[Owasp-board] [Governance] "Ring Fenced Funds" Discussion and Proposal

Tom Brennan tomb at proactiverisk.com
Fri Aug 28 21:40:48 UTC 2015


Every project has a chapter leader / people.  Every OWASP member
should have a local chapter.   It appears that no one has thought
about mapping this yet as step #1.

Project List
https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Quick_Guides_to_OWASP_Projects

Scoreboard
https://docs.google.com/a/proactiverisk.com/spreadsheets/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html#

So add a column of project leader and home chapter. We should be
tracking that in the CRM system.

Any project that needs services OR funding should solicit the home
chapter, region, county and finally IF denied then the project and the
chapter should be raised to the foundation for funding via the
community manager process.

If the chapter leader is a Ronin and without a chapter... she / he
should get social and attend a local chapter meeting, speak on the
OWASP project and recruit some people, funds, etc.




On Fri, Aug 28, 2015 at 4:20 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> One small suggestion.  We should change item "C" (Contribute some of our
> 'excess' funds to selected PROJECTS as requested by Project leaders) to be
> more like item "G" (Contribute some of our excess funds to 'underfunded'
> Chapters for specific activities.  Let's call this the "adopt a chapter, or
> Sister-Chapter" concept) in that simply moving funds from one account to
> another only perpetuates the current issue.  To that point, I would suggest
> changing it from "PROJECTS" to "PROJECT INITIATIVES".
>
> ~josh
>
> On Fri, Aug 28, 2015 at 12:10 PM, Paul Ritchie <paul.ritchie at owasp.org>
> wrote:
>>
>> Hello team:
>>
>> One step we are taking at the Staff level to move all these great opinions
>> and suggestions into an 'action plan' is to engage all Chapters with greater
>> than $5,000 in their allocated budget in the 2016 budgeting process.
>>
>> Initially, I'm thinking of the following set of questions for those
>> Chapter leaders, so they can discuss with their Chapter Community, and as a
>> group, agree on how best to spend & invest & contribute their chapter funds.
>> Your input and support, as OWASP Leaders will be critical.
>> Obviously the goal is for Chapters to use their funds to help their local
>> community as well as the Global Community of projects, events, programs and
>> underfunded chapters.
>>
>> Questions to prompt Budget Planning at Chapter level.  (Staff will provide
>> reports showing current total balance of funds by Chapter, and 12 month
>> expenses or 'run-rate' by chapter).
>>
>> 1.  Currently your Chapter budget amount is XXX, and you spent about $YYY
>> or (AA%) of that amount in the past 12 months....while your new income into
>> the Chapter budget was about ($BBB).
>> Q1 - Do you expect these annual expenses to remain about the same, go up
>> or down?
>>
>> 2.  Of your total budget amount, what level of funds would you like to keep
>> in 'reserve' and carry over to 2017?  (10%, 25%, 50%)
>>
>> 3.  After subtracting your reserve, and your normal annual spending rate,
>> how would you like to use the remaining "funds available to use"?
>> In each case, please simply answer:   Yes / No, and approximately how
>> much for the 2016 year.
>>
>> a.  Fund more frequent chapter meetings & Speakers
>> b.  Fund more Training sessions at Chapter meetings or local / regional
>> meetings
>> ---  This would include any local OWASP Days or Regional AppSec events
>> produced & hosted by the local Chapter.
>> c.  Fund leaders & Chapter members to attend outside AppSec conferences or
>> events as speakers or panelists.
>> d.  Contribute some of our 'excess' funds to selected PROJECTS as
>> requested by Project leaders
>> e.  Contribute some of our 'excess' funds to a PROJECT SUMMIT, either
>> large Global Summit or a smaller Regional Project Summit.
>> f.   Contribute some of our 'excess' funds to select PROGRAMS as requested
>> by others in the community.
