Risk Register

From Wikimedia UK

At the 17 November 2012 WMUK Board meeting this policy and paper were agreed, and the Board delegated staff to assess our risks, create a strategy to deal with them and report back to the next Board meeting.


  • We formulated a general statement about risk culture.
  • Agreed a format for staff and Board to oversee and manage risks.
  • Agreed that a set of risks is identified and put through the impact/likelihood formula to become the risks that are monitored/managed.
  • Agreed a frequency of CEO and Board oversight of risks.

Explanation of terms

Ways of looking at risk

The typology of risks aims to keep a focus on the big picture and to classify them in such a way as to seek to cover all major types of risks. This framework distinguishes between the sources of risk (risk from) and the impact of risk (risk to). Risk sources and impacts are of course interconnected – for example poor quality services can damage the charity financially and/or reputationally, while reputational impact can affect support for the organisation.


The proposed framework used the following categories of risk sources:

  • Leadership (Strategic) risks: Risks arising from weak governance and leadership (Board and CEO), including poor strategy and planning. This category of risk includes missed opportunities and failures to anticipate changes in the environment of WMUK and Wikipedia – external risks.
  • Operational: risks of systems, policies, communications or projects failing, or services/events/publications/campaigns being judged as of poor quality. Individually these are of lesser significance and would be dealt with through the management of staff and teams; but on a larger scale these may impact on WMUK as a whole. Includes sub-category ‘business continuity’.
  • Support: risks arising from declining support from key constituencies such as members, community, media, partners, decision-makers and the general public.
  • Financial: unsuccessful fund-raising or poor returns/losses on reserves and invested money; also budgetary failures e.g. spending well over budget.
  • Regulatory: failure to meet regulatory requirements, e.g. risks of losing at employment tribunal, charity commission investigations.
  • People: failure to maximise staff performance or minimise poor performance; loss of capacity or organisational memory due to high turnover of staff; failure to maintain adequate volunteer contribution.

The proposed framework uses the following hierarchy of risk impacts. The risks facing WMUK are in many respects common to all UK charities and all organisations – risks to its existence, performance, reputation, income and activities.

  • Identity and Existence – threats to the continued existence of the charity, or the Chapter or of its membership of the WM global community (?)
  • Reputation – threats to WMUK’s reputation, integrity and influence; and to its support
  • Performance – threats to WMUK’s ability to achieve its mission and major objectives
  • Income – threats to fundraising and other income
  • Project – threats to current or future activities

The risk management process has three aspects:

  1. Risk assessment: identify all the factors, events and situations that could present a risk to the organisation
  2. Risk analysis: sort, score and rank risks and their impacts as the basis for making decisions about how to handle them
  3. Risk management: develop strategies and methods to avert or minimise risk, principally:
    • Preventing negative change
    • Mitigating impact of negative change
    • Control e.g. of internal functions
    • Planning for change

Explanations of sections in the paper

Underlying approach to risk: WMUK ‘Risk Appetite’

Prior to setting out and assessing the major risks, the WMUK’s board considered its approach to the main categories of risk impact. How willing is WMUK to countenance the threats that might arise, and therefore how will it determine its approach to mitigating and controlling them?

Discussions around the WMUK approach to risk and some measure of agreement on the general statement form a key part of WMUK’s ‘strategic planning’. The general statements help underpin the Risk Strategy, and enable staff to understand/influence the way the Board is thinking.

Risk assessment and analysis

Given the framework set out in the main paper, the Board agreed WMUK’s assessment and analysis of significant risks. Some risks lend themselves to the risk register approach and traffic-light style reporting via the CEO, but those risks that potentially arise at Board level, concerning its leadership and strategy function, need slightly different treatment.

  • The analysis and actions were agreed by the Board.

