Re: OpenChain Certification and Business Value

Nicole Pappler

Hey hey!

I've been following this discussion now for a while and I'd like to add my 50 cents to it.

As I understand it, it is currently hard for some to get a grip on the business value of an OpenChain certification, or even on the value of an OpenChain compliant program?

I think Oliver's initial question states it quite clearly: "What is the business justification not to break the law?" I'd like to add, what is the business value of being sure that you don't violate legal rules by accident? If you violate the license obligations of the components you use in your product, regardless of whether you did it on purpose or out of ignorance of the obligations, you simply have no legal right to sell your product anymore - as you never had the right to do so anyway. This means all your investment to develop your product, all production costs you had for manufacturing, shipping etc. - you could have burnt that money, you are definitely not getting any revenue out of your product anymore. You might even have costs for the legal proceedings and charges, compensation payments to the rights holders, maybe even costs for the disposal of your now useless product. Maybe even damage compensation for your customers, as they also cannot use your product anymore in their products. As Oliver already stated, the value for sure is "less damages, settlements and lawsuits => cost reduction".

And thinking of the OpenChain compliant program as a risk management measure clearly shows that this risk must be managed in your complete supply chain. And it will lead to the question of how to prove to your business partners that you are compliant - and likewise how to ask for compliance evidence. So there you have the value of certifications - it is standardized evidence that you are compliant.

So there is a clear value in certifications. Which of the three certification models offered by OpenChain is the most valuable for your business case is up to you. Usually that is a matter of trust - if you know your partners quite well you will be ok with self-certification. It becomes more complicated if you want to demonstrate your compliance to a bigger audience, be it in concrete sales discussions or to position your product or services on the market. As already stated by Dirk, this could help a positioning as a premium provider on the market. And there might come the day that compliance with OpenChain will be a fixed staple in every RFQ, like A-SPICE is now in certain markets.

Anyway: @Dirk Riehle: regarding "The missing part seem to be the certification agencies (and their assessors). The people who drove forward the TUEV certification mark have left; not sure much is going on there. Any other agencies?" - Yes, we have left, but we have now established a cooperation with our ex-colleagues at TÜV SÜD to support them in continuing with the OpenChain 3rd party certification - so if anybody is interested in getting a TÜV mark on their compliance activities, please feel free to contact me, I'm still the main driver of their 3rd party certification. And regarding your question of an ISO standard on how to set up certification agencies - it's ISO/IEC 17065:2012. That's the one you can go for, e.g. by asking DAkkS for accreditation. In addition to this accreditation, the value of the certificate you issue as a certification body will still only be as valuable as the level of trust the market has in your certification brand.

The question that's coming to my mind now is: How can we establish trust in the assessment and certification programs? How can we ensure the quality of Independent Compliance Assessment and OpenChain 3rd party certifications? The certification based on the standard can be done by anybody, but does anybody see a value in having something like an "OpenChain project accredited Assessment Partner"? Or a training and personal certification program for OpenChain assessors, similar to what's there for A-SPICE?

Maybe it's worth discussing all this in one of our regular calls?

On 22.02.21 at 09:38 Shane Coughlan wrote:

All, fantastic discussion thus far. I am jumping in at Trent’s email because it touches on a strategic development and - indeed - target for the project.

Today open source exists inside the practice of SAM but somewhat dislocated from the discussion. Open source is sometimes perceived as different from "normal" software, and therefore potentially possessing some risk that stands apart. This potential perception, naturally, runs against the streams of the industry itself, whereby open source is embedded into the fabric of all software deployment today.

The fate of open source is rightfully in SAM, and ISO 5230 is a significant step towards this clear normalization of open source compliance in this manner. Adjacent to this we see other initiatives, most notably SPDX - provisionally due as an ISO standard around June - and advanced discussions with automation vendors and open source tooling projects regarding transparent interoperability.

The OpenChain Project has no specific insight into any business plan or decision by any company (naturally), but we do have insight into the trends unfolding. The quip that ISO 5230 can replace 12 pages of bespoke contract language (and work better) is growing closer to a crescendo. The standard is also being applied in production to assist security, export control and M&A. The uptick of enquiries from suppliers thinking about sales optics is noticeable since graduating from ISO.

My baseline prediction is that ISO 5230 will enter a substantial number of purchasing negotiations this year, with the majority probably offering a preferred status, and a minority leaning towards a required status. These metrics will adjust with a bias towards requirements in 2022.

Meanwhile, the project will collaborate with experts in the SAM space, both user companies and vendors, to place ISO 5230 in a clear context with all the other standards companies use for effectiveness, from ISO 9001 through to ISO 26262. We will seek to become as boring as possible as quickly as possible, a reflection of ensuring OpenChain is the solution adopted with as little disturbance but as much benefit as possible.

