I blogged a couple weeks ago about the OpenLogic-hosted panel at OSBC consisting of three enterprise visionaries sharing advice on creating open source policies and managing open source risks.  In Part 2, I wanted to share the highlights from their advice on open source policies.

Policies should address acquisition, usage and contributions of open source

Jon Stumpf, AIG: “The policies that you need to create need to address three distinct buckets: the acquisition of the technology, governing what you will do with open source technology inside your company, and the rules by which you will give back to the community.”

Repositories are important

William Hurley, BMC:  “I would say the most important thing around policy is having some sort of central repository for all of this knowledge and information that is easily accessible so you have a policy that empowers the individuals to adopt open source and drive things forward.”

Make your approval processes repeatable 

Tim Golden, Bank of America: “A [policy] review board has to learn to ‘templatize’ their behavior. If they’ve done a pattern once, then that pattern has to be wholly applicable to everything that comes afterward.”

William Hurley, BMC: "You also should have a way of keeping track so that you don't get a lot of situations where the same thing is created over and over again."

Leverage existing processes where you can

Jon Stumpf, AIG: "In dealing with the minor variations that open source brings, the majority of the processes you’re supposed to have will suit you well when bringing new technology in.  We don’t have a specific open source review board…. We forced open source into the processes that we had. Looking at open source as a being technology that will flow through these processes will tend to expose gaps or deficiencies in the processes you have for closed source. It actually helps improve those processes. Using the processes we had was more cost effective.

Create lightweight processes that can scale

Tim Golden, Bank of America: “Something that looks really good on paper doesn’t exactly scale in reality. As you’re writing the policy, if you want to save yourself two or three downstream revisions, you really need to be thinking about the greater context and whether your policy can scale.”

Don't forget the lawyers

Tim Golden, Bank of America: “You need legal advice through all of this. If you have a bunch of technologists sitting around creating a policy and they think they are doing the right thing and they think they are acting on behalf of the legal department, when you actually go to enact the policy, the lawyers are going to show up and you’re going to slow down. Have a process where lawyers are engaged, early and often, and you usually have a much better outcome.”

Thanks to Tim, Jon and Bill for sharing their experience.