Is your License Management Flying below your Risk Manager’s Radar?

Most organizations have a well-developed risk management practice. The most mature organizations practise enterprise risk management, which is process-based and cross-functional. Other companies are still on their way there, but do at least manage operational risk and project risk. Within these companies, most IT business units practice IT asset management (ITAM) and software asset management (SAM). What is disturbing is that SAM risks are generally missing from the organizational risk register, and are only visible at IT level, or come under annual scrutiny at license renewal time. What can happen under these circumstances is that an audit by the software vendor can identify non-compliance and make a huge hole in the company’s annual revenue. We are not talking small or medium businesses here, although they are also at risk.

SAP on the Warpath

When SAP saw its revenues flagging, it decided to tighten up on compliance. It took the position that APIs allowing other software, such as Salesforce, to access the SAP database counted as "users", and that customers using them were breaching their agreements. It confronted some of its largest customers, like Diageo and AB (Anheuser-Busch) InBev, and won. The claim against AB InBev was for $600 million; even the world's biggest brewer cannot afford to cough up such a totally unexpected and unbudgeted expense. There was an out-of-court settlement, presumably for a lower sum, but one still material enough to feature in the next annual report.

SAP's aggressive policy is open to dispute, and Diageo recently won an appeal against the judgement passed in 2017, but it raises some serious questions. If these massive organizations cannot manage their compliance effectively, what hope is there for the rest of us? The next question is whether the risk of non-compliance is listed as an organizational risk, rather than merely being the CIO's nightmare.

It is not Just about Compliance

While every CFO understands licensing issues around SAP, Oracle, Microsoft and Adobe, because this software is used throughout the organization, they are often in blissful ignorance of the same threats posed by specialized engineering and scientific software:

  • The licensing costs per user are usually very high, so overspending is easy.
  • Some of the products are not managed by the IT department, but rather by the engineers and researchers who use them, such as network planners, transmission engineers and even environmental impact assessors in an energy company. They may even be in the hands of third parties.
  • The software vendor provides the licensing software that estimates how much the company owes (a case of the wolf watching the sheep).
  • Asset management policies are often not in place or not monitored.
  • Good license administrators are hard to find.
  • Major vendors are discontinuing perpetual licenses, which have always been the most cost-efficient way to control spend and maximize productivity.
  • Digital disruption is bringing new complications to licensing. This includes cloud computing and SaaS, virtualization, BYOD (bring your own device), the IoT and artificial intelligence.

While most of these issues appear to be something that can be relegated to IT, in fact, each of them can affect the bottom line. While they can be managed by IT, understanding these risks and their mitigations is critical at executive and even at board level. After all, most companies are totally reliant on proprietary software to function on a daily basis. A dispute which invalidates all the CAD licenses and removes access in a manufacturing organization would cripple it.

What Should be in Every Risk Register

Each one of the items listed above is a discussion in itself, but here are a few risks we believe should be listed in every company risk register and actively monitored by the CRO.

  • Risk – We do not manage and monitor compliance for every one of our software assets.
  • Implications – financial and reputational risk
  • Mitigation – fix this. If you don't believe that there are companies in this position, Gartner ran a webinar on ITAM risk management in which 10% of the audience admitted not only to not managing compliance, but to not even planning for it. And while 40% of the audience had an asset management strategy in place and working, the rest were still working on it.

There is no quick fix, as all the following risks contribute to the overall vulnerability.

  • Risk – There is no IT asset management policy in place
  • Implications – financial, cyber and governance risk
  • Mitigation – Structure a policy that covers all types of computing, from on-site to cloud and mobile, and implement the processes that support and monitor adherence. Train all employees and create awareness, as well as imposing penalties for infringements.


  • Risk – We do not have centralized control of our software licenses.
  • Implications – financial, compliance and operational risk
  • Mitigation – Try to centralize control as much as possible, although this can be an issue for multinationals. At least ensure that the asset register is complete.


  • Risk – We do not know if we are using all our licenses to their maximum potential
  • Implications – financial and operational (productivity) risk
  • Mitigation – Become active in license management, with centralized control and your own license administration and management which you can use as a yardstick against vendors’ claims.


  • Risk – One or more of our vendors is sunsetting perpetual licensing
  • Implications – financial (subscription licensing is on average 1.8 times more expensive than perpetual licensing, according to Gartner) and business continuity risk
  • Mitigation – Decide whether to remain on perpetual licensing, move to subscription licensing or discontinue the relationship and move to another vendor.


  • Risk – We do not understand the implications of all the new digital models.
  • Implications – could be anything from financial risk to business continuity.
  • Mitigation – Get to grips with what impact digital disruption will have on your licensing costs and compliance risk (it does not go away just because you are using a browser).

Building a Proactive Approach

We mentioned above that 10% of the audience had no ITAM strategy in place. What was even more disturbing is that in the same audience, 24% of participants said they had no SAM tools in place. This calls into question how effective their ITAM strategies could be, even while still being implemented: there is no way that software licenses can be managed effectively without a good license management application. The license managers supplied by vendors were written with the vendor's interests in mind, and focus on compliance. When the same audience were quizzed on their primary reason for asset management, only 27% mentioned compliance; 54% of the audience wanted to optimize their license usage. For that you need a license management application that will help you realise your objectives. This is why we at OpenLM founded our business: to help customers get the most out of their licenses. It started with ArcGIS, but now we can help you with thousands of engineering and scientific applications from the world's leading vendors. Not only do we have license management software, we offer consulting, support and outsourcing services to help you simplify license management. Take a trial of our software or ask to speak to a consultant; license management is our passion!

OpenLM and the trend of increase in license auditing

As economic conditions continue to falter, the rate of software compliance auditing rises. This is driven by rising pressure within companies to use unlicensed software on one side, and equivalent pressure on software vendors to protect their revenue on the other. According to BSA (Business Software Alliance) officials, the current economic climate "could have an impact on companies cutting corners and using unlicensed software to save perceived-costs". This in turn leads the BSA to step up license compliance enforcement and litigation against violators.

As a tool dedicated to monitoring licensed applications, OpenLM is well placed to keep BSA officials content and the CEOs of software-using companies relaxed.

Ensuring license agreement compliance

Software vendors use several methods in order to ensure license compliance.

  • Inside information: Violation reports are routinely submitted to the BSA by insiders, individuals with inside knowledge who report misuse of licenses for various reasons. The BSA's response to such a referral would normally be a letter to the suspected violator, indicating that an investigation is taking place and offering to forgo litigation if a compliance audit is conducted. If the compliance audit goes ahead, the company must provide a list of all the software in question, as well as the purchase dates of the software licenses.

  • Piracy intelligence: Usage data may be collected by the software itself and gathered by the vendor in order to pinpoint license violations.

  • End-User License Agreements: Large vendors may reserve the right, under their End User License Agreements, to conduct audits of their software for license compliance purposes.

Pressure builds up

When the time comes for an unexpected external audit, or when the expiration of a license is closing in, companies tend to rush IT personnel to take manual inventory of existing software. This process is inefficient for several reasons:

  • It is an error-prone process, especially in large companies that run hundreds of licensed applications. Moreover, employees don't necessarily act in compliance with license agreements.

  • It is also inefficient. It consumes system administrators’ time and concentration, and may raise tension within the organization.

Continuous monitoring is needed

In order to ensure full compliance and peace of mind, organization executives should enforce formal, ongoing software license management policies. This is where OpenLM comes into the picture:

  • Having an organized license usage report reduces the risk of an external audit, and serves as an insurance policy against the consequences of liability actions by the BSA.

  • Organized reports may also improve a company’s position, and have benefits when negotiating with a vendor for license renewal.

  • In the course of organizing the software inventory, license activity becomes visible and software costs are reduced.

  • IT personnel are relieved of the mundane but error-prone procedure of manual inventory taking, and their productivity is increased.

Further reading

Software License Audits: What Does It Mean to Be Non-Compliant?