Corporate governance - the software perspective
When speaking about corporate governance there is a buzzword that is doing the rounds that is sure to raise some eyebrows. All business people have heard about hardware and software, and possibly even vapourware, but what about ‘orphanware’?
Andrew Stekhoven, director at Escrow Europe, says that ‘orphanware’ is the name given by IT industry analysts to a software product in which you have made a significant investment and on which you depend for the day-to-day operation of your business, but whose owner has abandoned it due to insolvency, sale of the company or any other reason that leaves you with an unsupported, unmaintainable product.
It is worse than our old friend ‘vapourware’, which is typically software that is never delivered or installed or taken live. With vapourware at least your business has not developed an absolute commercial dependency on the technology concerned.
Perhaps the concept of ‘orphanware’ is easier to spot by way of example. Say you are the IT director of an insurance brokerage firm and you’ve been tasked with finding and implementing a specialised policy and claims management platform. There are established players offering solutions, but they come at a high price.
There is also a neat product being offered by a smaller local supplier at a price well below those systems, and it seems to offer both an excellent fit and a real value-for-money software licensing model. You go the low-cost route and invest heavily, not so much in licence fees, but in the implementation project, database conversion, perhaps even going as far as creating a specialised database, new hardware platforms and, of course, people training.
Next, the vendor runs into financial difficulty and is acquired by one of the established solutions vendors that promptly pulls the plug on the software product that has now become mission critical to your business processes and functions. In one fell swoop you’ve become the proud owner of orphanware.
Not far-fetched
We have a local example. Prestasi lost its entire customer database in a highly publicised dispute with Dexdata, its IT outsource provider. Prestasi was reduced to managing its business without access to its own customer database. A court order eventually compelled Dexdata to return the data, but the returned tapes were unreadable.
The reason that orphanware has become part of today’s operational risk and good governance language is that it isn’t just the offspring of small, under-funded developers but, in the dog-eat-dog world of mergers and acquisitions, can easily be the progeny of even a well-established parent.
Take Oracle’s acquisition of Hyperion, for instance. In both international and local user communities there’s a fear that – in order to migrate users to Oracle solutions – the company will turn existing Hyperion installations into orphans either by upping maintenance rates until they are too onerous for even the most-dedicated Hyperion user to continue paying, or by discontinuing the maintenance and support of these systems. There’s even suspicion that Oracle will simply kill the product range.
What compounds this sort of problem is that you will also discover (too late) that neither D&O insurance nor Multimark commercial insurance policies provide you with cover for this kind of business disaster.
Got protection?
So, given the very real incidence of orphanware out there, how do you protect your company against being left holding the baby?
You can avoid contracting with smaller companies or start-ups, especially for mission-critical functions, and opt for established companies with lengthy track records. But, as the Oracle-Hyperion acquisition shows, this is not always an option. And what if the established companies can’t offer you the custom-fit system that you need?
Certainly, one of the most elegant ways of managing the risk of your business’s absolute dependence on information technology is active software escrow.
Internationally speaking
In a recent survey conducted by the Chartered Management Institute in the UK, only 48% of businesses questioned had business continuity plans in place, highlighting a worrying complacency around planning for the unexpected. This finding is representative of trends in developed countries; unfortunately there is no doubt that South African companies are way below the 48% mark.
In the US and Europe, companies have been forced to adopt certain standards with the introduction of legislation like the Sarbanes-Oxley Act (SOX), for example. SOX instructs executive management of publicly held companies in the USA to evaluate and report on the effectiveness of their internal controls over financial reporting, and to have independent auditors substantiate the effectiveness of these controls.
In South Africa, we are more fortunate to have King and the Institute of Directors. Together, they have addressed corporate governance in a very practical manner and King III – which will stress the value of active software escrow – is certain to be even more pragmatic in that it will focus on duty of care rather than a complex tick list which could, even with full compliance, be way off the actual target in respect of competent operational risk management.
Active escrow is a cornerstone of competent risk management because it provides a cost-effective ICT solution, and because it appears that 98% of all organisations in our country depend on software technology for mission-critical business processes and functions.
Navigating the compliance issues around protecting strategic assets is not easy. Compliance is more than documentation; it also includes the control testing of systems, the tighter management of critical third party services, and the near real-time ability to report on all events that ‘materially affect’ the business.
However, there is an upside to compliance mandates. As companies incorporate best practices to meet regulatory requirements, they are also creating the basis for a solid business continuity strategy.