>> ---  Women in AppSec
>> ---  University & Academic Supporter program
>> ---  Adopt a local University program.  Minor funding for a College
>> Chapter
>> ---  Contribute funds so Chapter members can co-market and liaison with
>> other AppSec organizations in our community.
>> ---  Contribute with funds or Chapter member's travel expenses for OWASP
>> Tours.  i.e. LATAM Tour, AsiaPac Tour, Africa Tour
>> ---  Other great ideas........
>> g.   Contribute some of our excess funds to 'underfunded' Chapters for
>> specific activities.  Let's call this the "adopt a chapter, or
>> Sister-Chapter" concept.
>>
>> I'd like to put more structure around this plan with your input and then
>> gain consensus during our Board meeting on Sept. 25.
>> These are just a few of the ways that 'we' as leaders can help our Chapter
>> community make decisions on how best to use their funds to better their
>> local community as well as the Global OWASP Community.
>> Paul
>>
>> Best Regards, Paul Ritchie
>> OWASP Executive Director
>> paul.ritchie at owasp.org
>>
>>
>> On Thu, Aug 27, 2015 at 5:32 PM, Andrew van der Stock <vanderaj at owasp.org>
>> wrote:
>>>
>>> We have a problem where we have a significant % of funds being added to
>>> year on year in an area of completely stagnant spending. It's not being
>>> spent. The ratios were an EXPERIMENT, and it's obvious that there's two
>>> things we can do to help the situation.
>>>
>>> a) encourage chapters to spend their existing funds on stuff that
>>> advances our mission
>>> b) change the allocation ratio to spread the funds around OWASP more
>>> equally
>>>
>>> No one part of our mission is more important than another. All I'm asking
>>> for is a) and b) to be enacted after modelling to find a happy medium of
>>> chapter funding growth, and a discussion on governance over funds including
>>> just enough checks and balances to ensure that OWASP pays for things that
>>> advance our various missions, whilst minimising the chances for misuse of
>>> funds and maximising the chapter leaders' ability to easily access and spend
>>> the funds.
>>>
>>> NO ONE IS TALKING ABOUT TAKING IT AWAY. I want it spent properly and
>>> effectively, which includes letting and encouraging chapters to adopt and
>>> fund projects, conferences, events, community and outreach. If we do
>>> nothing, we will have a bigger problem next year and the year after.
>>>
>>> thanks
>>> Andrew
>>>
>>>
>>>
>>> On Thu, Aug 27, 2015 at 5:20 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>
>>>> I don't think it shall be raided. We don't spend money very well :)
>>>>
>>>> I'm assuming some approval process shall still be in effect when
>>>> drawdown is requested?
>>>>
>>>>
>>>> Eoin Keary
>>>> OWASP Volunteer
>>>> @eoinkeary
>>>>
>>>>
>>>>
>>>> On 27 Aug 2015, at 07:24, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>> I think this is an important proposal from Josh, but I'm a little
>>>> concerned of the pressure put on him to have to even build this proposal.
>>>>
>>>> I frankly think ring-fenced funds for chapters and the savings that each
>>>> chapter has is a very good thing.
>>>>
>>>> Please take a moment to read this article about spending money at the
>>>> "end of the year" for non profits.
>>>>
>>>> http://www.forpurposelaw.com/uh-oh-end-year-money-left/
>>>>
>>>> Here are a few takeaways:
>>>>
>>>> 1) Spending Down All Income Each Year is Fiscally Irresponsible
>>>> 2) Maintaining a financial cushion (even at the chapter level) is good
>>>> money-management and it’s legal.
>>>> 3) A nonprofit can safely make a profit, as long as its primary purpose
>>>> is to carry on and advance its tax-exempt goals and activities.
>>>>
>>>> I think we should celebrate the fact that chapters have been responsible
>>>> and hard working enough to build savings, even if those savings persist over
>>>> a few years. We can always encourage chapters to spend those funds in
>>>> certain ways, but to pressure them seems unjust.
