Managing Risk: Assess

Read this blog to understand how to assess your software compliance risks within 30 days.


If you are starting out with your Software Compliance solution, you probably have visions of changing the world.  Really!  You want to know where all of your software is in the business, how many licenses are available, and who is using what.  You will need to get real.  This will not happen unless your business plans to spend lots of money and give you plenty of time.  The key to success with software compliance is to show measurable results in increments of 90 days or less and to drive yourself toward answering the ultimate question:  Are you compliant?

Assess Your Spending
Your goal is to understand the total software spending over a five-year period (good enough).  That's it.  To do this, pull the following for every software purchase:

  • Vendor
  • Purchase order number
  • Line item description (if provided, but be warned that this may be inaccurate)
  • Quantity (also may be inaccurate)
  • Total dollar amount
Next, total the spend for each vendor (most vendors will appear on many purchase orders, so aggregate the line items first) and sort the vendors in descending order by total dollar amount.  Add a column showing the percentage of total spend each vendor represents, and a second column with the running (cumulative) percentage.  Now count the vendors from the top of the list until the cumulative percentage reaches 90%.  That's it.  You have just identified your target group, and you will want to understand the risks associated with these vendors (more on this later).
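The ranking above is a cumulative-share (Pareto) cut over purchase-order line items. Here is the whole procedure in working Python, added as an example that is not part of the original post: the PO rows are constructed sample data, the vendor alias table is an assumption about how one vendor's name drifts across purchasing systems, and the functions never modify the rows they are given, so the source data stays intact as a baseline.

```python
"""Vendor spend concentration: which vendors make up 90% of software spend.

Added example, not from the original post. SAMPLE_PO_LINES is constructed
data; VENDOR_ALIASES is an assumed normalization table.
"""
from collections import defaultdict

# Constructed sample PO line items:
# (vendor as entered on the PO, PO number, line item description, quantity, total USD)
SAMPLE_PO_LINES = [
    ("Microsoft Corp",        "PO-1001", "Office Pro Plus",      250,  98_000.00),
    ("MICROSOFT CORPORATION", "PO-1187", "Windows Ent upgrade",  250,  41_000.00),
    ("Adobe Systems",         "PO-1042", "Acrobat Pro",           80,  14_400.00),
    ("Adobe Systems Inc.",    "PO-1205", "Creative Cloud",        12,   9_600.00),
    ("Oracle",                "PO-1077", "DB EE processor lic.",   4, 190_000.00),
    ("Symantec",              "PO-1099", "Endpoint protection",  900,  27_000.00),
    ("Smartsheet",            "PO-1150", "Team plan",             25,   7_500.00),
    ("Techsmith",             "PO-1160", "Snagit",                40,   2_000.00),
    ("Misc Reseller",         "PO-1171", "",                       0,     600.00),  # blank description, still counted
]

# Assumed alias table: lower-cased, whitespace-collapsed PO vendor string -> canonical vendor.
VENDOR_ALIASES = {
    "microsoft corp": "Microsoft",
    "microsoft corporation": "Microsoft",
    "adobe systems": "Adobe",
    "adobe systems inc.": "Adobe",
}


def normalize_vendor(name: str) -> str:
    """Collapse case and whitespace, then map known aliases to one canonical name."""
    key = " ".join(name.split()).lower()
    return VENDOR_ALIASES.get(key, name.strip())


def spend_by_vendor(lines):
    """Aggregate total dollars per canonical vendor across all PO line items."""
    totals = defaultdict(float)
    for vendor, _po, _desc, _qty, total in lines:
        totals[normalize_vendor(vendor)] += total
    return dict(totals)


def target_group(lines, threshold=0.90):
    """Rank vendors by spend and return the smallest top group covering `threshold`.

    Returns (ranked, targets):
      ranked  - list of (vendor, spend, share, cumulative_share), descending by spend
      targets - vendors from the top of the list until cumulative share >= threshold
    """
    totals = spend_by_vendor(lines)
    grand = sum(totals.values())
    if grand <= 0:                       # nothing to rank; avoid dividing by zero
        return [], []
    ranked = []
    cum_spend = 0.0
    # Ties on spend are broken by name so the ordering is deterministic.
    for vendor, spend in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])):
        cum_spend += spend
        ranked.append((vendor, spend, spend / grand, cum_spend / grand))
    targets = []
    for vendor, _spend, _share, cum in ranked:
        targets.append(vendor)
        if cum >= threshold:
            break
    return ranked, targets


if __name__ == "__main__":
    ranked, targets = target_group(SAMPLE_PO_LINES)
    print(f"{'vendor':<12}{'spend':>12}{'share':>8}{'cum':>8}")
    for vendor, spend, share, cum in ranked:
        print(f"{vendor:<12}{spend:>12,.0f}{share:>8.1%}{cum:>8.1%}")
    print(f"{len(targets)} vendors cover 90% of spend: {', '.join(targets)}")
```

On the sample data, Oracle, Microsoft and Symantec together cross the 90% line, so the target group is three vendors even though nine PO lines and seven vendor names went in; without the alias step Microsoft would have been split in two and the cut would land differently.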

Overcoming Challenges
Here are some of the challenges you will run into:

  • Your Purchasing/Sourcing organization is uncooperative
  • The data is not normalized or formatted in a way that is convenient to report on
  • You have multiple purchasing systems
  • You have mergers and acquisitions to deal with
  • And so on, and so forth
I understand all of these, but let's start where you have control and where you can build success.  Let's focus on workstation software, since it's a heavily audited area and small and medium-sized vendors are looking to "true-up" with unsuspecting companies.

Workstation software is typically purchased through a software reseller, whether a Value-Added Reseller (VAR) or a Large Account Reseller (LAR).  The labels matter less than the role: the reseller is the middleman between you and your software publisher, and as a middleman it holds five or more years of data on everything you have purchased.  This is a great place to start.  Get all the data you can from these people; they are generally happy to provide it.  Some are better than others, but if you identify every reseller your company has done business with, you can bypass your purchasing organization altogether.

Once you get the data, you will need to normalize it by part number or a natural product name.  Have someone who is good with Microsoft Excel or Access do this for you.  Never, ever delete any of the data.  You will need to amend the data, but keeping the untouched source file gives you a baseline to tie back to, and that is essential in your analysis.

For non-workstation data, you will need to work through your Purchasing or Sourcing organization for the contracts and the PO data.  I know, this is painful, but it is necessary.  Be careful here, because this organization protects "their" data carefully, which is another essential reason to establish your role as a compliance function.

Good luck and let me know if you have any questions.

Lee