Background: A Swiss Wealth Manager Under IBM Audit Pressure

The firm is a well-established Swiss financial services company with a strong reputation in wealth management and investment banking. Its IT infrastructure supports the critical systems that underpin its business: transaction processing platforms, client portfolio management, regulatory compliance and reporting systems, secure communications, and the analytical tools that investment professionals rely on to serve high-net-worth clients.

The company's IBM software estate includes IBM middleware (WebSphere Application Server, MQ), database products (Db2), and systems management tools deployed across a combination of physical servers and virtualised environments. Operating within Switzerland's stringent financial regulatory framework (FINMA), the firm maintains rigorous IT governance standards — but the pace of infrastructure growth, driven by expanding client operations and evolving regulatory requirements, had created gaps between the firm's IBM software deployments and its licence entitlements.

When IBM initiated a formal software licence audit, the initial findings claimed CHF 25 million in non-compliance fees. For a wealth management firm where reputation, client trust, and regulatory standing are paramount, the audit represented not just a financial threat but a potential operational and reputational risk. The firm engaged Redress Compliance to conduct an independent assessment and manage the audit defence process.

"Financial services firms in Switzerland operate under some of the world's most stringent regulatory expectations — FINMA demands rigorous IT governance, and any software compliance issue can attract regulatory scrutiny beyond the vendor audit itself. This creates dual pressure: the IBM audit claim must be resolved on its commercial merits, and the resolution process must demonstrate the firm's commitment to compliance governance that satisfies both IBM and the regulator. Our approach addressed both dimensions simultaneously."

The Challenges: IBM's Audit Findings in a Regulated Environment

Sub-Capacity Licensing Overestimation

IBM's audit applied full-capacity PVU calculations to virtualised servers where the firm believed sub-capacity licensing should apply. ILMT (IBM Licence Metric Tool) was deployed but IBM's auditors identified reporting gaps — missing quarterly reports and configuration issues on certain server clusters — that allowed IBM to default to full-capacity calculations on those environments. The difference between full-capacity and sub-capacity for the firm's VMware infrastructure represented approximately CHF 12 million of the CHF 25 million claim.

Virtualisation Deployment Overages

The firm's virtualised environment had expanded to accommodate new regulatory reporting workloads and client-facing applications. IBM's audit counted all physical cores across VMware clusters where IBM products were present — a methodology that does not reflect the actual virtual resources allocated to IBM workloads. The over-counting was particularly significant on the firm's largest production clusters, where IBM middleware served only a fraction of the total virtualised workload capacity.

Entitlement Mismatches

Infrastructure growth over several years had created misalignments between deployed IBM software and recorded entitlements. Some Passport Advantage entitlements covered products on servers that had since been decommissioned, while newer deployments had not been fully reflected in the firm's entitlement records. IBM's audit identified only the gaps (deployments exceeding entitlements) without crediting the surpluses (entitlements exceeding deployments on other servers).

Regulatory Sensitivity

As a FINMA-regulated entity, the firm's software compliance posture is subject to regulatory expectations around IT governance and vendor management. An unresolved IBM audit with a CHF 25 million claim could attract FINMA scrutiny beyond the audit itself — raising questions about the firm's IT governance practices. The resolution needed to demonstrate not just commercial settlement but genuine compliance improvement that would satisfy regulatory expectations.

Phase 1: Independent Audit Review

1. Line-by-Line Audit Report Analysis

Redress reviewed every element of IBM's CHF 25 million claim — the specific PVU calculations, server inventories, virtualisation assumptions, and entitlement gaps behind each product category. This analysis identified three categories of overestimation: full-capacity calculations applied where sub-capacity was defensible, VMware cluster core counts that exceeded the actual IBM workload allocation, and product claims that existing entitlements already covered.

