Australian Software Asset Management Association




Software Asset Management Risks



Most people would quickly identify the financial risk of Software Asset Management (SAM) from vendor audit and compliance measures, but this is not the only risk. The risk profile of SAM can be extremely high where there can be significant impacts on budgets, opportunity costs, reputation and contract negotiation. This article will discuss these risks and some of the remedial actions you need to consider lowering the likelihood and impact of those risks occurring.

We will discuss the most obvious risk first, the risk of non-compliance and the financial costs involved. There are two possible scenarios for paying a vendor additional licence fees for non-compliance. The most common one is through a vendor exercising their rights in undertaking an audit of use of their software based on the licensing model. The second scenario which is starting to become more common place, is where an organisation undertakes a self-audit and if over deployed has occurred they will pay the vendor the additional money to procure these licences. In an IT environment that does not control its distribution and installation of software, the non-compliance risk is very high.

Of the two scenarios discussed above, as a software asset management professional you should be working to have the second scenario as your preferred option in managing non-compliance with a vendor. The reason that this is the better option is that you can negotiate with the vendor before hand on what will be the financial costs for non-compliance. This places certainty on the costs that would be involved in non-compliance and also establishes a clear process with the vendor.

The first scenario is more complex and the level of uncertainty on the outcomes if non-compliance is identified, is quite high both in a financial and process perspective. Where an organisation believes the vendors claim either through evidence of an audit or through other mechanisms the cost to pay the vendor is usually an unfunded liability. This means this cost is not in an existing budget for and it must be paid from other budgets. The cost of the software will be greater than if it was bought under normal procurement processes, therefore the financial cost will be much greater than normal. This is one of the advantages of the second scenario, where the costs of non-compliance have already been agreed to by your organisation and the vendor. For the first scenario if the organisation and the vendor cannot agree then there is the cost of arbitration through mediation and/or court proceedings. These costs can build up quickly and do require a substantial commitment of resources to meet the requirements of mediation and/or court proceedings. If a court judgement is made against the organisation then the financial costs could be very high, as the vendor’s claims are usually much higher in a court situation.

Opportunity cost is not normally associated as a risk but it surely is. Opportunity costs is where because of another requirement to assign resources to an unplanned activity, the planned activity does not proceed on schedule, or at all, thereby the benefits that were expected from the planned activity are not realised, whilst the costs of resources are still incurred on another activity. In the scenario of a claim of non-compliance from a vendor, the resources needed to address risks from a vendor audit means that these resources could not be deployed to other initiatives that are maturing your organisations SAM capability. As this work is not being done, it potentially is introducing a new risk. The treatment of an opportunity cost risk is not straight forwarded, a lot will depend on what is the likelihood on the maturity of your Software Asset Management program and the maturity of your software asset management teams planning, reporting and monitoring of achievements against the plan. The more times that an opportunity cost is incurred by the software asset management team, the longer it will take for the Software Asset Management program to reach its desired maturity state. 

The reputation risk that exposes an organisation to substantiated claims of non-compliance is potentially a heavy cost to bear, especially for organisations where there main organisation image is about trust, compliance and good corporate citizens. A good reputation is an extremely hard to develop and build but it can quickly be damaged or totally removed. Organisations spend a lot of money and effort over long periods of time to enhance their standing in the eyes of their customers, shareholders, partners, the community and stakeholders. Organisations with reputation damage can find it hard to attract and retain existing customers, sponsors, partners and staff. Costs of funding could increase due to the market perception of the cost of the reputation damage and the follow on effect of the organisations net profit due to the increased costs of funds. 

The risks during contract negotiations are not knowing what is the actual deployment and usage, effectively this is the organisations baseline. If a vendor knows that an organisation doesn’t have an effective SAM program then they will take advantage of that and put proposals that may be more costly than what they should be, you will more than likely be buying software licences in far greater numbers than what is required. This cost is then increased with support and maintenance costs paid to the vendor each year and the additional organisation costs in managing these extra licences by the software asset management team. As an organisation if the vendor arguments are convincing and you lack the organisations records to disprove the vendors arguments, then decision making without evidence is a risky management practice. Organisations continually buy more software licences than they need to, due to the lack of a baseline. This is a waste of valuable funding that could be used elsewhere in the organisation. 

There are multiple risks to ongoing operations, these include; the use of unauthorised software, the use of non-supported software, future budget liabilities on software over deployment, the availability of software when required, the reallocation of resources away from supporting ongoing operations to be assigned to discovery tasks, the undertaking of manual tasks that extended completion timelines and accuracy of information and the opportunity costs in not focussing on core operation support functions. 

