Heads of businesses risk breaching the Companies Act, fines, or a possible jail sentence if they fail to take software licensing risks into account

A new report has highlighted the potential risks business leaders face from their trusted software suppliers.

As businesses become more digitally enabled, their operations and profitability will rely increasingly on software. But as the leading software companies migrate to cloud computing with subscription-based licensing, their traditional on-premise licence customers are caught in a tricky situation.

Smith & Williamson/Cerno’s Software risk report 2017 warned that company directors are ultimately responsible for the commercial agreements associated with the purchase and use of software by their organisations.

Specifically, the report urged company chief to look seriously at all risks associated with under-licensed software both within their own companies and any organisation they acquire or merge with.

Robin Fry, legal director at Cerno, said that as the main software providers come under more pressure from newer cloud providers, they are increasingly dependent on their existing customer base to generate new revenue. He warned that even trivial under-licensing infractions could lead to huge penalties.

“What is worrying for many customers is unpredictability in software licensing because it depends on the supplier’s own interpretation of ambiguous and opaque licence agreements,” he said. “This is the major IT risk for companies.”

The report used the recent National Association for Adult Vocational Training (AFPA) case as an example of how software suppliers can go after customers. As Computer Weekly has previously reported, Oracle went after the AFPA, claiming that it was not authorised to run the purchasing module for 885 named users. Smith & Williamson/Cerno’s report warned: “This case highlights the continuing jeopardy of even the most diligent of customers to high-value claims by software suppliers even where, in the end, the claim is found to be highly inflated and ultimately unfounded.”

Highlighting the importance of board-level visibility of software licensing, Fry said: “Quite often, it is disregarded as a CIO issue. But when you look at the prices businesses are being called on to pay, both auditors and the full board need to realise there is an impact on their balance sheet and profit and loss.”

In one case involving a mid-sized European retailer, Fry said the assessed software licensing risk was more than £160m, representing a quarter of the group’s turnover. “This isn’t just a rounding error in management accounts,” he said. “It can be devastating – and it is critical that it is identified and then remediated, in advance of any supplier licence audit, in a controlled manner.”

Fry said software licensing issues tend to get elevated to C-level only when people get their fingers burnt lower down the organisation in an unexpected audit and the penalties then spiral. In his experience, companies can often get caught out by fairly innocuous add-ons to a core product, run in virtualised IT environments.

“What might seem like a small and inadvertent infraction to the IT team can readily elevate to six or seven figures,” said Fry.

The report warned that even the best-managed businesses, with absolute regard to compliance in their software licensing, are being confronted with shortfalls, often resulting in very high unbudgeted demands to be paid immediately.