How the CREATe Leading Practices Program Works
What is CREATe Leading Practices?
CREATe Leading Practices is a service that companies can use to measure and improve their business practices in the areas of corruption prevention, cybersecurity, trade secret and intellectual property (IP) protection. CREATe provides four separate services: CREATe Leading Practices for Anti-Corruption; CREATe Leading Practices for Cybersecurity; CREATe Leading Practices for Trade Secret Protection; and CREATe Leading Practices for IP Protection. Each CREATe Leading Practices service includes:
- An Online Self-Assessment providing insights into the controls and practices that companies have in place for IP and trade secret protection, cybersecurity or anti-corruption;
- An Independent Evaluation by a CREATe expert to further assess and benchmark company current processes against internationally-recognized leading practices; and A Summary Report prioritizing immediate areas of concern and recommending actions.
- Improvement Guidance: A defined improvement project and access to comprehensive CREATe Leading Practices Guides. The Guides provide step-by-step directions for improvement along with sample resources such as checklists, communication and contract language and other tools.
CREATe Leading Practices is based on practical experience, insights from academics, think tanks, organizations and the leading practices utilized by companies around the world for IP and trade secret protection, cybersecurity and anti-corruption.
Why should my company participate in CREATe Leading Practices?
Corruption, cybersecurity, and intellectual property and trade secret theft are issues that can put companies at financial, reputational and legal risk. CREATe Leading Practices helps your company mitigate these risks by first assessing current systems in place to prevent corruption, improve cybersecurity and protect IP and trade secrets; and then providing step-by-step guidance for making improvements.
Companies that develop effective programs can enjoy numerous benefits, including safeguarding assets and gaining a competitive advantage, as well as differentiating themselves from their competition when seeking to attract customers and business partners. A company that develops an effective anti-corruption program can avoid costly litigation, fines, penalties, and reputational harm, while enhancing their position as an ethical company and, again, differentiating themselves from competitors, making the company more attractive to business partners, potential employees, and customers alike.
What is CREATe Compliance, the organization behind the service?
CREATe Compliance works with enterprises to better manage internal and third party global risks by making leading practices in anti-corruption, cybersecurity, intellectual property and trade secret protection practical, actionable and achievable.
CREATe Compliance helps companies to embed a cycle of monitoring, measurement and improvement to build and strengthen effective compliance and risk management programs through its CREATe Leading Practices services:
- CREATe Leading Practices for Anti-Corruption
- CREATe Leading Practices for Cybersecurity
- CREATe Leading Practices for Trade Secret Protection
- CREATe Leading Practices for IP Protection
This consistent ‘measure and improve’ approach across key risk areas enables benchmarking and sharing across the global supply chain.
The CREATe Leading Practices services are available in a range of languages including English, Chinese, Japanese, Portuguese and Spanish.
The CREATe Leading Practices services were developed to foster shared learning and resources that are cost-effective, scalable and used broadly across sectors and geographies.
What do you mean by an ‘IP protection program’?
Intellectual property represents valuable corporate assets, which could include patents, design rights, copyright, trademarks and trade secrets. Typically the legal department will manage IP protection through contracts and other means. CREATe Compliance recommends complementing legal actions with a holistic program that takes a ‘management systems’ approach. What this means is that for every IP protection policy, there are actions and practices that will help to ensure that the policy is being consistently implemented. For example, sensitive company information, such as a product formula, should be on a secure computer that can be accessed only by those who require it and have clearance to do so.
The goal should be to protect your own IP and others’ IP through management systems and processes that can be measured and improved over time. CREATe Leading Practices for IP Protection is a service that enables companies to measure and improve systems in place to protect IP.
What do you mean by an ‘anti-corruption program’?
Companies can be held liable for the corrupt activities of employees and third parties working on their behalf. As such, each company should have a management system in place that uses systematic practices and procedures to identify and address potential risks and to prevent corruption. CREATe Leading Practices for Anti-Corruption is a service that offers companies the ability to assess current anti-corruption practices and then make improvements over time. Companies can also use it with third parties such as business partners to help them improve their own anti-corruption management systems and reduce the risk they pose to the company.
What languages are available for CREATe Leading Practices?
CREATe Leading Practices is available in languages including English, Chinese, Japanese, Spanish and Portuguese.
How long does it take to go through CREATe Leading Practices?
CREATe Leading Practices is a multi-step service. The first step, the Online Self-Assessment, takes some initial prep and then 90 minutes to complete. The second step – an Independent Evaluation – takes about 60 to 90 minutes and also can involve the company collecting and sending sample documents, such as employee codes – to the CREATe Compliance experts. In the weeks that follow, CREATe will send the company a summary report and work with the company to identify an improvement project. CREATe Compliance also offers workshops, training and other resources to help guide the improvements.
Who in my company needs to be involved in the CREATe Leading Practices service?
Typically one person will manage the first step of the CREATe Leading Practices Self-Assessment, and as required, draw on the experience of others in the organization. This would be the person with primary responsibility for IP or trade secret protection, cybersecurity or the company’s anti-corruption program.
For the Independent Evaluation portion of the service – which involves a discussion with a CREATe Compliance expert evaluator – many find it helpful to bring together a team of people from different areas of the company. These people can also form the basis for a cross-functional team to help implement a more robust IP protection or anti-corruption program across the organization. These functional areas could include the following roles, however it differs across companies:
- Human resources/training (HR)
- Quality or Occupational Health and Safety (someone who has management system background)
How Your Company is Evaluated
How does the online Self-Assessment work?
The online Self-Assessment asks a series of specific questions about the policies, procedures and management systems that a company has in place to manage the use and protection of IP or to prevent corruption. A management system maturity score from 1 to 5 is automatically generated based on the company responses.
