OpenChain Certification and Business Value
Hi Robert,
This is a kind of strange question – it sounds to me like: What is the business justification for not breaking the law?
Would this organization do business with organizations which do not care about the law? Or, to put it the other way: are they a serious business partner with such an attitude?
But coming back to your question, I am not aware of studies in this regard. I think it is too early for studies to exist; it has been an ISO standard for 2 months now.
OpenChain conformance is not only about OSS compliance; it is about license compliance in general.
So the business justification is fewer damages, settlements and lawsuits => cost reduction. The copyright act defines strong measures against entities which are not in compliance with the law, at least in Germany (https://www.gesetze-im-internet.de/englisch_urhg/englisch_urhg.html#p0561). This has to be taken seriously; think about the consequences in such a case.
I am sure that we will see more and more companies requiring OpenChain conformance in their supplier conditions. Especially those companies which integrate supplier goods into their own offerings will require OpenChain conformance. It might be that the public sector will also require it.
The business justification is that this organization will be able to do business with companies that will require OpenChain conformance.
Ciao
Oliver
From: main@... <main@...> On Behalf Of Robert via lists.openchainproject.org
Sent: Samstag, 20. Februar 2021 03:09
To: main@...
Subject: [openchain] OpenChain Certification and Business Value
Recently, I was asked whether I could supply a business justification for OpenChain certification. "Business justification," in this case, means will it have any effect on sales. Is there a dollar amount that can be attached to compliance? Have we lost or gained a sale by compliance/certification? Personally, I do not know. Has there been a study that demonstrates tangible business value? Does anyone have experience with a sale that depended on having OpenChain compliance? Or a well-defined Open Source program?
This is an interesting question, and really valid points from Oliver. In any major organization like ours, it is common for the portfolio governance team to get the relevant justifications on the business (financial) value before they make a call to invest in any major initiative/project. When it comes to compliance-related initiatives, it is really difficult to quantify the business value-add in actual dollars.
Here are some thoughts that I would like to share on this. Apart from the legal obligation, compliance can be considered more as an insurance policy for the larger organization that offers protection from potential license-violation-related liabilities/lawsuits and leakage of IP in the future. In addition, having a robust compliance process is fundamental to generating and maintaining the most accurate Bill of Materials (BOM) for a given product, which may improve the corresponding organization's supply chain forecasting accuracy. A stable and well-managed compliance program helps major organizations ensure they do not miss or overpay on their royalty payment obligations, which at times can lead to major financial losses or litigation. So, just to summarize, one may not be able to tag a given dollar amount as the business value-add for having a dynamic and effective compliance program, since it may not be realized accurately in the short term. However, the organization's overall productivity and improved forecasting accuracy are the most certain business values one may realize due to compliance, in addition to legal and liability protection that can't be quantified and may vary from case to case.
Cheers,
Prasad Iyer
Director, Engineering - Product Operations
Email : prasadiy@...
Phone: +1 (408) 315-5101
European Representative
Open Invention Network
+447718516954
If customers are not asking for OpenChain certification, then it is not a must-have feature, i.e. it is not a K.O. criterion that stops your sale.
Then you can only convince your folks that being OC certified lets you position yourself as a premium provider (higher price). The value of your OC certification for customers is that of an exciter feature: it will reduce the costs of their own (customer) compliance activities and the occasional audits they have to perform. So you can charge more money, if you can sell it right. I'm not aware of a study that shows how much customers in supply chains spend on license compliance for their suppliers, but that's the dollar amount you are asking for.
However, I assume that OC will morph into a must-have feature that customers expect from their suppliers. For me the obvious example is the automotive industry. Ten years ago I tried to convince the German OEMs I was working with to lighten their compliance and auditing load by using my services to create such a certification; back then they weren't interested (and I'm just a lonely professor...), but OpenChain really has made big advances here and I think this is the obvious future now.
I guess it will be similar to ASPICE.
Cheers, Dirk
--
Confused about open source?
Get clarity through https://bayave.com/training
--
Website: https://dirkriehle.com - Twitter: @dirkriehle
Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550
A couple of things to keep in mind: OpenChain is an element of a compliance program, which is in turn an element of an open source governance program, and the business justification for OpenChain can be tied to the larger goals for compliance and governance, which will vary by industry. If you embed lots of open source in products you sell, then you are very concerned about license compliance and IP leakage; if you're in a highly regulated environment like financial services, you're more concerned about regulatory compliance, cybersecurity risks and operational maintenance overhead, what I refer to as open source component lifecycle management. When OpenChain conformance is a part of those larger efforts, it is much easier to justify.
