[Owasp-board] [Governance] "Ring Fenced Funds" Discussion and Proposal

Jim Manico jim.manico at owasp.org
Thu Aug 27 06:24:37 UTC 2015

I think this is an important proposal from Josh, but I'm a little 
concerned of the pressure put on him to have to even build this proposal.

*I frankly think ring-fenced funds for chapters and the savings that 
each chapter has is a very good thing.*

Please take a moment to read this article about spending money at the 
"end of the year" for non profits.


Here area few takeaways:

1) Spending Down All Income Each Year is Fiscally Irresponsible
2) Maintaining a financial cushion (even at the chapter level) is good 
money-management and it’s legal.
3) A nonprofit can safely make a profit, as long as its primary purpose 
is to carry on and advance its tax-exempt goals and activities.

I think we should celebrate the fact that chapters have been responsible 
and hard working enough to build savings, even if those savings persist 
over a few years. We can always encourage chapters to spend those funds 
in certain ways, but to pressure them seems unjust.

Another thing, we made a very clear promise to chapters about ring 
fencing funds for each chapter. If we raid that coffer we will be 100% 
out of integrity and will be betraying some of the most active members 
of our community.

Please proceed with caution for those of you who want to raid the 
current chapter fund coffers.

- Jim

On 8/23/15 3:58 PM, Josh Sokol wrote:
> Board,
> _*Problem Statement*_
> There is no reason why we cannot tackle this issue in parallel with 
> the conversation around the Board Member Confidence discussion as, at 
> least to me, they appear to be unrelated.  The underlying issue here 
> is that we have $499,003.33 in funds that are allocated to chapters, 
> and $43,227.29 in funds that are allocated to projects, and at least 
> some portion of these funds are not getting spent.  When funds aren't 
> getting spent, then they aren't benefiting our mission.  And, when 
> they aren't benefiting our mission, then OWASP isn't living up to it's 
> fullest potential.
> _*Background*_
> I realize that this is a highly volatile conversation to have since 
> many people are passionate about the topic, myself being one of them.  
> And I will qualify my bias in this discussion since my roots with 
> OWASP came from being involved with OWASP Austin which has roughly 
> $16k of that funding and most would probably consider it one of these 
> "rich chapters".  But, it wasn't always that way.  In fact, when I 
> first got involved with OWASP Austin, we didn't have much (if any) 
> money in our account at all.  We were clearly lagging behind other 
> local organizations, such as ISSA, who provided lunch to members, 
> speaker gifts, attendee giveaways, and more. And when I took over the 
> chapter a few years later, I set out to change things to make OWASP 
> Austin more competitive.  Initially, that meant asking for funds from 
> the OWASP Foundation for every meeting that we had.  Lunch ranged from 
> $300-500 per meeting.  Throw in speaker gifts and a book giveaway and 
> we were probably averaging right around $500 per meeting.  With 
> monthly meetings, that number added up to a pretty hefty $6000 per 
> year for OWASP Austin alone.  If you do the math, if every chapter at 
> OWASP had these same needs, that's easily over half-a-million dollars 
> a year in expenses for chapter meetings alone.  Those kinds of numbers 
> may be more sustainable with today's revenue, but back then, they 
> would have bankrupted OWASP.  So, rather than be a part of the 
> problem, we decided that OWASP Austin needed to find a way to be a 
> self-sustaining chapter, and decided that hosting a conference would 
> be an ideal way to do that, while also accomplishing OWASP's mission 
> of education.  The Lonestar Application Security Conference (LASCON) 
> was born.
> The irony here is that OWASP Austin started LASCON as a means to raise 
> money so that we wouldn't have to take Foundation funds away from 
> others and now others are talking about taking the money away from 
> us.  All along the way, we have done the community-conscious thing and 
> split part of the money we raised with the Foundation.  We even 
> donated $10k of funds that we didn't think we would need to the Africa 
> Chapters for their conference and additional funds to the Cornucopia 
> project.  So, yes, we have $16k in the bank, but we are spending a 
> significant amount of money every month, and that number will go down 
> over the course of the year, and back up after LASCON in October.  The 
> money is not stagnant.  It is being spent, and then being refreshed.  
> I realize that the discussion here isn't focused on OWASP Austin, but 
> I use it as an example because it is one that I know very well, and I 
> think that many of our "rich chapters" fall into a similar boat.  They 
> have some events that raise money, some events that cost money, and 
> the result is that from the outside it looks like these funds are 
> stagnant, while in reality these funds are being used in more ways 
> than almost anywhere else in our organization.
> One of the best things about having money is that it allows you to 
> experiment with things that you wouldn't normally be able to using 
> Foundation funding sources.  For example, for years now the OWASP 
> Austin chapter has been recording it's chapter meetings and putting 
> the content online (https://vimeo.com/channels/owaspaustin). This 
> started as an experiment where we used some of our funds raised by 
> LASCON in order to purchase some audio-visual recording equipment.  It 
> was a bit rough at first, but we started developing best practices and 
> eventually put out a document guiding others on the equipment to 
> purchase, how to connect it, how to record, and how to put it online.  
> Now, between OWASP Austin and LASCON, we have a video library that 
> rivals what is in the OWASP Media Project as a whole.  Every time I 
> hear this "Ring Fenced Funds" discussion come up, what it really comes 
> down to, to me, is that somebody else thinks that they will be able to 
