Talk:Risk Register
Managing risk
This is a document that has emerged from a slow gestation. The board is keen for the community to have access to our risk register and statements. It will be reviewed by staff quarterly with a report to the board on the top five risks, or more should I consider there to be more.
It fits alongside the annual programme and work plan which is also going to be reported quarterly.
Any comments that will help this process welcome. Jon Davies WMUK (talk) 09:35, 19 February 2013 (UTC)
- Can you clarify, is this a proposal from the staff to the board, or is this the final approved policy? The introduction only mentioned the board's request for the staff to prepare a first draft, it doesn't mention the board discussing it. It was in your report for the recent board meeting, but doesn't seem to have been on the agenda (the minutes aren't up yet). --Tango (talk) 12:50, 19 February 2013 (UTC)
- It is a long document and it is possible that I did not fully update it to reflect the board decision - can you point to where this is please if you remember - many thanks in advance. Jon Davies (WMUK) (talk) 14:21, 19 February 2013 (UTC)
- I just meant the introduction. It talks about the board requesting it and the staff preparing it, but then the story abruptly finishes. It just needs another sentence saying the board discussed it at their meeting on whatever date it was, amended it as they saw fit and then adopted it as formal policy. I have no idea is the changes they agreed to make were made, since I wasn't at the meeting. --Tango (talk) 17:31, 19 February 2013 (UTC)
- It is a long document and it is possible that I did not fully update it to reflect the board decision - can you point to where this is please if you remember - many thanks in advance. Jon Davies (WMUK) (talk) 14:21, 19 February 2013 (UTC)
- Will do - we missed you - where were you? Jon Davies (WMUK) (talk) 17:50, 19 February 2013 (UTC)
- I was doing coursework, unfortunately... The bit you've changed was right the first time! You're getting confused between the November 2012 meeting, where the board asked the staff to prepare something, and the February 2013 meeting where the board approved what the staff had prepared. --Tango (talk) 18:58, 19 February 2013 (UTC)
- Will do - we missed you - where were you? Jon Davies (WMUK) (talk) 17:50, 19 February 2013 (UTC)
- Again, Myself and a volunteer went through it but if there are places that it is not updated please let me know. Thanks Jon Davies (WMUK) (talk) 14:21, 19 February 2013 (UTC)
- Hi Tom, I would like to see slightly more precision here that will align with the board minutes when you see them published. The board did vote on the 9th February with respect to the Risk Register, however the draft minutes tell me that the board of trustees did not just agree, we actually voted on a more complex statement than just approving this Register, and during the vote 3 trustees supported the statement, 1 voted against and 1 abstained. I'm afraid I cannot advise you as to when the draft minutes will be moved from the office wiki to a public view. Thanks --Fæ (talk) 18:43, 19 February 2013 (UTC)
- A minor update, the wording in the draft minutes of the resolution voted on is under discussion in-camera, this is already delaying getting the minutes issued and changes post-meeting may affect the statement I have made here.
