The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

Process of the Month – Corporate Governance Process

A post started by Lori Levenson in the Software Asset Management group on LinkedIn, asked the question what are the top three processes needed for a successful SAM implementation?  Answers were varied, (and some longer than others – Thanks Steve O’Halloran!) but an observation by Petr Silhan raised the point about securing Corporate Governance, and so this acted as the inspiration for this month’s Process of the Month – Thank you Petr.

Corporate Governance Process

Primary Objective:

  1.  To ensure that Senior Management Buy-in is secured prior to the start of a Software Asset Management System being created

Secondary Objectives: 

  1. To warrant that the SAM Policy is informed by a Risk Assessment
  2. That the SAM policy is subject to annual review to make sure it remains fit for purpose


  1. That corporate approval has been granted to initiate this process

Function Step Overview:

1.10 Having secured approval to initiate a risk assessment, an appointed SAM Champion is charged with overseeing a risk assessment.  A word of caution here; the risk assessment may form part of a wider scope than purely a SAM related review; this is no bad thing – as the more IT risks SAM can address, the greater the chance any resulting SAM Policy will have of being accepted.  Inputs to this function step include the risk analysis criteria (scope of assessment, budget to conduct the assessment, personnel to conduct the assessment etc.)  ISO 19770-1: 2012 (Page 9) as this offers guidance on expected outcomes for any SAM based corporate governance process and so can lend assistance to the risk assessment, and finally Proposed SAM Policy Amendments (these are brought in for consideration after an annual review of the SAM Policy at function step 1.80, and so has been starred as this document won’t likely exist the first time this process is run)
1.20 The board reviews the findings of the risk assessment as carried out at 1.10

Having rejected the findings of the risk assessment at 1.20, the SAM Champion is required to revise those findings to re-present to the board
1.40 The SAM Champion is required to oversee the creation of a SAM Policy document; again guidance is offered from ISO 19770-1: 2012 (page 9) as to what might reasonably expected to be included in a SAM Policy.
1.50 The Board are required to review the SAM Policy to ensure that it adequately addresses the risks highlighted in the risk assessment
1.60 Here the SAM Champion is required to revise the SAM Policy to address any shortfalls the Board highlighted at function step 1.50
1.70 With the Board having accepted the SAM Policy as being fit for purpose, the SAM Champion is required to promote the SAM Policy throughout the company.  For this, he/she might call upon support from either a communications department and/or a HR department.  From here, the SAM Champion can instigate a new process:  To create a SAM Plan Process (to use the ISO parlance).
1.80 As mentioned at function step 1.10; an annual review should be time-tabled to ensure that the SAM Policy still addresses the risks formerly highlighted by the risk assessment.  Any proposed revisions/exposures should be fed back to the risk assessment function step, so that they can be incorporated into the next risk assessment.  We also have our first risk of this feature:  And that is to ensure that sufficient time is factored into a review to enable such amendments to be included in a revised SAM Policy as closely as possible to the one year anniversary of the original publication.

The eventual landing spot of any revisions to the SAM Policy is a subjective one; I placed it at the point where another risk assessment took place as otherwise a SAM Policy could run the risk of being isolated from the business and address risks that were highlighted perhaps 3 or 4 years ago and so fail to keep pace with current management beliefs as to where risks currently reside.  Some might argue that such revisions could side-step another risk assessment and feed back into the process prior to function step 1.40.

I also have to offer my apologies to the process purists out there – I was unable to add a page connector between function step 1.20 and 1.40 (Between Page A and B)

Other processes

The other processes that I have addressed in this series so far are as follows:

The process kit by Rory Canavan is available from

About Rory Canavan

With a technical background in business and systems analysis, Rory has a wide range of first-hand experience advising numerous companies and organisations on the best practices and principles pertaining to software asset management.

This experience has been gained in both military and civil organisations, including the Royal Navy, Compaq, HP, the Federation Against Software Theft (FAST) and several software vendors


  1. I always admire how draft these processes with such clarity, it has clearly taken a lot of time and thought.

    It suggest adding input from legal or at least notifying them on page 3 if these processes are likely to be referred to in the event of an audit defence.

    I’d also consider reducing the tasks in the annual review, possibly skipping the board review. You need to keep those reviews as light as possible.

    All and all excellent as usual

  2. Rory Canavan says:

    Thanks Piaras, the board reviews should be light touch as hopefully changes/new risks will be incremental only. I like the legal aspect you mentioned, and I would certainly expect documentation to be maintained around who the board members were that signed off on the risk assessment and the SAM plan. And so, to the next process….!

  3. Grant Brierley says:

    Hi Rory, another great process! I would also suggest that procurement get involved with the risk assessment. They are often batting blind when negotiating with software publishers and if they buy into the SAM process then they deliver much of the ROI from the programme as a whole. Lastly, from a personal point of view I would introduce the idea of selling license surpluses to help increase ROI.

Leave a Comment