In my first post in the calculating product audit risk (PAR) series, I discussed how organizations should have two different strategies for managing their overall software estate. For the set of products where the value to the business or the risk of non-compliance is high, we suggest a “manage the product” approach. For the rest of the software portfolio, we suggest a “manage the risk” approach. To help differentiate between these two segments of the overall estate, we introduced the PAR value.
As a reminder, here is the PAR formula:
In general, the PAR value is meant to quantify the relative financial risk a product represents within the overall software portfolio. But before you can complete the math, you need to know where to find the factors that go into the equation. Here’s how: Continue Reading…
When it comes to compliance risk, we suggest that organizations craft two very different strategies for their overall software estate. Depending on the software, companies should either manage the product or manage the risk.
Manage the product
For high-risk, high-value software products such as Microsoft SQL Server, IBM Websphere, and Oracle databases, companies should pay careful attention to what licenses are bought and allocated and how they are being used. Because these products represent a relatively large portion of software spend and compliance risk, the products should be watched and managed individually and reviewed continually to ensure license utilization is high and compliance risk is low.
Manage the risk
Lower cost or lesser risk software products generally don’t need the same level of attention. Because costs or compliance risks are relatively lower, these products represent a much smaller financial risk to your organization. Managing this group (which could include thousands of software titles) in the same way as high-value products is difficult and unnecessarily expensive. A more efficient approach is to set reasonable, firm policies to guide proper usage and compliance and then conduct occasional spot-checks to find and rectify situations in which those policies were skirted. Since this approach carries a bit more compliance risk, consider setting aside a small opportunity fund to deal with over-deploys or an adverse audit finding. Continue Reading…