[Governance] [Owasp-board] Bylaw Update Discussion - Board Member Confidence

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Aug 26 09:56:43 UTC 2015


Bil,

Has anyone reached out to the IRS and other NGOs to discuss how they
solved this problem?

On Wed, Aug 26, 2015 at 1:36 AM, Bil Corry <bil.corry at owasp.org> wrote:
> Hi Fabio,
>
> The 75% figure came from the original bylaws which required attendance at 3
> out of 4 meetings.  I'm not opposed to changing the ratio, but it seems
> others are.  Perhaps the board can decide on a figure you're all comfortable
> with?
>
> As for the attendance in person, originally it was required to attend in
> person at least one meeting, but the thought was that if there's only one
> offered per year, and you're unable to attend for some reason, then it isn't
> really fair that you couldn't attend the single one offered.  Again, if the
> board wants to require at least one in-person meeting, please let me know -
> I can reword the proposed text.
>
>
> - Bil
>
>
> On Tue, Aug 25, 2015 at 12:08 PM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>>
>> Bil,
>>
>> Thanks for updating the wording in the clause below. I have some comments
>> regarding the 75% attendance requirement.
>>
>> Besides Josh, several board members already expressed a concern about this
>> requirement and are willing to lower/eliminate it.
>>
>> Just to give you an example: Michael and Andrew will trigger a vote of
>> CONFIDENCE if they miss another meeting during the calendar year.
>>
>>
>> https://docs.google.com/spreadsheets/d/1wpaOCBP-qrnde0sLiglDMJOUCtse6oB-zf3ONCkWgZk/edit?pli=1#gid=6
>>
>> I think that is counterproductive and will send us in a spiral of votes of
>> CONFIDENCE at every Board meeting. I would suggest lowering that requirement
>> or NOT making the vote of CONFIDENCE a requirement for meetings attendance.
>> The vote of CONFIDENCE should be a mechanism to expel a Board member if they
>> don’t fulfil their duties, misbehave with other members/staff of the
>> community, or they significantly do not show up at the Board meetings (e.g.
>> attendance less than 50%).
>>
>> Also, I believe the requirement to meet in person is quite vague as per
>> current statement below. I attended all in person meetings at AppSec USA &
>> AppSec EU and think they are very valuable. You have a chance to meet with
>> the community, talk about their needs, help them progress their projects,
>> and meet face-to-face with your fellow Board members. So if we are going to
>> change the Bylaws, I think we need to put a requirement for Board members to
>> meet in person at least ONCE a year. I will appreciate your feedback and
>> from the rest of the Governance list regarding this matter.
>>
>> Attendance in person or virtually by board members is required at no less
>> than 75% of the total meetings each year and shall be highly encouraged to
>> meet in person at least once annually at a date to be announced and agreed
>> upon.
>>
>> Thanks,
>>
>> Fabio Cerullo
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA 2015 in San Francisco!
>>
>> On 25 Aug 2015, at 10:22, Bil Corry <bil.corry at owasp.org> wrote:
>>
>> Hi Josh,
>>
>> Tabulation is described as thus (emphasis is mine):
>>
>> "Attendance is tabulated after every scheduled meeting for the purpose of
>> determining if the 75% attendance requirement has been met, and the
>> tabulation is based upon the entire calendar year."
>>
>> That means if there are 12 meetings during the year and you miss the first
>> meeting, your attendance is 11/12 or 92%.  No vote required.
>>
>> As far as your other concerns, I've updated the text below, hopefully I've
>> covered it all?  I pulled deadlines out of thin air, so feel free to tweak
>> the numbers and method of voting.
>>
>>
>> SECTION 3.03 Regular Meetings. The Board of Directors shall have regular
>> meetings as needed.  A link to the board meeting agendas and the historical
>> minutes is here: https://www.owasp.org/index.php/OWASP_Board_Meetings.
>> Meetings shall be at such dates, times, and places as the Board shall
>> determine in December of the preceding year and as amended by the Board. In
>> no event will there be less than one meeting per quarter.  These meetings
>> will be open to public attendance, however, certain portions of the meeting
>> may be closed to board members and their delegates when required for legal
>> reasons, or to shield liability, or to handle personnel issues, or similar.
