Risk Register
WMUK RISK MANAGEMENT FRAMEWORK - THIS DOCUMENT HAS SINCE BEEN REPLACED BY A MORE MODERN VERSION REPORTED QUARTERLY TO THE BOARD OF WMUK.
Introduction
At the 17 November 2012 WMUK Board meeting this policy and paper was agreed and that the Board delegate staff to assess our risks, create a strategy to deal with them and report back to the next board meeting.
Specifically:
- We formulated a general statement about risk culture.
- Agreed a format for staff and Board to oversee and manage risks.
- Agreed that a set of risks is identified and put through the impact/likelihood formula to become the risks that are monitored/managed.
- Agreed a frequency of CEO and Board oversight of risks.
Explanation of terms
Ways of looking at risk
The typology of risks aims to keep a focus on the big picture and to classify them in such a way as to seek to cover all major types of risks. This framework distinguishes between the sources of risk (risk from) and the impact of risk (risk to). Risk sources and impacts are of course interconnected – for example poor quality services can damage the charity financially and/or reputationally, while reputational impact can affect support for the organisation.
Categories
The proposed framework used the following categories of risk sources:
- Leadership (Strategic) risks: Risks arising from weak governance and leadership (Board and CEO), including poor strategy and planning. This category of risk includes missed opportunities and failures to anticipate changes in the environment of WMUK and Wikipedia – external risks.
- Operational: risks of systems, policies, communications or projects failing, or services/events/publications/campaigns being judged as of poor quality. Individually these are of lesser significance and would be dealt with through the management of staff and teams; but on a larger scale these may impact on WMUK as a whole. Includes sub-category ‘business continuity’.
- Support: risks arising from declining support from key constituencies such as members, community, media, partners decision-makers and the general public.
- Financial: unsuccessful fund-raising or poor returns/losses on reserves and invested money; also budgetary failures e.g. spending well over budget.
- Regulatory: failure to meet regulatory requirements, e.g. risks of losing at employment tribunal, charity commission investigations.
- People: failure to maximise staff performance or minimise poor performance; loss of capacity or organisational memory due to high turnover of staff; failure to maintain adequate volunteer contribution.
The proposed framework uses the following hierarchy of risk impacts: The risks facing WMUK are in many respects common to all UK charities and all organisations – risks to its existence, performance, reputation, income and activities.
- Identity and Existence – threats to the continued existence of the charity, or the Chapter or of its membership of the WM global community (?)
- Reputation – threats to WMUK’s reputation, integrity and influence; and to its support
- Performance – threats to WMUK’s ability to achieve its mission and major objectives
- Income – threats to fundraising and other income
- Project – threats to current or future activities
The risk management process has three aspects
- Risk assessment: identify all the factors, events and situations that could present a risk to the organisation
- Risk analysis: sort, score and rank risks and their impacts as the basis for making decisions about how to handle them
- Risk management: develop strategies and methods to avert or minimise risk, principally:
- Preventing negative change
- Mitigating impact of negative change
- Control e.g. of internal functions
- Planning for change
Explanations of sections in the paper
Underlying approach to risk: WMUK ‘Risk Appetite’
Prior to setting out and assessing the major risks, the WMUK’s board considered its approach to the main categories of risk impact. How willing is WMUK to countenance the threats that might arise, and therefore how will it determine its approach to mitigating and controlling them?
Discussions around the WMUK approach to risk and some measure of agreement on the general statement form a key part of WMUK’s ‘strategic planning’. The general statements help underpin the Risk Strategy, and enable staff to understand/influence the way the Board is thinking.
Risk assessment and analysis
Given the framework set out in the main paper, the Board agreed WMUK’s assessment analysis of significant risks. Some risks lend themselves to the risk register approach and traffic-light style reporting via CEO, but those risks that potentially arise at Board level concerning its leadership and strategy function need slightly different treatment.
- The analysis and actions were agreed by the Board.
Prototype Risk Register
The third section shows how the risk report will look each quarter with the top five, or more if the CEO feels necessary, being reported to the Board. Risk issues that score only ‘low’ in the analysis will continue to be managed but no need to report on them quarterly unless things change significantly. Those issues are listed in the bottom section of the risk report just to enable them to be tracked.
