Date posted: 14-Jan-2017
Category: Technology
Uploaded by: martin-thompson
The ITAM Review US Conference 2016
IBM Audit Defense
Eric Chiu, Managing Director, Fisher IT Asset Consulting
Who we are
Introducing Fisher IT Asset Consulting
§ Part of HW Fisher & Company
§ London | Europe, US and Australia
§ Poacher-turned-Gamekeeper
§ IBM+ Services
• Licence Compliance & Optimization
• Deloitte/KPMG Audit Defense
• ILMT Readiness & Certification
• LMO Readiness & Certification
• Mainframe Compliance & Optimization
Agenda
What are we covering today
§ Why IBM is auditing its loyal customers
§ Case Study - value of audit defense
§ IBM Audit Lifecycle & Defense Tactics
§ Top IBM Compliance Risks
§ Best defense – proactive management
§ License Management Options
Why IBM Audits
Desperate times, desperate measures
• Oct 2014 – IBM drops Earnings Per Share target ($20)
• Feb 2016 – IBM announces reorganization of business
• July 2016 – IBM faces 17th consecutive quarter of decline
Revenue Generation: Software business contributes nearly 50% of group profit; over 20% of software revenue is from compliance
Forced New Business: Compliance settlement figures are often ‘offset’ by commitments toward new product purchases or Enterprise Agreements
Audit without Defense
! OWNED VS DEPLOYED
Part # | Product | OWNED | DEPLOYED | UNDER-LICENSED | OVER-LICENSED
D55MRLL | Domino Utility Server | 2 600 | 1 200 | | 1 400 PVU
D17BALL | Cognos BI Analytics Admin | 5 | 210 | 205 users |
D175DLL | Cognos BI Analytics Expl. | 40 | 0 | | 40 User
D17BGLL | Cognos BI Analytics User | 175 | 0 | | 175 User
D56FELL | TSM | 44 880 | 44 880 | |
D55WJLL | WAS Network Deployment | 8 800 | 28 000 | 19 200 PVU |
Post-Defense Position
OWNED VS DEPLOYED – Post Optimisation
Product | OWNED | DEPLOYED | NEEDED | MISSING | SURPLUS
Domino Utility Server | 2 600 | 1 200 | 800 | |
Cognos BI Analytics Admin | 5 | 210 | 10 | 5 users |
Cognos BI Analytics Expl. | 40 | 0 | 0 | |
Cognos BI Analytics User | 175 | 0 | 200 | 25 Users |
TSM | 44 880 | 44 800 | 44 800 | |
WAS Network Deployment | 8 800 | 28 000 | 20 000 | 11 200 PVU |
Also shown on the slide: 205 users, 19 200 PVU
Value of Audit Defense
§ Executed as a Self-Declaration
§ Cash Expenditure reduced from £7.1m to £1.62m
§ Year 2 Renewal reduced from £2m to £1.26m
§ Converted to SSSO from PA
§ “Happy” Customer & IBM
The IBM Audit Lifecycle
How does a typical IBM license audit happen?
Selection → Notification → Scoping & Initiation → Data collection → Data analytics and validation → Factual accuracy discussion → 3-way hand-over → Settlement discussions
Audit Candidate Selection
What IBM & Auditors typically do
§ Select customers for audit based on risk and rewards
§ Clear internal conflicts and politics
What customers can do
§ Maintain a good relationship with IBM
§ Negotiate the audit clause out of the contract
§ Understand the licence models and do NOT sign up to the models that you cannot manage
§ Understand risk indicators (e.g. sub-capacity, M&A, high growth) and demonstrate control
SPEND: Customer’s purchase level with the vendor
ORG: Organisational structure complexity
CHANGE: Level of organisational change such as M&A activities
COMPLEXITY: Complexity of licensing model agreed
PATTERN: Purchase pattern that does not reflect growth
MATURITY: SAM maturity intelligence gathered from account team
Audit Notification
What IBM & Auditors typically do
§ Send formal audit notification letter to notify customers regarding the audit
§ Specify contact details of IBM compliance manager
§ Specify timeframe and audit partner
§ Chase for a ‘kick-off’ meeting
What customers can do
§ Define a project team to manage the audit, and assign a Single Point of Contact (SPOC)
§ Take ownership of timeline
§ Apply delaying tactics and launch an internal audit immediately if you lack visibility and confidence in licence compliance
Ask Yourself
Can you measure non-PVU software usage?