Regards,
Andrew Aitken
Global Open Source Practice Leader
in/opensourcestrategy AndrewOSS_Strat
650-704-6321
Sent: Sunday, February 21, 2021 7:18 AM
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value
I agree with the previous statements as well. In addition, it might be hard to find current statements on OpenChain itself due to its relative infancy, especially as an ISO PAS, but Gartner has said a lot over the years about the business value of proper IT Asset Management (ITAM) and Software Asset Management (SAM) governance. ITAM includes SAM, which itself includes Software License Management & Compliance, which itself includes Open Source License Management & Compliance. One of the most commonly used statistics from Gartner (paraphrased) is: 'companies with mature Software Asset Management practices can recognize 30% cost savings in the first year and 5% cost savings in each of the subsequent 5 years' (see G00214140 for the exact language). Gartner has also made several statements on the trend of IT security concerns being the main driver for adopting proper SAM governance programs. An organization can't manage and mitigate what it is not aware of (e.g. the Equifax breach; the congressional report directly blames the lack of knowledge of what software was running in the environment). This is commonly referred to as 'shadow IT', and Gartner states that it expects a third of future cybersecurity breaches to be facilitated by unmanaged shadow IT ('Gartner Predictions for IT Infrastructure and Operations 2016'). So, depending on whether your organization's scope is broader than Open Source License Compliance, you may find additional compelling reasons and statistics. Keep in mind that there is also a family of ISO standards for IT Asset Management: ISO/IEC 19770-1:2017.
Kind regards,
Trent Allgood
ISO/IEC JTC1 SC7/WG21, Secretary
Anglepoint, Director, ITAM
Absolutely, I agree. Actually, in some organizations that have a large product footprint across various business models (on-prem, SaaS, enterprise, managed XaaS, etc.), OpenChain is part of the organization's broader Third Party Assets initiative, which includes not just third-party open source (OS) components but also third-party (TP) commercial assets that need to be regulated and validated for security and compliance. The actual third-party compliance processes are embedded within the product's development life cycle in what can be perceived as a fully integrated 'Dev-Sec-Ops' model that addresses these main goals (not a complete list):
- Early identification of third-party components during the product life cycle (i.e. a 'shift-left' approach to TP discovery)
- Managing/limiting third-party asset data proliferation to improve product security (limiting the attack surface)
- Security reports – these can be used as a feedback source and help to derive quality exit criteria for product shipment
- Product vulnerability reports – there is a growing demand from customers for these and, depending on the industry, they will become much more prevalent in the coming days
- Third-party license compliance – apart from the legal obligation, other aspects including royalty calculation, contract terms and negotiations, and TP external audits play a significant role in building the organization's trust and brand loyalty. There are some studies (such as https://www.sciencedirect.com/science/article/pii/S1877042812045867) that give an idea of how these factors play a role when it comes to customer retention and subscription renewal, which is crucial for any organization that is either transforming to or has already switched fully to an XaaS business model.
Cheers,
Prasad Iyer
Director, Engineering - Product Operations
Email : prasadiy@...
Phone: +1 (408) 315-5101
From: <main@...> on behalf of "Andrew Aitken via lists.openchainproject.org" <andrew.aitken=wipro.com@...>
Reply-To: "main@..." <main@...>
Date: Sunday, February 21, 2021 at 9:20 AM
To: "main@..." <main@...>
Subject: Re: [openchain] OpenChain Certification and Business Value
A couple of things to keep in mind, OpenChain is an element of a compliance program which is in turn an element of an open source governance program and the business justification for Openchain can be tied to the larger goals for compliance and governance which will vary by industry. If you embed lots of open source in products you sell, then you are very concerned about license compliance and IP leakage, if you’re in a highly regulated environment like financial services you’re more concerned about regulatory compliance, cybersecurity risks and operational overhead maintenance, what I refer to as open source component lifecycle management. When Openchain conformance is a part of those larger efforts it is much easier to justify.
Regards,
Andrew Aitken
Global Open Source Practice Leader
in/opensourcestrategy AndrewOSS_Strat
650-704-6321
Sent: Sunday, February 21, 2021 7:18 AM
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value
CAUTION:This email is received from an external domain. Open the hyperlink(s) & attachment(s) with caution.
.
I agree with the previous statements as well. In addition, it might be hard to find current statements on Open Chain itself due to its relative infancy, especially as an ISO PAS, but Gartner has said a lot over the years about the business value of proper IT Asset Management (ITAM) & Software Asset Management (SAM) governance. ITAM includes SAM which itself includes Software License Management & Compliance which itself includes Open Source License Management & Compliance. One of the most common statistics used from Gartner (paraphrased) is: 'companies with mature Software Asset Management practices can recognize 30% cost savings the first year and 5% cost savings in each of the subsequent 5 years' (See G00214140 for the exact language). Gartner has also made several statements on the trend of IT Security concerns being the main driver for adopting proper SAM governance programs. An organization can't manage and mitigate what it is not aware of (e.g. the Equifax breach; the congressional report directly blames the lack of knowledge of what Software was running in the environment). This is commonly referred to as 'shadow IT' and Gartner states that it expects a third of future cyber security breaches to be facilitated by unmanaged shadow IT ('Gartner Predictions for IT Infrastructure and Operations 2016'). So depending on if your organization's scope is more broad than Open Source License Compliance, you may find additional compelling reasons and statistics. Keep in mind, there is also a family of ISO Standards for IT Asset Management: ISO/IEC 19770-1:2017.
Kind regards,
Trent Allgood
ISO/IEC JTC1 SC7/WG21, Secretary
Anglepoint, Director, ITAM
On Sat, Feb 20, 2021 at 9:44 PM Prasad Iyer via lists.openchainproject.org <prasadiy=cisco.com@...> wrote:
This is an interesting question and really valid points from Oliver. In any major organization like ours, it is common for the portfolio governance Team to get the relevant justifications on the business(financial) value before they make a call to invest on any major initiative/projects. When it comes to Compliance related initiatives, it is really difficult to quantify in actual dollars the business value-add.
Here are some thoughts that I would like to share on this -- Apart from the legal obligation, Compliance can be considered more as an insurance policy for the larger organization that offers protection from any potential license violation related liabilities/law suits and leakage of IPs in the future. In addition to this, having a robust compliance process is fundamental to generating and maintaining the most accurate Bill Of Materials (BOMs) for a given Product that may improve corresponding organization’s Supply chain forecasting accuracy. A stable and well managed Compliance program helps major organizations to ensure not to miss or over pay on their royalty payment obligations which at times can lead to major financial losses or litigations. So just to summarize, one may not be able to tag a given dollar amount as the Business value-add for having a dynamic and effective compliance program since it may not be realized accurately in a short term. However, Organization’s overall Productivity and improved forecasting accuracy are the most certain business values one may realize due to Compliance in addition to legal and liability protection that can’t be quantified and may vary from case to case as appropriate.
Cheers,
Prasad Iyer
Director, Engineering - Product Operations
Email : prasadiy@...
Phone: +1 (408) 315-5101
From: <main@...> on behalf of Oliver Fendt <oliver.fendt@...>
Reply-To: "main@..." <main@...>
Date: Saturday, February 20, 2021 at 8:52 AM
To: "main@..." <main@...>
Subject: Re: [openchain] OpenChain Certification and Business Value
Hi Robert,
A couple of things to keep in mind: OpenChain is an element of a compliance program, which is in turn an element of an open source governance program, and the business justification for OpenChain can be tied to the larger goals for compliance and governance, which will vary by industry. If you embed lots of open source in products you sell, then you are very concerned about license compliance and IP leakage; if you're in a highly regulated environment like financial services, you're more concerned about regulatory compliance, cybersecurity risks and operational maintenance overhead, what I refer to as open source component lifecycle management. When OpenChain conformance is a part of those larger efforts it is much easier to justify.