Prototype Risk Register

The third section shows how the risk report will look each quarter, with the top five risks, or more if the CEO feels it necessary, being reported to the Board. Risk issues that score only ‘low’ in the analysis will continue to be managed, but there is no need to report on them quarterly unless things change significantly. Those issues are listed in the bottom section of the risk report just to enable them to be tracked.

Risk management framework

General statement on risk culture

The SORP 2005 puts the reporting of risk management firmly on the agenda of all auditable charities, and the Charity Commission also strongly recommends it.

The Wikimedia movement is based on high risk very effectively managed – that is: the libel/slander risks of open creation of Wikipedia have been put securely at safe distance away from the Foundation and its chapters, through effective risk management.

Underlying approach to risk: WMUK ‘Risk Appetite’

Like any organisation WMUK has to countenance volatility and uncertainty. It will not accept - and will take all possible steps to reduce - impact on its existence and identity, and its reputation. It is strategically ambitious and is prepared therefore for some variation in its performance in achieving its strategic objectives. WMUK accepts that income and operational activities will always have a medium/high degree of uncertainty.

Willingness to accept risk/volatility, scored per item on a scale of 1 (Low) to 5 (High):

  • Identity & Existence
  • Strategic Performance
  • Project – Operational performance

Comments relating to WMUK’s risk appetite.

  • Threats to WMUK’s identity and existence have become a reality in recent months, and are sharper than for most charities, owing to its dual identity as a UK charity and as part of internationally recognised websites – how much risk can it countenance to its future as a WM ‘Chapter’ or as a significant member of the global community? Being a relatively new charity means that turbulence is inevitable in the process of becoming established as a well-run charity. Actions to show best practice, such as working through PQASSO, have managed some of those risks well.
  • Reputation – operating very transparently in a very interactive community will mean that reputational issues are always alive. WMUK’s reputation is essential to its success and is the subject of much effort by staff and Board to grow it and defend it. Key audiences: Foundation, community, media, partners, public.
  • Strategic Performance – in spite of current focus on identity and existence issues, the 2013 programme plan and budget have been approved. WMUK’s strategy is likely to become more ambitious over the coming years, which may involve greater risk – for a greater potential prize.
  • WMUK Board is moderately risk averse on income, but could in fact be more ambitious and successful. Risk aversion on income can constrain strategic performance. Income uncertainty is the natural state, and many charities build their confidence over time by making progressive increases. WMUK needs to concentrate on its fundraising strengths rather than spread itself too thinly to little effect.
  • Board risk aversion on Project performance is shown in the detailed control it requires. Accepting that project success and failure can be delegated effectively down the line of management will free the Board and staff.

The quarterly reporting system linked to KPIs will assist this. Items that need Board approval need to have a clear decision system with timely deadlines.

How WMUK will manage risk: roles, responsibility and accountability

WMUK Trustees set the climate regarding risk and establish policies and procedures for identifying and managing risks in all aspects of the organisation. Each year they review the risks facing the organisation and approve priorities for the risk register.

Oversight of risk management will remain a board responsibility. Some leadership and strategic risks will be assessed and managed directly by the Board annually as part of the progress review, strategic planning process or Board performance self-review.

Risks that are delegated by the Board to the CEO will be reported to the Board by the CEO, in the agreed risk register format, at three-month intervals. The risk register will monitor risk management actions and changes to the probability of all ‘medium’ or ‘high’ risks. Risks assessed as ‘low’ will continue to be managed by the CEO and staff but will not be reported quarterly unless there is a change to their status. The CEO will carry out all related Board policies and procedures and draw attention to changes in the (external) strategic risk environment as part of his quarterly report. The top five risks, or more depending on the judgement of the CEO, will be reported to the Board.

Annually the CEO will prepare a report to the Board to update the assessment and analysis of the risks facing WMUK. The CEO will be held accountable through their annual appraisal for their delivery of effective risk management.

