By Jan Hachenberger, KPMG
ITAK V10 I2
I have been actively involved in more than 400 license audits, an equivalent of 10,000 hours+ of experience. I have come to the conclusion that even if an organization is willing to invest in software license compliance and spends a “couple of dollars” on a proper SAM implementation (including the roll out of a SAM tool), the overall license risk after 2 or 3 years of SAM operation is almost as high as it would have been without SAM. Looking for an answer for the “why?” is not that hard.
Good Intentions are not Enough
Consider the following scenario. A company with approx. 8.000 employees usually sets up SAM as follows: 1 centralized license manager and + 2 to 4 decentralized license managers – all of them not dedicated 100% to SAM, but give or take 50%, at least in their job descriptions. In reality, the amount of time used for license management is typically much lower than 50%. License management is quite often a side activity because changes in IT infrastructure happen in waves and not on a daily basis. The same applies to software licenses, mostly due to the fact that a change in IT infrastructure determines a change in license requirements. And, last but not least, most enterprise license agreements call for an annual reporting, e.g. the so-called “true up” in a Microsoft Enterprise Agreement.
Thus, license management or SAM has a busy season of 2 to 3 months per year and maybe some firefighting here and there, but usually not enough work to keep those license managers busy on a daily basis. Is this really a problem? Yes, it is. While those license managers are doing “other things” (see table 1), software publishers are changing their license terms, new software products are released, etc.
Figure 1: Main Tasks for a License Manager
When the busy season starts, some license managers have forgotten how to work with the SAM tool, the name of the SAP account manager, the password for the Adobe Licensing website or important license terms. Imagine the difficulty remembering the details of the “how-to” such as measuring server accesses to Microsoft Exchange, deriving the license requirements in virtual environments for IBM Tivoli, understanding the fail over rule for Oracle Database Enterprise Edition and so on. They also know nothing about current changes to the license terms and conditions. You could argue that the license managers should refrain from tasks not directly SAM related and invest their time to keep their knowledge up to date, but that’s not how companies envision the work load of a license manager. Investing 80% of an employee’s work time to enable him for his job? I personally would love that, but from a company’s perspective, this is not efficient. And, from my experience, this situation is not improved by adding more license managers to the SAM team. On the contrary, the time share each license manager has for SAM seems to be reversely correlated to the number of license managers.
Closing the Gap is Hard
To prepare for the busy season and to reduce the risk from costly, overlooked gaps in licensing, a company could help their license managers by eliminating complexity and reducing the number of software products used. Companies call that process software portfolio management. After a software portfolio initiative, a company may be able to reduce the number of software products from 600 to 200. Still, the complexity is too high to know all the bits and pieces in the license terms for the remaining software portfolio. And in many cases, it takes less than three years for the software portfolio policies to soften and allow unwanted software back into the company.
It’s a sad, sad story, but don’t get the wrong picture. Legal, regulatory, contractual and corporate governance requirements for license compliance are here to stay. The number of license audits continues to increase year to year. You need to do something to manage this situation.
The Outsourcing Choice
One solution is outsourcing SAM. In 2014 Gartner predicted that by 2017, enterprises will be spending ten times more on Software Asset Management services provided by third parties then they do on their SAM tools today. Additionally, the ITIL V3 guide to Software Asset Management states that: “Outsourcing may be one of the fastest, most reliable and most cost-effective ways of achieving SAM objectives.”
In other words: Go for it! Outsource your SAM! Oh no, wait, full stop! I forgot to tell you: there is a catch. Read the aforementioned ITIL statement carefully. It says “may be one of,” not “is.” So, before you embark on the outsourcing adventure, you need to have the following things to find the treasure of license management cost savings, risk sharing and SAM expertise: a wand, an invisibility cloak, three magic beans … Stories told by some researchers or service providers on SAM outsourcing may sound like a fairy tale. There is truth in the story, but you cannot apply it 1:1 to your situation.