Regards,
Andrew Aitken
Global Open Source Practice Leader
in/opensourcestrategy AndrewOSS_Strat
650-704-6321
From: main@... <main@...> On Behalf Of Trent Allgood via lists.openchainproject.org
Sent: Sunday, February 21, 2021 7:18 AM
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value
I agree with the previous statements as well. In addition, it might be hard to find current statements on OpenChain itself due to its relative infancy, especially as an ISO PAS, but Gartner has said a lot over the years about the business value of proper IT Asset Management (ITAM) & Software Asset Management (SAM) governance. ITAM includes SAM, which itself includes Software License Management & Compliance, which itself includes Open Source License Management & Compliance. One of the most common statistics used from Gartner (paraphrased) is: 'companies with mature Software Asset Management practices can recognize 30% cost savings the first year and 5% cost savings in each of the subsequent 5 years' (see G00214140 for the exact language). Gartner has also made several statements on the trend of IT security concerns being the main driver for adopting proper SAM governance programs. An organization can't manage and mitigate what it is not aware of (e.g. the Equifax breach; the congressional report directly blames the lack of knowledge of what software was running in the environment). This is commonly referred to as 'shadow IT', and Gartner states that it expects a third of future cyber security breaches to be facilitated by unmanaged shadow IT ('Gartner Predictions for IT Infrastructure and Operations 2016'). So depending on whether your organization's scope is broader than Open Source License Compliance, you may find additional compelling reasons and statistics. Keep in mind, there is also a family of ISO standards for IT Asset Management: ISO/IEC 19770-1:2017.
Kind regards,
Trent Allgood
ISO/IEC JTC1 SC7/WG21, Secretary
Anglepoint, Director, ITAM
On Sat, Feb 20, 2021 at 9:44 PM Prasad Iyer via lists.openchainproject.org <prasadiy=cisco.com@...> wrote:
This is an interesting question and really valid points from Oliver. In any major organization like ours, it is common for the portfolio governance team to get the relevant justifications on the business (financial) value before they make a call to invest in any major initiative/project. When it comes to compliance-related initiatives, it is really difficult to quantify in actual dollars the business value-add.
Here are some thoughts that I would like to share on this -- Apart from the legal obligation, compliance can be considered more as an insurance policy for the larger organization that offers protection from any potential license-violation-related liabilities/lawsuits and leakage of IP in the future. In addition to this, having a robust compliance process is fundamental to generating and maintaining the most accurate Bills of Materials (BOMs) for a given product, which may improve the corresponding organization's supply chain forecasting accuracy. A stable and well-managed compliance program helps major organizations ensure they do not miss or overpay on their royalty payment obligations, which at times can lead to major financial losses or litigation. So just to summarize, one may not be able to tag a given dollar amount as the business value-add for having a dynamic and effective compliance program, since it may not be realized accurately in the short term. However, an organization's overall productivity and improved forecasting accuracy are the most certain business values one may realize due to compliance, in addition to legal and liability protection that can't be quantified and may vary from case to case as appropriate.
Cheers,
Prasad Iyer
Director, Engineering - Product Operations
Email : prasadiy@...
Phone: +1 (408) 315-5101
Hey hey!
I've been following this discussion now for a while and I'd like to add my 50 cents to it.
As I understood it, it is currently hard for some to get a grip on the business value of an OpenChain certification, or even the value of an OpenChain-compliant program?
I think Oliver's initial question states it quite clearly: "What is the business justification not to breaking the law?" I'd like to add: what is the business value of being sure that you don't violate legal rules by accident? If you violate the license obligations of the components you use in your product, regardless of whether you did it on purpose or out of ignorance of the obligations, you simply have no legal right to sell your product anymore - as you never had the right to do so anyway. This means all your investment to develop your product, all production costs you had for manufacturing, shipping etc. - you could have burnt that money; you are definitely not getting any revenue out of your product anymore. You might even have costs for the legal proceedings and charges, compensation payments to the rights holders, maybe even costs for the disposal of your now useless product. Maybe even damage compensation for your customers, as they also cannot use your product anymore in their products. As Oliver already stated, the value for sure is "less damages, settlements and lawsuits => cost reduction."
And thinking of the OpenChain-compliant program as a risk management measure clearly shows that this risk must be managed in your complete supply chain. And this will lead to the question of how to prove to your business partners that you are compliant - and likewise how to ask for compliance evidence. So there you have the value of certifications - it is standardized evidence that you are compliant.
So there is a clear value in certifications. Which of the three certification models offered by OpenChain is the most valuable for your business case is up to you. Usually that is a matter of trust - if you know your partners quite well you will be OK with self-certification. It becomes more complicated if you want to demonstrate your compliance to a bigger audience, be it in concrete sales discussions or to position your product or services on the market. As already stated by Dirk, this could help a positioning as a premium provider on the market. And there might come the day that compliance to OpenChain will be a fixed staple in every RFQ, like A-SPICE is now in certain markets.
