The 5 values that determine your product audit risk
In my first post in the calculating product audit risk (PAR) series, I discussed how organizations should have two different strategies for managing their overall software estate. For the set of products where the value to the business or the risk of non-compliance is high, we suggest a “manage the product” approach. For the rest of the software portfolio, we suggest a “manage the risk” approach. To help differentiate between these two segments of the overall estate, we introduced the PAR value.
As a reminder, here is the PAR formula:
In general, the PAR value is meant to quantify the relative financial risk a product represents within the overall software portfolio. But before you can complete the math, you need to know where to find the factors that go into the equation. Here’s how:
Two key factors for the PAR value — product usage and product cost — can be gathered from fact-based systems. For example, software discovery and usage-metering tools, such as System Center Configuration Manager (SCCM) or SHI’s Polaris Windows Discovery Agent (WDA), can determine product usage: the number of instances of a product in use within your environment. Similarly, purchase records, quotations, and pricelists can indicate product cost. Neither factor needs to be an exact measurement; reasonable approximations are sufficient and will spare you the time of fine-tuning those numbers.
Audit penalty can be a little trickier because some publishers impose penalties when they conduct an audit and some do not. It comes down to how they perceive intent. You’re more likely to see penalties if the publisher believes a compliance violation was intentional than if the violation was an honest oversight. Our typical advice is to leave the audit penalty factor neutral at 1.0. However, if you have a strained relationship with the publisher, you might consider raising this factor to between 1.0 and 1.5.
The business value factor (BVF) is a measure of how important a particular product is to your business and is therefore very specific to your business needs. Your average software product, such as TechSmith’s Snagit, should receive a neutral BVF (1.0): it is worth paying attention to, but not mission critical. The BVF should probably range from 0.5 (not critical) to 5.0 (absolutely mission critical). Most software products should cluster around 1.0.
And finally, there is the vendor audit likelihood (VAL) factor. In a completely transparent audit world, this factor would be a factual ranking of publishers that conduct audits in their respective markets. But most audits and audit results are private affairs, so the information that feeds into this factor tends to be anecdotal and experiential. SHI has experience in this space and can help calculate this factor. It can also be derived from sources like BSA | The Software Alliance, the Software & Information Industry Association (SIIA), Gartner, IDC, and other software industry observers. In general, if the publisher has an audit program but isn’t considered aggressive, the VAL factor would be neutral (1.0). If the publisher has no track record of conducting audits, the VAL would be near zero. On the other hand, if the publisher has a reputation for being an aggressive auditor, consider a VAL factor between 1.5 and 3.0.
Once you’ve determined all these factors, plug them into a spreadsheet and let Excel do the calculations.