A couple of things to keep in mind, OpenChain is an element of a compliance program which is in turn an element of an open source governance program and the business justification for Openchain can be tied to the larger goals for compliance and governance which will vary by industry. If you embed lots of open source in products you sell, then you are very concerned about license compliance and IP leakage, if you’re in a highly regulated environment like financial services you’re more concerned about regulatory compliance, cybersecurity risks and operational overhead maintenance, what I refer to as open source component lifecycle management. When Openchain conformance is a part of those larger efforts it is much easier to justify.

 

 

Regards,

 

Andrew Aitken

Global Open Source Practice Leader

in/opensourcestrategy AndrewOSS_Strat

650-704-6321

 

 

 

 

Sensitivity: Internal & Restricted

From: main@... <main@...> On Behalf Of Trent Allgood via lists.openchainproject.org
Sent: Sunday, February 21, 2021 7:18 AM
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value

 

CAUTION:This email is received from an external domain. Open the hyperlink(s) & attachment(s) with caution.
.
 

I agree with the previous statements as well. In addition, it might be hard to find current statements on Open Chain itself due to its relative infancy, especially as an ISO PAS, but Gartner has said a lot over the years about the business value of proper IT Asset Management (ITAM) & Software Asset Management (SAM) governance. ITAM includes SAM which itself includes Software License Management & Compliance which itself includes Open Source License Management & Compliance. One of the most common statistics used from Gartner (paraphrased) is: 'companies with mature Software Asset Management practices can recognize 30% cost savings the first year and 5% cost savings in each of the subsequent 5 years' (See G00214140 for the exact language). Gartner has also made several statements on the trend of IT Security concerns being the main driver for adopting proper SAM governance programs. An organization can't manage and mitigate what it is not aware of (e.g. the Equifax breach; the congressional report directly blames the lack of knowledge of what Software was running in the environment). This is commonly referred to as 'shadow IT' and Gartner states that it expects a third of future cyber security breaches to be facilitated by unmanaged shadow IT ('Gartner Predictions for IT Infrastructure and Operations 2016'). So depending on if your organization's scope is more broad than Open Source License Compliance, you may find additional compelling reasons and statistics. Keep in mind, there is also a family of ISO Standards for IT Asset Management: ISO/IEC 19770-1:2017.

 

Kind regards,

 

Trent Allgood

ISO/IEC JTC1 SC7/WG21, Secretary

Anglepoint, Director, ITAM

 

On Sat, Feb 20, 2021 at 9:44 PM Prasad Iyer via lists.openchainproject.org <prasadiy=cisco.com@...> wrote:

This is an interesting question and really valid points from Oliver. In any major organization like ours, it is common for the portfolio governance Team to get the relevant justifications on the business(financial) value before they make a call to invest on any major initiative/projects. When it comes to Compliance related initiatives, it is really difficult to quantify in actual dollars the business value-add.

 

Here are some thoughts that I would like to share  on this -- Apart from the legal obligation, Compliance can be considered more as an insurance policy for the larger organization that offers protection from any potential license violation related liabilities/law suits and leakage of IPs in the future. In addition to this, having a robust compliance process is fundamental to generating and maintaining the most accurate Bill Of Materials (BOMs) for a given Product that may improve corresponding organization’s Supply chain forecasting accuracy. A stable and well managed Compliance program helps major organizations to ensure not to miss or over pay on their royalty payment obligations which at times can lead to major financial losses or litigations. So just to summarize, one may not be able to tag a given dollar amount as the Business value-add for having a dynamic and effective compliance program  since it may not be realized accurately in a short term. However, Organization’s overall Productivity and improved forecasting accuracy are the most certain business values one may realize due to Compliance in addition to legal and liability protection that can’t be quantified and may vary from case to case as appropriate.

 

Cheers,

 

Prasad Iyer Director, Engineering - Product Operations   Email : prasadiy@... Phone: +1 (408) 315-5101

 

 

 

 

From: <main@...> on behalf of Oliver Fendt <oliver.fendt@...>
Reply-To: "main@..." <main@...>
Date: Saturday, February 20, 2021 at 8:52 AM
To: "main@..." <main@...>
Subject: Re: [openchain] OpenChain Certification and Business Value

 

Hi Robert,

 

This is a kind of strange question – it sounds to me like – What is the business justification not to breaking the law?

Would this organization do business with organizations which do not care about law? Or put it the other way – Are they a serious business partner, with such kind of attitude?

But coming back to your question, I am not aware about studies in this regard, I think it is to early for existing studies, it is an ISO standard since 2 months now.

OpenChain conformance is not only about OSS compliance it is about license compliance in general.

So the business justification is less damages, settlements and lawsuits => cost reduction. The copyright act defines strong measures against entities, which are not in compliance with law at least in Germany ( https://www.gesetze-im-internet.de/englisch_urhg/englisch_urhg.html#p0561 – this has to be taken seriously, think about the consequences in such a case

I am sure that we will see more and more companies requiring OpenChain conformance in their supplier conditions. Especially those companies, which integrate supplier goods in their own offerings will require OpenChain conformance. It might be that the public sector will also require it.

The business justification is that this organization will be able to do business with companies that will require OpenChain conformance.

 

Ciao

Oliver

 

 

 

From: main@... <main@...> On Behalf Of Robert via lists.openchainproject.org
Sent: Samstag, 20. Februar 2021 03:09
To: main@...
Subject: [openchain] OpenChain Certification and Business Value

 

Recently, I was asked whether I could supply a business justification for OpenChain certification. "Business justification," in this case, means will it have any effect on sales. Is there a dollar amount that can be attached to compliance? Have we lost or gained a sale by compliance/certification? Personally, I do not know. Has there been a study that demonstrates tangible business value? Does anyone have experience with a sale that depended on having OpenChain compliance? Or a well-defined Open Source program?

 

 

 

'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'