- The delay is a symptom of a different issue. We should probably start a community discussion in a better location than this page, and soon, on the new working practices the board of trustees has adopted on keeping the minutes in-camera from the open board meetings, rather than publishing a draft as early as possible on-wiki for the benefit of members, and the additional discussion in-camera that some feel that this means that the board may need to stop having any future webcast or video (and presumably by extension, any audio recording or live text summaries, such as our long term practice of keeping live etherpad notes) of our open board meetings. In such a scenario, I don't think we would claim to have "open" meetings any more, indeed as we could not stop an observer from writing about a meeting they attended in advance of the minutes being "legally" published, then I would question the consistency of inviting observers without having non-disclosure agreements in place. I suspect the effect of this shift in our values, would roll down to Committees for the reasons of the delegated powers we intend these to have. Personally, I will be reflecting more deeply on our current stated Values, at the moment I am finding it increasingly difficult as a trustee to reconcile these changes with our shared ethical values of openness and transparency, a situation I already regret. Thanks --Fæ (talk) 10:22, 23 February 2013 (UTC)
- That doesn't sound like a problem with your minutes. That's a problem with your meetings - the chair should make sure everyone knows what it is that is being voted on before the vote takes place. There should be no need to discuss it afterwards. (Problems can arise when you thought something was uncontested so didn't have an explicit vote but it turns out afterwards that people had different ideas about what it was that was being discussed - if there is an explicit vote, though, there should be no room for confusion.) --Tango (talk) 16:02, 23 February 2013 (UTC)
- Yes, that would be good practice. I would encourage more of our members to attend open board meetings to judge the performance of the board, it would illuminate the AGM process. Tom, you may want to reflect on what I was trying to achieve with creating a document to define the vote process, so that there would be far fewer "ambiguities", before I abandoned the attempt as a waste of my time due to the massive resistance I had. Perhaps someone else can have another stab at it? Thanks --Fæ (talk) 16:15, 23 February 2013 (UTC)
- That doesn't sound like a problem with your minutes. That's a problem with your meetings - the chair should make sure everyone knows what it is that is being voted on before the vote takes place. There should be no need to discuss it afterwards. (Problems can arise when you thought something was uncontested so didn't have an explicit vote but it turns out afterwards that people had different ideas about what it was that was being discussed - if there is an explicit vote, though, there should be no room for confusion.) --Tango (talk) 16:02, 23 February 2013 (UTC)
- Hi Tom, I would like to see slightly more precision here that will align with the board minutes when you see them published. The board did vote on the 9th February with respect to the Risk Register, however the draft minutes tell me that the board of trustees did not just agree, we actually voted on a more complex statement than just approving this Register, and during the vote 3 trustees supported the statement, 1 voted against and 1 abstained. I'm afraid I cannot advise you as to when the draft minutes will be moved from the office wiki to a public view. Thanks --Fæ (talk) 18:43, 19 February 2013 (UTC)
Visualisation
I have often found that a 5 x 5 grid, with red to show high values and green to show low values is helpful. This does appear in the document, but perhaps should be applied to tables such as "RISKS TO BE MONITORED QUARTERLY" Gordo (talk) 09:47, 19 February 2013 (UTC)
- I agree. This has been prepared using a grid approach, so it might as well be presented that way. I would also suggest expanding the current 3x3 grid to a 5x5 grid when this is reviewed next year - that allows for a little more subtlety. Having all low probability events in lowest category regardless of potential impact is obviously not ideal - if "low" means "once in a century", then that may be fine, but when you only have three categories of probability "low" must mean quite a bit more likely that that (see my comments on quantification below). --Tango (talk) 13:00, 19 February 2013 (UTC)
- I LOVE grids and use them on the original document. Thanks to Rexx the document s as lovely as it is. At annual revision will share the original document all being well.
Jon Davies (WMUK) (talk) 14:23, 19 February 2013 (UTC)
Quantification
