With software use prolific and vendors focused on compliance, organisations could be facing significant financial ramifications if they aren’t accurately licensed for the software that they use. To mitigate risks, it is vital to have a clear strategy for Software Asset Management.

Managing software licences in today’s rapidly evolving information technology (IT) landscape can be a complex task – and one that cuts across many functional areas of an organisation.

A company can be using thousands of software applications from various vendors, deployed across devices, networks and users. And while many think they have their Software Asset Management (SAM) under control, in reality they can have significant compliance risk exposure. In fact, an organisation may be spending 22 percent of its IT budget on software (Gartner), but struggle to know what software it owns, or whether it has the right number of licences for its people and ‘bots’.

Vendors have a right to ensure organisations are compliant, so not having a clear picture of licences and usage can have serious financial ramifications. In fact, in recent years, we have seen multiple examples of software vendors taking organisations to court for software licensing disputes. Some of these have exceeded $100 million in ‘technical findings’. Over the past 12 months in Australia alone, organisations have paid in excess of $100 million in settlements with various software vendors.

Beyond compliance and financial risks, a company without good SAM can incur unnecessary costs, be exposed to potential cyber risks, and miss opportunities to use SAM insights to support key business decisions on technology adoption such as AI, cognitive intelligence, IoT and blockchain, and to build a stronger link between technology, business and operational functions.

Here we look deeper at the challenges contributing to this risk environment, how good SAM can help to mitigate these risks, and how KPMG’s new Software Asset Management as-a-Service (SAMaaS) model can make SAM much easier and more effective for organisations.

A complex software environment

A number of forces are making today’s software environment more complex and heightening compliance and financial risks.

SAM not taken seriously – A key cause of risk exposure is that SAM is often not taken seriously enough to be a function of its own. This means SAM can lack clear objectives, along with the right governance, roles and responsibilities, and KPIs to ensure it is done well.

New technology – As software increasingly moves to the cloud, it is easy to ‘spin up’ virtual machines, or to introduce ‘bots’ as team members, and software use can quickly escalate.

The cloud – While it has many advantages, the cloud can present new challenges when it comes to monitoring software use. The ability to quickly source and install software means staff can potentially exceed a company’s licence count and bypass security checks. It can lead to unused and unmonitored subscriptions, and wasted expenses. It can also open a company up to cyber risk if it doesn’t know where its data is going.

Outsourcing – A shift towards using business partners, outsource teams, or external suppliers often creates confusion when it comes to responsibilities. For example, the outsourcer may deploy software as requested, but the end user is still responsible for considering the licensing impact. This again can easily lead to a misalignment of expectations and expose the organisation to non-compliance risks.

Under-utilised software – Significant sums can be wasted paying for software licences that sit on an end-user’s desktop and are used only once.

These factors increase the need for a ‘source of truth’ about software assets, and a culture of best practice around maintaining that information base.

A better way to manage software

At KPMG, we help companies to set up their SAM operating model so that they have a trustworthy ‘source of truth’ about their software usage and licences. We help them to better manage assets, identify and mitigate compliance risks, support initiatives to reduce costs, and prevent cyber-attacks. And importantly, we help them use SAM insights to assist with better decision making.

Examples of how we have helped organisations with SAM include:

  • For a large government department, we designed a SAM and hardware asset management operating model and transition roadmap. This helped the department to secure a business case to uplift its capabilities, and to implement a chargeback model for its services to other government agencies.
  • With a major infrastructure organisation, we established a licence baseline position across all software vendors, after a vendor audit resulted in a multi-million-dollar settlement. We identified a material compliance exposure and provided mitigating strategies to remove the risk.
  • For a global financial services organisation, our team helped to optimise costs in the lead up to a contract renewal with a major software vendor. We extracted over $150 million of value, reduced licensing costs by $73 million, and also helped to identify a potential non-compliance exposure of $2.5 million.

Drawing on our experience, we have taken our approach a step further to develop a managed service – KPMG Software Asset Management as-a-Service. Our SAMaaS is specifically designed to help organisations stay on the front foot of compliance.

Software Asset Management as-a-Service

In an ideal world, an organisation would have complete visibility over its software usage across all of its environments, including data centres, virtualisation platforms, cloud subscriptions, and end-user computing devices – at all times. It would be in control of compliance, costs, and cyber security risks, rather than relying on external sources to help rectify issues after they happen.

With our SAMaaS approach we can help organisations bring this to life in a way that is ‘business as usual’.

Our SAMaaS is hosted in the cloud (or can be hosted on premises) and powered by a market-leading SAM tool, coupled with our vast risk management, assurance, technology and data capabilities. It offers access to a broad range of subject matter experts throughout the KPMG global network (e.g. Cyber, Privacy, Asset Management). Our approach has three core modules:

  1. Data management – Data is the core of successful SAM. Data management involves our professionals examining all software in use and related licences to produce a ‘baseline’ software licence position, followed by monthly updates. This provides insight into how many licences an organisation is entitled to, and how many licences it is currently using, thereby exposing any non-compliance and enabling the organisation to manage the attendant risk. As the data matures and becomes more trustworthy, we can help organisations use it to deliver real insights back to the business. For example: what software is being used most, where is it being used, and what software has access to the company’s data? Where is that information going?
  2. Ongoing compliance management – We assist with regular data updating and reporting that identifies non-compliance. We help to plan a course of remediation, and provide oversight to ensure this remediation occurs.
  3. Cost optimisation – Here, we help identify a pipeline of opportunities to change, amend, or optimise licensing to deliver cost savings as contracts come up for renewal.

Bringing SAMaaS to life

To maximise the benefit of SAMaaS, we will work with you to integrate SAMaaS within your SAM operating model from both technology implementation and process augmentation perspectives, to ensure that the service successfully achieves the desired outcomes.

Complacency over SAM can lead to significant compliance, operational and financial risks, unnecessary costs, and even cyber or privacy risk exposure. Instead, a proactive approach can minimise these risks, and ensure the SAM Manager and team can focus on adding deeper value to the business.

Learn more about why Software Asset Management should be taken seriously as a function of its own in ITAM vs ITSM – why they should be separate.