[Owasp-board] [Governance] "Ring Fenced Funds" Discussion and Proposal

Michael Coates michael.coates at owasp.org
Sun Aug 23 22:21:44 UTC 2015


Great work articulating an issue with multiple items that need consideration. I agree that this is a spending problem and stagnant funds are the issue. 

Overall I agree with this direction. I imagine we'll find a few more scenarios to consider and talk through more. 

I also do like the idea that chapters should spend their chapter funds first. Great idea on the preamp proved spending list too. Regarding the "challenges" to spending money (administratively) I think we should handle that separately and also strive to make it as easy as possible. I'd be interested in specific feedback from those that found it hard. I've done it many times and find it very easy. But, this is a minor issue and shouldn't distract from the major points that you suggested. 

Overall I'm in favor of moving this direction and think it will empower the chapters to use funds to benefit Owasp overall. 


> On Aug 23, 2015, at 1:58 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> Board,
> Problem Statement
> There is no reason why we cannot tackle this issue in parallel with the conversation around the Board Member Confidence discussion as, at least to me, they appear to be unrelated.  The underlying issue here is that we have $499,003.33 in funds that are allocated to chapters, and $43,227.29 in funds that are allocated to projects, and at least some portion of these funds are not getting spent.  When funds aren't getting spent, then they aren't benefiting our mission.  And, when they aren't benefiting our mission, then OWASP isn't living up to it's fullest potential.  
> Background
> I realize that this is a highly volatile conversation to have since many people are passionate about the topic, myself being one of them.  And I will qualify my bias in this discussion since my roots with OWASP came from being involved with OWASP Austin which has roughly $16k of that funding and most would probably consider it one of these "rich chapters".  But, it wasn't always that way.  In fact, when I first got involved with OWASP Austin, we didn't have much (if any) money in our account at all.  We were clearly lagging behind other local organizations, such as ISSA, who provided lunch to members, speaker gifts, attendee giveaways, and more.  And when I took over the chapter a few years later, I set out to change things to make OWASP Austin more competitive.  Initially, that meant asking for funds from the OWASP Foundation for every meeting that we had.  Lunch ranged from $300-500 per meeting.  Throw in speaker gifts and a book giveaway and we were probably averaging right around $500 per meeting.  With monthly meetings, that number added up to a pretty hefty $6000 per year for OWASP Austin alone.  If you do the math, if every chapter at OWASP had these same needs, that's easily over half-a-million dollars a year in expenses for chapter meetings alone.  Those kinds of numbers may be more sustainable with today's revenue, but back then, they would have bankrupted OWASP.  So, rather than be a part of the problem, we decided that OWASP Austin needed to find a way to be a self-sustaining chapter, and decided that hosting a conference would be an ideal way to do that, while also accomplishing OWASP's mission of education.  The Lonestar Application Security Conference (LASCON) was born.
> The irony here is that OWASP Austin started LASCON as a means to raise money so that we wouldn't have to take Foundation funds away from others and now others are talking about taking the money away from us.  All along the way, we have done the community-conscious thing and split part of the money we raised with the Foundation.  We even donated $10k of funds that we didn't think we would need to the Africa Chapters for their conference and additional funds to the Cornucopia project.  So, yes, we have $16k in the bank, but we are spending a significant amount of money every month, and that number will go down over the course of the year, and back up after LASCON in October.  The money is not stagnant.  It is being spent, and then being refreshed.  I realize that the discussion here isn't focused on OWASP Austin, but I use it as an example because it is one that I know very well, and I think that many of our "rich chapters" fall into a similar boat.  They have some events that raise money, some events that cost money, and the result is that from the outside it looks like these funds are stagnant, while in reality these funds are being used in more ways than almost anywhere else in our organization.  
> One of the best things about having money is that it allows you to experiment with things that you wouldn't normally be able to using Foundation funding sources.  For example, for years now the OWASP Austin chapter has been recording it's chapter meetings and putting the content online (https://vimeo.com/channels/owaspaustin).  This started as an experiment where we used some of our funds raised by LASCON in order to purchase some audio-visual recording equipment.  It was a bit rough at first, but we started developing best practices and eventually put out a document guiding others on the equipment to purchase, how to connect it, how to record, and how to put it online.  Now, between OWASP Austin and LASCON, we have a video library that rivals what is in the OWASP Media Project as a whole.  Every time I hear this "Ring Fenced Funds" discussion come up, what it really comes down to, to me, is that somebody else thinks that they will be able to put those funds to better use than we do.  They put in none of the effort to raise the funds, but want to share in the reward of spending them.  That just doesn't sit right with me.