Operational risks will largely be delegated via the CEO to staff, who will be held accountable through their quarterly and annual plans, supervision and appraisal. The top five significant operational risks, or more if the CEO judges it necessary, will routinely come to the Board via the risk register and quarterly programme reports. Any significant operational risk issues that arise will be passed up the line of management, and to the Board where necessary, and highlighted in quarterly progress reports.

Assessing and analysing the risks

In the risk assessment that follows, current judgements on probability and impact are shown clearly. The following matrix shows how the risk register will correlate impact and probability. Those risks that fall in the low score parts of the matrix will not be covered by the risk register, though they will continue to be managed, and brought to the Board’s attention if their rating increases to medium or high.

Impact against likelihood scoring

Impact    Low probability   Medium probability   High probability
High      Low score         Medium score         High score
Medium    Low score         Low score            Medium score
Low       Low score         Low score            Low score

Risks with a high or medium score are to be monitored quarterly, with the top five, or more should the CEO deem it necessary, being reported to the Board.

Risk assessment and analysis

Major Risk source 1: leadership and strategy

Lack of clear strategy, or the wrong strategy, or the failure to identify opportunities and take advantage

Current analysis
The strategy of establishing WMUK with growth within the capacity of a small staff team is modest but probably right; now that the Plan and budget for 2013 have been agreed, there is low probability, but the impact would be high on Performance and Reputation over the medium to long term. This low risk score means this risk will not be included in the risk register.
Preventive and mitigation action
Plan for strong strategic planning process late in 2013 ready for 2014-15, with adequate time allocated, CEO and staff involved, good environmental analysis – plus some outside stakeholder/partner perspectives. More ambitious plans for 2014-2018 through 5 year plan.
Control and planning action
Quarterly reports from CEO linked to progress towards strategic objectives; quarterly, CEO to report on change or no change in risks from the external environment.
Delegate more, up to a higher value threshold, with appropriate reporting back (as in the Compass report) unless failure or success threatens WMUK reputation, performance etc.; system of committees established to share decision making.
Consult the community on forward planning and create a five year plan.

Governance and leadership is ineffective

Current Analysis
The Compass review has identified areas of strength and weakness that need addressing. As of January 2013, high probability of medium-high impact on Identity and Reputation in the short to medium term, and action urgently needed to address the Compass recommendations.
Preventive Action
The Compass Review provides proposals to prevent this pressure affecting the work of WMUK. Board will need to respond positively to recommendations. This will in the short term bring heavy work-load for Board and there may be a need to bring in more capacity. (See Risk 3 below)
Mitigation action
WMUK Board and staff to keep communicating positive elements of WMUK’s work and strengthening links with Foundation and other partners
Control action
Ensure all meetings extremely well run, with excellent papers, agendas, minutes, decisions
Planning action
Plan for annual self-review of Board performance, and periodic independent assessment. In particular, development of the functions of an Audit Committee and a Governance Committee.

Board capacity is insufficient for short term governance challenges

Current analysis
Following on directly from the above risk, the recommendations of the Compass Report will make serious demands on Board members’ time and on Board meetings over the coming months – to make key decisions, establish new policies and procedures, and rebuild WMUK confidence. There are current vacancies, pressure on individual trustees’ time and tensions in Board meetings. High probability and medium/high impact on identity/existence and performance.
Preventive and mitigation action
Fill vacancies urgently
Mitigation action
Delegate effectively to the CEO and staff and release Board time to concentrate Board agenda on strategic issues.
Control Action
Prioritise Board agenda very firmly, end meetings on time.
Planning Action
Amend Board size, and add new routes onto the Board as per the Compass Report. Focus agenda on most important high-level decision making.

Current environment risks

Current analysis
Foundation and WMUK have reflected on the risk of public loss of interest or confidence in Wikipedia – for example via emergence of alternative technologies, competitors. Staff rate this as currently Medium probability, with high impact – some preventive action already in hand. Longer term, the probability is likely to rise. Action is not urgent but needs an on-going and strategic approach.
Preventive Action
Outreach and partnership work to improve the quality of Wikipedia and other WM projects; also, tailor programme of activities to maintain confidence and usage. See also 6.2
Mitigation action
Build programme of activities to address these issues.
Control Action
Monitor efficacy against these aims with clear measurement and KPIs.

