[Owasp-board] [Governance] "Ring Fenced Funds" Discussion and Proposal

Paul Ritchie paul.ritchie at owasp.org
Fri Aug 28 22:33:43 UTC 2015

Yep, another good suggestion Tom.

I'd like to see more suggestions on ways to improve awareness & education
at the chapter & project level, before leaping into another layer of
administrative process on our CRM system.   Frankly the CRM system via the
SalesForce tool, is an incomplete solution since it does not integrate very
well at all with all the data we keep on the Wiki, like Chapter membership
and all our Mailman group email lists.  I've spent the past 8 months
working with Kate & Noreen on possible integration tools but it is very
sparse, and would require fairly severe manual maintenance efforts.
 Solving this system issue is a problem for another day.

I pleased to see all the constructive contributions toward helping Chapters
& Project understand their funding options and how to access those funds
easily and rapidly.  Lets keep on that track, and I'm confident we will
have an improved process by implementing some of these recommendations, as
well as continued and consistent 'reminders' to the Community via the
Community Manager newsflash,  the OWASP Connector, and the associated
tweets on key articles.

Cheers, Paul

Best Regards, Paul Ritchie
OWASP Executive Director
paul.ritchie at owasp.org

On Fri, Aug 28, 2015 at 2:40 PM, Michael Coates <michael.coates at owasp.org>

> Great stuff! Can't wait to see how it turns out. This is a great first
> step to getting awareness of the issue out to the chapters
> On Aug 28, 2015, at 10:10 AM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
> Hello team:
> One step we are taking at the Staff level to move all these great opinions
> and suggestions into an 'action plan' is to engage all *Chapters with
> greater than $5,000 in their allocated budget* in the 2016 budgeting
> process.
> Initially, I'm thinking of the following set of questions for those
> Chapter leaders, so they can discuss with their Chapter Community, and as a
> group, agree on how best to spend & invest & contribute their chapter
> funds.   Your input and support, as OWASP Leaders will be critical.
> Obviously the goal is for Chapters to use their funds to help their local
> community as well as the Global Community of projects, events, programs and
> underfunded chapters.
> *Questions to prompt Budget Planning at Chapter level*.  (Staff will
> provide reports showing current total balance of funds by Chapter, and 12
> month expenses or 'run-rate' by chapter).
> 1.  Currently your Chapter budget amount is XXX, and you spent about $YYY
> or (AA%) of that amount in the past 12 month....while your new income into
> the Chapter budget was about ($BBB).
> Q1 - Do you expect these annual expenses to remain about the same, go up
> or down?
> 2.  Of you total budget amount, what level of funds would you like to keep
> in 'reserve' and carry over to 2017?  (10%, 25%, 50%)
> 3.  After subtracting your reserve, and your normal annual spending rate,
> how would you like to use the remaining "funds available to use"?
> >>  In each case, please simply answer:   Yes / No, and approximately how
> much for the 2016 year.
> a.  Fund more frequent chapter meetings & Speakers
> b.  Fund more Training sessions at Chapter meetings or local / regional
> meetings
> ---  This would include any local OWASP Days or Regional AppSec events
> produced & hosted by the local Chapter.
> c.  Fund leaders & Chapter members to attend outside AppSec conferences or
> events as speakers or panelist.
> d.  Contribute some of our 'excess' funds to selected PROJECTS as
> requested by Project leaders
> e.  Contribute some of our 'excess' funds to a PROJECT SUMMIT, either
> large Global Summit or a smaller Regional Project Summit.
> f.   Contribute some of our 'excess' funds to select PROGRAMS as requested
> by others in the community.
> ---  Women in AppSec
> ---  University & Academic Supporter program
> ---  Adopt a local University program.  Minor funding for a College Chapter
> ---  Contribute funds so Chapter members can co-market and liaison with
> other AppSec organizations in our community.
> ---  Contribute with funds or Chapter member's travel expenses for OWASP
> Tours.  i.e. LATAM Tour, AsiaPac Tour, Africa Tour
> ---  Other great ideas........
> g.   Contribute some of our excess funds to 'underfunded' Chapters for
> specific activities.  Lets call this the "adopt a chapter, or
> Sister-Chapter" concept.
> I'd like to put more structure around this plan with your input and then
> gain consensus during our Board meeting on Sept. 25.
> These are just a few of the ways that 'we' as leaders can help our Chapter
> community make decisions on how best to use their funds to better their
> local community as well as the Global OWASP Community.
> Paul
> Best Regards, Paul Ritchie
> OWASP Executive Director
> paul.ritchie at owasp.org
> On Thu, Aug 27, 2015 at 5:32 PM, Andrew van der Stock <vanderaj at owasp.org>
> wrote:
>> We have a problem where we have significant % of funds being added to
