Many organisations embark on a journey to implement SAM or enhance their current practices without a clear view of what is required or the objectives they want it to achieve. This means they are missing the mark on reducing compliance and financial risk exposure, incurring unnecessary or unplanned costs, increasing vulnerability to cyber-attack, and more. To overcome this, a strong SAM operating model is essential.
Software Asset Management (SAM) helps organisations to maintain a ‘source of truth’ for its software assets and licences across end-user-computing, infrastructure and cloud environments. This data source should help the SAM function to better manage compliance risk, unnecessary costs, and to mitigate against cyber-attack. It should ideally support strategic decision making and aligning the organisation’s software needs against its current and future needs.
As organisations seek to achieve a mature SAM framework, they often implement asset data management software such as Flexera, Snow, ServiceNow, Aspera etc., in the hope this will be a quick fix and reduce all risks related to software management. However, while a SAM software tool is essential, organisations can fall into the trap of not having a robust and flexible operating model to support it.
This means a company may be unclear on the right processes, technology and people to ensure an effective SAM framework. For example, who is responsible for steps such as data upkeep, identifying compliance issues, reporting issues, working to prevent risks, and keeping costs in check?
Without a clear operating model for SAM, the business could remain exposed to risks and costs, and could be missing out on the range of other benefits that SAM will provide.
To get the most out of SAM, an effective operating model must address everything from where SAM sits in an organisation, through to an agreed risk exposure appetite and how that is monitored.
Essential components include:
Organisational structure – SAM should be part of the Information Technology Asset Management (ITAM) function, which should be separate from Information Technology Services Management (ITSM), to ensure the responsibilities are clear. We explored this in detail in ITAM vs ITSM – why they should be separate.
Reporting line – The SAM team may be held accountable for significant risk factors, but it doesn’t always have the authority it needs to influence necessary change. Therefore SAM should report to a level that is able to influence cross-organisational behaviour – such as the Chief Information Officer (CIO). Our infographic SAM manager of the future shows how this could look in future.
Governance – Clear objectives for SAM must be set, and then governance must be in place to ensure they are met. Governance involves aligning each objective with key performance indicators (KPIs) that are measurable. KPIs for SAM could be the degree of risk appetite that the organisation has, and how much the exposure must be reduced to meet that level.
Roles and responsibilities – Accountability for every aspect of SAM must be defined. This can, interestingly, be the most emotionally negotiated part of the operating model. Therefore, it can be useful to have an objective, external party to assist with this framework. It is also important to ensure that the people with SAM responsibilities are provided with appropriate training. For example, when licensing rules change, is it clear who is responsible for maintaining this information? Do they know what to do to ensure the integrity of the SAM data? Often, when organisations outsource SAM functions or implementation of software and related tools, they will perceive it is the outsource provider’s responsibility to ensure compliance with vendor terms and conditions. While the outsource provider will help manage the process and reporting, the accountability for compliance always sits with the organisation who signs the terms and conditions with their vendors.
Performance evaluations and improvement – These are key to upholding governance and ensuring SAM activities are effective in meeting the company’s goals. For example, if a remediation plan is in place to reduce a $1 million exposure to within an acceptable level of $100,000, then performance tracking should show how the company is progressing towards that level.
Once a strong operating model is in place, organisations need to ensure that there is a culture of continual improvement around SAM, to ensure everyone is contributing to, and getting the best out of it. Areas of focus should include:
Software asset lifecycle management – It is important for those involved in management of software to, at each stage of a software asset’s lifecycle, think about SAM requirements. For example, if someone in ITSM replaces a computer and installs some software, they will typically focus on solving the problem, rather than thinking – ‘I just added a new computer, what have I done with the old one, and am I licensed for the software that I’ve just installed?’ If they are trained to alert SAM, SAM data will be cleaner and risk is kept in check.
Relationships and contracts – A key value of SAM is the ability to help with cost optimisation, particularly at the time of licence agreement renewals. The SAM function can also help to understand the company’s roadmap for IT asset requirements and can establish contracts that accurately reflect these needs. SAM can look for opportunities to optimise costs for software use, and to develop strategic relationships with key vendors, understand their technology roadmap, and how it aligns with that of the business.
Financial management – A good SAM function will also proactively work with ITAM budget owners to ensure that budgets are established on time and are adequate. SAM can monitor consumption against the budget, and provide timely reports to the budget owners. It can also implement a cost chargeback model that recovers the cost of IT assets, consistent with usage of the assets.
At KPMG, we not only help organisations to design and implement a robust SAM operating model, but through our Software Asset Management as-a-Service (SAMaaS) approach – which we explore in Taking charge of Software Asset Management – we can help with ongoing improvements.
Our journey starts with defining the SAM objectives, governance, roles and responsibilities, and KPIs, then flows to implementation such as establishing a data baseline, and offering reporting and insights.
You can learn about how a good SAM strategy can help to mitigate cyber risk in SAM and cyber security – a key role.