Planning action
Use staff and programme planning tools to ensure issues are being addressed.

Disagreements between Wikimedia UK and the Wikimedia Foundation (and international movement)

Current analysis
In some ways this is an extension of Strategic risk 2 above, and many actions are similar. A previous paper identified a situation where ‘The WMF takes actions which WMUK opposes’ & ‘WMUK takes actions which WMF opposes’. There remains a low probability of not fully resolving the dispute, but the impact would be high on the identity and existence of WMUK. Actions suggested have included:
Preventive Action
Board members to build relationships with Foundation Board and other Chapters and encourage all WMUK’s members to participate in WMFs consultations. WMUK staff to maintain good relations with WMF staff.
Mitigation action
Develop WMUK's reputation for good day-to-day management and address the issues raised in the governance report.
Planning Action
Develop programme of re-building confidence and carry out actions e.g. arising from Compass review. Consult with our partners before decisions are made, if practical. Encourage exchanges and other communications between staff and board members.

Major Risk Source 2: operational risks

Business capacity: inadequate to achieve our mission/goals (business continuity)

Current Analysis
Running out of office space would be high impact but current arrangements are flexible enough to make this a very low probability.
IT capacity risks: staff believe these are low probability, but they would have high impact on performance, reputation and operations. Actions already in hand include:
  • Provision of professional IT contractor support has mitigated many of the IT and security risks.
  • Provision of welcoming space for volunteers needs to be enhanced.

Systems or policies risks: an excess of detailed, defensive policies

Current analysis
Risk of developing too many detailed and defensive policies as issues arise and the Board pursues a risk averse micro-management agenda. Medium probability of medium impact on performance and project activities, e.g. by damping down staff initiative.
Preventive action
Avoid resolving every concern with policy legislation; delegate effectively to the CEO and staff, holding them to account for performance and business decisions.
Control action
Annual review of policies to identify duplication and redundancy.

Conflict of interest problems recur

Current Analysis
Medium probability, high risk. CoI issues have been taken very seriously by WMUK and extensive work done to create gold standard policies. There is a danger that fear of CoI’s can lead to inertia.
Preventative action
Use the procedures consistently. Make sure everyone in the community understands them.
Mitigation action
Ensure all staff and trustee induction explains the CoI issues thoroughly.
Control action
Policies applied sensibly and consistently. Formal agreements help minimise risks.

Project risks - scandal related to sensitive content or other issue on Wikimedia projects or WMUK sites

Current analysis
This has happened in the last 12 months. Probability medium, impact high to reputation – though greater impact if the number of scandals rises in one time period.
Preventive Action
Support and monitor editors.
Mitigation action
Training of staff and trustees in media interview techniques and work with public relations volunteers to make sure our response is reliable and available.

Major Risk Source 3: we have insufficient support to achieve our mission and strategy

Community fracture

The UK community fractures or atrophies with disagreements between its members and constituent parts. Probability medium, impact medium.
Preventive Action
Develop membership involvement and participation.
Widening participation especially within under-represented groups.
Mitigation Action
Offer feedback to comments from community in a timely and honest fashion.
Control action
Continue open and transparent systems to allow open debate whilst encouraging a presumption of good faith.

Hostile or apathetic media

Media receptivity or support insufficient to achieve mission/strategy – risk is medium probability, high impact on reputation. For example inaccurate Telegraph articles. Media love Jimmy Wales and Wikipedia though; high impact because credibility is crucial.
Be pro-active in making relationships with top 20 relevant journalists. Ensure consistent messages come from staff and board.
Mitigation action
Have responsive communications strategy, offer training to community members. Explain quickly to membership when things happen.
Planning action
Annual communications plan to complement comms strategy.

