The JISC OSS Watch service are running a workshop on “Risk Management in Open Source Procurement” which Ross Gardler describes in a blog post on the OSS Watch Team blog.

The background to this event, which will be held in Oxford on 18 March 2008, is described in an article on open source in HE and FE published in the October 2007 edition of JISC Inform in which Ross suggested that:

There is often a lack of understanding about how best to consider OSS as part of institutional IT procurement and development activities. Ross Gardler, manager of the HE and FE advisory service for open source software, believes such issues can be explained by difficulties surrounding evaluation techniques.

‘There often isn’t an established marketing department that will take you out for lunch and smooth talk you about the potential benefits, like there is with a commercial provider,’ he says.

I can recall that about 10 years ago there seemed to be a feeling that having source code available under an open source software licence was sufficient to guarantee sustainability of software. But you just have to look at examples such as the ROADS software which drove a number of what are now known as the Intute hubs. Looking at the graveyard of many open source software projects which fail to be sustainable in the long term, you’ll find an area for ROADS. We do need to do the risk analysis and risk management.

So I’m pleased to see that OSS Watch are running a workshop which will cover the risks associated with procurement of open source software. In his blog post Ross goes on to describe how the OSS Watch service “provide[s] one-to-one consultancy services to help people understand how to evaluate open source and open source providers using frameworks such as the Business Readiness Rating and the Open Source Maturity Model.” The workshop will provide an opportunity for OSS Watch to share their expertise with a wider community.

Of course, risks aren’t only associated with open source software – there are risks associated with use of proprietary software. And also, it needs to be said, use of externally-hosted Web 2.0 services – as we saw recently with the recent downtime of the Amazon S3 service which affected other services including Twitter.

This doesn’t mean, however, that we shouldn’t use externally hosted Web 2.0 services – or, indeed, open source software. Similarly the recent crash of the Northern Rock Bank doesn’t mean that we should withdraw our savings and stuff the cash under our mattresses!

I suspect that a workshop on “Risk Management and Web 2.0” would be popular. I’ve posted previously on Your Views On Externally-Hosted Web 2.0 Services back in September 2007. But, apart from the risk assessment documents which have been produced at the universities of Oxford and Edinburgh, have any other institutions published anything in this area?