The retailer. EY s publication in consumer products and retail sector. April June 2014

Transcription

1 The retailer EY s publication in consumer products and retail sector April June 2014

2 Foreword Dear reader, We are delighted to present the April June 2014 edition of The retailer, our quarterly publication in the consumer products and retail sector. In this addition of The retailer we have primarily focused on the themes of risk management and IT in retail and consumer products setups. In the first article, we have highlighted the complexities in risk management, especially complying with laws of different countries. A robust risk management system benefits most stakeholders and contributes toward improvement in operations and valuation of the company. Any consumer business is relationship oriented and a provider needs to aim for 100% customer satisfaction. Therefore, a provider has to ensure minimal downtime and focus on developing a business continuity program (BCP). The article provides a high-level framework that retail companies could use to develop their BCP. Further, we have highlighted needs and benefits of effective software asset management program. An effective software asset management program will not only help companies save software expenditure, but also give a realistic picture of true cost of ownership (TOC). Furthermore, it would help in better control over latest software and security updates and help in staying compliant. Finally, we continue our featured section, the Innovation board, where we aim to present to you snapshots of recent innovations in the Indian and global retail and consumer products sector. We hope you enjoy reading this issue of the retailer and look forward to your valuable comments and feedback. Pinakiranjan Mishra Partner and National Leader, Retail and Consumer Products EY, India Celebrating five years of The retailer 2 The retailer

3 Contents Risk Management: need of the hour 4 Recognizing the importance of business continuity in retail 8 Software asset management 14 Innovation board 20 Involve yourself: We look forward to hearing your feedback and suggestions. To contribute to editorial content, please contact Ashish Kakwani T: E: ashish.kakwani@in.ey.com The retailer 3

4 1 Risk Management: need of the hour Introduction In recent years there has been an increase in international enforcement of foreign anti-corruption laws in India across different sectors. The US Foreign Corrupt Practices Act (FCPA), the UK Anti-Bribery Act, and Canada s Corruption of Foreign Public Officials Act have targeted a broad range of foreign companies and individuals conducting business in India. Some of the world s most prominent companies have been subjected to anti-corruption investigations by American enforcement agencies. Violations of FCPAs anti-bribery and so-called books and records provisions in India have resulted in foreign companies paying multi-million-dollar fines, in addition to other criminal penalties. Further these companies are spending millions of dollars on establishing internal anti-corruption mechanisms and controls designed to ensure compliance with the FCPA in the country s high-risk environment. However, there are signs that India s own regulatory landscape is evolving, in an effort to more effectively battle corruption. Amendments to India s antiquated Companies Act that were put into effect are intended to foster increased transparency and accountability within India s burgeoning corporate sector. Governing trends indicate that American authorities, in particular, are likely to continue their rigorous enforcement of the FCPA in India. As a result, foreign companies must remain cognizant of various risks they face when conducting business in India and ensure that they have credible anti-corruption compliance measures in place, which effectively guard against those risks. Risk management has now become a key enabler in driving the overall strategy of leading companies unlike in the past, where risk management was looked upon as a policing and regulating function. Risk is now everybody s responsibility and plays a major role in decision-making across the organization. Leading companies are improving their risk and control functions, adding new people and leveraging specialty skills to address business risk on a comprehensive basis. Overall, leading organizations are driving Risk Governance from a holistic business perspective. Questions to ask How well do we know organizational key compliance, reputational and business risks? Do we know the significant compliance and reputational risks we face? How are these risks we take related to our strategies and objectives? Do the risks we take give us a competitive advantage? How are the risks we take related to activities that create value? Are the risks in line with the norms of the local market? Are we taking the right amount of risk? Are we getting a return that is consistent with our overall level of risk? Does our organizational culture promote or discourage the right level of risk-taking activities? Do we have a well-defined organizational risk appetite? Has our risk appetite been quantified in aggregate and per occurrence? Is our actual risk level consistent with our risk appetite? Are we adequately managing our risks? Is our risk management process aligned with our strategic decision-making process and existing performance measures? Is our risk management process coordinated and consistent across the entire enterprise? Does everyone use the same definition of risk? Do we have gaps and/or overlaps in our risk coverage? Is our risk management process cost effective? 4 The retailer