>> Attendance in person or virtually by board members is required at no less
>> than 75% of the total meetings each year and shall be highly encouraged to
>> meet in person at least once annually at a date to be announced and agreed
>> upon.  Attendance is tabulated by the Executive Director or delegate within
>> seven days after every scheduled meeting for the purpose of determining if
>> the 75% attendance requirement has been met, and the tabulation is based
>> upon the entire calendar year.  Cancelled meetings are considered attended
>> for the purposes of the tabulation.  Failure by a board member to meet the
>> 75% attendance requirement after any tabulation will cause a mandatory vote
>> of confidence by the remaining board members, whose votes will be publicly
>> recorded.  The vote of confidence is to take place within 21 days, but not
>> sooner than 7 days, of notification by the Executive Director or delegate
>> that a board member has not met the attendance threshold.  During the first
>> seven days, the board member in question will have an opportunity to make
>> their case to their fellow board members.  The vote of confidence will take
>> place on the OWASP Board of Directors email list, unless the Board votes to
>> review the matter at their next meeting, so long as the next meeting occurs
>> within the 21-day window.  An overall vote of "confidence" is recorded if half
>> or more of the board members vote for it and it will prevent further votes
>> of confidence for the remainder of the year so long as the board member in
>> question does not miss any further meetings.  An overall vote of "no
>> confidence" is recorded if more than half of the board members vote for it,
>> which causes the board member in question to be instantly removed from their
>> seat on the board.  Vacancies on the board are handled as per Section 3.10.
>>
>>
>>
>>
>> 2 OWASP Board of Directors will hold quarterly board meetings lasting 4-6
>> hours each. The schedule of meetings will be set by the board in December
>> before the year. It is likely the board meetings will take place on
>> Saturdays or on a dedicated day before a large OWASP conference. This change
>> is a result of the success of the longer format board meeting and also a
>> result of the Executive Director role that has enabled full time involvement
>> and focus on OWASP operations. Board members must attend (in person or
>> virtually) 3 of the 4 meetings to fulfill the attendance requirements. This
>> will take effect in January, 2014. Changes passed August 19, 2013.
>>
>> 3 “and shall be highly encouraged to meet in person at least once annually
>> at a date to be announced and agreed upon” amendment to document passed June
>> 10, 2013.
>>
>>
>>
>>
>>
>> - Bil
>>
>>
>> On Mon, Aug 24, 2015 at 2:31 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>> Bil,
>>>
>>> I initiated a Board vote on the new text that you had proposed back in
>>> April or May this year and the Board unanimously voted to approve.  Paul has
>>> been working to try to identify all of the changes that have been made
>>> (there's only been one or two this year) in order to get a new version of
>>> the Bylaws on the website.  Regardless, the one that is there is definitely
>>> out-of-date.
>>>
>>> With respect to your update, thank you, I was thinking something similar
>>> as well, but this doesn't address a few of my bullet points:
>>>
>>> * The method of tabulation is unspecified.  If we are tabulating
>>>   sequentially, then we have a situation where if a Board member missed their
>>>   first meeting, a vote is required to be held for three tabulations (0%, 50%,
>>>   and 66%) until they make it up over 75%.  I am guessing that the intent is
>>>   for this to be tabulated assuming attendance for all future meetings and
>>>   action would be taken if the person would be unable to maintain 75%
>>>   attendance, but if anyone disagrees and has a different interpretation,
>>>   please let me know.
>>> * The timeframe for the vote is unspecified.  It just says that it will
>>>   cause a mandatory vote of confidence, but never says when that vote is
>>>   supposed to take place or who is supposed to initiate it.  Is it to be
>>>   handled immediately at the time of tabulation?  Is it handled offline over
>>>   e-mail as we recently did?  Is it handled at the next Board meeting?  Based
>>>   on the current verbiage, technically the Board could drag its heels on it
>>>   indefinitely.  I would think that something reasonable would be having the
>>>   vote initiated by our Executive Director within two weeks of the tabulation
>>>   that found them to be not meeting their attendance requirements.  If there
>>>   is a Board meeting during that window, then it could be handled then, or
>>>   handled via the mailing list otherwise.  That provides time to handle the
>>>   situation and removes any Board member bias from the initiation of the vote.
