassade de France à Tokyo, Service pour la Science et la Technologie. [19] Fillias, E., & Villeneuve, A. (2011). E-reputation: stratégies d'influence sur Internet. Paris: Ellipses. [20] Fitchett, J. (1998). Managin your organization's key assey: knowledge. Health Forum Journal , 41, 50-60. [21] Germon, R., Laclemence, P., & Birregah, B. (2011). A matrix approach for threat assessment on Human Capital in SMEs. International Journal of Business and Management Studies , 3. [22] Germon, R., Laclémence, P., & Birregah, B. (2011). Sécurité économique des PME par la protection du cycle du savoir . Revue Internationale d'Intelligence Economique . [23] Guilhon, A., & Oubrich, M. (2004). La création des connaisances dans un processus d'intelligence économique: contribution conceptuelle et Etude empirque. Veille Stratégique Scientifique et Technique, (pp. 319-337). Toulouse. [24] Insight Consulting. (2005). Integrating Security into ITProjects and Programmes. Rapport Technique, Siemens Global network of innovation. [25] Insight Consulting. (2005). The logic behind CRAMM's Assessment of Measures of Risk and Determination of Appropriate Countermeasures. Rapport Technique, Siemens, Siemens Global network of innovation. [26] ISO9000V200. [27] Julien, P.-A. (1994). Les PME: Bilan et perspective. Paris: Economica. [28] Lane, V. (1985). Security of computer based Information Systems. London: Macmillan Education. [29] Legrand-Escure, L., & Thietard, A. (1997). Complexité du vivant au management. Dans s. l. P., Encyclopédie de gestion. Paris: Economica. [30] Lemettre, J.-F. (2008). Risque, Information et organisation. (L'Harmattan, Éd.) Press Universitaire de Sceaux. [31] Mahé De Boislandelle, H. (1996). L'effet de grossissement chez les dirigeants de PME: ses incidences sur le plan du management des hommes et de la GRH. 3ème Congrès Internationale Francophone PME, (pp. 101-115). Trois-Rivière. [32] Massingham, P. (2009). Knoawledge risk management: a framework . Journal of Knoawledge Management . [33] Mayer, N., & Humbert, J.-P. (2006). La gestion des risques pour les systèmes d’information . MISC , 24. [34] Otterson, S. (2005). Transferring catastrophe risk management knowledge. Risk Management , 52. [35] Pardini, G. (2009). Introduction à la sécurité économique. Paris: Lavoisier. [36] Peltier, T. (2001). Information Sécurity Analysis. New-York: Auerbach. [37] Roy, B. (1996). Multicriteria methodology for decision aiding. (Springer, Éd.) Dordrecht: Kluwer Academic Publishers.
[38] Slovic, P. (2006). The perception of risk. Londres: Earthscan. [39] (2003). Small and medium-sized enterprises (SMEs). European commission. [40] Torres, O. (2002). Small firm, glocalization strategy and proximity. 16ème Conférenece of European Coucil of Small Business , (pp. 21-22). Bacelone. [41] Weick, K. E. (1995). Sensmaking in organizations. Sage Publication. [42] Wilensky, H. (1967). Organizational Intelligence: Knowledge and Policy in Government and Industry. Basic Books Inc.,U.S. . [43] Torres, O (2000) Du role et de l’importance de la proximité dans la spécifité de gestion des PME, 5ème Congrès International sur la PME [44] Von Bertalanffy, L. (1973), Théorie générale des systèmes, Dunod, 1973 [45] Communications Security Establishment - Royale Canadian Mountain Police (2007), Harmonized Threat and Risk Assessment (TRA) Methodology. [46] McCrohan, K.F (2002), Competitive Intelligence: Preparing for the Information War, Lon Range Planning, Vol.31, 586-593 [47] Crane A. (2005), In the company of spies: When competitive intelligence gathering becomes industrial espionage, Business Horizons, Vol.48, 233-240 [48] Gupta M. (2010), A new strategy for the protection of intellectual property, Computer Fraud & Security Rony G. Author he is born in 1986 in Fort-de-France. He is a phd student in University of Technology of Troyes. He is specialize in business intelligence and knowledge management for SMEs at the Joint Research Unit in Sciences and Technologies for Risk Management. Mr. Germon is member of CIFPME.