External opinion formers

Decision-makers' receptivity or support insufficient to achieve mission – support and awareness are building slowly, and it's right to be cautious – low probability but medium impact, as major political decisions are not crucial in the short term.
Build relationships with sympathetic organisations.

External supportive organisations

Partners’ receptivity or support insufficient to achieve mission – WMUK lacks the capacity to develop outstanding partnerships, so medium probability that some will end badly, but low/medium impact. Board members setting up events with partners without involvement of staff will increase the probability of breakdown in relationships.
Preventive action
Proceed cautiously; ensure good communication between Board and staff.
Planning Action
Invest in capacity for partnership work.
Ensure a clear system of central referral to avoid duplication or inappropriate relationships.

Major Risk Source 4: financial risks

Poor financial performance or control presents risks to WMUK’s reputation and to its achievement of its plans for the future

Funding income risks: the WMF funding arrangements for Chapters changes

Current analysis
This has happened once and, although it now seems settled, it must be viewed in risk terms as both high impact and medium probability. However, the impact has been cushioned by mitigation action already taken to maintain a reserve fund, so WMUK has time to downsize to a size appropriate to its new resource base after this change. WMUK needs to work to develop its own direct fundraising.
Preventive action
Maintain positive relations with Foundation and wider community.

Ensure WMUK governance conforms to highest standards.

Control action
Maintain all best practice
Planning action
Follow good governance advice. Maintain current management and financial systems.

Economic downturn reduces flow of support from individuals

(high impact, low probability)

Fundraising Manager reports no significant decline in support
Develop diverse income sources.

Fundraising risk: Poor donor stewardship

Probability medium, impact medium

WMUK is still losing some potential income; it needs to steward donors, which over the long term could make a big difference.
Preventive actions
Fundraising Manager to plan how staff and volunteer resources will manage queries. Fundraising Manager to organise refreshed templates for thanking donors and trial bulk mailings. Fundraising Manager to schedule communications so that they are timely and relevant, to avoid 'spamming' audiences.

Financial control risk: weak financial reporting reduces confidence in WMUK and impacts on income

Current analysis
Staff report difficulty in securing funders' confidence to raise money because financial reporting is weak. In the past accounts have not been produced on time, but current systems are now working well. Therefore low probability, medium impact.
Control Action
Create and adhere to good practice financial systems and protocols. Regular financial reporting to Board. Sign off accounts and get them audited on time.
Preventive Action
Build contingency planning into the budget. Create reserves to ensure at least one year of continuing activities. Build capacity of a Finance Sub-Committee.

Financial Control risk: WMUK is subject to fraudulent activity

Current analysis
Control systems are working well, so low probability but high impact.
Preventive Action
Maintain exemplary financial systems and ensure they are adhered to through regular monitoring and professional external audit.
Control Action
Have regular external overview of our activities and practices – e.g. via auditor.

Major Risk Source 5: regulatory risks

Data protection issues

Current analysis
Loss or theft of data. Most of the necessary tasks done but probability still medium and needs to go lower – potential impact high to an organisation such as WMUK, its reputation especially.
Preventative Actions
Have valid data protection insurance (complete). Have valid and sufficient SSL certification in place (complete). Fundraising Manager to have oversight of who has access to which areas of managing the fundraiser, and to ensure appropriate agreements are signed and access is in line with Caldicott principles.
Planning action
Complete audit and further plans for Data Protection.
Control action
Formulate and use appropriate policies.

Data Protection Act issues

Current analysis
Fundraising Manager works with CEO to manage responses to any Subject Access Requests to ensure compliance. Probability medium and impact medium on WMUK's reputation.
Preventive Actions
Fundraising Manager to draw up a process for responding to Subject Access Requests. Fundraising Manager to seek to pre-empt requests by timely sharing of anonymised data and results through the public wiki, whenever appropriate and in a planned fashion.
Planning and control actions
Incorporate into ongoing security review.