>>>>
>>>> Another thing, we made a very clear promise to chapters about ring
>>>> fencing funds for each chapter. If we raid that coffer we will be 100% out
>>>> of integrity and will be betraying some of the most active members of our
>>>> community.
>>>>
>>>> Please proceed with caution for those of you who want to raid the
>>>> current chapter fund coffers.
>>>>
>>>> - Jim
>>>>
>>>>
>>>>
>>>> On 8/23/15 3:58 PM, Josh Sokol wrote:
>>>>
>>>> Board,
>>>>
>>>> Problem Statement
>>>> There is no reason why we cannot tackle this issue in parallel with the
>>>> conversation around the Board Member Confidence discussion as, at least to
>>>> me, they appear to be unrelated.  The underlying issue here is that we have
>>>> $499,003.33 in funds that are allocated to chapters, and $43,227.29 in funds
>>>> that are allocated to projects, and at least some portion of these funds are
>>>> not getting spent.  When funds aren't getting spent, then they aren't
>>>> benefiting our mission.  And, when they aren't benefiting our mission, then
>>>> OWASP isn't living up to its fullest potential.
>>>>
>>>> Background
>>>> I realize that this is a highly volatile conversation to have since many
>>>> people are passionate about the topic, myself being one of them.  And I will
>>>> qualify my bias in this discussion since my roots with OWASP came from being
>>>> involved with OWASP Austin which has roughly $16k of that funding and most
>>>> would probably consider it one of these "rich chapters".  But, it wasn't
>>>> always that way.  In fact, when I first got involved with OWASP Austin, we
>>>> didn't have much (if any) money in our account at all.  We were clearly
>>>> lagging behind other local organizations, such as ISSA, who provided lunch
>>>> to members, speaker gifts, attendee giveaways, and more.  And when I took
>>>> over the chapter a few years later, I set out to change things to make OWASP
>>>> Austin more competitive.  Initially, that meant asking for funds from the
>>>> OWASP Foundation for every meeting that we had.  Lunch ranged from $300-500
>>>> per meeting.  Throw in speaker gifts and a book giveaway and we were
>>>> probably averaging right around $500 per meeting.  With monthly meetings,
>>>> that number added up to a pretty hefty $6000 per year for OWASP Austin
>>>> alone.  If you do the math, if every chapter at OWASP had these same needs,
>>>> that's easily over half-a-million dollars a year in expenses for chapter
>>>> meetings alone.  Those kinds of numbers may be more sustainable with today's
>>>> revenue, but back then, they would have bankrupted OWASP.  So, rather than
>>>> be a part of the problem, we decided that OWASP Austin needed to find a way
>>>> to be a self-sustaining chapter, and decided that hosting a conference would
>>>> be an ideal way to do that, while also accomplishing OWASP's mission of
>>>> education.  The Lonestar Application Security Conference (LASCON) was born.
>>>>
>>>> The irony here is that OWASP Austin started LASCON as a means to raise
>>>> money so that we wouldn't have to take Foundation funds away from others and
>>>> now others are talking about taking the money away from us.  All along the
>>>> way, we have done the community-conscious thing and split part of the money
>>>> we raised with the Foundation.  We even donated $10k of funds that we didn't
>>>> think we would need to the Africa Chapters for their conference and
>>>> additional funds to the Cornucopia project.  So, yes, we have $16k in the
>>>> bank, but we are spending a significant amount of money every month, and
>>>> that number will go down over the course of the year, and back up after
>>>> LASCON in October.  The money is not stagnant.  It is being spent, and then
>>>> being refreshed.  I realize that the discussion here isn't focused on OWASP
>>>> Austin, but I use it as an example because it is one that I know very well,
>>>> and I think that many of our "rich chapters" fall into a similar boat.  They
>>>> have some events that raise money, some events that cost money, and the
>>>> result is that from the outside it looks like these funds are stagnant,
>>>> while in reality these funds are being used in more ways than almost
>>>> anywhere else in our organization.
