In 2017 the Open Innovation team set goals envisioning Mozilla’s Community Participation Guidelines as a tool not only for consequence, but as a measure and strong influence of community health overall.

Through the lens of hundreds of contributors, to over two-hundred open projects represented in our D&I for Open Source survey, we further recognize the work of 2018 in FOSS is to make inclusive open governance effective, understood —and real.

If your project has a Code of Conduct/CPG, is it effectively enforced?

While 70.3% of survey respondents indicated that yes, their project had a Code of Conduct — only 42.9% believed it was enforced, with a majority unsure or skeptical.

In this post I’ll share our current work (including links to resources) building a framework of processes, standards and best practices for response to Code of Conduct incident reports.

This post will not outline how to write a good Code of Conduct, there are plenty of resources for that. I am also not suggesting that process can trump culture issues.

“Our community has a watered down CoC, it’s not really enforced but everyone likes to say it is” — Anonymous response from FOSS contributor to D&I for Open Source Survey

I am suggesting that by getting response right culture will benfit — we can generate beacon signaling — inclusion matters here, you matter here.

“The Heart of Mozilla is People”

This is the first line of our Community Participation Guidelines — and an nudge to keep empathy at center when designing response processes. Who are you designing for? Who is impacted? What are their needs, expectations, dependencies, potential bias and limitations?

With these questions, and others in mind, we generated the following workflow with process milestones:

Proposed Milestones for Response to Incident Reports

Note: If this is something you are interested in doing for your project — please reach out and I’ll share our Design Thinking for CoC Incident Response Workshop (which is currently in draft).

Discovery

Discover Milestone

Many contributors seek validation from community leaders they know and trust before considering an official process. — Mozilla D&I for Communities & Contributors Research 2017

If people don’t understand and trust the process, it’s very unlikely they will report at all. The Discovery Milestone is about invitation, it’s about ensuring communities can find information about where to report, who has access to that their information, expected timelines and communication.

Reporting & Triage

The Reporting, Triage Milestones might seem obvious, but within it, are important criteria for moving to investigation and acting on urgency where required. Our reporting form was designed to help us isolate and understand reports in short periods of time.

We‘ve designed an issue triage system, using a series of questions and tags to trigger actions. I also use a template to isolate each identified violation which I’ve found super helpful. I’m also working to create templates of communication — like this one .

Some of our Triage Labels

Investigation

The Investigation Milestone varies with every report. Early on we recognized that if we were to generate actionable recommendations we needed to to first understand who was accountable for making that decision, who was impacted, and what consultation was needed to sign-off. We use this template to build RASCIs for decision making, and this has been one of the most successful pieces of our process so far.

Decision Making RASCI — see link for full description of roles

Often, a working group generates a preliminary set of recommendations. The size of that group is purposely kept small — and only of key stakeholders; with consultation expanding and contracting as needed. Where cases are simpler a working group is replaced with a coordinator. In both cases to ensure quality outcomes, we’ve set the coordinators role as a facilitator of decision, and not a decision maker — which better empowers the process.

Recommendations

The Recommendations Milestone, in non-urgent cases is one of iteration and decision making. We’ve been using this Consequence Ladder, that describes both escalation of response and severity of violation. We’re constantly improving this.

Link to full document here

Notify & Follow-Up

We’re building communication templates for each level of the consequence ladder to satisfy important goals in the Notify & Follow-up Milestones, for both reporter, and reported. Something we’re working on is timelines for response dependent on the type of report. This will be embedded in the triage process as well.

Additionally, these milestones include recognition that actionable safety plans exist for people in situations of risk are crucial. This is very case-dependent but we are working on standardizing some of those best practices to share soon.

Resolution

The final milestone ‘Resolution’ signals appropriately, that resolutions are only achieved when all actions of approved recommendations have been completed. That includes, in the case of bans — what we call a CPG Onboarding which is a requirement for reinstatement.