SAM is complex (see Figure 2) and outsourcing SAM needs to be done thoroughly and with preparation. It can range from a one-time SAM service (such as for SAM implementation or a baseline project), to outsourcing SAM tasks and processes (such as software product identification or contract management as a follow on service), to outsourcing SAM roles (such as asset manager), and lastly to the overall SAM organization as a “continuously managed service.”
Figure 2: SAM Tasks and Processes
To successfully outsource, you need to be clear on where you require external support and if that requirement is temporary or permanent. It is easy to find experts that train your team on how to do “this and that in license management,” but a onetime training may not be the best choice if the know-how is going to be put in action more than six months from delivery. An extreme action to avoid is signing up with a SAM tool provider for a multi-year SaaS-agreement before you have cleaned up your software portfolio.
To help you prepare, the following topics and questions are a good start on making the right choice when outsourcing.
What do you need and where do you need support? Do you need enablement or do you need expertise? If you are short on internal resources you may require a “body leasing” solution instead of training. Lest you think I am against training, a SAM tool may not provide more transparency or control if the people using the tool did not receive proper training.
Outsourcing SAM should not artificially extend your processes, create redundancy or cover a bottomless hole. It should help a company become more effective and efficient in SAM.
When do you need the external support, for how long or how often over the next two to three years? SAM has a rhythm which is usually linked to one or more of the following:
· The fiscal year of your company
· The fiscal year of the software publisher
· Your company’s budget processes, demand planning or reporting cycles
· Anniversary and renewal dates of license agreements as well as purchase deadlines
Signing up for a SAM service should never lead to higher “frequency” in your license management processes.
Who should be the service provider and is one provider enough? There are many service providers in the market, ranging from one-man-shows, small SAM boutiques, SAM tool providers to larger organizations like global software resellers, IT outsourcers, IT consultancies and, last but not least, audit firms like KPMG. Searching “SAM managed service” on the internet will give you an idea of the available service provider candidates and their service offerings. But, don’t be fooled by marketing! Instead, set your requirements and make an objective choice.
A SAM service provider should be:
· Experienced and successful. Ask for references and client base
· Impartial and independent. Inquire about networks and business relationships
· Reliable and Agile. Research profitability and service approach
· Competitive and Innovative. Uncover their unique selling proposition and technology
How should you outsource SAM? Without considering budget restraints, the process for SAM should be the same way you would outsource other business functions or sign up for other external services. Check with (IT) procurement for applicable policies, especially since signing up for a SAM service could imply annual costs of tens of thousands US Dollars. Before you sign up for a multi-year engagement, we recommend that you start small with a onetime project to find out whether you have chosen the trusted service provider you were looking for.
Figure 3: The Process for Selection
Suitable onetime projects could be: training of your license managers, conducting a SAM baseline project for selected software products, performing a risk analysis on a license agreement, assessing a license for a planned software migration or checking quality on a SAM tool implementation. The important criterion is to choose a project where a wide variety of skills are demonstrated in a short period of time.
What cannot be outsourced? After talking about opportunities, we need to emphasize the downside of SAM outsourcing. Even if you want to outsource your SAM organization, e.g. to an audit firm or to an IT service provider (to “get rid of all the troubles”), you will still be liable for any license incompliance. Yes, you can include an indemnification clause in the service agreement that the service provider has to pay a penalty in case of a service level violation. You can make the provider liable for damages resulting from negligence such as closing the license gaps identified in an audit. By the way, this is the main reason why most service providers will only take the SAM job with a limitation on their liability. You remain liable, at least to some extent, for license compliance without any limitation. In a worst case scenario, the service provider pays the contractual fine and you go to prison. It’s all contractual and you are the licensee, not the SAM service provider.
Someone may say “I can use licenses provided by a third party service provider.” For instance, Microsoft offers licenses through a so-called service provider license agreement (SPLA) where the service provider is the licensee. Nonetheless, and this holds true for the majority of software publishers offering licenses for hosting, the service provider has to establish End User license terms with you, making you as the user of the software – again – liable for noncompliance.
After all, there is no silver bullet for outsourcing SAM and there is a real risk of failure when trying to make it work. But, as Mark Twain put it: “To succeed in life, you need two things: ignorance and confidence.”