Re: Compliance Office and Liaison Office


Andrew Katz
 

Thanks for the useful input, everyone.

I guess what I’m looking for is a simple way of explaining to a curious candidate what the difference between the roles is, understanding that they may be fulfilled by the same person. There are some great pointers in here.

- Andrew

On 9 Sep 2017, at 10:01, Steve Cropper <stcroppe@...> wrote:

I think it is easy to go overboard on trying to define the roles, though important to have a reasonable outline.

As I think I mentioned on other topics, the answer to the question depends a lot on the size and maturity of the organization you are dealing with AND whether or not they are bought into the OpenChain philosophy or testing it out.

Remember, doing this costs money and can take valuable resources away from something else so compromising on some starting point and plotting a ‘role evolution’ is probably the best approach.

Most of us who are passionate about this topic started with a sugar coating of responsibility, and ended up expanding that as we discovered how tracing software from ingress to delivery helped with many issues.

Compliance is a policy oversight role IMHO. Similar to a Quality Auditor, the role helps/leads the development of company policy and ensures it is implemented in collaboration with other core functions. They are responsible for interpreting policy as necessary and closed loop improvements as policy and processes need to be enhanced.

Liaison is about helping police the policy, similar to a Quality Engineer who needs to make sure that the developers have met their stated Quality objectives pre-delivery. No one wants to use or hear the ‘police’ word in a FOSS context but Open Chain is about enabling policing and oversight of software license application. The liaison supports the compliance role by helping translate policy into actionable tasks and bridges the gap between policy aspirations and reality on the ground. Liaison provides the feedback loop into policy making and process development activities to help tighten up compliance practices and uncover bad policies [e.g. ones that impede development unnecessarily :-)].

All previous discussion threads I think roll up into this summary, I am sure you will let me know if not ;-).

Also what this means is that a small company can combine the roles (they have less ground to worry about and can probably engage everyone within the same building (physical or virtual)).

In an enterprise, the roles need to scale and so may end up being more than two specific functions but aligned under these broad umbrellas.

Cheers!

Sent from my iPad

On Sep 8, 2017, at 6:17 AM, Jilayne Lovejoy <Jilayne.Lovejoy@...> wrote:

Well, it seems very aspirational, I guess.

I agree that these roles could be the same person and my thought from way-back-when we discussed this on the spec (or when I remember discussing it...) I think it is likely they'd be the same person. If you make the lists too different then it becomes harder to see it being the same person and if you put all of the attributes together as an expectation for one person you may end up with a rainbow-colored unicorn holding a pot of gold.

I think things like " May be involved in security/privacy/data protection compliance as well as licensing compliance." and " Shares their time with other compliance functions." are unnecessary – how else they share their job doesn’t matter, may vary, and by listing this, it only seems to limit the description.

I would never be so bold to say I have a "solid understanding of code development process", but I understand or seek to understand enough to apply the certainly necessary/required attribute of "solid understanding of potential open source legal issues" – if you are talking about a lawyer, they better have the "ability to communicate with engineers/developers" (b/c let's face it, many simply do not)

I'm not sure if "speaks at conferences" is really critical or indicative for either of these roles – it just happens to be the profile we all share (and largely why we know each other!) – but some companies are not too liberal with sending their people to conferences, so that can be a limiter that has nothing to do with ability.

"speed dial" – come on guys, are we dating ourselves here or what?

I have now only looked at Andrew's original list and feel really disappointed that some key attributes that I'd clearly qualify under: like XKCD, wears jean/t-shirts, skis (but has snowboarded in past), likes dinner parties (duh!) – are now gone... ;)

I have to say, my gut response to this and your responses back reminded me all too well of a talk I recently heard about hiring that quoted a statistic about how women will only apply for a job they feel they are 100% qualified for whereas men will apply where they are 60% qualified... so maybe this is a matter of perspective!

As to Andrew's original ponder as to what characteristics: I'd say the compliance role is more likely to be a lawyer. While I don't think this needs to be a hard-and-fast, the reality is that legal risk rolls up to the GC, so it's more likely responsibility rolls down through the legal department for something that is a legal risk. I'd suspect that even where there are very savvy license compliance folks who are not lawyers, some accountability still rests on the legal department. The liaison can be considered a more outward facing role (and less "legal") as per the description, but isn't the liaison fielding requests regarding compliance from external parties? In which case, they'd better know the nuts and bolts about what is going on internally for compliance – shouldn't they?

Finally, if I was in a small company and you gave me this list as an example, I might be overwhelmed and give up.

That's all I have at this late hour!

J.