The use of unauthorised software may expose the organisation to security risks, support risks, performance risks, availability risks and long term architecture risks. The implementation of unauthorised software should not occur if the service management change and release management services are functioning correctly and at least at a basic maturity state. Unauthorised software would not have been able to follow the standard processes in development and test; thereby the software has not been through any security review and accreditation processes. This exposes a risk in the supportability of a patch management availability and release cycle, the vulnerabilities of the software are unknown and the sociability of its operation with the other authorised software in the environment is unknown. Unauthorised software will not have a support agreement in place with the vendor, as it has not been procured through the authorised software asset management channel. This means that if the software becomes unstable, is failing and/or needs to be tailored to your environment you will have to complete these tasks within the organisation, which in the vast majority of organisations is an impossible task. This leads to availability and performance issues with the business services that the IT department is supporting for your organisation. This is a core problem for the operations team if they are not meeting availability and performance targets. 

Unauthorised software does not have an approved budget expenditure. This means that if funds were found to purchase the software from other budgets the budgetary requirements for future years will need to be reallocated as well if you enter into maintenance and support for the software. Any future years costs for maintenance, licence growth, compliance requirements and other associated costs are not certain to be available. This then is a risk to the rest of the IT budget as if funds are required, then these funds need to be reallocated away from other budgets, potentially causing a funding issue and a delivery issue on the services that no longer have their funding to deliver.

Authorised software is managed by the software library who provide arrange of services to ensure the operations team have access to software when its required to ensure that the availability and performance requirements of the business services are being met. If unauthorised software has been implemented, the software library is unable to provide the operations team with their support services, therefore placing a risk to the availability and performance of the business services. 

Where unauthorised software is suspected or has been discovered in the IT environment, the operations team will need to reallocate some of their operations resources away from supporting ongoing operations, to be assigned to discovery tasks. Discovery tasks can be quite drawn out and complex, which usually means that the operations team needs to assign their more skilful, experienced, knowledgeable staff to this work, which can expose the business services to a risk, if these staff have been reassigned away from supporting the business services. The analysis of unauthorised software generally takes a lot more time than authorised software as it is unknown, compared to authorised software that has been approved through standard processes and procedures as it has been implemented through the development, test and finally production environments. Whilst these activities are being undertaken both the software asset management team and the operations team are being diverted from their previously agreed work plans. This means that there is now an opportunity cost on your organisation to undertake work on unauthorised software that previously hadn’t been planned for. This cost may impact on future software asset management capability and support of the business service, thereby causing a risk that hadn’t been planned for. 

There are risks for senior executives if there is a significant financial and/or reputational issue to the organisation due to the lack of an appropriate level of management of software assets. As senior executives they are responsible and accountable to protect the organisation from threats to the organisations financials and reputation. The senior executive is accountable to identify what are the requirements to enable the organisation to undertake the management of software assets and to put in place the necessary capability. It is widely known in the IT industry that the number of vendor audits that have been steady increasing in recent years and that a number of companies are being found to be non-compliant. If the organisation is being exposed to this risk, without the appropriate measures being undertaken then the accountability will be with the appropriate senior executive. 

Another risk is when the software asset management team just gets it wrong on a key issue. This is a risk to any capability in the organisation, however usually with software asset management this could come at a large financial cost. The likelihood of this happening will depend on the current skill and experience of the software asset management team, the training programs in place, the level of governance and reporting, the authorisation levels for decision making and the quality assurance procedures that have been implemented. 

Security threats of unlicensed software are a risk to the organisation. This software usually has not been bought into the organisation through the proper channels and therefore has not been through the security accreditation process. The purpose of the security accreditation process is to ensure that the introduction of new software does not compromise the IT environment and the business services that the IT environment is providing to the organisation. It is quite possible that malware can be introduced either directly by the software or indirectly through the software requirements. One of the software requirements could be the opening of a port that could allow malware to be introduced. There is also the possibility that the software could contain malicious code. One of the key roles of the software asset management team is to monitor and report on any software that is discovered that is not on the approved software list and does not have software licensing entitlements. A strong working relationship should be developed with the security team in ensuring that the software installed in the environment is authorised and licensed. 

This article covered a lot of ground in identifying risks and some treatments of those risks to reduce their likelihood and to mitigate their impact. Management of Software Asset Management risk is a key priority for your software asset management team. Risks are complex and the depth of actions required are to be discussed in far greater detailed are to be discussed in far greater detailed in the topic specific articles and in-depth information articles. 

(IE Printing: - There are known IE printing problems that affect certain printer brands and printer types; Chrome and Firefox have no reported issues.)