The purchase of a software product usually means acquiring a license for the software, i.e. the right to use the software. An end-user who acquires such a license receives only a 'compiled' version of the software: the machine code with which the computer operates in order to support a company's business processes.
However, to maintain, correct, modify and/or extend the software, the original programming sources and documentation are needed. As these sources and documentation are closely held by the supplier, the end-user will usually have a maintenance agreement with the supplier, under the terms of which the supplier is obliged to support the product which may also include adjusting and extending the software in order to accommodate the continuously changing business needs of the end-user.
What would be the position of an end-user if faced with problems in the software product and the supplier cannot or will not meet its support and maintenance obligations?
To give access to the relevant material (source code, technical documentation and essential environmental utilities) on such occasions, the end-user and supplier enter into an escrow agreement whereby a deposit is made of those materials, which is verified and administered by a professional Escrow Agent.
This trusted third party is authorised to release the material to the end-user under conditions agreed upon by the supplier and end-user in the escrow agreement. Upon release of the material, the end-user is able either to continue the maintenance of the software themselves, or to outsource the maintenance to a third party.
However, if the software deposit is out of date, incomplete or, worse still, unusable, the end-user's business continuity could be seriously compromised.
Furthermore, local and international formalities are starting to come into play in respect of corporate good governance and issues of compliance.
Today's firms face an alphabet soup of compliance requirements - for companies doing business in or with the USA there's Sarbanes-Oxley; globally there's ISO 17799, Basel II and the IDC/BSA Piracy Report; and locally King II and the FAIS Bill, to name but a few.
It is critical that CIOs realise that, at the same time as they become more reliant on IT to ensure their compliance with regulations such as those mentioned above, they are also becoming more dependent on software systems that do not belong to them 'lock, stock and barrel'; i.e. they are licensed end-users and do not own the IP and know-how.
This dependence implies risk, particularly for systems that are directly related to core business processes. In this instance, it is crucial to minimise the company's exposure to operational risk and, to do this, escrow is the pre-eminent vehicle for safeguarding business continuity.
Legal and corporate governance duty
Corporate governance guidelines such as King II require that a company's board of directors:
* Ensures that procedures and practices are in place to protect the company's assets and reputation.
* Ensures that the company complies with all laws, regulations and best business practice.
* Ensures that technology and systems in the company are adequate to run the company properly.
* Identifies and addresses ICT and software risks.
Further, in terms of section 424 of the Companies Act, directors and managers may be liable in their personal capacities for failure to address these matters.
Business risks
Those businessmen who do not believe they need active escrow should ask themselves a few questions before closing the door:
* Is the technical or IT know-how I use every day critical to my business processes?
* Is this know-how easily replaceable by an alternative?
* Is the conversion to an alternative too costly or too lengthy?
* And is the training of staff to use this alternative too costly or too lengthy?
Consider the consequences the following events may have on the success of your business:
* The company that developed and now maintains one of your business critical software applications goes out of business.
* The company that developed and now maintains one of your business critical software applications is taken over by one of your competitors.
* The company that developed and now maintains one of your business critical software applications is taken over by another vendor who decommits from the product and/or proposes to maintain and support the product on commercially unacceptable terms.
* The source code released by your "passive" escrow agent is useless.
Does your business need active escrow?
If your answer to even one of these questions is 'yes', you should seriously consider protecting your business continuity by taking out active escrow:
* Our business is dependent on third party software and we would not be able to operate without the maintenance and support of that third party?
* This software is critical to our daily operations and/or communications?
* We would not be able to operate, support and update the software should the owner or licensor fail to update and support it?
* A large number of employees or departments in our business rely on this software?
* These software applications link with other mission critical systems or applications?
* This software is customised for our business?
* We use third parties to update and maintain the software?
* Time to replace the software and implement a similar mission critical solution will be longer than 30 days?
* New hardware will be required if we need to replace the software?
* Our licence agreements do not address active source code escrow?
* Should all of the employees operating the system resign or retire at the same time, there would be no other capable staff able to operate it without undergoing considerable and lengthy training?
With active escrow, an independent and neutral third party, the professional escrow agent, subjects the material on deposit to consistent standards of technical verification, at least once a year, providing a report that warrants that the deposit contains what the supplier has committed to lodge.
This provides proper reassurance that the material on deposit is complete, up to date and will be usable in the event of a release condition. The modern reality is that active escrow, which is specifically targeted at safeguarding business continuity, is now an urgent business necessity, not a nice-to-have.