How does the Independent Evaluation work?
In most instances, the Independent Evaluation will be conducted by telephone and will include a review of existing documents. If desired and practical, the Independent Evaluation meetings can take place in-person. The Independent Evaluation covers the same management system categories covered in the Self-Assessment. The Independent Evaluation is conducted as a shared learning discussion and is designed to help companies better understand the level of maturity of the systems they have in place for IP or trade secret protection, cybersecurity or anti-corruption. The CREATe Compliance expert will ask for some sample documents of non-proprietary information that reflect the company’s program. These documents will be only seen by the evaluators on a need-to-know basis and then are deleted or destroyed. All information is treated as confidential.
For the CREATe Leading Practices service, what kind of information or report will CREATe Compliance provide once a company has completed the Self-Assessment and Independent Evaluation?
After completing the CREATe Leading Practices Self-Assessment and Independent Evaluation, your company will receive the following:
- Self-Assessment scores in each of the process categories;
- Independent Evaluation scores in each of the process categories along with an overall score;
- A Summary Report that benchmarks your scores against blinded, aggregated scores from all participating companies; and a recommended improvement project.
- Observations and recommended actions for the company to improve its programs and access to the comprehensive CREATe Leading Practices guides.
Does CREATe Compliance publicize the benchmark results?
The benchmark results are only published in aggregate (as a group) so no company’s individual results are published. Upon consent of a company, we will add its scores to a database where third parties have controlled access to search and view them.
Does CREATe Compliance issue a certificate to the companies who have completed the assessments?
Companies can print a certificate of completion for each part of the CREATe Leading Practices service that is completed.
How the CREATe Leading Practices Service Addresses IP Issues
Is the CREATe Leading Practices service intended to cover all aspects of IP, from misappropriation of copyrighted material to unauthorized use of trademarked material to theft of patented material and trade secrets? These issues are so different that entirely different assessment processes could be designed for them.
CREATe Leading Practices is focused on improving the management systems that companies have in place for IP protection, and as such is designed to be flexible enough to deal with all kinds of IP and trade secret protection issues.
That is not to say that how these different types of IP issues are managed will be the same – specific procedures to protect against incorporating counterfeit trademarked components will not be the same as those for protecting trade secrets, for example. Indeed, different kinds of businesses may only need to manage a subset of IP issues. More detailed procedures for different types of rights and IP-related activities are the norm and are to be expected, but we are not specifying these here. Rather, we are suggesting only that strong management systems should be in place in areas relevant to the company. This makes CREATe Leading Practices useful for different types of businesses and different mixes of IP-related issues.
We deal with patents very differently from other forms of IP – a company cannot be expected to search and be aware of every patent that might possibly affect its business, can it?
CREATe Leading Practices does not promote or evaluate any such practices. CREATe Leading Practices looks at eight ‘process management categories’ that are as relevant to patents as to other forms of IP. For example – Is there management support and a relevant team that manages patent issues? Are relevant records kept, for example of filings and licenses? Are monitoring and corrective actions in place (e.g. procedures for reporting third-party patent claims to relevant customers)? These types of ’process management categories’ are relevant to patents, just as team management, recordkeeping, and monitoring and corrective actions are relevant in other ways to other forms of IP. All are anticipated by the CREATe Leading Practices service in ways appropriate to different forms of IP and different types of businesses.
How will companies get more detailed information on managing particular types of IP?
CREATe Leading Practices will help you understand the key categories of general IP protection and our recommendations will apply to all types of IP. You will also have access to a comprehensive Guide to Improving Your IP Protection Program, which includes specific steps for IP protection as well as resources and direction specific to particular types of IP.
How the CREATe Leading Practices Service Addresses Corruption Issues
Is CREATe Leading Practices intended to cover all aspects of corruption risk?
CREATe Leading Practices is focused on improving the management systems that companies have in place to deal with corruption risk and to help ensure compliance. It is designed to be flexible enough to deal with various kinds of corruption risk in a variety of situations. While each compliance program must be designed with unique company circumstances in mind, CREATe Leading Practices can help you gain insight into the strengths and weaknesses of your program and determine whether it meets best practices outlined by international organizations. The CREATe Leading Practices Guide to Improving Your Anti-Corruption Program is another resource included in CREATe Leading Practices, which provides you with actionable steps for improvement and helps your company to demonstrate a commitment to compliance.
Security and Legal Issues for CREATe Leading Practices Participants
How will CREATe Compliance keep company information secure?
Both the Self-Assessment and Independent Evaluation responses, and any information you provide as part of the Independent Evaluation, are kept on a secure, password protected server. Only the CREATe Compliance’s evaluator and CREATe Compliance’s senior management will have access to it on a need-to-know basis. You will have access to reports by using a unique user name and password. Documents provided as part of the Independent Evaluation are deleted once the evaluation is complete.
CREATe Leading Practices’ online services are hosted Microsoft Azure servers (Azure). Azure are world-class enterprise-level hosting service providers with data centers around the world, mirrored services in the USA, EU, Asia, and South America and an immense focus on protecting data. Through Azure, bandwidth, security, redundancy, system capacity, backup and concurrent usage issues are managed automatically. The self-assessment will be accessed through a unique user ID and password.
All data used for internal analysis to generate metrics and reports, will be stored on a single machine in a secure Azure Datacenter. The data will be stored in MySQL tables on this machine. MySQL has sophisticated security schemes to protect data. Without direct physical access to the data files, defeating this security is very difficult. Remote access over IP will be limited to CREATe administrative personnel and specific remote IP addresses. All actual data will be encrypted at rest and in transit utilizing AES 256 and SSL certificates.