2. Entitlement and Agreement Reconciliation

Redress compiled the firm's complete IBM licence history — Passport Advantage records, historical agreements, and any special terms negotiated over the firm's long IBM relationship. This entitlement inventory was cross-referenced against IBM's deployment findings, identifying CHF 5 million in claims that were covered by existing entitlements IBM's auditors had not properly reconciled, plus unused entitlements on decommissioned servers that could be reallocated to cover active gaps.

3. ILMT Gap Remediation

Where IBM had identified ILMT reporting gaps (triggering full-capacity defaults), Redress worked with the firm's IT team to remediate the gaps immediately and produce retroactive sub-capacity data for the affected periods. This included correcting ILMT configurations on the problem clusters, generating the missing quarterly reports, and documenting the actual sub-capacity PVU consumption that should have been reported. With this data, the sub-capacity eligibility argument was substantially strengthened.

Phase 2: Dismantling IBM's CHF 25 M Claim

| Claim Element | IBM's Calculation | Redress Validated Position | Reduction Achieved |
|---|---|---|---|
| Sub-capacity overestimation | Full-capacity PVU on all virtualised servers due to ILMT gaps | ILMT gaps remediated; retroactive sub-capacity data validated for affected clusters | CHF 12 M eliminated |
| VMware over-counting | All physical cores in production clusters counted for IBM licensing | Actual vCPU allocations to IBM workloads documented; non-IBM workloads excluded | CHF 6 M eliminated |
| Entitlement reconciliation | Several product categories claimed without crediting existing Passport Advantage entitlements | Existing entitlements matched to active deployments; surplus entitlements from decommissioned servers reallocated | CHF 5 M eliminated |
| Licence reallocation | Unused licences on retired infrastructure not credited | Reallocated to cover active compliance gaps at zero additional cost | CHF 500 K eliminated |
| Remaining genuine exposure | | Actual compliance gap after all corrections — new deployments requiring licensing | ~CHF 1.5 M |

Phase 3: Negotiation — Regulatory-Aware Settlement Strategy

IBM's Position

CHF 25 M — Full-Capacity Claim

IBM's audit team presented the CHF 25 million as the firm's compliance exposure, applying pressure to settle quickly and suggesting that the regulatory environment made rapid resolution advisable. IBM positioned the audit as a compliance issue that could attract wider attention if not settled promptly — a tactic designed to leverage the firm's regulatory sensitivity into a faster, less-scrutinised settlement at a higher amount.

Redress's Counter

CHF 1.5 M — Evidence-Based Resolution

Redress countered IBM's pressure with a comprehensive, technically documented position that demonstrated the firm's genuine compliance posture: corrected sub-capacity calculations, documented VMware allocations, complete entitlement reconciliation, and evidence of proactive ILMT remediation. This approach reframed the narrative from "non-compliant firm needing urgent settlement" to "well-governed institution that had identified and remediated a limited number of licensing gaps through rigorous independent assessment."

The negotiation produced a settlement of CHF 1.5 million — structured as a forward-looking licence investment covering new deployments needed for the firm's growth, with zero penalties and zero retroactive fees. Critically, the settlement documentation demonstrated the firm's proactive compliance posture — a factor that mattered as much for FINMA governance as for the commercial outcome.

Complete Engagement Outcomes

  • IBM audit claim: Reduced from CHF 25 million to CHF 1.5 million — 94 % reduction
  • Penalties: Zero — no penalties or retroactive fees imposed
  • Settlement structure: Forward-looking — covers licences for new deployments, not punitive back-charges
  • ILMT compliance: Fully remediated — sub-capacity eligibility established across all eligible environments
  • Entitlement reconciliation: Complete — all Passport Advantage records matched to current deployments
  • Regulatory posture: Audit resolution documented as proactive compliance — supporting FINMA governance expectations
  • Compliance governance: Automated monitoring and quarterly internal review framework established
  • Business continuity: Zero disruption to wealth management or investment banking operations

Client Testimonial

"Redress Compliance's expertise was critical in navigating a complex and high-stakes audit. Their guidance saved us millions and left us with stronger compliance and governance practices. They were a true partner in protecting our business."