>> year on year in an area of completely stagnant spending. It's not being
>> spent. The ratios were an EXPERIMENT, and it's obvious that there's two
>> things we can do to help the situation.
>> a) encourage chapters to spend their existing funds on stuff that
>> advances our mission
>> b) change the allocation ratio to spread the funds around OWASP more
>> equally
>> No one part of our mission is more important than another. All I'm asking
>> for is a) and b) to be enacted after modelling to find a happy medium of
>> chapter funding growth, and a discussion on governance over funds including
>> just enough checks and balances to ensure that OWASP pays for things that
>> advance our various missions, whilst minimising the chances for misuse of
>> funds and maximising the chapter leaders ability to easily access and spend
>> the funds.
>> NO ONE IS TALKING ABOUT TAKING IT AWAY. I want it spent properly and
>> effectively, which includes letting and encouraging chapters to adopt and
>> fund projects, conferences, events, community and outreach. If we do
>> nothing, we will have a bigger problem next year and the year after.
>> thanks
>> Andrew
>> On Thu, Aug 27, 2015 at 5:20 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> I don't think it shall be raided. We don't spend money very well :)
>>> I'm assuming some approval process shall still be in effect when
>>> drawdown is requested?
>>> Eoin Keary
>>> OWASP Volunteer
>>> @eoinkeary
>>> On 27 Aug 2015, at 07:24, Jim Manico <jim.manico at owasp.org> wrote:
>>> I think this is an important proposal from Josh, but I'm a little
>>> concerned of the pressure put on him to have to even build this proposal.
>>> *I frankly think ring-fenced funds for chapters and the savings that
>>> each chapter has is a very good thing.*
>>> Please take a moment to read this article about spending money at the
>>> "end of the year" for non profits.
>>> http://www.forpurposelaw.com/uh-oh-end-year-money-left/
>>> Here area few takeaways:
>>> 1) Spending Down All Income Each Year is Fiscally Irresponsible
>>> 2) Maintaining a financial cushion (even at the chapter level) is good
>>> money-management and it’s legal.
>>> 3) A nonprofit can safely make a profit, as long as its primary purpose
>>> is to carry on and advance its tax-exempt goals and activities.
>>> I think we should celebrate the fact that chapters have been responsible
>>> and hard working enough to build savings, even if those savings persist
>>> over a few years. We can always encourage chapters to spend those funds in
>>> certain ways, but to pressure them seems unjust.
>>> Another thing, we made a very clear promise to chapters about ring
>>> fencing funds for each chapter. If we raid that coffer we will be 100% out
>>> of integrity and will be betraying some of the most active members of our
>>> community.
>>> Please proceed with caution for those of you who want to raid the
>>> current chapter fund coffers.
>>> - Jim
>>> On 8/23/15 3:58 PM, Josh Sokol wrote:
>>> Board,
>>> *Problem Statement*
>>> There is no reason why we cannot tackle this issue in parallel with the
>>> conversation around the Board Member Confidence discussion as, at least to
>>> me, they appear to be unrelated.  The underlying issue here is that we have
>>> $499,003.33 in funds that are allocated to chapters, and $43,227.29 in
>>> funds that are allocated to projects, and at least some portion of these
>>> funds are not getting spent.  When funds aren't getting spent, then they
>>> aren't benefiting our mission.  And, when they aren't benefiting our
>>> mission, then OWASP isn't living up to it's fullest potential.
>>> *Background*
>>> I realize that this is a highly volatile conversation to have since many
>>> people are passionate about the topic, myself being one of them.  And I
>>> will qualify my bias in this discussion since my roots with OWASP came from
>>> being involved with OWASP Austin which has roughly $16k of that funding and
>>> most would probably consider it one of these "rich chapters".  But, it
>>> wasn't always that way.  In fact, when I first got involved with OWASP
>>> Austin, we didn't have much (if any) money in our account at all.  We were
>>> clearly lagging behind other local organizations, such as ISSA, who
>>> provided lunch to members, speaker gifts, attendee giveaways, and more.
>>> And when I took over the chapter a few years later, I set out to change
>>> things to make OWASP Austin more competitive.  Initially, that meant asking
>>> for funds from the OWASP Foundation for every meeting that we had.  Lunch
>>> ranged from $300-500 per meeting.  Throw in speaker gifts and a book
>>> giveaway and we were probably averaging right around $500 per meeting.
>>> With monthly meetings, that number added up to a pretty hefty $6000 per
>>> year for OWASP Austin alone.  If you do the math, if every chapter at OWASP
>>> had these same needs, that's easily over half-a-million dollars a year in
>>> expenses for chapter meetings alone.  Those kinds of numbers may be more
>>> sustainable with today's revenue, but back then, they would have bankrupted
>>> OWASP.  So, rather than be a part of the problem, we decided that OWASP
