Step One:
Create an internal advisory team and management objectives
Advisory Team
Management must create a cross-functional governance team to formulate and implement compliance policies and to take
responsibility for audits and other due diligence matters.
Members of the team should be chosen for their communication skills and their interest in the subject matter. They should be willing
to have others seek their advice. It is reasonable to have the team headed by someone with an audit or accounting background. Other
members of the team may include developers, managers, and administrators who represent the people subject to the compliance regime. While
legal issues touch many aspects of compliance, whether to include an attorney as a member of the team remains an open question.
In organizations, people are understandably concerned about their job performance, their relationships with co-workers and a multitude of
other work pressures. Organizations that are serious about governance must therefore create an environment that is free from conflicts of
interest. It makes sense to establish a small team of people who represent the developers, since the developers are the ones who will have to implement and abide
by the compliance rules. Managers from other parts of the business can also participate on the team. Someone with a systems integration
background is needed to advise the team on productivity tools, databases and business process development. Allow the team to propose
the policies and procedures they deem workable as representatives of the users. Consider using lawyers as external advisors, like other
consultants, rather than as primary team members. Allow auditors and specialists, including legal counsel, to give recommendations
to the team, provide audit data, and refine and approve policy proposals rather than establishing them.
Management Objectives
Executive management is responsible for protecting the assets of the organization. In many
organizations, those assets include intangibles such as software, data and processes. Every software vendor and most hardware
vendors need a comprehensive software governance program.
Being proactive about open source compliance can facilitate business with customers, reduce the risk of litigation, increase an
organization's valuation, remove financing impediments, and prepare an organization for acquisition. Executive management is
responsible for setting priorities and for controlling costs and risks in general. By comparison, the compliance advisory team is
responsible for creating the actual policy, engaging specialists, implementing processes, measuring compliance, and taking corrective
action when needed.
When surveying the organization's current state of software governance, executive management should assign a grade using the following
guidelines:
Incomplete - Software tracking activities are ad hoc and typically triggered only by a need to involve counsel or purchasing in
contract review or in qualifying a vendor. Rules, if any, are based on institutional knowledge. Processes lack consistency across
developers, are undocumented, and invariably lapse.
Improvement Needed - Problems and gaps have been identified. Processes are proposed or being implemented. Cooperation from developers
is well underway. Compliance and license review are taken seriously. Management is making the necessary investment of time and money.
Satisfactory - Processes are in place and working. The compliance team, management and engineering staff are in agreement. Developers
are properly trained on the policies and given incentives to follow them. Productivity tools are functional and accessible. Procedures are
broadly adopted and enforced.
Step Two: