[Owasp-board] "Ring Fenced Funds" Discussion and Proposal

Josh Sokol josh.sokol at owasp.org
Sun Aug 23 20:58:27 UTC 2015


*Problem Statement*
There is no reason why we cannot tackle this issue in parallel with the
conversation around the Board Member Confidence discussion as, at least to
me, they appear to be unrelated.  The underlying issue here is that we have
$499,003.33 in funds that are allocated to chapters, and $43,227.29 in
funds that are allocated to projects, and at least some portion of these
funds are not getting spent.  When funds aren't getting spent, then they
aren't benefiting our mission.  And, when they aren't benefiting our
mission, then OWASP isn't living up to it's fullest potential.

I realize that this is a highly volatile conversation to have since many
people are passionate about the topic, myself being one of them.  And I
will qualify my bias in this discussion since my roots with OWASP came from
being involved with OWASP Austin which has roughly $16k of that funding and
most would probably consider it one of these "rich chapters".  But, it
wasn't always that way.  In fact, when I first got involved with OWASP
Austin, we didn't have much (if any) money in our account at all.  We were
clearly lagging behind other local organizations, such as ISSA, who
provided lunch to members, speaker gifts, attendee giveaways, and more.
And when I took over the chapter a few years later, I set out to change
things to make OWASP Austin more competitive.  Initially, that meant asking
for funds from the OWASP Foundation for every meeting that we had.  Lunch
ranged from $300-500 per meeting.  Throw in speaker gifts and a book
giveaway and we were probably averaging right around $500 per meeting.
With monthly meetings, that number added up to a pretty hefty $6000 per
year for OWASP Austin alone.  If you do the math, if every chapter at OWASP
had these same needs, that's easily over half-a-million dollars a year in
expenses for chapter meetings alone.  Those kinds of numbers may be more
sustainable with today's revenue, but back then, they would have bankrupted
OWASP.  So, rather than be a part of the problem, we decided that OWASP
Austin needed to find a way to be a self-sustaining chapter, and decided
that hosting a conference would be an ideal way to do that, while also
accomplishing OWASP's mission of education.  The Lonestar Application
Security Conference (LASCON) was born.

The irony here is that OWASP Austin started LASCON as a means to raise
money so that we wouldn't have to take Foundation funds away from others
and now others are talking about taking the money away from us.  All along
the way, we have done the community-conscious thing and split part of the
money we raised with the Foundation.  We even donated $10k of funds that we
didn't think we would need to the Africa Chapters for their conference and
additional funds to the Cornucopia project.  So, yes, we have $16k in the
bank, but we are spending a significant amount of money every month, and
that number will go down over the course of the year, and back up after
LASCON in October.  The money is not stagnant.  It is being spent, and then
being refreshed.  I realize that the discussion here isn't focused on OWASP
Austin, but I use it as an example because it is one that I know very well,
and I think that many of our "rich chapters" fall into a similar boat.
They have some events that raise money, some events that cost money, and
the result is that from the outside it looks like these funds are stagnant,
while in reality these funds are being used in more ways than almost
anywhere else in our organization.

One of the best things about having money is that it allows you to
experiment with things that you wouldn't normally be able to using
Foundation funding sources.  For example, for years now the OWASP Austin
chapter has been recording it's chapter meetings and putting the content
online (https://vimeo.com/channels/owaspaustin).  This started as an
experiment where we used some of our funds raised by LASCON in order to
purchase some audio-visual recording equipment.  It was a bit rough at
first, but we started developing best practices and eventually put out a
document guiding others on the equipment to purchase, how to connect it,
how to record, and how to put it online.  Now, between OWASP Austin and
LASCON, we have a video library that rivals what is in the OWASP Media
Project as a whole.  Every time I hear this "Ring Fenced Funds" discussion
come up, what it really comes down to, to me, is that somebody else thinks
that they will be able to put those funds to better use than we do.  They
put in none of the effort to raise the funds, but want to share in the
reward of spending them.  That just doesn't sit right with me.

As I said in my first paragraph, I agree that there is an issue here, but
let's not confuse ourselves.  The issue has NOTHING to do with revenue
sources for chapters or projects.  We should be encouraging our chapters
and projects to explore as many different revenue sources as possible as
long as they do not compromise our core values.  Every dollar that a
chapter or project goes out and gets on their own is another dollar that
the Foundation has available for another chapter or project to spend
elsewhere.  Even at the current 90/10 split on a chapter conference such as
LASCON, the Foundation gets 10% of the profit for an event that they
provided minimal support for (contracts, billing, payments, etc, all
required by our guidelines).  Revenue is a good thing, regardless of the
account that it falls into.

