Managing project risk when using open source
Software Failure
• Sainsbury's wrote off $526M invested in supply-chain automation
• Hershey unable to fulfil $100M of orders due to failure of a $112M IT system
• 60,000 pensions and benefits claims unprocessed in the UK due to IT failure on a budget of £413M
• Sift (UK SME) wasted £1M on cancelled IT rewrite
Source: http://lessons-from-history.com/node/89
It should only cost 7p
• Proper
• Planning
• (and) Preparation
• Prevents
• Piss
• Poor
• Performance
Source: British Army
Ross Gardler
• Co-founder of OpenDirective
• Consultancy specialising in open innovation of software
• Open source developer since 1995
• Executive Vice President of The Apache Software Foundation
• Mentor to projects large and small
• in companies large and small
Managing risk
• Emphasis on MANAGING
• Need to:
1. Understand common risk factors
2. Evaluate candidates against those factors
3. Understand risk management strategies
4. Allocate project resources to manage risk
5. Repeat
Common Open Source Risk
Legal
• Does the licence allow you to…?
• Can the software be released under that licence?
• Can you release your software under the chosen licence?
• Are there fees associated with the software?
• Are contribution terms acceptable?
• Can the software be bought up and withdrawn?
Standards
• Does the software play nicely with other software?
• Can you move away from the software?
• Are the standards used encumbered?
• Who owns and manages the standards?
• Can you influence the standards?
Knowledge
• Can your people work with the software?
• Can your people or sub-contractors adapt the software?
• Can you add to the knowledge?
• Is there a restricted group that controls critical project information?
• Is there a paywall to critical information?
Governance
• Can the project pivot without your knowledge?
• Can you influence project strategy?
• Can your interests be blocked?
• Is the playing field level?
• Will your contributions be accepted?
• Will contributions be managed for the good of the project?
Market
• Are there (potentially) multiple suppliers?
• Can newcomers enter the market with new product/services?
• Does one supplier have an unfair competitive advantage?
• Do the majority of project committers work for a single company?
• Is there a supplier who understands your market?
Measuring risk
Apache project
• Labs: high risk
• Incubator: at your own risk
• Top level projects: managed risk
• Attic: at your own risk
What does the incubator do?
• Community development
• Ensure the project is governed according to the Apache Way
• No benevolent dictators (BDs)
• Clean IP
• Supportive and open community
• Etc.
What if it’s not an Apache project?
• Openness Rating
  • Evaluates development model
  • Identifies areas of potential risk
  • Plan for risk management
  • One part of a larger evaluation process
• Software Sustainability Maturity Model
  • In addition to development model evaluation:
  • Fitness
  • Reusability
  • Capability
Evaluating Openness
More open projects = more flexibility for users
Conducting an openness evaluation
• Series of questions in five categories:
  • License
  • Standards
  • Knowledge
  • Governance
  • Market
• Decide on acceptable risk profile
  • Weight categories of evaluation
  • Weight individual questions
Result is a “score”
• Quantitative evaluation
• Numbers are indicators only
• Need to ensure consistency in the evaluation responses
• Low scores indicate areas of risk
• Compare risk across different alternatives
• Invest resources to mitigate risk?
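The scoring procedure above (weighted questions inside weighted categories, a normalised score per category, low scores flagged as risk areas, alternatives compared) as a worked example, together with one Market question from the earlier list ("Do the majority of project committers work for a single company?") answered from evidence rather than opinion. This is an added illustration, not the Openness Rating tool or the SSMM; the question bank, the weights, the three-point answer scale, the risk threshold, the concentration thresholds and the two candidate projects with their committer lists are all assumptions constructed for this example. Only the category names and question wording come from the slides.

```python
"""Weighted openness rating: an added example, not the Openness Rating tool.

Question bank, weights, thresholds and both candidate projects are assumptions
made for illustration; only category names and question wording follow the slides.
"""
from collections import Counter

CATEGORIES = ("License", "Standards", "Knowledge", "Governance", "Market")

# Assumed three-point answer scale: 2 = answer favourable to the adopter,
# 1 = partly, 0 = unfavourable or unknown.  "Favourable" is judged from the
# adopter's side, so a "no" can score 2 (e.g. no single company dominates).
FAVOURABLE = 2

# Assumed question bank: {category: {question: weight within the category}}.
QUESTIONS = {
    "License": {
        "Can you release your software under the chosen licence?": 2.0,
        "Are contribution terms acceptable?": 1.0,
    },
    "Standards": {
        "Can you move away from the software?": 1.0,
        "Are the standards used encumbered?": 1.0,
    },
    "Knowledge": {
        "Can your people work with the software?": 1.0,
        "Is there a paywall to critical information?": 1.0,
    },
    "Governance": {
        "Can you influence project strategy?": 2.0,
        "Will your contributions be accepted?": 1.0,
    },
    "Market": {
        "Are there (potentially) multiple suppliers?": 1.0,
        "Do the majority of project committers work for a single company?": 2.0,
    },
}
COMMITTER_Q = "Do the majority of project committers work for a single company?"

# Assumed category weights expressing one adopter's risk profile.
CATEGORY_WEIGHTS = {"License": 3, "Standards": 1, "Knowledge": 2,
                    "Governance": 2, "Market": 2}

# Constructed evidence: distinct committer e-mail addresses for two
# hypothetical projects (in practice: git log --format=%ae | sort -u).
COMMITTERS_A = ["ann@bigco.example", "bob@bigco.example", "cy@bigco.example",
                "dee@bigco.example", "eve@indie.example"]
COMMITTERS_B = ["fay@aco.example", "gus@aco.example", "hal@bco.example",
                "ida@bco.example", "jo@cco.example"]


def committer_concentration(emails):
    """(most common e-mail domain, share of distinct committers using it)."""
    distinct = set(e.lower() for e in emails)
    domains = Counter(e.rsplit("@", 1)[-1] for e in distinct)
    top, count = domains.most_common(1)[0]
    return top, count / len(distinct)


def answer_from_concentration(share):
    """Map concentration evidence to the answer scale (assumed thresholds:
    >= 80% of committers at one company scores 0, a simple majority 1)."""
    if share >= 0.8:
        return 0
    if share >= 0.5:
        return 1
    return FAVOURABLE


def category_score(answers, questions):
    """Weighted mean of a category's answers, normalised to 0..1;
    an unanswered question counts as 0 (unknown is risk)."""
    earned = sum(answers.get(q, 0) * w for q, w in questions.items())
    return earned / (FAVOURABLE * sum(questions.values()))


def openness_rating(answers_by_category, category_weights=CATEGORY_WEIGHTS):
    """Return (overall 0..1 score, {category: 0..1 score})."""
    scores = {c: category_score(answers_by_category.get(c, {}), QUESTIONS[c])
              for c in CATEGORIES}
    total = sum(category_weights[c] for c in CATEGORIES)
    overall = sum(scores[c] * category_weights[c] for c in CATEGORIES) / total
    return overall, scores


def risk_areas(category_scores, threshold=0.5):
    """Categories below the (assumed) threshold are where resources go."""
    return [c for c in CATEGORIES if category_scores[c] < threshold]


def rank_candidates(candidates):
    """Rank {name: answers_by_category} by overall rating, best first."""
    rated = {name: openness_rating(ans) for name, ans in candidates.items()}
    return sorted(rated.items(), key=lambda kv: kv[1][0], reverse=True)


def candidate_answers():
    """Constructed answer sheets for the two hypothetical projects; the
    committer question is filled in from the e-mail evidence above."""
    q = {c: list(QUESTIONS[c]) for c in CATEGORIES}
    return {
        "Project A": {
            "License": {q["License"][0]: 2, q["License"][1]: 2},
            "Standards": {q["Standards"][0]: 2, q["Standards"][1]: 1},
            "Knowledge": {q["Knowledge"][0]: 1, q["Knowledge"][1]: 1},
            "Governance": {q["Governance"][0]: 1, q["Governance"][1]: 0},
            "Market": {q["Market"][0]: 2, COMMITTER_Q:
                       answer_from_concentration(committer_concentration(COMMITTERS_A)[1])},
        },
        "Project B": {
            "License": {q["License"][0]: 1, q["License"][1]: 2},
            "Standards": {q["Standards"][0]: 2, q["Standards"][1]: 2},
            "Knowledge": {q["Knowledge"][0]: 2, q["Knowledge"][1]: 2},
            "Governance": {q["Governance"][0]: 2, q["Governance"][1]: 2},
            "Market": {q["Market"][0]: 1, COMMITTER_Q:
                       answer_from_concentration(committer_concentration(COMMITTERS_B)[1])},
        },
    }


if __name__ == "__main__":
    for name, (overall, scores) in rank_candidates(candidate_answers()):
        print(f"{name}: {overall:.2f}  risk areas: {risk_areas(scores) or 'none'}")
```

Two design points matter for consistency of responses: an unanswered question scores 0, so "we didn't check" reads as risk rather than as a pass, and any question that can be answered from evidence (here the committer-employer split) is answered by the same function for every candidate instead of by a reviewer's impression. With these inputs Project A scores about 0.61 with Governance and Market flagged, Project B about 0.87 with nothing flagged; the numbers are only indicators, but the flagged categories are where the mitigation budget goes.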
Layered evaluation
• SSMM: maturity of project
• Openness Rating: freedom to engage
• Openness categories: areas in need of attention
• Specific questions: actions
The Categories
License
• What kind of license?
• IP due diligence
• Traceability
Standards
• Standards compliance
• Openness of standards used
• Royalty or Patent requirements
• Recognised governance body
Knowledge
• How we got here
• Where we are going
• User support
• Developer support
Governance
• Structure
• Succession
• Codes of behaviour
• Transparency
• Accountability
• Who can participate
• Roles of project participants
Market
• Money makes the world go round
• Money pays for developers
• Money raises awareness
• Money provides better user support
• Is there a healthy commercial ecosystem?
Can I use it?
• In constant development
• Use it and help us improve it
• Open Content (CC-BY-SA)
• Mail me at [email protected] for a copy
• The sales pitch
• 1, 2 and 4 day training
• Consultancy services
Discussion
• Ross Gardler
• @rgardler
• [email protected]