Here Today . . . Gone Tomorrow?

It's never going to happen is it? No IT supplier is ever going to cook the books and end up in the hands of liquidators. No software company is ever going to run out of cash and be hung out to dry. No hardware supplier is going to see its systems discontinued after a hostile takeover.

So stop reading right now . . .

. . . because really, there is no need for due diligence to be performed every time you purchase a mission-critical application. There must be truly very little requirement to have source code held in trust for your security - in escrow - in case of a vendor's collapse. And to have lawyers draft a contract that allows you a graceful exit should there be a change of control at your supplier, is surely overkill.

In fact it is not. Increasingly, purchasing mission-critical systems is a risky business, and CIOs are fully aware of this.

Fiona Balfour, CIO of Qantas, says the potential for a supplier to collapse for any number of reasons is a concern to large corporate computer users. Qantas, like most corporations, is heavily reliant on its information systems. Should a vendor go belly up, the airline would still need to support, run, modify and enhance those systems - or see its own revenue streams threatened. In order to protect itself, Qantas has a fairly sophisticated approach to analysing the viability of its suppliers, and also uses a variety of legal mechanisms.

"For example," says Balfour, "you can arrange to have software held in escrow at a mutually agreed place." In fact, it's a policy Qantas has had in place for some years with certain key and specialised software. The rationale is that even if the supplier goes out of business, the source code can still be accessed. She says, however, that with other less specialised software there are different issues to contemplate.

"Say Oracle went broke, what would happen? They have an extraordinary asset base in terms of their customers and the revenues from those customers. When a company like that goes broke, a white knight would acquire the company. Then you have an interesting issue. If it is friendly, you can renegotiate the contract; but if not - you can have problems," Balfour says. "Qantas has a change of control provision in its contracts. If there is a change of control and we are uncomfortable with the new owner then we can buy some time to migrate off the platform. I've been using contracts like that for most of my career and Westpac or BHP would do that. You would find most law firms have standard clauses for contracts."

Brian Mitchell, managing director of Oracle in Australia and New Zealand, has so far successfully withstood Balfour's hypothetical collapse, and says that in fact it is not the large companies that are vulnerable - rather the smaller suppliers. He has noted since the dotcom crash a flight to quality on the part of consumers of IT products and services. Although there was a willingness during the dotcom era to give smaller suppliers a go - the reasoning being that even if they went bust someone else would pick up the company and its IP - that is no longer the case, he says.

"All that has gone. If it is a weak company, then people need to look at it many times before they invest in their products. This [scepticism] commenced at the end of the dotcom boom and accelerated massively with Enron. People are now seeking transparency and better corporate governance," Mitchell says.

"Companies have also moved to rationalise their supplier group. They no longer have 20 to 30 suppliers - they are down to two to five maximum," he adds. Of course this strategy, while sensible when suppliers are efficient and effective, might potentially make the user more vulnerable should one of those handful of suppliers stumble or suffer a change in ownership, changing the product mix or service offered.

Mitchell begs to differ. He says that placing all your eggs in just a couple of baskets is not necessarily risky (although that's not all that surprising since he's the local head of a top tier supplier). "Because of the longevity and security of the supplier, and the recognition that the industry is rationalising very quickly, there will be two to three suppliers in most areas. Corporations need to get on board with that dynamic and align with those companies," he argues.

Of course Enron, from a distance, looked like one of the big, safe players in a similarly rationalising industry sector. The maggoty core of the business was not evident for years. And although corporate regulators are putting regimes in place aimed at ensuring better disclosure and transparency, the federal government's CLERP 9 proposals and even prescriptive black letter law such as the US' Sarbanes-Oxley Act are no guarantee companies cannot fail.

Chris Bennett, managing director of SAP in Australia, while prefacing his comments with, "That is never going to happen to SAP", acknowledges that no matter how thorough a customer's due diligence is on a supplier, it will only uncover what the company has allowed onto the public record. "Unfortunately there is not much that anyone can do about deceitful conduct except perform some degree of due diligence and take advice from analysts and hope that they are better at it than they have been in the past," says Bennett. "Every company has to weigh up the benefits and the costs. Basically it is a return on investment decision."

Bennett also points to the quality of the product itself being a good indicator of whether it will survive regardless of the fortunes or failings of the supplier. "In the last 10 years there are not too many examples where the vendor in the ERP space collapsed with no future direction for the company. One reason is because the most valuable asset of the software company is in the client base," he says. And that base, the argument follows, would be picked up by that theoretical white knight.


Product, Product, Product

According to Greta James, research director with Gartner, this focus on the product rather than the vendor can be effective on a number of fronts. "Look at your exposure," she says. "How much of your budget is with a vendor? It's a crude measure, but it's a reasonable indicator of your exposure. I would suggest that if it's 10 per cent or more then it is pretty significant, given the number of vendors that most companies have relationships with these days."

