A SAM Journey for compliance

By Julien Kuijper

A SAM (Software Asset Management) journey starts with understanding your corporate environment and is followed by implementing best practices aligned with the analyses of your business…it’s actually as simple as that! It means understanding SAM compliance rules, designing processes and procedures, implementing a tool or a right set of tools and finally, running this environment. If I wanted to detail those steps and reflect my experiences, this is what it would look like…

Journey Step One:

Take the right amount of time to understand your business. A SAM project, like any other IT project, is very much business driven. Software usage depends directly on your business. The key is to spend the right amount of time to understand your business needs with regards to software. Corporate environments don’t have this built into their DNA; they think that software can be purchased as easily as boxes of pencils. The concept of Software Asset Management is not widely known; most people still think of this as “software licensing” that is 100% driven by a purchasing department. A lot of teaching and learning needs to happen. The following list has hints and questions to help complete this first step:

  • What is vital for your business? In a development company, access to “any” software is a strong need…but maybe not in a bank!
  • Is your company doing a lot of M&A (mergers and acquisitions)?
  • Do your end users have “administrator rights” on their machines?
  • What is the size of your company?
  • Have you done risk analysis for software noncompliance? What is your management tolerance for risk? Have you already passed audits and how did it go?
  • How efficient are your software contracts; have you undertaken any benchmarks?
  • Do you have representation in a number of different locations? Do some locations have local governmental audits (such as for tax reasons)? Are locations centrally managed or locally managed?
  • Do you know your top 10 software vendors and your top 50 titles?
  • Do you know your software procurement methods? Are they global? Do you know your license contracts and license models?
  • Determine the current maturity level of Asset Management (you can refer to ITIL for that)
  • Are all employees aware of the corporate software licensing rules? And, in actuality, are there existing software licensing rules in your company today?
Journey Step Two:

Set up a SAM project with well-defined expectations. When the first step is completed and you have a global understanding of what you want to achieve, it is likely that your research has triggered some questions and/or concerns for your management. Your CIO will most likely understand that compliance risks are worth taking care of! This is the right moment to build your project plan and team. How shall you proceed?

  • Get management understanding and buy-in at the highest level. The CIO is the minimum level, board level is better. SAM needs money and power
  • Set the right level of expectations. A stepped approach with small wins and measures will strengthen your success
  • Don’t mix savings and cost avoidance in your business case. Spending less than budgeted is “savings,” dividing an audit penalty by two is “cost avoidance”
  • Understand management’s definition of success and set up a steering committee so that accountability is equally shared
  • Be careful about regional laws. Some countries have unions and workers councils. Scanning the PC and IT environment touches the topic of data privacy. It’s legal to do so, but it needs to be negotiated and accepted by those social partners
  • The help and full support of your procurement organization is imperative. They must be part of your project team
  • Get help from consulting experts in SAM. There is no shame in seeking expertise in that domain. Partner with your vendors
  • Position the project in the right area, for example; position in the ITSM group if you have IT running ITIL, or if not, then a “classic” IT operations group has the responsibility
Journey Step Three:

Define your processes and ONLY THEN choose and implement a tool. Remember what Abraham Lincoln said: “If I had eight hours to cut down a tree, I’d spend six hours sharpening the axe.” So, don’t start by choosing tools. With your project team defined in the previous step, spend all the time necessary to define your processes. With this trick, you will discover that a lot of SAM processes touch various core finance and HR processes. Involve these colleagues as early as possible as they might have other business priorities.

The choice of the tool is secondary. With what we have on the market today, pretty much all solutions “can do the job;” but select the vendor with whom you have full trust and with whom you’ll be able to partner to build your SAM. Your vendor will be eager to partner with you if you can help him/her to improve the product they sell.

To help you with your process definitions, here are a few hints:

  • Spend sufficient time on process definitions and modify your business priorities wisely. You’ll minimize rework by defining your process first
  • Adopt a stepped approach in your tool implementation and keep in mind that “100% out of the box” cannot be expected…far from it!
  • Document, translate and teach your processes
  • Check compatibility of tools and integrations
  • Build Quality Assurance into your processes to minimize the garbage in – garbage out problem

This last point is absolutely critical. So many IT and LOB processes interact with the SAM database through unverified automated bridges that the risk of getting wrong data introduced into the SAM system is extremely high. This is actually a significant topic that should be covered by a full article on its own.

Journey Step Four:

Have an appropriate team to operate the tools and the processes. Of course, when your SAM environment is implemented, the journey is not over. This fact is particularly true in a SAM project because a SAM project is similar to a monitoring or a network operations center (NOC) project for the operation phase. Dedicating employees to keeping processes up to date and subsequently running continuous improvement are essential elements of ITAM. As an example, creating and populating the contract/licensing models information in your tools for all relevant software of your company is an ongoing activity with software editions and versions changing every six months. This information needs to be maintained. Other items to remember include:

  • Watch for industry changes. SaaS, virtualization, storage and BYOD have all changed the game for SAM
  • Follow the asset management tool evolution
  • Balance manual effort vs. automation
  • Invest in your staff; regular training is required
  • Keep your SW contract/amendments/evidences of purchase in a safe place and don’t hesitate to make copies.
  • Communicate to management and employees, teach compliance and hold every employee accountable for ensuring software compliance

When your SAM implementation is up and running and you are able to produce automated reports on compliance per software title, you will have taken a splendid step. If you face an audit and you can produce, in a couple of clicks, compliance reports without reworking your data in an Excel spreadsheet, then auditors might very well stop at this point, confident that your SAM is comfortably under control.

Self-Service Delivers

In my organization, we also put a lot of effort into ensuring that the end user takes full responsibility with regards to compliance. Employees have access to SAM data and can take action autonomously. In addition to building software compliance, this step uncovers savings by encouraging users to return software licenses that they no longer need. It also increases user satisfaction such as when a user loses software after a computer re-imaging. The SAM self-service tools and processes “know” exactly what software the user was entitled to and allows, amongst other choices, the option to re-install the software immediately.

So, a SAM journey is not impossible. Keep it simple, dive deeply into your corporate business to understand how it impacts the usage of software and remember that to target compliance, teaching, passing responsibility and offering service proactively is much more powerful than punishing retro-actively.

About the Author

Director of Asset and License Management at SAP since 2010