[Governance] [Owasp-board] Bylaw Update Discussion - Board Member Confidence

Fabio Cerullo fcerullo at owasp.org
Tue Aug 25 10:08:10 UTC 2015


Bill,

Thanks for updating the wording in the clause below. I have some comments regarding the 75% attendance requirement.

Besides Josh, several board members already expressed a concern about this requirement and are willing to lower/eliminate it.

Just to give you an example: Michael and Andrew will trigger a vote of CONFIDENCE if they miss another meeting during the calendar year.

https://docs.google.com/spreadsheets/d/1wpaOCBP-qrnde0sLiglDMJOUCtse6oB-zf3ONCkWgZk/edit?pli=1#gid=6 <https://docs.google.com/spreadsheets/d/1wpaOCBP-qrnde0sLiglDMJOUCtse6oB-zf3ONCkWgZk/edit?pli=1#gid=6>

I think that is counterproductive and will send us in a spiral of votes of CONFIDENCE at every Board meeting. I would suggest to lower that requirement or NOT making the vote of CONFIDENCE a requirement for meetings attendance. The vote of CONFIDENCE should be a mechanism to expel a Board member if they don’t fulfil their duties, misbehave with other members/staff of the community, or they significantly do not show up at the Board meetings (e.g. attendance less than 50%). 

Also, I believe the requirement to meet in person is quite vague as per current statement below. I attended all in person meetings at AppSec USA & AppSec EU and think they are very valuable. You have a chance to meet with the community, talk about their needs, help them progress their projects, and meet face-to-face with your fellow Board members. So if we are going to change the Bylaws, I think we need to put a requirement for Board members to meet in person at least ONCE a year. I will appreciate your feedback and from the rest of the Governance list regarding this matter. 
> Attendance in person or virtually by board members is required at no less than 75% of the total meetings each year and shall be highly encouraged to meet in person at least once annually at a date to be announced and agreed upon. 
> 

Thanks,

Fabio Cerullo
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015 <https://2015.appsecusa.org/> in San Francisco!

