Most people would quickly identify the financial risk that Software Asset Management (SAM) addresses: vendor audits and compliance penalties. That is not the only risk. Poorly managed software assets can have significant impacts on budgets, opportunity costs, reputation and contract negotiations. This article discusses these risks and some of the remedial actions you should consider to lower the likelihood and impact of each of them.
We will discuss the most obvious risk first: non-compliance and the financial costs involved. There are two scenarios in which an organisation pays a vendor additional licence fees for non-compliance. The most common is a vendor exercising its contractual right to audit the use of its software against the licensing model. The second, which is becoming more common, is a self-audit: the organisation measures its own deployment and, where over-deployment is found, pays the vendor for the additional licences. In an IT environment that does not control the distribution and installation of software, the non-compliance risk is very high.
Of the two scenarios, a software asset management professional should work towards the second as the preferred way of managing non-compliance with a vendor. It is the better option because the financial consequences of non-compliance can be negotiated with the vendor beforehand, which gives certainty about the costs involved and establishes a clear process with the vendor.
The first scenario is more complex, and the uncertainty of the outcome once non-compliance is identified is high, both financially and procedurally. Where an organisation accepts the vendor's claim, whether on the evidence of an audit or through other mechanisms, the payment due to the vendor is usually an unfunded liability: it is not in any existing budget and must be taken from other budgets. The software will also cost more than it would have under normal procurement, so the financial impact is much greater than normal. This is one of the advantages of the second scenario, where the cost of non-compliance has already been agreed between your organisation and the vendor. In the first scenario, if the organisation and the vendor cannot agree, there are the further costs of mediation and/or court proceedings. These costs build up quickly and require a substantial commitment of resources. If a court judgement goes against the organisation, the financial cost can be very high, as the vendor's claims are usually much larger in a court situation.
Opportunity cost is not normally treated as a risk, but it is one. An opportunity cost arises when resources have to be assigned to an unplanned activity, so a planned activity does not proceed on schedule, or at all; the benefits expected from the planned activity are not realised, while the cost of the resources is still incurred on the unplanned work. When a vendor claims non-compliance, the resources needed to respond to the audit cannot be deployed to the initiatives that are maturing your organisation's SAM capability, and because that work is not done, a new risk is potentially introduced. Treating opportunity-cost risk is not straightforward; much depends on the maturity of your SAM program and on how well the SAM team plans, reports and monitors achievements against that plan. The more often the SAM team incurs an opportunity cost, the longer the program will take to reach its desired maturity state.
The reputational risk from substantiated claims of non-compliance is potentially a heavy cost to bear, especially for organisations whose image is built on trust, compliance and good corporate citizenship. A good reputation is extremely hard to build but can be quickly damaged or destroyed. Organisations spend a lot of money and effort over long periods to enhance their standing with customers, shareholders, partners, the community and other stakeholders. An organisation with a damaged reputation can find it hard to attract and retain customers, sponsors, partners and staff. Its cost of funding can also rise as the market prices in the reputational damage, with a follow-on effect on net profit.
The risk in contract negotiations is not knowing your actual deployment and usage; this is, in effect, the organisation's baseline. If a vendor knows that an organisation does not have an effective SAM program, it will take advantage of that and put forward proposals that cost more than they should, and you will more than likely buy far more licences than you need. That cost then grows with the support and maintenance fees paid to the vendor every year and with the effort the SAM team spends managing the surplus licences. If the vendor's arguments are convincing and you lack the records to disprove them, you are making decisions without evidence, which is a risky management practice. Organisations continually buy more licences than they need because they lack a baseline. This wastes funding that could be used elsewhere in the organisation.
There are multiple risks to ongoing operations. These include the use of unauthorised software, the use of unsupported software, future budget liabilities from software over-deployment, the availability of software when it is required, the reallocation of resources away from supporting ongoing operations to discovery tasks, manual tasks that extend completion timelines and reduce the accuracy of information, and the opportunity cost of not focusing on core operational support functions.
The use of unauthorised software may expose the organisation to security, support, performance, availability and long-term architecture risks. Unauthorised software should not reach the environment if the service management change and release processes are functioning correctly and at a basic level of maturity. Because it has bypassed the standard development and test processes, unauthorised software has not been through any security review or accreditation: its vulnerabilities are unknown, there is no assurance that patches will be available or released on a known cycle, and how it interacts with the authorised software in the environment is unknown. Unauthorised software will also have no support agreement with the vendor, as it was not procured through the authorised SAM channel. If it becomes unstable, fails or needs to be tailored to your environment, the organisation will have to do that work itself, which for the vast majority of organisations is impossible. This leads to availability and performance issues in the business services that the IT department supports, and a core problem for the operations team if they are not meeting their availability and performance targets.
Unauthorised software has no approved budget. If funds are found in other budgets to purchase it, the budgets for future years will also need to be reallocated should you enter into maintenance and support for it. Future costs for maintenance, licence growth, compliance requirements and other associated items are not certain to be funded. This is a risk to the rest of the IT budget: when funds are required they must be reallocated from other budgets, potentially causing a funding and delivery problem for the services that no longer have the money to deliver.
Authorised software is managed by the software library, which provides a range of services to ensure that the operations team has access to software when it is required, so that the availability and performance requirements of the business services are met. Where unauthorised software has been implemented, the software library cannot provide the operations team with these support services, which puts the availability and performance of the business services at risk.
Where unauthorised software is suspected or has been discovered in the IT environment, the operations team will need to reallocate some of its resources away from supporting ongoing operations to discovery tasks. Discovery can be drawn out and complex, which usually means the operations team has to assign its more skilful, experienced and knowledgeable staff to it, and reassigning those staff exposes the business services to risk. Analysing unauthorised software generally takes far longer than analysing authorised software, because it is unknown, whereas authorised software has been approved through standard processes and procedures and implemented through the development, test and finally production environments. While these activities are under way, both the SAM team and the operations team are diverted from their previously agreed work plans. The organisation therefore incurs an opportunity cost on work that had not been planned for, which may impact future SAM capability and support of the business services, introducing a risk that had not been planned for.
There are risks for senior executives if a significant financial and/or reputational issue arises from an inadequate level of management of software assets. Senior executives are responsible and accountable for protecting the organisation from threats to its finances and reputation. The senior executive is accountable for identifying what the organisation needs in order to manage its software assets and for putting the necessary capability in place. It is widely known in the IT industry that the number of vendor audits has been steadily increasing in recent years and that a number of companies are being found non-compliant. If the organisation is exposed to this risk without appropriate measures in place, accountability will rest with the relevant senior executive.
Another risk is that the SAM team simply gets a key issue wrong. This is a risk to any capability in the organisation, but with software asset management it can come at a large financial cost. The likelihood depends on the current skill and experience of the SAM team, the training programs in place, the level of governance and reporting, the authorisation levels for decision making and the quality assurance procedures that have been implemented.
The security threats from unlicensed software are a risk to the organisation. This software has usually not been brought into the organisation through the proper channels and therefore has not been through the security accreditation process, whose purpose is to ensure that new software does not compromise the IT environment or the business services it provides. Malware can be introduced directly by the software or indirectly through its requirements; one such requirement could be opening a port that allows malware to enter. The software could also itself contain malicious code. One of the key roles of the SAM team is to monitor and report on any discovered software that is not on the approved software list or that has no licensing entitlement. A strong working relationship should be developed with the security team to ensure that the software installed in the environment is both authorised and licensed.
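The two checks this article keeps returning to, the self-audit that finds over-deployment before the vendor does and the monitoring of discovered software against the approved list and the licence entitlements, are the same reconciliation. The following script is an added example, not code from the original article: it takes inventory records (host, product), an approved-software set and a list of entitlements, and reports unauthorised, unlicensed, over-deployed and compliant products. All product names, hostnames, quantities and the two licence metrics modelled ("install" and "device") are constructed assumptions; a real reconciliation must use the metric defined in each vendor's agreement.

```python
"""Reconcile discovered software installs against the approved-software list
and licence entitlements (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entitlement:
    product: str
    metric: str     # assumed metrics: "install" = per installed copy, "device" = per host
    quantity: int


@dataclass
class Reconciliation:
    unauthorised: list = field(default_factory=list)   # discovered, not on approved list
    unlicensed: list = field(default_factory=list)     # approved, but no entitlement held
    over_deployed: dict = field(default_factory=dict)  # product -> licences short
    compliant: dict = field(default_factory=dict)      # product -> spare licences


def reconcile(discovered, approved, entitlements):
    """discovered: iterable of (hostname, product) records from an inventory scan.
    approved: set of product names that passed change/security review.
    entitlements: list of Entitlement; one metric per product is assumed."""
    installs = defaultdict(int)
    hosts = defaultdict(set)
    for host, product in discovered:
        installs[product] += 1
        hosts[product].add(host)

    owned = defaultdict(int)
    metric = {}
    for e in entitlements:
        # Mixing metrics for one product cannot be summed; fail loudly instead.
        if metric.setdefault(e.product, e.metric) != e.metric:
            raise ValueError(f"mixed licence metrics for {e.product}")
        owned[e.product] += e.quantity

    result = Reconciliation()
    for product in sorted(installs):          # sorted for a deterministic report
        if product not in approved:
            result.unauthorised.append(product)   # security/accreditation gap first
            continue
        if product not in owned:
            result.unlicensed.append(product)
            continue
        consumed = installs[product] if metric[product] == "install" else len(hosts[product])
        shortfall = consumed - owned[product]
        if shortfall > 0:
            result.over_deployed[product] = shortfall
        else:
            result.compliant[product] = -shortfall
    return result


# Constructed sample data: three OfficeSuite installs against two licences,
# two DBEngine instances on one host plus one on another (device-licensed),
# an approved editor with no licence, and a product nobody approved.
SAMPLE_DISCOVERED = [
    ("ws-001", "OfficeSuite"), ("ws-002", "OfficeSuite"), ("ws-003", "OfficeSuite"),
    ("srv-01", "DBEngine"), ("srv-01", "DBEngine"), ("srv-02", "DBEngine"),
    ("ws-002", "PDFEditor"),
    ("ws-004", "ScreenRecorderX"),
]
SAMPLE_APPROVED = {"OfficeSuite", "DBEngine", "PDFEditor"}
SAMPLE_ENTITLEMENTS = [
    Entitlement("OfficeSuite", "install", 2),
    Entitlement("DBEngine", "device", 2),
]


def sample_reconciliation():
    return reconcile(SAMPLE_DISCOVERED, SAMPLE_APPROVED, SAMPLE_ENTITLEMENTS)


if __name__ == "__main__":
    r = sample_reconciliation()
    print("unauthorised :", r.unauthorised)
    print("unlicensed   :", r.unlicensed)
    print("over-deployed:", r.over_deployed)
    print("compliant    :", r.compliant)
```

The ordering of the checks reflects the article's priorities: software missing from the approved list is reported before any licence count is looked at, because it has bypassed accreditation regardless of whether someone later buys a licence for it. Note that DBEngine shows as compliant only because its entitlement is per device; counted per install it would be one licence short, which is why the metric in the agreement, not the raw install count, must drive the self-audit.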
This article has covered a lot of ground in identifying risks and some treatments to reduce their likelihood and mitigate their impact. Managing SAM risk is a key priority for your software asset management team. The risks are complex, and the actions required are discussed in far greater detail in the topic-specific and in-depth information articles.