Talk:Risk Register
Managing risk
This is a document that has emerged from a slow gestation. The board is keen for the community to have access to our risk register and statements. It will be reviewed by staff quarterly with a report to the board on the top five risks, or more should I consider there to be more.
It fits alongside the annual programme and work plan which is also going to be reported quarterly.
Any comments that will help this process welcome. Jon Davies WMUK (talk) 09:35, 19 February 2013 (UTC)
- Can you clarify, is this a proposal from the staff to the board, or is this the final approved policy? The introduction only mentioned the board's request for the staff to prepare a first draft, it doesn't mention the board discussing it. It was in your report for the recent board meeting, but doesn't seem to have been on the agenda (the minutes aren't up yet). --Tango (talk) 12:50, 19 February 2013 (UTC)
- It is a long document and it is possible that I did not fully update it to reflect the board decision - can you point to where this is please if you remember - many thanks in advance. Jon Davies (WMUK) (talk) 14:21, 19 February 2013 (UTC)
- I just meant the introduction. It talks about the board requesting it and the staff preparing it, but then the story abruptly finishes. It just needs another sentence saying the board discussed it at their meeting on whatever date it was, amended it as they saw fit and then adopted it as formal policy. I have no idea if the changes they agreed to make were made, since I wasn't at the meeting. --Tango (talk) 17:31, 19 February 2013 (UTC)
- Will do - we missed you - where were you? Jon Davies (WMUK) (talk) 17:50, 19 February 2013 (UTC)
- I was doing coursework, unfortunately... The bit you've changed was right the first time! You're getting confused between the November 2012 meeting, where the board asked the staff to prepare something, and the February 2013 meeting where the board approved what the staff had prepared. --Tango (talk) 18:58, 19 February 2013 (UTC)
- Again, myself and a volunteer went through it but if there are places that it is not updated please let me know. Thanks Jon Davies (WMUK) (talk) 14:21, 19 February 2013 (UTC)
- Hi Tom, I would like to see slightly more precision here that will align with the board minutes when you see them published. The board did vote on the 9th February with respect to the Risk Register, however the draft minutes tell me that the board of trustees did not just agree, we actually voted on a more complex statement than just approving this Register, and during the vote 3 trustees supported the statement, 1 voted against and 1 abstained. I'm afraid I cannot advise you as to when the draft minutes will be moved from the office wiki to a public view. Thanks --Fæ (talk) 18:43, 19 February 2013 (UTC)
Visualisation
I have often found that a 5 x 5 grid, with red to show high values and green to show low values is helpful. This does appear in the document, but perhaps should be applied to tables such as "RISKS TO BE MONITORED QUARTERLY" Gordo (talk) 09:47, 19 February 2013 (UTC)
- I agree. This has been prepared using a grid approach, so it might as well be presented that way. I would also suggest expanding the current 3x3 grid to a 5x5 grid when this is reviewed next year - that allows for a little more subtlety. Having all low probability events in lowest category regardless of potential impact is obviously not ideal - if "low" means "once in a century", then that may be fine, but when you only have three categories of probability "low" must mean quite a bit more likely than that (see my comments on quantification below). --Tango (talk) 13:00, 19 February 2013 (UTC)
- I LOVE grids and use them on the original document. Thanks to Rexx the document is as lovely as it is. At annual revision will share the original document all being well. Jon Davies (WMUK) (talk) 14:23, 19 February 2013 (UTC)
Quantification
I haven't had time to read through all the individual risks, but the general structure and approach looks good. My suggestion for when this is reviewed in a year's time is that you try and incorporate more quantification in terms of impact, probability and time horizons (more emphasis on time horizons is needed too - they are mentioned, but only in passing). Quantifying things can be very difficult (especially when your goals aren't profit based - most of your risks can't be quantified simply in money terms like they can for a for-profit business) so I don't think you should delay implementing this policy for it, but it will need to be introduced over time as you get used to thinking about risks and start taking more sophisticated approaches towards them. --Tango (talk) 12:55, 19 February 2013 (UTC)
FOI
I'm aware that we are subject to the Data Protection Act and therefore might receive Subject Access requests, but does the Freedom of Information Act actually cover charities like us or are we voluntarily being this open? WereSpielChequers (talk) 18:52, 19 February 2013 (UTC)
- It fits our Values to be this open. The FOI does not apply as we are not a public authority, I have made this point in the past by email, but it has not been picked up to change this document, I suggest it is to avoid any confusion. Thanks --Fæ (talk) 18:56, 19 February 2013 (UTC)
- I'm very happy that we have opted in to the Freedom of Information Act, but yes it would make sense to say that this was our choice. WereSpielChequers (talk) 19:08, 19 February 2013 (UTC)
Hi All - yes, quite right, we're not subject to FOI as a charity per se (for those of you with time to spare, the act lists the organisations by name and type it does apply to: http://www.legislation.gov.uk/ukpga/2000/36/schedule/1). However, it's worth noting that through partnership work with local and parish councils, schools, or statutorily funded bodies/institutions this would apply to documentation regarding, for example, negotiations around WiRs, discussions about project work, funding agreements (whether them donating to us, or us granting to them) etc etc. So, as WSC says, it's a good thing we're happy to uphold the same principles to the same standards as a matter of course :-) Katherine Bavage (WMUK) (talk) 12:08, 21 February 2013 (UTC)
Incidents at Events
We hold a number of events each year, some public, some invitation only, some limited to people who sign up and some open to all. Some of the attendees have been legally minors, some of our critics and at least one banned editor have attended events or signed up to attend them. Wikipedia gets a steady stream of controversial editors and the UK probably has its fair share of the millions of editors who have been blocked or had their work deleted. So I suggest that one risk which should be on the list is the risk of an incident occurring at one of our events. WereSpielChequers (talk) 18:52, 19 February 2013 (UTC)
- We've got a banned editor who keeps turning up to board meetings! ;) --Tango (talk) 19:01, 19 February 2013 (UTC)
- Come on Tango please can we differentiate between people's roles - some may think this a joke but it isn't really. The person concerned puts a lot of time into Chapter work and that should be appreciated. Jon Davies (WMUK) (talk) 14:58, 22 February 2013 (UTC)
- How about you concentrate on the serious deficiencies in this document that have been pointed out further down the page and stop worrying about a throwaway comment that very clearly does not suggest that Fae's work is not appreciated? My comment was a light-hearted way of pointing out that "banned users" is not a particularly useful differentiator. --Tango (talk) 15:14, 22 February 2013 (UTC)
- Oh I wasn't thinking of that case, I was thinking of people whose bans were justified. WereSpielChequers (talk) 19:23, 19 February 2013 (UTC)
- Risk at events is something that is a day-to-day operational activity. We do need, however, to develop a more consistent risk assessment system and this has been under discussion. They need to be proportionate and shared so that we do not keep re-inventing wheels. We made sure we had public liability insurance as soon as I started but obviously we need to show that we take our responsibilities seriously. With new staff starting and a gear change in our programme we need to formalise this process and I know it is in Daria's agenda. As to banned editors - very much a matter for the community to take a view on. Jon Davies (WMUK) (talk) 12:05, 21 February 2013 (UTC)
Different versions?
This page seems to be different from that presented at the board meeting. In particular, the factual corrections I made to the introduction seem to have been lost. Please could the differences be reconciled here? Thanks. Mike Peel (talk) 19:11, 19 February 2013 (UTC)
Office
We have an office, therefore we are at risk of burglary, fire etc there (though hopefully we have insurance). I'm assuming that we got a pretty good deal because the place is full of charities and not for profits. So we presumably have a risk that any subsidy we get might end if the landlord decides to be more commercial or to cease supporting our sort of charity. We can mitigate that sort of risk by agreeing long lease terms, but that then builds in an inflexibility if the office ceases to meet our needs. We could variously outgrow it, shrink to need less space or have a board that decided to relocate outside London and found any lease a bit of a millstone; Any of those eventualities would become more expensive if we minimised our risk of rent rises by agreeing a longer lease. We also have a risk that someone incompatible with us could move in to the secure area that we have, as currently we only have part of an open plan floor and other organisations are in the same office. WereSpielChequers (talk) 19:23, 19 February 2013 (UTC)
- Thanks WSC - good points. We do have fire insurance, as does - I believe - the building. We're going to get a fireproof safe to help prevent any key data loss from fire or theft. As to the lease, our landlord is Ethical Property, who design their business model around our sort of charity, so I think the risk of them changing that is very low. We're also one of their larger tenants, so we're much-loved by them, and have already done things like offer us reduced rent. The risk of outgrowing the office is already covered in the register - the risk of shrinking or relocating is balanced by the fact that it would take some time for those things to come into effect, and they'd need consultation with staff - but they are risks. As to the area we have, we're actually in the process of having the floor redesigned... see Media:Possible_office_plan.jpg for a possible plan. In a few months, they may move us to our own space on the same floor, depending on what happens with the other tenants in the building. Richard Symonds (WMUK) (talk) 16:46, 20 February 2013 (UTC)
