Cultivate Your Governance: Understanding OSPOs

Tuesday, October 15, 2024 - 12:37 by Florent Zara

This is the first blog post in a series about OSPOs.

An Open Source Program Office, aka OSPO, is the accepted name given to a designated group within an organisation that manages the use of open source software (OSS). Whether it is a dedicated team or a virtual team, the office is tasked with developing and implementing strategies and policies that maximise the benefits of open source engagement while managing risks. OSPOs usually serve as the central point of coordination and support for all open source activities, including consumption of and contribution to open source projects, as well as fostering community engagement.

You can see the OSPO as a kind of gardener nurturing a community (open source) garden, ensuring that everyone is following the rules, keeping the plants — your open source projects — healthy and ensuring the shared tools and resources are maintained and available to everyone.

Let’s have a closer look at our gardener's main missions:

  • Cultivate: Just as a gardener cultivates plants, an OSPO promotes the adoption of, and contribution to, open source projects within the organisation.
  • Maintain: In the same way a gardener ensures the garden remains healthy by pruning plants, removing weeds, and addressing pests, an OSPO ensures the health of the organisation's open source involvement by managing compliance with open source licences and addressing security vulnerabilities.
  • Harvest: Leveraging the innovations derived from open source for competitive advantage, akin to harvesting fruits and flowers.
  • Engage with communities: Building and nurturing relationships with the broader open source community, which is vital for the cross-pollination of ideas and innovations.

Our OSPO gardener has to be multi-skilled, but in practice it is more like a multidisciplinary team. Its composition varies by organisation, but it typically includes roles such as:

  • Program Manager who oversees the OSPO's activities and strategies.
  • Legal Advisor who ensures compliance with licences and legal obligations.
  • Security Expert who safeguards open source components against vulnerabilities, helps secure the software supply chain and manages risks associated with integrating open source software.
  • Technical Leads, who are usually open source champions, provide guidance on technical aspects and integration of open source software. They’re often tasked with managing relationships with the open source community and internal developers.

Our gardeners may get ad hoc help from the communication department and human resources on a specific topic.

More Than Just a Compliance Office

These roles work together to ensure that the organisation's open source activities are sustainable and beneficial. At the same time, it's important to understand that an OSPO is not just a compliance office or a side project coordinator. It is a strategic asset that integrates open source software into the core business processes and innovation pipelines. An OSPO is not merely about avoiding legal issues; it's about actively engaging and giving back to the open source community.

An organisation might consider establishing an OSPO when it reaches a level of open source activity that requires formal management. This is particularly important when:

  • The organisation uses open source extensively across multiple projects.
  • There is a need to ensure compliance with diverse licensing requirements.
  • The company wants to influence open source communities or drive certain projects.

For smaller organisations or those with limited open source involvement (which is becoming a rarity these days), establishing a formal OSPO may not be necessary. In these cases, open source activities can be managed with existing resources through a “virtual OSPO” rather than a dedicated office: open source champions stepping up to influence and help their organisation make the right decision. Organisations should evaluate their level of open source engagement and the complexity of their needs before deciding to set up an OSPO.

TL;DR

To sum up, like our gardener who ensures that the garden is healthy, vibrant, and productive, an OSPO plays a critical role in managing an organisation's open source ecosystem. Whether your organisation needs such a gardener depends on the scale and nature of your open source activities. As open source continues to grow in importance, the role of the OSPO is becoming more crucial in ensuring that organisations reap the maximum benefits from their open source engagements.