A robust framework that considers technology, processes and people controls is vital for effective SAM. Often these controls are visible and easy to review and enhance, however, it’s the conduct and behaviours of an organisation that can often derail a robust framework.
When it comes to Software Asset Management (SAM) it is important that organisations look to implement controls to build visibility of their software use, keep costs controlled, and to minimise compliance exposures and cyber security risks.
However when these controls (‘hard controls’), such as organisational systems, processes and policies take into account a company’s code of conduct, the engagement of its people, and the everyday behaviours that define the culture of an organisation, as well as its external interactions with IT vendors, the enhancement to the success of the SAM framework can be significant. Often the breakdown in the SAM framework can be linked back to an inability to reconcile misaligned or conflicting interests and objectives of the various internal (i.e. employees and management) and external (i.e. vendors) stakeholders, leading to mistrust and adversarial relationships.
Hard SAM controls can include segregation of duties, governance and risk management, KPIs, policies and related processes and security measures. They could comprise a restriction of administration rights, implementing formal processes for on-boarding software, vendor management frameworks, or chargeback systems for software use.
Soft controls are the less tangible factors that promote desired behaviours. They include clarity of roles and responsibilities, appropriate role modelling from leadership, and clear direction about what is expected.
There are a number of SAM issues driven by behaviours that could benefit from soft controls. These include:
Shadow IT – This is when an end-user implements software that has not been sanctioned/reviewed by IT, exposing the company to risks. It may stem from a frustrated employee trying to improve efficiency, who faces roadblocks to get approval, for example.
Software re-harvesting – When organisations meter how employees use each piece of software, they may look to re-harvest it if it is underused. However, when IT asks for uninstallation, the user may say “I still need it”. Consequently, additional money needs to be spent on more licences.
Chargebacks – These are used to influence consumption behaviour. If a cost is allocated to the use of software, the idea is the business will be more likely to agree to re-harvest it. However, implementation can be difficult due to lack of usage and costing data, but also dissatisfaction from the business around quality of service and value for money.
Bring-your-own devices – With a rising trend for employee mobility and using their own technology, it can be even harder to keep track of software use and risk exposure.
Clarity of roles and responsibilities – As we explored in ITAM vs ITSM – why they should be separate, SAM teams can be unclear of their roles and responsibility, as software touches so many parts of a business. If people don’t have clarity, there is a chance they won’t be doing what they should be.
Vendor management – The relationship between the organisation and its IT Vendors can often be strained due to traditional sales models adopted by vendors that prioritise month end sales over the real needs of the organisation. Therefore, vendor-initiated licence audits become perceived as another means of extending their sales pipeline that the organisation must ‘defend’ against – rather than an opportunity to enhance the contractual relationship and mutually drive a better outcome for both parties.
In each scenario, it is clear that the company is relying on people’s behaviour to prevent issues and risk exposure. This is where soft controls as part of SAM can make a key difference.
By ensuring soft controls are considered as part of the SAM framework, whether that be training, communication, or role modelling, for example, people can better understand the potential impact of their actions on risk. This should in turn help to shape behaviours, and encourage people to ‘do the right thing’.
KPMG’s Software Asset Management as-a-Service (SAMaaS) helps organisations to implement both hard and soft controls to help achieve this balance.
In our SAMaaS offering, hard controls include data management, ongoing compliance management, and cost optimisation. You can read more about this in Taking charge of Software Asset Management.
To support these hard controls, we can include consideration of soft controls. We look to uncover the culture, behaviour and habits that are driving decisions and actions related SAM. Where are people taking short cuts? Or doing things in a way that isn’t documented or expected? Is the SAM function connected to the organisation and adding value in their role?
To explore these behavioural factors, we work with your organisation using a globally accepted methodology through one-on-one interviews and focus groups, surveys, and observation. Our findings can enhance the way we help organisations to implement SAM and to get the best results possible.
Ensuring SAM incorporates both hard and soft controls can help organisations to achieve greater effectiveness and efficiency of SAM processes, enabling SAM teams to shift from lower value activities to more strategic ones.
Soft controls can also help transform the traditional ‘arm’s-length’ transactional relationship with IT vendors into a true, technology, strategic partnership. By fostering greater transparency, clearer lines of accountability and commitment to the long-haul, it is possible for organisations and vendors to not only work together to ensure software is managed effectively, but is also aligned to the organisation’s needs.
Soft controls work best when the operating model of SAM is sound. Find out more in The power of a Software Asset Management operating model.
©2021 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.
Liability limited by a scheme approved under Professional Standards Legislation.
For more detail about the structure of the KPMG global organisation please visit https://home.kpmg/governance.