Making Audits work for you! · – Print all results on paper and have them work on paper formats...


Making Audits work for you!


Who are we & why speak?

• Who?

– Turnover approx. £4B per year (Sainsbury's Argos only, which is the non-food side of the business)

– Spend approx. £100m on IT with software renewals constituting about £30m

– Approx. 400 vendors with the usual 5-10 main vendors and a very long tail and over 3500 products, both licensed and open source

– Complex environment: mainframe, AIX 5.1, Citrix, VMware and COBOL from the 1980s

• Why?

– Audits have no set routine; the variance across vendors and products is too great. Knowledge, experience and real-world examples help all of us to mitigate the impact.

– Vendors thrive on the fear of being audited to suppress business intelligence being shared.

– SAM is a value driven profession and our stakeholders need to be aware of our capabilities.


Audit Steps

• Pre-Audit

– Mitigation

– Risk profiling

– Risk acceptance

– Planning

– Proactive defence

• Audit initiation

– First letter

– Audit checklist

• Audit defence

– Strategies and Legal positioning

• Negotiation

– Team Structure

– Negotiation Strategy

– Concession Strategy

– Timelines

– Future relationship


Pre-Audit


Mitigation

General Policy creation

– No audit while in RFP

– No audit when delivering results of RFP

– If in an audit then excluded from RFP

Vendor Specific policies or License constraining

– Specify Oracle systems to be brought up in case of DC DR (restricts licenses)

– Test environments to use licenses specified as Development or with Mobility (License pools)

Vendor Relationships

– Good relationships with account manager should reduce risk of Audit.


Risk Profiling

What is your risk from Audit?

– Which vendors are active in the market and what is your risk with each vendor

– What is your real risk rather than perceived risk? Would they really audit you?

– Which vendors need an audit defence strategy?

– Which vendors will likely never cause a risk to the business

Expect 2-3 audits per year

– One mitigated

– One resolved with little or no commercial or license implications

– One to affect next year's budget

What factors increase risk?

– Divestiture and M&A

– Lost sales opportunities

– Lost RFPs

– Technical staff (internal misinformation)

– Limited dialogue


Risk Acceptance

What is total risk in the business

– Often shown as a high, scary figure concentrated on by vendors, consultancies and managed service providers

What is the actual risk

– Maximum that any one vendor could bill with 10-20% headroom for the unknown

– Not just the monetary cost but what is the risk to reputation

What risk will the business accept?

– Work on the largest risk until it reaches the accepted risk level or below another recognised risk.

– If a new risk is identified that is larger than the accepted risk, move to the new risk.

– Eventually work on all risk areas to keep reducing risk throughout the business.

– Deal with low risk profile vendors as and when an event occurs (renewal/purchase)


Audit Planning

• Vendor Specific plans / strategies

• Does the vendor require a specific plan/strategy due to its position in the 4 box grid and Risk profile.

• Who will be called upon to answer the audit (Inc. SAM)

• Legal, Procurement, Commercial teams, Vendor/Ops manager

• What are their roles and responsibilities

• When will you meet

• Weekly or monthly

• What are the triggers for changing meeting frequency

• Escalation paths

• Who is accountable if SAM is responsible

• Financial year ends of each vendor

• Communication plan (loose lips cost lives)


Autodesk January

Dell January

CA Technologies March

Compuware March

Symantec March

Infor April

Micro Focus April

Oracle May

Microsoft June

HP October

Adobe November

SAP December

Attachmate December

VMware December

ASG Software solutions December


Proactive Audit Defence

• Software strategy

– On-boarding

• By risk profile (based upon their activity and aggressiveness in the market)

– Create a 4 box grid for all vendors and use to help with risk profiling (emerging, strategic, tactical and legacy)

• Do you on-board all your vendors if there is a very long tail, or consolidate?