>>> Austin needed to find a way to be a self-sustaining chapter, and decided
>>> that hosting a conference would be an ideal way to do that, while also
>>> accomplishing OWASP's mission of education.  The Lonestar Application
>>> Security Conference (LASCON) was born.
>>> The irony here is that OWASP Austin started LASCON as a means to raise
>>> money so that we wouldn't have to take Foundation funds away from others
>>> and now others are talking about taking the money away from us.  All along
>>> the way, we have done the community-conscious thing and split part of the
>>> money we raised with the Foundation.  We even donated $10k of funds that we
>>> didn't think we would need to the Africa Chapters for their conference and
>>> additional funds to the Cornucopia project.  So, yes, we have $16k in the
>>> bank, but we are spending a significant amount of money every month, and
>>> that number will go down over the course of the year, and back up after
>>> LASCON in October.  The money is not stagnant.  It is being spent, and then
>>> being refreshed.  I realize that the discussion here isn't focused on OWASP
>>> Austin, but I use it as an example because it is one that I know very well,
>>> and I think that many of our "rich chapters" fall into a similar boat.
>>> They have some events that raise money, some events that cost money, and
>>> the result is that from the outside it looks like these funds are stagnant,
>>> while in reality these funds are being used in more ways than almost
>>> anywhere else in our organization.
>>> One of the best things about having money is that it allows you to
>>> experiment with things that you wouldn't normally be able to using
>>> Foundation funding sources.  For example, for years now the OWASP Austin
>>> chapter has been recording it's chapter meetings and putting the content
>>> online (https://vimeo.com/channels/owaspaustin).  This started as an
>>> experiment where we used some of our funds raised by LASCON in order to
>>> purchase some audio-visual recording equipment.  It was a bit rough at
>>> first, but we started developing best practices and eventually put out a
>>> document guiding others on the equipment to purchase, how to connect it,
>>> how to record, and how to put it online.  Now, between OWASP Austin and
>>> LASCON, we have a video library that rivals what is in the OWASP Media
>>> Project as a whole.  Every time I hear this "Ring Fenced Funds" discussion
>>> come up, what it really comes down to, to me, is that somebody else thinks
>>> that they will be able to put those funds to better use than we do.  They
>>> put in none of the effort to raise the funds, but want to share in the
>>> reward of spending them.  That just doesn't sit right with me.
>>> As I said in my first paragraph, I agree that there is an issue here,
>>> but let's not confuse ourselves.  The issue has NOTHING to do with revenue
>>> sources for chapters or projects.  We should be encouraging our chapters
>>> and projects to explore as many different revenue sources as possible as
>>> long as they do not compromise our core values.  Every dollar that a
>>> chapter or project goes out and gets on their own is another dollar that
>>> the Foundation has available for another chapter or project to spend
>>> elsewhere.  Even at the current 90/10 split on a chapter conference such as
>>> LASCON, the Foundation gets 10% of the profit for an event that they
>>> provided minimal support for (contracts, billing, payments, etc, all
>>> required by our guidelines).  Revenue is a good thing, regardless of the
>>> account that it falls into.
>>> *Proposal*
>>> The real issue here that we are trying to address is not "ring fenced
>>> funds", but rather, "stagnant funds".  We shouldn't care that chapters or
>>> projects HAVE money allocated to them.  We should care that they are
>>> SPENDING it to further our mission.  We need a system in place that INFORMS
>>> our leaders about how much money they have, that ENCOURAGES them to spend
>>> their money, and that RECLAIMS money that becomes stagnant.  Thus, I would
>>> like to propose the following changes to our policies regarding funds that
>>> have been allocated to a specific chapter or project.
>>>    - *Profit sharing splits will remain at their current levels.*  As I
>>>    described above, the issue is not how money comes in, it is how it goes
>>>    out.  We should be rewarding those chapters and projects who undertake
>>>    fundraising initiatives by empowering them to spend the money that they
>>>    raise.  This encourages them to continue with future initiatives and
>>>    creates repeatable formulas that others can use to do the same.
>>>    - *Leaders will regularly be made aware of their account balances.*
>>>    One of the big problems that we have had in the past is that our leaders
>>>    didn't even know that they had money in their account to spend.  How can we
>>>    ever expect to get stagnant funds moving in that situation?  The OWASP
>>>    staff will be responsible for sending out monthly e-mails to chapter and
