Software Compliance: A Risk and an Opportunity

The brand-new CIO of a large financial services organization had been on the job less than a week when a major software vendor handed him a bill for unauthorized usage to the tune of $1 million. By contract, the burden of proof fell to the organization, which was expected to pay up or prove that it was in compliance.

This isn't an isolated incident. Software vendors and trade associations are aggressively auditing organizations with little advance warning, often resulting in heavy fines. Industry watchdog groups such as the Business Software Alliance (BSA) that represent software manufacturers took in piracy settlements of $12 million in 2002, and they say they catch an organization that's out of compliance every working day. Gartner Inc. estimates that the probability of an audit for a midsize to large organization is 40% over the next two years and that it will increase by 20% each year.

In the 1990s, software compliance was seemingly a non-issue. Today, it's a crucial business issue with major cost and regulatory implications. How did this happen?

During the economic explosion of the '90s, organizations purchased software with little concern for cost. No one, including the software manufacturers, paid much attention to software license compliance. Toward the end of 2001, as the growth in technology slowed considerably, the economic effects of Sept. 11 were being painfully felt, and a growing tide of regulatory reforms was being implemented, cost containment became the major issue for CIOs. CIOs found themselves under increasing pressure from both the chief financial officer and the chief risk officer to control costs while addressing increasing regulatory requirements, and they significantly curtailed their software purchases. As their traditional sources of revenue dried up, software manufacturers adopted an aggressive new approach, pursuing organizations they believed were out of compliance as a source of revenue.

Today, software vendors continue to generate significant revenues from zealous auditing, and there's no end in sight. The BSA estimates that 25% of organizations that do business in the U.S. have some form of noncompliance, resulting in an estimated $6 billion in lost revenues to software manufacturers.

Potentially noncompliant organizations are identified in a variety of ways by software vendors:

  • They compare their records of license sales against public information including the published number of employees and send a bill for the difference. The organization receiving the bill incurs the burden of proof to demonstrate compliance.
  • They conduct audits themselves or through audit firms, often doing sweeps by geographical region or industry.
  • They learn of suspected software piracy from disgruntled employees via anonymous Web sites and toll-free hot lines. With increasing IT turnover rates and offshore outsourcing, the incidence of piracy reporting by disgruntled employees has risen exponentially.

The Cost of Noncompliance

Noncompliance can be costly. Organizations that are out of compliance not only have to settle up with the manufacturers, but they may also have to pay fines that can total $100,000 per infraction. Fines equal the infringement on intellectual property plus four times the retail value of the software found to be unlicensed. Organizations that don't focus on software compliance risk even more costly audits from other software manufacturers, which tend to follow one another in auditing organizations that don't have a handle on compliance.

The good news is that periodic audits are easy to do, are relatively inexpensive, and can offer major cost benefits. The new CIO in the example above who had been slapped with a $1 million bill developed a defensible, documented position on the organization's compliance and was able to resolve the problem with less than $100,000 in license purchases.

How Do Organizations Fall Out of Compliance?

While some organizations choose to take their chances, most don't knowingly put themselves at risk for being out of compliance.

Software license noncompliance can occur for a variety of reasons:

  • Lack of an asset management system
  • Misuse of MSDN media and licenses
  • Reimaging of systems
  • Assumption that vendor records are accurate
  • Failure to perform periodic software audits
  • Poor contract record-keeping
  • Lack of understanding of software rights as granted in license (such as dual-use conditions) or changed licensing terms
  • Overbuying server licenses but underbuying client licenses
  • Lack of centralized or consistent procurement policies

Compliance isn't easy. Many software manufacturers have so many different licensing programs that it takes a Ph.D. to make sense of them all. Manufacturers also include in their contracts the ability to change usage rights at will, which means that even the most diligent organizations may fall out of compliance without even realizing it.

Most organizations fall out of compliance as a result of a combination of inadequate record-keeping, ignorance of their license rights and lack of policies to address the issue. However, as hard as it is to stay in compliance, it's even more difficult to face the consequences that can result from noncompliance.

How Can Organizations Protect Themselves From Software Noncompliance Audits?

Organizations tend to take one of two approaches to software compliance. One is to perform "true ups" on a monthly, quarterly or yearly basis and then purchase appropriate licenses as necessary. The second, more common, approach is to hope for compliance and pray that the audit request never arrives.

The cost variance between the two approaches can be significant. In addition to the risk of being audited, you may be wasting money by using software ineffectively. Software has become a significant cost for most organizations and requires trained personnel and software tools to manage it. Although Gartner recommends that organizations spend 3% to 5% of their software acquisition budget on management, many organizations fall well short of that, greatly increasing their risk of an audit.

Organizations need to take proactive steps to protect themselves from potential damage. Unfortunately, many organizations are still in reactive mode and seriously address software compliance only when confronted with an audit or a bill from a manufacturer or watchdog group.

Organizations must first determine what's actually running in their environments. Plenty of technology is available to provide that baseline data. However, just because software is installed doesn't mean that the organization has the right to use it. As with many issues facing CIOs today, technology comprises only about 20% of the solution. Business processes make up the other 80%, and no auto-inventory tool can help you with that.

To truly understand if it's in compliance, an organization needs not only a baseline comparison, but also a view of the software it has purchased, has installed and is using. It has to prove ownership, which requires matching actual inventory (gathered through customers' autodiscovery tools or through a third-party inventory audit) with internal contracts and manufacturers' records. This information can be used as protection against fines, fees and penalties.

Once organizations reconcile all the necessary information from various sources, they then need to take steps to ensure software compliance. These steps can include renegotiating contracts, removing licenses that are no longer needed or used, or purchasing additional licenses.
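A minimal reconciliation of the kind described above, added here as an illustration rather than taken from the article or from Forsythe's offerings: the inventory and entitlement records are constructed, the product and host names are hypothetical, and it assumes that developer-subscription media (the MSDN-style case the article lists) covers only hosts tagged as dev, so the same media on a production host counts as an unlicensed install.

```python
from collections import Counter

# Constructed discovery output: one record per installed product per host.
# "env" is the host's role; dev-subscription media is only valid on dev hosts.
INVENTORY = [
    {"host": "ws-001", "product": "OfficeSuite", "env": "prod"},
    {"host": "ws-002", "product": "OfficeSuite", "env": "prod"},
    {"host": "ws-003", "product": "OfficeSuite", "env": "prod"},
    {"host": "ws-004", "product": "DBClient", "env": "prod"},
    {"host": "ws-005", "product": "DBClient", "env": "prod"},
    {"host": "srv-01", "product": "DBServer", "env": "prod"},
    {"host": "srv-02", "product": "DBServer", "env": "prod"},
    {"host": "lab-01", "product": "DBServer", "env": "dev"},
]

# Constructed entitlements reconciled from contracts and vendor records:
# product -> number of production installs the organization may run.
# Deliberately shows the over-bought server / under-bought client pattern.
ENTITLEMENTS = {"OfficeSuite": 2, "DBClient": 5, "DBServer": 4}

# Products covered on dev hosts by a developer subscription (hypothetical).
DEV_SUBSCRIPTION = {"DBServer"}


def reconcile(inventory, entitlements, dev_subscription=frozenset()):
    """Match installed counts against entitlements.

    Returns {product: {"installed", "licensed", "delta"}}; a negative delta
    is a shortfall to buy, a positive delta is surplus to remove or renegotiate.
    Installed does not mean licensed, so every install is counted unless a
    dev subscription explicitly covers it on a dev host."""
    counted = Counter()
    for item in inventory:
        if item["env"] == "dev" and item["product"] in dev_subscription:
            continue  # covered by the dev subscription, not a production seat
        counted[item["product"]] += 1
    report = {}
    for product in sorted(set(counted) | set(entitlements)):
        installed, licensed = counted[product], entitlements.get(product, 0)
        report[product] = {"installed": installed, "licensed": licensed,
                           "delta": licensed - installed}
    return report


def true_up_actions(report):
    """Turn the reconciliation into the true-up steps the article names."""
    actions = []
    for product, r in report.items():
        if r["delta"] < 0:
            actions.append(f"buy {-r['delta']} x {product}")
        elif r["delta"] > 0:
            actions.append(f"surplus {r['delta']} x {product}: remove or renegotiate")
    return actions
```

Running `true_up_actions(reconcile(INVENTORY, ENTITLEMENTS, DEV_SUBSCRIPTION))` on the constructed data yields one client shortfall and two server-side surpluses; dropping the dev subscription makes the lab host count as a fourth production server install.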

Software Optimization: A Step Beyond

While compliance is usually the primary objective of organizations concerned about software license audits or dealing with bills from manufacturers, software optimization is the ultimate benefit. Organizations can use the resulting information to maximize the value of their software assets.

Software is a huge cost for most organizations. Organizations tend to use only approximately 70% of the server licenses they pay for and only about 70% of capacity. According to leading analysts, many CIOs believe that as much as 20% of all installed desktop software is unused, often becoming "shelfware." Software optimization depends on knowing who is using what, how much and whether software is just running as opposed to being used in a meaningful way. Software license agreements should be evaluated and renegotiated to ensure that the organization is getting the best value.

Organizations that go through the process of determining true software compliance can benefit in another way -- by reusing the information to drive tangible cost savings through:

  • Maintenance consolidation audits
  • Business continuity/disaster recovery assessments
  • Security baseline assessments
  • Server/storage consolidation studies
  • IT optimization/technology life-cycle reviews
  • Data center relocations

When viewed from a strategic perspective, the painful process of ensuring software compliance can transform into a significant business opportunity.

Jason Sango is a director in Forsythe Technology Inc.'s IT portfolio management practice and is responsible for the company's software-compliance and asset-optimization offerings.

Copyright © 2005 IDG Communications, Inc.
