Risk & Economy » Compliance » Indirect access: the SAP term costing businesses millions

Matt Fisher, VP at Snow Software, with almost two decades of experience in the tech sector, explains how to steer clear of the indirect access trap that could see your business fined millions

As purchasing increases, the business community continues its Marmite-like relationship with software providers – it fluctuates between love and hate. Though grumblings over rising costs remain widespread, technology can drive greater efficiencies in business processes, while also enabling them to stay one-step ahead of their competition.

SAP, the long-standing integral piece of the business technology puzzle, responsible for enabling companies to run their business processes, be they accounting, sales, production, human resources or payment in an integrated environment, is so often seen as a necessary evil for those CFOs expected to manage its ever-growing cost. The software giant’s relationship with its customers, however, is gradually becoming one to make Chief Financial Officers across the board sit up and listen.

It has become particularly apparent that SAP’s approach to what the industry terms Indirect Access, has gathered pace recently, as it appears to be pursuing its own clients for what it stipulates are unpaid fees in this area.

This year, the UK High Court ruled in favour of SAP against British multinational alcoholic beverages firm, Diageo, for £54 million, in an indirect licensing case stemming from unpaid fees.

In May 2017, SAP went further still, when brewing giant Anheuser-Busch InBev (AB InBev) revealed in a US Securities and Exchange Commission filing that SAP is seeking £471 million ($600 million US) in compensation for unlicensed use of its software.

But, what is Indirect Access, and how can other multinationals avoid becoming tangled up in the same trap?

 

Indirect Access – an overview

While no two contracts are the same, the fundamentals are. SAP licensing is based on number of users and their type of access. This usage licensing ranges from professional users, to workers, and even shop floor users. SAP licensing fundamentally means that you must pay for every type of usage – even Indirect Access.

Previously licensing reviews and system measurements for SAP focussed on direct usage for an organisation’s SAP environment. The definition of direct usage is a single user accessing SAP data directly through the SAP interface. Indirect Access can arise when an SAP system is accessed or queried via a third-party application. For example, if a Salesforce report is tied back to an organisation’s SAP system to generate a weekly performance report, every sales person may be able to access it even though they’re not listed as a paid-for user.

As the SAP definition for Indirect Access varies between customers, with the need for additional licences dependent on whether the interaction originates from users’ actions, if the data is engineered differently, or altered from inside the SAP system itself.

Confusion is rife in the user community, increasing risk as SAP ramps up its activity around Indirect Access.

 

Are you at risk? 

Any SAP customer is as much at risk of falling victim to indirect access as Diageo and AB Inbev. Those at the greatest risk are undoubtedly those organisations with operations typically involving higher volumes of Indirect Access, for instance those with complex supply chains or partner networks, such as in the Consumer Packaged Goods (CPG) industry.

The risks are also heightened for SAP’s larger users, who have often upped their investment in SAP systems year-on-year, to the point that it has become a business-critical piece of IT infrastructure. As such, replacing SAP systems with a different ERP system is comparable to the relocation of both the offices of an entire organisation and its partnering outposts simultaneously – an unthinkable task.

In a public statement from AB Inbev, the firm’s clear reliance on SAP systems is highlighted, leaving the world’s largest brewer wedded to the multinational software giant. While it intends to ‘vigorously defend’ the licence and damages claims, it will not want to risk providing SAP with any subsequent cause or reason to refuse to support its core systems from this point on.

The number of IT professionals that have centralised their careers on harnessing their SAP expertise only serves to tighten SAP’s stranglehold over large SAP customers. Implementing, configuring, customising and administering the software hegemon internally now forms a staple of their day-to-day roles, which is why they won’t encourage their organisation to give it up.

 

How to respond

Bill McDermott, SAP’s CEO recently announced the firm’s first pricing scenarios to tackle Indirect Access at SAPPHIRENOW, SAP’s annual global gathering of business and IT executives. These new models will see value measured on outcomes – flat fees for usage of SAP engines – and won’t reflect a one-size fits all solution.

As no two contracts are the same, organisations will now need to consider carefully their own specific circumstances in order to verify whether these new proposals present reasonable licensing measures that are appropriate to their business model. As a result, uncertainty continues to linger around other Indirect Access scenarios that were not covered by these initial proposals.

When push comes to shove, what tangible steps can customers take to ensure they are not liable for Indirect Access?

One approach that could mitigate the risks could be to revisit a trend from the early 2000s, which saw Governments worldwide appointing ‘Tsars’ that were empowered to operate outside the constraints of bureaucracy, qualifying them to take swift and decisive action on policy areas in desperate need of reform and change, such as trade, crime and information security.

By appointing an individual to such a position, it allows them to oversee an organisation’s dependency on and costs associated with SAP. Inside the larger contingent of customers, this would break down internal siloes, identify key areas of exposure, and enhance and promote a cross-functional understanding of SAP.

An appointee of this nature would then not only be able to account for financial scrutiny, but also potential legal implications too.

What comes next?

Many organisations have long approached SAP as a necessary evil, signing off rising costs without great scrutiny. But now it’s time for the CFO and the finance team to take a deeper dive into the SAP usage throughout the business, to ensure that Indirect Access is not putting their company at undue risk.

Only with greater visibility into how SAP is being used in the organisation can CFOs hope to mitigate the threat of facing a similar case to AB Inbev or Diageo. Only by doing this can they reduce the business’s immediate financial vulnerability, as well as the ability to uncover future risks before they emerge.

 

Matt Fisher is VP at Snow Software.

 

Read more