Re: Compliance Office and Liaison Office


Jim Hutchison

In previous reads, I enjoyed a simple view of a Liaison as public-facing, and the definition in 1.1 seems pretty good for that usage:
* FOSS Liaison - a designated person who is assigned to receive external FOSS inquiries

The "Internal FOSS Compliance Role(s)" appear to be flexibly-staffed, and more of a goal focus than a role focus.

Quality Auditor is not always ideal for a liaison role; some folks might choose another means to staff that as separate people.
I would not always mix ecosystem relations with compliance roles; some flexibility there might match many use-cases.
I can see Liaison as a scalable outward-facing role (could be more than 1 person for larger entities), and the compliance role(s) being very inward-facing on products/training/review/oversight.

For a one-person company, it would be outward and inward activities.

Perhaps we can talk more on this at today's call,

Regards,

Jim Hutchison

-----Original Message-----
From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Andrew Katz
Sent: Thursday, September 14, 2017 9:38 AM
To: Steve Cropper <stcroppe@...>
Cc: openchain@...
Subject: Re: [OpenChain] Compliance Office and Liaison Office

Thanks for the useful input, everyone.

I guess what I’m looking for is a simple way of explaining to a curious candidate
what the difference between the roles is, understanding that they may be
fulfilled by the same person. There are some great pointers in here.

- Andrew

On 9 Sep 2017, at 10:01, Steve Cropper <stcroppe@...> wrote:

I think it is easy to go overboard on trying to define the roles, though
important to have a reasonable outline.

As I think I mentioned on other topics, the answer to the question depends a
lot on the size and maturity of the organization you are dealing with AND
whether or not they are bought into the OpenChain philosophy or testing it out.

Remember, doing this costs money and can take valuable resources away
from something else so compromising on some starting point and plotting a
‘role evolution’ is probably the best approach.

Most of us who are passionate about this topic started with a sugar coating of
responsibility, and ended up expanding that as we discovered how tracing
software from ingress to delivery helped with many issues.

Compliance is a policy oversight role IMHO. Similar to a Quality Auditor, the
role helps/leads the development of company policy and ensures it is
implemented in collaboration with other core functions. They are responsible
for interpreting policy as necessary and closed loop improvements as policy and
processes need to be enhanced.

Liaison is about helping police the policy, similar to a Quality Engineer who
needs to make sure that the developers have met their stated Quality objectives
pre-delivery. No one wants to use or hear the ‘police’ word in a FOSS context
but Open Chain is about enabling policing and oversight of software license
application. The liaison supports the compliance role by helping translate policy
into actionable tasks and bridges the gap between policy aspirations and reality
on the ground. Liaison provides the feedback loop into policy making and
process development activities to help tighten up compliance practices and
uncover bad policies [e.g. ones that impede development unnecessarily :-)].

All previous discussion threads, I think, roll up into this summary; I am sure you
will let me know if not ;-).

Also what this means is that a small company can combine the roles (they have
less ground to worry about and can probably engage everyone within the same
building, physical or virtual).

In an enterprise, the roles need to scale and so may end up being more than
two specific functions but aligned under these broad umbrellas.

Cheers!


On Sep 8, 2017, at 6:17 AM, Jilayne Lovejoy <Jilayne.Lovejoy@...>
wrote:

Well, it seems very aspirational, I guess.

I agree that these roles could be the same person and my thought from way-
back-when we discussed this on the spec (or when I remember discussing it...) I
think it is likely they'd be the same person. If you make the lists too different
then it becomes harder to see it being the same person and if you put all of the
attributes together as an expectation for one person you may end up with a
rainbow-colored unicorn holding a pot of gold.

I think things like "May be involved in security/privacy/data protection
compliance as well as licensing compliance." and "Shares their time with other
compliance functions." are unnecessary – how else they share their job doesn't
matter, may vary, and by listing this, it only seems to limit the description.

I would never be so bold to say I have a "solid understanding of code
development process", but I understand or seek to understand enough to apply
the certainly necessary/required attribute of "solid understanding of potential
open source legal issues" – if you are talking about a lawyer, they better have
the "ability to communicate with engineers/developers" (b/c let's face it, many
simply do not).

I'm not sure if "speaks at conferences" is really critical or indicative for either
of these roles – it just happens to be the profile we all share (and largely why we
know each other!) – but some companies are not too liberal with sending their
people to conferences, so that can be a limiter that has nothing to do with
ability.

"speed dial" – come on guys, are we dating ourselves here or what?

I have now only looked at Andrew's original list and feel really disappointed
that some key attributes that I'd clearly qualify under: like XKCD, wears
jeans/t-shirts, skis (but has snowboarded in past), likes dinner parties (duh!) – are
now gone... ;)

I have to say, my gut response to this and your responses back reminded me
all too well of a talk I recently heard about hiring that quoted a statistic about
how women will only apply for a job they feel they are 100% qualified for
whereas men will apply where they are 60% qualified... so maybe this is a matter
of perspective!

