SAM standard revised

Content Copyright © 2011 Bloor. All Rights Reserved.
Also posted on: The Norfolk Punt

One of my usual minor rants is around software licence management and its facile identification with SAM—Software Asset Management.

License management, I might suggest, is a burden for the business, invented by companies who seemed to encourage software copying and license mismanagement in order to gain market share and now want to get revenue from bullying companies into paying for licences—often for shelf-ware that no-one is using or stuff that has been paid for but has lost its licence record—under threat of legal action.

However, as so often, compliance (which is purely a cost) can be made into an opportunity. If you start managing licences, you get a handle on what software you have and can stop paying for anything you don’t need—using auto-discovery tools to see what is being used (the devil is in the detail with auto-discovery, and it often needs to be backed up by a manual survey, but that’s for a different article).

So, perhaps you find that you have a lot of licenses for a full software publishing suite, when all most people need is the free Reader. You find that a lot of people who came with a company acquisition had licensed desktop software already, as part of the acquired company assets; and you promptly gave them new, duplicate, licences. You find that you have a lot of unused collaborative shelf-ware, because the vendor wanted to ramp up market share and the deal was too good to miss, but when a department actually started an effective collaboration initiative, it just bought new licenses for the same collaboration tool. And, just possibly, you find that there are a lot of unlicensed copies of a database package, say, because it was needed for a really critical business project and your acquisition procedures were simply too slow and cumbersome.

This was a lot of work, for skilled (expensive) people. Luckily, the money you save by not paying for duplicate licenses, for unused shelf-ware and for software no-one uses any more (and isn’t even on a shelf) often easily pays for properly licensing your database packages. And the FAST bogeyman is banished, for a while, from the cupboard he’s been hiding in. End of story?

No, that would be a very short-sighted story—and lead to a repeat of the same expensive mess in a year or so. Having discovered your software assets, you can put in place process to keep the asset register up to date. But you can do more. Your development process obviously isn’t reusing obvious assets (licenses) so what else isn’t it reusing effectively? You might consider improving your development process, to maximise reuse generally—thus increasing efficiency and reducing waste. Your acquisition and provisioning processes obviously need improvement—but the problem with database packages suggests that other areas of business may not have access to the best automation; another chance for process improvement and waste elimination.

Now you’re starting to think about proper Software Asset Management (SAM) in the context of Service Management generally—and there’s a standard which gives you a useful framework for achieving this (whether or not you choose to certify formally or just conform with its principles). This is ISO 19770-1; WG21, the SAM Working Group at ISO, started a review process for a new release of this at the end of November last year (the review document and process can be found on the WG21 site—consultation ends 1st March 2011).

So, what’s new in this proposal and why should anyone get excited about it? Well, according to Ian Preskett, an experienced Asset Management practitioner and member of the BCS Configuration Management Specialist Group committee, ISO 19770-1 is generally accepted as a comprehensive SAM framework to control assets. Nevertheless, it’s quite a lot to take on at one go, so the proposal is for a tiered standard. Organisations will be able to quote certification against Tier 1 of the proposed revision and then show measurable progress as they move up the tiers—thus getting some immediate return for their efforts to manage assets and achieve license compliance.

I like the idea of a staged approach to SAM, partly because it delivers immediate short-term assessment points, which should help maintain commitment; and partly because it implies that an effective process is being followed rather than a set of check-boxes ticked. Good process makes maintaining compliance easier, and cheaper.

However, there may be some issues with the revision. The first Tier is “trustworthy data”; the second is “practical management”; the third is “operational integration”; and the fourth tier is full ISO/IEC 19770-1 SAM certification. Nothing wrong with that, except that you are unlikely to have “trustworthy data” without its collection being managed (Tier 2) and integrated with operational processes (Tier 3). Are the tiers perhaps the wrong way round? Perhaps this is because companies tend to focus on collecting licence data in order to create licence compliance reports, while establishing process needs real thought and commitment, and the tiers have been arranged to reflect this. Nevertheless, however you prioritise it, you will need reliable licence data eventually and there is nothing to stop you putting “just enough” practical management and operational integration in place even before you formally attempt tier 2 and tier 3…

Another issue is common to all formal standards—the standards-making process can become an end in itself and those involved can lose touch with the concerns of real-world practitioners. So, I approached David Marriott-Lodge, Services and Solutions Director at Trustmarque Solutions (which makes its business out of managed services for licence management and other asset management opportunities—and delivering practical cost savings to its customers).

According to Marriott-Lodge: “The revision has sought to borrow best practice from other areas of operations management (i.e. the Deming Cycle) by looking at driving through continual improvements of SAM. The revision is also seeking to offer greater guidance over its predecessor by talking about roles and responsibilities for SAM. It further seeks to borrow best practice from ITIL by making reference to “Relationship and Contract Management in SAM”. Finally, if we notice “Retirement process”, this borrows best practice from FAST”. Since I don’t see SAM as a standalone silo but as a vital part of holistic Service Management, I find this very encouraging—although Marriott-Lodge points out that the inclusion of this “assumed knowledge” makes the revision much longer than the original.

Will Marriott-Lodge have suggestions for the WG21 group? Yes, possibly: “Whilst the draft standard seeks to align SAM to Corporate Governance Objectives, I think it might gain greater traction commercially if it sought to align SAM to IT Strategic objectives, demonstrating how these support the overall business strategy. This would increase the visibility of IT in a positive light, and make the buy-in of a SAM program somewhat easier”. Personally, I like the view that SAM (and other IT governance initiatives) are aspects of Corporate Governance; but I take the point that IT strategic objectives are important too.

He generally welcomes the revisions, because they give the SAM beginner a fighting chance of achieving recognisable milestones. Nevertheless, he also suggests keeping your feet firmly on the ground: “although the best principles of licence compliance and software asset management are laudable aims, I would always advocate a cost/benefit analysis of just how far down the road an organisation wishes to go with such a project—the effort required to account for all software installed on all systems could easily, for example, tip an IT budget into the red”.

Marriott-Lodge’s primary concern with ISO 19770-1 is with the extent of its adoption (something the proposed revision hopes to address, I assume): “no organisation has yet approached the ISO and stated that they will oversee the management of SAM to the requirements that the document lays out”, he says. Until this happens, he points out: “no company can attain ISO 19770-1 certification, which means that following this standard to whatever level (1, 2, 3 or 4) will curry little favour with software vendors should they come knocking”.

That, it seems to me, is a serious issue. Nevertheless, attaining ISO 19770-1 certification shouldn’t be a check-box exercise, purely to keep litigious software vendors away—this should be a side benefit from implementing good process and managing your software assets effectively, without waste. Even if you just conform with ISO 19770-1 principles and never formally certify against ISO 19770-1, this could still help organisations implement process improvement around SAM and give them both a framework for talking about SAM and control points to help them manage their progress internally, as and when they can afford to expand the scope of their efforts.

You can’t imagine companies not managing tangible assets without being accused of incompetent management. Now that businesses more and more depend on software for their core business processes, the same should apply to SAM.