
Software Asset Management: Risk and Reward

March 2015


© 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Agenda

What Are the Risks

■ Direct Risks

■ Indirect Risks

■ Future Risks

How to Assess the Risks

■ Maturity Frameworks

■ Compliance Assessments

Mitigating the Risks

■ The ITIL 4 Ps

■ SAM Strategies

Summary

The Risks: Direct Risks

[Figure: chart with axes Probability and Impact, plotting the numbered risks below]

1. Non-Compliance: Financial
2. Non-Compliance: Reputational
3. Over-licensing


The Risks: Direct Risks

Non-Compliance - Financial exposure

85% Percentage of organisations that are using more software than they have paid for

63% of organisations have been audited within the last 18-24 months

37% of organisations have been audited twice within the last 18-24 months

34% Percentage of large enterprises ($£B+) audited three times or more in the last 18-24 months

$1.6m The average true-up payment for a $4B revenue company

$263k The average true-up payment for a smaller $50M revenue company

64% Percentage of organisations that are not using automated, commercial software to manage their software licenses

‘Key Trends in Software Pricing and Licensing Survey – Software Licensing Audits: Costs and Risks to Enterprises’, IDC, 2014


The Risks: Direct Risks

http://www.computerweekly.com/news/2240225480/Bank-of-America-When-software-relationships-turn-sour

“Tibco has filed a lawsuit with the California North District Court alleging the Merrill Lynch division of Bank of America illegally used $300m of its software for a major IT project. The case highlights a catastrophic breakdown in supplier relationships, which could lead to Bank of America being exposed to a potential risk of no longer being able to run software that uses Tibco.”

http://www.channelweb.co.uk/crn-uk/news/2349161/sussex-engineers-settle-bsa-licensing-stoush

“Billingshurst engineering firm Project Options has been forced to cough up £33,000 after the BSA found it using unlicensed Autodesk software.”

Non-Compliance - Reputational Risk

http://www.channelweb.co.uk/crn-uk/news/2220503/tip-off-costs-bsa-victim-gbp99-000

“The Business Software Alliance (BSA) has stung a safety specialist firm for almost £100,000 following a tip-off over its alleged use of unlicensed software. First Choice Facilities was forced to pay the anti-piracy body £18,000 as part of a settlement, and stump up a further £81,000 in licence costs to address the shortfall, after being found with unlicensed Adobe, Autodesk, Microsoft and Symantec products.”


The Risks: Direct Risks

Over-Spending

• Over-specified license types

• Inaccurate license quantities

• Maintenance of unused software

• Failure to negotiate bespoke terms

The Risks: Indirect Risks

[Figure: chart with axes Probability and Impact]


The Risks: Indirect Risks

Security

• Incomplete Coverage

• Version Control: Vulnerabilities

• Unauthorised Software

• Unauthorised Use


Business Continuity/ Service Delivery

The Risks: Indirect Risks

[Figure: diagram spanning IT Asset Management and IT Service Management, with the labels: Asset Registry, CMS/CMDB, Asset Data Inventory, Services & CI Relationships, License Management System, Finance/procurement systems]

The Risks: Future Risks

[Figure: chart with axes Probability and Impact, plotting the numbered risks below]

1. Tax
2. Outsourcer performance


Tax

• Transfer pricing

• Indirect tax

The Risks: Future Risks

Outsourcer Performance

• Based on vendor review experience

• Cannot outsource responsibility for compliance

Assessing the Risks: Maturity Frameworks


Assessing The Risks: Maturity Frameworks

ISO/IEC 19770

• ISO/IEC 19770 is an international standard about software asset management (SAM)

• 3 Parts:

• ISO/IEC 19770-1: Processes

• ISO/IEC 19770-2: Software identification tag

• ISO/IEC 19770-3: Software entitlement tag

• First published in 2006, revised in 2012 to enable incremental stages


Assessing The Risks: Maturity Frameworks

ISO/IEC 19770

Organisational Management Processes for SAM

4.2 Control Environment for SAM

• Corporate Governance Process for SAM

• Roles and Responsibilities for SAM

• Policies, Processes and Procedures for SAM

• Competence in SAM

4.3 Planning and Implementation Processes for SAM

• Planning for SAM

• Implementation of SAM

• Monitoring and Review of SAM

• Continual Improvement of SAM

Core SAM Processes

4.4 Inventory Processes for SAM

• Software Asset Identification

• Software Asset Inventory Management

• Software Asset Control

4.5 Verification and Compliance Processes for SAM

• Software Asset Record Verification

• Software Licensing Compliance

• Software Asset Security Compliance

• Compliance Verification for SAM

4.6 Operations Management Processes and Interfaces for SAM

• Relationship and Contract Management for SAM

• Financial Management for SAM

• Service Level Management for SAM

• Security Management for SAM

Primary Process Interfaces for SAM

4.7 Life Cycle Process Interfaces for SAM

• Change Management Process

• Software Development Process

• Software Deployment Process

• Problem Management Process

• Acquisition Process

• Software Release Management Process

• Incident Management Process

• Retirement Process


Assessing The Risks: Maturity Frameworks

ISO/IEC 19770:2012

• Tier 1: Trustworthy Data. Knowing what you have so you can manage it

• Tier 2: Practical Management. Improving management controls & driving immediate benefits

• Tier 3: Operational Integration. Improving efficiency and effectiveness

• Tier 4: Full ISO/IEC SAM Conformance. Achieving best-in-class strategic SAM


Assessing The Risks: Maturity Frameworks

Microsoft SAM Optimisation Model (SOM)

The questions below are grouped by ISO 19770-1 category; each entry gives the key competency followed by its competency question.