On Feb 21, 2021, at 23:18, Trent Allgood <trentallgood@...> wrote:

I agree with the previous statements as well. In addition, it might be hard to find current statements on OpenChain itself due to its relative infancy, especially as an ISO PAS, but Gartner has said a lot over the years about the business value of proper IT Asset Management (ITAM) & Software Asset Management (SAM) governance. ITAM includes SAM, which itself includes Software License Management & Compliance, which itself includes Open Source License Management & Compliance. One of the most common statistics used from Gartner (paraphrased) is: 'companies with mature Software Asset Management practices can recognize 30% cost savings the first year and 5% cost savings in each of the subsequent 5 years' (see G00214140 for the exact language). Gartner has also made several statements on the trend of IT Security concerns being the main driver for adopting proper SAM governance programs. An organization can't manage and mitigate what it is not aware of (e.g. the Equifax breach; the congressional report directly blames the lack of knowledge of what software was running in the environment). This is commonly referred to as 'shadow IT', and Gartner states that it expects a third of future cyber security breaches to be facilitated by unmanaged shadow IT ('Gartner Predictions for IT Infrastructure and Operations 2016'). So depending on whether your organization's scope is broader than Open Source License Compliance, you may find additional compelling reasons and statistics. Keep in mind, there is also a family of ISO standards for IT Asset Management: ISO/IEC 19770-1:2017.

Kind regards,

Trent Allgood
ISO/IEC JTC1 SC7/WG21, Secretary
Anglepoint, Director, ITAM

On Sat, Feb 20, 2021 at 9:44 PM Prasad Iyer via <> wrote:

This is an interesting question and really valid points from Oliver. In any major organization like ours, it is common for the portfolio governance team to get the relevant justifications on the business (financial) value before they make a call to invest in any major initiative/project. When it comes to compliance related initiatives, it is really difficult to quantify in actual dollars the business value-add.


Here are some thoughts that I would like to share on this -- Apart from the legal obligation, compliance can be considered more as an insurance policy for the larger organization that offers protection from any potential license violation related liabilities/lawsuits and leakage of IP in the future. In addition to this, having a robust compliance process is fundamental to generating and maintaining the most accurate Bills of Materials (BOMs) for a given product, which may improve the corresponding organization's supply chain forecasting accuracy. A stable and well managed compliance program helps major organizations ensure they do not miss or overpay on their royalty payment obligations, which at times can lead to major financial losses or litigation. So just to summarize, one may not be able to tag a given dollar amount as the business value-add for having a dynamic and effective compliance program, since it may not be realized accurately in the short term. However, an organization's overall productivity and improved forecasting accuracy are the most certain business values one may realize due to compliance, in addition to legal and liability protection that can't be quantified and may vary from case to case as appropriate.

Prasad Iyer

Director, Engineering - Product Operations


Email : prasadiy@...

Phone: +1 (408) 315-5101

From: <main@...> on behalf of Oliver Fendt <oliver.fendt@...>
Reply-To: "main@..." <main@...>
Date: Saturday, February 20, 2021 at 8:52 AM
To: "main@..." <main@...>
Subject: Re: [openchain] OpenChain Certification and Business Value


Hi Robert,


This is a kind of strange question – it sounds to me like – What is the business justification not to break the law?

Would this organization do business with organizations which do not care about the law? Or to put it the other way – are they a serious business partner, with such an attitude?

But coming back to your question, I am not aware of studies in this regard; I think it is too early for studies to exist, as it has been an ISO standard for only 2 months now.

OpenChain conformance is not only about OSS compliance, it is about license compliance in general.

So the business justification is less damages, settlements and lawsuits => cost reduction. The copyright act defines strong measures against entities which are not in compliance with the law, at least in Germany – this has to be taken seriously; think about the consequences in such a case.

I am sure that we will see more and more companies requiring OpenChain conformance in their supplier conditions. Especially those companies which integrate supplier goods into their own offerings will require OpenChain conformance. It might be that the public sector will also require it.

The business justification is that this organization will be able to do business with companies that will require OpenChain conformance.

From: main@... <main@...> On Behalf Of Robert via
Sent: Saturday, 20 February 2021 03:09
To: main@...
Subject: [openchain] OpenChain Certification and Business Value


Recently, I was asked whether I could supply a business justification for OpenChain certification. "Business justification," in this case, means will it have any effect on sales. Is there a dollar amount that can be attached to compliance? Have we lost or gained a sale by compliance/certification? Personally, I do not know. Has there been a study that demonstrates tangible business value? Does anyone have experience with a sale that depended on having OpenChain compliance? Or a well-defined Open Source program?