Risk management framework
General statement on risk culture
The SORP 2005 puts the reporting of risk management firmly on the agenda of all auditable charities, and Charity Commission also strongly recommends it.
The Wikimedia movement is based on high risk very effectively managed – that is: the libel/slander risks of open creation of Wikipedia have been put securely at safe distance away from the Foundation and its chapters, through effective risk management.
Underlying approach to risk: WMUK ‘Risk Appetite’
Like any organisation WMUK has to countenance volatility and uncertainty. It will not accept - and will take all possible steps to reduce - impact on its existence and identity, and its reputation. It is strategically ambitious and is prepared therefore for some variation in its performance in achieving its strategic objectives. WMUK accepts that income and operational activities will always have a medium/high degree of uncertainty.
| Low | Medium | High | |||
| Item | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Identity & Existence | √ | ||||
| Reputation | √ | ||||
| Strategic Performance | √ | ||||
| Income | √ | ||||
| Project – Operational performance | √ |
Comments relating to WMUK’s risk appetite.
- Threats to WMUK’s have become a reality in recent months, and are sharper than to most charities, owing to its dual identity, UK charity and Internationally recognised websites – how much risk can it countenance to its future as a WM ‘Chapter’ or as a significant member of the global community? Being a relatively new charity means that turbulence is inevitable in the process of becoming established as a well-run charity. Actions to show best practice, such as working through PQASSO, have managed some of those risks well.
- Reputation – operating very transparently in a very interactive community will mean that reputational issues are always alive. WMUK’s reputation is essential to its success and is the subject of much effort by staff and Board to grow it and defend it. Key audiences: Foundation, community, media, partners, public.
- Strategic Performance – in spite of current focus on identity and existence issues, the 2013 programme plan and budget have been approved. WMUK’s strategy is likely to become more ambitious over the coming years, which may involve greater risk – for a greater potential prize.
- WMUK Board is moderately risk averse on income, but could in fact be more ambitious and successful. Risk aversion on income can constrain strategic performance. Income uncertainty is the natural state, and many charities build their confidence over time by making progressive increases. Need to concentrate on our fundraising strengths rather than spread ourselves too thinly to little effect.
- Board risk aversion on Project performance is shown in the detailed control it requires. Accepting that project success and failure can be delegated effectively down the line of management will free the Board and staff.
The quarterly reporting system linked to KPI’s will assist this. Items that need board approval need to have a clear decision system with timely deadlines.
How WMUK will manage risk: roles, responsibility and accountability
WMUK Trustees set the climate regarding risk and establish policies and procedures for identifying and managing risks in all aspects of their organisation. Each year they review the risks facing the organisation and approve priorities for the risk register.
Oversight of risk management will remain a board responsibility. Some leadership and strategic risks will be assessed and managed directly by the Board annually as part of the progress review, strategic planning process or Board performance self-review.
Risks that are delegated by the Board to the CEO will be reported on to the Board in the agreed format risk register at 3 month intervals by the CEO. The risk register will monitor risk management actions and changes to the probability of all ‘medium’ or ‘high’ risks. Risks assessed as ‘low’ will continue to be managed by CEO and staff but will not be reported quarterly unless there is a change to their status. The CEO will carry out all related Board policies and procedures and draw attention to changes in the (external) strategic risk environment as part of his quarterly report. The top five, or more depending on the judgement of the CEO, will be reported to the board.
Annually the CEO will prepare a report to the Board to update the assessment and analysis of the risks facing WMUK. The CEO will be held accountable through their annual appraisal for their delivery of effective risk management.
Operational risks will largely be delegated via the CEO to staff and they will be held accountable through their quarterly and annual plans and supervision and appraisal. `The top five significant operational risks, or more of the CEO judges it necessary, will routinely come to the Board, via the risk register and quarterly programme reports. Any significant operational risk issues that arise will be passed up the line of management, and to the Board where necessary and highlighted in quarterly progress reports.
Assessing and analysing the risks
In the risk assessment that follows, current judgements on probability and impact are shown clearly. The following matrix shows how the risk register will correlate impact and probability. Those risks that fall in the low score parts of the matrix will not be covered by the risk register, though they will continue to be managed, and brought to the Board’s attention if their rating increases to medium or high.
| Impact | Low probability | Medium probability | High probability |
|---|---|---|---|
| High | Low score | Medium score | High score |
| Medium | Low score | Low score | Medium score |
| Low | Low score | Low score | Low score |
High and medium score to be monitored quarterly with top five, or more should the CEO deem it necessary, being reported to the board.
Risk assessment and analysis
Major Risk source 1: leadership and strategy
Lack of clear strategy, or the wrong strategy, or the failure to identify opportunities and take advantage
- Current analysis
- Strategy to establish WMUK with growth within capacity of small staff team is modest but probably right; now that the Plan and budget for 2013 has been agreed, there is low probability but impact would be high on Performance and Reputation over the medium to long term. This low risk score means this risk will not be included in risk register.
- Preventive and mitigation action
- Plan for strong strategic planning process late in 2013 ready for 2014-15, with adequate time allocated, CEO and staff involved, good environmental analysis – plus some outside stakeholder/partner perspectives. More ambitious plans for 2014-2018 through 5 year plan.
- Control and planning action
- Quarterly reports from CEO linked to progress towards strategic objectives; quarterly, CEO to report on change or no change in risks from the external environment.
- To delegate more, to higher value threshold, with appropriate reporting back (as in Compass report) unless failure or success threatens WMUK reputation, performance etc.; System of committees established to share decision making.
- Consult community on forward planning and create five year plan.
Governance and leadership is ineffective
- Current Analysis
- Compass review has identified areas of strength and weakness that need addressing. As of January 2013 High probability of medium-high impact on Identity and Reputation in the short to medium term, and action urgently needed to address Compass recommendations.
- Preventive Action
- The Compass Review provides proposals to prevent this pressure affecting the work of WMUK. Board will need to respond positively to recommendations. This will in the short term bring heavy work-load for Board and there may be a need to bring in more capacity. (See Risk 3 below)
- Mitigation action
- WMUK Board and staff to keep communicating positive elements of WMUK’s work and strengthening links with Foundation and other partners
- Control action
- Ensure all meetings extremely well run, with excellent papers, agendas, minutes, decisions
- Planning action
- Plan for annual self-review of Board performance, and periodic independent assessment. In paricular development of functions of an Audit Committee and a Governance Committee.
Board capacity is insufficient for short term governance challenges
- Current analysis
- Following on directly from the above risk, the recommendations of the Compass Report will make serious demands on Board members’ time and on Board meetings over the coming months – to make key decisions, establish new policies and procedures, and rebuild WMUK confidence. There are current vacancies, pressure on individual trustees’ time and tensions in Board meetings. High probability and medium/high impact on identity/existence and performance.
- Preventive and mitigation action
- Fill vacancies urgently
- Mitigation action
- Delegate effectively to the CEO and staff and release Board time to concentrate Board agenda on strategic issues.
- Control Action
- Prioritise Board agenda very firmly, end meetings on time.
- Planning Action
- Amend Board size, and add new routes onto the Board as per the Compass Report. Focus agenda on most important high-level decision making.
Current environment risks
- Current analysis
- Foundation and WMUK have reflected on the risk of public loss of interest or confidence in Wikipedia – for example via emergence of alternative technologies, competitors. Staff rate this as currently Medium probability, with high impact – some preventive action already in hand. Longer term, the probability is likely to rise. Action is not urgent but needs an on-going and strategic approach.
- Preventive Action
- Outreach and partnership work to improve the quality of Wikipedia and other WM projects; also, tailor programme of activities to maintain confidence and usage. See also 6.2
- Mitigation action
- Build programme of activities to address these issues.
- Control Action
- Monitor efficacy against these aims with clear measurement and KPI’s
Planning action: Use Staff and programme planning tools to ensure issues being addressed.
Disagreements between Wikimedia UK and the Wikimedia Foundation (and international movement)
- Current analysis
- In some ways this is an extension of Strategic risk 2 above, and many actions are similar. A previous paper identified a situation where ‘The WMF takes actions which WMUK opposes’ & ‘WMUK takes actions which WMF opposes’. There remains a low probability of not fully resolving the dispute, but the impact would be high on the identity and existence of WMUK. Actions suggested have included:
- Preventive Action
- Board members to build relationships with Foundation Board and other Chapters and encourage all WMUK’s members to participate in WMFs consultations. WMUK staff to maintain good relations with WMF staff.