Organisational Management

• SAM Throughout Organisation: How has software asset management (with documented procedures, roles, responsibilities and executive sponsorship) been implemented in each infrastructure group?

• SAM Self Improvement Plan: Does your organisation have an approved SAM self improvement plan?

SAM Inventory Processes

• Hardware and Software Inventory: What percentage of user PCs and servers are included in a centralised software inventory/CMDB (configuration management database) which is populated by a software tracking tool?

• Accuracy of Inventory: How often do you reconcile software inventories with other sources to verify accuracy of assumed license metrics (for example user counts based on HR employee records)?

SAM Verification Processes

• License Entitlement Records: What percentage of procured software licenses are recorded in a license entitlement inventory (a central repository/tracking of all licenses owned and/or previously acquired)?

• Periodic Self Evaluation: How often do you reconcile software deployments (usage) to software entitlements (purchases)? Software entitlements are software licenses owned or previously acquired.

Operations Management and Interfaces

• Operations Management Records Interfaces: How do the various Operations Management functions (contracts, financial fixed assets, service support, security, networking) use software and hardware inventories in their daily roles?

Lifecycle Process Interfaces

• Acquisition Process: What percentage of total software purchases in your organisation are made through or are controlled & tracked by centralised procurement?

• Deployment Process: What percentage of total software deployed across the organisation’s PCs and servers (considering all operating systems) is installed through centralised sources or through a controlled distribution system?

• Retirement Process: What percentage of retired hardware assets are tracked in a way to enable the software on them to be reused?


Assessing The Risks: Maturity Frameworks

Microsoft SAM Optimisation Model (SOM)

• Basic: Basic SAM, Ad Hoc. Little control over what IT assets are being used and where. Lacks policies, procedures, resources and tools.

• Standardised: Standardised SAM. SAM processes exist as well as tool/data repository. Information may not be complete and accurate and typically not used for decision making.

• Rationalised: Rationalised SAM, Active Management. Vision, policies, procedures and tools are used to manage IT S/W asset lifecycle. Reliable information used to manage the assets to business targets.

• Dynamic: Dynamic SAM, Optimised. Near real-time alignment with changing business needs. SAM is a strategic asset to overall business objectives.


Assessing The Risks: Maturity Frameworks

Other

• FSSC-1: FAST Standard for Software Compliance

• ITIL: Information Technology Infrastructure Library


Assessing The Risks: Maturity Frameworks

[Figure: Plan, Do, Check, Act cycle]

• Assess current maturity

• Agree desired state

• Plan improvement

• Look for quick wins

• Implement

• Conformance verification

• Repeat…..

Assessing the Risks: Compliance Assessments


Assessing The Risks: Compliance Assessments

Prioritise

• 80/20

• Business Software Alliance (BSA)

• Vendor Audit Teams

Vendor Audit Teams:

• Adobe
• Autodesk
• DELL (Quest)
• EMC
• HP
• IBM
• Micro Focus (Attachmate & Novell)
• Microsoft
• Oracle
• Pitney Bowes
• SAP
• Symantec
• VMware

BSA Membership:

• ACCA Software
• Adobe
• Altium
• ANSYS, Inc.
• Apple
• Autodata Limited
• Autodesk
• Bentley Systems
• CA Technologies
• CG Tech Ltd
• CNC Software – Mastercam
• Corel
• DELL
• IBM
• Intel
• Intuit
• Microsoft
• Minitab
• NetCad Ulusal CAD
• Oracle
• Parallels
• PTC
• Salesforce.com
• Siemens PLM Software, Inc.
• Symantec
• Tekla
• The Mathworks

Mitigating the Risks: The ITIL 4 Ps


Mitigating Risks: The ITIL 4 Ps

People

• IT
• Procurement
• Finance
• Legal

Process

• Senior sponsorship
• ISO 19770
• Conformance verification

Product

• Inventory
• License management
• Information libraries

Partners

• SAM experience
• Licensing knowledge
• Vendor knowledge

Mitigating the Risks: SAM Strategies


Mitigating Risks: SAM Strategies

In-house

Outsourced Service

Service Provider

Reactionary


Summary


Summary: Software Asset Management

Consider adding to Internal Audit

• Probability is relatively high: 63%

• Impact is potentially significant

Establish risks

• Assess maturity

• Assess a sample of compliance

Investigate strategy

• Process not project

• Progress not perfection

[Figure: chart with axes Probability and Impact]


KPMG Strengths

Tools and vendor technology knowledge

• We have firsthand experience of dozens of software tools which can automate elements of the software asset management process. Our team includes staff who have previously implemented and worked with tools on a day-to-day basis.

The KPMG network

• Approximately 450 licensing practitioners across the globe working on various vendor technologies.

• We are able to draw on our firms’ deep industry experience to provide Audit, Tax & Advisory services. This enables us to build cross-functional teams to address the specific needs of all our clients.

Independence and confidentiality

• We are independent of both software publishers and resellers and do not re-sell software licences or software asset management tools. In circumstances where it is beneficial for our clients we do however work in partnership with publishers, resellers and tools vendors.

Thank you

Contact

Presentation by Arpit Agarwal

Manager – Software & IT Asset Management

Mobile: +44 (0) 7824377737

Mailto: [email protected]

KPMG SAM Dinner

If Software Asset Management/software licensing is of particular interest to yourself or a colleague, please note we hold SAM client events on a regular basis; please contact me at [email protected] for more information.


The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
