With software use now pervasive and vendors focused on compliance, organisations could face significant financial ramifications if they are not accurately licensed for the software they use. To mitigate these risks, it is vital to have a clear strategy for Software Asset Management.
Managing software licences in today’s rapidly evolving information technology (IT) landscape can be a complex task – and one that cuts across many functional areas of an organisation.
A company can be using thousands of software applications from various vendors, deployed across devices, networks and users. And while many think they have their Software Asset Management (SAM) under control, in reality they can have significant compliance risk exposure. In fact, an organisation may be spending 22 percent of its IT budget on software (Gartner), but struggle to know what software it owns, or whether it has the right number of licences for its people and ‘bots’.
Vendors have a right to ensure organisations are compliant, so not having a clear picture of licences and usage can have serious financial ramifications. In fact, in recent years, we have seen multiple examples of software vendors taking organisations to court for software licensing disputes. Some of these have exceeded $100 million in ‘technical findings’. Over the past 12 months in Australia alone, organisations have paid in excess of $100 million in settlements with various software vendors.
In addition to compliance and financial risks, an organisation without good SAM can be exposed to unnecessary costs and potential cyber risks, and can miss opportunities to use SAM insights to support key business decisions on technology adoption such as AI, cognitive intelligence, IoT and blockchain, which would strengthen the link between technology, business and operational functions.
Here we look deeper at the challenges contributing to this risk environment, how good SAM can help to mitigate these risks, and how KPMG’s new Software Asset Management as-a-Service (SAMaaS) model can make SAM much easier and more effective for organisations.
A number of forces add to the complexity of today’s software environment and heighten compliance and financial risks.
SAM not taken seriously – A key cause of risk exposure is that SAM is often not taken seriously enough to be a function of its own. This means SAM can lack clear objectives, along with the right governance, roles and responsibilities, and KPIs to ensure it is done well.
New technology – As software increasingly moves to the cloud, it is easy to ‘spin up’ virtual machines, or to introduce ‘bots’ as team members, and software use can quickly escalate.
The cloud – While it has many advantages, the cloud can present new challenges when it comes to monitoring software use. The ability to quickly source and install software means staff can potentially exceed a company’s licence count and bypass security checks. It can lead to subscriptions that are unused and unmonitored, and to wasted expense. It can also open a company up to cyber risk if it doesn’t know where its data is going.
Outsourcing – A shift towards using business partners, outsource teams, or external suppliers often creates confusion when it comes to responsibilities. For example, the outsourcer may deploy software as requested, but the end user is still responsible for considering the licensing impact. This again can easily lead to a misalignment of expectations and expose the organisation to non-compliance risks.
Under-utilised software – It is easy to waste significant sums paying for software licences that sit on an end-user’s desktop and are used only once.
These factors increase the need for a ‘source of truth’ about software assets, and a culture of best practice around maintaining that information base.
At KPMG, we help companies to set up their SAM operating model so that they have a trustworthy ‘source of truth’ about their software usage and licences. We help them to better manage assets, identify and mitigate compliance risks, support initiatives to reduce costs, and prevent cyber-attacks. And importantly, we help them use SAM insights to assist with better decision making.
Examples of how we have helped organisations with SAM include:
Drawing on our experience, we have taken our approach a step further to develop a managed service – KPMG Software Asset Management as-a-Service. Our SAMaaS is specifically designed to help organisations stay on the front foot of compliance.
In an ideal world, an organisation would have complete visibility over its software usage across all of its environments, including data centres, virtualisation platforms, cloud subscriptions, and end-user computing devices – at all times. It would be in control of compliance, costs, and cyber security risks, rather than relying on external sources to help rectify issues after they happen.
With our SAMaaS approach we can help organisations bring this to life in a way that is ‘business as usual’.
Our SAMaaS is hosted in the cloud (or can be hosted on premise) and powered by a market-leading SAM tool, coupled with our extensive risk management, assurance, technology and data capabilities. It offers access to a broad range of subject matter experts throughout the KPMG global network (e.g. Cyber, Privacy, Asset Management). Our approach has three core modules:
To maximise the benefit of SAMaaS, we will work with you to integrate SAMaaS within your SAM operating model from both technology implementation and process augmentation perspectives, to ensure that the service successfully achieves the desired outcomes.
Complacency over SAM can lead to significant compliance, operational and financial risks, unnecessary costs, and even cyber or privacy risk exposure. Instead, a proactive approach can minimise these risks, and ensure the SAM Manager and team can focus on adding deeper value to the business.
© 2020 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Liability limited by a scheme approved under Professional Standards Legislation.