Minutes – Board Risk Committee (BRC) Meeting 1 October 2018

BRC Attendees: Rafael Lito Ibarra (Co-Chair), Akinori Maemura, Ram Mohan (Co-Chair), Kaveh Ranjbar, and Jonne Soininen

BRC Member Apologies: Matthew Shears

Invited Observers: Tripti Sinha

ICANN Org Attendees: Susanna Bennett (SVP & Chief operating Officer), Michelle Bright (Director, Board Content Coordination), Xavier Calvez (SVP, Chief Financial Officer), Franco Carrasco (Board Operations Specialist), James Caulfield (Vice President, Risk Management), Nigel Hickson (VP, IGO Engagement), Aaron Jimenez (Senior Coordinator, Board Operations), Vinciane Koenigsfeld (Director, Board Operations), Wendy Profit (Senior Manager, Board Operations), Lisa Saulino (Senior Coordinator, Board Operations), Ashwin Rangan (Sr. VP Engineering & Chief Information Officer), and Amy Stathos (Deputy General Counsel)


The following is a summary of discussions, actions taken and actions identified:

  1. BRC Workplan Draft Proposal FY19 – The BRC reviewed the draft workplan for FY19. The committee noted that the draft workplan covers areas of specific oversight by BRC, rather than specific risks. The BRC agreed that specific risks should be included in the workplan.

    • Action: ICANN org to revise the draft workplan for FY19 for review by the BRC at its next meeting.

  2. Review of Barcelona BRC Materials – The BRC reviewed the draft presentation materials for ICANN63. Two BRC meetings are scheduled for ICANN63—two two-hour BRC Workshop sessions on Thursday, 18 October and Sunday, 21 October, and a Risk Report to the Board on Saturday, 20 October. The presentation materials are similarly divided into two parts—a BRC Workshop presentation, and Risk Report to the Board. The Risk Report to the Board includes the Risk Management Framework, the Risk Register update, overview of the BRC's engagement with other Board Committees, and solicitation of feedback from the Board regarding the frequency of the Risk Report to the Board.

    The BRC noted that the Risk Register was reviewed by the organizations Risk Management Committee, which reached consensus on what the risks were and which ones were the top risks. The Risk Register will be used to create the Risk Appetite Statement.

    The BRC discussed the top risks that the Risk Management Committee identified and that would be presented to the Board during ICANN 63. The BRC also noted that a cybersecurity update will also be presented as part of the Risk workshop.

    As part of the briefing on engagement with other Committees and working groups, the BRC considered whether the IDN Working Group and the equivalent of the GDPR working group should be added to this portion of the meeting at ICANN63.

    Further, the BRC discussed the frequency of the Risk Report to the Board. After some dialogue, the BRC concluded it would propose that the Board receive the Report twice a year: once in March and again at the Annual Meeting that takes place around October every year.

    Following discussions of the BRC Risk Report, the BRC briefly discussed the structure and content of the BRC Workshop Meeting. The BRC noted that the Workshop will be broken into two parts, one before, and one after the Risk Report presentation to the full Board. The BRC agreed to include discussions on risk management and the target operating model, followed by discussion of the Risk Register and risk appetite, in the first half of the Workshop. In the second half of the workshop, following its meeting with the full Board, the BRC would again discuss the Risk Register and feedback received from the Board, as well as the Cybersecurity briefing. It was also mentioned that going forward, the cybersecurity risk will be included as the rest of the risks, and not treated separately, unless it is deemed necessary.

    Finally, the BRC discussed the need for further dialogue regarding the presentation on risk appetite, and the need to focus on assisting BRC members in their understanding of what the risk appetite is, and what recommendations should be made for the organization. The aim would be that when the BRC arrives at the workshop in March 2019, the Risk Appetite Statement could be presented to the Board as a whole, giving the BRC four months to develop a robust and clear recommendation for a Risk Appetite Statement.

    • Action:

      • ICANN org to evaluate some of the discussion about the top risk and make revision prior to the sessions scheduled during ICANN63.

Published on 25 October 2018