> As I said in my first paragraph, I agree that there is an issue here, but let's not confuse ourselves.  The issue has NOTHING to do with revenue sources for chapters or projects.  We should be encouraging our chapters and projects to explore as many different revenue sources as possible as long as they do not compromise our core values.  Every dollar that a chapter or project goes out and gets on their own is another dollar that the Foundation has available for another chapter or project to spend elsewhere.  Even at the current 90/10 split on a chapter conference such as LASCON, the Foundation gets 10% of the profit for an event that they provided minimal support for (contracts, billing, payments, etc, all required by our guidelines).  Revenue is a good thing, regardless of the account that it falls into.  
> Proposal
> The real issue here that we are trying to address is not "ring fenced funds", but rather, "stagnant funds".  We shouldn't care that chapters or projects HAVE money allocated to them.  We should care that they are SPENDING it to further our mission.  We need a system in place that INFORMS our leaders about how much money they have, that ENCOURAGES them to spend their money, and that RECLAIMS money that becomes stagnant.  Thus, I would like to propose the following changes to our policies regarding funds that have been allocated to a specific chapter or project.
> Profit sharing splits will remain at their current levels.  As I described above, the issue is not how money comes in, it is how it goes out.  We should be rewarding those chapters and projects who undertake fundraising initiatives by empowering them to spend the money that they raise.  This encourages them to continue with future initiatives and creates repeatable formulas that others can use to do the same.
> Leaders will regularly be made aware of their account balances. One of the big problems that we have had in the past is that our leaders didn't even know that they had money in their account to spend.  How can we ever expect to get stagnant funds moving in that situation?  The OWASP staff will be responsible for sending out monthly e-mails to chapter and project leaders letting them know how much money they have in their account.  I would imagine that we could script this so that it happens automatically.  Regardless, awareness of funds is key to the spending of funds.
> OWASP will maintain a list of things to spend money on.  OK, so a leader now knows that they have money, what next?  In the past, we have had a list of pre-approved expenses, but it was basic things like room rental, meeting food, speakers gifts, etc.  We need to get a little bit unorthodox here and start maintaining a list of all expenses that were approved in the past.  I mentioned before that OWASP Austin purchased AV recording equipment; let's put that on the list.  One of our chapters was talking about building a library; sounds great, let's put it on the list.  This list should grow bigger and bigger as we experiment and innovate and will serve to show leaders examples of what others are doing with their funds.  
> Initiatives, not donations, are key.  Every time I hear someone say "We want a chapter to donate funds to project X", I cringe.  Not because I don't think that it is a worthwhile project, but because moving money from one account to another only changes the account balance, it doesn't make stagnant funds move.  Instead, I would like for us to think of things in terms of "initiatives".  An initiative is an idea that someone has that needs funding to make it happen.  It is a specific goal with a pre-identified budget needed to make it a reality.  We should never have a call for "Donate to Project X".  The call should be "Project X needs $Y to print 1000 copies to give away at conference Z."  An initiative gets funds moving by giving our leaders a reason to spend them.
> Highlight those who are making funds move.  When OWASP Austin decided to donate $10k of it's chapter account balance back to the OWASP Foundation a year or so ago, it was a very sterile transaction.  The money was deducted from the LASCON profits before it even touched the chapter account and was included as part of the 10% profit share for the Foundation.  That was it.  There was literally no record that the transaction ever took place other than an accounting transaction that reflected $10k more than what was supposed to be.  When someone does something like this in our organization, we need to highlight it, because others will see it as a positive example and potentially follow suit.  Blog it, tweet it, put it in the connector, and make it a big deal.  If a chapter comes up with a creative way to spend their funds, highlight that to show others.  I cannot understate the importance of this as it sets the example that all others will follow.
> Budgeting at the micro level is a necessity.  I really hate saying this because it makes me sound like an old man, but budgeting is important.  We do it at the macro level for the Foundation already.  It's a necessity to ensure that our funds are being spent in a responsible fashion in order to further our mission.  I'm open to suggestions on this one, but my initial thought is that any account (project, chapter, or otherwise) with more than $5,000 in it needs to have a plan for how to spend that money, and that plan comes in the form of a budget.  This move would affect 20 chapters which hold a total of $355,847.21, or to put it another way, just over 71% of the total chapter "ring-fenced funds".   It would affect two projects which hold a total of $17,653.52, or just under under 41% of the project "ring-fenced funds".  Budgeting should happen in Q4 of each calendar year with the goal of each of these groups identifying how they plan to spend the money over the course of the next year.  If there were some sort of event or longer-term goal that needs to be considered, a future projection budget could be included as well.  We can tweak the $5,000 bar in the future if we find that it is too high or too low, but it seems like a good target to me, at least to start with.