> put those funds to better use than we do.  They put in none of the 
> effort to raise the funds, but want to share in the reward of spending 
> them.  That just doesn't sit right with me.
> As I said in my first paragraph, I agree that there is an issue here, 
> but let's not confuse ourselves.  The issue has NOTHING to do with 
> revenue sources for chapters or projects.  We should be encouraging 
> our chapters and projects to explore as many different revenue sources 
> as possible as long as they do not compromise our core values. Every 
> dollar that a chapter or project goes out and gets on their own is 
> another dollar that the Foundation has available for another chapter 
> or project to spend elsewhere.  Even at the current 90/10 split on a 
> chapter conference such as LASCON, the Foundation gets 10% of the 
> profit for an event that they provided minimal support for (contracts, 
> billing, payments, etc, all required by our guidelines).  Revenue is a 
> good thing, regardless of the account that it falls into.
> _*Proposal*_
> The real issue here that we are trying to address is not "ring fenced 
> funds", but rather, "stagnant funds".  We shouldn't care that chapters 
> or projects HAVE money allocated to them. We should care that they are 
> SPENDING it to further our mission.  We need a system in place that 
> INFORMS our leaders about how much money they have, that ENCOURAGES 
> them to spend their money, and that RECLAIMS money that becomes 
> stagnant. Thus, I would like to propose the following changes to our 
> policies regarding funds that have been allocated to a specific 
> chapter or project.
>   * *Profit sharing splits will remain at their current levels.*  As I
>     described above, the issue is not how money comes in, it is how it
>     goes out.  We should be rewarding those chapters and projects who
>     undertake fundraising initiatives by empowering them to spend the
>     money that they raise.  This encourages them to continue with
>     future initiatives and creates repeatable formulas that others can
>     use to do the same.
>   * *Leaders will regularly be made aware of their account balances.*
>     One of the big problems that we have had in the past is that our
>     leaders didn't even know that they had money in their account to
>     spend.  How can we ever expect to get stagnant funds moving in
>     that situation?  The OWASP staff will be responsible for sending
>     out monthly e-mails to chapter and project leaders letting them
>     know how much money they have in their account.  I would imagine
>     that we could script this so that it happens automatically. 
>     Regardless, awareness of funds is key to the spending of funds.
>   * *OWASP will maintain a list of things to spend money on.* OK, so a
>     leader now knows that they have money, what next? In the past, we
>     have had a list of pre-approved expenses, but it was basic things
>     like room rental, meeting food, speakers gifts, etc.  We need to
>     get a little bit unorthodox here and start maintaining a list of
>     all expenses that were approved in the past.  I mentioned before
>     that OWASP Austin purchased AV recording equipment; let's put that
>     on the list.  One of our chapters was talking about building a
>     library; sounds great, let's put it on the list.  This list should
>     grow bigger and bigger as we experiment and innovate and will
>     serve to show leaders examples of what others are doing with their
>     funds.
>   * *Initiatives, not donations, are key.*  Every time I hear someone
>     say "We want a chapter to donate funds to project X", I cringe. 
>     Not because I don't think that it is a worthwhile project, but
>     because moving money from one account to another only changes the
>     account balance, it doesn't make stagnant funds move.  Instead, I
>     would like for us to think of things in terms of "initiatives". 
>     An initiative is an idea that someone has that needs funding to
>     make it happen.  It is a specific goal with a pre-identified
>     budget needed to make it a reality.  We should never have a call
>     for "Donate to Project X".  The call should be "Project X needs $Y
>     to print 1000 copies to give away at conference Z."  An initiative
>     gets funds moving by giving our leaders a reason to spend them.
>   * *Highlight those who are making funds move.*  When OWASP Austin
>     decided to donate $10k of it's chapter account balance back to the
>     OWASP Foundation a year or so ago, it was a very sterile
>     transaction.  The money was deducted from the LASCON profits
>     before it even touched the chapter account and was included as
>     part of the 10% profit share for the Foundation.  That was it. 
>     There was literally no record that the transaction ever took place
>     other than an accounting transaction that reflected $10k more than
>     what was supposed to be.  When someone does something like this in
>     our organization, we need to highlight it, because others will see
>     it as a positive example and potentially follow suit.  Blog it,
>     tweet it, put it in the connector, and make it a big deal.  If a
>     chapter comes up with a creative way to spend their funds,
>     highlight that to show others.  I cannot understate the importance
>     of this as it sets the example that all others will follow.
>   * *Budgeting at the micro level is a necessity.*  I really hate
>     saying this because it makes me sound like an old man, but
>     budgeting is important.  We do it at the macro level for the
>     Foundation already.  It's a necessity to ensure that our funds are
>     being spent in a responsible fashion in order to further our
>     mission.  I'm open to suggestions on this one, but my initial
>     thought is that any account (project, chapter, or otherwise) with
>     more than $5,000 in it needs to have a plan for how to spend that
>     money, and that plan comes in the form of a budget.  This move
>     would affect 20 chapters which hold a total of $355,847.21, or to
>     put it another way, just over 71% of the total chapter
