How to manage the risks and costs of software compliance
License complexity per se is not the only challenge. In recent years, a growing number of software vendors have engaged in audits, enforcement actions and other activities that cause anxiety and large bills for IT departments in the Fortune 500 and beyond. Several options are available to manage software contract compliance including legal advice, specialized consulting and technology. Major IT buyers and vendor managers tend to use a combination of these approaches to reduce risk.
Failing a software license audit is far from a hypothetical problem. According to Flexera, a software asset management company, software “license true ups” (i.e. paying for the gap between what a company uses and their license) regularly clear the $1 million mark.
Managing software licenses is comparable to managing an investment portfolio. Underperforming assets that play no clear role are candidates for elimination. There is no reason to wait for a determined software audit representative to review an organization’s portfolio. Instead, leading companies regularly review their IT portfolios to make optimization decisions on their own.
With multi-million dollar contracts and penalties on the line, calling in legal experts is often a smart move. Julie Machal-Fulk, partner at Scott and Scott LLP – a technology-focused law firm in Southlake, Texas – has served a number of clients in software contract and audit matters. Assisting IBM’s customers facing audits and similar challenges has been a recent area of focus.
“I have seen cases where IBM is seeking millions of dollars in fees. Fortunately, I have seen negotiated settlements between IBM and their end customers that reduce those amounts,” Machal-Fulk says. “Monitoring tools provided by software publishers are sometimes required in order to receive discounts. However, installing and operating this software is difficult. In those cases, the vendor finds out that the customer has not used the tool. This discovery leads to a discussion about paying additional fees. It is difficult for users to fulfill these requirements even when they wish to do so,” she says.
“Software audits often come in different forms. For example, I have seen software audits from vendors come across as information requests or reviews. When a company responds to these requests without specialized advice, there is a lost opportunity to control costs. I worked with one client on such a request recently where we could have negotiated a limit to the scope of the audit. Unfortunately, that discussion did not take place and the audit is now applicable to the client’s operations around the world,” Machal-Fulk says.
Timing makes a major difference in seeking legal advice. “Once data is released to the vendor, the user’s ability to negotiate and adjust the scope of the audit is reduced,” Machal-Fulk says. Knowing when to involve legal experts is a matter of professional judgement. Using the organization’s spending authorization as a guideline is helpful. For example, if the organization requires executive approval on contracts over $100,000, then one can make a case to involve legal experts in those situations.
IT managers seeking to benchmark their approach against best practices have several options. The ISO 19770-1:2012 standard (known as the “SAM Standard”) lays out a framework to manage software assets. “The ISO standard is helpful yet it can be difficult to understand,” says Rodger Correa, Director of Program Coordination for the Americas at the Business Software Alliance (BSA). “BSA has published resources to guide IT staff through the software asset management process,” he says.
For organizations with complex software arrangements, seeking a third-party review may be helpful. “The Verafirm process provides a third party review and certification of an organization’s software asset management process,” Correa says. “We launched this program in Asia first and it has been very popular in India and Thailand,” he says. The only downside to this program is the cost and duration – the certification process takes six to twelve months depending on the situation.
IT departments seeking technology solutions have a variety of options available to them. “Technology tools help but they do have important limitations,” says Julie Machal-Fulk, partner at Scott and Scott LLP. “The software solution cannot design the strategy or the interaction with the software publisher,” she explains.
Factor in the following considerations when considering a software asset management platform.
Sustaining effective governance over IT software is an evolving struggle. Using outside experience and resources is a proven way to reduce the risk.