> On 25 Aug 2015, at 10:22, Bil Corry <bil.corry at owasp.org> wrote:
> 
> Hi Josh,
> 
> Tabulation is described as thus (emphasis is mine):
> 
> "Attendance is tabulated after every scheduled meeting for the purpose of determining if the 75% attendance requirement has been met, and the tabulation is based upon the entire calendar year."
> 
> That means if there are 12 meetings during the year and you miss the first meeting, your attendance is 11/12 or 92%.  No vote required.
> 
> As far as your other concerns, I've updated the text below, hopefully I've covered it all?  I pulled deadlines out of thin air, so feel free to tweak the numbers and method of voting.
> 
> 
> SECTION 3.03 Regular Meetings. The Board of Directors shall have regular meetings as needed.  A link to the board meeting agenda’s and the historical minutes is here: https://www.owasp.org/index.php/OWASP_Board_Meetings <https://www.owasp.org/index.php/OWASP_Board_Meetings>.  Meetings shall be at such dates, times, and places as the Board shall determine in December of the preceding year and as amended by the Board. In no event will there be less than one meeting per quarter.  These meetings will be open to public attendance, however, certain portions of the meeting may be closed to board members and their delegates when required for legal reasons, or to shield liability, or to handle personnel issues, or similar.  Attendance in person or virtually by board members is required at no less than 75% of the total meetings each year and shall be highly encouraged to meet in person at least once annually at a date to be announced and agreed upon.  Attendance is tabulated by the Executive Director or delegate within seven days after every scheduled meeting for the purpose of determining if the 75% attendance requirement has been met, and the tabulation is based upon the entire calendar year.  Cancelled meetings are considered attended for the purposes of the tabulation.  Failure by a board member to meet the 75% attendance requirement after any tabulation will cause a mandatory vote of confidence by the remaining board members, whose votes will be publicly recorded.  The vote of confidence is to take place within 21 days, but not sooner than 7 days, of notification by the Executive Director or delegate that a board member has not met the attendance threshold.  During the first seven days, the board member in question will have an opportunity to make their case to their fellow board members.  The vote of confidence will take place on the OWASP Board of Directors email list, unless the Board votes to review the matter at their next meeting, so long as the next meeting occurs within the 21-day window.  An overall vote of "confidence" is record if half or more of the board members vote for it and it will prevent further votes of confidence for the remainder of the year so long as the board member in question does not miss any further meetings.  An overall vote of "no confidence" is recorded if more than half of the board members vote for it, which causes the board member in question to be instantly removed from their seat on the board.  Vacancies on the board are handled as per Section 3.10.
> 
> 
> 
>  
> 
> 2 OWASP Board of Directors will hold quarterly board meetings lasting 4­6 hours each. The schedule of meetings will be set by the board in December before the year. It is likely the the board meetings will take place on Saturdays or on a dedicated day before a large OWASP conference. This change is a result of the success of the longer format board meeting and also a result of the Executive Director role that has enabled full time involvement and focus on OWASP operations. Board members must attend (in person or virtually) 3 of the 4 meetings to fulfill the attendance requirements. This will take effect in January, 2014. Changes passed August 19, 2013.
> 
> 3 “and shall be highly encouraged to meet in person at least once annually at a date to be announced and agreed upon” amendment to document passed June 10, 2013.
> 
> 
>  
> 
> 
> - Bil
> 
> 
> On Mon, Aug 24, 2015 at 2:31 PM, Josh Sokol <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
> Bil,
> 
> I initiated a Board vote on the new text that you had proposed back in April or May this year and the Board unanimously voted to approve.  Paul has been working to try to identify all of the changes that have been made (there's only been one or two this year) in order to get a new version of the Bylaws on the website.  Regardless, the one that is there is definitely out-of-date.  
> 
> With respect to your update, thank you, I was thinking something similar as well, but this doesn't address a few of my bullet points:
> The method of tabulation is unspecified.  If we are tabulating sequentially, then we have a situation where if a Board member missed their first meeting, a vote is required to be held for three tabulations (0%, 50%, and 66%) until they make it up over 75%.  I am guessing that the intent is for this to be tabulated assuming attendance for all future meetings and action would be taken if the person would be unable to maintain 75% attendance, but if anyone disagrees and has a different interpretation, please let me know.
> The timeframe for the vote is unspecified.  It just says that it will cause a mandatory vote of confidence, but never says when that vote is supposed to take place or who is supposed to initiate it.  Is it to be handled immediately at the time of tabulation?  Is it handled offline over e-mail as we recently did?  Is it handled at the next Board meeting?  Based on the current verbiage, technically the Board could drag it's heels on it indefinitely.  I would think that something reasonable would be having the vote initiated by our Executive Director within two weeks of the tabulation that found them to be not meeting their attendance requirements.  If there is a Board meeting during that window, then it could be handled then, or handled via the mailing list otherwise.  That provides time to handle the situation and removes any Board member bias from the initiation of the vote.
> This does not offer the offender an opportunity to explain why they failed to meet their attendance requirement.  I think that a reasonable process would assume that there is a rational explanation for why they did not attend.  Maybe it's because all of the meetings were being held at 2 AM in their timezone.  Maybe it's because of a death in the family.  I think this process should take the personal factor into consideration.
> Would you care to take a stab at addressing these?  If not, I can certainly take a shot at it as well.
> 
> ~josh
> 
> 
> On Mon, Aug 24, 2015 at 2:07 AM, Bil Corry <bil.corry at owasp.org <mailto:bil.corry at owasp.org>> wrote:
> Hi Josh,
> 
> The current bylaw I see is from last year, which doesn't have the text you quoted.  It's here:
> 
>      https://www.owasp.org/index.php/OWASP_Foundation_ByLaws <https://www.owasp.org/index.php/OWASP_Foundation_ByLaws>
> 
> I know we discussed changing the bylaws, but I don't know what was ultimately adopted.  FWIW, this is the wording from last proposed text, which is very clear on how tabulation is calculated, although it doesn't give strict time limes for tabulation and confidence voting.  The thought was to allow the Board some flexibility in how they want to execute it.  But if you'd like it to be formally incorporated into the bylaws, then please proposed some text.