5 An inside out and outside in task The inside out component of risk management requires the organization s leaders to establish a vision, values and strategic goals that set the right tone. This is expected to permeate the entire organization and guide actions and behaviors throughout all its operations, creating a culture where responsible and ethical conduct is the norm. These should be supported by policies and codes of conduct; a robust framework for identifying and managing threats and opportunities to reputation; and roles and reward systems that are fully aligned with the objectives and ethos of the business. The business s approach to governance should consider the needs and expectations not only of shareholders but also of other partners who have a stake in the business. The way to gain a good reputation certainly is to endeavour to be what you desire to appear. However, this tackles only the inside out perspective of reputation. You also need to scan external impacts and influences, canvas stakeholder opinion and understand future trends to ensure that the business you are seeking to be is the business your stakeholders want you to be both now and in the future. It requires frank and open dialog with your stakeholders to gain a real understanding of those impacts and issues, to truly grasp what will earn the respect and trust of your stakeholders, to fathom what might spark conflict, and to identify new business opportunities. What is needed is both an inside out approach that enshrines the business values in policies, integrates them with strategy and examines internally generated risks and An EY survey indicated that 82% of investors will pay a premium for companies that demonstrate successful risk management, while 61% of investors will avoid investing if risk management is deemed insufficient. 1 an outside in approach that appraises the business from the perspective of its stakeholders and its external impacts on society and the environment, and seeks to minimize threats and maximize opportunities. The key components of effective risk management are: 1. Unequivocal vision and values that set the tone for the entire organization and delineate accountability. 2. Supporting policies and codes of conduct that guide employee behaviors and decision-making so that goals are achieved in accordance with organizational values. 3. Inclusive approach to governance that is accountable to stakeholders other than shareholders. 4. Understanding of /responsiveness to shifting stakeholder requirements and expectations that seeks balanced solutions 5. A robust and comprehensive risk management system that is able to curb threats and leverage opportunities to reputation and deliver credible assurance. 6. Willingness to learn, adapt and recalibrate in response to new issues, impacts, threats and opportunities. 7. An open and empowering organizational culture where employees feel valued, trusted and able to express their views. 8. Alignment of goals, roles and rewards so that employees throughout the business are aligned in pursuit of business goals and are recognized and rewarded in accordance with its values and ethos. 9. Extension of values and policies to business partners who participate in safeguarding and enhancing the business reputation. 10. Transparent and credible reporting and communications that meet stakeholder requirements and build trust and confidence 1 EY (2005). Investors on Risk: The need for transparency The retailer 5

6 How does risk management enable performance? Leading organizations recognize that effective risk management both protects and enables performance they recognize that better managing risk can create a competitive advantage. Business drivers Risks Comprehensive risk coverage across multiple functions Operations Corporate functions Risk functions Oversight Asset and capital management Strategic Research & Development Transactions Internal audit Executive management Business strategy Earnings and operating margins Revenue and market share Operations Financial Sales & Marketing Programming Service Delivery Operations Support IT Tax Finance Legal Compliance Internal control Board Audit committee Achieve business objectives Reputation Compliance Customer Service HR Risk management Other committees Enterprise performance enablement aligned to business objectives A practical approach 1. Develop risk assessment framework: Identify, assess and prioritize the key risks to achieving the organization s objectives. The core components of the risk framework include: a) A common definition of risk risk is what encourages the fullest possible capture of potential threats and opportunities for the business. The proven methodology of the risk assessment process will: b) Provide an insightful point of view on significant inherent risks from an industry perspective and link them to objectives, initiatives and business processes 6 The retailer

7 c) Efficiently capture insight from across the organization using a combination of web-enabled surveys, structured interviews and technology-enabled working sessions d) Validate and prioritize key risks for monitoring and testing 2. Testing internal control framework: Evaluate the internal control framework by testing. The process identifies opportunities to evaluate the design and application of the risk and control framework to define improvement opportunities for better coordination and alignment. The primary focus is on: Assess: Evaluate key risks and controls; validate and prioritize the risk profile and define improvement and monitoring efforts Improve: Improve the design and/or operating effectiveness of processes and controls; leverage leading practices and industry insights Monitor: Validate that processes are operating as designed, controls are effective, and risks are properly managed 3. Build an enterprise approach to align controls: define and prioritize opportunities to: Way forward A risk-based inside out and outside in approach to reputation, which takes into account the perceptions, needs and expectations of major stakeholders can help to rebuild that trust. A systematic assessment of the risks to reputation from financial performance, corporate governance and leadership, regulation, customer relations, workplace talent and culture, corporate social responsibility and from reporting and communications, will equip businesses to respond appropriately to the ever-changing impacts and issues they face. By adopting such an approach, they will automatically meet the exigencies of the evolving corporate governance, CSR, risk management and reputation agendas. Businesses, which act swiftly can reap the benefits of firstmover advantage, reinforce their legitimacy and create unique differentiators that will enable them to compete, grow and thrive. Those that lag behind and ignore these new imperatives may see their performance and their reputations dwindle. Positioning risk management and a robust internal control framework at the heart of your business activities, proactively seeking to curb the threats and leverage the opportunities that arise will provide organizations with the confidence and the sureness of touch to respond swiftly and decisively to the challenges and opportunities that lie ahead. Develop specific plans to improve and monitor significant reputational risks and controls Embed enhanced activities to manage reputational risk and control within existing functions and processes, Enhance framework components that support coordination and alignment for compliance risk management and internal control across the organization Implement practical solutions based on leading practices Kartikeya Chaturvedi Manager Kartikeya is a Manager in Retail & Consumer Products practice of EY and is based out of Mumbai. He leads several teams for process reviews and risk-based internal audit engagements for leading companies in the retail & consumer products sector. He has more than six years of experience in risk and controls review, process reviews, internal audit review/ SOP preparations. E: kartikeya.chaturvedi@in.ey.com P: The retailer 7

