Business ethics about risk mitigation

We are often asked what kind of risk mitigation and preventative actions we advise our clients to take. First and foremost: We don’t advise our clients to do anything! We only calculate the cost effect of each obvious option they might consider, identify the options which we think are also viable, and create a list of pros and cons for each option. As a result, our clients can make their decision themselves. We have no part or stake in their eventual decision: That’s the beauty of being impartial!

Companies typically want to pay every penny that they owe for using third-party software: We would never advise clients to take any other action. As an example, however, at one point we found ourselves in the awkward situation where a client – for many internal political reasons – did not act upon the significant non-compliance that we discovered. We discussed it with our client’s project manager and even considered terminating our long-term relationship, because we did not want to be associated with such a case. Eventually we sent a memo to the members of the board summarizing the risks and difficulties we had encountered and recommending that they act upon it. Oddly enough, a day later all internal politics ceased to play a part, the customer acted upon our advice, and soon afterwards they were licensed correctly.

Becoming properly licensed does not always imply the purchase of more licenses. We are in business because we are expert at advising effective approaches to licensing correctly other than simply shopping for huge discounts. The answer may include, but is not necessarily limited to, adjusting infrastructures, re-deploying databases on the same infrastructures, migrating from license definition A to definition B, or buying other (often cheaper) license options than would typically be proposed by Oracle. Often, each of the aforementioned options will constitute aspects of the optimal solution. To deceive Oracle’s auditors by changing or otherwise manipulating audit evidence is not an option.

Instead, we find it very valuable to use the audit information proactively. Existing clients will agree that our value is not just in the actual work we deliver, but also in helping manage Oracle’s expectations / pipeline. For example, in our presentation during the webcast hosted by DBTA we illustrated a situation where a client was accused by Oracle of using DataPump, with an associated claim for $287,000. In this case we were contracted ‘after the fact’. If we had been contacted earlier, we would have proactively recognized the presence of DataPump. To alleviate the problem in a preventative manner, we would have drafted an email to be sent to Oracle by the client, explaining a) how surprised they were to find that feature in a database edition where it did not belong, and b) that the functionality was only tested and found to not live up to the expectations and costs. With this simple note, sent to Oracle prior to the collection of the actual audit data, the client may have prevented an opportunistic LMS or Sales rep from forecasting a new deal with a probability of 70%. The DataPump testing would have been a non-issue.

All risk mitigations we take are aimed at assuring compliance, whilst eliminating ‘sales-forecast-risks’. For example, we make clients aware that Oracle’s own Grid Control software accepts and agrees to management targets by default, flagging the audit output as ‘Yes/Yes’ for ‘License Agreed / Access Granted’ in Grid Control (finally, in version 12, the customer can create a ‘default’ for this “feature” and we advise that customers use this option!). Before running audit scripts, we would ensure that the client has taken steps to configure this properly, so that the Yes/Yes output reflects the intended use and therefore what they should be paying. By doing so, all discussions and efforts can be targeted towards issues that do matter. As another example, we would verify whether the Spatial option is only using the Locator function and not true geospatial data, and if so we would inform Oracle accurately and actively. The problem is that Oracle’s audit scripts are incapable of making the distinction between these two, and we would like to prevent our clients from negotiating a 90% discount with an opportunistic sales rep about licenses they didn’t require in the first place. Professional consulting in this area can prevent significant waste of time, effort and money.

There are always many considerations when examining audit output. After all, we analyze a few hundred million rows of audit data every year. Our purpose is always to use that data to do the right thing on behalf of our clients and make certain that they meet their legitimate licensing obligations to Oracle, but just as importantly that they are architected efficiently and that the customer only pays what the customer truly owes.

 