>>>>
>>>> One of the best things about having money is that it allows you to
>>>> experiment with things that you wouldn't normally be able to using
>>>> Foundation funding sources.  For example, for years now the OWASP Austin
>>>> chapter has been recording its chapter meetings and putting the content
>>>> online (https://vimeo.com/channels/owaspaustin).  This started as an
>>>> experiment where we used some of our funds raised by LASCON in order to
>>>> purchase some audio-visual recording equipment.  It was a bit rough at
>>>> first, but we started developing best practices and eventually put out a
>>>> document guiding others on the equipment to purchase, how to connect it, how
>>>> to record, and how to put it online.  Now, between OWASP Austin and LASCON,
>>>> we have a video library that rivals what is in the OWASP Media Project as a
>>>> whole.  Every time I hear this "Ring Fenced Funds" discussion come up, what
>>>> it really comes down to, to me, is that somebody else thinks that they will
>>>> be able to put those funds to better use than we do.  They put in none of
>>>> the effort to raise the funds, but want to share in the reward of spending
>>>> them.  That just doesn't sit right with me.
>>>>
>>>> As I said in my first paragraph, I agree that there is an issue here,
>>>> but let's not confuse ourselves.  The issue has NOTHING to do with revenue
>>>> sources for chapters or projects.  We should be encouraging our chapters and
>>>> projects to explore as many different revenue sources as possible as long as
>>>> they do not compromise our core values.  Every dollar that a chapter or
>>>> project goes out and gets on their own is another dollar that the Foundation
>>>> has available for another chapter or project to spend elsewhere.  Even at
>>>> the current 90/10 split on a chapter conference such as LASCON, the
>>>> Foundation gets 10% of the profit for an event that they provided minimal
>>>> support for (contracts, billing, payments, etc, all required by our
>>>> guidelines).  Revenue is a good thing, regardless of the account that it
>>>> falls into.
>>>>
>>>> Proposal
>>>> The real issue here that we are trying to address is not "ring fenced
>>>> funds", but rather, "stagnant funds".  We shouldn't care that chapters or
>>>> projects HAVE money allocated to them.  We should care that they are
>>>> SPENDING it to further our mission.  We need a system in place that INFORMS
>>>> our leaders about how much money they have, that ENCOURAGES them to spend
>>>> their money, and that RECLAIMS money that becomes stagnant.  Thus, I would
>>>> like to propose the following changes to our policies regarding funds that
>>>> have been allocated to a specific chapter or project.
>>>>
>>>> Profit sharing splits will remain at their current levels.  As I
>>>> described above, the issue is not how money comes in, it is how it goes out.
>>>> We should be rewarding those chapters and projects who undertake fundraising
>>>> initiatives by empowering them to spend the money that they raise.  This
>>>> encourages them to continue with future initiatives and creates repeatable
>>>> formulas that others can use to do the same.
>>>>
>>>> Leaders will regularly be made aware of their account balances. One of
>>>> the big problems that we have had in the past is that our leaders didn't
>>>> even know that they had money in their account to spend.  How can we ever
>>>> expect to get stagnant funds moving in that situation?  The OWASP staff will
>>>> be responsible for sending out monthly e-mails to chapter and project
>>>> leaders letting them know how much money they have in their account.  I
>>>> would imagine that we could script this so that it happens automatically.
>>>> Regardless, awareness of funds is key to the spending of funds.
>>>>
>>>> OWASP will maintain a list of things to spend money on.  OK, so a leader
>>>> now knows that they have money, what next?  In the past, we have had a list
>>>> of pre-approved expenses, but it was basic things like room rental, meeting
>>>> food, speakers gifts, etc.  We need to get a little bit unorthodox here and
>>>> start maintaining a list of all expenses that were approved in the past.  I
>>>> mentioned before that OWASP Austin purchased AV recording equipment; let's
>>>> put that on the list.  One of our chapters was talking about building a
>>>> library; sounds great, let's put it on the list.  This list should grow
>>>> bigger and bigger as we experiment and innovate and will serve to show
>>>> leaders examples of what others are doing with their funds.
