Software license management: Calculating product audit risk


When it comes to compliance risk, we suggest that organizations craft two very different strategies for their overall software estate. Depending on the software, companies should either manage the product or manage the risk.

Manage the product

For high-risk, high-value software products such as Microsoft SQL Server, IBM Websphere, and Oracle databases, companies should pay careful attention to what licenses are bought and allocated and how they are being used. Because these products represent a relatively large portion of software spend and compliance risk, the products should be watched and managed individually and reviewed continually to ensure license utilization is high and compliance risk is low.

Manage the risk

Lower cost or lesser risk software products generally don’t need the same level of attention. Because costs or compliance risks are relatively lower, these products represent a much smaller financial risk to your organization. Managing this group (which could include thousands of software titles) in the same way as high-value products is difficult and unnecessarily expensive. A more efficient approach is to set reasonable, firm policies to guide proper usage and compliance and then conduct occasional spot-checks to find and rectify situations in which those policies were skirted. Since this approach carries a bit more compliance risk, consider setting aside a small opportunity fund to deal with over-deploys or an adverse audit finding.

Evaluate the software estate

Figuring out which products are high-risk, high-value can be tricky. We often recommend using the Pareto principle (also known as the 80-20 rule) to distinguish between the two types of software estate. Find the 20 percent of products that represent 80 percent of the compliance risk and manage them individually and actively. All other products fall into the “manage-the-risk” category. While I firmly believe these numbers are excellent guides, this advice can be very hard to translate into action. In particular, it’s not clear how to measure risk so that companies can find the all-important 20 percent of products.

So to help organizations find the high-risk, high-value products that need active management, we came up with the following calculation:




Product Usage = The total usage or number of instances that need a license

Product Cost = A reasonable average of what you paid for the product

Audit Penalty = The potential penalty you could pay for each non-compliant instance in use (can be estimated at three times product cost)

Business Value Factor (BVF) = An adjusting factor used for exceptional products. For most products, the BVF should be 1.0 and will have no effect on the PAR. Products that have a disproportionately greater value to the organization than their product cost should have a BVF of greater than 1.0. The BVF can range from 1.0 to 5.0 or more and is used to give those products a PAR greater than they would have otherwise. This makes them more likely to be considered high value.

Vendor Audit Likelihood = An estimate of the relative chance a vendor will choose to audit your software estate. This factor brings together industry audit rates with some customer-specific influences, such as your software asset management (SAM) maturity level, for a factor that can run from near zero (almost no chance of an audit) to 2.0 (very high chance of audit). SHI can determine this factor for customers.


By calculating the PAR value for each product and then ranking those products by the PAR value, it’s easy to see what products contribute to the bulk of your company’s audit risk. You will probably find that the distribution is not exactly 80-20, but I bet it will be close (probably leaning toward 90-10).

In any case, you’ll have separated your high-risk products from the rest of the software estate.
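As an added example (not code from the original post), the following Python ranks products by their PAR values and picks the smallest top-ranked group that carries a chosen share of total audit risk, which is the Pareto split described above. The post's own formula for PAR is not reproduced here: the functions take already-computed PAR values as input, and the product names and scores are constructed sample data.

```python
"""Rank products by a per-product audit-risk (PAR) score and find the subset
that carries the bulk of the total risk (the post's 80-20 / 90-10 split).

Added example, not code from the original post. The post's PAR formula is
not reproduced; this module takes already-computed PAR values as input.
"""
from typing import Dict, List, Tuple

# Constructed sample data: product -> PAR score. Names and values are
# illustrative only and do not come from the post.
SAMPLE_PAR: Dict[str, float] = {
    "db-server-A": 1_000_000.0,
    "middleware-B": 700_000.0,
    "db-server-C": 200_000.0,
    "office-suite": 100_000.0,
    "pdf-tool": 50_000.0,
    "compression-util": 25_000.0,
    "diagram-tool": 12_000.0,
    "image-editor": 8_000.0,
    "text-editor": 3_000.0,
    "screenshot-util": 2_000.0,
}


def rank_by_par(par: Dict[str, float]) -> List[Tuple[str, float]]:
    """Return (product, PAR) pairs sorted from highest to lowest risk."""
    return sorted(par.items(), key=lambda kv: kv[1], reverse=True)


def manage_the_product_set(par: Dict[str, float], share: float = 0.8) -> List[str]:
    """Smallest top-ranked set whose PAR sum reaches `share` of the total.

    These are the products to watch individually ("manage the product");
    everything else falls into the "manage the risk" group.
    """
    if not 0 < share <= 1:
        raise ValueError("share must be in (0, 1]")
    total = sum(par.values())
    if total <= 0:
        return []
    chosen: List[str] = []
    running = 0.0
    for product, score in rank_by_par(par):
        chosen.append(product)
        running += score
        if running / total >= share:
            break
    return chosen


def split_estate(par: Dict[str, float], share: float = 0.8):
    """Return (high_risk, rest, fraction_of_products, fraction_of_risk).

    fraction_of_products tells you how far the estate is from an exact
    80-20 split (the post expects something closer to 90-10).
    """
    high = manage_the_product_set(par, share)
    high_set = set(high)
    rest = [p for p, _ in rank_by_par(par) if p not in high_set]
    total = sum(par.values())
    product_frac = len(high) / len(par) if par else 0.0
    risk_frac = sum(par[p] for p in high) / total if total else 0.0
    return high, rest, product_frac, risk_frac


if __name__ == "__main__":
    high, rest, pf, rf = split_estate(SAMPLE_PAR)
    print(f"manage the product ({pf:.0%} of titles, {rf:.1%} of risk): {high}")
    print(f"manage the risk: {rest}")
```

Run the split at both 0.8 and 0.9 to see how many extra titles the stricter cut pulls into the actively managed group; with the sample data the 0.8 cut stops at two products and the 0.9 cut at three.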

Stay tuned for future posts that will discuss how to determine the key values, such as Vendor Audit Likelihood, and Business Value Factor. We’ll also cover in depth the different compliance risk management strategies that should be applied to the high-risk group of products, as well as the recommended strategy for assessing the rest of your software portfolio.


Showing 9 comments
  • @piarasmacdonnel

    This is an excellent exercise for SAM teams to go through and to share with senior management on a quarterly basis. It then encourages strategic decisions rather than tactical (reactive) ones.

    I would include in the calculation a platform risk factor. If a product has a core-based license, deployment to a VM is significantly more risky than to a physical server.

  • Dan Lutter

    When will you guys offer LANDesk as a part of your SAM?

  • Erik Iversen

    We incorporate LANDesk into our SHI/Polaris SAM Services today. We have a number of customers using LANDesk for the configuration and basic discovery functions. The SHI/Polaris SAM Services team adds license and compliance knowledge “on top” to provide actionable analysis and findings. In fact, we design our services around the idea that customers have pre-existing configuration management and discovery systems and we leverage that data as much as we can. LANDesk is just one of the many systems we can incorporate for discovery and foundation services.

  • Kevin

    We are also a heavy LANDesk user in our organization and just used LANDesk to help with our Adobe audit. Are you able to provide those similar services just around LANDesk without the Polaris software?

  • Erik Iversen

    The SHI/Polaris team provides our expertise as a Service – no SHI/Polaris “software” required.
    We know that many customers have built solid capabilities for ITAM data collection through tools like LANDesk. We want to help them get full value from that investment.
    We’ve also observed that many customers struggle to keep up with the complexity and changes in software licensing. This is the area where we focus our attention. We deliver value through expert license/contract advice, helping to match hardware/software inventory to license metrics, and doing the final step of compliance analysis.
    But in general there is no requirement to take on any additional software.

  • Mike Muellon

    Do you have certified LANDesk engineers? If so, how do you charge for your service?

    Thank you,

  • Erik Iversen

    Hi Mike,
    Thanks for your inquiry. Depending on your particular needs, my team might be able to help. If not, the extended SHI organization can provide technical experts in many tools/functions.
    I’d be happy to discuss privately, understand the need more clearly, and refer you to the right people (if necessary).
    Keep an eye out for an email from

  • Jeff
    Do you have an ETA for when you will post the following:

    “Stay tuned for future posts that will discuss how to determine the key values, such as Vendor Audit Likelihood, and Business Value Factor.”