Re: OpenChain Certification and Business Value


reza.alavi@wipro.com
 

Hi Jan,

 

I take your point about corporate change and thank you for highlighting change management as one of the critical issues. In my experience, I've seen many enterprises struggling with their change management challenges while technology is continually changing. During the rise of regulation and linear software development, enterprises tended to demonstrate that they had fully auditable IT controls and regulated releases into production systems. Therefore, they adopted a rigorous and sometimes entirely inflexible IT change management process. Some of the best-practice frameworks, such as ITIL, are considered to create a responsible team (change advisory board) to assess requests for change against risk, their impacts and collision avoidance. The purpose of this is to balance the stability of enterprises with innovation. However, this traditional approach to change management created several challenges, such as increased overhead costs and, more importantly, frustration for development and operations teams. So, instead of change management being an enabler, it became a constraint.

 

The open source software compliance regime may not fit smoothly into the RFC (request for change) process in many enterprises and creates a pain point for development, operations and security teams. Thus, open source compliance is seen as unmanageable and a detriment to business.

 

I think it is time for some changes in the change management approach!

 

Warm regards,

Reza

 

Reza Alavi

Managing Consultant, UK&I/CE

Security, Risk, Compliance & Assurance

M: +44 7890 636734

Wipro Limited

3 Sheldon Square, London W2 6HY

 

 

From: main@... <main@...> On Behalf Of Jan Thielscher via lists.openchainproject.org
Sent: 25 February 2021 16:07
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value

 

 

Hello Aitken,

 

Thank you for pointing this out. I can underline this experience as well.

My suspicion is that project ownership and traditional corporate structures are root causes of this.

 

We try to organize projects from the beginning as corporate change projects. This does not make it easier to sell, but it sets the right expectations at sponsor level. When starting a project initiated in corporate legal, you may succeed in IT / Dev but might fail in corporate purchase or later in HR, when it comes to adjusting developer contracts concerning contributions…

 

Thus I would suggest framing it from the beginning as a corporate change.

 

Best regards

Jan

 

From: <main@...> on behalf of "Andrew Aitken via lists.openchainproject.org" <andrew.aitken=wipro.com@...>
Reply to: "main@..." <main@...>
Date: Thursday, 25 February 2021 at 15:36
To: "main@..." <main@...>
Subject: Re: [openchain] OpenChain Certification and Business Value

 

Shane, to your point, having been involved in building or advising on over 50 governance programs, one area of weakness we consistently see is around supply chain management. Many organizations set up sophisticated processes, tooling and automation to manage code they build and deploy, and only give a passing thought to code ingested or embedded and deployed in their products from third parties.

 

 

Regards,

 

Andrew Aitken

Global Open Source Practice Leader

in/opensourcestrategy AndrewOSS_Strat

650-704-6321


From: main@... <main@...> On Behalf Of Shane Coughlan via lists.openchainproject.org
Sent: Thursday, February 25, 2021 2:07 AM
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value

 

 

Thanks Mary. An important point.

 

Many companies have existing and effective measures in place to address open source compliance. OpenChain does not invalidate or forcibly replace these measures, but it does provide a unified method for approaching the problem space moving forward. 

 

Because OpenChain is particularly useful in the context of supply chain management - both for base compliance and in ensuring harmonized process approaches - it offers the potential for greater effectiveness and efficiency than bespoke approaches. This is a key driver of our observed engagement and growth.

 

The bias in expressing business values tends to be towards reduced resource cost (less time on bespoke approaches and governance) with increased speed (faster problem analysis and remediation).

 

I do aim to have case studies unfolding over this year providing metrics, though in the specific context the % gained for ISO 5230 is still being unpacked due to its newness to market.

 

We will have a mini-summit shortly. Perhaps we can take an hour for existing conformant companies to talk about their derived business value?

 

Regards

 

Shane 

 

On Feb 23, 2021, at 1:42, Mattran, Mary <mary.mattran@...> wrote:

To me, this is a strange answer. My company is not OC compliant, but we certainly have been taking compliance seriously and have much in place to support that commitment in the form of compliance reviews. So, we don't break the law. OC Compliance is not a law. It is a standard for having a robust compliance program. If you already have ways of ensuring you are not violating licenses/law, the question is "what value does it have for me to go the extra mile to become OC compliant?" An important question for companies to answer.

My company supplies automotive subsystems to auto manufacturers. The auto manufacturers are starting to ask about our plans to be OC compliant. It is a business-to-business question, and easier for us to answer. If I am a customer looking for COTS, I am likely not going to ask if the SW is OC Compliant, so it may have no business value to that vendor to take the extra steps to OC compliance.

'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'