Software Asset Management: Risk and Reward March 2015
Agenda
- What Are the Risks
  - Direct Risks
  - Indirect Risks
  - Future Risks
- How to Assess the Risks
  - Maturity Frameworks
  - Compliance Assessments
- Mitigating the Risks
  - The ITIL 4 Ps
  - SAM Strategies
- Summary
The Risks: Direct Risks
[Risk matrix: Impact vs Probability, plotting the three direct risks]
1. Non-Compliance: Financial
2. Non-Compliance: Reputational
3. Over-licensing
The Risks: Direct Risks - Non-Compliance - Financial Exposure
- 85%: percentage of organisations that are using more software than they have paid for
- 63% of organisations have been audited within the last 18-24 months
- 37% of organisations have been audited twice within the last 18-24 months
- 34%: percentage of large enterprises ($ B+) audited three times or more in the last 18-24 months
- $1.6m: the average true-up payment for a $4B revenue company
- $263k: the average true-up payment for a smaller $50M revenue company
- 64%: percentage of organisations that are not using automated, commercial software to manage their software licenses
Sources: Key Trends in Software Pricing and Licensing Survey; Software Licensing Audits: Costs and Risks to Enterprises, IDC, 2014
The Risks: Direct Risks - Non-Compliance - Reputational Risk
"Tibco has filed a lawsuit with the California North District Court alleging the Merrill Lynch division of Bank of America illegally used $300m of its software for a major IT project. The case highlights a catastrophic breakdown in supplier relationships, which could lead to Bank of America being exposed to a potential risk of no longer being able to run software that uses Tibco."
http://www.computerweekly.com/news/2240225480/bank-of-america-when-software-relationships-turn-sour
"Billingshurst engineering firm Project Options has been forced to cough up £33,000 after the BSA found it using unlicensed Autodesk software."
http://www.channelweb.co.uk/crn-uk/news/2349161/sussex-engineers-settle-bsa-licensing-stoush
"The Business Software Alliance (BSA) has stung a safety specialist firm for almost £100,000 following a tipoff over its alleged use of unlicensed software. First Choice Facilities was forced to pay the anti-piracy body £18,000 as part of a settlement, and stump up a further £81,000 in licence costs to address the shortfall, after being found with unlicensed Adobe, Autodesk, Microsoft and Symantec products."
http://www.channelweb.co.uk/crn-uk/news/2220503/tip-off-costs-bsa-victim-gbp99-000
The Risks: Direct Risks - Over-Spending
- Over-specified license types
- Inaccurate license quantities
- Maintenance of unused software
- Failure to negotiate bespoke terms
The Risks: Indirect Risks
[Risk matrix: Impact vs Probability]
The Risks: Indirect Risks - Security
- Incomplete coverage (of the inventory)
- Version control: vulnerabilities in unpatched or out-of-date installs
- Unauthorised software
- Unauthorised use
The Risks: Indirect Risks - Business Continuity / Service Delivery
[Diagram: how asset data feeds the surrounding systems]
- IT Asset Management: License Management System, Inventory, Asset Registry
- IT Service Management: CMS/CMDB, Services & CI Relationships
- Finance / procurement systems
- Asset Data (shared by all of the above)
The Risks: Future Risks
[Risk matrix: Impact vs Probability, plotting the two future risks]
1. Tax
2. Outsourcer performance
The Risks: Future Risks
- Tax
  - Transfer pricing
  - Indirect tax
- Outsourcer Performance
  - Based on vendor review experience
  - Cannot outsource responsibility for compliance
Assessing the Risks: Maturity Frameworks
Assessing The Risks: Maturity Frameworks - ISO/IEC 19770
ISO/IEC 19770 is an international standard about software asset management (SAM). It has three parts:
- ISO/IEC 19770-1: Processes
- ISO/IEC 19770-2: Software identification tag
- ISO/IEC 19770-3: Software entitlement tag
First published in 2006; revised in 2012 to enable incremental stages (tiers).
Assessing The Risks: Maturity Frameworks - ISO/IEC 19770-1 Process Areas
Organisational Management Processes for SAM
- 4.2 Control Environment for SAM: Corporate Governance Process for SAM; Roles and Responsibilities for SAM; Policies, Processes and Procedures for SAM; Competence in SAM
- 4.3 Planning and Implementation Processes for SAM: Planning for SAM; Implementation of SAM; Monitoring and Review of SAM; Continual Improvement of SAM
Core SAM Processes
- 4.4 Inventory Processes for SAM: Software Asset Identification; Software Asset Inventory Management; Software Asset Control
- 4.5 Verification and Compliance Processes for SAM: Software Asset Record Verification; Software Licensing Compliance; Software Asset Security Compliance; Compliance Verification for SAM
- 4.6 Operations Management Processes and Interfaces for SAM: Relationship and Contract Management for SAM; Financial Management for SAM; Service Level Management for SAM; Security Management for SAM
Primary Process Interfaces for SAM
- 4.7 Life Cycle Process Interfaces for SAM: Change Management Process; Software Development Process; Software Deployment Process; Problem Management Process; Acquisition Process; Software Release Management Process; Incident Management Process; Retirement Process
Assessing The Risks: Maturity Frameworks - ISO/IEC 19770:2012 Tiers
- Tier 4 - Full ISO/IEC SAM Conformance: achieving best-in-class strategic SAM
- Tier 3 - Operational Integration: improving efficiency and effectiveness
- Tier 2 - Practical Management: improving management controls and driving immediate benefits
- Tier 1 - Trustworthy Data: knowing what you have so you can manage it
Assessing The Risks: Maturity Frameworks - Microsoft SAM Optimisation Model (SOM)
The SOM maps each ISO 19770-1 key competency to competencies and an assessment question:

ISO 19770-1 Key Competency: Organisational Management
- SAM Throughout Organisation: How has software asset management (with documented procedures, roles, responsibilities and executive sponsorship) been implemented in each infrastructure group?
- SAM Self Improvement Plan: Does your organisation have an approved SAM self improvement plan?

ISO 19770-1 Key Competency: SAM Inventory Processes
- Hardware and Software Inventory: What percentage of user PCs and servers are included in a centralised software inventory / CMDB (configuration management database) which is populated by a software tracking tool?
- Accuracy of Inventory: How often do you reconcile software inventories with other sources to verify accuracy of assumed license metrics (for example user counts based on HR employee records)?
- License Entitlement Records: What percentage of procured software licenses are recorded in a license entitlement inventory (a central repository / tracking of all licenses owned and/or previously acquired)?

ISO 19770-1 Key Competency: SAM Verification Processes
- Periodic Self Evaluation: How often do you reconcile software deployments (usage) to software entitlements (purchases)? Software entitlements are software licenses owned or previously acquired.

ISO 19770-1 Key Competency: Operations Management and Interfaces
- Operations Management Records Interfaces: How do the various Operations Management functions (contracts, financial fixed assets, service support, security, networking) use software and hardware inventories in their daily roles?

ISO 19770-1 Key Competency: Lifecycle Process Interfaces
- Acquisition Process: What percentage of total software purchases in your organisation are made through, or are controlled and tracked by, centralised procurement?
- Deployment Process: What percentage of total software deployed across the organisation's PCs and servers (considering all operating systems) is installed through centralised sources or through a controlled distribution system?
- Retirement Process: What percentage of retired hardware assets are tracked in a way that enables the software on them to be reused?
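The "Periodic Self Evaluation" question above (reconcile deployments to entitlements) and the security slide earlier (incomplete coverage, out-of-date versions, unauthorised software) both come down to the same mechanical check. The following is an added example, not code from the original KPMG deck, showing that reconciliation on constructed data: a discovery-tool inventory of installs, an entitlement register, an approved-software catalogue and a per-product minimum version are all hypothetical sample values. It reports licence shortfalls (the true-up exposure), surpluses (over-licensing), installs of non-catalogue products, and installs below the minimum version.

```python
"""Effective licence position (ELP) reconciliation on constructed sample data.

Added example, not part of the original deck. Assumptions: each entitlement
is counted per installation (the licence metric is hypothetical), and the
version labels compare correctly as strings (true for the sample values).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Entitlement:
    product: str
    quantity: int  # licences owned under an installation metric (assumed)


# Constructed inventory: what a discovery tool reported as installed.
INVENTORY = [
    Install("ws-001", "CADTool", "2014"),
    Install("ws-002", "CADTool", "2014"),
    Install("ws-003", "CADTool", "2012"),        # below the minimum version
    Install("ws-001", "OfficeSuite", "2013"),
    Install("ws-002", "OfficeSuite", "2013"),
    Install("srv-01", "DBServer", "11.2"),
    Install("ws-003", "TorrentClient", "3.1"),   # not in the approved catalogue
]

# Constructed entitlement register: what procurement has bought.
ENTITLEMENTS = [
    Entitlement("CADTool", 2),
    Entitlement("OfficeSuite", 5),
    Entitlement("DBServer", 1),
]

# Constructed approved catalogue and minimum supported version per product.
APPROVED = {"CADTool", "OfficeSuite", "DBServer"}
MIN_VERSION = {"CADTool": "2014", "OfficeSuite": "2013", "DBServer": "11.2"}


def license_position(inventory, entitlements):
    """Return {product: (installed, owned, delta)}; a negative delta is a shortfall."""
    installed = Counter(i.product for i in inventory)
    owned = Counter()
    for e in entitlements:
        owned[e.product] += e.quantity
    products = set(installed) | set(owned)
    return {p: (installed[p], owned[p], owned[p] - installed[p]) for p in sorted(products)}


def shortfalls(position):
    """Products with more installs than licences: compliance (true-up) exposure."""
    return {p: -d for p, (_, _, d) in position.items() if d < 0}


def surpluses(position):
    """Products with more licences than installs: over-licensing / unused maintenance."""
    return {p: d for p, (_, _, d) in position.items() if d > 0}


def unauthorised(inventory, approved):
    """(host, product) pairs for installs of products outside the approved catalogue."""
    return sorted({(i.host, i.product) for i in inventory if i.product not in approved})


def outdated(inventory, minimum):
    """(host, product, version) for installs below the product's minimum version."""
    return sorted((i.host, i.product, i.version) for i in inventory
                  if i.product in minimum and i.version < minimum[i.product])


if __name__ == "__main__":
    pos = license_position(INVENTORY, ENTITLEMENTS)
    for product, (inst, own, delta) in pos.items():
        print(f"{product:14} installed={inst} owned={own} delta={delta:+d}")
    print("shortfalls:", shortfalls(pos))
    print("surpluses:", surpluses(pos))
    print("unauthorised:", unauthorised(INVENTORY, APPROVED))
    print("outdated:", outdated(INVENTORY, MIN_VERSION))
```

Note that a non-catalogue product with no entitlement shows up in both the shortfall and the unauthorised lists, which is the correct reading: it is both a licensing exposure and a policy breach. In practice the inventory feed is only as good as its coverage (the "Hardware and Software Inventory" percentage above), so an ELP computed from a partial inventory understates the shortfall.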
Assessing The Risks: Maturity Frameworks - Microsoft SAM Optimisation Model (SOM) Maturity Levels
- BASIC - Basic SAM (Ad Hoc): little control over what IT assets are being used and where. Lacks policies, procedures, resources and tools.
- STANDARDISED - Standardised SAM: SAM processes exist, as well as a tool / data repository. Information may not be complete and accurate and is typically not used for decision making.
- RATIONALISED - Rationalised SAM (Active Management): vision, policies, procedures and tools are used to manage the IT software asset lifecycle. Reliable information is used to manage the assets to business targets.
- DYNAMIC - Dynamic SAM (Optimised): near real-time alignment with changing business needs. SAM is a strategic asset to overall business objectives.
Assessing The Risks: Maturity Frameworks - Other
- FSSC-1: FAST Standard for Software Compliance
- ITIL: Information Technology Infrastructure Library
Assessing The Risks: Maturity Frameworks - Improvement Cycle (Plan / Do / Check / Act)
- Plan: assess current maturity; agree desired state; plan improvement; look for quick wins
- Do: implement
- Check: conformance verification
- Act: repeat the cycle
Assessing the Risks: Compliance Assessments
Assessing The Risks: Compliance Assessments
- Prioritise (80/20)
- Business Software Alliance (BSA)
- Vendor audit teams: Adobe, Autodesk, DELL (Quest), EMC, HP, IBM, Micro Focus (Attachmate & Novell), Microsoft, Oracle, Pitney Bowes, SAP, Symantec, VMware
- BSA membership: ACCA Software, Adobe, Altrium, ANSYS, Inc., Apple, Autodata Limited, Autodesk, Bentley Systems, CA Technologies, CG Tech Ltd, CNC Software Mastercam, Corel, DELL, IBM, Intel, Intuit, Microsoft, Minitab, NetCad Ulusal CAD, Oracle, Parallels, PTC, Salesforce.com, Siemens PLM Software, Inc., Symantec, Tekla, The Mathworks
Mitigating the Risks: The ITIL 4 Ps
Mitigating Risks: The ITIL 4 Ps
- People: IT, Procurement, Finance, Legal; senior sponsorship
- Process: ISO 19770; conformance verification
- Product: inventory, license management, information libraries
- Partners: SAM experience, licensing knowledge, vendor knowledge
Mitigating the Risks: SAM Strategies
Mitigating Risks: SAM Strategies
- In-house
- Outsourced service (service provider)
- Reactionary
Summary
Summary: Software Asset Management
- Consider adding to Internal Audit
- Probability is relatively high: 63% (of organisations audited in the last 18-24 months)
- Impact is potentially significant
[Risk matrix: Impact vs Probability]
- Establish risks
- Assess maturity
- Assess a sample of compliance
- Investigate strategy
- Process, not project
- Progress, not perfection
KPMG Strengths
- Tools and vendor technology knowledge: We have firsthand experience of dozens of software tools which can automate elements of the software asset management process. Our team includes staff who have previously implemented and worked with tools on a day-to-day basis.
- The KPMG network: Approximately 450 licensing practitioners across the globe working on various vendor technologies. We are able to draw on our firm's deep industry experience to provide Audit, Tax & Advisory services. This enables us to build cross-functional teams to address the specific needs of all our clients.
- Independence and confidentiality: We are independent of both software publishers and resellers and do not re-sell software licences or software asset management tools. In circumstances where it is beneficial for our clients we do, however, work in partnership with publishers, resellers and tools vendors.
Thank you
Contact: Presentation by Arpit Agarwal, Manager, Software & IT Asset Management
Mobile: +44 (0) 7824377737
Mailto: arpit.agarwal@kpmg.co.uk
KPMG SAM Dinner: If Software Asset Management / software licensing is of particular interest to yourself or a colleague, please note we hold SAM client events on a regular basis; please contact me at arpit.agarwal@kpmg.co.uk for more information.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.