I haven't had time to read through all the individual risks, but the general structure and approach looks good. My suggestion for when this is reviewed in a year's time is that you try and incorporate more quantification in terms of impact, probability and time horizons (more emphasis on time horizons is needed too - they are mentioned, but only in passing). Quantifying things can be very difficult (especially when your goals aren't profit based - most of your risks can't be quantified simply in money terms like they can for a for-profit business) so I don't think you should delay implementing this policy for it, but it will need to be introduced over time as you get used to thinking about risks and start taking more sophisticated approaches towards them. --Tango (talk) 12:55, 19 February 2013 (UTC)
FOI
I'm aware that we are subject to the Data Protection Act and therefore might receive Subject Access requests, but does the Freedom of Information Act actually cover charities like us or are we voluntarily being this open? WereSpielChequers (talk) 18:52, 19 February 2013 (UTC)
- It fits our Values to be this open. The FOI does not apply as we are not a public authority, I have made this point in the past by email, but it has not been picked up to change this document, I suggest it is to avoid any confusion. Thanks --Fæ (talk) 18:56, 19 February 2013 (UTC)
- I'm very happy that we have opted in to the Freedom of Information Act, but yes it would make sense to say that this was our choice. WereSpielChequers (talk) 19:08, 19 February 2013 (UTC)
Hi All - yes, quite right, we're not subject to FOI as a charity per say (for those of you with time to spare, the act lists the organisations by name and type it does apply to: http://www.legislation.gov.uk/ukpga/2000/36/schedule/1) However, it's worth nothing that through partnership work with local and parish councils, schools, or statutorily funded bodies/institutions this would apply to documentation regarding, for example, negotiations around WiRs, discussions about project work, funding agreements (whether them donating to us, or us granting to them) etc etc. So, as WSC says, its a good thing we're happy to uphold the same principles to the same standards as a matter of course :-) Katherine Bavage (WMUK) (talk) 12:08, 21 February 2013 (UTC)
- Just to clarify, this has never happened. I suspect it never will happen and so should not be in the risk plan. I believe there is no organization that we are talking to, even those in receipt of state funding in various forms, that has yet suggested that we must comply with FOI requests. Were I negotiating, I would advise that this is a matter for the public authority, who should be capable of retaining a system of records for all shared documents and communications as part of the partnership or JV variant, rather than this being a long term burden on our system. Thanks --Fæ (talk) 19:38, 22 February 2013 (UTC)
Incidents at Events
We hold a number of events each year, some public, some invitation only, some limited to people who signup and some open to all. Some of the attendees have been legally minors, some of our critics and at least one banned editor have attended events or signed up to attend them. Wikipedia gets a steady stream of controversial editors and the UK probably has its fair share of the millions of editors who have been blocked or had their work deleted. So I suggest that one risk which should be on the list is the risk of an incident occurring at one of our events. WereSpielChequers (talk) 18:52, 19 February 2013 (UTC)
- We've got a banned editor who keeps turning up to board meetings! ;) --Tango (talk) 19:01, 19 February 2013 (UTC)
- Come on Tango please can we differentiate between people's roles - some may think this a joke but it isn't really. The person concerned puts a lot of time into Chapter work and that should be appreciated. Jon Davies (WMUK) (talk) 14:58, 22 February 2013 (UTC)
- How about you concentrate on the serious deficiencies in this document that have been pointed out further down the page and stop worrying about a throwaway comment that very clearly does not suggest that Fae's work is not appreciated? My comment was a light-hearted way of pointing out that "banned users" is not a particularly useful differentiator. --Tango (talk) 15:14, 22 February 2013 (UTC)
- Come on Tango please can we differentiate between people's roles - some may think this a joke but it isn't really. The person concerned puts a lot of time into Chapter work and that should be appreciated. Jon Davies (WMUK) (talk) 14:58, 22 February 2013 (UTC)
- Oh I wasn't thinking of that case, I was thinking of people whose bans were justified. WereSpielChequers (talk) 19:23, 19 February 2013 (UTC)
- Risk at events is something that is a day-to-day operational activity. We do need, however, to develop a more consistent risk assessment system and this has been under discussion. They need to be proportionate and shared so that we do not keep re-inventing wheels. We made sure we had public liability insurance as soon as I started but obviously we need to show that we take our responsibilities seriously. With new staff starting and a gear change in our programme we need to formalise this process and I know it is in Daria's agenda. As to banned editors - very much a matter for the community to take a view on. Jon Davies (WMUK) (talk) 12:05, 21 February 2013 (UTC)
Different versions?