– ELP generation

• Accept gaps

• Plan risk mitigation

• Roadmap maturity

– Risk Management

• Risk change

• Risk acceptance appetite change


[Figure: 4 box grid with quadrants Emerging, Strategic, Tactical and Legacy; axes: Business direction and Cost]


Audit Initiation


Audit Start

• Who initiates the audit?

– You or the Vendor?

• Self Audit in response to vendor audit?

– Who carries out the audit?

• Vendor or Third party

– Shut down communications according to communications plan.

• Vendor contract

– Where is your entitlement

– What are your legal obligations

– Review contracts and prior audits to get your “line in the sand”

– Identify exclusions


• Know your ELP

– Hard to know everything

– ELP is like Swiss cheese

– What is missing for that vendor?

– Who can get that data/can you get the data?

• MSPs are slow to respond to requests and cost money

– How is the software used and what is it used for?

• Remember you could have 1000s of products


Audit Checklist

Negotiate the Scope of the Audit

– Non-Negotiable

– Negotiable

– Wish List

Checklist

– Geography & Legal entities

– Device type & OS

– Start date and grace period

– % of acceptable non-compliance

– Who will conduct the audit

– Where can they work

– What data is allowed off site

– What information is required

– Baseline and compliance agreed at end

– Non-Audit clause at completion for a period


Audit Defense


Strategies and legal positioning

What do you need to do legally?

– Legal team defines what your minimum commitment of data is and its format

– Legal verify all questions and tactical manoeuvring to ensure contract compliance

Response Strategies

– Print all results on paper and have them work on paper formats to slow the audit down.

– Make the audit difficult but within the constraints of the contract in order to get the audit cancelled or changed to self declaration

– Delay the conclusion of the Audit to after the end of year for the vendor or yourself, depending on the risk.

– Delay the conclusion until Vendor end of year in order to get the best negotiation position.

– Ensure that communications and data are sent through a nominated person (group); any communications outside of this are not subject to audit


Negotiation


Team Structure

• Will comprise some of the Audit response team

• What additional resources are required?

• What are their Roles and what are their negotiation strengths

• Listening

• Communication

• Decision making

• Emotional control

• What are the negotiation styles you will use for/against

• Bully - Competing

• Negotiator - Collaborate

• Politician - Avoiding

• Doormat - accommodating

• Do you have someone of each negotiation style involved?


Strategy

• How will you run the negotiations?

• Who will be involved from both the vendor and your company

• How many people will actively negotiate

• What is their cultural perspective (US, EUR, UK, APAC)

• Good cop Bad cop

• Bad Cop Worse cop

• Concession Trading

• Auction Bartering

• WIN-WIN scenario setting

• Concession strategy

• List your goals and the negotiation styles required for each

• Meetings

– Appropriate authority to make decisions

– Have non-negotiables been agreed (don’t start unless they have)

– Assess the negotiating styles they are bringing and determine your defence against them


Concession Strategy

• Clarity on the vendor's goals

• Clarity on your goals

• Sequence of which goals to trade or exchange for both parties

• SWOT analysis of goals

• Mapped against negotiation styles

• What is your BATNA (Best Alternative To a Negotiated Agreement)

• What happens when it fails

• If the results are less than your BATNA there is no point in proceeding with negotiations


Timeline & Relationship

Timeline

• Is there a deadline that needs to be reached due to the audit defence strategies followed?

• Clear timelines and meetings keep the pace of negotiations from faltering.

• Ensure that the vendor knows and agrees the pre-planned meetings and the final meeting in advance, to ensure that they make decisions.

• Contracts and baseline should have an agreed date of completion after negotiations so that there is clear commitment

Relationship

• Once the audit is completed you want to see how you can keep the relationship positive

• Keep meeting quarterly or every 6 months depending on the vendor to reduce risk of audit

• Meetings related to the 4 box grid (Emerging, strategic, tactical & Legacy)

• Do the results of the negotiation change their position on the 4 box grid?


Thank you!