>>>    project leaders letting them know how much money they have in their
>>>    account.  I would imagine that we could script this so that it happens
>>>    automatically.  Regardless, awareness of funds is key to the spending of
>>>    funds.
>>>    - *OWASP will maintain a list of things to spend money on.*  OK, so
>>>    a leader now knows that they have money, what next?  In the past, we have
>>>    had a list of pre-approved expenses, but it was basic things like room
>>>    rental, meeting food, speakers gifts, etc.  We need to get a little bit
>>>    unorthodox here and start maintaining a list of all expenses that were
>>>    approved in the past.  I mentioned before that OWASP Austin purchased AV
>>>    recording equipment; let's put that on the list.  One of our chapters was
>>>    talking about building a library; sounds great, let's put it on the list.
>>>    This list should grow bigger and bigger as we experiment and innovate and
>>>    will serve to show leaders examples of what others are doing with their
>>>    funds.
>>>    - *Initiatives, not donations, are key.*  Every time I hear someone
>>>    say "We want a chapter to donate funds to project X", I cringe.  Not
>>>    because I don't think that it is a worthwhile project, but because moving
>>>    money from one account to another only changes the account balance, it
>>>    doesn't make stagnant funds move.  Instead, I would like for us to think of
>>>    things in terms of "initiatives".  An initiative is an idea that someone
>>>    has that needs funding to make it happen.  It is a specific goal with a
>>>    pre-identified budget needed to make it a reality.  We should never have a
>>>    call for "Donate to Project X".  The call should be "Project X needs $Y to
>>>    print 1000 copies to give away at conference Z."  An initiative gets funds
>>>    moving by giving our leaders a reason to spend them.
>>>    - *Highlight those who are making funds move.*  When OWASP Austin
>>>    decided to donate $10k of it's chapter account balance back to the OWASP
>>>    Foundation a year or so ago, it was a very sterile transaction.  The money
>>>    was deducted from the LASCON profits before it even touched the chapter
>>>    account and was included as part of the 10% profit share for the
>>>    Foundation.  That was it.  There was literally no record that the
>>>    transaction ever took place other than an accounting transaction that
>>>    reflected $10k more than what was supposed to be.  When someone does
>>>    something like this in our organization, we need to highlight it, because
>>>    others will see it as a positive example and potentially follow suit.  Blog
>>>    it, tweet it, put it in the connector, and make it a big deal.  If a
>>>    chapter comes up with a creative way to spend their funds, highlight that
>>>    to show others.  I cannot understate the importance of this as it sets the
>>>    example that all others will follow.
>>>    - *Budgeting at the micro level is a necessity.*  I really hate
>>>    saying this because it makes me sound like an old man, but budgeting is
>>>    important.  We do it at the macro level for the Foundation already.  It's a
>>>    necessity to ensure that our funds are being spent in a responsible fashion
>>>    in order to further our mission.  I'm open to suggestions on this one, but
>>>    my initial thought is that any account (project, chapter, or otherwise)
>>>    with more than $5,000 in it needs to have a plan for how to spend that
>>>    money, and that plan comes in the form of a budget.  This move would affect
>>>    20 chapters which hold a total of $355,847.21, or to put it another way,
>>>    just over 71% of the total chapter "ring-fenced funds".   It would affect
>>>    two projects which hold a total of $17,653.52, or just under under 41% of
>>>    the project "ring-fenced funds".  Budgeting should happen in Q4 of each
>>>    calendar year with the goal of each of these groups identifying how they
>>>    plan to spend the money over the course of the next year.  If there were
>>>    some sort of event or longer-term goal that needs to be considered, a
>>>    future projection budget could be included as well.  We can tweak the
>>>    $5,000 bar in the future if we find that it is too high or too low, but it
>>>    seems like a good target to me, at least to start with.
>>>    - *Money with no plan for spending needs to be re-purposed.*  The
>>>    net result of the budgeting process is that we identify money being spent
>>>    or saved with a plan vs money that is just sitting there stagnant with no
>>>    plan for spending.  Money with no plan for spending, should go back into
>>>    the community engagement funds pool for others to spend as needed.
>>>    - *Negative account balances need to be wiped clean.*  I'm not sure
>>>    how it happened, but I see a number of chapters and projects who have
>>>    negative account balances.  I find myself wondering how it would make me
>>>    feel as a leader to look at the scoreboard or get an e-mail and see that
>>>    I'm actually in the red.  How humiliating.  And what a huge barrier for a
