[ARIN-consult] Consultation on Approaches for Adjusting the ARIN Registration Services Plan Fee Schedule

[John Curran]

> On Apr 6, 2024, at 10:49 AM, Andrew Dul <andrew.dul at quark.net> wrote:
> 
> While this consultation is specifically for fee increases, we also in some ways should consider how the services Arin should or shouldn’t provide should factor into this discussion. Specifically are there services that Arin today is providing that perhaps it shouldn’t in the future or areas of expenses that should be cut or trimmed.

Indeed - we definitely do consider whether there are any services that can be retired in our planning processes and that has led to deprecation of services where possible.  (For example, this year will finally be the one that we retire template processing 
but that hasn’t been an expense concern so much as a tech debt/maintenance/security driven item.)

> Arin as an organization has grown significantly over the past two plus decades and while most of that is desired and maybe even required to meet Arin’s mission. I believe there are probably some areas where Arin could be more efficient with its spending and also some areas that perhaps could be cut.

Great question.   We have added or significant upgraded many services based on community requests (IRR -> authenticated IRR, RPKI services, Qualified Facilitator program), and that does impact 
our cost base.  In addition, there’s quite a bit of difference in the cost model between “doing a job, doing a good job, 
and doing a provably good job” (even when describing the very same service.)

ARIN has been doing quite a bit of work in the recent years working on having demonstrably good operations 
and governance – for example, when the community asked to undertake more robust security auditing, 
it was not driven by any material gap or incident, but rather driven by the desire to be able to provide 
better reassurance of our security posture. This has led to us bringing on a CISO and having dedicated 
security personal, doing updates to our internal documentation, and ultimately the achieving of both 
PCI and SOC 2 certifications. Even now, we are continuing to strengthen our posture via holding security exercises – as it is the only way to test how the organization might really fare in a major cybersecurity incident.  None of this substantially changes the services that ARIN offers, but does impact our cost model. 

Note that it’s not just technical areas that we’ve ended up incurring costs as we have matured our practices;
for example, our engagement in good governance of the organization has meant a more traditional committee 
structure, additional support staff, training costs for bringing on new trustees, attention to best practices for non-for-profit 
governance, formal risk management process, etc.  Even improvements with more professional execution of existing functions – such as ARIN now having an 
Ombudsperson at our meetings (in order to be able to provide impartial conflict resolution and informal 
assistance to our community and maintain a healthy and inclusive conference environment) – end up 
adding to the cost base for the organization.

While not elected, I am an ARIN Trustee – and I can say that one of the hardest aspects of the role is 
weighing the very real cost tradeoffs between "organizational leanness/efficiency” versus the adoption 
of best practices that improve our readiness, our professionalism, and our resilience. (and I am _very_ thankful for having great trustees elected by the community to help in considering such matters.) 

I would welcome any/all input into either activities that ARIN should not be doing, and/or things we could
be doing more efficiently – please provide such to me (or any trustee) and know that it will be seriously
considered.

> To the specific question at hand. I’m not specifically opposed to a yearly standard increase but it does in someways remove an incentive to try and meet Arin’s mission within the funds provided by the membership under a not constantly growing revenue stream. 
> 
> I think the board should enforce some disciple on itself to not just increase fees because that is easier than trimming some expenses. 
> 
> For example, the board might ask the staff each year to provide an expense budget that provides for zero annual fee increase in addition to a budget that has a “cpi” increase.

As noted earlier, we do build a zero-based budget up each year based the coming year’s activity plan;
 this generally comes up slightly ahead of the previous year since: a) the activities required are always a superset of the prior year, and b) even if activity level were to be unchanged, the underlying costs of both in-house staff and contracted services increase.  It would not be difficult to build a budget that was flat year of year, but doing so would require some very clear direction as activities to be cut and activities to be delivered under a more "lean
“ approach. 

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers