Most chief executives will be aware of their obligations under Section 424 of the South African Companies Act, which addresses the requirements for good governance and provides for legal steps against senior executives who fail to carry out their company duties correctly. What the majority of CEOs may not appreciate, however, is the existence of operational risks related to third-party software systems operating within their organisations, and how these risks could compromise business continuity and thereby create serious complications for the executives in their personal capacities.
So says Andrew Stekhoven, managing director of the local subsidiary of Escrow Europe, an international leader in the provision of software escrow and related services. Stekhoven's premise is that even diligent and hands-on corporate executives might be overlooking a critical aspect of their company's software environment, and as a result inadvertently exposing their businesses to a high level of operational risk.
'This often-disregarded risk factor hinges on the fact that many companies' core, mission-critical systems are dependent on software which is licensed from third parties rather than owned in-house, and therefore subject to conditions or events beyond the licensees' control.
'Reliance on third parties may not immediately appear to present a problem,' Stekhoven continues, 'but an unforeseen development, such as a change of ownership or strategic priority on the part of the software licensor can have extremely serious, possibly catastrophic, effects on the health of the end-user organisation. Business continuity considerations associated with this risk should be a major concern for executives today.'
Stekhoven points out that traditionally the risks associated with third-party ownership of critical systems are addressed through so-called software source code escrow agreements, whereby a copy of the vital software program(s) is deposited with a neutral and independent escrow agent, and released by the agent to the end-user under conditions agreed upon by the supplier and end-user in the escrow contract. In theory it is possible for the licensee to simply take the deposit out of escrow, flick the switch and continue using the software unaffected.
'This may seem eminently sensible,' Stekhoven says, 'except for the fact that research shows that as many as nine out of every ten traditional source code deposits held in escrow are useless. They simply do not provide for a business's continuity should its software partner no longer be in a position to continue maintaining and supporting the systems it has provided.
'The reason for this potentially ruinous failure is that conventional (or passive) escrow deposits are not verified by technical specialists. The software is assumed to be complete and deployable, but usually there is no check on whether or not this is the case.
'Some may feel it is inconceivable that a company turning over possibly billions of rands a year would stake its future on what amounts to an honour system,' Stekhoven remarks. 'However, trust in the supplier to provide a fully "rehydratable" copy of his or her software is not the issue.
'The supplier probably is wholly trustworthy, and in all likelihood has the best intentions in the world. But most vendors are under pressure, and they might lack the time and resources to verify each and every source code deposit. Furthermore, today's software environments can be enormously complex, and it would be unrealistic to assume that large mission-critical systems will obligingly boot up and operate without skipping a beat. It doesn't often happen in the real world.'
An infinitely superior option to conventional passive escrow is the more rigorous active escrow. Here the escrow agent subjects the material on deposit to consistent standards of technical verification, at least once a year, and provides a report which warrants that the deposit contains what the supplier has committed to lodge, thereby providing proper reassurance that it is complete, up to date and most likely usable.
'This is a sound, commonsense approach,' Stekhoven opines, 'based on the principle that an ounce of verification is better than a pound of conjecture. The objectives of active software escrow are rooted in promoting ICT good governance, and take cognisance of the fact that registered customers can be proactive in complying with current protocols and imperatives such as King II, COSO II, Sarbanes-Oxley, ISO 17799, ITIL, etc.
'Should executives have any doubt about the need to consider active escrow, I suggest they ask themselves the following three questions:
1. How many mission-critical applications currently running within your organisation are licensed, and therefore contain technology or intellectual property beyond your control?
2. How many different escrow arrangements do you have?
3. How certain are you that the current escrow arrangements will ensure business continuity in the event of a release event or condition?
'Frank and unequivocal answers to these important issues could prompt a rethink of existing unworkable escrow agreements, thus substantially lowering risk profiles and boosting sound corporate governance,' Stekhoven concludes.
End

Title: Three questions CEOs need to ask
Issued by: C-Cubed Communications
Contact: Cathy van Zyl (021) 852-7198; Petra Peacock (011) 794-4665
On behalf of: Escrow Europe (South Africa)
Contact: Andrew Stekhoven
Date: 2 March 2005