As to Andrew's original ponder as to what characteristics: I'd say the
compliance role is more likely to be a lawyer. While I don't think this needs to be
a hard-and-fast rule, the reality is that legal risk rolls up to the GC, so it's more likely
responsibility rolls down through the legal department for something that is a
legal risk. I'd suspect that even where there are very savvy license compliance
folks who are not lawyers, some accountability still rests on the legal
department. The liaison can be considered a more outward facing role (and less
"legal") as per the description, but isn't the liaison fielding requests regarding
compliance from external parties? In which case, they'd better know the nuts
and bolts about what is going on internally for compliance – shouldn't they?

Finally, if I was in a small company and you gave me this list as an example, I
might be overwhelmed and give up.

That's all I have at this late hour!

J.

On 07/09/2017, 22:49, "David Marr" <dmarr@...> wrote:

Meanwhile I didn't read it as normative points, just illustrative, esp. with
regard to the external speaking aspects. In that light I thought it was a good set
of descriptors that add color and not intended as a set of requirements. And
Jilayne, I would think you'd qualify, except we might need to check your speed dial
as a new type of conformance artifact ;)

To Shane's point -- suggested tweaks?

Dave

-----Original Message-----
From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Shane Martin Coughlan
Sent: Thursday, September 7, 2017 9:42 PM
To: Jilayne Lovejoy <Jilayne.Lovejoy@...>
Cc: openchain@...
Subject: Re: [OpenChain] Compliance Office and Liaison Office

Hi Jilayne

If you don’t qualify then we are clearly doing something wrong!

Any ideas on how we could make these descriptions more accurate for real-
world use?

Regards

Shane

On Sep 8, 2017, at 13:35, Jilayne Lovejoy <Jilayne.Lovejoy@...>
wrote:

This seems like a very high threshold to me. I don't think I'm qualified and I
thought I was before!

:)
Jilayne

On 07/09/2017, 21:25, "openchain-bounces@... on behalf of Shane Martin Coughlan" <openchain-bounces@... on behalf of coughlan@...> wrote:

Hi Andrew

This looks like a reasonable basis for describing the two job roles. I think
adding something like this to our material - perhaps in the curriculum - makes
sense. I took a stab at formalizing the wording slightly.

Compliance:

May be involved in security/privacy/data protection compliance as well as licensing compliance.
Needs solid overview understanding of code development process, but not necessarily a coder.
Needs solid understanding of potential open source legal issues.
Has PR, Legal and the Liaison Officer on speed dial.
Spends time talking to/understanding the needs and culture of Management and Coders.
Speaks at legal and compliance conferences.
Shares their time with other compliance functions.
Likely to frequently engage with business management and legal representatives.


Liaison:

More likely to be involved in the code development process.
May be a contributor/participant in open source projects, and possibly involved in governance of those projects.
Needs solid understanding of potential open source issues.
Natural consensus builder.
Has compliance and project managers on speed dial.
Acts as an advocate for developers and project managers towards business management.
Speaks at developer conferences.
Spends most of their time immersed in code/project/governance.
Likely to frequently engage with developers and project managers.

Regards

Shane

On Sep 1, 2017, at 20:45, Andrew Katz <Andrew.Katz@...>
wrote:

Hi All

I’m helping a client with onboarding at the moment, and they have
queried the difference between the roles of FOSS Compliance Officer and FOSS
Liaison. This got me thinking, and I’d like to provide further guidance to my
client in terms of the characteristics that an appropriate person in each role
would have.

I can see that in some organisations, they may be the same person.
However, the skillsets are subtly different, although overlapping. I’d like to get
some consensus on what we feel the criteria are, and then we can maybe
formalise them (not necessarily as part of the curriculum or specification itself,
but as guidance). The list below is *not* intended to be a formal definition, but
is basically me trying to capture my gut instincts about the characteristics that
such a person might have, for right or wrong, so we can formalise them (it’s
slightly tongue-in-cheek, but it’s a way of kicking off a serious conversation):

Compliance:

May also be involved in compliance in other aspects of the business (such as security/privacy/data protection).
Needs solid overview understanding of code development process, but not necessarily a coder.
Needs solid understanding of potential FOSS legal issues.
Spends time in the Legal Devroom at FOSDEM.
Responsive - has PR, Legal and the Liaison Officer on speed dial.
Spends time talking to/understanding the needs and culture of Management and Coders.
Speaks at compliance conferences.
Shares their time with other compliance functions.
Likes dinner parties.
Likes biographical movies.
More likely to wear a suit/business casual.
Skis.


Liaison:

More likely to be involved in the code development process.
May be a contributor/participant in FOSS projects, and possibly involved in governance of those projects.
Needs solid understanding of potential FOSS issues.
Spends time visiting the project booths at FOSDEM.
Natural consensus builder.
Has Compliance on speed dial, as well as project leads for projects s/he is involved in.
Acts as an advocate for coders to management, and projects to management, as well as the benefits (e.g. upstreaming) of project involvement.
Has read Jono Bacon on community development.
Speaks at Dev conferences.
Spends most of their time immersed in code/project/governance.
Huge fan of XKCD and Rick and Morty.
More likely to wear jeans/hoodie/tshirt.
Snowboards.


Any thoughts?

All the best


Andrew




_______________________________________________
OpenChain mailing list
OpenChain@...
https://lists.linuxfoundation.org/mailman/listinfo/openchain