Re: OpenChain Certification and Business Value


Dear All,

I wrote for Open Source For You magazine, February edition, covering the risk and legal action, and the cost of non-compliance. The article, titled "Check Before You Ship Software", attempts to capture broadly the various non-compliance risks.

Warm Regards

Biju K Nair


On Sun, Feb 21, 2021 at 10:50 PM Andrew Aitken wrote:

A couple of things to keep in mind: OpenChain is an element of a compliance program, which is in turn an element of an open source governance program, and the business justification for OpenChain can be tied to the larger goals for compliance and governance, which will vary by industry. If you embed lots of open source in products you sell, then you are very concerned about license compliance and IP leakage; if you're in a highly regulated environment like financial services, you're more concerned about regulatory compliance, cybersecurity risks and operational overhead maintenance, what I refer to as open source component lifecycle management. When OpenChain conformance is a part of those larger efforts it is much easier to justify.

Andrew Aitken

Global Open Source Practice Leader

in/opensourcestrategy AndrewOSS_Strat
From: main@... <main@...> On Behalf Of Trent Allgood via
Sent: Sunday, February 21, 2021 7:18 AM
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value

I agree with the previous statements as well. In addition, it might be hard to find current statements on OpenChain itself due to its relative infancy, especially as an ISO PAS, but Gartner has said a lot over the years about the business value of proper IT Asset Management (ITAM) and Software Asset Management (SAM) governance. ITAM includes SAM, which itself includes Software License Management and Compliance, which itself includes Open Source License Management and Compliance. One of the most common statistics used from Gartner (paraphrased) is: 'companies with mature Software Asset Management practices can recognize 30% cost savings the first year and 5% cost savings in each of the subsequent 5 years' (see G00214140 for the exact language). Gartner has also made several statements on the trend of IT security concerns being the main driver for adopting proper SAM governance programs. An organization can't manage and mitigate what it is not aware of (e.g. the Equifax breach; the congressional report directly blames the lack of knowledge of what software was running in the environment). This is commonly referred to as 'shadow IT', and Gartner states that it expects a third of future cybersecurity breaches to be facilitated by unmanaged shadow IT ('Gartner Predictions for IT Infrastructure and Operations 2016'). So depending on whether your organization's scope is broader than Open Source License Compliance, you may find additional compelling reasons and statistics. Keep in mind, there is also a family of ISO standards for IT Asset Management: ISO/IEC 19770-1:2017.


Kind regards,


Trent Allgood

ISO/IEC JTC1 SC7/WG21, Secretary

Anglepoint, Director, ITAM


On Sat, Feb 20, 2021 at 9:44 PM Prasad Iyer wrote:

This is an interesting question, and really valid points from Oliver. In any major organization like ours, it is common for the portfolio governance team to get the relevant justifications on the business (financial) value before they make a call to invest in any major initiative/project. When it comes to compliance-related initiatives, it is really difficult to quantify the business value-add in actual dollars.


Here are some thoughts that I would like to share on this. Apart from the legal obligation, compliance can be considered more as an insurance policy for the larger organization that offers protection from any potential license-violation-related liabilities/lawsuits and leakage of IP in the future. In addition to this, having a robust compliance process is fundamental to generating and maintaining the most accurate Bills of Materials (BOMs) for a given product, which may improve the corresponding organization's supply chain forecasting accuracy. A stable and well-managed compliance program helps major organizations ensure they do not miss or overpay on their royalty payment obligations, which at times can lead to major financial losses or litigation. So just to summarize, one may not be able to tag a given dollar amount as the business value-add of having a dynamic and effective compliance program, since it may not be realized accurately in the short term. However, the organization's overall productivity and improved forecasting accuracy are the most certain business values one may realize due to compliance, in addition to legal and liability protection that can't be quantified and may vary from case to case as appropriate.

Prasad Iyer

Director, Engineering - Product Operations


Email : prasadiy@...

Phone: +1 (408) 315-5101


From: <main@...> on behalf of Oliver Fendt <oliver.fendt@...>
Reply-To: "main@..." <main@...>
Date: Saturday, February 20, 2021 at 8:52 AM
To: "main@..." <main@...>
Subject: Re: [openchain] OpenChain Certification and Business Value


Hi Robert,


This is a kind of strange question. It sounds to me like: what is the business justification for not breaking the law?

Would this organization do business with organizations which do not care about the law? Or, to put it the other way: are they a serious business partner with such an attitude?

But coming back to your question, I am not aware of studies in this regard. I think it is too early for existing studies; it has been an ISO standard for 2 months now.

OpenChain conformance is not only about OSS compliance; it is about license compliance in general.

So the business justification is fewer damages, settlements and lawsuits => cost reduction. The copyright act defines strong measures against entities which are not in compliance with the law, at least in Germany. This has to be taken seriously; think about the consequences in such a case.

I am sure that we will see more and more companies requiring OpenChain conformance in their supplier conditions, especially those companies which integrate supplier goods into their own offerings. It might be that the public sector will also require it.

The business justification is that this organization will be able to do business with companies that will require OpenChain conformance.

From: main@... <main@...> On Behalf Of Robert via
Sent: Saturday, 20 February 2021 03:09
To: main@...
Subject: [openchain] OpenChain Certification and Business Value


Recently, I was asked whether I could supply a business justification for OpenChain certification. "Business justification," in this case, means will it have any effect on sales. Is there a dollar amount that can be attached to compliance? Have we lost or gained a sale by compliance/certification? Personally, I do not know. Has there been a study that demonstrates tangible business value? Does anyone have experience with a sale that depended on having OpenChain compliance? Or a well-defined Open Source program?