Board Risk Committee (BRC) – Meeting Minutes 28 May 2019

BRC Attendees: Harald Alverstrand, Rafael Lito Ibarra (Chair), Merike Kaeo, Akinori Maemura, Kaveh Ranjbar, Matthew Shears, and Tripti Sinha

Other Board Member Attendees: Cherine Chalaby

ICANN Organization Attendees: Michelle Bright (Director, Board Operations Content), Franco Carrasco (Board Operations Specialist), James Caulfield (Vice President, Risk Management), Samantha Eisner (Deputy General Counsel), Vinciane Koenigsfeld (Director, Board Operations), Elizabeth Le (Associate General Counsel), Cyrus Namazi (SVP, Global Domains Division), Wendy Profit (Senior Manager, Board Operations), Amy Stathos (Deputy General Counsel), and Christine Willett (VP, gTLD Operations)

The following is a summary of discussions, actions taken and actions identified:

  1. Draft Risk Report to the Board – The Committee reviewed and discussed materials prepared for a Risk Report to the Board from the Committee to be presented at the Marrakech ICANN meeting. The agenda items for the draft report are: activities of the Board Risk Committee; the Risk Register; and the New gTLD risk assessment associated with the 2012 round of the New gTLD Program. The BRC discussed, among other things, ICANN org's recommendations on the treatment of application fees and auction proceeds from the 2012 New gTLD Program and the risks associated with the Org's recommendations.

    • Action: ICANN org to revise materials for Board workshop to reflect BRC's discussion.
  2. Discussion of Tracking Risks – ICANN org presented a topic for discussion by the BRC regarding how it prefers ICANN org to track, present and provide follow up to the BRC on identified risks. The BRC is responsible for the assessment and oversight of policies implemented by ICANN org designed to manage ICANN's risk profile. While the existing Organization Risk Register that ICANN org discusses with the BRC includes top risks, it does not currently include granularity for those risks or risks specific to certain areas that the BRC has otherwise identified and discussed. Upon discussion, the BRC provided feedback to ICANN org, including that it would be useful for the Organization Risk Register to include more granularity about the risks already included in the register, as well as to add risks other than the top risks, such as short term risks or risks identified in the strategic plan and elsewhere. During the discussion, the BRC also requested ICANN org to consider providing the BRC with a future walk through of the full process being used by ICANN org to identify, evaluate and rate risks, as well as how it accounts for mitigation techniques for the identified risks. Additionally, there was discussion surrounding the existing assessments related to the security of ICANN org's systems and whether ICANN org should also consider conducting additional security reviews related to areas under ICANN org's remit.

Published on 27 August 2019