Latest ITAM News

Building a SAM program: Update existing or “rip & replace”?

“Update, or, rip and replace?” We have all heard this phrase. In fact, it is likely that most adults have said this phrase at some point in their life. The phrase is commonly used when discussing or thinking about a house remodeling. Do you spend the money to upgrade your house within the confines of the “four walls” that are there, or would you be better served, or your investment better made, in ripping down the existing structure and start from scratch? It seems like an easy decision, brand new electric, brand new plumbing, brand new design and layout. All the newness seems overwhelmingly positive! However, is it really all positive? If that was the case, it would always be about new construction and never about remodeling the existing. The reality is that nothing is free, and in the end, it is the cost that will determine the approach you will chose. It comes down to the simple question: “How much for new construction versus remodel?” The answer to the question of course, when you break it down, is a personal one. You may be a person that always opts for new, new car every three years so you lease, new house so you rip and replace or move to a new neighborhood, or even, you opt to go out to dinner versus eating leftovers. These are all individual or family decisions, which you control. However, when dealing in the corporate world, it isn’t so simple.

Conceptually, building a Software Asset Management (SAM) program or organization would appear to be a straightforward and simple process. Every organization has a framework for the “who”, “what”, “where”, “when”, “why” and “how” of SAM. ISO 19770 provides this framework and provides a roadmap for SAM organizations. Specifically, ISO 19770-1: 2017 provides the critical process objectives by process type in the following areas and sub-areas:

IT asset Functional Management Process Areas IT Asset Life Cycle Management Processes
Change Management (Tier 1) Specification (Tier 2)
Data Management (Tier 1) Acquisition (Tier 2)
License Management (Tier 1) Development (Tier 2)
Security Management (Tier 1) Release (Tier 2)
Relationship/ Contract Management (Tier 3) Deployment (Tier 2)
Financial Management (Tier 3) Operation (Tier 2)
Service Level Management (Tier 3) Retirement (Tier 2)
Other Risk Management (Tier 3)

*Above table is summarized from Annex A of ISO/IEC 19770-1 Third Edition 2017-12

Additionally, the standard associates these process types into three defined IT Asset Management (ITAM) tiers that assess the level or “maturity” of the SAM program:

• Tier 1: Trustworthy Data – knowing what you have so you can manage it.
• Tier 2: Life Cycle Integration – Achieving greater efficiency & cost-effectiveness in the IT asset life cycle.
• Tier 3: Optimization – achieving greater efficiencies and cost-effectiveness through functional focus.

*Above tiers are summarized from Annex B of ISO/IEC 19770-1 Third Edition 2017-12

The ideal approach for a SAM team would be to implement these process objectives in a strategic way to progress from one tier to the next. With the implementation of each process, the capabilities of the SAM organization bring greater and enhanced value to the business. However, “reality” for SAM teams looking to “implement” ISO 19770 processes, procedures and technologies into their corporate environment, can feel like putting an extension on a house. “Reality” includes all the existing processes, procedures and technology within the corporation that the SAM program must co-exist and integrate with, however, are not owned by the SAM organization Corporate reality is that the “four walls” define the current environment, and the likelihood of “ripping and replacing” those “four walls” to facilitate the integration of the SAM objectives is highly unlikely. If there was a magic wand that could remove all the barriers to progress, it would be simple to roll out new processes and procedures and implement new technologies to facilitate the SAM vision. Unfortunately, this “magic wand” does not seem to exist in practicality.

The question that comes to mind is “Why can’t we just change the processes and procedures that are in place today to enable the value of SAM to be achieved?” It is a great question, but not the question corporate executives seem to be asking. Rather, the question they seem to focus on is “What is the cost of changing the current processes and procedures and implementing the new technology needed to provide these SAM insights?” This question shifts the focus from implementing the standard completely or in part, to a focus based on the investments required versus the value returned. This is a far more complex question to answer since the reality is that the SAM team/organization does not own the broader processes and procedures in place today, such as the software request process for development, or the software move, add or change processes for operations, or the software removal process for terminated employees. These are all processes defined and established within IT Service Management (ITSM), not within IT asset management (ITAM) or SAM. This is key in the vision for your SAM organization as ITAM is a sub-component of the ITSM framework. ITAM is essentially a functional component of ITSM and needs to integrate into the ITSM processes and procedures, not the reverse. This is the reality of the SAM organization. The decision to “rip and replace” your house to build new rather than remodel or buying a brand-new construction home in a new neighborhood, is controlled by the home owner. All the decisions and costs are owned by the same persons/individuals. Whereas, the SAM organization is a team within the broader organizational structure that does not have control of the decisions or total costs of the business.

The “reality” of SAM is that it is not possible to develop, build and deploy a SAM program in a vacuum. If it was built in a vacuum, you can start from scratch and build it exactly as you would want it to be based on the ISO 19770 standard and framework. This would be a great approach and would be the preferred design if the SAM program was being developed and deployed as the company was forming. However, in the real world, the SAM program must be integrated within already defined and existing organizational processes and procedures. Why? Because SAM is a supporting structure to the broader corporate structure. SAM is a provider of data and information critical to finance, risk management, IT security, development, procurement, human resources, etc.

SAM as a stand-alone and isolated function doesn’t make sense. It is the interconnection with all the business units that will utilize the data that truly defines the value of SAM to an organization and the value that the corporation will receive. This seems to be the vision and strategy being set forth in the current edition of ISO 19770-1. The standard defining the ITAM tiers brings clarity to the importance of the integration of the processes and organizational responsibilities down to the fundamental level of the IT asset itself. Clearly, this cannot be done in a vacuum and it cannot be done by redefining all new process and procedures. The best approach is to “remodel” the processes and procedures, and update/upgrade technology where appropriate, but it starts with the “remodeling plan”. The “reality” of the SAM team is to focus on understanding the broader corporate processes and procedures that are in place and how best to integrate with them. What are the existing technologies that are in place and how can they be leveraged or upgraded – “rip and replace” is an option here if it is justifiable and provides a broader corporate value beyond the SAM effort. When building your SAM program, it is critical to start by asking what are the corporate objectives of the SAM team.

Therefore, the “remodeling plan” is all about defining and outlining your objectives for the SAM organization. The plan should answer the following or similar questions:
• What are the corporate objectives for the SAM team? Are they counting licenses for audit defense or proactively providing insights into the environment in real time?
• What is the critical data and/or information that the team is to provide to the business?
• What are the time-frames in which this data must be provided?
• To whom should the data be provided and how should it be delivered?
Once the goals and objectives are defined for the SAM team, understanding the current processes and procedures will allow the team to define how the SAM team will integrate into the existing processes. With a clear understanding of how to integrate into the existing workstreams, the SAM team will be able to provide recommendations on how to modify and improve the existing workflows to enable the value of SAM to be brought about. This is the “reality”! The SAM team is not proposing massive changes and redefining of processes and procedures, just to update and modify where necessary, to enable the collection of data and provide information at the right time and in the right way.

These changes are designed to allow the SAM team to function within the corporate eco-system while delivering the true value of SAM to each organization through communication and information availability. For SAM, the reality is to be a provider of software asset utilization, consumption and/or financial information, in a timely fashion to the business. We should not think it is any more complex than enabling that information sharing. This doesn’t mean it isn’t complex or challenging to implement and run daily, but SAM is not a corporate billing system that drives the business nor a customer-facing application that drives revenue. For this reason, “rip and replace” is not realistic. We should look to adopt and adapt the appropriate ISO 19770 components to deliver the SAM business objectives set forth by corporate governance.

About Frank Venezia

Frank Venezia is the Managing Director, Advisory, EY US LLP