>>>    new leader to overcome.  However this practice got started, nobody should
>>>    ever be able to go below 0.  We need to wipe these deficits clean and give
>>>    them a fresh start.  We're talking less than $750.  We can figure out a way
>>>    to make this happen.  In the future, any amounts over what a chapter has
>>>    available needs to come from the Foundation.
>>>    - *Account balances should be the start of all funding efforts.*
>>>    Let's be clear, there is no shortage of money at OWASP for those who need
>>>    it.  The community engagement funds pool has plenty of money in it that
>>>    hasn't been used up in years past.  That said, the intent of this pool of
>>>    funds should be to provide money to those who don't have it, not to
>>>    supplement those who do.  I've seen at least one initiative recently where
>>>    the proposal ignored the fact that the projects involved all had positive
>>>    account balances, and effectively gifted them the money for the initiative,
>>>    rather than having them spend their funds first.  With the underlying issue
>>>    here being one of stagnant funds, how can we possibly justify gifting this
>>>    money, when they all had their own money that could have been used?  I
>>>    heard the excuse in this particular situation that they likely would not
>>>    have participated if they had to spend their own money, but in that case,
>>>    what does that say about how much those projects valued the initiative?  No
>>>    leader should be able to receive Foundation funding unless they no longer
>>>    have "ring-fenced funds" to spend.  Otherwise, we are just further
>>>    perpetuating this problem.
>>>    - *Spending money needs to be easy.*  There is plenty of money
>>>    available at OWASP for those who need it.  Between the chapters, projects,
>>>    and community funding, we're looking at over $600k.  So, when people tell
>>>    me that they have a hard time spending money at OWASP, I wonder why that
>>>    is.  I suggest that if a chapter or project has a desire to do something
>>>    that is either on the approved list, or that any other chapter or project
>>>    has done in the past (ie. is on that list of things we are spending money
>>>    on), and they have the funds in their account, they can do it, no questions
>>>    asked.  With every approval, we need to be conscious that we are setting
>>>    the precedent that this is an approved expense for everyone.  For those
>>>    without money in their account, they can follow the community engagement
>>>    process, or see my proposal below.
>>>    - *Anyone can budget for the future.*  I talked above about the idea
>>>    of micro-budgets for anyone with over $5000 in their account.  This helps
>>>    to recoup the money that isn't getting spent, but it doesn't do anything
>>>    for those who don't have any money, but have things that they want to spend
>>>    it on.  Thus, I propose the idea that any chapter, project, committee, etc
>>>    can create a budget in Q4 for an initiative, or other spending needs, that
>>>    they would like to cover the following year, but do not have the funds to
>>>    do so.  The budget would be reviewed by the Executive Director and Board,
>>>    and, if approved, incorporated into the overall OWASP Foundation budget for
>>>    the following year.  This would effectively set aside the funds to use at
>>>    the appropriate period of time, in the future, with no further approvals
>>>    necessary.  It creates empowerment for use of funds and allows the
>>>    Foundation to approve them and plan for them in a responsible manner.
>>>    Funds are allocated in a "Use them or lose them" fashion, however, and go
>>>    back to the Foundation pool for other initiatives if they are not spent
>>>    when planned.
>>> I did my best here to outline each of the problems that I see with
>>> respect to how OWASP funds are spent today and to come up with reasonable
>>> solutions to each.  I don't claim for this to be a comprehensive solution,
>>> and I hope that you all will help me to further flush out these ideas in
>>> order to create a long-term vision that will empower our leaders and get
>>> our money moving for our mission while still maintaining a sense of fiscal
>>> responsibility.  I am very interested in hearing your thoughts and feedback
>>> on it.  Thanks.
>>> ~josh
>>> _______________________________________________
>>> Governance mailing listGovernance at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/governance
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundationhttps://www.owasp.org
>>> Join me at AppSecUSA 2015!
>>> _______________________________________________
>>> Governance mailing list
>>> Governance at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/governance
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Governance mailing list
> Governance at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/governance
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150828/792ad9ce/attachment-0001.html>

More information about the Owasp-board mailing list