Re: OpenChain Certification and Business Value
Shane, to your point, having been involved in building or advising on over 50+ governance programs, one area of weakness we consistently see is around supply chain management. Many organizations set up sophisticated processes, tooling and automation to manage code they build and deploy and only give a passing thought to code ingested or embedded and deployed in their products from 3rd parties.
Global Open Source Practice Leader
Sent: Thursday, February 25, 2021 2:07 AM
Subject: Re: [openchain] OpenChain Certification and Business Value
Thanks Mary. An important point.
Many companies have existing and effective measures in place to address open source compliance. OpenChain does not invalidate or forcibly replace these measures, but it does provide a unified method for approaching the problem space moving forward.
Because OpenChain is particularly useful in the context of supply chain management - both base compliance and in ensuring harmonized process approaches - it offers the potential to offer greater effectiveness and efficiency than bespoke approaches. This is a key driver to our observed engagement and growth.
The bias in expressing business values tends to be towards reduced resource cost (less time on bespoke approaches and governance) with increased speed (faster problem analysis and remediation).
I do aim to have case studies unfolding over this year providing metrics, though in the specific context the % gained for ISO 5230 is still being unpacked due to the newness to market.
We will have a mini-summit shortly. Perhaps we can take an hour for existing conformant companies to talk about their derived business value?
On Feb 23, 2021, at 1:42, Mattran, Mary <mary.mattran@...> wrote:
To me, this is a strange answer. My company is not OC compliant, but we certainly have been taking compliance seriously and have much in place to support that commitment in the form of compliance reviews. So, we don't break the law. OC Compliance is not a law. It is a standard for having a robust compliance program. If you already have ways of ensuring you are not violating licenses/law, the question is "what value does it have for me to go the extra mile to become OC compliant?" An important question for companies to answer.
My company supplies automotive subsystems to auto manufacturers. The auto manufacturers are starting to ask about our plans to be OC compliant. It is a business-to-business question, and easier for us to answer. If I am a customer looking for COTS, I am likely not going to ask if the SW is OC Compliant, so it may have no business value to that vendor to take the extra steps to OC compliance.