Risk not to be monitored quarterly
Any reason that these risks, at the bottom of the page, aren't being monitored quarterly? I'm sure there is a good reason, I was just wondering what it is. Yaris678 (talk) 17:59, 20 February 2013 (UTC)
- Because they are either low impact or low probability, therefore aren't worth monitoring quarterly. --Tango (talk) 19:59, 20 February 2013 (UTC)
- A cursory inspection of the table gives several exceptions to that statement. 'Negative media' and 'scandal on sites' are the biggest exceptions. Yaris678 (talk) 20:20, 20 February 2013 (UTC)
- Hmmm... that looks like an error to me. Those should be "medium" risks, so should be monitored quarterly according to the "Assessing and analysing the risks" section. (Those are the only two exceptions - there are a couple of medium/medium risks, but that is categorised as a low score as well, which I missed in my explanation.) --Tango (talk) 12:33, 21 February 2013 (UTC)
- Cool. I get it now. It was supposed to have been separated to fit with Risk Register#Assessing and analysing the risks, but those two have been misplaced. Shall we just move them? Yaris678 (talk) 13:18, 21 February 2013 (UTC)
- The reputation and negative publicity risks are crucial and are part of what we monitor every day and manage when they come under our WMUK remit. To be clear everything on the register is monitored and we try and establish safeguarding systems to mitigate the risks. The most pressing risks are monitored more closely and the most, most pressing risks reported to the board. Jon Davies (WMUK) (talk) 13:48, 21 February 2013 (UTC)
- Yes, we understand that, but the policy clearly says that medium and high score risks should be part of the quarterly monitoring process, so why have these two been missed out? Most of the risks will be monitored in an informal way on an ongoing basis, but that doesn't mean the more formal monitoring isn't also required. --Tango (talk) 15:32, 21 February 2013 (UTC)
- There is limited value in "monitoring" something unless there is data to monitor. One can look at the RIA inflation figures, for example, every quarter. However considering that there is little actual harm in a report that says "negative publicity this quarter, nil." and that there are people out there briefing against WMUK/WMF it would seem worthwhile to have a regular review on "negative media." The risk register (or associated documents) should also identify possible actions to avoid, reduce or eliminate risk, to mitigate, alleviate or avoid the effects, with an indication of which are and are not worth pursuing, and the reasoning. Some of this is there, but there could be more coverage. Of course, there are some areas where publishing the risk strategies in detail defeats them, so despite our open leanings we need to be careful about that too. Rich Farmbrough, 20:27, 21 February 2013 (UTC).
- Hi Rich, on this specific risk (we are drifting away from the original topic) as we have a Communications specialist in our staff, we already have an excellent process for being alerted to media stories, both positive and negative, as they happen and in our regular staff reports at board meetings. This is an easy one to publicly explain that we have an operational process that counts as our contingency plan. As for your other point that all risks "above the water margin" should have contingency plans, that's a point I have made in-camera before this was published, so as usual, great minds think alike ;-) Cheers --Fæ (talk) 20:35, 21 February 2013 (UTC)
I have just expanded the single "Prob/Impact" column into three columns. Apart from being a lot clearer than the previous presentation, this has also highlighted a number of risks that are down as being monitored quarterly but have a low score. Do these want to be moved down into "risk not to be monitored quarterly"?
Looking at it another way... we currently have risks in both parts which should be in the other part if we follow Risk Register#Assessing and analysing the risks. Does this mean that there is something missing from Risk Register#Assessing and analysing the risks?
Yaris678 (talk) 13:13, 22 February 2013 (UTC)
Comments
This document needs a copy-edit. Something we're calling a policy should be professionally written. This is all over the place with capitalisation, grammar, shorthand, sentences that sound like bullet points, and it's full of typos. It's also completely unreadable in parts. For example, what is "Fundraising Manager to have oversight of those with differing access to different areas of managing the fundraiser" trying to say? "[D]iffering access to different areas" in particular seems to be using a lot of words to say very little. I've fixed a few issues, but this really does need looking at. This website is what the outside world sees of the charity, and sloppy writing in formal documents doesn't exactly inspire confidence in the charity as a professional organisation. Harry Mitchell | Penny for your thoughts? 18:39, 21 February 2013 (UTC)