- Mitigation action
- Develop WMUK's reputation for good day-to-day management and address the issues raised in the governance report.
- Planning Action
- Develop programme of re-building confidence and carry out actions e.g. arising from Compass review. Consult with our partners before decisions are made, if practical. Encourage exchanges and other communications between staff and board members.
Major Risk Source 2: operational risks
Business capacity: inadequate to achieve our mission/goals (business continuity)
- Current Analysis
- Running out of office space would be high impact but current arrangements are flexible enough to make this a very low probability.
- IT Capacity risks – staff believe are low probability, but would have high impact on performance, reputation and operations. Actions already in hand including:
- Provision of professional IT contractor support have mitigated many of the IT and security risks.
- Provision of welcoming space for volunteers needs to be enhanced.
Systems or policies risks: an excess of detailed, defensive policies
- Current analysis
- risk of developing too many detailed and defensive policies as issues arise and Board pursue a risk averse micro-management agenda. Medium probability of medium impact on performance and project activities e.g. by damping down staff initiative.
- Preventive action
- avoid resolving every concern with policy legislation; and delegate effectively to CEO and staff, holding to account for performance, business decisions.
- Control action
- annual review of policies to identify duplication and redundancy.
Conflict of interest problems recur
- Current Analysis
- Medium probability, high risk. CoI issues have been taken very seriously by WMUK and extensive work done to create gold standard policies. There is a danger that fear of CoI’s can lead to inertia.
- Preventative action
- Use the procedures consistently. Make sure everyone in the community understands them
- Mitigation action
- Ensure all staff and trustee induction explains the CoI issues thoroughly.
- Control action
- Policies applied sensibly and consistently. Formal agreements help minimise risks.
- Current analysis
- this has happened in last 12 months. Probability medium, impact high to reputation – though greater impact if numbers of scandals rise in one time period.
- Preventive Action
- Support and monitor editors.
- Mitigation action
- Training of staff and trustees in media interview techniques and work with public relations volunteers to make sure our response is reliable and available.
Major Risk Source 3: we have insufficient support to achieve our mission and strategy
Community fracture
- Analysis
- The UK community fractures or atrophies with disagreements between its members and constituent parts. Probability medium, impact medium
- Preventive Action
- Develop membership involvement and participation.
- Widening participation especially within under-represented groups.
- Mitigation Action
- Offer feedback to comments from community in a timely and honest fashion.
- Control action
- Continue open and transparent systems to allow open debate whilst encouraging a presumption of good faith.
Hostile or apathetic media
- Analysis
- Media receptivity or support insufficient to achieve mission/strategy – risk is medium probability, high impact on reputation. For example inaccurate Telegraph articles. Media love Jimmy Wales and Wikipedia though; high impact because credibility is crucial.
- Preventative
- Be pro-active in making relationships with top 20 relevant journalists. Ensure consistent messages come from staff and board.
- Mitigation action
- Have responsive communications strategy, offer training to community members. Explain quickly to membership when things happen.
- Planning action
- Annual communications plan to complement comms strategy.
External opinion formers
- Analysis
- Decision-makers' receptivity or support insufficient to achieve mission– support and awareness building slowly, and it's right to be cautious – low probability but medium impact as major political decisions not crucial in short term.
- Preventative
- Build relationships with sympathetic organisations.
External supportive organisations
- Analysis
- Partners’ receptivity or support insufficient to achieve mission – WMUK has lack of capacity to develop outstanding partnerships, so medium probability that some will end badly, but low/medium impact. Board members setting up events with partners without involvement of staff will increase probability of breakdown in relationships;
- Preventive action
- proceed cautiously, ensure good communication between Board and staff.
- Planning Action
- invest in capacity for partnership work.
- Ensure clear system of central referral to avoid duplication or inappropriate relationships.
Major Risk Source 4: financial risks
Poor financial performance or control presents risks to WMUK’s reputation and to its achievement of its plans for the future
Funding income risks: the WMF funding arrangements for Chapters changes
- Current analysis
- This has happened once although seems settled so this must be viewed in risk terms as both high impact, and medium probability. However impact has been cushioned because of mitigation action already taken to maintain a reserve fund so WMUK has time to downsize to a size appropriate to our new resource base after this change. WMUK needs to work to develop own direct fundraising.