8 2 Recognizing the importance of business continuity in retail In a recent incident at a retail outlet, the point of sale or billing machines suddenly stopped working during peak SALE period. The store switched to manual billing eventually leading to two hours of long queue for customer billing. Naturally, the question arises what precautions can be taken, and what standards can be followed so that such incidents are not repeated. Simple things such as point of sale machine not working or the network break down can lead to significant customer dissatisfaction. The relationship between businesses and their customers has become more complicated over the past few years, as new technologies, social media and changing attitudes continue to redefine the customer experience. The retail sector, more than any other, understands how these changes have made business continuity more challenging in the modern age. Changes in retail technology, the shift toward online shopping and the insatiable demand for omni-channel retailing have made many traditional approaches to business continuity challenging to implement. As a result, businesses are being forced to rely on partnerships and external suppliers to provide services that are either completely new or which had previously been controlled in-house. Imagine if one of the following scenarios has to happen to you: 1. A company has done poor forecast of product requirement based on a market study. Is the retail company ready to accept revenue loss due to non-availability of products to customers? 2. A company has not analyzed customer requirements adequately. Is the retail company prepared for product recall and in turn loss of revenue, brand image and customer dis-satisfaction? 3. There is a transport strike in the city and no road transport is available. Is the retail company ready with multiple transport means (such as rail route, water route etc.) to help ensure continuous availability of products to its customer? 4. A third party vendor from whom the products were purchased has shut down and products are not available. Is there a tie-up with multiple vendors to help ensure continuous availability of products in the store? EY s point of view on retail value chain The image below highlights the dynamics of retail s value chain and the various areas that could go wrong: Supplier 1 Product availability 3 Orders Deliveries 3 Marketing Marketing Advertising Merchandising Replenishment parameters Approved suppliers Annual merchandising 3 Supply chain management Merchandise Replenishment orders Store operations 4 Strategy Demographics and demand Requirements 2 Merchandise Payment Customer 6 Support functions 5 Projects Admin Legal IT Loss prevention Investor relationship HR Finance Corporate relations 8 The retailer

9 5. There is a large fire at one of the warehouse or store. Is the retail company ready with adequate evacuation mechanism to help ensure there is no loss of life? 6. An IT system is not adequately configured for auto replenishment leading to non-availability of product. Is the retail company ready with alternative mechanism to ensure customer satisfaction? Retail companies need to address three critical questions: Is the company prepared to respond to such disaster events and continue to serve customers? How does the company ensure that impact of such disasters is minimized? In case of a disaster, does the company have ways to evacuate staff and customers? Based on the recent Global Information Security Survey (GISS) conducted by EY, 58% of the retail companies mentioned business continuity/disaster recovery as their priority. Refer the summary below: Business continuity/disaster recovery 58% 13% 8% 10% 11% Compliance monitoring 14% 36% 11% 18% 21% Cyber risks/cyber threats 14% 21% 14% 22% 29% Data leakage/data loss prevention 27% 29% 22% 11% 11% Forensics/fraud support 14% 14% 29% 43% Identity and access management Implementing security standards (e.g., ISO/IEC 27002:2005) 9% 8% 26% 17% 33% 28% 16% 34% 21% 8% Incident response capabilities 8% 33% 17% 25% 17% Information security risk management Information security transformation (fundamental redesign) Offshoring/outsourcing security activities, including third-party supplier risk Privacy 12% 19% 20% 20% 28% 11% 11% 17% 19% 10% 29% 22% 20% 34% 43% 39% 30% 16% Recruiting security resources Secure development processes (e.g., secure coding, QA process) Securing emerging technologies (e.g., cloud computing, virtualization, mobile computing) Security awareness and training Security governance and management (e.g., metrics and reporting, architecture, program management) 40% 25% 12% 15% 26% 17% 14% 29% 5% 24% 19% 25% 19% 40% 22% 17% 33% 20% 38% 18% 28% 14% Security incident and event management (SIEM) 29% 21% 14% 29% 7% Security operations (e.g., antivirus, IDS, IPS, patching, encryption) 12% 19% 36% 21% 12% Security testing (e.g., attack and penetration) Threat and vulnerability management (e.g., security analytics, threat intelligence) 7% 10% 14% 21% 32% 36% 58% 22% 1st 2nd 3rd 4th 5th The retailer 9

