Software license management: Calculating product audit risk
When it comes to compliance risk, we suggest that organizations craft two very different strategies for their overall software estate. Depending on the software, companies should either manage the product or manage the risk.
Manage the product
For high-risk, high-value software products such as Microsoft SQL Server, IBM Websphere, and Oracle databases, companies should pay careful attention to what licenses are bought and allocated and how they are being used. Because these products represent a relatively large portion of software spend and compliance risk, the products should be watched and managed individually and reviewed continually to ensure license utilization is high and compliance risk is low.
Manage the risk
Lower cost or lesser risk software products generally don’t need the same level of attention. Because costs or compliance risks are relatively lower, these products represent a much smaller financial risk to your organization. Managing this group (which could include thousands of software titles) in the same way as high-value products is difficult and unnecessarily expensive. A more efficient approach is to set reasonable, firm policies to guide proper usage and compliance and then conduct occasional spot-checks to find and rectify situations in which those policies were skirted. Since this approach carries a bit more compliance risk, consider setting aside a small opportunity fund to deal with over-deploys or an adverse audit finding.
Evaluate the software estate
Figuring out which products are high-risk, high-value can be tricky. We often recommend using the Pareto principle (also known as the 80-20 rule) to distinguish between the two types of software estate. Find the 20 percent of products that represent 80 percent of the compliance risk and manage them individually and actively. All other products fall into the “manage-the-risk” category. While I firmly believe these numbers are excellent guides, this advice can be very hard to translate into action. In particular, it’s not clear how to measure risk so that companies can find the all-important 20 percent of products.
So to help organizations find the high-risk, high-value products that need active management, we came up with the following calculation:
Product Usage = The total usage or number of instances that need a license
Product Cost = A reasonable average of what you paid for the product
Audit Penalty = The potential penalty you could pay for each non-compliant instance in use (can be estimated at three times product cost)
Business Value Factor (BVF) = An adjusting factor used for exceptional products. For most products, the BVF should be 1.0 and will have no effect on the PAR. Products that have a disproportionately greater value to the organization than their product cost should have a BVF of greater than 1.0. The BVF can range from 1.0 to 5.0 or more and is used to give those products a PAR greater than they would have otherwise. This makes them more likely to be considered high value.
Vendor Audit Likelihood = An estimate of the relative chance a vendor will choose to audit your software estate. This factor brings together industry audit rates with some customer-specific influences, such as your software asset management (SAM) maturity level, for a factor that can run from near zero (almost no chance of an audit) to 2.0 (very high chance of audit). SHI can determine this factor for customers.
By calculating the PAR value for each product and then ranking those products by the PAR value, it’s easy to see what products contribute to the bulk of your company’s audit risk. You will probably find that the distribution is not exactly 80-20, but I bet it will be close (probably leaning toward 90-10).
In any case, you’ll have separated your high-risk products from the rest of the software estate.
Stay tuned for future posts that will discuss how to determine the key values, such as Vendor Audit Likelihood, and Business Value Factor. We’ll also cover in depth the different compliance risk management strategies that should be applied to the high-risk group of products, as well as the recommended strategy for assessing the rest of your software portfolio.