Anyway: @Dirk Riehle: regarding "The missing part seem to be the certification agencies (and their assessors). The people who drove forward the TUEV certification mark have left; not sure much is going on there. Any other agencies?" - Yes, we have left, but we have now established a cooperation with our ex-colleagues at TÜV SÜD to support them to continue with the OpenChain 3rd party certification - so if anybody is interested in getting a TÜV mark on their compliance activities, please feel free to contact me, I'm still the main driver of their 3rd party certification. And regarding your question of an ISO standard on how to set up certification agencies - it's ISO/IEC 17065:2012. That's the one you can go for, e.g. by asking the DAkkS for accreditation. In addition to this accreditation, the value of the certificate you issue as a certification body will still only be as valuable as the level of trust the market has in your certification brand.
The question that's coming into my mind now is: How can we establish trust in the assessment and certification programs? How can we ensure the quality of Independent Compliance Assessment and OpenChain 3rd party certifications? The certification based on the standard can be done by everybody, but does anybody see a value in having something like an "OpenChain project accredited Assessment Partner"? Or a training and personal certification program for OpenChain assessors, similar to what's there for A-SPICE?
Maybe it's worth discussing this all in one of our regular calls?
BR,
Nicole
All, fantastic discussion thus far. I am jumping in at Trent’s email because it touches on a strategic development and - indeed - target for the project.
Today open source exists both inside the practice of SAM but somewhat dislocated from the discussion. Open source is sometimes perceived as different from “normal” software, and therefore potentially possessing some risk that stands apart. This potential perception, naturally, runs against the streams of the industry itself, whereby open source is embedded into the fabric of all software deployment today.
The fate of open source is rightfully in SAM, and ISO 5230 is a significant step towards this clear normalization of open source compliance in this manner. Adjacent to this we see other initiatives, most notably SPDX - provisionally due as an ISO standard around June - and advanced discussions with automation vendors and open source tooling projects regarding transparent interoperability.
The OpenChain Project has no specific insight into any business plan or decision by any company (naturally), but we do have insight into the trends unfolding. The quip that ISO 5230 can replace 12 pages of bespoke contract language (and work better) is growing closer to a crescendo. The standard is also being applied in production to assist security, export control and M&A. The uptick of enquiries from suppliers thinking about sales optics is noticeable since graduating from ISO.
My baseline prediction is that ISO 5230 will enter a substantial number of purchasing negotiations this year, with the majority probably offering a preferred status, and a minority leaning towards a required status. These metrics will adjust with bias towards requirements in 2022.
Meanwhile, the project will collaborate with experts in the SAM space, both user companies and vendors, to place ISO 5230 in a clear context with all the other standards companies use for effectiveness, from ISO 9001 through to ISO 26262. We will seek to become as boring as possible as quickly as possible, a reflection of ensuring OpenChain is the solution adopted with as little disturbance but as much benefit as possible.
Regards
Shane
Jan Thielscher
T: +49 69 153 22 77 55
F: +49 69 153 22 77 51
EACG GmbH
Enterprise Architecture Consulting Group
Taunus Tor 1 (TaunusTurm), 60310 Frankfurt am Main
Handelsregister Frankfurt am Main HRB 84852
Geschäftsführer: Jan Thielscher, Dr.-Ing. Stefan Pokorny
MASTERING DIGITAL TRANSFORMATION - GET THE eBOOK: https://www.eacg.de/ebook
Am 22.02.2021 um 19:14 schrieb Robert via lists.openchainproject.org <Rob_marion=protonmail.com@...>:
Thank you to Shane and everyone who took the time to respond to my question.
I would like to clear one thing up. When I asked to justify compliance with the ISO standard from a business perspective, I did not mean to imply that my organization does not comply with open source licensing issues or that we do not have an internal program for making sure we are in compliance. We certainly do. Also, I believe everyone on this mailing list is, in some way, involved in Open Source compliance so I think we are mostly on the same page as to the need for compliance from a legal and ethical perspective.