This page seems to be different from that presented at the board meeting. In particular, the factual corrections I made to the introduction seem to have been lost. Please could the differences be reconciled here? Thanks. Mike Peel (talk) 19:11, 19 February 2013 (UTC)
Office
We have an office, therefore we are at risk of burglary, fire etc there (though hopefully we have insurance). I'm assuming that we got a pretty good deal because the place is full of charities and not for profits. So we presumably have a risk that any subsidy we get might end if the landlord decides to be more commercial or to cease supporting our sort of charity. We can mitigate that sort of risk by agreeing long lease terms, but that then builds in an inflexibility if the office ceases to meet our needs. We could variously outgrow it, shrink to need less space or have a board that decided to relocate outside London and found any lease a bit of a millstone; Any of those eventualities would become more expensive if we minimised our risk of rent rises by agreeing a longer lease. We also have a risk that someone incompatible with us could move in to the secure area that we have, as currently we only have part of an open plan floor and other organisations are in the same office. WereSpielChequers (talk) 19:23, 19 February 2013 (UTC)
- Thanks WSC - good points. We do have fire insurance, as does - I believe - the building. We're going to get a fireproof safe to help prevent any key data loss from fire or theft. As to the lease, our landlord is Ethical Property, who design their business model around our sort of charity, so I think the risk of them changing that is very low. We're also one of their larger tenants, so we're much-loved by them, and have already done things like offer us reduced rent. The risk of outgrowing the office is already covered in the register - the risk of shrinking or relocating is balanced by the fact that it would take some time for those things to come into effect, and they'd need consultation with staff - but they are risks. As to the area we have, we're actually in the process of having the floor redesigned... see Media:Possible_office_plan.jpg for a possible plan. In a few months, they may move us to our own space on the same floor, depending on what happens with the other tenants in the building. Richard Symonds (WMUK) (talk) 16:46, 20 February 2013 (UTC)
Risk not to be monitored quarterly
Any reason that these risks, at the bottom of the page, aren't being monitored quarterly? I'm sure there is a good reason, I was just wondering what it is. Yaris678 (talk) 17:59, 20 February 2013 (UTC)
- Because they are either low impact or low probability, therefore aren't worth monitoring quarterly. --Tango (talk) 19:59, 20 February 2013 (UTC)
- A cursory inspection of the table gives several exceptions to that statement. 'Negative media' and 'scandal on sites' are the biggest exceptions. Yaris678 (talk) 20:20, 20 February 2013 (UTC)
- Hmmm... that looks like an error to me. Those should be "medium" risks, so should be monitored quarterly according to the "Assessing and analysing the risks" section. (Those are the only two exceptions - there are a couple of medium/medium risks, but that is categorised as a low score as well, which I missed in my explanation.) --Tango (talk) 12:33, 21 February 2013 (UTC)
- Cool. I get it now. It was supposed to have been separated to fit with Risk Register#Assessing and analysing the risks, but those two have been misplaced. Shall we just move them? Yaris678 (talk) 13:18, 21 February 2013 (UTC)
- Hmmm... that looks like an error to me. Those should be "medium" risks, so should be monitored quarterly according to the "Assessing and analysing the risks" section. (Those are the only two exceptions - there are a couple of medium/medium risks, but that is categorised as a low score as well, which I missed in my explanation.) --Tango (talk) 12:33, 21 February 2013 (UTC)
- A cursory inspection of the table gives several exceptions to that statement. 'Negative media' and 'scandal on sites' are the biggest exceptions. Yaris678 (talk) 20:20, 20 February 2013 (UTC)
- The reputation and negative publicity risks are crucial and are part of what we monitor every day and manage when they come under our WMUK remit. To be clear everything on the register is monitored and we try and establish safeguarding systems to mitigate the risks. The most pressing risks are monitored more closely and the most, most pressing risks reported to the board.Jon Davies (WMUK) (talk) 13:48, 21 February 2013 (UTC)
- Yes, we understand that, but the policy clearly says that medium and high score risks should be part of the quarterly monitoring process, so why have these two been missed out? Most of the risks will be monitored in an informal way on an ongoing basis, but that doesn't mean the more formal monitoring isn't also required. --Tango (talk) 15:32, 21 February 2013 (UTC)
- The reputation and negative publicity risks are crucial and are part of what we monitor every day and manage when they come under our WMUK remit. To be clear everything on the register is monitored and we try and establish safeguarding systems to mitigate the risks. The most pressing risks are monitored more closely and the most, most pressing risks reported to the board.Jon Davies (WMUK) (talk) 13:48, 21 February 2013 (UTC)
- There is limited value in "monitoring" something unless there is data to monitor. One can look at the RIA inflation figures, for example, every quarter. However considering that there is little actual harm in a report that says "negative publicity this quarter, nil." and that there are people out there briefing against WMUK/WMF it would seem worthwhile to have a regular review on "negative media." The risk register (or associated documents) should also identify possible actions to avoid, reduce or eliminate risk, to mitigate, alleviate or avoid the effects, with an indication of which are and are not worth pursuing, and the reasoning. Some of this is there, but there could be more coverage. Of course, there are some areas where publishing the risk strategies in detail defeats them, so despite our open leanings we need to be careful about that too. Rich Farmbrough, 20:27, 21 February 2013 (UTC).
