Companies are under enormous stresses in 2009 and their ability to monitor risk is wavering, writes Andrew Stekhoven, MD of Escrow Europe.
In hard times one expects businesses to suffer and even many smaller companies to disappear completely, but we have also witnessed leading IT companies sink into financial black holes, which is disconcerting to say the least.
Never before has the need to ensure information security and integrity been so vital, with safeguards like active escrow – a vital operational risk management measure – necessary to mitigate disaster.
Today, there is an ever increasing risk of your technology provider going out of business, merging or being acquired by another company, laying off key technical staff, or failing to support their (your) technology, and savvy organisations need to protect themselves from such unforeseen circumstances with active escrow agreements.
COBIT 4.1 says: “Identify and mitigate risks relating to suppliers’ ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further consider non-disclosure agreements (NDAs), escrow contracts, continued supplier viability, conformance with security requirements, alternative suppliers, penalties and rewards, etc.”
This recession should bring out the worrier in corporate procurement officers and CIOs. In alignment with COBIT, the third “Draft King Report on Corporate Governance in South Africa” (King III) released by the Institute of Directors (IoD), says that the risks involved in IT governance have become significant and clearly states that every company's board should ensure that ICT is aligned with business objectives and sustainability.
In addition, it expects that a company’s approach to ICT governance should be based on the business needs and reliance on ICT to drive and support the company’s objectives. The latest IoD Audit Committee Forum Alert which lists the top ten Good Governance "to do's", critically says: “Assess the company's exposure to third parties in financial distress.”
Three lines of defence for risk management are cited for all companies in the draft King III report: line management, risk experts and then assurance functions. Endorsed by the IoD, active escrow is a crucial assurance function. Both King and Gartner regard technology escrow as a smart and effective component of a business continuity strategy that software licensees can use to protect their mission critical applications in an ever-changing environment.
A big question that has been overlooked by South African Directors and Officers when it comes to Enterprise Risk Management in the context of mission critical ICT is: "What are our annual revenue streams that are dependent on technology platforms over which we have limited or no control?" For corporate entities this is to be measured in millions of Rands, and it therefore provides the imperative for the practice of active source code escrow in underwriting technology dependent risk.
Software products are never “bug-free”, complete or static in their development cycle. If there is to be any form of maintenance and/or development of the software – e.g. for business continuity – there has to be access to the source code of that mission critical software. In the event that your software supplier is no longer able or willing to maintain and support the mission critical software platform that you are licensed to use, active escrow provides you with proper access to the source code and related technical documentation – you can control your own destiny in respect of ongoing support and maintenance and can guarantee the continuity of your vital business processes, functions and service delivery.
COBIT 4.1 specifically deals with resources acquisition and says: “Protect and enforce the organisation’s interests in all acquisition contractual agreements, including the rights and obligations of all parties in the contractual terms for the acquisition of software, development resources, infrastructure and services.”
A watertight contract for your company's relationship with its software vendor must ensure that all the escrow deposits are technically verified and tested. Only an active escrow arrangement ensures that all of the necessary components are included in the deposit, and are in working order, so that when disaster happens, there is no down time.
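The technical verification the paragraph above calls for comes down to two questions about each deposit: is every required component present, and is each one intact? The following script is an added example written for this article, not Escrow Europe's own tooling; it assumes a hypothetical deposit layout (a directory of files plus a JSON manifest listing each required component with its SHA-256 digest) and reports missing, corrupt and undeclared files so that a deposit can be rejected before it is ever needed.

```python
"""Verify a software escrow deposit against its manifest (added example).

Assumed deposit layout (hypothetical, not an Escrow Europe format):
  <deposit>/manifest.json  -> {"components": {"relative/path": "<sha256 hex>", ...}}
  <deposit>/...            -> the deposited source, build scripts and documentation
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_deposit(deposit_dir: Path, manifest: dict) -> dict:
    """Check every component the manifest declares.

    Returns a dict with lists 'missing' (declared but absent), 'corrupt'
    (present but digest differs) and 'unexpected' (present but undeclared),
    plus an 'ok' flag that is True only when all three lists are empty.
    """
    result = {"missing": [], "corrupt": [], "unexpected": []}
    declared = manifest["components"]
    for name, expected_digest in declared.items():
        path = deposit_dir / name
        if not path.is_file():
            result["missing"].append(name)
        elif sha256_of(path) != expected_digest:
            result["corrupt"].append(name)
    # Undeclared files are flagged too: a deposit that differs from its
    # manifest in either direction has not been verified.
    for path in deposit_dir.rglob("*"):
        if path.is_file():
            rel = path.relative_to(deposit_dir).as_posix()
            if rel not in declared and rel != "manifest.json":
                result["unexpected"].append(rel)
    result["ok"] = not (result["missing"] or result["corrupt"] or result["unexpected"])
    return result


def build_sample_deposit(root: Path, tamper: bool = False) -> dict:
    """Create a constructed sample deposit and its manifest under `root`.

    With tamper=True one file is altered after the manifest is written and
    another is deleted, modelling an incomplete or damaged deposit.
    """
    files = {  # constructed sample content, not real source
        "src/main.c": b"int main(void) { return 0; }\n",
        "build/Makefile": b"all:\n\tcc -o app src/main.c\n",
        "docs/BUILD.txt": b"Run make in the deposit root.\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    manifest = {"components": {rel: sha256_of(root / rel) for rel in files}}
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    if tamper:
        (root / "src/main.c").write_bytes(b"int main(void) { return 1; }\n")
        (root / "docs/BUILD.txt").unlink()
    return manifest


def demo() -> tuple:
    """Verify one intact and one tampered sample deposit; return both reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        good = verify_deposit(root, build_sample_deposit(root))
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        bad = verify_deposit(root, build_sample_deposit(root, tamper=True))
    return good, bad


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("intact deposit:", good_report)
    print("tampered deposit:", bad_report)
```

A digest check only proves the deposit matches what the supplier declared; the "working order" half of active verification still requires building the deposited source on a clean machine and comparing the result with the licensed binaries, which this script does not attempt.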
From an operational risk perspective, an active escrow arrangement is the only proper reassurance that an organisation has that software that is vital to the survival of its business will not become "orphanware". Reasons for orphanware range from the obvious, for instance, bankruptcy on the part of the supplier, to the more subtle – when a competitor acquires your supplier with the sole purpose of killing a competitive product.
Until recently, this operational risk has generally been underestimated if not ignored because either the protection that “active” escrow offers was not readily available to South African organisations or it was only available based on contracts governed by foreign legal jurisdiction. It also seems that South African Directors and Officers suffer from short-term memory loss about the nightmare that Prestasi went through with DexData – a disaster that is never far away without a smart risk management strategy.
Active software escrow is well used in Europe and the US to manage risks and comply with good governance regulations, but many local companies either ignore its potential for managing the multifaceted risks and due diligence obligations facing their company directors and/or officers, or they mistakenly believe that a passive escrow arrangement offers the same protection as one that is active.
We often use the analogy of the fire extinguishers in your building – neither you as the tenant, nor the owner of the building, nor the supplier of the fire extinguisher is wishing for a fire. However, in the event that there is a fire: (a) the extinguishers had better be there, and (b) they had better have been subjected to regular, expert scrutiny to make sure that they are always in proper working order.
Not only does active escrow provide a safety net that allows your company to hit the ground running if the worst happens, but it can also be used to woo customers and succeed in business ventures despite the ailing economy. Assuring customers about the stability of applications and therefore providing good risk governance helps retain existing business and close new deals. Software escrow – which was previously seen as a deal sweetener – in a down economy, has become a deal closer.
In line with internationally accepted practice, active escrow meets industry best practice standards, is SAS 70 Type II audited and is compliant with HIPAA and PCI DSS. Companies will come and go, and you don't want to get caught in the vacuum they leave behind – active software escrow is the most elegant way of making sure that you don’t.