Minutes - Risk Committee (RC) Meeting 24 October 2009

Committee Attendees: Bruce Tonkin – Chair, Steve Crocker, Steve Goldstein, Ray Plzak, Rajasekhar Ramaraj, and Wendy Seltzer

Other Board Attendees: Peter Dengate Thrush – Chair of the Board and Suzanne Woolf

Invited Attendees: George Sadowsky and Jonne Soininen

Staff members present: Doug Brent – COO, John Jeffrey – General Counsel, Greg Rattray – Chief Internet Security Advisor, Theresa Swinehart – VP, Global and Strategic Partnerships, Kevin Wilson – CFO; Samantha Eisner, Patrick Jones, Diane Schroeder, and Amy Stathos

The following is a summary of discussions, actions taken and actions identified:

  1. Received update on and discussed ongoing efforts to formalize a successful risk management process within the organization and the risk identification process, including:
    1. Reviewed the revised risk inventory;
    2. Reviewed the three-year risk identification and compared it to the 12-month risk identification;
    3. Reviewed proposed risk mitigation approaches for six key risks;
    4. Discussed the integration of the risk identification process into ICANN’s project process, and received a report that this integration has already begun with the New gTLD program;
    5. Received update on staff’s work to review key scenarios, such as natural disasters, to integrate a non-quantitative approach to risk management; and
    6. Received update on initial list of strategic programs, in addition to the New gTLD program, that have been identified for integration of a project-level risk management process.
      • Actions:
        • Staff to continue to refine work.
        • Staff to continue to refine terminology and determine the relationship among the 20 items reflected on the risk inventory to further refine the list and better describe ICANN’s trust relationship with governments.
        • RC members to review the risk inventory and provide feedback.
        • Staff to provide Board Governance Committee with information on perceived risks of Board member conflicts of interest.
        • Staff to map risk planning to budget to determine if there are any items requiring resources during FY10 that are not currently accounted for in the budget, particularly as they relate to the corporate business continuity program, and also identify budgetary needs for risk mitigation implementation as part of the FY11 planning and budgeting process.
        • Staff to refine list of projects proposed for integration of a project-level risk management process.
        • Staff, working with the CEO, to recommend a structure to provide briefing to RC on risk management work in significant programs, such as the New gTLD Program, and provide best practices for project reporting to include in an Enterprise Risk Management policy.
  2. Received update from Staff on development of a charter for management Risk Oversight Committee.
    • Action:
      • Staff to work with CEO to provide the RC a recommendation and report on management’s risk oversight process.