- There is limited value in "monitoring" something unless there is data to monitor. One can look at the RIA inflation figures, for example, every quarter. However considering that there is little actual harm in a report that says "negative publicity this quarter, nil." and that there are people out there briefing against WMUK/WMF it would seem worthwhile to have a regular review on "negative media." The risk register (or associated documents) should also identify possible actions to avoid, reduce or eliminate risk, to mitigate, alleviate or avoid the effects, with an indication of which are and are not worth pursuing, and the reasoning. Some of this is there, but there could be more coverage. Of course, there are some areas where publishing the risk strategies in detail defeats them, so despite our open leanings we need to be careful about that too. Rich Farmbrough, 20:27, 21 February 2013 (UTC).
- Hi Rich, on this specific risk (we are drifting away from the original topic) as we have a Communications specialist in our staff, we already have an excellent process for being alerted to media stories, both positive and negative, as they happen and in our regular staff reports at board meetings. This is an easy one to publicly explain that we have an operational process that counts as our contingency plan. As for your other point that all risks "above the water margin" should have contingency plans, that's a point I have made in-camera before this was published, so as usual, great minds think alike ;-) Cheers --Fæ (talk) 20:35, 21 February 2013 (UTC)
I have just expanded the single "Prob/Impact" column into three columns. Apart from being a lot clearer than the previous presentation, this has also highlighted a number of risks that are down as being monitored quarterly but have a low score. Do these want to be moved down into "risk not to be monitored quarterly"?
Looking at it another way... we currently have risks in both parts which should be in the other part if we follow Risk Register#Assessing and analysing the risks. Does this mean that there is something missing from Risk Register#Assessing and analysing the risks?
Yaris678 (talk) 13:13, 22 February 2013 (UTC)
Comments
This document needs a copy-edit. Something we're calling a policy should be professionally written. This is all over the place with capitalisation, grammar, shorthand, sentences that sound like bullet points, and it's full of typos. It's also completely unreadable in parts. For example, what is Fundraising Manager to have oversight of those with differing access to different areas of managing the fundraiser trying to say? [D]iffering access to different areas in particular seems to be using a lot of words to say very little. I've fixed a few issues, but this really does need looking at. This website is what the outside world sees of the charity, and sloppy writing in formal documents doesn't exactly inspire confidence in the charity as a professional organisation. Harry Mitchell | Penny for your thoughts? 18:39, 21 February 2013 (UTC)
Risk numbering
While I can see what Harry is getting at with this edit, there is the issue that the risk numbering allows a cross referencing between the contents of penultimate and final sections. Anyone got any clever suggestions of how to fix this? Maybe just link to the appropriate subsection of the analysis from each row of the table. Yaris678 (talk) 18:10, 22 February 2013 (UTC)
- It is common good practice for a risk register to act as a register. This means giving each risk a new persistent sequential number as it is identified so it can be tracked in the register, project plans, contingency plans, resource plans, budget, staff reports, performance reviews and board meetings - all of which may be relevant. I have said this before in meetings discussing our risk and more general management methods, but it never seemed to affect the different documents produced over the last year, which instead have a preference for textual descriptions as the identification system. However this is also true for Actions, Budget lines and Resolutions, all of which I personally find it hard to keep track of without any unique identifiers, and instead we have to use sentences or paragraphs of text to identify them, or even worse, numbers which vary in each document they appear in.
- At the moment the numbering appears to be in the form m.n where m is the "risk source" and "n" is a list number, but not unique. This system may look okay in this document, but when we decide next year that the staff day analysing risk did not result in a final solution that all stakeholders would accept in years to come as a constraint, we may find this model revised and these numbers suddenly become an obstacle rather than helpful. I always recommend unique persistent identifiers for every system I have designed over the last quarter of a century, I have never regretted doing so. --Fæ (talk) 19:31, 22 February 2013 (UTC)