>     "ring-fenced funds".   It would affect two projects which hold a
>     total of $17,653.52, or just under under 41% of the project
>     "ring-fenced funds".  Budgeting should happen in Q4 of each
>     calendar year with the goal of each of these groups identifying
>     how they plan to spend the money over the course of the next
>     year.  If there were some sort of event or longer-term goal that
>     needs to be considered, a future projection budget could be
>     included as well.  We can tweak the $5,000 bar in the future if we
>     find that it is too high or too low, but it seems like a good
>     target to me, at least to start with.
>   * *Money with no plan for spending needs to be re-purposed.*  The
>     net result of the budgeting process is that we identify money
>     being spent or saved with a plan vs money that is just sitting
>     there stagnant with no plan for spending.  Money with no plan for
>     spending, should go back into the community engagement funds pool
>     for others to spend as needed.
>   * *Negative account balances need to be wiped clean.* I'm not sure
>     how it happened, but I see a number of chapters and projects who
>     have negative account balances.  I find myself wondering how it
>     would make me feel as a leader to look at the scoreboard or get an
>     e-mail and see that I'm actually in the red.  How humiliating. 
>     And what a huge barrier for a new leader to overcome.  However
>     this practice got started, nobody should ever be able to go below
>     0.  We need to wipe these deficits clean and give them a fresh
>     start.  We're talking less than $750.  We can figure out a way to
>     make this happen.  In the future, any amounts over what a chapter
>     has available needs to come from the Foundation.
>   * *Account balances should be the start of all funding efforts.* 
>     Let's be clear, there is no shortage of money at OWASP for those
>     who need it.  The community engagement funds pool has plenty of
>     money in it that hasn't been used up in years past.  That said,
>     the intent of this pool of funds should be to provide money to
>     those who don't have it, not to supplement those who do.  I've
>     seen at least one initiative recently where the proposal ignored
>     the fact that the projects involved all had positive account
>     balances, and effectively gifted them the money for the
>     initiative, rather than having them spend their funds first.  With
>     the underlying issue here being one of stagnant funds, how can we
>     possibly justify gifting this money, when they all had their own
>     money that could have been used?  I heard the excuse in this
>     particular situation that they likely would not have participated
>     if they had to spend their own money, but in that case, what does
>     that say about how much those projects valued the initiative?  No
>     leader should be able to receive Foundation funding unless they no
>     longer have "ring-fenced funds" to spend.  Otherwise, we are just
>     further perpetuating this problem.
>   * *Spending money needs to be easy.*  There is plenty of money
>     available at OWASP for those who need it.  Between the chapters,
>     projects, and community funding, we're looking at over $600k.  So,
>     when people tell me that they have a hard time spending money at
>     OWASP, I wonder why that is.  I suggest that if a chapter or
>     project has a desire to do something that is either on the
>     approved list, or that any other chapter or project has done in
>     the past (ie. is on that list of things we are spending money on),
>     and they have the funds in their account, they can do it, no
>     questions asked.  With every approval, we need to be conscious
>     that we are setting the precedent that this is an approved expense
>     for everyone.  For those without money in their account, they can
>     follow the community engagement process, or see my proposal below.
>   * *Anyone can budget for the future.*  I talked above about the idea
>     of micro-budgets for anyone with over $5000 in their account. 
>     This helps to recoup the money that isn't getting spent, but it
>     doesn't do anything for those who don't have any money, but have
>     things that they want to spend it on.  Thus, I propose the idea
>     that any chapter, project, committee, etc can create a budget in
>     Q4 for an initiative, or other spending needs, that they would
>     like to cover the following year, but do not have the funds to do
>     so.  The budget would be reviewed by the Executive Director and
>     Board, and, if approved, incorporated into the overall OWASP
>     Foundation budget for the following year.  This would effectively
>     set aside the funds to use at the appropriate period of time, in
>     the future, with no further approvals necessary.  It creates
>     empowerment for use of funds and allows the Foundation to approve
>     them and plan for them in a responsible manner.  Funds are
>     allocated in a "Use them or lose them" fashion, however, and go
>     back to the Foundation pool for other initiatives if they are not
>     spent when planned.
> I did my best here to outline each of the problems that I see with 
> respect to how OWASP funds are spent today and to come up with 
> reasonable solutions to each.  I don't claim for this to be a 
> comprehensive solution, and I hope that you all will help me to 
> further flush out these ideas in order to create a long-term vision 
> that will empower our leaders and get our money moving for our mission 
> while still maintaining a sense of fiscal responsibility.  I am very 
> interested in hearing your thoughts and feedback on it.  Thanks.
> ~josh
> _______________________________________________
> Governance mailing list
> Governance at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/governance

Jim Manico
Global Board Member
OWASP Foundation
Join me at AppSecUSA 2015!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150827/7434c899/attachment-0001.html>

More information about the Owasp-board mailing list