Non-compliance with charity or company law

Conflict of interest: see 2.3.

Employment law compliance

Current Analysis
Recent report from external HR agency reported that our procedures were up to date and of good quality. Low risk, low probability.
Mitigation and control
We have minimised issues around staff by building sound HR strategies.
Control Action
Ensure policies adhered to.

False membership applications

Current Analysis
No evidence that applications are being made using false name or address data. If they were successfully made in sufficient numbers, there is a possibility of disrupting the democratic process of PLC business. Low risk, low probability.
Mitigation and control
Control: Board to apply Article of Association 4.4 (Termination of Membership) if a membership is discovered to have been accepted under false pretences, and Article of Association 2.3(a) (Members) if an application is made under false pretences. Mitigation: charity to focus on increasing the size and engagement of the membership base to remove the effectiveness of disruption of this kind.
Control Action
Application of existing articles of association and pursue agreed goals to expand membership.

Major risk source 6: people risks

Inadequate volunteer base

For example, low numbers and lack of diversity of volunteers

Current analysis
WMUK is aware of the problem and addressing it through the programme. Probability medium, impact high on engagement with sectors and capacity to generate projects and edit WP.
Build programmes to focus on developing, supporting and retaining the volunteer base. Monitor the impact of programmes and activities on the volunteer base. Ensure all voices are heard, not just the loudest.
Preventive Action
Target hitherto under-represented groups.
Have more chances for community to meet in person.
Control Action
Monitor trends in volunteer numbers & profiles every quarter.

Collapsing editor base

Current analysis
This has been on the WMUK radar for some time and is in the 2013 Activity Plan. Probability medium, impact high on reputation and projects, though we can only make a contribution.
Planning Action
Build a significant amount of the activity plan around this issue; e.g. the 2013 Activity Plan contains work strands on editor retention and development.

Preventive action
Train the Trainers courses will build new capacity for example.
Monitor community activity and measure.
Control Action
Monitor active editor numbers/trends quarterly.

Poor staff performance

Current analysis
Although the team is relatively new, each appointment is crucial in a small team.
Current risk levels are low probability, medium risk to performance, reputation and income.
Prevention action
Good support and performance management.
Management planning systems used consistently.
Planning action
Ensure roles can develop as staff show leadership and success.
Control action
CEO to raise any significant risks as they arise.

High/unplanned turnover of staff

Current analysis
In a small team, if one person moves on it can leave a gap in terms of expertise and capacity – particularly for key roles such as CEO. High turnover could hold WMUK back significantly. Currently staff are committed, but until governance and leadership are clearer the risk probability is medium, with high impact on performance, reputation, income and activities.
Prevention action
Good people management and a good approach to reward, motivation and scope for job growth; good communication between Board and staff. Giving staff a feeling of responsibility and empowerment.
Avoid bunker mentality.
Planning action
Succession planning for CEO – possibly for other posts. Job ghosting within the team.
Creating a culture of thanks.

Risk register

Risk register for quarterly monitoring

(Those risks scoring low have been included on the lower half of the grid below.)

