Process of the Month – Corporate Governance Process

10 October 2013
5 minute read
Best practice

A post started by Lori Levenson in the Software Asset Management group on LinkedIn asked what the top three processes needed for a successful SAM implementation are. Answers were varied (and some longer than others – thanks Steve O’Halloran!), but an observation by Petr Silhan raised the point about securing Corporate Governance, and so this acted as the inspiration for this month’s Process of the Month – thank you Petr.

Corporate Governance Process

Primary Objective:

  1. To ensure that Senior Management buy-in is secured prior to the start of a Software Asset Management System being created

Secondary Objectives: 

  1. To warrant that the SAM Policy is informed by a Risk Assessment
  2. That the SAM policy is subject to annual review to make sure it remains fit for purpose


  1. That corporate approval has been granted to initiate this process

Function Step Overview:

1.10 Having secured approval to initiate a risk assessment, an appointed SAM Champion is charged with overseeing a risk assessment.  A word of caution here: the risk assessment may form part of a wider scope than a purely SAM-related review; this is no bad thing – the more IT risks SAM can address, the greater the chance any resulting SAM Policy will have of being accepted.  Inputs to this function step include the risk analysis criteria (scope of assessment, budget to conduct the assessment, personnel to conduct the assessment etc.); ISO 19770-1: 2012 (page 9), as this offers guidance on expected outcomes for any SAM-based corporate governance process and so can lend assistance to the risk assessment; and finally Proposed SAM Policy Amendments (these are brought in for consideration after an annual review of the SAM Policy at function step 1.80, and so this input has been starred, as the document won’t likely exist the first time this process is run).
1.20 The board reviews the findings of the risk assessment as carried out at 1.10

1.30 Having rejected the findings of the risk assessment at 1.20, the board requires the SAM Champion to revise those findings and re-present them to the board.
1.40 The SAM Champion is required to oversee the creation of a SAM Policy document; again, guidance is offered by ISO 19770-1: 2012 (page 9) as to what might reasonably be expected to be included in a SAM Policy.
1.50 The Board are required to review the SAM Policy to ensure that it adequately addresses the risks highlighted in the risk assessment
1.60 Here the SAM Champion is required to revise the SAM Policy to address any shortfalls the Board highlighted at function step 1.50
1.70 With the Board having accepted the SAM Policy as being fit for purpose, the SAM Champion is required to promote the SAM Policy throughout the company.  For this, he/she might call upon support from a communications department and/or an HR department.  From here, the SAM Champion can instigate a new process: the Create a SAM Plan Process (to use the ISO parlance).
1.80 As mentioned at function step 1.10, an annual review should be timetabled to ensure that the SAM Policy still addresses the risks formerly highlighted by the risk assessment.  Any proposed revisions/exposures should be fed back to the risk assessment function step, so that they can be incorporated into the next risk assessment.  We also have our first risk of this feature: ensuring that sufficient time is factored into a review to enable such amendments to be included in a revised SAM Policy as closely as possible to the one-year anniversary of the original publication.

The eventual landing spot of any revisions to the SAM Policy is a subjective one; I placed it at the point where another risk assessment took place as otherwise a SAM Policy could run the risk of being isolated from the business and address risks that were highlighted perhaps 3 or 4 years ago and so fail to keep pace with current management beliefs as to where risks currently reside.  Some might argue that such revisions could side-step another risk assessment and feed back into the process prior to function step 1.40.

I also have to offer my apologies to the process purists out there – I was unable to add a page connector between function step 1.20 and 1.40 (Between Page A and B)

Other processes

The other processes that I have addressed in this series so far are as follows:

The process kit by Rory Canavan is available from