On 07/09/2017, 22:49, "David Marr" <dmarr@...> wrote:

Meanwhile I didn't read it as normative points, just illustrative esp. with regard to the external speaking aspects. In that light I thought it was a good set of descriptors that add color and not intended as a set of requirements. And Jilayne would think you'd qualify except we might need to check your speed dial as a new type of conformance artifact ;)

To Shane's point -- suggested tweaks?

Dave

-----Original Message-----
From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Shane Martin Coughlan
Sent: Thursday, September 7, 2017 9:42 PM
To: Jilayne Lovejoy <Jilayne.Lovejoy@...>
Cc: openchain@...
Subject: Re: [OpenChain] Compliance Office and Liaison Office

Hi Jilayne

If you don’t qualify then we are clearly doing something wrong!

Any ideas on how we could make these descriptions more accurate for real-world use?

Regards

Shane

On Sep 8, 2017, at 13:35, Jilayne Lovejoy <Jilayne.Lovejoy@...> wrote:

This seems like a very high threshold to me. I don't think I'm qualified and I thought I was before!

:)
Jilayne

On 07/09/2017, 21:25, "openchain-bounces@... on behalf of Shane Martin Coughlan" <openchain-bounces@... on behalf of coughlan@...> wrote:

Hi Andrew

This looks like a reasonable basis for describing the two job roles. I think adding something like this to our material - perhaps in the curriculum - makes sense. I took a stab at formalizing the wording slightly.

Compliance:

May be involved in security/privacy/data protection compliance as well as licensing compliance.
Needs solid overview understanding of code development process, but not necessarily a coder.
Needs solid understanding of potential open source legal issues.
Has PR, Legal and the Liaison Officer on speed dial.
Spends time talking to/understanding the needs and culture of Management and Coders.
Speaks at legal and compliance conferences.
Shares their time with other compliance functions.
Likely to frequently engage with business management and legal representatives.


Liaison:

More likely to be involved in the code development process.
May be a contributor/participant in open source projects, and possibly involved in governance of those projects.
Needs solid understanding of potential open source issues.
Natural consensus builder.
Has compliance and project managers on speed dial.
Acts as an advocate for developers and project managers towards business management.
Speaks at developer conferences.
Spends most of their time immersed in code/project/governance.
Likely to frequently engage with developers and project managers

Regards

Shane

On Sep 1, 2017, at 20:45, Andrew Katz <Andrew.Katz@...> wrote:

Hi All

I’m helping a client with onboarding at the moment, and they have queried the difference between the roles of FOSS Compliance Officer and FOSS Liaison. This got me thinking, and I’d like to provide further guidance to my client in terms of the characteristics that an appropriate person in each role would have.

I can see that in some organisations, they may be the same person. However, the skillsets are subtly different, although overlapping. I’d like to get some consensus on what we feel the criteria are, and then we can maybe formalise them (not necessarily as part of the curriculum or specification itself, but as guidance). The list below is *not* intended to be a formal definition, but is basically me trying to capture my gut instincts about the characteristics that such a person might have, for right or wrong, so we can formalise them (it’s slightly tongue-in-cheek, but it’s a way of kicking off a serious conversation):

Compliance:

May also be involved in compliance in other aspects of the business (such as security/privacy/data protection).
Needs solid overview understanding of code development process, but not necessarily a coder.
Needs solid understanding of potential FOSS legal issues.
Spends time in the Legal Devroom at FOSDEM.
Responsive - has PR, Legal and the Liaison Officer on speed dial.
Spends time talking to/understanding the needs and culture of Management and Coders.
Speaks at compliance conferences.
Shares their time with other compliance functions.
Likes dinner parties.
Likes biographical movies.
More likely to wear a suit/business casual.
Skis.


Liaison:

More likely to be involved in the code development process.
May be a contributor/participant in FOSS projects, and possibly involved in governance of those projects.
Needs solid understanding of potential FOSS issues.
Spends time visiting the project booths at FOSDEM.
Natural consensus builder.
Has Compliance on speed dial, as well as project leads for projects s/he is involved in.
Acts as an advocate for coders to management, and projects to management, as well as the benefits (e.g. upstreaming) of project involvement.
Has read Jono Bacon on community development.
Speaks at Dev conferences.
Spends most of their time immersed in code/project/governance.
Huge fan of XKCD and Rick and Morty.
More likely to wear jeans/hoodie/tshirt.
Snowboards.


Any thoughts?

All the best


Andrew




_______________________________________________
OpenChain mailing list
OpenChain@...
https://lists.linuxfoundation.org/mailman/listinfo/openchain