The real issue here that we are trying to address is not "ring fenced
funds", but rather, "stagnant funds".  We shouldn't care that chapters or
projects HAVE money allocated to them.  We should care that they are
SPENDING it to further our mission.  We need a system in place that INFORMS
our leaders about how much money they have, that ENCOURAGES them to spend
their money, and that RECLAIMS money that becomes stagnant.  Thus, I would
like to propose the following changes to our policies regarding funds that
have been allocated to a specific chapter or project.

   - *Profit sharing splits will remain at their current levels.*  As I
   described above, the issue is not how money comes in, it is how it goes
   out.  We should be rewarding those chapters and projects who undertake
   fundraising initiatives by empowering them to spend the money that they
   raise.  This encourages them to continue with future initiatives and
   creates repeatable formulas that others can use to do the same.
   - *Leaders will regularly be made aware of their account balances.* One
   of the big problems that we have had in the past is that our leaders didn't
   even know that they had money in their account to spend.  How can we ever
   expect to get stagnant funds moving in that situation?  The OWASP staff
   will be responsible for sending out monthly e-mails to chapter and project
   leaders letting them know how much money they have in their account.  I
   would imagine that we could script this so that it happens automatically.
   Regardless, awareness of funds is key to the spending of funds.
   - *OWASP will maintain a list of things to spend money on.*  OK, so a
   leader now knows that they have money, what next?  In the past, we have had
   a list of pre-approved expenses, but it was basic things like room rental,
   meeting food, speakers gifts, etc.  We need to get a little bit unorthodox
   here and start maintaining a list of all expenses that were approved in the
   past.  I mentioned before that OWASP Austin purchased AV recording
   equipment; let's put that on the list.  One of our chapters was talking
   about building a library; sounds great, let's put it on the list.  This
   list should grow bigger and bigger as we experiment and innovate and will
   serve to show leaders examples of what others are doing with their funds.
   - *Initiatives, not donations, are key.*  Every time I hear someone say
   "We want a chapter to donate funds to project X", I cringe.  Not because I
   don't think that it is a worthwhile project, but because moving money from
   one account to another only changes the account balance, it doesn't make
   stagnant funds move.  Instead, I would like for us to think of things in
   terms of "initiatives".  An initiative is an idea that someone has that
   needs funding to make it happen.  It is a specific goal with a
   pre-identified budget needed to make it a reality.  We should never have a
   call for "Donate to Project X".  The call should be "Project X needs $Y to
   print 1000 copies to give away at conference Z."  An initiative gets funds
   moving by giving our leaders a reason to spend them.
   - *Highlight those who are making funds move.*  When OWASP Austin
   decided to donate $10k of it's chapter account balance back to the OWASP
   Foundation a year or so ago, it was a very sterile transaction.  The money
   was deducted from the LASCON profits before it even touched the chapter
   account and was included as part of the 10% profit share for the
   Foundation.  That was it.  There was literally no record that the
   transaction ever took place other than an accounting transaction that
   reflected $10k more than what was supposed to be.  When someone does
   something like this in our organization, we need to highlight it, because
   others will see it as a positive example and potentially follow suit.  Blog
   it, tweet it, put it in the connector, and make it a big deal.  If a
   chapter comes up with a creative way to spend their funds, highlight that
   to show others.  I cannot understate the importance of this as it sets the
   example that all others will follow.
   - *Budgeting at the micro level is a necessity.*  I really hate saying
   this because it makes me sound like an old man, but budgeting is
   important.  We do it at the macro level for the Foundation already.  It's a
   necessity to ensure that our funds are being spent in a responsible fashion
   in order to further our mission.  I'm open to suggestions on this one, but
   my initial thought is that any account (project, chapter, or otherwise)
   with more than $5,000 in it needs to have a plan for how to spend that
   money, and that plan comes in the form of a budget.  This move would affect
   20 chapters which hold a total of $355,847.21, or to put it another way,
   just over 71% of the total chapter "ring-fenced funds".   It would affect
   two projects which hold a total of $17,653.52, or just under under 41% of
   the project "ring-fenced funds".  Budgeting should happen in Q4 of each
   calendar year with the goal of each of these groups identifying how they
   plan to spend the money over the course of the next year.  If there were