10 Preparedness is the key to effectively manage crisis and continue to provide customer satisfaction. Such incidents can be avoided and impact can be minimized, if retail companies take precautionary measures against internal and external threats. Retail companies will need to start embedding business continuity and customer satisfaction measures as part of larger strategic imperatives. As the traditional retail environment continues to evolve, more of the core business functions will move out of retailers control. While only very minimal retail sales are currently made online, there is a definite growth and online sales will increase significantly over time. As a result, the problems discussed above will only be intensified. The real winners in this battle will therefore, be the retail companies that are best able to overcome the potential business continuity challenges that arise, since those that fail to prepare for these issues will very quickly fall behind. Implementing BCP: unveiling the layers Companies often consider their disaster recovery plan (DRP) as BCP. BCP encompasses people, processes and infrastructure (the business layer) while a DRP addresses the technology layer. Furthermore, BCP is proactive and aims to keep the business running during a disruption. A DRP is reactive and usually focuses on recovering the IT environment and network infrastructure. In a nut shell disaster recovery is a critical sub-component of an organization s business continuity management. We believe a top-driven business continuity program taking into account customer satisfaction, customer/staff safety and continuity is a need of the hour. Continuity of retail business requires thoughtful planning, setup, response, and followup to ensure everything runs according to plan even if the world around the retail store is completely out of control. The continuity plan should provide an enterprise-wide risk-based Business continuity program Incident management plan Emergency response plan Crisis management plan BRP Operations resumption plan Supply chain recovery plan Premises recovery plan Personnel recovery plan Business layer Recover DRP IT recovery plan Network recovery plan Technology layer Protect, sustain, respond, resume, recover, restore and return BRP Business Recovery Plan DRP Disaster Recovery Plan 10 The retailer

11 approach, covering people, processes, technology and extended enterprise to ensure continuing availability of business support systems and minimize disruption risks. At a broader lever, retail companies should perform adequate risk assessment, have a dedicated crisis management team and make the entire staff aware of the continuity program. A threat and risk assessment will provide retail companies with an ability to understand how natural and man-made threats can affect store operations. This will aid retail companies in defining ways to minimize impact of such threats. For instance, stores prone to floods will do well by performing regular building maintenance and keeping drainage system clear of all debris and obstructions. Potential impact of a fire can be averted by appropriately implementing fire safety measures and identifying potential flammable items that need to be appropriately stored at the warehouse or store. Non availability of the products can be averted by identifying multiple vendors/suppliers. Retail companies will need to deploy a crisis management to quickly respond to the disaster situation. An effective plan will clearly define roles, responsibilities, and protocols for all those involved, and enable everyone to automatically act in accordance with the defined mechanism. Critical success of the crisis management plan will be the awareness and understanding of the activities by all concerned staff, customers, etc. This will ensure optimization of time, space and resources. For instance, at some point during an emergency or a disaster, it may be necessary to evacuate customers and staff. This will be more complex if disaster occurs suddenly or on a weekend or sales time when there are many customers who are generally unfamiliar with evacuation procedures. Therefore, retail companies must keep up-to-date information and floor plans of their buildings architectural, engineering and technical design in a safe and accessible place. The emergency contact list with numbers of fire brigade, police, and crisis management team etc. should be displayed at all key locations for easy access to the staff. The protocols in crisis management plan should not substantially differ from the daily practice and vice versa. By doing so, the planned actions will be more effective in one or the other situation. Moreover, adhering to crisis management plan will enable retail companies to achieve control of the crisis. Remember that the key to successfully managing a crisis is to Be Prepared. Benefits of robust BCP Reduces risk Helps in understanding existing exposures which form the basis for developing a focused strategy for reducing risk. Assists in analyzing current state by looking at key business drivers, critical business processes and significant interdependencies with business partners and third-party organizations. Benefits of a robust BCP Minimizes downtime Guides in implementing effective recovery strategies and a comprehensive business continuity program which minimizes downtime and reduces exposure. Lower downtime translates into increased revenue and helps create long-term values. Financial and market-share losses as a result of prolonged downtime can be devastating. Protects brand and image Assists in protecting brand and preserving company value by implementing a comprehensive business continuity program to respond quickly and effectively to an incident or potential incident. Safeguarding brand and image is essential to preserve customer confidence and allegiance. Improves readiness Improves the readiness to respond to a disaster or interruption and brings a heightened level of confidence to employees, management, customers and shareholders. Helps to establish a process for maintaining and updating plans for continuously improving readiness. The retailer 11

