A new report has highlighted the potential risks business leaders face from their trusted software suppliers.
As businesses become more digitally enabled, their operations and profitability will rely increasingly on software. But as the leading software companies migrate to cloud computing with subscription-based licensing, their traditional on-premise licence customers are caught in a tricky situation.
Smith & Williamson/Cerno’s Software risk report 2017 warned that company directors are ultimately responsible for the commercial agreements associated with the purchase and use of software by their organisations.
Specifically, the report urged company chiefs to look seriously at all risks associated with under-licensed software, both within their own companies and in any organisation they acquire or merge with.
Robin Fry, legal director at Cerno, said that as the main software providers come under more pressure from newer cloud providers, they are increasingly dependent on their existing customer base to generate new revenue. He warned that even trivial under-licensing infractions could lead to huge penalties.
“What is worrying for many customers is unpredictability in software licensing because it depends on the supplier’s own interpretation of ambiguous and opaque licence agreements,” he said. “This is the major IT risk for companies.”
The report used the recent National Association for Adult Vocational Training (AFPA) case as an example of how software suppliers can go after customers. As Computer Weekly has previously reported, Oracle went after the AFPA, claiming that it was not authorised to run the purchasing module for 885 named users. Smith & Williamson/Cerno’s report warned: “This case highlights the continuing jeopardy of even the most diligent of customers to high-value claims by software suppliers even where, in the end, the claim is found to be highly inflated and ultimately unfounded.”
Highlighting the importance of board-level visibility of software licensing, Fry said: “Quite often, it is disregarded as a CIO issue. But when you look at the prices businesses are being called on to pay, both auditors and the full board need to realise there is an impact on their balance sheet and profit and loss.”
In one case involving a mid-sized European retailer, Fry said the assessed software licensing risk was more than £160m, representing a quarter of the group’s turnover. “This isn’t just a rounding error in management accounts,” he said. “It can be devastating – and it is critical that it is identified and then remediated, in advance of any supplier licence audit, in a controlled manner.”
Fry said software licensing issues tend to get elevated to C-level only when people get their fingers burnt lower down the organisation in an unexpected audit and the penalties then spiral. In his experience, companies can often get caught out by fairly innocuous add-ons to a core product, run in virtualised IT environments.
“What might seem like a small and inadvertent infraction to the IT team can readily elevate to six or seven figures,” said Fry.
The report warned that even the best-managed businesses, with absolute regard to compliance in their software licensing, are being confronted with shortfalls, often resulting in very high unbudgeted demands to be paid immediately.
As Computer Weekly has previously reported, SAP is seeking $600m in compensation for unlicensed use of its software by Belgian brewer Anheuser-Busch InBev. And earlier this year, the High Court ruled in favour of SAP in its case against Diageo for indirect access to its software. The ruling stated that “only named users” are authorised to use or access SAP’s mySAP enterprise resource planning (ERP) software directly or indirectly. SAP is seeking £59m from Diageo.
Smith & Williamson/Cerno’s report warned that if a business is not keeping complete and up-to-date financial records, including contractual obligations such as software liabilities, then it and, in particular, its directors may be in breach of the Companies Act 2006.
“A consequence of significantly under-recording liabilities (and thereby overstating financial performance) is that the management team will not make informed decisions and may well face solvency and liquidity problems,” the report said.
Serious business impact
Given that stakeholders such as shareholders, bankers, employees and suppliers rely on the financial information that businesses produce in their day-to-day dealings, if software liabilities are not accounted for, the reporting errors will have a serious business impact.
Smith & Williamson/Cerno warned that it would affect an organisation’s reputation and could lead to adjustments to credit ratings, supplier terms and, for public companies, the share price.
The report pointed out that the under-reporting of liabilities could raise questions about a company’s general governance. “In the most extreme cases, shareholders could call for a director to resign, particularly for a poorly-performing business, or where the liability is significant,” it said.
Fry added: “Alongside credit risk and liquidity risk, businesses must also now include software licence risk.”
Merger and acquisition due diligence should include software liabilities, the report noted. “If a business has been under-paying material software costs for several years, then a higher level of earnings will have been reported than would have otherwise occurred,” it said. “A purchaser may therefore overpay and, on discovery, seek compensation.”