   some sort of event or longer-term goal that needs to be considered, a
   future projection budget could be included as well.  We can tweak the
   $5,000 bar in the future if we find that it is too high or too low, but it
   seems like a good target to me, at least to start with.
   - *Money with no plan for spending needs to be re-purposed.*  The net
   result of the budgeting process is that we identify money being spent or
   saved with a plan vs money that is just sitting there stagnant with no plan
   for spending.  Money with no plan for spending, should go back into the
   community engagement funds pool for others to spend as needed.
   - *Negative account balances need to be wiped clean.*  I'm not sure how
   it happened, but I see a number of chapters and projects who have negative
   account balances.  I find myself wondering how it would make me feel as a
   leader to look at the scoreboard or get an e-mail and see that I'm actually
   in the red.  How humiliating.  And what a huge barrier for a new leader to
   overcome.  However this practice got started, nobody should ever be able to
   go below 0.  We need to wipe these deficits clean and give them a fresh
   start.  We're talking less than $750.  We can figure out a way to make this
   happen.  In the future, any amounts over what a chapter has available needs
   to come from the Foundation.
   - *Account balances should be the start of all funding efforts.*  Let's
   be clear, there is no shortage of money at OWASP for those who need it.
   The community engagement funds pool has plenty of money in it that hasn't
   been used up in years past.  That said, the intent of this pool of funds
   should be to provide money to those who don't have it, not to supplement
   those who do.  I've seen at least one initiative recently where the
   proposal ignored the fact that the projects involved all had positive
   account balances, and effectively gifted them the money for the initiative,
   rather than having them spend their funds first.  With the underlying issue
   here being one of stagnant funds, how can we possibly justify gifting this
   money, when they all had their own money that could have been used?  I
   heard the excuse in this particular situation that they likely would not
   have participated if they had to spend their own money, but in that case,
   what does that say about how much those projects valued the initiative?  No
   leader should be able to receive Foundation funding unless they no longer
   have "ring-fenced funds" to spend.  Otherwise, we are just further
   perpetuating this problem.
   - *Spending money needs to be easy.*  There is plenty of money available
   at OWASP for those who need it.  Between the chapters, projects, and
   community funding, we're looking at over $600k.  So, when people tell me
   that they have a hard time spending money at OWASP, I wonder why that is.
   I suggest that if a chapter or project has a desire to do something that is
   either on the approved list, or that any other chapter or project has done
   in the past (ie. is on that list of things we are spending money on), and
   they have the funds in their account, they can do it, no questions asked.
   With every approval, we need to be conscious that we are setting the
   precedent that this is an approved expense for everyone.  For those without
   money in their account, they can follow the community engagement process,
   or see my proposal below.
   - *Anyone can budget for the future.*  I talked above about the idea of
   micro-budgets for anyone with over $5000 in their account.  This helps to
   recoup the money that isn't getting spent, but it doesn't do anything for
   those who don't have any money, but have things that they want to spend it
   on.  Thus, I propose the idea that any chapter, project, committee, etc can
   create a budget in Q4 for an initiative, or other spending needs, that they
   would like to cover the following year, but do not have the funds to do
   so.  The budget would be reviewed by the Executive Director and Board, and,
   if approved, incorporated into the overall OWASP Foundation budget for the
   following year.  This would effectively set aside the funds to use at the
   appropriate period of time, in the future, with no further approvals
   necessary.  It creates empowerment for use of funds and allows the
   Foundation to approve them and plan for them in a responsible manner.
   Funds are allocated in a "Use them or lose them" fashion, however, and go
   back to the Foundation pool for other initiatives if they are not spent
   when planned.

I did my best here to outline each of the problems that I see with respect
to how OWASP funds are spent today and to come up with reasonable solutions
to each.  I don't claim for this to be a comprehensive solution, and I hope
that you all will help me to further flush out these ideas in order to
create a long-term vision that will empower our leaders and get our money
moving for our mission while still maintaining a sense of fiscal
responsibility.  I am very interested in hearing your thoughts and feedback
on it.  Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150823/ec695981/attachment-0001.html>

More information about the Owasp-board mailing list