Do you discover non-Windows, test/dev servers?
Is your knowledge based on facts or words?
Audit Scoping & Initiation
What IBM & Auditors typically do
§ Walk you through what will happen in an audit (could be intentionally vague about data requirements)
§ Propose audit scope
§ Propose project plan
What customers can do
§ Request an NDA
§ Request clarification and review of data requirements before any commitment
§ Control the scope of audit to your advantage (e.g. expand or limit)
§ Take ownership of the project timeline after data requirements and scope are agreed
Data Collection
What IBM & Auditors typically do
§ Remote data collection
§ Onsite data collection
What customers can do
§ Ensure all data collection requests are reviewed by the SPOC
§ Ensure all communications are through the SPOC
§ Limit the scope of scripts to be executed and onsite validation samples
§ Ensure data sets released are of good quality and do not conflict with each other
§ Ensure you understand the use and impact of each data set released
Interviews: auditors talk to your staff and collect information verbally or through observations
Self-declaration: a guided template for you to supply software usage information
Request existing records: any existing data that you already have from CMDB or tools
In-App reports: generate built-in reports in some applications, such as user or connection reports
Execute scripts / tools: run auditor’s bespoke software and hardware inventory scripts
! Challenge requests that you are not comfortable with
Data analytics and validation
What IBM & Auditors typically do
§ Consolidate data and generate reports
§ Ask additional follow-up questions
What customers can do
§ Use a consistent review and communication protocol as per Data Collection stage
Factual Accuracy Discussion
What IBM & Auditors typically do
§ Present you with a Draft Effective Licence Position Report with initial findings
§ Seek your factual accuracy confirmation (agreement) to the Draft Report
What customers can do
§ Investigate the compliance issues in detail, on both licence and usage quantities. Involve the team that provided the data and product owners.
§ Validate the auditor’s documented comments and assumptions
§ Seek clarifications for items that you do not fully understand
§ Only provide ‘agreement’ with heavy caveats
3-Way Hand-Over
What IBM & Auditors typically do
§ Close the ‘fact-finding’ part of the audit, and confirm compliance observations
§ Discuss settlement timeframe
What customers can do
§ Highlight disagreements on any compliance observations
§ Do not commit to any settlement timeframe proposed
§ Start preparing for settlement negotiation strategies
Settlement Discussions
What IBM typically does
§ Send an initial cash quote with very high figures (‘the stick’)
§ Offer concessions and discounts if valid mitigating circumstances are provided
§ Part-cash, part purchase commitment offers
§ Partial settlement offers
What customers can do
§ Create strong mitigating circumstances
§ Request waivers
§ Use time to your advantage
Revenue Timing
Revenue Target
Future Revenue Possibility
Customer Relationship
Mitigation Strength
Vendor Goodwill
Top IBM Software Compliance Risks
Virtualisation (Sub-capacity)
User role & access definition
Server role definition
Multiplexing
Application specific restrictions
3x – 8x
20x – 50x
2x – 5x
50x – 100x
2x – 3x
Don’t forget Mainframes
Unlicensed Product & Features: The built-in SCRT report on average only reports 75% of the enabled products and features
Sysplex & Sub-Capacity Violation: Stringent eligibility criteria cause non-compliance, which often increases licence cost by 10+ times
Complex Licence Calculation: From PSF Printers points to IPLA Value Units, calculating the correct licence count is challenging
Undeployed Software: You are charged for all entitled MLC titles in your contract even if they are not deployed
Unnecessary Licensed Capacity: The average licensed capacity excess (unused capacity) is over 20% per mainframe contract
Sub-Capacity Licensing Discounts: Many customers are unaware of or unclear about the platforms and products eligible for sub-capacity
IBM – Proactive Management
Top Down, then Bottom up
What we have bought?
PVU
Non-PVU
ILMT Deployment & Validation: Bundling, coverage & accuracy
Additional Information Required
Design Data Collection Methodology to measure usage according to charge metrics
Manual Calculation
ILMT Update & Sign-off
Effective Usage, i.e. Licence Consumption
License Management Option
Is IBM LMO for You?
§ ESSO/NGSA Customers Only
§ Offered at contract renewal or under audit
§ Replacement of audit clause with self-reporting
§ Must be certified first!
Questions?
The ITAM Review UK Conference 2016
Thank You