> Money with no plan for spending needs to be re-purposed.  The net result of the budgeting process is that we identify money being spent or saved with a plan vs money that is just sitting there stagnant with no plan for spending.  Money with no plan for spending, should go back into the community engagement funds pool for others to spend as needed.  
> Negative account balances need to be wiped clean.  I'm not sure how it happened, but I see a number of chapters and projects who have negative account balances.  I find myself wondering how it would make me feel as a leader to look at the scoreboard or get an e-mail and see that I'm actually in the red.  How humiliating.  And what a huge barrier for a new leader to overcome.  However this practice got started, nobody should ever be able to go below 0.  We need to wipe these deficits clean and give them a fresh start.  We're talking less than $750.  We can figure out a way to make this happen.  In the future, any amounts over what a chapter has available needs to come from the Foundation.
> Account balances should be the start of all funding efforts.  Let's be clear, there is no shortage of money at OWASP for those who need it.  The community engagement funds pool has plenty of money in it that hasn't been used up in years past.  That said, the intent of this pool of funds should be to provide money to those who don't have it, not to supplement those who do.  I've seen at least one initiative recently where the proposal ignored the fact that the projects involved all had positive account balances, and effectively gifted them the money for the initiative, rather than having them spend their funds first.  With the underlying issue here being one of stagnant funds, how can we possibly justify gifting this money, when they all had their own money that could have been used?  I heard the excuse in this particular situation that they likely would not have participated if they had to spend their own money, but in that case, what does that say about how much those projects valued the initiative?  No leader should be able to receive Foundation funding unless they no longer have "ring-fenced funds" to spend.  Otherwise, we are just further perpetuating this problem.
> Spending money needs to be easy.  There is plenty of money  available at OWASP for those who need it.  Between the chapters, projects, and community funding, we're looking at over $600k.  So, when people tell me that they have a hard time spending money at OWASP, I wonder why that is.  I suggest that if a chapter or project has a desire to do something that is either on the approved list, or that any other chapter or project has done in the past (ie. is on that list of things we are spending money on), and they have the funds in their account, they can do it, no questions asked.  With every approval, we need to be conscious that we are setting the precedent that this is an approved expense for everyone.  For those without money in their account, they can follow the community engagement process, or see my proposal below.
> Anyone can budget for the future.  I talked above about the idea of micro-budgets for anyone with over $5000 in their account.  This helps to recoup the money that isn't getting spent, but it doesn't do anything for those who don't have any money, but have things that they want to spend it on.  Thus, I propose the idea that any chapter, project, committee, etc can create a budget in Q4 for an initiative, or other spending needs, that they would like to cover the following year, but do not have the funds to do so.  The budget would be reviewed by the Executive Director and Board, and, if approved, incorporated into the overall OWASP Foundation budget for the following year.  This would effectively set aside the funds to use at the appropriate period of time, in the future, with no further approvals necessary.  It creates empowerment for use of funds and allows the Foundation to approve them and plan for them in a responsible manner.  Funds are allocated in a "Use them or lose them" fashion, however, and go back to the Foundation pool for other initiatives if they are not spent when planned.
> I did my best here to outline each of the problems that I see with respect to how OWASP funds are spent today and to come up with reasonable solutions to each.  I don't claim for this to be a comprehensive solution, and I hope that you all will help me to further flush out these ideas in order to create a long-term vision that will empower our leaders and get our money moving for our mission while still maintaining a sense of fiscal responsibility.  I am very interested in hearing your thoughts and feedback on it.  Thanks.
> ~josh
> _______________________________________________
> Governance mailing list
> Governance at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/governance
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150823/ab6c681f/attachment-0001.html>

More information about the Owasp-board mailing list