In the wake of Hurricane Irene, National Public Radio ran a piece on the challenges of risk management. Government officials, right up to the President, took heat for overblowing the potential danger, whereas surely they'd have been vilified if things had gone the other way and people had died due to insufficient warning. Don't get me started on the riskless society. The public's reaction reminds me of when my youngest was four and I chided her about how dangerous it was to run into a parking lot without looking. "But I didn't get hit by a car," was her reaction.
So, your company develops software and you have legitimate concerns about loose open source management practices. How do you, on one hand, get people's attention so that the company can manage risks, and on the other, avoid the appearance of fear-mongering? It's a challenge the Black Duck (my employer) marketing group faces every day. I don't know that we've completely cracked the code, but here are some thoughts:
Don't be a "negative Nancy" - Similar to the conventional wisdom on giving feedback to kids or colleagues: "Here's what I like about what you did; here are areas that could be improved." Always emphasize first the big benefits of open source, and that the reason to manage risks is so that the company can continue to enjoy those benefits.
Associate with the mainstream - Communicate that having policies and procedures for managing risk is a normal part of doing business. (That's what Sarbanes-Oxley is about.) Managing how open source is used in software development is just another process, like managing requirements, quality, security or issue tracking.
Don't go it alone - A sole voice is lonely. Chicken Little would have done well to line up Ducky Lucky or Turkey Lurkey to support her position, or should have relied on some industry experts. I remember Jim Zemlin, the executive director of the Linux Foundation, as part of introducing the Open Compliance Program, flashing a slide that listed all open source lawsuits and wagging a cautioning finger. My colleague, Peter Vescuso, and I both reacted that neither of us could get away with it, but Jim is so well-established as an open source supporter that it was taken as sage advice, not FUD.
Know your stuff - One erroneous claim or bad fact can undercut an otherwise cogent argument. Whether it's legal, security or operational risks you are discussing, don't go beyond what you can substantiate and explain.
So, be a knowledgeable supporter of open source and find respected allies to help you protect your organization's ability to leverage this great resource.