Software Asset Management: Risk and Reward
March 2015
1© 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Agenda
What Are the Risks
■ Direct Risks
■ Indirect Risks
■ Future Risks
How to Assess the Risks
■ Maturity Frameworks
■ Compliance Assessments
Mitigating the Risks
■ The ITIL 4 Ps
■ SAM Strategies
Summary
The Risks: Direct Risks
[Probability/impact matrix plotting three direct risks:]
1. Non-Compliance: Financial
2. Non-Compliance: Reputational
3. Over-licensing
The Risks: Direct Risks
Non-Compliance - Financial exposure
• 85%: percentage of organisations that are using more software than they have paid for
• 63% of organisations have been audited within the last 18-24 months
• 37% of organisations have been audited twice within the last 18-24 months
• 34%: percentage of large enterprises ($£B+) audited three times or more in the last 18-24 months
• $1.6m: the average true-up payment for a $4B revenue company
• $263k: the average true-up payment for a smaller $50M revenue company
• 64%: percentage of organisations that are not using automated, commercial software to manage their software licenses
‘Key Trends in Software Pricing and Licensing Survey – Software Licensing Audits: Costs and Risks to Enterprises’, IDC, 2014
The Risks: Direct Risks
http://www.computerweekly.com/news/2240225480/Bank-of-America-When-software-relationships-turn-sour
“Tibco has filed a lawsuit with the California North District Court alleging the Merrill Lynch division of Bank of America illegally used $300m of its software for a major IT project. The case highlights a catastrophic breakdown in supplier relationships, which could lead to Bank of America being exposed to a potential risk of no longer being able to run software that uses Tibco.”
http://www.channelweb.co.uk/crn-uk/news/2349161/sussex-engineers-settle-bsa-licensing-stoush
“Billingshurst engineering firm Project Options has been forced to cough up £33,000 after the BSA found it using unlicensed Autodesk software.”
Non-Compliance - Reputational Risk
http://www.channelweb.co.uk/crn-uk/news/2220503/tip-off-costs-bsa-victim-gbp99-000
“The Business Software Alliance (BSA) has stung a safety specialist firm for almost £100,000 following a tip-off over its alleged use of unlicensed software. First Choice Facilities was forced to pay the anti-piracy body £18,000 as part of a settlement, and stump up a further £81,000 in licence costs to address the shortfall, after being found with unlicensed Adobe, Autodesk, Microsoft and Symantec products.”
The Risks: Direct Risks
Over-Spending
• Over-specified license types
• Inaccurate license quantities
• Maintenance of unused software
• Failure to negotiate bespoke terms
The Risks: Indirect Risks
[Probability/impact matrix for indirect risks]
The Risks: Indirect Risks
Security
• Incomplete Coverage
• Version Control: Vulnerabilities
• Unauthorised Software
• Unauthorised Use
The Risks: Indirect Risks
Business Continuity / Service Delivery
[Diagram of the systems that must stay in step for service delivery:]
• IT Asset Management: Asset Registry; Asset Data Inventory; License Management System
• IT Service Management: CMS/CMDB; Services & CI Relationships
• Finance / procurement systems
The Risks: Future Risks
[Probability/impact matrix plotting two future risks:]
1. Tax
2. Outsourcer performance
The Risks: Future Risks
Tax
• Transfer pricing
• Indirect tax
Outsourcer Performance
• Based on vendor review experience
• Cannot outsource responsibility for compliance
Assessing the Risks: Maturity Frameworks
Assessing The Risks: Maturity Frameworks
ISO/IEC 19770
• ISO/IEC 19770 is an international standard for software asset management (SAM)
• 3 parts:
  • ISO/IEC 19770-1: Processes
  • ISO/IEC 19770-2: Software identification tag
  • ISO/IEC 19770-3: Software entitlement tag
• First published in 2006, revised in 2012 to enable incremental stages
Assessing The Risks: Maturity Frameworks
ISO/IEC 19770 process areas
Organisational Management Processes for SAM
• 4.2 Control Environment for SAM
  • Corporate Governance Process for SAM
  • Roles and Responsibilities for SAM
  • Policies, Processes and Procedures for SAM
  • Competence in SAM
• 4.3 Planning and Implementation Processes for SAM
  • Planning for SAM
  • Implementation of SAM
  • Monitoring and Review of SAM
  • Continual Improvement of SAM
Core SAM Processes
• 4.4 Inventory Processes for SAM
  • Software Asset Identification
  • Software Asset Inventory Management
  • Software Asset Control
• 4.5 Verification and Compliance Processes for SAM
  • Software Asset Record Verification
  • Software Licensing Compliance
  • Software Asset Security Compliance
  • Compliance Verification for SAM
• 4.6 Operations Management Processes and Interfaces for SAM
  • Relationship and Contract Management for SAM
  • Financial Management for SAM
  • Service Level Management for SAM
  • Security Management for SAM
Primary Process Interfaces for SAM
• 4.7 Life Cycle Process Interfaces for SAM
  • Change Management Process
  • Software Development Process
  • Software Deployment Process
  • Problem Management Process
  • Acquisition Process
  • Software Release Management Process
  • Incident Management Process
  • Retirement Process
Assessing The Risks: Maturity Frameworks
ISO/IEC 19770-1:2012 tiers (shown as a pyramid, Tier 1 at the base)
• Tier 1: Trustworthy Data – knowing what you have so you can manage it
• Tier 2: Practical Management – improving management controls and driving immediate benefits
• Tier 3: Operational Integration – improving efficiency and effectiveness
• Tier 4: Full ISO/IEC SAM Conformance – achieving best-in-class strategic SAM
Assessing The Risks: Maturity Frameworks
Microsoft SAM Optimisation Model (SOM)
Each row gives the ISO 19770-1 process area, the SOM key competency, and the competency question asked of the organisation.
Organisational Management
• SAM Throughout Organisation: How has software asset management (with documented procedures, roles, responsibilities and executive sponsorship) been implemented in each infrastructure group?
• SAM Self Improvement Plan: Does your organisation have an approved SAM self-improvement plan?
SAM Inventory Processes
• Hardware and Software Inventory: What percentage of user PCs and servers are included in a centralised software inventory / CMDB (configuration management database) which is populated by a software tracking tool?
• Accuracy of Inventory: How often do you reconcile software inventories with other sources to verify the accuracy of assumed license metrics (for example, user counts based on HR employee records)?
SAM Verification Processes
• License Entitlement Records: What percentage of procured software licenses are recorded in a license entitlement inventory (a central repository / tracking of all licenses owned and/or previously acquired)?
• Periodic Self Evaluation: How often do you reconcile software deployments (usage) to software entitlements (purchases)? Software entitlements are software licenses owned or previously acquired.
Operations Management and Interfaces
• Operations Management Records Interfaces: How do the various Operations Management functions (contracts, financial fixed assets, service support, security, networking) use software and hardware inventories in their daily roles?
Lifecycle Process Interfaces
• Acquisition Process: What percentage of total software purchases in your organisation are made through, or are controlled and tracked by, centralised procurement?
• Deployment Process: What percentage of total software deployed across the organisation’s PCs and servers (considering all operating systems) is installed through centralised sources or through a controlled distribution system?
• Retirement Process: What percentage of retired hardware assets are tracked in a way that enables the software on them to be reused?
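The reconciliation the Periodic Self Evaluation and Accuracy of Inventory questions ask about, and the unauthorised-software and out-of-date-version risks from the Security slide, as an added Python example (not KPMG's or Microsoft's tooling); the inventory, entitlement and approved-catalogue records are constructed sample data, and the version ordering rule is an assumption for the example.

```python
import re
from collections import Counter

# Constructed sample data, not from the page: installs reported by a
# discovery tool, the licence register, and the approved catalogue with
# the minimum version the organisation still supports.
INVENTORY = [  # (host, product, version)
    ("ws-01", "Autodesk AutoCAD", "2014"),
    ("ws-02", "Autodesk AutoCAD", "2014"),
    ("ws-03", "Autodesk AutoCAD", "2013"),
    ("ws-01", "Adobe Acrobat", "11"),
    ("ws-04", "Adobe Acrobat", "11"),
    ("srv-01", "Oracle Database", "11.2"),
    ("ws-05", "Freeware Toolbox", "3.4"),  # never approved or purchased
]
ENTITLEMENTS = {"Autodesk AutoCAD": 2, "Adobe Acrobat": 5, "Oracle Database": 1}
APPROVED_MIN_VERSION = {"Autodesk AutoCAD": "2014", "Adobe Acrobat": "11",
                        "Oracle Database": "11.2"}

def version_key(v):
    """Assumed rule: numeric components compare as integers, so '9' < '10'."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def reconcile(inventory, entitlements, approved_min):
    """Compare deployments (usage) with entitlements (purchases); return
    (position per product, unauthorised installs, installs below min version)."""
    installed = Counter(product for _, product, _ in inventory)
    position = {}
    for product in sorted(set(installed) | set(entitlements)):
        used, owned = installed.get(product, 0), entitlements.get(product, 0)
        position[product] = {
            "installed": used,
            "entitled": owned,
            "shortfall": max(used - owned, 0),  # true-up exposure
            "surplus": max(owned - used, 0),    # over-licensing, wasted maintenance
        }
    # Security view: software outside the approved catalogue, and approved
    # software running below the supported (patched) minimum version.
    unauthorised = [row for row in inventory if row[1] not in approved_min]
    outdated = [row for row in inventory
                if row[1] in approved_min
                and version_key(row[2]) < version_key(approved_min[row[1]])]
    return position, unauthorised, outdated

if __name__ == "__main__":
    pos, unauth, old = reconcile(INVENTORY, ENTITLEMENTS, APPROVED_MIN_VERSION)
    print(pos)
    print("unauthorised:", unauth, "outdated:", old)
```

A shortfall row is the financial and reputational non-compliance risk, a surplus row the over-licensing risk; both come out of the same deployments-versus-entitlements pass.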
Assessing The Risks: Maturity Frameworks
Microsoft SAM Optimisation Model (SOM): maturity levels
• Basic SAM (Ad Hoc): Little control over what IT assets are being used and where. Lacks policies, procedures, resources and tools.
• Standardised SAM: SAM processes exist, as well as a tool/data repository. Information may not be complete and accurate, and is typically not used for decision making.
• Rationalised SAM (Active Management): Vision, policies, procedures and tools are used to manage the IT software asset lifecycle. Reliable information is used to manage the assets to business targets.
• Dynamic SAM (Optimised): Near real-time alignment with changing business needs. SAM is a strategic asset to overall business objectives.
Assessing The Risks: Maturity Frameworks
Other
• FSSC-1: FAST Standard for Software Compliance
• ITIL: Information Technology Infrastructure Library
Assessing The Risks: Maturity Frameworks
Plan – Do – Check – Act
• Assess current maturity
• Agree desired state
• Plan improvement
• Look for quick wins
• Implement
• Conformance verification
• Repeat…
Assessing the Risks: Compliance Assessments
Assessing The Risks: Compliance Assessments
Prioritise
• 80/20
• Business Software Alliance (BSA)
• Vendor Audit Teams:
  • Adobe
  • Autodesk
  • DELL (Quest)
  • EMC
  • HP
  • IBM
  • Micro Focus (Attachmate & Novell)
  • Microsoft
  • Oracle
  • Pitney Bowes
  • SAP
  • Symantec
  • VMWare
BSA Membership:
• ACCA Software
• Adobe
• Altrium
• ANSYS, Inc.
• Apple
• Autodata Limited
• Autodesk
• Bentley Systems
• CA Technologies
• CG Tech Ltd
• CNC Software – Mastercam
• Corel
• DELL
• IBM
• Intel
• Intuit
• Microsoft
• Minitab
• NetCad Ulusal CAD
• Oracle
• Parallels
• PTC
• Salesforce.com
• Siemens PLM Software, Inc.
• Symantec
• Tekla
• The Mathworks
Mitigating the Risks: The ITIL 4 Ps
Mitigating Risks: The ITIL 4 Ps
The 4 Ps
People
• IT
• Procurement
• Finance
• Legal
Process
• Senior sponsorship
• ISO 19770
• Conformance verification
Product
• Inventory
• License management
• Information libraries
Partners
• SAM experience
• Licensing knowledge
• Vendor knowledge
Mitigating the Risks: SAM Strategies
Mitigating Risks: SAM Strategies
In-house
Outsourced Service
Service Provider
Reactionary
Summary
Summary: Software Asset Management
Consider adding to Internal Audit
• Probability is relatively high: 63%
• Impact is potentially significant
Establish risks
• Assess maturity
• Assess a sample of compliance
Investigate strategy
• Process not project
• Progress not perfection
KPMG Strengths
Tools and vendor technology knowledge
• We have firsthand experience of dozens of software tools which can automate elements of the software asset management process. Our team includes staff who have previously implemented and worked with tools on a day-to-day basis.
The KPMG network
• Approximately 450 licensing practitioners across the globe working on various vendor technologies.
• We are able to draw on our firms’ deep industry experience to provide Audit, Tax & Advisory services. This enables us to build cross-functional teams to address the specific needs of all our clients.
Independence and confidentiality
• We are independent of both software publishers and resellers and do not re-sell software licences or software asset management tools. In circumstances where it is beneficial for our clients we do however work in partnership with publishers, resellers and tools vendors.
Thank you
Contact
Presentation by Arpit Agarwal
Manager – Software & IT Asset Management
Mobile: +44 (0) 7824377737
Mailto: [email protected]
KPMG SAM Dinner
If Software Asset Management / software licensing is of particular interest to yourself or a colleague, please note we hold SAM client events on a regular basis; please contact me at [email protected] for more information.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.