This article “IBM IASP: The good, the bad, and the ugly” was submitted by Eric Chiu, Managing Director, Fisher ITS
The IBM Authorised SAM Provider (IASP) programme first came to my attention at the beginning of 2020, back before the world was turned on its head. Some ITAM Review readers may remember engaging in a lively debate about the merits of IASP, the purpose of which is to allow IBM accredited providers to perform ongoing IBM compliance services for IBM customers. As part of the deal, all customers who sign up to IASP will not be audited by IBM. You can find out more about the details of IASP here.
I received several questions on the merits of IASP and back in February I posted my sceptical opinion that IASP is essentially asking IBM customers to pay for auditing themselves, each quarter, using IBM’s official audit partners, with little obvious benefit in return apparent to me.
At first glance, it appears to be another attempt by IBM at the now cancelled License Management Option (“LMO”) – a “self-reporting for audit-waiver” deal that could only be made with IBM customers with an enterprise agreement (e.g. SSSO/ESSO) and that ended up with very few adoptions globally.
The initial debate surrounding my comments delivered a fantastic opportunity to get a true understanding of the potential pros and cons of IASP, with IASP Global Programme Lead, Sanjay K Saxena, offering an open Q&A to the ITAM community. In the intervening global lockdown these questions have been collated and delivered to Sanjay, who has my sincere thanks for the openness of his communication around IASP.
So, now that we possess a more thorough understanding of IASP (you can review the full Q&A transcript co-authored by FisherITS and IBM in the “further reading” section below) – has my mind been changed regarding the value of IASP?
In summary, I believe IASP will be worth considering for some organisations – but it is important to go into the programme with your eyes wide open to the potential costs and risks you may encounter, as well as the benefits offered. Upon reflection, I see this as a case of the good, the bad and the ugly of IASP.
On the good side, this is the best chance for IBM customers who have not invested and do not plan to invest in general Software Asset Management (SAM) to get a quick “out-of-jail-free-card” in IBM licence compliance; the main benefit of the programme is a historical non-compliance waiver – “You won’t be charged for what you accidentally deployed or mis-configured.” To encourage customers to come clean with their genuine licence shortfalls and join IASP, IBM has agreed in principle to waive penalty fees for any accidental deployments – which is not the case in traditional compliance audits as these are typically the main settlement drivers.
Sanjay, the architect behind IASP, has categorically stated that the IASP programme is not revenue motivated (for IBM) and the hope was to build and retain long-term client relationships.
Less good is the cost of IASP to organisations. There are only four accredited providers globally and if you already run your own SAM programme or receive a SAM managed service then you could be making a double investment. IBM has firmly established that only the four accredited providers can ensure the quality of IBM licence management and is not expecting to extend its endorsement to the wider SAM market. That said, for organisations that never managed to get SAM to work properly internally, the cost of IASP can still be much lower than the cost to settle an IBM compliance audit.
Most concerning to me is the potential for conflict of interest. Two of the four IASP providers are IBM’s global licence compliance audit partners – rather than restricting them from providing IASP services at the back of a compliance audit, IBM has confirmed that “IASP is most likely to be provided by one of IBM(‘s) audit partners.”
Before I analyse the Q&A response in further detail, I want to highlight one important point up front. By entering into the IASP programme you are inviting IBM in to audit your business. This is always risky, and it will be down to the discretion of IBM whether you are charged for historical non-compliance issues. The response in the Q&A document is clear that IBM agree to waive compliance issues caused by accidental deployments or misconfigurations, providing the customer has not benefited from the way in which the deployment was made; this places an asterisk alongside one of the headline benefits of IASP.
It may be difficult to agree what is “accidental deployment” versus “genuine deployment”. IBM will have visibility of deployments and usage so room for negotiation for the customer can be limited. As an example, for Cognos deployments, if a user has been accidentally assigned admin rights and has unknowingly scheduled a number of BI reports which will trigger additional licence liability, it is unclear whether this would be treated as accidental deployment or not.
There is a misconception in the industry that IASP will make an organisation’s sub-capacity licensing issues disappear. IBM has made it very clear in their response that even during IASP, if you have any deployment of IBM software that does not meet sub-capacity criteria, e.g. a PVU software installation not covered by the ILMT agent, this will have to be reported by the auditor to IBM on a full capacity basis.
IASP does not make sub-capacity problems go away, instead it binds you to share every single sub-capacity violation you have with IBM every quarter. Again, you will be at IBM’s mercy to decide whether it is an accidental violation or not and then whether you need to pay for it.
A lack of safeguards around the potential for a conflict of interest using official IBM auditors to provide the IASP service is the most worrying part of the response in my view. There is no segregation between the role of auditing and the role of providing SAM (IASP) services – where there is a direct conflict of interest.
On the contrary, the design of the IASP programme is encouraging auditors to upsell IASP as a SAM service to IBM clients they audit. After some “off the record” discussions with a number of European IBM clients, it appears that IASP has actually been presented during audit settlement negotiations as leverage or an incentive by IBM and its auditors.
This brings significant concern over the independent status of IBM’s auditors when they are conducting IBM compliance audits; there is a natural incentive to report on non-compliance which can “only” be addressed by the subsequent IASP supplied by the same organisation.
Large international audit firms “low-balling” compliance services in exchange for more lucrative advisory work is no longer news, especially if you have watched how all of the Big Four “grew back” their advisory arms after they were cut off in the Enron scandal.
Granted, independence is neither a regulatory nor a legal requirement in the SAM market; however, it was still surprising to see that a major software publisher and two of the largest international accounting firms have chosen to enter such a framework.
Contrary to the misconception that in an audit you pay full list price for required licences, versus a discounted price in IASP, IBM has confirmed audit settlements can be negotiated in your normal discounted price band (Band H, I, J etc.). Of course, if you are a very large customer of IBM that usually receives significant “one-off” discounts on top of your already discounted price band, it seems that settling under IASP will be more attractive. For the vast majority of IBM customers who do not receive significant further discounts, the cost of settlement will be essentially the same as under an audit.
Also, bear in mind that IASP providers may argue there is additional benefit in waiving back maintenance as part of IASP. If compliance is now being assessed on a quarterly basis under IASP, issues relating to outstanding back maintenance will not arise, so this seems to be a false benefit.
If your organisation deems IBM to be an important strategic supplier and you do not have a mature SAM practice or service in place, possibly evidenced by failing compliance audits in the past, then IASP is definitely worth considering. I do believe in Sanjay and his team’s good intentions behind IASP, but when reality hits – auditors losing independence, revenue pressures hitting compliance teams etc – it will be interesting to monitor how the programme progresses.
Businesses must make up their own minds as to whether IASP is the right option for them. My advice is to be fully aware of the risk factors involved and to balance these against the benefits on offer.
It seems a further benefit is being added to IASP – the ability to use a wider range of tools for sub-capacity reporting. According to a LinkedIn post from Anglepoint president, Ron Brill, IASP customers will be able to use:
tools to perform their sub-capacity reporting. Given the overhead, and potential for errors, often associated with using IBM’s ILMT tool, this is likely to be a welcome change. Flexera has long been a possible alternative to ILMT (via agreement and signing of an addendum), so whether this change will increase adoption of the IASP programme remains to be seen.
IBM Authorised SAM Provider Offering QA Responses – FINAL