Hey hey!
I've been following this discussion now for a while and I'd like
to add my 50 cents to it.
As I understood it is currently hard for some to get a grip on
the business value of an OpenChain certification, or even the
value of an OpenChain compliant program?
I think Oliver's initial question states it quite clearly: "What
is the business justification not to break the law?" I'd
like to add, what is the business value to be sure that you don't
violate legal rules by accident? If you violate the license
obligations of the components you use in your product, regardless
if you did it on purpose or because of your ignorance of the
obligations, you simply have no legal right to sell your product
anymore - as you never had the right to do so anyway. This means
all your investment to develop your product, all production costs you
had for manufacturing, shipping etc. - you could have burnt that
money, you are definitely not getting any revenue out of your
product anymore. You might even have costs for the legal proceedings
and charges, compensation payments to the rights holders, maybe
even costs for the disposal of your now useless product. Maybe
even damage compensation for your customers, as they also cannot
use your product anymore in their products. As Oliver already
stated, the value for sure is "less damages, settlements
and lawsuits => cost reduction".
And thinking of the OpenChain compliant program as a risk
management measure clearly shows that this risk must be managed in
your complete supply chain. And it will lead to the question of how to
prove to your business partners that you are compliant - and
likewise how to ask for compliance evidence. So there you have the
value of certifications - it is a standardized evidence that you
are compliant.
So there is a clear value in certifications. Which of the three
certification models offered by OpenChain is the most valuable
for your business case is up to you. Usually that is a matter of
trust - if you know your partners quite well you will be ok with
self certification. It becomes more complicated if you want to
demonstrate your compliance to a bigger audience, be it in
concrete sales discussions or to position your product or services
on the market. As already stated by Dirk, this could help a
positioning as a premium provider on the market. And there might
come the day, that compliance to OpenChain will be a fixed staple
in every RFQ, like A-SPICE is now in certain markets.
Anyway: @Dirk Riehle: regarding "The missing part seem
to be the certification agencies (and their assessors). The
people who drove forward the TUEV certification mark have left;
not sure much is going on there. Any other agencies?" - Yes,
we have left, but we have now established a cooperation with our
ex-colleagues at TÜV SÜD to support them to continue with the
OpenChain 3rd party certification - so if anybody is interested
in getting a TÜV mark on their compliance activities, please feel
free to contact me, I'm still the main driver of their 3rd party
certification. And regarding your question of an ISO standard how
to set up certification agencies - it's the ISO/IEC 17065:2012.
That's the one you can go for e.g. by asking the DAkkS for
accreditation. In addition to this accreditation, the value of the
certificate you issue as a certification body will still only be
as valuable as the level of trust the market has in your
certification brand.
The question that's coming into my mind now is: How can we
establish trust in the assessment and certification programs? How
can we ensure the quality of Independent Compliance Assessment and
OpenChain 3rd party certifications? The certification based on the
standard can be done by everybody, but does anybody see a value in
having something like an "OpenChain project accredited Assessment
Partner"? Or a training and personal certification program for
OpenChain assessors, similar to what's there for A-SPICE?
Maybe it's worth discussing all this in one of our regular calls?
BR,
Nicole
On 22.02.21 at 09:38, Shane Coughlan wrote:
All, fantastic discussion thus far. I am jumping in at Trent’s
email because it touches on a strategic development and - indeed -
target for the project.
Today open source exists inside the practice of SAM but
somewhat dislocated from the discussion. Open source is
sometimes perceived as different from “normal” software, and
therefore potentially possessing some risk that stands apart.
This potential perception, naturally, runs against the streams
of the industry itself, whereby open source is embedded into the
fabric of all software deployment today.
The fate of open source is rightfully in SAM, and ISO 5230 is
a significant step towards this clear normalization of open
source compliance in this manner. Adjacent to this we see other
initiatives, most notably SPDX - provisionally due as an ISO
standard around June - and advanced discussions with automation
vendors and open source tooling projects regarding transparent
interoperability.
The OpenChain Project has no specific insight into any
business plan or decision by any company (naturally), but we do have
insight into the trends unfolding. The quip that ISO 5230 can
replace 12 pages of bespoke contract language (and work better)
is growing closer to a crescendo. The standard is also being
applied in production to assist security, export control and
M&A. The uptick of enquiries from suppliers thinking about
sales optics is noticeable since graduating from ISO.
My baseline prediction is that ISO 5230 will enter a
substantial number of purchasing negotiations this year, with
the majority probably offering a preferred status, and a
minority leaning towards a required status. These metrics will
adjust with bias towards requirements in 2022.
