Leveraging FOSS is an attractive proposition, yet managing FOSS and licensing obligations is often an after thought. Business risks and negative branding impacts are ignored, or willingly glimpsed upon, when an organization is in startup mode, however in larger companies and organizations, no lines of code should be pushed upstreamed or shipped with product unless, development shouldn’t even begin unless a comprhensive and state of the art FOSS license compliance policy and practice is in place. So do you go about building a new one, when none exists yet. Which standard do you look at? Which best practices do you follow? What processes do you build to make sure that the policy ultimately folllows the busines needs while mitigating risks as opposed to blocking business completely?