Making Audits work for you!
Who are we & why speak?
• Who?
– Turnover approx. £4B per year (Sainsbury's Argos only, which is the non-food side of the business)
– Spend approx. £100m on IT with software renewals constituting about £30m
– Approx. 400 vendors with the usual 5-10 main vendors and a very long tail and over 3500 products, both licensed and open source
– Complex environment: mainframe, AIX 5.1, Citrix, VMware & Cobol from the 1980s
• Why?
– Audits have no set routine; the variance across vendors and products is too great. Knowledge, experience and real-world examples help all of us to mitigate the impact.
– Vendors thrive on the fear of being audited to suppress business intelligence being shared.
– SAM is a value driven profession and our stakeholders need to be aware of our capabilities.
Audit Steps
• Pre-Audit
– Mitigation
– Risk profiling
– Risk acceptance
– Planning
– Proactive defence
• Audit initiation
– First letter
– Audit checklist
• Audit defence
– Strategies and Legal positioning
• Negotiation
– Team Structure
– Negotiation Strategy
– Concession Strategy
– Timelines
– Future relationship
Pre-Audit
Mitigation
General Policy creation
– No audit while in RFP
– No audit when delivering results of RFP
– If in an audit then excluded from RFP
Vendor Specific policies or License constraining
– Specify Oracle systems to be brought up in case of DC DR (restricts licenses)
– Test environments to use licenses specified as Development or with Mobility (License pools)
Vendor Relationships
– Good relationships with account manager should reduce risk of Audit.
Risk Profiling
What is your risk from Audit?
– Which vendors are active in the market and what is your risk with each vendor
– What is your real risk rather than perceived risk? Would they really audit you?
– Which vendors need an audit defence strategy?
– Which vendors will likely never cause a risk to the business
Expect 2-3 audits per year
– One mitigated
– One resolved with little or no commercial or license implications
– One to affect next year's budget
What factors increase risk?
– Divestiture and M&A
– Lost sales opportunities
– Lost RFPs
– Technical staff (internal misinformation)
– Limited dialogue
Risk Acceptance
What is total risk in the business
– Often shown as a high, scary figure concentrated on by vendors, consultancies and managed service providers
What is the actual risk
– Maximum that any one vendor could bill with 10-20% headroom for the unknown
– Not just the monetary cost but what is the risk to reputation
What risk will the business accept?
– Work on the largest risk until it reaches the accepted risk level or below another recognised risk.
– If a new risk is identified that is larger than the risk acceptance level, move to the new risk.
– Eventually work on all risk areas to keep reducing risk throughout the business.
– Deal with low risk profile vendors as and when an event occurs, renewal/purchase
Audit Planning
• Vendor Specific plans / strategies
– Does the vendor require a specific plan/strategy due to its position in the 4 box grid and Risk profile?
• Who will be called upon to answer the audit (incl. SAM)
– Legal, Procurement, Commercial teams, Vendor/Ops manager
– What are their roles and responsibilities
• When will you meet
– Weekly or monthly
– What are the triggers for changing meeting frequency
• Escalation paths
– Who is accountable if SAM is responsible
• Financial year ends of each vendor
• Communication plan (loose lips cost lives)
Vendor financial year ends:
– Autodesk: January
– Dell: January
– CA Technologies: March
– Compuware: March
– Symantec: March
– Infor: April
– Micro Focus: April
– Oracle: May
– Microsoft: June
– HP: October
– Adobe: November
– SAP: December
– Attachmate: December
– VMware: December
– ASG Software Solutions: December
Proactive Audit Defence
• Software strategy
– On-boarding
• By risk profile (based upon their activity and aggressiveness in the market)
– Create a 4 box grid for all vendors and use to help with risk profiling (emerging, strategic, tactical and legacy)
• Do you on-board all your vendors if there is a very long tail, or consolidate?