> 
> 
> SECTION 3.03 Regular Meetings. The Board of Directors shall have regular meetings as needed.  A link to the board meeting agenda’s and the historical minutes is here: https://www.owasp.org/index.php/OWASP_Board_Meetings <https://www.owasp.org/index.php/OWASP_Board_Meetings>.  Meetings shall be at such dates, times, and places as the Board shall determine in December of the preceding year and as amended by the Board. In no event will there be less than one meeting per quarter.  These meetings will be open to public attendance, however, certain portions of the meeting may be closed to board members  and their delegates when required for legal reasons, or to shield liability, or to handle personnel issues, or similar.  Attendance in person or virtually by board members is required at no less than 75% of the total meetings each year and shall be highly encouraged to meet in person at least once annually at a date to be announced and agreed upon.  Attendance is tabulated after every scheduled meeting for the purpose of determining if the 75% attendance requirement has been met, and the tabulation is based upon the entire calendar year.  Cancelled meetings are considered attended for the purposes of the tabulation.  Failure by a board member to meet the 75% attendance requirement after any tabulation will cause a mandatory vote of confidence by the remaining board members, whose votes will be publicly recorded.  An overall vote of "no confidence" is recorded if half or more of the board members vote for it, which causes the board member in question to be instantly removed from their seat on the board.  Vacancies on the board are handled as per Section 3.10.
> 
>  
> 
>  
> 
> 2 OWASP Board of Directors will hold quarterly board meetings lasting 4­6 hours each. The schedule of meetings will be set by the board in December before the year. It is likely the the board meetings will take place on Saturdays or on a dedicated day before a large OWASP conference. This change is a result of the success of the longer format board meeting and also a result of the Executive Director role that has enabled full time involvement and focus on OWASP operations. Board members must attend (in person or virtually) 3 of the 4 meetings to fulfill the attendance requirements. This will take effect in January, 2014. Changes passed August 19, 2013.
> 
> 3 “and shall be highly encouraged to meet in person at least once annually at a date to be announced and agreed upon” amendment to document passed June 10, 2013.
> 
> 
> 
> 
> - Bil
> 
> 
> On Sat, Aug 22, 2015 at 6:01 PM, Josh Sokol <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
> Board,
> 
> As recently discussed and voted on in a separate thread, our current Bylaws state as follows:
> 
> Failure by a board member to meet the 75% attendance requirement after any tabulation will cause a mandatory vote of confidence by the remaining board members, whose votes will be publicly recorded.  An overall vote of "no confidence" is recorded if half or more of the board members vote for it, which causes the board member in question to be instantly removed from their seat on the board.
> 
> I see a few issues with this:
> The timeframe that this applies to is unspecified.  Is it per quarter?  Per calendar year?  Over the two year duration of a Board member term?  Over the cumulative time that a Board member is in office?  I'm guessing that the intent is for this to be over the calendar year, but if anyone disagrees and has a different interpretation, please let me know.
> The definition of "tabulation" is unspecified.  Who is doing the tabulation?  Is there a certain time that this tabulation is conducted?  I'm guessing that the intent is for this to be based on the attendance role that is captured during the Board meeting, but if anyone disagrees and has a different interpretation, please let me know.
> The method of tabulation is unspecified.  If we are tabulating sequentially, then we have a situation where if a Board member missed their first meeting, a vote is required to be held for three tabulations (0%, 50%, and 66%) until they make it up over 75%.  I am guessing that the intent is for this to be tabulated assuming attendance for all future meetings and action would be taken if the person would be unable to maintain 75% attendance, but if anyone disagrees and has a different interpretation, please let me know.
> The timeframe for the vote is unspecified.  It just says that it will cause a mandatory vote of confidence, but never says when that vote is supposed to take place or who is supposed to initiate it.  Is it to be handled immediately at the time of tabulation?  Is it handled offline over e-mail as we recently did?  Is it handled at the next Board meeting?  Based on the current verbiage, technically the Board could drag it's heels on it indefinitely.  I would think that something reasonable would be having the vote initiated by our Executive Director within two weeks of the tabulation that found them to be not meeting their attendance requirements.  If there is a Board meeting during that window, then it could be handled then, or handled via the mailing list otherwise.  That provides time to handle the situation and removes any Board member bias from the initiation of the vote.
> This does not offer the offender an opportunity to explain why they failed to meet their attendance requirement.  I think that a reasonable process would assume that there is a rational explanation for why they did not attend.  Maybe it's because all of the meetings were being held at 2 AM in their timezone.  Maybe it's because of a death in the family.  I think this process should take the personal factor into consideration.
> With the above in mind, I don't see a reason to lower the bar from 75%.  My thinking is that this is a reasonable expectation to have of a Board member with all things being equal.  It may not be the best measure of engagement, but it is still a responsibility that all Board members are aware of going into it, and I am not aware of it having been an issue in the past (until now), so I'm not sure why we would change it now that one Board member had a vote initiated for it.  I would propose that we update the language in order to better clarify my bullet points above, but leave the requirement itself in place.  Please provide your thoughts regarding each of these bullet points (or any other issues that you think need to be addressed here).  Once we have some level of agreement with these, I can take the action item of re-writing this section of the Bylaws in order to incorporate these changes.  Thanks.
> 
> ~josh
> 
> 
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
> https://lists.owasp.org/mailman/listinfo/owasp-board <https://lists.owasp.org/mailman/listinfo/owasp-board>
> 
> 
> 
> 
> _______________________________________________
> Governance mailing list
> Governance at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/governance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/governance/attachments/20150825/a38f2431/attachment-0001.html>


More information about the Governance mailing list