Risk (Prob; Impact; Score), followed by Response
1.1 Lack of strategy, poor strategy, or failure to take opportunities (Prob: Low; Impact: High; Score: Low)
  • Quarterly reports from CEO on objectives
  • Consult community on creating five year plan
1.2 Ineffective governance and leadership (Prob: High; Impact: Medium-high; Score: Medium-high)
  • Respond to Compass review
  • Communicate positives
  • Manage meetings well
  • Review Board performance
1.3 Board capacity insufficient for short term challenges (Prob: High; Impact: Medium-high; Score: Medium-high)
  • Fill vacancies urgently
  • Delegate effectively to the CEO and staff
  • Amend Board size
  • Manage Board agenda and meetings
1.4 Environment risk – loss of Wikipedia status (Prob: Medium; Impact: High; Score: Medium)
  • Long term action by world community
1.5 Division or disharmony between WMUK & WMF (Prob: Medium; Impact: High; Score: Medium)
  • Respond to Compass review
  • Develop independent fund-raising
  • Build links with Foundation and other chapters
2.2 Excess of detailed, defensive policies (Prob: Medium; Impact: Medium; Score: Low)
  • Falls outside risk register
2.3 Conflict of Interest issues (Prob: Medium; Impact: High; Score: Medium)
  • Follow procedures and understand them.
3.1 Fractured UK Community (Prob: Medium; Impact: Medium; Score: Low)
  • Increase membership meetings
  • Timely, honest feedback to community comments
  • Monitor temperature as an additional traffic light?
4.1 Restrictions to fund-raising via Foundation (Prob: High; Impact: High; Score: High)
  • Reserve fund to soften future impact
  • Rebuild fences with Foundation
  • Maintain good governance
  • Diversify funding base
4.2 Threats to individual funding (Prob: Low; Impact: High; Score: Low)
  • Falls outside register
4.3 Poor donor stewardship (Prob: Medium; Impact: Medium; Score: Low)
  • Falls outside register
4.4 Inadequate fund-raising strategy/delegation (Prob: High; Impact: Medium-high; Score: Medium-high)
  • Ambitious and varied strategy
  • Increase autonomy of FR manager
  • Monitor income and sources
4.5 Financial control, weak monitoring and evaluation (Prob: Low; Impact: High; Score: Low)
  • Develop framework and systems
  • Monitor available results
5.1 Data Protection (Prob: Medium; Impact: High; Score: Medium)
  • FR manager oversight of access
  • Plan DP audit
5.3 Charity Compliance: Conflict of interest policy and practice weak (or perceived to be weak) (Prob: High; Impact: High; Score: High)
  • Respond to Compass review
  • Convince others
6.1 Inadequate volunteer workforce (Prob: Medium; Impact: High; Score: Medium)
  • Planned development of volunteer base
  • Target under-represented groups
  • Monitor trends in numbers and profile
6.2 Collapsing editor base (Prob: Medium; Impact: High; Score: Medium)
  • Plan editor retention & development
  • Run train the trainers to build capacity
  • Monitor active editor numbers/trends
6.4 High/unplanned turnover of staff (Prob: Medium; Impact: High; Score: Medium)
  • Develop good reward, motivation framework
  • Succession planning for CEO and other posts

Risk (Prob; Impact; Score), followed by Response
2.1 Inadequate office capacity (Prob: Low; Impact: High; Score: Low)
  • Falls outside register
2.1 Inadequate IT capacity (Prob: Low; Impact: High; Score: Low)
  • Falls outside register
2.5 Scandal on sites (Prob: Medium; Impact: High; Score: Medium)
  • Falls outside register
3.2 Negative media (Prob: Medium; Impact: High; Score: Medium)
  • Falls outside register
3.3 Negative decision-makers (Prob: Low; Impact: Medium; Score: Low)
  • Falls outside register
3.4 Negative partners (Prob: Medium; Impact: Medium-low; Score: Low)
  • Falls outside register
4.7 Inadequate funds in year (Prob: Low; Impact: High; Score: Low)
  • Falls outside register
4.8 External & internal fraud (Prob: Low; Impact: High; Score: Low)
  • Falls outside register
5.2 Non-compliant FoI (Prob: Medium; Impact: Medium; Score: Low)
  • Falls outside register
5.4 Employment Law compliance (Prob: Low; Impact: Low; Score: Low)
  • Falls outside register
5.5 False membership application (Prob: Low; Impact: Medium; Score: Low)
  • Falls outside register
6.3 Poor staff performance (Prob: Low; Impact: Medium; Score: Low)
  • Falls outside register