An investigation into source code escrow as a controlling measure for operational risk contained in business critical software
Thesis (MBA)--Stellenbosch University, 2012.
This research report outlines corporate governance and information technology risk management frameworks and the use of software escrow within a holistic enterprise risk management strategy to maintain business continuity. Available risk mitigation tools and frameworks were analysed, including the use of software escrow as an information technology risk mitigation tool and continuity instrument. The primary research problem relates to how organisations can ensure business continuity by managing the risks surrounding business-critical software applications. Software escrow was identified in the literature review as a risk management tool used to mitigate operational risks residing in the licensing of mission-critical software applications. The primary research question is: "How can source code escrow contribute towards business continuity by limiting risks contained in licensed business-critical software applications?" This study found that an escrow agreement ensures an end-user access to licensed mission-critical intellectual property in the event of the owner's insolvency, acquisition or breach of maintenance agreements, and thereby ensures continuity. The following secondary research questions were also answered: "What types of operational risks will be minimised using software escrow?" and "What constitutes an effective source code escrow agreement in South Africa?" The research identified that the main driver for escrow was the operational risk of a mission-critical system failing because maintenance and upgrades no longer take place. The reasons identified included insolvency of the software supplier, acquisition of the supplier, loss of key resources (developers) and breach of maintenance or development agreements. The research also identified some limitations to the application of escrow and the reasons why some agreements were never executed. Key escrow contract quality criteria were identified which ensure an effective agreement under South African law.
The following essential quality criteria were found to improve the effectiveness of the escrow contract on execution:
- Frequency and quality of deposits;
- Deposit verification to ensure usability of the material after release; and
- Well-defined release trigger events to avoid legal disputes regarding what constitutes a release.
Case studies highlighted the main risks that drive the creation of escrow agreements and identified limitations to the execution of some escrow agreements. The software end-user operational risks mitigated by the use of escrow included:
- Continued use of the software despite vendor bankruptcy;
- Reduced dependency on the supplier for maintenance and support of the software;
- Safeguarding of critical business processes; and
- Protection of the return on investment (software implementation, hardware and training of staff).
It was concluded that, despite the legal and practical complexities concerned with escrow, it remains the best instrument to ensure continuity when relying on licensed intellectual property used for business-critical functions and processes. Software escrow is therefore a vital component of a well-formulated licence agreement to ensure access to mission-critical technology (including all related intellectual property) under pre-defined conditions of release to the end-user (licensee). In the event of a release, the escrow agent gives the end-user access to the deposited source code and related materials for the purposes of business continuity only; the release in no way affects the ownership rights of the supplier/owner.