12 BCP in retail: final words Organizations that invest in the maintenance and testing of BCP are confident that BCP will make the organization more resilient in the face of disaster. Focused organizations maintain a welldocumented history of disruption and remedies. More often than not, a tried and tested BCP has worked well for an organization when continuity was at stake. Companies can make use of leading standards such as ISO to design and build robust business continuity management framework and take proactive steps to minimize the impact of the incidents. Pointers for an effective BCP Commitment from senior management: Management should establish and demonstrate commitment to a business continuity management policy. Senior management is responsible for the BCP of the organization and should provide necessary support. The onus lies on senior management to ensure that there is no ambiguity in the ownership of responsibility of BCP. Be meticulous: An adequate resource allocation is only the beginning of a complete business continuity initiative. As a company develops a BCP, every aspect must be covered meticulously. Effective emergency/crisis response: A response depends on the detection of an emergency or crisis. Early detection of an event might prevent it from becoming a disaster. 12 The retailer

13 Sneha Gandhi Manager Effective response ensures the safety of employees and customers and effective incident handling. Emergency/crisis communication: BCP needs various communication channels with the related stakeholders. Communication must be shared with customers, employees and media when a disaster is declared. Employee awareness: It is important to complement a comprehensive BCP with adequate level of employee awareness. It is essential that employees know the company s business continuity procedures and the role they are to play in a recovery situation. Assessment of vendor risks: An organization should identify vendor/partner dependencies for their core/support processes. Effective BCP addresses vendor risks and ensures that they become a part of overall planning and business continuity arrangements. Up to date: BCP should be upgraded and well maintained. Hence, it also becomes mandatory that the organization is prompt in the testing and maintenance of BCP. BCP drills must be conducted regularly with simulation. Sneha is a Manager with the IT Risk and Assurance (ITRA) service line within the Advisory Practice of Ernst and Young LLP. She has diversified experience across industries like industrial products, chemicals, life sciences, automotive, financial services, FMCG, retail, consumer product and technology. She has more than eight years of experience in the I.T. industry which includes a hybrid experience in Information Risk Consulting, Security audits, Designing and implementing security and network solutions and internal audits. As part of EY, she has lead multiples engagements that include ISO27001 framework development, data migration review, internal audits, IT roadmap development, PCI-DSS reviews, IT due diligence, Software Development Life Cycle review, ISAE3402/ SSAE16 engagements, Business continuity management review, Sarbanes Oxley readiness assistance et E: sneha.gandhi@in.ey.com P: Inputs from Nitin Mehta, Associate Director, ITRA The retailer 13

