Siva, R, Lead – Client Operations and Services, Infosys BPO Limited
Avoiding risks and eliminating compliance issues in software procurement and management have been among the most difficult challenges for CIOs and CPOs all over the world. If you have faced software vendor audits and the legal issues that can follow them, this article offers realistic solutions.
Case in Point:
An organization invested more than $2 million in implementing a ‘best in class' software asset management (SAM) tool. Senior management approved this investment with a forecasted return on investment (ROI) of 3. The following was the outcome several months after the SAM program was implemented:
The software asset management team continues to struggle to reconcile and optimize software licenses.
There is no clarity about the entitlement data for many widely used applications. Sensing potential issues, software vendors keep insisting on compliance audits, and the threat of vendor penalties looms large.
Costs spiral instead of delivering the expected positive ROI.
Senior management has started rethinking the viability of the program.
These issues are common across organizations where inadequate planning and related shortcomings have resulted in chaos and a drain on scarce resources.
Source: Infosys BPO Research
A ‘well-conceived' Software Policy:
The lack of a software policy leads to multi-dimensional challenges in every organization. The software policy should cover both licenses and services, and how it is governed and administered should be made clear to all relevant stakeholders across the organization. Best in class organizations keep separate policies for software that comes under ‘End User License Agreements (EULA)' and software covered by ‘Master License and Services Agreements (MLSA)'.
Applications procured under a EULA create bigger challenges for both CPOs and IT managers, since the organization has little control over the terms and conditions that govern these agreements.
The policy also needs to spell out the approach towards software resellers. If the purchase agreement with a reseller does not include the publisher, compliance issues become complicated, because the publisher who audits the installation is not a party to the agreement the buyer signed. A tripartite agreement covering the customer, the reseller and the publisher safeguards the interests of the buyer organization and minimizes such challenges.
Process for Software Entitlement Data Collection:
Investing in ‘high-end' technology tools to collect the installed counts of software does not serve the purpose of reconciliation and optimization unless reliable entitlement data is available to compare against. Most failures in a typical SAM project can be traced to the procurement organization not having a usable record of the software licenses it has actually purchased.
The conventional method of maintaining copies of software license agreements and purchase orders is laborious and may not yield the desired results. Because applications are purchased over a period of time and upgraded from time to time (with copies of older versions still maintained in some locations), this process becomes even more complex.
The ideal way to obtain accurate entitlement data is to ‘completely' automate the process by including mandatory fields in the purchase orders (license type, license quantity, product name, manufacturer SKU number, license expiry date, etc.) so that the data can be pulled as a report and analyzed online at any time.
A typical template used for software entitlement data collection is illustrated below:
Source: Infosys IT Category Council
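To show what the automated entitlement export buys you once it exists, here is a reconciliation script that consumes purchase-order rows carrying the mandatory fields listed above and compares them with the installed counts a discovery tool reports. This is an added illustration, not code from the article or from Infosys; the PO numbers, product names, SKUs, quantities, expiry dates and installed counts are constructed sample data. It handles the two situations the case study complains about: subscriptions that have expired (they must not count towards entitlement on the reconciliation date) and installed products for which no entitlement record exists at all.

```python
"""Entitlement-vs-installed reconciliation for a SAM program (added example).

All PO rows, SKUs, quantities, dates and installed counts below are constructed
sample data, not figures from the article.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed export of the mandatory PO fields the article proposes.
# An empty license_expiry means a perpetual license.
PO_EXPORT = """po_number,product_name,manufacturer_sku,license_type,license_quantity,license_expiry
PO-1001,Acme Office Suite,ACM-OFF-STD,perpetual,100,
PO-1002,Acme Office Suite,ACM-OFF-STD,subscription,50,2023-12-31
PO-1003,Beta DB Server,BDB-ENT,per-core,16,2025-06-30
PO-1004,Gamma CAD,GAM-CAD,perpetual,10,
"""

# Constructed installed counts as a discovery tool would report them, keyed by SKU.
INSTALLED: Dict[str, int] = {"ACM-OFF-STD": 130, "BDB-ENT": 12, "GAM-CAD": 10, "DLT-PDF": 7}


@dataclass(frozen=True)
class Entitlement:
    po_number: str
    product_name: str
    sku: str
    license_type: str
    quantity: int
    expiry: Optional[date]  # None means perpetual


@dataclass(frozen=True)
class Finding:
    sku: str
    entitled: int
    installed: int
    status: str  # compliant | over-deployed | unused-entitlement | no-entitlement-record


def parse_entitlements(text: str) -> List[Entitlement]:
    """Parse the PO export; a row with a blank SKU is rejected rather than silently
    counted as zero, because a missing SKU is exactly what makes reconciliation fail."""
    out: List[Entitlement] = []
    for row in csv.DictReader(io.StringIO(text)):
        sku = row["manufacturer_sku"].strip()
        if not sku:
            raise ValueError(f"{row['po_number']}: missing manufacturer SKU")
        exp = row["license_expiry"].strip()
        out.append(Entitlement(
            po_number=row["po_number"].strip(),
            product_name=row["product_name"].strip(),
            sku=sku,
            license_type=row["license_type"].strip(),
            quantity=int(row["license_quantity"]),
            expiry=date.fromisoformat(exp) if exp else None,
        ))
    return out


def effective_entitlement(ents: List[Entitlement], as_of: date) -> Dict[str, int]:
    """Sum quantities per SKU, counting only licenses still valid on the as_of date."""
    totals: Dict[str, int] = defaultdict(int)
    for e in ents:
        if e.expiry is None or e.expiry >= as_of:
            totals[e.sku] += e.quantity
    return dict(totals)


def reconcile(ents: List[Entitlement], installed: Dict[str, int], as_of: date) -> List[Finding]:
    """Compare effective entitlement with installed counts, one finding per SKU."""
    known = {e.sku for e in ents}          # SKUs with any PO record, expired or not
    entitled = effective_entitlement(ents, as_of)
    findings: List[Finding] = []
    for sku in sorted(known | set(installed)):
        have = entitled.get(sku, 0)
        used = installed.get(sku, 0)
        if sku not in known:
            status = "no-entitlement-record"  # installed, but procurement has no PO for it
        elif used > have:
            status = "over-deployed"          # includes the case where all licenses expired
        elif used < have:
            status = "unused-entitlement"
        else:
            status = "compliant"
        findings.append(Finding(sku, have, used, status))
    return findings


def audit_exposure(findings: List[Finding]) -> int:
    """Total licenses short across over-deployed SKUs: what a vendor audit would bill for."""
    return sum(f.installed - f.entitled for f in findings if f.status == "over-deployed")


def run_sample(as_of_iso: str) -> List[Finding]:
    """Reconcile the constructed sample as of the given ISO date (YYYY-MM-DD)."""
    return reconcile(parse_entitlements(PO_EXPORT), INSTALLED, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    fs = run_sample("2024-06-01")
    for f in fs:
        print(f"{f.sku:12} entitled={f.entitled:4} installed={f.installed:4} {f.status}")
    print("audit exposure (licenses short):", audit_exposure(fs))
```

Run on 1 June 2024, the 50-seat subscription on PO-1002 has expired, so the office suite is 30 licenses over-deployed even though 150 seats were bought in total; DLT-PDF shows up as installed with no PO record at all, which is the "no clarity regarding the entitlement data" situation from the case study. Run on 1 December 2023, the same data shows a 20-seat surplus instead. The reconciliation date therefore has to be part of every report, not an afterthought.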
Process of Software Contracting:
A well-documented software contracting process helps end users, requesters and buyers become conversant with the process to be followed and understand the responsibilities of the various stakeholders. A visual representation in the form of a process flow diagram makes it easier for user functions to understand and also minimizes potential compliance issues. Typically, the software contracting process document is the result of a collaborative effort among the purchasing, legal and IT functions and requires senior management ‘sign-off' before implementation.
Software contracts start with a Master License and Services Agreement (MLSA), followed by sub-agreements, amendments and work orders. The compliance team carries out comprehensive due diligence and makes appropriate recommendations before a Master Agreement is finalized. Entering into a direct software purchase agreement without a Master Agreement is a high-risk engagement and could lead to legal disputes. Some best in class organizations adopt ‘product specific' or ‘service specific' NDAs before initiating a formal RFx process with potential bidders.
Technology Governance Review:
This process is owned by the CIO's organization and involves review and approval of all new software applications the organization needs. The technology governance team maintains an inventory of the applications currently in use across the organization, along with their usage information. For a new request, the team checks whether a similar application is already available, assesses the suitability and technical viability of the requested application, and analyzes the potential threats associated with it.
In many ‘best in class' organizations the technology governance review has been automated: users submit their requests through a workflow tool that is typically linked to the software procurement tools. Users fill in the necessary data in a standard template, and the approval process completes within the SLAs mutually agreed between the technology governance team and the purchasing organization.
Software Exceptions Management:
A detailed exception procedure is needed to address the various risks and mitigate them appropriately. “Shrink-wrap" and “click-wrap" products pose significant challenges to the organization, mainly because of the very limited confidentiality of the purchaser's information, the limitation of the vendor's liability and the absence of warranty protection.
Despite these challenges, there can be a strong business need for such applications to sustain various business functions. Where unique risks are present in a shrink-wrap purchase, they are clearly identified and documented, and amendments to the shrink-wrap agreement are proposed to mitigate them. Whether vendors accept these amendments depends on the bargaining power and the size of the organization.
Whenever the vendor does not accept the amendments and no alternative products are available, the documented risks are submitted to senior management along with the necessary justification for exception approval. The risks arising from such exceptions are typically owned by the business owner who decides to go ahead with the software product.
The following graph highlights the cost benefits of enforcing a comprehensive Risk and Compliance Management program in a typical organization:
Source: Infosys BPO Research
By applying the various strategies described in this article, organizations can achieve the following benefits:
Quantum jump in contract compliance related to software
Anytime readiness to face software audits
Visible improvement in process efficiency
Measurable savings and cost avoidance in software license purchases and maintenance costs
Siva, R, Lead – Client Operations and Services, Infosys BPO Limited, is a practicing professional in the field of strategic sourcing of IT commodities and services. Siva has 22 years of experience in the industry and currently manages the IT category council in Infosys. Siva leads a team of experts in the US for managing the operations and services for a Telecom Giant.