Meanwhile, the project will collaborate with experts in the
SAM space, both user companies and vendors, to place ISO 5230 in
a clear context with all the other standards companies use for
effectiveness, from ISO 9001 through to ISO 26262. We will seek
to become as boring as possible as quickly as possible, a
reflection of ensuring OpenChain is the solution adopted with as
little disturbance but as much benefit as possible.
Regards
Shane
I agree with the previous statements as well.
In addition, it might be hard to find current statements
on Open Chain itself due to its relative infancy,
especially as an ISO PAS, but Gartner has said a lot over
the years about the business value of proper IT Asset
Management (ITAM) & Software Asset Management (SAM)
governance. ITAM includes SAM which itself includes
Software License Management & Compliance which itself
includes Open Source License Management & Compliance.
One of the most common statistics used from Gartner
(paraphrased) is: 'companies with mature Software Asset
Management practices can recognize 30% cost savings the
first year and 5% cost savings in each of the subsequent 5
years' (See G00214140 for the exact language). Gartner has
also made several statements on the trend of IT Security
concerns being the main driver for adopting proper SAM
governance programs. An organization can't manage and
mitigate what it is not aware of (e.g. the Equifax breach;
the congressional report directly blames the lack of
knowledge of what Software was running in the
environment). This is commonly referred to as 'shadow IT'
and Gartner states that it expects a third of future cyber
security breaches to be facilitated by unmanaged shadow IT
('Gartner Predictions for IT Infrastructure and Operations
2016'). So depending on whether your organization's scope is
broader than Open Source License Compliance, you may
find additional compelling reasons and statistics. Keep in
mind, there is also a family of ISO Standards for IT Asset
Management: ISO/IEC 19770-1:2017.
Kind regards,
Trent Allgood
ISO/IEC JTC1 SC7/WG21, Secretary
Anglepoint, Director, ITAM
This is an interesting question
and really valid points from Oliver. In any major
organization like ours, it is common for the
portfolio governance Team to get the relevant
justifications on the business(financial) value
before they make a call to invest in any major
initiative/projects. When it comes to Compliance
related initiatives, it is really difficult to
quantify in actual dollars the business value-add.
Here are some thoughts that I
would like to share on this -- Apart from the
legal obligation, Compliance can be considered
more as an insurance policy for the larger
organization that offers protection from any
potential license violation related
liabilities/law suits and leakage of IPs in the
future. In addition to this, having a robust
compliance process is fundamental to generating
and maintaining the most accurate Bill Of
Materials (BOMs) for a given Product that may
improve corresponding organization’s Supply chain
forecasting accuracy. A stable and well managed
Compliance program helps major organizations to
ensure not to miss or overpay on their royalty
payment obligations which at times can lead to
major financial losses or litigations. So just to
summarize, one may not be able to tag a given
dollar amount as the Business value-add for having
a dynamic and effective compliance program since
it may not be realized accurately in a short term.
However, an organization's overall productivity and
improved forecasting accuracy are the most certain
business values one may realize due to Compliance
in addition to legal and liability protection that
can’t be quantified and may vary from case to case
as appropriate.
Cheers,
Hi Robert,
This is a kind of strange
question – it sounds to me like – What is the
business justification not to break the law?
Would this organization do
business with organizations which do not care
about law? Or put it the other way – Are they a
serious business partner, with such kind of
attitude?
But coming back to your
question, I am not aware of studies in this
regard, I think it is too early for existing
studies, it has been an ISO standard for 2 months now.
OpenChain conformance is not
only about OSS compliance it is about license
compliance in general.
So the business justification
is less damages, settlements and lawsuits =>
cost reduction. The copyright act defines strong
measures against entities which are not in
compliance with law, at least in Germany:
https://www.gesetze-im-internet.de/englisch_urhg/englisch_urhg.html#p0561
This has to be taken seriously; think about the
consequences in such a case.
I am sure that we will see more
and more companies requiring OpenChain conformance
in their supplier conditions. Especially those
companies, which integrate supplier goods in their
own offerings will require OpenChain conformance.
It might be that the public sector will also
require it.
The business justification is
that this organization will be able to do business
with companies that will require OpenChain
conformance.
Ciao
Oliver
Recently, I was asked whether
I could supply a business justification for
OpenChain certification. "Business
justification," in this case, means will it have
any effect on sales. Is there a dollar amount
that can be attached to compliance? Have we lost
or gained a sale by compliance/certification?
Personally, I do not know. Has there been a
study that demonstrates
tangible business value? Does anyone
have experience with a sale that depended on
having OpenChain compliance? Or a well-defined
Open Source program?