Most organizations have a well-developed risk management practice. The most mature organizations practise enterprise risk management, which is process-based and cross-functional. Other companies are still on their way there, but do at least manage operational risk and project risk. Within these companies, most IT business units practice IT asset management (ITAM) and software asset management (SAM). What is disturbing is that SAM risks are generally missing from the organizational risk register, and are only visible at IT level, or come under annual scrutiny at license renewal time. What can happen under these circumstances is that an audit by the software vendor can identify non-compliance and make a huge hole in the company’s annual revenue. We are not talking small or medium businesses here, although they are also at risk.
SAP on the Warpath
When SAP saw its revenues flagging, a decision was made to tighten up on compliance. It decided that APIs that allowed other software such as Salesforce to access the SAP database were “users” and were breaching their agreements with customers. It confronted some of its largest customers, like Diageo and AB (Annheuser Busch)-InBev and won. The claim against AB-InBev was for $600-million – even the world’s biggest brewer cannot afford to cough up such a totally unexpected and unbudgeted expense. There was an out-of-court settlement, which would have been at a lower sum, but it would still be material enough to feature in the next annual report.
SAP’s aggressive policy is open to dispute, and Diageo recently won an appeal against the judgement passed in 2017, but it raises some serious questions. If these massive organizations cannot manage their compliance effectively, what hope is there for the rest of us? The next question is whether the risk of non-compliance is listed as an organizational risk, and not merely the CIO’s nightmare?
It is not Just about Compliance
While every CFO understands licensing issues around SAP, Oracle, Microsoft and Adobe, because this software is used throughout the organization, they are often in blissful ignorance of the same threats that specialized engineering and scientific software represent.
- the licensing costs per user are usually very high, so overspending is easy
- some of the products are not managed by the IT department, but rather by the engineers and researchers who use them, such as network planners, transmission engineers and even environmental impact assessors in an energy company. They may even be in the hands of third parties.
- The software vendor provides the licensing software that estimates how much the company owes (a case of the wolf watching the sheep).
- Asset management policies are often not in place or monitored.
- Good license administrators are hard to find.
- Major vendors are discontinuing perpetual licenses, which have always been the cost-efficient way to minimize costs and maximize productivity.
- Digital disruption is bringing new complications to licensing. This includes cloud computing and SaaS, virtualization, BYOD (bring your own device), the IoT and artificial intelligence.
While most of these issues appear to be something that can be relegated to IT, in fact, each of them can affect the bottom line. While they can be managed by IT, understanding these risks and their mitigations is critical at executive and even at board level. After all, most companies are totally reliant on proprietary software to function on a daily basis. A dispute which invalidates all the CAD licenses and removes access in a manufacturing organization would cripple it.
What Should be in Every Risk Register
Each one of the items listed above is a discussion in itself, but here are a few risks we believe should be listed in every company risk register and actively monitored by the CRO.
- Risk – We do not manage and monitor compliance for every one of our software assets.
- Implications – financial and reputational risk
- Mitigation – fix this. If you don’t believe that there are companies who are in this position, Gartner ran a webinar on ITAM risk management and 10% of the audience admitted to not only not managing compliance, they were not even planning for it. And while 40% of the audience had an asset management strategy in place and working, the rest of the audience were still working on it.
There is no quick fix, as all the following risks contribute to the overall vulnerability.
- Risk – There is no IT asset management policy in place
- Implications – financial, cyber and governance risk
- Mitigation – Structure a policy that covers all types of computing, from on-site to cloud and mobile, and implement the processes that support and monitor adherence. Train all employees and create awareness, as well as imposing penalties for infringements.
- Risk – We do not have centralized control of our software licenses.
- Implications – financial, compliance and operational risk
- Mitigation – Try and centralize control as much as possible, although this can be n issue for multinationals. At least ensure that the asset register is complete.
- Risk – We do not know if we are using all our licenses to their maximum potential
- Implications – financial and operational (productivity) risk
- Mitigation – Become active in license management, with centralized control and your own license administration and management which you can use as a yardstick against vendors’ claims.
- Risk – One or more of our vendors is sunsetting perpetual licensing
- Implications – financial – subscription licensing on average is 1.8 times more expensive than perpetual licensing (Gartner), business continuity.
- Mitigation – Decide whether to remain on perpetual licensing, move to subscription licensing or discontinue the relationship and move to another vendor.
- Risk – We do not understand the implications of all the new digital models.
- Implications – could be anything from financial risk to business continuity.
- Mitigation – Get to grips with what impact digital disruption will have on your licensing costs and compliance risk (it does not go away just because you are using a browser)
Building a Proactive Approach.
We mentioned above that 10% of the audience had no ITAM strategy in place. What was even more disturbing is that in the same audience, 24% of participants said they had no SAM tools in place. This does question how effective their ITAM strategies were, even if they were still being implemented. There is no way that software licenses can be managed effectively without a good license management application. The license managers supplied by vendors were written with the vendor’s interests in mind, and focus on compliance. When the same audience were quizzed on their primary reason for asset management, only 27% mentioned compliance; 54% of the audience wanted to optimize their license usage. For that you need a license management application that will help you realise your objectives. This is why we at OpenLM founded our business, to help customers get the most out of their licenses. It started with ArcGIS, but now we can help you with thousands of engineering and scientific and engineering applications from the world’s leading vendors. Not only do we have licensing management software, we offer consulting, support and outsourcing services to help you simplify license management. Take a trial of our software or ask to speak to a consultant, license management is our passion!