Software Compliance and Software Portfolio Optimization
Addressing disparate software risks in the context of Technology Business Operations
Chris Herman
What You Will Take Away from This Presentation
• Software license compliance and software portfolio management are key vendor management activities that represent different IT risks and require different approaches and different mindsets
• A current view of software compliance in the industry
• Forces and factors that increase your compliance risk and exposure today
• 6 processes necessary for a practical compliance program. The straightforward checklist to help you defend your firm in an audit
• The meaning of software portfolio optimization
• A practical approach to implementing and maintaining software portfolio management
• The IT organizational model that unites these two different activities: TBO
• TBO and the Vendor Management Maturity Model
Position of Software in the IT Vendor Spend Portfolio
Figures familiar to most IT Finance and Procurement folks…
– 3rd-party spend as a % of IT budget: 65%*
• Software – 19% of total
• Hardware – 19%
• Telecom – 13%
• Other – 14%
– Considering the state of Compliance at many companies, this figure should probably be higher
– Considering the state of Optimization at many companies, this figure could be lower
Balancing Disparate Risks: Compliance Versus Optimization
TWO TYPES OF RISKS
With respect to the use of software, companies are caught straddling two types of related risks:
1. Compliance Risk (risk of under-licensing); and
2. Optimization Risk (risk of over-licensing…or, put another way, the risk of not maximizing the productive use of software assets, supplier relationships and functional coverage)
Two Types of Risks - Two Different Mindsets*
Compliance Risk – Positive: factual. Asks “What is?”
Optimization Risk – Normative: relates to values. Asks “What’s best?”
Two Types of Risks: Why They’re Almost Always Treated Separately in Industry Literature
Compliance asks “What is?” – simple questions about matching:
• Am I entitled to as many licenses as I’ve deployed?
• Do I have the means to measure deployments and entitlements?
Optimization asks “What’s best?” – a complex set of questions about right fit:
• What function sets (note: not products) does my organization need to thrive?
• Do I already have one or many products that perform the needed function sets?
• Do I have new needs that can’t be met with the current portfolio?
• Do I have products or components of suites that I no longer need?
• Are my supplier relationships consolidated for the greatest leverage?
• Do I need to form new relationships?
The First Half of the Problem:
While both Compliance and Optimization can be considered part of Software Asset Management…
…only Compliance is essential
…(i.e., no one says you have to be efficient, but the law says you have to be accurate)
Simple logical points:
• It’s the Law
• If you don’t know what you have, you can’t take any actions
• It’s a prudent necessity to prepare your company for an audit
…Why you can’t wait: four complacency-challenging events that occur to every company…
Software Compliance:
Knowing What You Have is No Longer a ‘Rainy Day’ Activity:
Four Complacency-Challenging Emergencies that Every Organization will Face
• Merger and Acquisition Activity
– Sale Agreements that require delivery of valid free-standing licenses to the Buyer
– Purchase situations that may require consolidation of multiple Agreements
• Outsourcing/Insourcing
– Pursuit of vendor consents that surfaces compliance issues
– Repatriation of licenses that had been in the ‘custody’ of the service provider
• Cost Reduction Initiatives
– Put you in the middle between cost pressures from the organization (to, e.g., take software off support) and pressure from suppliers to maintain the whole portfolio
• Software Compliance Audits
– Disruptive events that create fire drills and involve unplanned expense
– Negative findings can alert industry groups and other publishers
Preparing for these events requires a formal discipline of administrative oversight and control for IT and software asset management; ad hoc responses are extremely painful
Look at it Another Way:
Both Internal and External Forces
Increase Software License Compliance Risk Today
• Internal Forces
– M&A activity
– Outsourcing
– Cost Reduction Initiatives
– Corporate adoption of complexity-bringing technology changes
• Virtualization
• Cloud Computing
• External Forces
– Publisher-driven Software Audits
• Note also the rise in the use of 3rd party auditors to perform the audits
– BSA and industry groups
– Whistle blowers
– Down economy (or loss of competitive position) results in publishers looking to compliance enforcement as a revenue source
Internal Forces: Adoption of New Technology
How Adoption of Virtualization Creates Compliance Risk
Before Server Virtualization
• Machines to software typically a 1:1 ratio; intuitively, 200 servers = 200 licenses of X*
• Additional software usage usually associated with clear affirmative steps and incremental effort (e.g., purchasing, installation, change management, etc.); client able to insert controls into purchasing processes
• Type of challenge was tracking machine types / characteristics to software usage
After Server Virtualization (mostly Wintel platform)
• No longer a 1:1 machine-to-software ratio; a machine may have 1 instance or 5 instances requiring software licenses
• Additional instances requiring software can be spun up almost instantaneously
• No logical external control points for new software; new tracking / processes required
* Innovations in licensing models have always trailed innovation in processor technology. Before virtualization, licensing complexity arose from the sophistication of server CPU technology: number of CPUs, multicore processors, etc.
Internal Forces: Adoption of New Technology
How Adoption of Virtualization Creates Compliance Risk
Dynamic and evolving usage rights (see excerpted TOC from MS licensing publication on virtualization)
“It’s complicated” - it’s not uncommon for large companies to retain dedicated staff who specialize in license usage rights
Internal Forces: Adoption of New Technology
Virtualization: Big Players are Pursuing the Space
Microsoft and Citrix join VMware in Gartner’s Market Leaders Quadrant for Virtualization Technology. This graphic is important to guide your prioritization of efforts.
The normal sourcing approach is to prioritize actions by spend; an informed view of compliance prioritization is also guided by considerations of risk/exposure.
External Forces: Software Publisher Audits
Software Publisher Audit Activity – Gartner 2011 Survey
Survey data: percentage of Gartner members reporting being audited by named publishers within the last 12 months
• IBM – 44%
• Adobe – 38% …and you thought Adobe was free?
• Microsoft – 32%
• Oracle – 19%
• SAP – 16%
• McAfee – 15%
• HP – 14%
• Attachmate – 13%
• Autodesk – 12%
• VMware – 11%
• BMC, CA, EMC, Novell, Informatica – 5–10% each
From Gartner website: visit www.gartner.com for additional information.
Individual publisher audits represent the vast majority of formal audits.
External Forces: Industry Publisher Alliances
Business Software Alliance Facts
BSA Member Companies
From BSA website: visit www.bsa.org for additional information.
The magnitude of the problem, from the 2011 BSA/IDC Global Piracy Study:
2011 | USA | World
Piracy rate | 19% | 42%
Value ($) | $9.7 Billion | $63.4 Billion
External Forces: Software & Information Industry Association
SIIA Facts: Whistle Blowing
• Those reporting piracy can receive rewards of up to $1M
• Covers use of illegal software OR content (newspapers, articles)
• Reports typically come from employees, vendors, or SIIA members
SIIA Audit Process:
• Contacted by / questions the “source” (if reliable)
• Notifies publisher, gets authority to pursue
• Forwards to outside counsel
• Counsel requests a cooperative “audit” from the company president
• If unlicensed copies are found, SIIA requires the company to:
– Uninstall illegal copies
– Purchase required licenses
– Pay significant fines and penalties
– Implement company-wide compliance policies
• If the company refuses to cooperate, SIIA can/will sue for copyright infringement on behalf of the software publisher
SIIA Participating Companies
Breaking Down Compliance Practicalities:
The Six Processes Needed to Support a Compliance Program
• 1. Track Entitlements:
– Acquisition artifacts (locatable vendor contracts; searchable PO, payment and receipt records)
– Approval / allocation artifacts (supporting financial allocations to specific users / BUs / apps / projects)
– Entitlements definitions, organization and tracking (within contracts: administrative tracking and maintenance of rights by product / platform / version)
• 2. Track Deployment:
– Deployment records (physical/logical)
– In advanced shops, the CMDB being timely and appropriately updated and supported by robust change management, release management and configuration management processes…
– Establish active decommissioning processes (how counts are actively decremented as platforms and apps and specific servers are sunset or taken out of the environment…and, via linkage to HR systems, when individuals leave the organization)
– Link deployments to Strategic Portfolio Review (See Optimization) and to the activities of the ‘tsar’ of sun-setting
• 3. Control Physical Media Assets:
– Establish process for Media Storage and Access (management and control of “Gold disks” and other physical media assets)
Breaking Down Compliance Practicalities:
The Six Processes Needed to Support a Compliance Program
• 4. Measure Usage:
– Measurement/Scanning (identifying what’s on the machines; using different tools for different platforms, such as SMS for Wintel; Tivoli for Unix; IBM Tivoli License Compliance Manager for z/OS [was Isogon’s SoftAudit] for mainframe)
– Tracking other usage records for validation (e.g., utilities that report detail on capped partitions, usage high watermarks, and other usage profile info that might not be captured in a static periodic scan)
– Understanding and administering License Use restrictions, Entity; Organization; Location; User, etc.
• 5. Administer a Reconciliation Process:
– Comparison (ideally automated) of acquisition/entitlements/approval artifacts with deployment installation/usage info
– Design and implement mitigation activities (Buying to remedy shortfalls, or reducing usage to force deployments to match entitlements)
– Periodic True-ups/downs with suppliers
• 6. Create Policies /Communications:
– Compliance Policy Development and Maintenance
– Communication Program
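As an added worked example (it is not part of the presentation and not any vendor's tool), the following Python script performs the comparison at the heart of process 5, Administer a Reconciliation Process, and shows the counting problem raised earlier under virtualization: the same installs count differently under a per-instance licence metric than under a per-host metric. Every product name, host name, PO reference and the two metric names are constructed assumptions. The script matches entitlement records (process 1) against deployment records (process 2), applies the decommissioning decrement described under process 2, and classifies each product as matched, shortfall, surplus or unlicensed.

```python
"""Entitlement-vs-deployment reconciliation: added illustration, not from the deck.

All sample data below is constructed; product names, host names, PO numbers and
the "instance" / "host" licence metrics are hypothetical assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Entitlement:
    """One right to use, as recorded from a PO or contract (the acquisition artifact)."""
    product: str
    metric: str      # "instance": one licence per OS/VM instance; "host": one per physical machine
    quantity: int
    source: str      # PO / contract reference, so a finding can be traced back to paper


@dataclass(frozen=True)
class Deployment:
    """One installed copy, as a scan or CMDB record would report it."""
    product: str
    host: str        # physical machine
    instance: str    # VM or OS instance on that host
    active: bool = True   # set to False by decommissioning; that is what decrements the count


# Constructed sample data; every product, host and PO number here is hypothetical.
ENTITLEMENTS = [
    Entitlement("DBServer", "instance", 4, "PO-1001"),
    Entitlement("MonitorAgent", "host", 3, "PO-1002"),
    Entitlement("ReportTool", "instance", 5, "PO-1003"),
]
DEPLOYMENTS = [
    Deployment("DBServer", "h1", "vm1"), Deployment("DBServer", "h1", "vm2"),
    Deployment("DBServer", "h1", "vm3"), Deployment("DBServer", "h2", "vm1"),
    Deployment("DBServer", "h2", "vm2"),
    Deployment("MonitorAgent", "h1", "vm1"), Deployment("MonitorAgent", "h1", "vm2"),
    Deployment("MonitorAgent", "h2", "vm1"),
    Deployment("ReportTool", "h3", "vm1"), Deployment("ReportTool", "h3", "vm2"),
    Deployment("LegacyTool", "h3", "vm1"),          # nothing on file for this one
]


def decommission_host(deployments: Iterable[Deployment], host: str) -> List[Deployment]:
    """Sunset a server: every instance on that host stops counting against entitlements."""
    return [replace(d, active=False) if d.host == host else d for d in deployments]


def reconcile(entitlements: Iterable[Entitlement],
              deployments: Iterable[Deployment]) -> Dict[str, dict]:
    """Compare entitled quantity with deployed quantity per product.

    The licence metric decides what is counted: under virtualization one host may
    carry several guests, so an instance-metric product is charged per active
    guest while a host-metric product is charged once per host that still runs it.
    A product that is deployed but has no entitlement on file is reported as
    'unlicensed' rather than being silently folded into a shortfall figure.
    """
    entitled: Dict[str, int] = defaultdict(int)
    metric_of: Dict[str, str] = {}
    for e in entitlements:
        entitled[e.product] += e.quantity
        metric_of.setdefault(e.product, e.metric)

    units: Dict[str, set] = defaultdict(set)
    for d in deployments:
        if not d.active:
            continue
        if metric_of.get(d.product, "instance") == "host":
            units[d.product].add(d.host)
        else:
            units[d.product].add((d.host, d.instance))

    report = {}
    for product in sorted(set(entitled) | set(units)):
        have, used = entitled.get(product, 0), len(units.get(product, ()))
        if product not in metric_of:
            status = "unlicensed"
        elif used > have:
            status = "shortfall"
        elif used < have:
            status = "surplus"
        else:
            status = "matched"
        report[product] = {"metric": metric_of.get(product, "instance"),
                           "entitled": have, "deployed": used,
                           "delta": have - used, "status": status}
    return report


if __name__ == "__main__":
    runs = (("before", DEPLOYMENTS),
            ("after h1 sunset", decommission_host(DEPLOYMENTS, "h1")))
    for label, deps in runs:
        print(label)
        for product, row in reconcile(ENTITLEMENTS, deps).items():
            print(f"  {product:13s} {row['metric']:8s} entitled={row['entitled']} "
                  f"deployed={row['deployed']} {row['status']}")
```

Two points the table alone does not make: the three MonitorAgent installs count as three under an instance metric but as two under the host metric its entitlement carries, so the metric has to live in the entitlement record, not in the scan; and the LegacyTool install surfaces as "unlicensed" rather than as a shortfall of one, which is the finding an auditor would raise first.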
Compliance Practicalities: Do I have to Boil the Ocean?
• Implementing the 6 processes for every piece of software in your
environment may seem impossible
• Common attitude: “If I can’t resolve to be perfect, then I’m just
going to wait until I get my first audit letter.”
• Message of Hope: For every category of process there is a maturity
model that begins with simple awareness of the issue
Compliance Practicalities: Do I have to Boil the Ocean?
• Let prioritization be your guide
• Choosing the top vendors by spend and risk will help you do the
following:
– Address the majority of your portfolio (the familiar 80/20 rule)
– Design, pilot and establish processes that can be rolled out for the entire portfolio
• It’s OK to start small, but you must start
• The compliance processes and policies that you promulgate through your organization and attempt to implement begin to form your defense against punitive audit findings (see optional program checklist for those who leave a card with your email address)
The BSA* has excellent training resources for any firm wishing to formalize their compliance program
Visit http://www.bsa.org/country/Tools%20and%20Resources.aspx for additional information.
The Other Half of the Problem: What is Software Portfolio Optimization?
It addresses a complex set of questions about the right fit:
“What’s the least we can buy in the most efficient way (lowest unit cost and fewest suppliers) to meet the company’s requirements and to be in compliance with our licenses?”
It may appear superficially to describe a Sourcing function, but it’s much deeper and more proactive…
Portfolio optimization seeks the following:
1. Optimal Functional Consolidation
2. Optimal Product Consolidation
3. Optimal Supplier Consolidation
What is Software Portfolio Optimization?
By another analogy, it addresses how to best manage the ecology of software usage…raising the concepts of:
• Need
• Use/Consumption
• Desired Benefit
• Surplus
Breaking Down Optimization Practicalities
Part I: Discovery
Do a ‘forensic’ review of your artifacts in the following priority order:
• Financial and budget documents
– Current costs (info can be collected in expanding circles as practical: actual license and maintenance cost, cost of associated technology environments [if any])
• Systems Architecture
– Relationship of software products to key client applications
• Systems Architecture Standards
– Establish the strategic standing of individual products with the Architecture group
• Software Asset Management records (the link with compliance)
– Software entitlement information
• Perform a stakeholder survey on products: to get maximum buy-in (and to avoid pitting experts against users) create and administer a survey process that quickly captures information about products relative to multiple aspects of need and adoption:
– Valid business requirements for function
– Current directional nature of the product within the organization (being adopted? being sunset?)
– Need for level of support (Platinum, Gold, Silver?...Are you able to drop support completely?)
• Perform a stakeholder survey on processes: to understand your organization’s current and planned ability to support and sustain optimization:
– Financial Controls
– IT Sourcing
– Systems Architecture / Technology Standards Board
– Software Asset Management / Software Compliance program (tools)
– Contracts Management (tools)
Breaking Down Optimization Practicalities
Part II: The Roadmap
• Review, document and organize the findings and develop recommendations and
an action plan that includes:
– Organized survey results
– Findings on current or planned tools and processes that will support or inhibit implementation of optimization initiative:
– Prescriptive action plans that prioritize and calendar specific optimization/rationalization activities
– Identification of implementation risks and assumptions
– A reusable process to roll out to additional high impact product categories (if piloted on a single category and through the documentation of lessons learned)
– Identification of subsequent phase activities such as:
• Improvement of supporting tools and processes
• Implementing a software lifecycle management approach that will stay aligned with
Bringing the Two Halves Together:
New IT Organizational Model – Technology Business Operations (TBO)
Technology Business Operations (TBO): An Organizational Model for IT; The “Other” of IT Functions
CIO
– AMO (Applications)
– ITO (Infrastructure)
– TBO, comprising four functions:
• Asset Management: Asset Tracking and Reporting; Asset Audits / Reconciliation; CMDB; Recycling and Disposition
• Financial Management: Budget Forecasting; Business Cases; Chargeback / Transfer Pricing; Cost Management; Invoice Analysis
• Vendor Management: Compliance; Contract Management; Outsourcing Governance; Sourcing
• Customer Management: Communications; Customer Relationship Management; Demand Management; Project Portfolio Management (PMO); Work Intake
The TBO functions optimally enable the delivery of core IT services through efficiency and business alignment
Technology Business Operations (TBO): Related Functions Supporting both Compliance and Optimization Under a Single Stable Model
(The same organizational chart is shown again, highlighting the functions that support both Compliance and Optimization.)
TBO: Definition of the Required Function
WHAT: A cross-functional IT business office that optimally enables the efficient delivery of the core IT function (both applications and infrastructure)
WHO: An organization staffed with subject matter experts in IT Finance, Sourcing, and Technology Management
WHY: To manage the increasing complexity and vendor management focus of the Corporate IT Function
RESULTS IN: Processes that sustain the alignment with internal customer business goals by matching spend to value. The only durable way to solve the problem of ownership and change agency
Moving up the Vendor Management Maturity Model
Level 1 – Basic (Characteristic: Reacting) – Lacking or Limited:
• IT buying is done without processes; multiple resellers used without coordination
• Separate vendor relationships inconsistently managed by SMEs
• No consistent storage of agreements
• No knowledge of vendor spend
• Minimal outsourcing governance
Level 2 – Standard (Characteristic: Controlling) – Uncoordinated Improvements:
• IT buying is organized under a larger sourcing function; some consistent processes exist; there is some consolidation of resellers for efficiency
• Some management of major IT vendors, primarily based around executing annual commitments (e.g., true-ups and renewals)
• Some physical and some online storage of major agreements
• Info on IT vendor spend and multiple vendor relationships comes from the budgeting process and sourcing organization
• Periodic outsourcing governance meetings, mostly related to operational issues
Level 3 – Advanced (Characteristic: Optimizing) – Cross-Functional Focus:
• IT buying is organized under a larger sourcing function with consistent processes across all regions and affiliates; strategic reseller relationships established
• Top 10 major IT vendors are managed with QBRs and other formal periodic assessments
• Online and physical storage of all major agreements via a single tool
• Integrated info on IT vendor spend is available and is used to leverage relationships
• Appropriate outsourcing governance meetings occur regularly to manage ops, consumption, and business issues; a formal program exists to educate stakeholders in the key agreement terms
Level 4 – Dynamic (Characteristic: Innovating) – Dynamic Integration:
• IT buying is organized under a larger sourcing function with consistent processes across all regions and affiliates; strategic reseller relationships consolidated and optimized
• All major and mid-size IT vendors are managed with QBRs and other formal periodic assessments
• Online and physical storage of all major agreements via a single tool with links into the CMDB
• Integrated info on IT vendor spend and on forecasted demand is available and actively used to optimize relationships
• Appropriate outsourcing governance meetings occur…etc.
• VM function fully integrated with Asset Management, Fin Mgmt. and Customer Mgmt.
TBO Supports the Stability and Evolution of Vendor Management
• As long as compliance and optimization processes are viewed as independent initiatives without a stable organizational ‘home’, they always risk loss of ownership
• The only way to assure their evolution and protect them from organizational distractions is to make them a formal part of the IT Organization through the TBO model
Conclusion
• Software license compliance and software portfolio optimization are often treated separately in the industry because…
– addressing their distinctive issues seems to require two different ways of thinking: pure administrative tracking versus seeking to understand and serve requirements at the lowest cost
• Compliance is the fundamental activity and the current environment is one of increasing risk and exposure
• There are 6 basic processes necessary to implement a practical compliance program
– Prioritization based on spend and risk/exposure offers you a starting point
• Software portfolio optimization means addressing requirements at the least cost
– The approach outlined here begins with financial and process discovery; proceeds with a structured survey of requirements and results in the development of a roadmap for license portfolio optimization
• The most effective way to address both Compliance and Optimization requires implementation of an IT organizational model called Technology Business Operations or “TBO”
– Adopting the TBO model resolves the problem of functional ownership and the missing change agent
– The highest level in the Vendor Management maturity model can only be reached and sustained with the implementation of the TBO model