Chief Information Officer, Swiss Financial Services Firm

Phase 4: Compliance Governance Framework

1. Automated Licence Monitoring

Redress implemented automated monitoring tools providing real-time visibility into IBM licence consumption across the firm's infrastructure. The system tracks PVU usage, deployment changes, and ILMT reporting status — alerting the IT team to any new compliance gaps immediately so they can be addressed before they accumulate into material exposure.

2. Quarterly ILMT Reporting and Internal Audits

The governance framework includes quarterly ILMT report generation and verification (maintaining sub-capacity eligibility) plus quarterly internal compliance reviews that compare entitlements against current deployments. These reviews produce documentation that satisfies both IBM's sub-capacity requirements and FINMA's IT governance expectations — serving dual compliance purposes.

3. IT and Procurement Team Training

Redress delivered targeted training covering IBM licensing policies, sub-capacity rules, virtualisation implications, and the governance procedures for approving new IBM deployments. For a FINMA-regulated firm, embedding licensing governance into standard IT change management processes ensures that compliance is maintained as infrastructure evolves — preventing the deployment-entitlement drift that caused the original exposure.

Outcome: Before and After

| Metric | Before Redress Engagement | After Redress Engagement |
|---|---|---|
| IBM audit claim | CHF 25 million in alleged non-compliance | CHF 1.5 million — 94 % reduction |
| Penalties | IBM seeking penalties and backdated support fees | Zero penalties; zero retroactive fees |
| Sub-capacity licensing | Full-capacity applied due to ILMT gaps | ILMT fully remediated; sub-capacity eligibility confirmed |
| Entitlement visibility | Incomplete reconciliation; gaps and surpluses untracked | Complete entitlement-to-deployment mapping established |
| Compliance governance | Manual tracking; no automated monitoring | Automated monitoring, quarterly ILMT reporting, internal audit programme |
| Total liability avoided | | CHF 23.5 million (94 % of original claim) |

Lessons for Financial Services Firms Facing IBM Audits

1. Don't Let Regulatory Sensitivity Drive a Premature Settlement

IBM's audit teams understand that regulated firms are sensitive to compliance findings — and they use this awareness to pressure faster, larger settlements. The correct response is not urgency but rigour: an independent, evidence-based assessment that demonstrates proactive compliance governance actually strengthens your regulatory position, while a premature settlement at an inflated amount provides no governance benefit and wastes capital. In this case, taking the time to validate IBM's claim produced a 94 % reduction and a compliance posture that satisfied FINMA expectations.

2. ILMT Gaps Are Expensive — But Remediable

The single largest component of IBM's claim (CHF 12 million) stemmed from ILMT reporting gaps that triggered full-capacity calculations. Remediating ILMT gaps and producing retroactive sub-capacity data is the highest-ROI defence action in any IBM audit. Even if ILMT was not perfectly maintained, demonstrating remediation and providing validated data for the affected periods substantially strengthens the sub-capacity argument — and IBM's auditors are often willing to accept corrected data when it is technically sound and well-documented.

3. Frame the Resolution for Both IBM and Your Regulator

For FINMA-regulated firms (and equivalents in other jurisdictions), the audit resolution must serve two audiences: IBM (commercial settlement) and the regulator (governance demonstration). A forward-looking settlement with documented compliance remediation achieves both — it satisfies IBM's commercial interest, demonstrates to the regulator that the firm identified and resolved compliance gaps proactively, and establishes governance processes that prevent recurrence. A punitive, adversarial settlement achieves only the first.

4. Engage Independent Expertise Before Responding to IBM

The most expensive mistake in an IBM audit is responding to IBM's initial findings without independent validation. IBM's audit methodology consistently produces inflated claims — typically 3–10× higher than actual exposure — through full-capacity defaults, cluster-wide counting, and incomplete entitlement reconciliation. An independent advisor identifies these overestimations, prepares the technical counter-evidence, and manages the negotiation from a position of documented fact. The advisory investment typically delivers 10–20× return based on claim reduction.