James suggests CIOs need to develop a triage approach to gauging risk, assessing which products are most important to the smooth running of the business, and then tackling them in priority order. "Are they high availability systems? This will influence your dependence on the vendor and backup they provide," James says. Similarly, she suggests that customer-facing systems would also lead to a good deal of pain if they were disrupted for any reason.

"Certainly you should be looking at the financial viability of the vendor," says James, spruiking Gartner's magic quadrant mapping technique, which takes into account vendors' financial performance, but also suggesting CIOs keep a weather eye on what financial analysts have to say about suppliers.

Once the decision has been made to purchase, she suggests vigilance is still required, and support levels for the product or service ought to be closely monitored. James says that if support levels drop off or good people leave and are not replaced by other good people, it can be an early indicator that all is not well with the supplier. Similarly, equity market analyst reports can be a good early alert to problems. "It's a question of getting all the facts and then forming a view," she says.

But for James, product remains the linchpin. "Even if you have concerns, that is not a reason [not] to proceed if it is a really good product," she says. "You should put a plan in place in case the vendor goes bankrupt or is bought, but if it is a good product, then the product or the entire company will be bought. If it is a good product it is likely to be supported."

That's all well and good if you're a betting CIO, but even James acknowledges that new owners may have different priorities about which products ought to be supported and which might be allowed to wither, however good they are technically. She offers the example of Sybase, which took over the Neon (New Era of Networks) application integration product only to allow it for the most part to lie fallow for 18 months.

Nevertheless, she says, "It is very rare for vendors - if they have been successful with at least one product - to totally go out of business. It's much more likely that the product or organisation would be bought. On the other hand . . . products that are mature may not be actively enhanced or sold. Therefore you should consider what would happen if your vendor dropped support."

Qantas certainly considers such issues. Balfour says good software houses do not have any problems accepting the tighter purchase contracts now in favour. "Occasionally you do see a naivety rather than an unwillingness to accept the terms, particularly in sole practitioner or single product firms. But I think that the IT industry is radically changing at the moment and some smaller organisations are starting to struggle with these requirements and [are] being bought by bigger companies," she says.

Qantas, however, sticks to its guns and, for example, almost always demands source code be held in escrow when it makes a software purchase. "Ten years ago it would not have been as big a problem [because] the code wasn't as wrapped as it is today," says Balfour. "Now we are more concerned with intellectual property rights. We find that companies are less willing to simply hand over the access to source code so there is the need for escrow."

In addition, Qantas performs significant due diligence, both off its own bat, and through its membership of the Research Board, an invitation-only community of CIOs who share inside information worldwide. Qantas is the only Australian member of the community, "although BHP's been making enquiries and I'm having coffee with [CIO] Cassandra Matthews soon to discuss it with her," Balfour says. Indeed, Qantas was a founding member of the organisation. Through this community of global CIOs, Balfour is able to access referenced information from case studies from the members.

"I can, as a CIO, put in a question to my Research Board colleagues," she says. "There are 100 of us, with a number of CIOs from similar organisations. What we are finding is that this is very, very useful and helps us with due diligence. For example, when we were choosing between Oracle, SAP and PeopleSoft, I put in a request to the CIOs for information. Now their response is not publicly available and I can't share any of that ever, but our due diligence was over in a very much shorter timeframe." (Oracle was finally selected for Qantas' EQ enhancement program along with IBM GSA and PricewaterhouseCoopers Consulting.)

"I ask my peers at big companies and they say frankly what they think," says Balfour. "For every software company with a contract of over $1 million we do due diligence on their financial viability and the analysis is very, very thorough. We haven't always been, but for the past half-dozen years we have been, and now increasingly so."


Bring in the Lawyers

Gartner's James believes that CIOs are fully aware of the risks involved when selecting a new product or supplier. But, she adds, "Many push it to one side because it's difficult to deal with." Often, in pushing it off to one side, the CIOs abdicate to the contracts people. Ultimately the contracts people are the lawyers.

Bernadette Jew is a partner in the communications and technology team of law firm Gilbert Tobin. Corporate Australia, she says, is far more aware of the risks associated with IT purchases than ever before, but perhaps not as aware of the practical steps that can be taken to ameliorate those risks. "In the past the sector was buoyant. This is the first time that many corporations have realised that IT vendors are vulnerable." She believes this has prompted a sea change in the way in which technology contracts are constructed.

"In the past business didn't contemplate the risks, and nor did lawyers, so you tended to find contracts that were formulaic with no real practical remedies. Now lawyers are reworking their contracts. The dotcom crash was the trigger," Jew says. "For example, with Web hosting services, in the dotcom crash companies had huge investments in co-location facilities. The competition became fierce and these businesses became non-viable.

"When you looked at the hosting agreements they did not deal with the practical issues of when your hosting provider goes under - what happens if the equipment lessor takes back the equipment and the hosting company is kicked out by the property lessor? Your data is all on their equipment and many times it is too late to get it. The administrator treats it as a low priority," explains Jew.

"Following the [dotcom] crash, business realised that they were vulnerable in ways that they weren't before. There may be contracts, which theoretically address the issue of insolvency, but offer no practical remedies," she says.
