Software risk management is still at last century’s level
Software is currently the largest capital good of most organizations worldwide. As such, this requires solid risk management, but that is hardly the case in the business sector. And it’s easy for things to take a turn for the worse and result in major financial consequences and slow down innovation.
Software is, in its many manifestations, the engine of the Dutch economy. Thanks to software, the port of Rotterdam handles 461 million tons of goods a year, our banks register tens of thousands of payments every day and, in just a few years, we’ll use mostly self-driving cars. The dependence on software is enormous. An interruption of just an hour can cause enormous problems and losses.
In the last century, software was a by-product that made certain matters more efficient. Since then, it has rapidly become better, more advanced and more intelligent. Software has become the most important capital good of companies. The software budgets that, according to Gartner, grow annually, also reflect this. However, while software has undergone an enormous development on a technology and business level, its risk management is stuck in the last century.
Organizations are rarely concerned about managing the risks of software, while spending large percentages of their budget every year on it. There is often nothing else, but a list created manually (e.g. an excel file) of all software products in the organization. This is a method that might work well for physical property, such as office buildings and machines, but not with software, as it is not about ownership, but the intellectual property and usage. Such a list is, by no means, enough to gain insight into the complex world of countless licenses, user rights and contractual conditions. In this virtual world, breaches of contracts are always on the lookout. Particularly as these conditions can change from one day to the next.
This entails major financial risks from a compliance perspective. Violating the license terms can lead to substantial claims from software vendors such as Oracle, SAP, IBM and Microsoft. The Belgian multinational InBev knows now how it can go wrong. Earlier this year, SAP claimed six hundred million dollars from the beverage and brewing company for unauthorized use of their software. Such sanctions are not exceptional in the Dutch business sector either, even though most organizations know how to keep them out of the press. An IDC research shows that software vendors are increasingly performing audits to uncover contract breaches - it has become part of their revenue model.
It goes without saying that a claim of a few millions can have disastrous consequences for an organization’s operational management. It also slows down innovation. The most innovative companies are the ones that depend entirely on software and a claim can jeopardize their continuity. With such financial consequences, it’s easy for fear to arise and stop organizations to try new things and make investments.
The IT department can and must prevent such situations by working together with finance and legal to manage the risks related to software. The amateurism of the last century must disappear. Software has since conquered a prominent position in organizations. Now risk management should follow.
This article is also published in Dutch, on Computable.