This is an interesting question, and really valid points from Oliver. In any major organization like ours, it is common for the portfolio governance team to get the relevant justifications
on the business (financial) value before they make a call to invest in any major initiative/project. When it comes to compliance-related initiatives, it is really difficult to quantify the business value-add in actual dollars.
Here are some thoughts that I would like to share on this. Apart from the legal obligation, compliance can be considered more as an insurance policy for the larger organization
that offers protection from any potential license-violation-related liabilities/lawsuits and leakage of IP in the future. In addition to this, having a robust compliance process is fundamental to generating and maintaining the most accurate Bills of Materials
(BOMs) for a given product, which may improve the organization's supply chain forecasting accuracy. A stable and well-managed compliance program helps major organizations ensure that they neither miss nor overpay their royalty payment obligations, which
at times can lead to major financial losses or litigation. So, just to summarize, one may not be able to tag a given dollar amount as the business value-add of having a dynamic and effective compliance program, since it may not be realized accurately in the
short term. However, the organization's overall productivity and improved forecasting accuracy are the most certain business values one may realize from compliance, in addition to legal and liability protection, which can't be quantified and may vary from case
to case as appropriate.
This is a kind of strange question – it sounds to me like: what is the business justification for not breaking the law?
Would this organization do business with organizations which do not care about the law? Or, to put it the other way: are they a serious business partner with such an attitude?
But coming back to your question, I am not aware of studies in this regard; I think it is too early for studies to exist, as it has been an ISO standard for only two months now.
OpenChain conformance is not only about OSS compliance it is about license compliance in general.
So the business justification is fewer damages, settlements and lawsuits => cost reduction. The copyright act defines strong measures against entities which are not in compliance
with the law, at least in Germany
(https://www.gesetze-im-internet.de/englisch_urhg/englisch_urhg.html#p0561). This has to be taken seriously; think about the consequences in such a case.
I am sure that we will see more and more companies requiring OpenChain conformance in their supplier conditions. Especially those companies which integrate supplier goods into their
own offerings will require OpenChain conformance. It might be that the public sector will also require it.
The business justification is that this organization will be able to do business with companies that will require OpenChain conformance.
Recently, I was asked whether I could supply a business justification for OpenChain certification. "Business justification," in this case, means: will it have any effect on sales?
Is there a dollar amount that can be attached to compliance? Have we lost or gained a sale through compliance/certification? Personally, I do not know. Has there been a study that demonstrates
tangible business value? Does anyone have experience with a sale that depended on having OpenChain compliance, or a well-defined open source program?