14 3 Software asset management Would you tell me, please, which way I ought to go from here? That depends a good deal on where you want to get to. I don t much care where Then it doesn t matter which way you go. Lewis Carroll, Alice in Wonderland EY s recent Enterprise IT trends and investment report 1 shows several positive and interesting trends within Indian markets. This survey aims to capture key IT priorities and initiatives taken by organizations across various sectors. It also captures investment patterns, and their variations from previous years. The CIO of 2014 is optimistic and looking forward to making significant investments for the development of IT and new solutions to achieve business expansion and customer satisfaction. However, the survey also noticed a distinct trend where the respondents have consistently selected fundamental solutions over fancy futuristic technologies. What this tells us is that after the slump of the past couple of years, CIOs will need to revamp their fundamentals, and get them right before moving on to more complex solutions. Talking about fundamentals, Software Asset Management (SAM) is an area, which CIOs are forced to think about. Leading IT directors and CIOs are realizing that effectively managing software assets can be a strategic advantage and can lead to stronger corporate governance. IT leaders, members of the C-suite, and shareholders have come to expect increasingly more from investments, including those which rely on IT functions. An effective SAM can make a significantly positive impact by helping to reduce license-related expenses, better manage compliance-related risk, and even improve overall operating efficiencies. Absence of an effective software asset management may result in: Increased procurement cost due to unavailability of accurate purchased inventory Increased financial exposure during vendor-driven spot audits due to over usage of licenses Increased cost of maintenance due to non-standard version of product used Increased risk to reputation Increased threat to information security due to cracks and keys Increased IT support costs Lack of control and productivity (absence of automated controls, increased FTEs) With an increase in focus toward technology enablement to easily reach out to customers, it is common for an organization to have 50+ software vendors and hundreds of contracts. As the number of implementations increase, management of contracts and deployment of software gets even more complex. Increasing complexity of the IT infrastructure (virtualization, cloud, outsourcing, bring your own device etc.), software providers have propagated potentially confusing and complex licensing metrics in existing agreements, which have made entitlement tracking by far more difficult to handle in even an simplistic IT environment. In this scenario, any technology refreshes, environment upgrades or optimizations is likely to pose a high risk of non-compliance. There are steps an organization can take before they are exposed to potential damages, from choices made during contracting to management of the software life cycle to preparing for the audit itself. A Gartner survey 2 (Software Vendor Auditing Trends: What to Watch for and How to Respond, May 23, 2012) revealed increasing license reviews and respondents said they had been audited by at least one software vendor during the past 12 months. While companies are able to clear these audits, the report further reiterates that a mature SAM program can save 3% 5% of your IT spend. 1 Ernst & Young and CIOKLUB s sixth Enterprise IT Trends and Investment Survey, was conducted from 14 February 2014 to 06 March 2014 and gauges current investment patterns, IT priorities and upcoming investment plans of organizations. More than 210 CIOs from various organizations across major industries participated in the survey The retailer

15 Typical software asset life cycle Due to the complex nature of software assets (licenses and maintenance contracts, associated IT infrastructure, etc.), SAM needs to be a comprehensive solution that integrates asset planning, purchasing, maintaining inventory, financial, maintenance and contract management into one management approach. That approach should cover software assets in all organization areas of the company, and consider the complete life cycle of the company s software assets. The below representation shows bifurcation of the SAM processes at an overall level: Where to start from While the aim is to establish an effective SAM, organizations have a common question Where do we start from? Below are our thoughts: Identify all license purchases till date Build an exhaustive software license inventory (what is used, how much is used and who are using) Reconcile and assess current software utilization vis-à-vis software license entitlements Identify software cracks and pirates used within the network Restrict administrative access on end-user machines Limit deployment of software through central IT helpdesk only Implement ITIL-based tools to monitor and control software deployment and utilization Use software metering to identify unused licenses over a period of time, excess licenses and optimization of purchase of licenses Control Enterprise Resource Planning (ERP) application licensing through end-user classification and minimal usage of interfaces Define an Software Asset Management framework to govern the software life cycle SAM Organization Management Process Corporate governance process for SAM Roles and responsibilities for SAM Policies, processes and procedures for SAM Competence in SAM Planning implementation, monitoring and review mechanism, and Continuous Improvement for SAM. Core SAM processes Inventory processes Verification and compliance process Operations management processes SAM Primary process interface Change management, Software development, Software deployment, Problem management, Acquisition process, Software release management, incident management, and Retirement Process The retailer 15

16 Software Asset Management (SAM) is the entire infrastructure and processes necessary for the effective management, controls and protection of software assets within an organization, throughout all stages of their lifecycle Processes can be established based on available standards such as ISO/IEC , ISO/IEC and ITIL and would primarily revolve around a five-stage life cycle model as below. Retire Plan ITIL Best Practices Guide: Software Asset Management 3 Monitoring and controlling Manage Acquire Deploy Plan: Activities performed prior to software procurement, such as evaluating technical and organizational requirements, planning the required quality and quantity (which impacts scale of discount), make-or-buy decisions, reviewing the inventory, etc. This step also includes software portfolio rationalization. Acquire: Identification of potential vendors and negotiation of the most cost-efficient contract and volume license deal are vital in this stage. At this time, the purchases/leases are executed; received goods are checked, tagged and entered into the software asset inventory. Deploy: Deployment begins when the software asset is made available for use. Effective deployment helps to ensure that the usage is recorded properly within the databases as the foundation for many SAM procedures. Manage: The keys to effective management are enhancing productivity within the existing infrastructure and sustaining user satisfaction. Increased transparency can be established by managing the distribution of software assets, license inventory, software upgrades and maintenance activities. More sophisticated SAM facilities enable organizations to monitor usage of software, enabling them to revoke software where it is not used and redeploy it to another user, or to a license pool for future deployment. Retire: Software asset retirement involves the planning and execution of orderly disposal of the software assets, closing of contracts and licenses and proper de-installation. Where licenses can be re-used, organizations should ensure software license availability is captured for use by others in the organization. At the end of this stage, software assets may be disposed of, sold or donated if feasible within the license contract. When are vendor license compliance audits conducted? Companies should be prepared for audits at any point in time, since they are aware that scrutiny has increased. Reasons could range from a vendor deciding it to be your turn as a part of their annual monitoring activity or an IT compliance agency selected your enterprise as part of a random series of audits or a compete or just a disgruntled employee acting out of revenge. The bottom line is, there is no escape. Such routine periodic audits are the only way for software companies to ensure full payment for their intellectual property, and they are counted on as a new revenue source when new license revenue is decreasing. Sooner or later, your company can be expected to be selected for audit. Are you ready for it? 3 The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. 16 The retailer