>>>>
>>>> Initiatives, not donations, are key.  Every time I hear someone say "We
>>>> want a chapter to donate funds to project X", I cringe.  Not because I don't
>>>> think that it is a worthwhile project, but because moving money from one
>>>> account to another only changes the account balance, it doesn't make
>>>> stagnant funds move.  Instead, I would like for us to think of things in
>>>> terms of "initiatives".  An initiative is an idea that someone has that
>>>> needs funding to make it happen.  It is a specific goal with a
>>>> pre-identified budget needed to make it a reality.  We should never have a
>>>> call for "Donate to Project X".  The call should be "Project X needs $Y to
>>>> print 1000 copies to give away at conference Z."  An initiative gets funds
>>>> moving by giving our leaders a reason to spend them.
>>>>
>>>> Highlight those who are making funds move.  When OWASP Austin decided to
>>>> donate $10k of its chapter account balance back to the OWASP Foundation a
>>>> year or so ago, it was a very sterile transaction.  The money was deducted
>>>> from the LASCON profits before it even touched the chapter account and was
>>>> included as part of the 10% profit share for the Foundation.  That was it.
>>>> There was literally no record that the transaction ever took place other
>>>> than an accounting transaction that reflected $10k more than what was
>>>> supposed to be.  When someone does something like this in our organization,
>>>> we need to highlight it, because others will see it as a positive example
>>>> and potentially follow suit.  Blog it, tweet it, put it in the connector,
>>>> and make it a big deal.  If a chapter comes up with a creative way to spend
>>>> their funds, highlight that to show others.  I cannot understate the
>>>> importance of this as it sets the example that all others will follow.
>>>>
>>>> Budgeting at the micro level is a necessity.  I really hate saying this
>>>> because it makes me sound like an old man, but budgeting is important.  We
>>>> do it at the macro level for the Foundation already.  It's a necessity to
>>>> ensure that our funds are being spent in a responsible fashion in order to
>>>> further our mission.  I'm open to suggestions on this one, but my initial
>>>> thought is that any account (project, chapter, or otherwise) with more than
>>>> $5,000 in it needs to have a plan for how to spend that money, and that plan
>>>> comes in the form of a budget.  This move would affect 20 chapters which
>>>> hold a total of $355,847.21, or to put it another way, just over 71% of the
>>>> total chapter "ring-fenced funds".   It would affect two projects which hold
>>>> a total of $17,653.52, or just under 41% of the project "ring-fenced
>>>> funds".  Budgeting should happen in Q4 of each calendar year with the goal
>>>> of each of these groups identifying how they plan to spend the money over
>>>> the course of the next year.  If there were some sort of event or
>>>> longer-term goal that needs to be considered, a future projection budget
>>>> could be included as well.  We can tweak the $5,000 bar in the future if we
>>>> find that it is too high or too low, but it seems like a good target to me,
>>>> at least to start with.
>>>>
>>>> Money with no plan for spending needs to be re-purposed.  The net result
>>>> of the budgeting process is that we identify money being spent or saved with
>>>> a plan vs money that is just sitting there stagnant with no plan for
>>>> spending.  Money with no plan for spending, should go back into the
>>>> community engagement funds pool for others to spend as needed.
>>>>
>>>> Negative account balances need to be wiped clean.  I'm not sure how it
>>>> happened, but I see a number of chapters and projects who have negative
>>>> account balances.  I find myself wondering how it would make me feel as a
>>>> leader to look at the scoreboard or get an e-mail and see that I'm actually
>>>> in the red.  How humiliating.  And what a huge barrier for a new leader to
>>>> overcome.  However this practice got started, nobody should ever be able to
>>>> go below 0.  We need to wipe these deficits clean and give them a fresh
>>>> start.  We're talking less than $750.  We can figure out a way to make this
>>>> happen.  In the future, any amounts over what a chapter has available needs
>>>> to come from the Foundation.
