I recently conducted a quick straw poll regarding the concept of ‘Guaranteed Software Compliance’. Thank you to all those who responded (n=74).
In a nutshell, the premise was: “Would a software compliance insurance policy, which paid out in the event of a shortfall in an audit, be of interest to you?” (See the original article here).
General Consensus: Nice idea, I’d like to see someone try to deliver it.
Overall, a large proportion of end user organisations in the survey expressed an interest. Some even said “Hmm, that looks good, please send me a brochure” (For clarity – The ITAM Review is not a service provider, nor is it representing a service provider).
I was not explicit about how I saw this software compliance insurance policy being delivered. I envisaged it as an additional top-up to a SAM service, demonstrating the confidence the SAM partner has in their service. Some SAM practitioners got quite irate that this would lead to end users being drunk at the wheel and not caring about SAM. I think the opposite is true – anyone offering this form of insurance policy would want to check that you have adequate processes in place before agreeing a premium, in the same way that your car insurance is based on your history and the state of your car. You don’t suddenly start driving like a madman because you are insured – you want to protect a) yourself and b) your premium.
The general consensus was that it is a nice idea, but I would like to see someone try and deliver it given the complexities involved. The harsh reality is that a company could spend a lot of money trying to implement SAM and still get stung with a compliance audit. Common sense says that SAM implemented properly should eliminate the requirement for such an insurance policy – yet the lure of a guarantee is still attractive.
Have you any other comments regarding the idea of Guaranteed Software Compliance via an insurance policy?
- Government has to be careful with this because we are dealing with taxpayer funds, so it might be a hard sell, but it is a great concept.
- We developed this offering at [our organisation] and included it in our managed services. However, there are some challenges in saying we’ll cover the shortfall, as we cannot make a company remove software. Also, for some enterprise clients sometimes it’s easier for them to purchase the shortfall than it would be to make the changes, which the consultancy cannot be liable for.
- Great idea – could be cost effective for the largest organisations or government but unlikely to be taken up in SMEs.
- The whole concept sounds good. It would certainly keep service providers in the area of SAM on their toes.
- When selling a solution to a prospect, it would definitely be of use to state that for an extra premium it could be guaranteed that they would not be caught out in the event of a licence shortfall. The additional cost for such a service would be of great interest, as licensing audits tend not to uncover small shortfalls in customers I deal with.
- Interesting idea – would be curious about the metrics that would be evaluated to determine the cost of such a proposition. Do you sign up for audits? Just sit with a “wait and see” outlook (maybe they will audit, maybe they won’t?) The most difficult part of SAM is the legacy data gathering effort – which leaves the most exposure. Is this a part of the insurance cost equation?
- This would only be feasible if definitive controls, which could be measured by an insurer, could be put in place, which is not practical. It would discourage companies from taking responsibility for compliance. I don’t think this is workable.
- The business is compelled to have their licensing in order. A Software Compliance Insurance Policy is more or less a crutch, it takes away the need to be vigilant in software compliance. What is needed to enforce vigilance in compliance is to offer an incentive to 1) get to a level of compliance and 2) periodic awards to maintain compliance.
- I regard an insurance policy for guaranteed software compliance as a slap in the face for the licence managers of the company.
- I think it is an interesting concept, but it would not be a replacement for SAM. While it may help a company recoup the cost of purchasing the missing software and/or penalties, it would not address the potential damage to a company’s reputation that may come with being seriously out of compliance. In addition, some companies may become lax with their SAM if they had an insurance policy in place. I think that would be a mistake, as SAM offers more than financial protection.
- One concern that I have with the idea of a compliance security policy is that it could lead a customer to have a sense of complacency towards SAM. This could prevent SAM from being developed past the simple compliance stage into a core part of the business’s processes. To work, a compliance insurance policy would likely need to require a highly sophisticated SAM implementation and ongoing oversight to ensure that the SAM systems were used correctly. If a customer deviated from the defined SAM process and this led to a compliance shortfall, would the insurance policy pay out?
- Still keeps SAM detached from the business when I feel it should be fully owned.
- I would imagine the conditions of such insurance would be rather interesting. This to me is akin to asking for insurance to allow you to drive when drunk.
- Unless a company has experienced an audit, management tends to want to not think about compliance and the actual risk. My current company has been in that situation so they often inquire about compliance and support the SAM projects. So they expect us to be compliant and not need such a policy.
- This would work from a financial perspective, but would not work from a contractual perspective; being non-compliant is a breach of licensing rules, so the vendor could still terminate; an unacceptable risk. In addition, the legal consequences of the copyright breach would still exist.
On The Fence
- Which would be the terms and conditions for it to apply? Would the company conducting the SAM have the buying power to acquire any required licenses?
- I think it’s pretty difficult to consider this insurance policy, the value of which would have to be determined by the poorness of your current SAM process. I’m not sure how a software compliance insurance policy could possibly price itself, unless it simply overpriced itself to ensure losses are covered. I would be hesitant to bring that to a client until I saw the value first hand or at minimum saw a published case study that I valued.
- Possible in only basic licensing scenarios. Complex situations like global IBM incorporating mainframe, midrange & distributed with a smattering of sub-capacity will be uninsurable.
- The idea would be an interesting value-add to selling SAM. The two issues I see are that, one, insurance is priced and risk factored based on data such as actuarial tables etc. I am not sure this type of data could be provided accurately, since different customers have different issues, policies, cultures, etc. This could make any insurance somewhat cost prohibitive to the provider. The second issue is a customer might be incentivized to not participate in the “down and dirty” aspect of ITAM and SAM (e.g. not attend meetings, not enforce policy). If a CIO knows he/she is covered on SW compliance whether or not their people help out, he/she may not put the resources in place to execute a SAM plan. As we know, no single technology or process/policy can truly make a customer compliant. It takes buy-in from a high level, and cooperation from end users up and down the ladder. The issue boils down to the real cost-benefit of “Guaranteeing” Compliance (including what expected percentage of customers receive shortfall payouts and average payout amounts) and what kind of margin or profit potential is available versus selling SAM/ITAM without such a promise.
- As an employee of one of the SAM vendors, I’d see this initiative as a threat to the SAM market, except if the insurance policy price is dependent on some level of SAM implementation. Could it be based on maturity level, number of software manufacturers covered through internal audits, etc.?
- I believe the value of having an insurance policy is largely based on the depth of the business’ SAM program and the current audit environment. If an organization believes significant audit risk exists, their program is underdeveloped, and the cost is not prohibitive, then it may be of interest. However, in some cases, management may consider that such a “policy” reflects their inability to control their environment.
- Insurance policies are for organizations that don’t have direct control or influence over potential losses, i.e. fire, flood, etc. Compliance is within your control, and funds potentially targeted for insurance plans should be spent on maturing the compliance process.
About Martin Thompson
Martin is also author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management.
On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
Learn more about him here and connect with him on Twitter or LinkedIn.