From a business perspective, however, if I want to show data (and some data has been quoted in the replies to my original question -- thanks). Showing data in any compliance related effort is challenging. Furthermore, the amount of effort it takes to produce the data may exceed the amount of effort to simply implement ISO compliance. I smell a research paper.
On Feb 23, 2021, at 1:42, Mattran, Mary <mary.mattran@...> wrote:
To me, this is a strange answer. My company is not OC compliant, but we certainly have been taking compliance seriously and have much in place to support that commitment in the form of compliance reviews. So, we don't break the law. OC Compliance is not a law. It is a standard for having a robust compliance program. If you already have ways of ensuring you are not violating licenses/law, the question is "what value does it have for me to go the extra mile to become OC compliant?" An important question for companies to answer.
My company supplies automotive subsystems to auto manufacturers. The auto manufacturers are starting to ask about our plans to be OC compliant. It is a business-to-business question, and easier for us to answer. If I am a customer looking for COTS, I am likely not going to ask if the SW is OC Compliant, so it may have no business value to that vendor to take the extra steps to OC compliance.
Shane, to your point, having been involved in building or advising on over 50+ governance programs, one area of weakness we consistently see is around supply chain management. Many organizations set up sophisticated processes, tooling and automation to manage code they build and deploy and only give a passing thought to code ingested or embedded and deployed in their products from 3rd parties.
Regards,
Andrew Aitken
Global Open Source Practice Leader
in/opensourcestrategy AndrewOSS_Strat
650-704-6321
Sent: Thursday, February 25, 2021 2:07 AM
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value
Thanks Mary. An important point.
Many companies have existing and effective measures in place to address open source compliance. OpenChain does not invalidate or forcibly replace these measures, but it does provide a unified method for approaching the problem space moving forward.
Because OpenChain is particularly useful in the context of supply chain management - both base compliance and in ensuring harmonized process approaches - it offers the potential offer greater effectiveness and efficiency than bespoke approaches. This is a key driver to our observed engagement and growth.
The bias in expressing business values tends to be towards reduced resource cost (less time on bespoke approaches and governance) with increased speed (faster problem analysis and remediation).
I do aim to have case studies unfolding over this year providing metrics, though in the specific context the % gained for ISO 5230 is still being unpacked due to its newness to market.
We will have a mini-summit shortly. Perhaps we can take an hour for existing conformant companies to talk about their derived business value?
Regards
Shane
On Feb 23, 2021, at 1:42, Mattran, Mary <mary.mattran@...> wrote:
Hello Aitken,
Thank you for pointing this out. I can underline this experience as well.
My suspicion is that project ownership and traditional corporate structures are root causes of this.
We try to organize projects from the beginning as corporate change projects. This does not make them easier to sell, but it sets the right expectations at sponsor level. When starting a project initiated in corporate legal, you may succeed in IT / Dev but might fail in corporate purchasing, or later in HR when it comes to adjusting developer contracts concerning contributions…
Thus I would suggest framing it from the beginning as a corporate change.
Best regards
Jan
From: <main@...> on behalf of "Andrew Aitken via lists.openchainproject.org" <andrew.aitken=wipro.com@...>
Reply to: "main@..." <main@...>
Date: Thursday, 25 February 2021 at 15:36
To: "main@..." <main@...>
Subject: Re: [openchain] OpenChain Certification and Business Value
Hi Jan,
I take your point on corporate change, and thank you for highlighting change management as one of the critical issues. In my experience, I've seen many enterprises struggling with their change management challenges while technology is continually changing. During the rise of regulation and linear software development, enterprises tended to demonstrate that they had fully auditable IT controls and regulated releases into production systems. Therefore, they adopted a rigorous and sometimes entirely inflexible IT change management process. Some of the best practice frameworks, such as ITIL, call for creating a responsible team (a change advisory board) to assess requests for change against risk and their impacts, and to avoid collisions. The purpose of this is to balance the stability of the enterprise against innovation. However, this traditional approach to change management created several challenges, such as increased overhead costs and, more importantly, frustration for development and operations teams. So, instead of change management being an enabler, it became a constraint.
The open source software compliance regime may not fit smoothly into the RFC (request for change) process in many enterprises, and creates a pain point for development, operations and security teams. Thus, open source compliance is seen as unmanageable and a detriment to the business.
I think it is time for some changes in the change management approach!
Warm regards,
Reza
Sent: 25 February 2021 16:07
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value