- Preventive action
- Maintain positive relations with Foundation and wider community.
Ensure WMUK governance conforms to highest standards.
- Control action
- Maintain all best practice
- Planning action
- Follow good governance advice. Maintain current management and financial systems.
Economic downturn reduces flow of support from individuals
(high impact, low probability)
- Analysis
- Fundraising Manager reports no significant decline in support
- Action
- Develop diverse income sources.
Fundraising risk: Poor donor stewardship
Probability medium, impact medium
- Analysis
- Still losing some potential income, need to steward donors and over long term could make a big difference though.
- Preventive actions
- Fundraising Manager to plan how staff and volunteer resources to manage queries. Fundraising Manager to organise refreshed templates for thanking donors and trial bulk mailings. Fundraising Manager to schedule communications are timely and relevant to avoid 'spamming' audiences
Financial control risk: weak financial reporting reduces confidence in WMUK and impacts on income
- Current analysis
- Staff report difficulty in securing funders confidence to raise money because financial reporting weak. in the past accounts have not been produced on time, but current systems now working well.Therefore low probability, medium impact
- Control Action
- Create and adhere to good practice financial systems and protocols. Regular financial reporting to Board. Sign off accounts and get them audited on time.
- Preventive Action
- Build in contingency planning to budget Create reserves to ensure at least one year of continuing activities. Build capacity of a Finance Sub-Committee.
Financial Control risk: WMUK is subject to fraudulent activity
- Current analysis
- Control systems working well so Low probability but high impact.
- Preventive Action
- Maintain exemplary financial systems and ensure they are adhered to through regular monitoring and professional external audit.
- Control Action
- Have regular external overview of our activities and practices – e.g. via auditor.
Major Risk Source 5: regulatory risks
Data protection issues
- Current analysis
- Loss or theft of data. Most of the necessary tasks done but probability still medium and needs to go lower – potential impact high to an organisation such as WMUK, its reputation especially.
- Preventative Actions
- Have valid data protection insurance (complete). Have valid and sufficient SSL certification in place (complete). Fundraising Manager to have oversight of those with differing access to different areas of managing the fundraiser, and ensure appropriate agreements are signed and access in line with Caldicott principles.
- Planning action
- Complete audit and further plans for Data Protection.
- Control action
- formulate and use appropriate policies.
Data Protection Act issues
- Current analysis
- Fundraising Manager works with CEO to manage responses to any Subject Access Requests to ensure compliance. Probability medium and impact medium on WMUK's reputation.
- Preventive Actions
- Fundraising Manager to draw up process to responding to Subject Access Requests. Fundraising Manager to seek to pre-empt requests by timely sharing of anonymised data and results through public wiki whenever appropriate and in a planned fashion.
- Planning and control actions
- Incorporate into ongoing security review.
Non-compliance with charity or company law
- Conflict of interest see 2.3.
Employment law compliance
- Current Analysis
- Recent report from external HR agency reported that our procedures were up to date and of good quality. Low risk, low probability.
- Mitigation and control
- We have minimised issues around staff by building sound HR strategies.
- Control Action
- Ensure policies adhered to.
False membership applications
- Current Analysis
- No evidence that applications are being made using false name or address data. If were successfully made in sufficient number, possibility of disrupting democratic process of PLC business Low risk, low probability.
- Mitigation and control
- Control - board to apply Article of Association of 4.4 - Termination of Membership if a membership was accepted under false pretence discovered and Article of Association 2.3(a) - Members if an application is made under false pretence; Mitigation - charity to focus on increasing size and engagement of membership base to remove effectiveness of disruption of this kind.
- Control Action
- Application of existing articles of association and pursue agreed goals to expand membership.
Major risk source 6: people risks
Inadequate volunteer base
For example, low numbers and lack of diversity of volunteers
- Current analysis
- WMUK aware of the problem and addressing it through programme. Probability medium impact high on engagement with sectors and capacity to generate projects, edit WP.
- Planning
- Build programmes to focus on and develop, support and retain volunteer base: Monitor impact of programmes and activities on volunteer base. Ensure all voices heard, not just the loudest.
