Part 1: Hello SAM! – The Interface Between Finance, Legal and IT

By Diederik Van der Sijpe, Deloitte

Why? Risks? Advantages?

How many software licenses does your organization need? Who is responsible for managing all of the installed software? Which costs are linked to your software contracts? For many organizations, Software Asset Management (SAM) is still a relatively unknown field. However, building an effective SAM program can deliver organizations many advantages such as cost savings and the ability to curb various risks linked to the use of software within an organization. In this article, we discuss the importance of SAM and the advantages for your organization.

1. Introduction
The Importance of SAM

If a CFO is asked who within his or her organization is responsible for their fleet, he or she will be able to point out the responsible individual without a doubt. However, if we ask who is responsible for managing the software assets within the same organization, there is a big chance that the question will not be answered or that an ambiguous answer will be provided.

Historically speaking, there has been less attention devoted to the costs and risks of software assets. In comparison, the person responsible for IT will have a fairly good idea of what physical hardware (printers, servers, PCs, etc.) they “own.” Of course, this has a lot to do with the physical aspect of these assets. The use of software, which is intangible and can be easily copied and transferred, cannot be determined by a regular stock count, for example. Monitoring and reporting the use of software requires a more structured approach.

Due to the growing share of software in IT costs (several industry studies show that the estimated costs regarding software can reach up to 20 percent of the total IT budget), it has become vital for organizations to implement strategies and processes which will manage these assets more actively. The purpose, therefore, is to make sure that investments in software are well managed and to maximize the return on the software investments.

Definitions

Software is described as an intangible good protected by copyright and can only be used if all terms and conditions of the software providers are met. As a consequence, all installed software has to be managed in accordance with these terms and conditions. If the latter is not done, negative legal and financial implications can arise for organizations.

In general, Software Asset Management (SAM) can be regarded as a method for providing a single, integrated overview of the installed software with respect to the purchased licenses. Nonetheless, Software Asset Management implies much more than that.

IT Infrastructure Library (ITIL), a generally accepted approach for IT service management, defines Software Asset Management as “all of the infrastructure and processes necessary for the effective management, control and protection of the software assets within an organization, throughout all stages of their lifecycle.”

ISO, which created an international standard for Software Asset Management, describes their standard (and SAM) as follows: “… support for IT-departments to effectively manage processes and procedures and ensure compliance with legal and contractual requirements as well as corporate governance requirements.”

2. Risks and Advantages

IT Managers who are responsible for following the software budgets have to continuously ask themselves which software products are installed, which risks are linked to the use of that software, and whether or not additional software licenses need to be purchased by their organizations.

It is not an easy task to find out which software is used by everyone within the organization and whether the licenses purchased match the number of licenses required for those software products. Sometimes it is even possible that too many licenses were purchased for the installed software, and one can only hope that these excessive licenses will still be used in the future due to growth of the organization or environment.

The dynamic character of IT environments often brings along a fluctuating need for licenses. An unclear decision framework can lead to a continuous “push-pull” behavior of purchasing too many licenses or not owning enough licenses.

As demonstrated in Figure 1 ‘SAM – Risks and Advantages,’ minimizing the purchase and maintenance costs of the installed software while not exposing the organization to any unnecessary security, legal and organizational risks, occupies a central position in SAM.

Cost optimization

If men are from Mars and women are from Venus, then the same notion could apply for many purchasing and IT departments. Often the former orders what the latter thinks it needs at a certain point in time, but in the end, both parties have different goals and at least one party ends up with a less than optimal solution. Due to a lack of common goals and communication, a discrepancy arises between what is actually needed and what is actually ordered.

SAM helps organizations define common goals for various stakeholders. An effective SAM implementation gives the organization a better understanding of what quantity and types of licenses it owns and which software is installed, used and needed. This allows organizations to reduce maintenance costs for software, as well as eliminate the costs of software which is no longer used. This results in a cost optimization when it comes to purchasing licenses, improved relations between departments, and a clear advantage in future negotiations with software providers.

Managing Software Assets

IT environments often undergo radical changes over time as a result of the dynamic character of a business. Moreover, the software industry is known for its mergers and acquisitions. This dynamism makes it increasingly difficult to gather all of the information required for the effective management of the installed software and licenses.

Difficulties in gathering information regarding where a software is installed within an organization, and which licenses it needs, frequently results in a situation of over and under licensing. Often, the easiest solution for organizations in this situation is to acquire extra licenses in order to match the absolute maximum number of installations. However, uninstalling unused software, harvesting licenses and relocating unused licenses would offer a more cost effective solution.

Each software provider has their own kind of licensing contracts, as well as product specific terms and conditions. Monitoring various software contracts, changing licensing models, and the impact this has on licensing of used software can be a major challenge without the availability of SAM.

Additionally, a good SAM baseline is vital when considering mergers and acquisitions of organizations. An imprecise inventory of installed software and purchased licenses can result in over and under valuations of one’s assets. A precise inventory will result in a faster and simpler physical integration of the different IT infrastructures after a merger.

Corporate Governance

An effectively built SAM program can help an organization identify the business and compliance risks derived from managing software and assist with establishing business processes based on a number of well-defined best practices. These best practices help ensure a consistent management of these assets.

Furthermore, SAM can also help an organization comply with specific responsibilities put in place by government regulations such as Sarbanes-Oxley (SOX).

Legal Risks

A SAM program allows an organization to limit both legal and financial risks concerning the use or installation of software. Tracking the installed software limits potential damage to an organization’s reputation resulting from legal conflicts when software usage is contrary to contractual agreements and license terms and conditions.

Improved Security

Organizations expose their systems to external security threats because of insufficient control over, and awareness of, the installed software. When organizations are not capable of efficiently identifying and limiting the permitted software installations, viruses simply pass the protection mechanisms of the system, consequently giving outsiders access to sensitive data of the organization.

Similarly, inadequate patch management can lead to augmented security risks. In extreme conditions, this can even lead to a full shutdown of systems that are critical to the activities of the organization.

SAM allows an organization to limit the security risks from the use of unauthorized software and the lack of knowledge regarding available security updates. SAM makes IT aware that the software is installed in the environment. As a result of limiting the security risks, IT operations are able to reduce operating costs.

Risk of a Software License Compliance Audit

Many big software providers have started software compliance programs over the past few years in order to verify whether organizations use their software in accordance with the contractual agreements and license terms and conditions. A Gartner study, “Data Center Polling Indicates IT Asset Management as an Enabler,” showed that the number of organizations where a software audit had been performed in the past 12 months has risen by almost 60%.

When an organization does not have an effective SAM program, it runs a big risk of incurring unexpected license costs and financial penalties as a consequence of such audits. Besides avoiding possible financial consequences, SAM also considerably lowers the time and resource costs that an organization has to invest during such a software license compliance audit.

3. Agreed, SAM, but how?

Software Asset Management offers organizations plenty of advantages. Knowledge of installed software allows an organization to optimize their IT budgets while the number of operational risks is being reduced. In addition, an organization is well placed and “audit ready” when a software provider decides to hold a software license compliance audit.

Organizations that build up an integrated SAM program often note the importance of direct cost savings and efficiency gains, not only within the IT department, but throughout the entire organization.

Now that the possible risks and advantages for your organization are known, you are wondering how SAM can be implemented within your organization. This topic will be discussed in detail in next month’s ITAK in the second part of “Hello SAM!”

About the Author

Diederik Van der Sijpe