[Foundation-l] Risks

Fred Bauder fredbaud at waterwiki.info
Thu Apr 19 12:14:11 UTC 2007

Only a partial answer, many other aspects are in operation, but please consider thinking about

Wikipedia:Error management


>-----Original Message-----
>From: Gerard Meijssen [mailto:gerard.meijssen at gmail.com]
>Sent: Thursday, April 19, 2007 01:46 AM
>To: 'Wikimedia Foundation Mailing List'
>Subject: [Foundation-l] Risks
>Risk management is an activity that has a forerunner. This is risk 
>analysis. From everything I understand from what is happening, the 
>situation in the management and operations of the WMF is fluid. Many 
>aspects of risk aversion are hard or impossible to do because they are 
>like shooting at a moving target. When you engage in risk management, it 
>is like many other aspects of security; something you have to integrate 
>it into your organisational operations to do it well. Risk assessment 
>and analysis should be part of the implementation of and the changes to 
>The question: "Who is willing to take responsibility?" is imho not 
>necessarily valid at this time. Risk management is an essential part of 
>the whole management and operations set up and consequently the 
>responsibility  remains with every manager for the security issues in 
>his domain. When you have a security officer in your organisation, in 
>essence all he can do is coordinate and integrate the efforts in all 
>domains and coordinate and monitor how well relevant issues are handled. 
>As security is often seen as key to the health of the organisation, the 
>security officer is necessarily a senior manager in an organisation. It 
>is important to note that many of the tasks that need to be done in the 
>WMF are not filled in. This is a consequence of the seriously 
>underfunded and understaffed organisation that is the WMF. The question 
>is, is it more important to get the base work done or is having someone 
>tasked for security the priority. This is a management question and 
>When an organisation takes security serious, the risk factors are taken 
>serious. This already happens. Brion has stated repeatedly that the 
>quality of the back-ups has a high priority for him. He has reported 
>repeatedly on improvements made in order to improve its quality. David 
>Gerard has raised the quality of back-ups as an issue, Jeff Merkey 
>indicated his ability and effort in order to ensure that an off-site 
>back-up exists. All this happens against this background of continually 
>improving WMF functionality. Clearly risks in this domain are managed 
>though not necessarily covered perfectly.
>When it comes to financial risks, the WMF will only get grants, funding 
>from other parties when it is able and willing to go into a dialogue 
>with organisations and people that indicate they are willing to 
>contribute / cooperate / collaborate with our organisation. This means 
>that our organisation has to be willing to go into a dialogue. It starts 
>with a willingness to listen. There are indications that this is improving.
>Given the relevance of the Wikimedia Foundation, there are many 
>organisations that are really keen to work together with us. Many of 
>these organisations have a wealth of data and money that they are 
>investing in activities that are complementary to what we do. By 
>collaborating, there is the potential that much of these resources will 
>be directed to Free information and resources. It may mean that things 
>do not happen in our projects. Our aim is to bring information to the 
>world, we serve our aim when we make this happen. For Free information 
>the one thing that really matters is that these resources are relevant 
>and easy to reach. Organisations want to collaborate with the WMF 
>because increased traffic for the information they care for is often 
>what they want to get out of such a collaboration. The opportunities are 
>there, one risk is that we are not able or willing to reach out, another 
>is that our community is too inward focused and consequently not willing 
>or able to collaborate.
>To me security and risk management are really important. The work done 
>that is in front of us needs to get done. Anthere indicated that issues 
>identified by the board have to be solved within specified time frames 
>by the executive. This is only feasible when the means to do this exist. 
>When the penalty for not finishing in time has the potential of 
>dismissal, it means that the risks become personal as well as 
>organisational. The consequence will be that day to day issues will 
>suffer and this will bring its own risks.
>    GerardM
>foundation-l mailing list
>foundation-l at lists.wikimedia.org

More information about the foundation-l mailing list