- Preventive Action
- Target hitherto under-represented groups.
- Have more chances for community to meet in person.
- Control Action
- Monitor trends in volunteer numbers & profiles every quarter.
Collapsing editor base
- Current analysis
- this has been on WMUK radar for some time and is in 2013 Activity Plan. Probability medium impact high Impact on reputation and projects though we can only make a contribution.
- Planning Action
- Build significant amount of activity plan around this issue e.g.
2013 Activity Plan contains work strands on editor retention and development.
- Preventive action
- Train the Trainers courses will build new capacity for example.
- Monitor community activity and measure.
- Control Action
- Monitor active editor numbers/trends quarterly.
Poor staff performance
- Current analysis
- although a relatively new team, each appointment is crucial in a small team.
- Current risk levels are low probability, medium risk to performance, reputation, income.
- Prevention action
- good support and performance management
- Management planning systems used consistently.
- Planning action
- ensure roles can develop as staff show leadership and success.
- Control action
- CEO to raise any significant risks as they arise.
High/unplanned turnover of staff
- Current analysis
- in a small team if one person moves on it can leave a gap in terms of expertise and capacity– particularly for key roles such as CEO. High turnover could hold WMUK back significantly. Currently staff are committed, but until governance & leadership is clearer risk probability medium, impact high on performance reputation, income, activities.
- Prevention action
- good people management and good approach to reward, motivation, scope for job growth; good communication between Board and staff. Giving staff a feeling of responsibility and empowerment.
- Avoid bunker mentality.
- Planning action
- succession planning for CEO – possibly for other posts. Job ghosting within team.
- Creating a culture of thanks.
Risk register
Risk register for quarterly monitoring
(Those risks scoring low have been included on the lower half of the grid below.)
| Risk | Prob | Impact | Score | Response |
|---|---|---|---|---|
| 1.1 Lack of strategy, poor strategy, or failure to take opportunities | Low | High | Low |
|
| 1.2 Ineffective governance and leadership | High | Medium-high | Medium-high |
|
| 1.3 Board capacity insufficient for short term challenges | High | Medium-high | Medium-high |
|
| 1.4 Environment risk – loss of Wikipedia status | Medium | High | Medium |
|
| 1.5 Division or disharmony between WMUK & WMF | Medium | High | Medium |
|
| 2.2 Excess of detailed, defensive policies | Medium | Medium | Low |
|
| 2.3 Conflict of Interest issues | Medium | High | Medium |
|
| 3.1 Fractured UK Community | Medium | Medium | Low |
|
| 4.1 Restrictions to fund-raising via Foundation | High | High | High |
|
| 4.2 Threats to individual funding | Low | High | Low |
|
| 4.3 Poor donor stewardship | Medium | Medium | Low |
|
| 4.4. Inadequate fund-raising strategy/delegation | High | Medium-high | Medium-high |
|
| 4.5 Financial control, weak monitoring and evaluation | Low | High | Low |
|
| 5.1 Data Protection | Medium | High | Medium |
|
| 5.3 Charity Compliance Conflict of interest policy and practice weak (or perceived to be weak) | High | High | High |
|
| 6.1 Inadequate volunteer workforce | Medium | High | Medium |
|
| 6.2 Collapsing editor base | Medium | High | Medium |
|
| 6.4 High/unplanned turnover of staff | Medium | High | Medium |
|
| Risk | Prob | Impact | Score | Response |
|---|---|---|---|---|
| 2.1 Inadequate office Capacity | Low | High | Low |
|
| 2.1 Inadequate IT capacity | Low | High | Low |
|
| 2.5 Scandal on sites | Medium | High | Medium |
|
| 3.2 Negative media | Medium | High | Medium |
|
| 3.3 Negative decision-makers | Low | Medium | Low |
|
| 3.4 Negative partners | Medium | Medium-low | Low |
|
| 4.7 Inadequate funds in year | Low | High | Low |
|
| 4.8 External & Internal fraud | Low | High | Low |
|
| 5.2 Non-compliant FoI | Medium | Medium | Low |
|
| 5.4 Employment Law compliance | Low | Low | Low |
|
| 5.5 False membership application | Low | Medium | Low |
|
| 6.3 poor staff performance | Low | Medium | Low |
|