Minutes | Meeting of the Risk Committee of the Board (BRC) | 30 May 2023

BRC Attendees: Harald Alvestrand (Chair), Becky Burr, Chris Chapman, James Galvin, Wes Hardaker, Christian Kaufmann, Patricio Poblete, and Matthew Shears

ICANN Organization Attendees: Michelle Bright (Board Content Coordination Director), Xavier Calvez (SVP, Planning and Chief Financial Officer), Franco Carrasco (Board Operations Manager), James Caulfield (Vice President, Risk Management), John Crain (SVP, Chief Technology Officer), Matt Larson (VP, Research), Elizabeth Le (Associate General Counsel), Terry Manderson (VP, Information Security and Network Engineering), Ashwin Rangan (SVP, Engineering and Chief Information Officer), and Amy Stathos (Deputy General Counsel)

The following is a summary of discussions, actions taken, and actions identified:

1. Introduction and Opening Remarks – The Chair opened the meeting and introduced the agenda.
2. Root Server System Security – The Committee received a briefing on potential types of attacks on the Root Server System (RSS), the consequences of such attacks, and the measures to mitigate against such attacks.
3. Org Risk Register Update – The Committee discussed the most recent updates to the Risk Register and reviewed the controls and mitigation measures in place for the updated risks. The updates are a result of a periodic validation of the Risk Register and the Risk Controls Assessment process. The Risk Register was reviewed by the org's CEO Risk Management Committee and approved by the Interim President and CEO.

4. Risk Appetite Statement – The Committee considered proposed updates to the Risk Appetite Statement to reflect a change of risks in the Org Risk Register and the risk profiles as they relate to Risk Appetite Statement. The Committee discussed the purpose of a Risk Appetite Statement, external versus internal risks, and suggested edits to the proposed revisions to the Risk Appetite Statement. The Committee asked ICANN org to revise the draft updates to the Risk Appetite Statement to reflect the Committee's discussion and circulate to the Committee via email for review.

   • Action - ICANN org to revise the draft updates to the Risk Appetite Statement to reflect the Committee's discussion and circulate to the Committee via email for review.

5. Review of Draft Materials for BRC Report to Board – The Committee discussed the materials for the BRC Report to the Board, which is being scheduled for the Board workshop in Washington, D.C., time permitting, or some time thereafter. The Committee noted that the materials will be updated to reflect the current status of revisions to the Risk Appetite Statement based on the Committee's discussion today.

   • Action – ICANN org to continue working on scheduling the BRC Report to the Board session.

6. AOB – The Committee discussed how human resources risks are addressed in the Org Risk Register and Risk Appetite Statement. ICANN org indicated that it would provide the Committee with a comprehensive overview of the human resources risks identified in the Risk Register and the mitigation controls in place for those risks.

   • Action – ICANN org to provide the Committee with a comprehensive overview of the human resources risks identified in the Risk Register and the mitigation controls in place for those risks.