>>>>
>>>> Account balances should be the start of all funding efforts.  Let's be
>>>> clear, there is no shortage of money at OWASP for those who need it.  The
>>>> community engagement funds pool has plenty of money in it that hasn't been
>>>> used up in years past.  That said, the intent of this pool of funds should
>>>> be to provide money to those who don't have it, not to supplement those who
>>>> do.  I've seen at least one initiative recently where the proposal ignored
>>>> the fact that the projects involved all had positive account balances, and
>>>> effectively gifted them the money for the initiative, rather than having
>>>> them spend their funds first.  With the underlying issue here being one of
>>>> stagnant funds, how can we possibly justify gifting this money, when they
>>>> all had their own money that could have been used?  I heard the excuse in
>>>> this particular situation that they likely would not have participated if
>>>> they had to spend their own money, but in that case, what does that say
>>>> about how much those projects valued the initiative?  No leader should be
>>>> able to receive Foundation funding unless they no longer have "ring-fenced
>>>> funds" to spend.  Otherwise, we are just further perpetuating this problem.
>>>>
>>>> Spending money needs to be easy.  There is plenty of money available at
>>>> OWASP for those who need it.  Between the chapters, projects, and community
>>>> funding, we're looking at over $600k.  So, when people tell me that they
>>>> have a hard time spending money at OWASP, I wonder why that is.  I suggest
>>>> that if a chapter or project has a desire to do something that is either on
>>>> the approved list, or that any other chapter or project has done in the past
>>>> (ie. is on that list of things we are spending money on), and they have the
>>>> funds in their account, they can do it, no questions asked.  With every
>>>> approval, we need to be conscious that we are setting the precedent that
>>>> this is an approved expense for everyone.  For those without money in their
>>>> account, they can follow the community engagement process, or see my
>>>> proposal below.
>>>>
>>>> Anyone can budget for the future.  I talked above about the idea of
>>>> micro-budgets for anyone with over $5000 in their account.  This helps to
>>>> recoup the money that isn't getting spent, but it doesn't do anything for
>>>> those who don't have any money, but have things that they want to spend it
>>>> on.  Thus, I propose the idea that any chapter, project, committee, etc can
>>>> create a budget in Q4 for an initiative, or other spending needs, that they
>>>> would like to cover the following year, but do not have the funds to do so.
>>>> The budget would be reviewed by the Executive Director and Board, and, if
>>>> approved, incorporated into the overall OWASP Foundation budget for the
>>>> following year.  This would effectively set aside the funds to use at the
>>>> appropriate period of time, in the future, with no further approvals
>>>> necessary.  It creates empowerment for use of funds and allows the
>>>> Foundation to approve them and plan for them in a responsible manner.  Funds
>>>> are allocated in a "Use them or lose them" fashion, however, and go back to
>>>> the Foundation pool for other initiatives if they are not spent when
>>>> planned.
>>>>
>>>> I did my best here to outline each of the problems that I see with
>>>> respect to how OWASP funds are spent today and to come up with reasonable
>>>> solutions to each.  I don't claim for this to be a comprehensive solution,
>>>> and I hope that you all will help me to further flush out these ideas in
>>>> order to create a long-term vision that will empower our leaders and get our
>>>> money moving for our mission while still maintaining a sense of fiscal
>>>> responsibility.  I am very interested in hearing your thoughts and feedback
>>>> on it.  Thanks.
>>>>
>>>> ~josh
>>>>
>>>>
>>>> _______________________________________________
>>>> Governance mailing list
>>>> Governance at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>> Join me at AppSecUSA 2015!
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