– ELP generation
• Accept gaps
• Plan risk mitigation
• Roadmap maturity
– Risk Management
• Risk change
• Risk acceptance appetite change
[Figure: 4 box grid with quadrants Emerging, Strategic, Tactical and Legacy; axes: Business direction and Cost]
Audit Initiation
Audit Start
• Who initiates the audit?
– You or the Vendor?
• Self Audit in response to vendor audit?
– Who carries out the audit?
• Vendor or Third party
– Shut down communications according to communications plan.
• Vendor contract
– Where is your entitlement
– What are your legal obligations
– Review contracts and prior Audits to get your “line in the sand” – Identify Exclusions
• Know your ELP
– Hard to know everything
– ELP is like Swiss cheese
– What is missing for that vendor?
– Who can get that data/can you get the data?
• MSPs are slow to respond to requests and cost money
– How is the software used and what is it used for?
• Remember you could have 1000s of products
Audit Checklist
Negotiate the Scope of the Audit
– Non-Negotiable
– Negotiable
– Wish List
Checklist
– Geography & Legal entities
– Device type & OS
– Start date and grace period
– % of acceptable non-compliance
– Who will conduct the audit
– Where can they work
– What data is allowed off site
– What information is required
– Baseline and compliance agreed at end
– Non-Audit clause at completion for a period
Audit Defence
Strategies and legal positioning
What do you need to do legally?
– Legal team defines what your minimum commitment of data is and its format
– Legal verify all questions and tactical manoeuvring to ensure contract compliance
Response Strategies
– Print all results on paper and have them work on paper formats to slow the audit down.
– Make the audit difficult, but within the constraints of the contract, in order to get the audit cancelled or changed to self-declaration
– Delay the conclusion of the Audit to after the end of year for the vendor or yourself, depending on the risk.
– Delay the conclusion until Vendor end of year in order to get the best negotiation position.
– Ensure that communications and data are sent through a nominated person (group); any communications outside of this are not subject to Audit
Negotiation
Team Structure
• Will comprise some of the Audit response team
• What additional resources are required?
• What are their roles and what are their negotiation strengths?
– Listening
– Communication
– Decision making
– Emotional control
• What are the negotiation styles you will use for/against?
– Bully - Competing
– Negotiator - Collaborating
– Politician - Avoiding
– Doormat - Accommodating
• Do you have someone of each negotiation style involved?
Strategy
• How will you run the negotiations?
• Who will be involved from both the vendor and your company
• How many people will actively negotiate
• What is their cultural perspective (US, EUR, UK, APAC)
• Good cop Bad cop
• Bad Cop Worse cop
• Concession Trading
• Auction Bartering
• WIN-WIN scenario setting
• Concession strategy
• List your goals and the negotiation styles required for each
• Meetings
– Appropriate authority to make decisions
– Have non-negotiables been agreed (don’t start unless they have)
– Assess the negotiating styles they are bringing and determine your defence against them
Concession Strategy
• Clarity on the vendor's goals
• Clarity on your goals
• Sequence of which goals to trade or exchange for both parties
• SWOT analysis of goals
• Mapped against negotiation styles
• What is your BATNA (Best Alternative To a Negotiated Agreement)
• What happens when it fails
• If the results are less than your BATNA there is no point in proceeding with negotiations
Timeline & Relationship
Timeline
• Is there a deadline that needs to be reached due to the Audit defence strategies followed?
• Clear timelines and meetings keep the pace of negotiations from faltering.
• Ensure that the vendor knows and agrees the pre-planned meetings and the final meeting in advance, to ensure that they make decisions.
• Contracts and baseline should have an agreed date of completion after negotiations so that there is clear commitment
Relationship
• Once the audit is completed you want to see how you can keep the relationship positive
• Keep meeting quarterly or every 6 months depending on the vendor to reduce risk of audit
• Meetings related to the 4 box grid (Emerging, strategic, tactical & Legacy)
• Do the results of the negotiation change their position on the 4 box grid?
Thank you!