[Foundation-l] Risks
Gerard Meijssen
gerard.meijssen at gmail.com
Thu Apr 19 07:46:23 UTC 2007
Hoi,
Risk management is an activity that has a forerunner. This is risk
analysis. From everything I understand from what is happening, the
situation in the management and operations of the WMF is fluid. Many
aspects of risk aversion are hard or impossible to do because they are
like shooting at a moving target. When you engage in risk management, it
is like many other aspects of security; something you have to integrate
into your organisational operations to do it well. Risk assessment
and analysis should be part of the implementation of and the changes to
procedures.
The question: "Who is willing to take responsibility?" is imho not
necessarily valid at this time. Risk management is an essential part of
the whole management and operations set up and consequently the
responsibility remains with every manager for the security issues in
his domain. When you have a security officer in your organisation, in
essence all he can do is coordinate and integrate the efforts in all
domains and coordinate and monitor how well relevant issues are handled.
As security is often seen as key to the health of the organisation, the
security officer is necessarily a senior manager in an organisation. It
is important to note that many of the tasks that need to be done in the
WMF are not filled in. This is a consequence of the seriously
underfunded and understaffed organisation that is the WMF. The question
is, is it more important to get the base work done or is having someone
tasked for security the priority? This is a management question and
decision.
When an organisation takes security seriously, the risk factors are taken
seriously. This already happens. Brion has stated repeatedly that the
quality of the back-ups has a high priority for him. He has reported
repeatedly on improvements made in order to improve its quality. David
Gerard has raised the quality of back-ups as an issue; Jeff Merkey
indicated his ability and effort in order to ensure that an off-site
back-up exists. All this happens against this background of continually
improving WMF functionality. Clearly risks in this domain are managed
though not necessarily covered perfectly.
When it comes to financial risks, the WMF will only get grants, funding
from other parties when it is able and willing to go into a dialogue
with organisations and people that indicate they are willing to
contribute / cooperate / collaborate with our organisation. This means
that our organisation has to be willing to go into a dialogue. It starts
with a willingness to listen. There are indications that this is improving.
Given the relevance of the Wikimedia Foundation, there are many
organisations that are really keen to work together with us. Many of
these organisations have a wealth of data and money that they are
investing in activities that are complementary to what we do. By
collaborating, there is the potential that many of these resources will
be directed to Free information and resources. It may mean that things
do not happen in our projects. Our aim is to bring information to the
world; we serve our aim when we make this happen. For Free information
the one thing that really matters is that these resources are relevant
and easy to reach. Organisations want to collaborate with the WMF
because increased traffic for the information they care for is often
what they want to get out of such a collaboration. The opportunities are
there; one risk is that we are not able or willing to reach out, another
is that our community is too inward focused and consequently not willing
or able to collaborate.
To me security and risk management are really important. The work done
that is in front of us needs to get done. Anthere indicated that issues
identified by the board have to be solved within specified time frames
by the executive. This is only feasible when the means to do this exist.
When the penalty for not finishing in time has the potential of
dismissal, it means that the risks become personal as well as
organisational. The consequence will be that day to day issues will
suffer and this will bring its own risks.
Thanks,
GerardM