>>> * This does not offer the offender an opportunity to explain why they
>>>   failed to meet their attendance requirement.  I think that a reasonable
>>>   process would assume that there is a rational explanation for why they did
>>>   not attend.  Maybe it's because all of the meetings were being held at 2 AM
>>>   in their timezone.  Maybe it's because of a death in the family.  I think
>>>   this process should take the personal factor into consideration.
>>>
>>> Would you care to take a stab at addressing these?  If not, I can
>>> certainly take a shot at it as well.
>>>
>>> ~josh
>>>
>>>
>>> On Mon, Aug 24, 2015 at 2:07 AM, Bil Corry <bil.corry at owasp.org> wrote:
>>>>
>>>> Hi Josh,
>>>>
>>>> The current bylaw I see is from last year, which doesn't have the text
>>>> you quoted.  It's here:
>>>>
>>>>      https://www.owasp.org/index.php/OWASP_Foundation_ByLaws
>>>>
>>>> I know we discussed changing the bylaws, but I don't know what was
>>>> ultimately adopted.  FWIW, this is the wording from last proposed text,
>>>> which is very clear on how tabulation is calculated, although it doesn't
>>>> give strict time limits for tabulation and confidence voting.  The thought
>>>> was to allow the Board some flexibility in how they want to execute it.  But
>>>> if you'd like it to be formally incorporated into the bylaws, then please
>>>> propose some text.
>>>>
>>>>
>>>> SECTION 3.03 Regular Meetings. The Board of Directors shall have regular
>>>> meetings as needed.  A link to the board meeting agendas and the historical
>>>> minutes is here: https://www.owasp.org/index.php/OWASP_Board_Meetings.
>>>> Meetings shall be at such dates, times, and places as the Board shall
>>>> determine in December of the preceding year and as amended by the Board. In
>>>> no event will there be less than one meeting per quarter.  These meetings
>>>> will be open to public attendance, however, certain portions of the meeting
>>>> may be closed to board members  and their delegates when required for legal
>>>> reasons, or to shield liability, or to handle personnel issues, or similar.
>>>> Attendance in person or virtually by board members is required at no less
>>>> than 75% of the total meetings each year and shall be highly encouraged to
>>>> meet in person at least once annually at a date to be announced and agreed
>>>> upon.  Attendance is tabulated after every scheduled meeting for the purpose
>>>> of determining if the 75% attendance requirement has been met, and the
>>>> tabulation is based upon the entire calendar year.  Cancelled meetings are
>>>> considered attended for the purposes of the tabulation.  Failure by a board
>>>> member to meet the 75% attendance requirement after any tabulation will
>>>> cause a mandatory vote of confidence by the remaining board members, whose
>>>> votes will be publicly recorded.  An overall vote of "no confidence" is
>>>> recorded if half or more of the board members vote for it, which causes the
>>>> board member in question to be instantly removed from their seat on the
>>>> board.  Vacancies on the board are handled as per Section 3.10.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2 OWASP Board of Directors will hold quarterly board meetings lasting
>>>> 4-6 hours each. The schedule of meetings will be set by the board in
>>>> December before the year. It is likely the board meetings will take
>>>> place on Saturdays or on a dedicated day before a large OWASP conference.
>>>> This change is a result of the success of the longer format board meeting
>>>> and also a result of the Executive Director role that has enabled full time
>>>> involvement and focus on OWASP operations. Board members must attend (in
>>>> person or virtually) 3 of the 4 meetings to fulfill the attendance
>>>> requirements. This will take effect in January, 2014. Changes passed August
>>>> 19, 2013.
>>>>
>>>> 3 “and shall be highly encouraged to meet in person at least once
>>>> annually at a date to be announced and agreed upon” amendment to document
>>>> passed June 10, 2013.
