Re: OpenChain Certification and Business Value

Jan Thielscher

Hi Robert,

I followed the conversation and can confirm that the question of certification in the sense of "certify that I am compliant" vs. "I verified that we do the right things to comply" is a hard one. Most likely the existence of the standard will justify the certification over time. Why do I believe this?

Given you are about to make a multi-million, several-year supplier deal within the automotive industry, but the requirement is to be ISO 5230 compliant. If your org isn't ready at the time of tender, probably you will not make it to the bid. What are the opportunity costs for that? Well, probably the discounted EBIT of the project? Enough for a certification?

I do not know what the ticket sizes for your company are, but I would suggest thinking in that direction to make a first step. There is one thing for sure: the demand for this sort of certification will grow because it exists. It will bring the buyer into a better position than if he does not request it, while at the same time the costs are on the seller's side. Thus a buyer not requesting it does a bad job.

Back to your question: depending on your ticket size, the answer might be a multi-step approach. As Mary said: a single use case / request will most likely not make a business case. But preparing the organisation based on what you already have will reduce the effort and time required to achieve the cert, whenever required. So even smaller tickets allow a justification. The path to describe it will be specific to your company.

Following the above logic, the decision will anyhow evolve from a "whether" to a "when" ...

With kind regards
Jan Thielscher
T: +49 69 153 22 77 55
F: +49 69 153 22 77 51
Enterprise Architecture Consulting Group
Taunus Tor 1 (TaunusTurm), 60310 Frankfurt am Main
Commercial Register Frankfurt am Main HRB 84852
Managing Directors: Jan Thielscher, Dr.-Ing. Stefan Pokorny


On 22.02.2021 at 19:14, Robert via <> wrote:

Thank you to Shane and everyone who took the time to respond to my question.
I would like to clear one thing up. When I asked to justify compliance with the ISO standard from a business perspective, I did not mean to imply that my organization does not comply with open source licensing issues or that we do not have an internal program for making sure we are in compliance. We certainly do. Also, I believe everyone on this mailing list is, in some way, involved in Open Source compliance so I think we are mostly on the same page as to the need for compliance from a legal and ethical perspective.

From a business perspective, however, if I want to show data (and some data has been quoted in the replies to my original question -- thanks). Showing data in any compliance-related effort is challenging. Furthermore, the amount of effort it takes to produce the data may exceed the amount of effort to simply implement ISO compliance. I smell a research paper.