17 EY s point of view Organizations can use the below EY model to evaluate their SAM maturity. The below model is in line with ISO/IEC The maturity can be assessed based on an organization s processes and policies surrounding Software Asset Management governing acquisition, deployment and retirement of software assets. Key competency Basic Standardized Rationalized Dynamic SAM throughout the organization SAM improvement plan Hardware and software inventory Accuracy of inventory License entitlement records Periodic evaluation Operations Management Interfaces Acquisition process Deployment process Retirement process Project Manager assigned but SAM roles and responsibilities not defined No SAM Development or communication plan No centralized inventory or <68% assets in central inventory Manual inventory, no discovery tools Procurement manages contracts, not accessed by IT Managers IT Operations managed on ad-hoc basis SAM not considered part of M&A risk plan and company integration Assets purchased on a per process basis, without review of current availability Assets deployed by end users in distributed locations, no centralized IT No organized retirement process Direct SAM responsibility is identified throughout the organization SAM is defined and approved Between 68% and 95% of assets in inventory Inventory sources reconciled manually Complete entitlement records exist across organization Annual sign-off on SAM reports Operations manages separate asset inventories Software purchases used approved vendors Only approved software is deployed Software retirement is tracked Each functional group actively manages SAM SAM improvement is demonstrated Between 96% and 99% of assets in inventory Inventory sources reconciled quarterly Entitlement records reconciled with vendor records Quarterly sign-off on SAM reports Operations manages associated asset inventories Software purchases based on deployment/entitlement reconciliation Software deployment reports are accessible to stakeholders Retired software is reused SAM responsibilities defined in job descriptions across organizations SAM goals part of executive score card; reviewed regularly >99% of assets in inventory Dynamic discovery tools provide near real time deployment details SAM entitlement system interfaces with vendor entitlement to track usage System reconciliations and ITAM report available on demand All business units manage the same strategy, process and technology for SAM All purchases are made using a pre-defined asset catalogue based on metered usage Software is dynamically available to users on demand Software is retired using a comprehensive, automated process 4 ISO/IEC is a framework of Software Asset Management (SAM) processes to enable an organization to prove that it is performing software asset management to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall. The retailer 17

18 Many organizations wrongly assume that they comply with software licenses through information security policies that restrict the installation or use of authorized software. However, any enterprise can inadvertently be non-compliant over time for a variety of reasons including: Lack of monitoring Licensing rules changing dynamically from vendor to vendor and product to product Software company mergers True-up clauses in licensing agreements Outsourcing Use of new hardware Changes in IT environment Decentralized software procurements Use of virtual machines Outdated software that lack security updates can make your organization vulnerable to malware and other security breaches. Installation of unauthorized software is not only likely to increase your IT support costs but also further increase legal and financial exposure during external vendor licensing audits. It is important, that with each change in IT environment cloud, virtualization, BYOD etc., companies should be forced to think about the impact on their license agreements and metrics, eventually helping in always being in a compliant state. An effective software asset management program will not only help you save software spends, but also give you a realistic picture of your true cost of ownership (TOC). Furthermore, it would help in better control over latest software and security updates and help in staying compliant. 18 The retailer

19 Heena Vazirani Manager Heena Vazirani is a Manager with the IT Risk and Assurance (ITRA) service line within the Advisory practice. She joined EY in 2008 and has more than 10 years of experience in Information Technology services and consulting. She is an engineering graduate and a Certified Information Privacy Professional (CIPP).Heena primarily focuses on the IT Risk and Assurance services in consumer products and life sciences sectors. She has led several Information Security and Privacy engagements for leading consumer products and pharmaceutical companies in India. She has an extensive experience in evaluating IT environments, assessing business and IT risks and formulating control and governance frameworks. Her areas of expertise include information security, privacy, program and project management, system lifecycle management, application risks and controls and IT governance. E: heena.vazirani@in.ey.com P: Inputs from Nitin Mehta, Associate Director, ITRA The retailer 19