>>>>
>>>>
>>>>
>>>>
>>>> - Bil
>>>>
>>>>
>>>> On Sat, Aug 22, 2015 at 6:01 PM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>>
>>>>> Board,
>>>>>
>>>>> As recently discussed and voted on in a separate thread, our current
>>>>> Bylaws state as follows:
>>>>>
>>>>> Failure by a board member to meet the 75% attendance requirement after
>>>>> any tabulation will cause a mandatory vote of confidence by the remaining
>>>>> board members, whose votes will be publicly recorded.  An overall vote of
>>>>> "no confidence" is recorded if half or more of the board members vote for
>>>>> it, which causes the board member in question to be instantly removed from
>>>>> their seat on the board.
>>>>>
>>>>> I see a few issues with this:
>>>>>
>>>>> * The timeframe that this applies to is unspecified.  Is it per quarter?
>>>>>   Per calendar year?  Over the two year duration of a Board member term?  Over
>>>>>   the cumulative time that a Board member is in office?  I'm guessing that the
>>>>>   intent is for this to be over the calendar year, but if anyone disagrees and
>>>>>   has a different interpretation, please let me know.
>>>>> * The definition of "tabulation" is unspecified.  Who is doing the
>>>>>   tabulation?  Is there a certain time that this tabulation is conducted?  I'm
>>>>>   guessing that the intent is for this to be based on the attendance roll that
>>>>>   is captured during the Board meeting, but if anyone disagrees and has a
>>>>>   different interpretation, please let me know.
>>>>> * The method of tabulation is unspecified.  If we are tabulating
>>>>>   sequentially, then we have a situation where if a Board member missed their
>>>>>   first meeting, a vote is required to be held for three tabulations (0%, 50%,
>>>>>   and 66%) until they make it up over 75%.  I am guessing that the intent is
>>>>>   for this to be tabulated assuming attendance for all future meetings and
>>>>>   action would be taken if the person would be unable to maintain 75%
>>>>>   attendance, but if anyone disagrees and has a different interpretation,
>>>>>   please let me know.
>>>>> * The timeframe for the vote is unspecified.  It just says that it will
>>>>>   cause a mandatory vote of confidence, but never says when that vote is
>>>>>   supposed to take place or who is supposed to initiate it.  Is it to be
>>>>>   handled immediately at the time of tabulation?  Is it handled offline over
>>>>>   e-mail as we recently did?  Is it handled at the next Board meeting?  Based
>>>>>   on the current verbiage, technically the Board could drag its heels on it
>>>>>   indefinitely.  I would think that something reasonable would be having the
>>>>>   vote initiated by our Executive Director within two weeks of the tabulation
>>>>>   that found them to be not meeting their attendance requirements.  If there
>>>>>   is a Board meeting during that window, then it could be handled then, or
>>>>>   handled via the mailing list otherwise.  That provides time to handle the
>>>>>   situation and removes any Board member bias from the initiation of the vote.
>>>>> * This does not offer the offender an opportunity to explain why they
>>>>>   failed to meet their attendance requirement.  I think that a reasonable
>>>>>   process would assume that there is a rational explanation for why they did
>>>>>   not attend.  Maybe it's because all of the meetings were being held at 2 AM
>>>>>   in their timezone.  Maybe it's because of a death in the family.  I think
>>>>>   this process should take the personal factor into consideration.
>>>>>
>>>>> With the above in mind, I don't see a reason to lower the bar from 75%.
>>>>> My thinking is that this is a reasonable expectation to have of a Board
>>>>> member with all things being equal.  It may not be the best measure of
>>>>> engagement, but it is still a responsibility that all Board members are
>>>>> aware of going into it, and I am not aware of it having been an issue in the
>>>>> past (until now), so I'm not sure why we would change it now that one Board
>>>>> member had a vote initiated for it.  I would propose that we update the
>>>>> language in order to better clarify my bullet points above, but leave the
>>>>> requirement itself in place.  Please provide your thoughts regarding each of
>>>>> these bullet points (or any other issues that you think need to be addressed
>>>>> here).  Once we have some level of agreement with these, I can take the
>>>>> action item of re-writing this section of the Bylaws in order to incorporate
>>>>> these changes.  Thanks.
>>>>>
>>>>> ~josh
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>
>>>
>>
>> _______________________________________________
>> Governance mailing list
>> Governance at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/governance
>>
>>
>
>



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

