Minutes | Board Risk Committee (BRC) Meeting 12 November 2020

BRC Attendees: Rafael Lito Ibarra (Chair), Merike Kaö, Akinori Maemura, Kaveh Ranjbar, Matthew Shears, and Nigel Roberts

BRC Member Apologies: Harald Alverstrand

Other Board Member Attendees: León Sánchez

ICANN Organization Attendees: Michelle Bright (Director, Board Operations Content), Xavier Calvez (SVP, Planning and Chief Financial Officer), Franco Carrasco (Board Operations Specialist), James Caulfield (Vice President, Risk Management), Vinciane Koenigsfeld (Director, Board Operations), Elizabeth Le (Associate General Counsel), Terry Manderson (Sr. Director, Security and Network Engineering), Ashwin Rangan (SVP, Engineering & Chief Information Officer) and Amy Stathos (Deputy General Counsel)

The following is a summary of discussions, actions taken and actions identified:

  1. CyberSecurity Update – The Committee received a cybersecurity update from ICANN org, which included updates on annual disaster recovery testing, penetration testing, and incident response tabletop exercises, which are conducted to ensure incident response best practices are followed and that sufficient information security processes and safeguards are in place. The BRC received an update on the Information Security Ambassador Program which allows the Information Security team to cascade information to the org by providing monthly topical updates to representatives for each function within ICANN org, and these representatives would in turn share the information with the members in their function. The BRC also received an update on employee educational training programs including the annual mandatory information security awareness training, regular policy reviews, information security risk assessments, and security audits.
  2. Organization Risk Register Update – The Committee discussed the updates to the Organization Risk Register. The Committee was reminded that many of the Committee's discussions, including the discussion relating to the Organization Risk Register, contain highly sensitive and confidential information. The BRC reviewed the controls and mitigation in place for the updated risks.
  3. Risk Appetite Statement – The Committee received a briefing on a proposal to the Board to adopt the Risk Appetite Statement and reviewed the relevant materials. The Risk Appetite Statement articulates the level of risk which ICANN org is willing to take and retain on a broad level to deliver its mission; fulfils the Risk Management Framework target model as set by the Board; and informs the operations of ICANN organization. The BRC approved a recommendation to the Board to adopt the Risk Appetite Statement. Management Framework target model as set by the Board; and informs the

    • Actions: ICANN org to schedule the presentation of the Board Paper to the Board.
  4. BRC Workplan – The Committee discussed its current workplan, which is on target and the draft workplan through December 2021. The Committee noted that governance activities are presented more granularly. The Committee further noted that the workplan should be updated to include the Chair of the Audit Committee in a joint meeting of certain committee chairs.

    • Actions: ICANN org to update workplan as discussed. 
  5. Board Risk Workshop Draft Presentation Materials – The Committee reviewed the presentation materials for the upcoming Board Risk Workshop.
  6. BRC Report to the Board – The Committee reviewed a draft of the BRC Report to the Board, which is presented twice a year.
  7. AOB – There were no AOB items discussed.

The Chair then called the meeting to a close.

Published on 21 December 2020