20 4 Innovation board 1Retailers invest for 2Walmart and shaping the retail GE partner to experience of innovate future 3E-commerce in India John Lewis, the leading chain of department stores in Great Britain, has launched a technology incubator, JLAB. JLAB aims to identify and develop technology innovations that will shape the shopping experience of the future. Each business, which is accepted into JLAB, receives rewards and share in equity, while one winner will be offered a chance to supply the John Lewis estate with their technology. Five start-up companies will be working with John Lewis this year, to support and develop their products and solutions across three main areas. These areas are store innovations and products that will improve customer experience across all channels, innovations around the internet by assessing techniques to use data on real-time basis and in-store personalization for customers. The applications currently received range from virtual fashion assistants to social interactions. They are constantly looking for ways to enhance shopping experience and communicate with customers online and in stores. Other retailers such as Tesco, Marks & Spencer and Argos have also invested in similar digital hubs. ( business/2014/mar/02/john-lewis-digitalinnovation-next-big-thing-retail, accessed on 20 April 2014) Walmart announced usage of its new fixture, i.e., LED ceiling lights, which will reduce energy costs. This will be done for its stores across Asia, Latin America, the US and the UK. The new fixture, which will use 40% less energy, is designed by its supply partner GE. They have collaborated to find and scale energy-efficient LED lighting solutions that are cost effective and are of high quality. Currently, Walmart plans to make this a mainstream solution for the retail industry. This is a classic example for partnership innovation. Walmart aims to eliminate a significant number of carbon dioxide emissions over the next few years through this energy investment. This will also enable companies to achieve its goal of cost savings in electricity ( node/32613#, accessed on 20 April 2014) The ease of shopping from home is driving the growth of e-commerce in India. Indian and global retailers have invested significantly in e-commerce expecting a sevenfold growth in India s e-commerce market in the next five years. This growth is expected to be driven by increasing numbers of shoppers who buy on mobile, growing influence of women shoppers in categories such as fashion, home decor, jewelry and baby care. Additionally e-commerce sites can tailor a more personalized experience for shoppers by effectively using big data through analyzing shopping trends and consumer preferences. However there are challenges such as poor internet infrastructure, existing regulations and legal regime for the Indian e-commerce market. ( Trends-That-Will-Shape-ECommerce-In- India-In, accessed on 20 April 2014) 20 The retailer

21 The retailer 21

22 Notes 22 The retailer

23 Our offices Ahmedabad 2 nd floor, Shivalik Ishaan Near C.N. Vidhyalaya Ambawadi Ahmedabad Tel: Fax: Bengaluru 6 th, 12 th & 13 th floor UB City, Canberra Block No.24 Vittal Mallya Road Bengaluru Tel: Fax: (6 th & 12 th floor) Fax: (13 th floor) 1 st Floor, Prestige Emerald No. 4, Madras Bank Road Lavelle Road Junction Bengaluru Tel: Fax: Chandigarh 1 st Floor, SCO: Sector 9-C, Madhya Marg Chandigarh Tel: Fax: Chennai Tidel Park, 6 th & 7 th Floor A Block (Module 601, ) No.4, Rajiv Gandhi Salai, Taramani Chennai Tel: Fax: Hyderabad Oval Office, 18, ilabs Centre Hitech City, Madhapur Hyderabad Tel: Fax: Kochi 9 th Floor, ABAD Nucleus NH-49, Maradu PO Kochi Tel: Fax: Kolkata 22 Camac Street 3 rd floor, Block C Kolkata Tel: Fax: Mumbai 14 th Floor, The Ruby 29 Senapati Bapat Marg Dadar (W), Mumbai Tel: Fax: th Floor, Block B-2 Nirlon Knowledge Park Off. Western Express Highway Goregaon (E) Mumbai Tel: Fax: NCR Golf View Corporate Tower B Near DLF Golf Course Sector 42 Gurgaon Tel: Fax: th floor, HT House Kasturba Gandhi Marg New Delhi Tel: Fax: th & 5 th Floor, Plot No 2B, Tower 2, Sector 126, NOIDA Gautam Budh Nagar, U.P. India Tel: Fax: Pune C-401, 4 th floor Panchshil Tech Park Yerwada (Near Don Bosco School) Pune Tel: Fax: The retailer 23

24 Ernst & Young LLP EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata Ernst & Young LLP. Published in India. All Rights Reserved. EYIN ED None This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor. EY refers to the global organization, and/ or one or more of the independent member firms of Ernst & Young Global Limited