Any company which is reliant on intellectual property (IP) belonging to third parties exposes itself to potential risk that needs to be appropriately managed, particularly where this use of IP (such as proprietary software and systems) is related to critical business processes, functions and services. Moreover, keeping a business healthy requires prudent risk management processes and procedures which must be vigorously implemented and followed. These risk management 'ingredients' are, amongst others, the basic foundations for a sustainable, well-governed business. That said, many companies -- particularly those who offer products and services -- unwittingly expose themselves to unnecessary risk because they have limited or no control over IP which is owned by third parties and which is necessary for the ongoing generation of their revenues.
"Even though you may be a diligent and hands-on executive, you might be overlooking a critical aspect of your company's business and its supply chain by unintentionally exposing the company to a high level of operational risk", says Terry Booysen, the CEO of the well-known governance research organisation, CGF Research Institute.
Clearly, while many executives may only see technology and/or its software as just another component of their business, the reality today is that IT and software have become the entire backbone upon which business operates across the world. With the increased accountability placed upon the board and its executive management to manage all of the company's risks -- be these operational, legal or procedural -- company officers can no longer afford to dismiss the importance of managing the risk that a third-party software supplier on which the company has a critical dependency can no longer supply its services. Such an exposure, particularly in light of the imminent new Companies Act 2008 and King III scheduled this year, will quickly attract personal liability for those companies and their officers who show scant regard for this potential risk.
In the past decades, this exposure has been exacerbated by the effects that globalisation and the dissipation of boundaries across industries have had on the pursuit of operational efficiencies and competitive advantage.
Most corporate governance protocols, guidelines and imperatives hold directors personally accountable for the organisation's assets and reputation, including the assurance that systems and technology are adequate to run the organisation. In the US, for example, Sarbanes-Oxley calls for an operational system of internal controls over financial information, encompassing contracts for mission-critical software and their susceptibility to changes in vendor business conditions. Similarly, Turnbull and King III expect the board of directors of all companies to take a robust approach to risk management, particularly in relation to IT-related risks.
"Companies who rely on third parties and supply organisations for their mission-critical software may not appear to be a problem, but companies must also take into account that such software is often subject to maintenance agreements and ongoing support by the software supplier," says the Managing Director of Escrow Europe (Pty) Ltd, Andrew Stekhoven. In other words, be aware that your company could be affected by an unforeseen development impacting the software supplier's business. For example, supplier insolvency, a change of ownership or a new strategic priority could lead to a discontinuation of support and maintenance, leaving you stranded with extremely serious -- possibly catastrophic -- impacts on the reputational and financial health of your company.
Such circumstances give rise to major ICT operational risk considerations, best encapsulated in one simple question: as we have no access to the source code of the software we use to run our business, would we be able to guarantee business as usual in the event that our software vendor was no longer available to fix, maintain and/or modify the software?
Continues Stekhoven, "The threat of business discontinuity -- and the revenues it would derail -- provides the imperative for the practice of underwriting technology-dependent risk through what is known as an Escrow Agreement."
To safeguard the continuity of mission-critical applications and mitigate the potentially devastating consequences of such risks materialising, it is essential to consider escrow on a proactive basis. Professional active escrow is a highly effective, low-cost measure to mitigate technology and software-related risks where that technology is under the control of third parties.
Finally, the guidelines in ISO 9001 confirm source code escrow as a process whereby access to maintainable information systems can be guaranteed, irrespective of:
o the stability of the commercial status of the software supplier, or
o whether certain predefined commitments, such as warranty, support and maintenance, are honoured.
The process of mitigating these risks requires companies to take specific actions when they procure technology systems and/or software, and these actions must be able to withstand the scrutiny of an audit in order to provide the assurance sought by the company's key stakeholders.