The current global financial crisis demands that directors and managers of companies evaluate all possible risks, not just financial ones, if they are to ensure business continuity for the foreseeable future. In addition to taking stock of their financial stability, all commercial and governmental institutions need to take control of those parts of their business they have tended to 'outsource'.
The use of licensed software products effectively means that an organisation has 'outsourced' the ongoing maintenance and support of a vital component of its business: its mission-critical software applications. Many organisations may inadvertently be exposing themselves to a high level of operational risk when their core, mission-critical business processes, services and functions depend on software which they do not own but license from third parties, and which is therefore subject to conditions or events beyond their control.
This reliance on third parties may not appear to present a problem, but an organisation that needs to keep using business-critical software which requires ongoing support from its supplier can be affected by an unforeseen development in the supplier's own business. Supplier insolvency, a change of ownership or a new strategic priority (for example, discontinuation of support and maintenance) could leave the organisation stranded, with an extremely serious, possibly catastrophic, impact on its financial and business health.
One possible means of mitigating the operational risk of depending on software the organisation does not own is to purchase a source code licence. Suppliers and developers actively discourage this (usually by pricing such a licence prohibitively) because it gives the purchasing organisation direct access to the 'secret code' in which the application is written.
An alternative with far more appeal for both parties is to enter into an escrow agreement, so that the software end-user's access to maintainable information systems is guaranteed:
- irrespective of the size and/or commercial stability of the software supplier/owner;
- should certain predefined commitments such as warranty, support and/or maintenance not be honoured.
From an operational risk perspective, a professional escrow arrangement is the only proper reassurance an organisation has that software vital to the survival of its business will not become 'orphanware'. Gartner, for example, describes technology escrow as a smart and effective component of a business continuity strategy designed to protect mission-critical applications in an ever-changing environment, because it mitigates the risk of an organisation or governmental institution being entirely dependent on software over which it has limited or no control.
Given the increasing importance of software escrow, a number of international professional escrow practitioners thought it pertinent to establish ISEA as a professional association.
ISEA's purpose is to:
- promote co-operation and synergies in the industry for the benefit of all who have an interest in information technology dependency, operational risk management and corporate good governance;
- agree guidelines and standards to the benefit of ISEA members and clients alike;
- provide for a body of knowledge that will assist ISEA members in maintaining the highest professional standards for delivering software escrow services;
- provide a platform for rendering cross border services to fellow ISEA members on a consistent and mutually supportive basis;
- monitor industry developments so that commercial and governmental organisations that are dependent on software products for their survival are assured of software escrow best practice when they elect to work with an ISEA member.
In its guidelines for professional escrow best practice (CWA 13620), the European Committee for Standardization (CEN) defines escrow as follows:
- Escrow is an ancient legal term referring to a deed which only becomes effective upon the occurrence of a future event.
- This term has been applied to the deposit of source code by the software owner with an independent third party, known as the 'escrow agent'.
- Source code escrow is a disaster recovery and business continuity method that supports the procurement process and secures long term investment in information and communication technology.
Furthermore, CWA 13620 elaborates that the practice of professional software escrow constitutes an essential component of operational risk management in securing business continuity for mission critical business processes, services and functions.
As part of their operational risk management policy, this means that, via a competent software escrow arrangement, organisations are able to establish and maintain good governance standards:
- for a configuration benchmark of the software which can be used for future support, maintenance, copyright protection etc.;
- for independent verification of the archived configuration;
- to safeguard the long term support and maintenance of the software should key development resources no longer be available;
- as part of the configuration management process whereby a complete version of the software, that has passed all configuration controls, verification, validation and user acceptance testing, should then be lodged as an escrow deposit;
- as part of their disaster recovery and business continuity plans so as to secure long term investment in information and communication technology through an independent, offsite escrow deposit of a complete set of software source code and related technical documentation;
- so that, subject to the terms of the escrow arrangement, should the deposit be released, the software can be maintained by suitably qualified persons in the absence of the original developers.
As such, software escrow is increasingly seen as an important, even vital, element of the agreement between a supplier of computer software or other high-technology products and its customer.
However, while legal practitioners are correct to advise their clients to consider software escrow as a means of reducing risk and promoting continuity in a fluid business environment, lawyers, bankers and consultants should not make the mistake of naming themselves as the escrow agent in the escrow agreement, as this could lead to serious complications of an ethical and fiduciary nature.
This word of caution was offered as part of a wider discussion on risk management by leading New York business law practitioner, Ronald D Coleman, a specialist in civil litigation and the law of trademarks and the Internet.
In a paper titled Managing Risk II: Litigation Prophylaxis in High-Tech Agreements (www.innovasafe.com/articles.html), Coleman looked at the value of escrow in high-tech agreements and makes the accurate and critically important point that 'the heart of the escrow issue is that it is the only hard solution to the distinct possibility that your software supplier may go out of business... [Escrow] is a life preserver'.
The role of the escrow agent as the trusted, neutral and independent software escrow practitioner is therefore both highly specialised and vital in the management of corporate operational risk. Professional escrow best practice falls well beyond the scope of conventional lawyering, which makes Ronald Coleman's advice to enlist the aid of an escrow professional that much more sensible and constructive.
In practice, for an escrow arrangement to be effective, ALL three of the following conditions should be met:
- The arrangement should be legally sound;
- All source code and relevant material should have been provided and subjected to technical verification (at minimum, that the deposit is complete and that the delivered version of the software can actually be rebuilt from it);
- Source code and relevant material should be updated frequently, as part of a robust and consistent administrative process, so that the deposit tracks the version the organisation is actually running.
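The second and third conditions above are where a deposit most often fails silently: material is missing, or the deposit has drifted from what the licensee runs. As an added illustration (not ISEA's or CEN's verification procedure, and not code from any escrow agent), the following Python script records a SHA-256 manifest of a deposit at lodgement time, checks that an assumed minimum set of components (source, build scripts, documentation) is present, and later re-verifies the deposit on disk against the recorded manifest, reporting files that were added, removed or altered. The sample deposit it creates in a temporary directory is constructed for the example; the required-component list is an assumption, not a standard. A hash manifest proves integrity and completeness relative to what was lodged, not that the code builds; a build from the deposit is still a separate verification step.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed minimum contents of a maintainable deposit (illustrative assumption,
# not an ISEA or CWA 13620 rule): source tree, build scripts, technical docs.
REQUIRED_PREFIXES = ("src/", "build/", "docs/")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large deposits need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file's POSIX-style relative path under root to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def missing_components(manifest: dict, required=REQUIRED_PREFIXES) -> list:
    """Return required directory prefixes for which the deposit holds no file."""
    return [r for r in required if not any(k.startswith(r) for k in manifest)]


def verify_deposit(root: Path, expected: dict) -> dict:
    """Compare the deposit on disk against a manifest recorded at lodgement."""
    actual = build_manifest(root)
    return {
        "missing": sorted(k for k in expected if k not in actual),
        "added": sorted(k for k in actual if k not in expected),
        "modified": sorted(
            k for k in expected if k in actual and actual[k] != expected[k]
        ),
    }


def make_sample_deposit() -> Path:
    """Constructed sample deposit in a temp dir (not real vendor material)."""
    root = Path(tempfile.mkdtemp(prefix="escrow_"))
    files = {
        "src/app.py": "print('hello')\n",
        "build/Makefile": "all:\n\tpython src/app.py\n",
        "docs/BUILD.md": "# Build\nRun make.\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    root = make_sample_deposit()
    manifest = build_manifest(root)  # recorded and retained by the escrow agent
    print("missing components:", missing_components(manifest))
    # Simulate an unrecorded change between lodgement and a later re-check.
    (root / "src/app.py").write_text("print('changed')\n")
    (root / "docs/BUILD.md").unlink()
    print(json.dumps(verify_deposit(root, manifest), indent=2))
```

In a real arrangement the manifest would be signed by the agent and countersigned by both parties at each deposit update, so that a release can be checked against what was agreed rather than against whatever happens to be on the media.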
On this basis, the members of ISEA are committed to delivering the highest quality escrow arrangements, providing proper reassurance to their clients so that those clients can meet their specific requirements for operational risk management, business continuity, disaster recovery and corporate good governance.