2025-03-10, Auditorium
We introduce a publicly available capability model for assessing how well an organisation manages FOSS compliance risk. Developed in conjunction with both the OpenChain project and businesses that actively use FOSS, and based on ISO 5230:2020, the model provides an intuitive and practical framework for assessing FOSS risk and for developing a roadmap to improve its management.
The Education Workgroup of the Linux Foundation’s OpenChain project has developed a capability model that enables an organisation's leadership to assess how good they are at managing FOSS risk and compliance across complex supply chains. This model was developed to help people and organisations share and learn from best practice techniques rapidly.
It enables organisations to take a quick snapshot across all their open source operations and decide where they need to focus next to strengthen their governance and capabilities, and it can be used to develop a roadmap for improvements. It is based on the industry-proven ISO 5230:2020 (the OpenChain standard for a quality open source compliance program).
The model looks at three main layers of organisational capability: governance and strategy; enablement and performance management; and technical delivery. The model has been used in practice with large and small organisations, and tested across a wide range of technologies and open source projects.
This talk introduces version 1.0 of the model, which is free to use, modify, remix and adopt and is released under a CC0 licence. While the model is already proving useful to the businesses that adopted it during the testing phase, we have a number of ideas about how it can be improved and extended.
Accordingly, we are looking for consultation and contribution from others. We are seeking wider collaboration to develop focused heat maps that demonstrate how to solve particular challenges: for example, AIBOMs, CRA compliance, security and vulnerability management and assessment, and toolchain automation.
Stephen Pollard – Director & FOSS management advisor.
Stephen is a director at Orcro Ltd. His skillset and experience are focused on the capabilities needed to put new strategies into action. Stephen advises clients on how to achieve their strategic goals and acts as a partner in helping drive through change. Originally a systems architect, Stephen has been a technology management consultant for over 30 years.
He leads the development of the OpenChain capability model, which is the focus of this presentation.
Andrew Katz is a lawyer who has been practising in open source and other open technologies for over 30 years. He is on the core drafting team of the CERN Open Hardware License, drafted the Solderpad Hardware License, and has advised companies, foundations, projects, academia and governments on open source and open technology issues worldwide.
He founded and runs the FOSS consultancy Orcro Limited, as well as continuing his legal practice as a consultant at leading London IP law firm Bristows LLP, where he heads the firm's open source specialist group.
He is heavily involved in the Linux Foundation's OpenChain project, where he heads the UK Workgroup and the Education Workgroup. He wrote the OpenChain template Open Source Policy, which has been translated into multiple languages.
He regularly speaks at conferences internationally, and his client base is worldwide. He is a visiting researcher on open technologies and standards at the University of Skövde in Sweden, and a visiting lecturer at Queen Mary, University of London. His work has been published by Oxford University Press, Springer and Edinburgh University Press. He is co-author (and lead of the open hardware section) of the major European Commission publication on the impact of open source software and hardware on the European Union, published in 2021.
Sascha Pudenz helps organizations implement governance, processes, and technology for Open Source compliance management and IT asset management systems. He has been advising private and public sector organizations of all sizes for over 12 years. As a team member of Deloitte's Extended Enterprise practice, he identifies, assesses and manages the risks that organizations face from external business relationships, such as license agreements.