Minutes | Board Risk Committee (BRC) Meeting 25 September 2019

BRC Attendees: Harald Alverstrand, Rafael Lito Ibarra (Chair), Merike Kaeo, Akinori Maemura, Kaveh Ranjbar, Matthew Shears, and Tripti Sinha

Other Board Member Attendees: Cherine Chalaby

ICANN Organization Attendees: Susanna Bennett (SVP, Chief Operating Officer). Michelle Bright (Director, Board Operations Content), Franco Carrasco (Board Operations Specialist), James Caulfield (Vice President, Risk Management), David Closson (Director, Data Center & Cloud Operations), Vinciane Koenigsfeld (Director, Board Operations), Elizabeth Le (Associate General Counsel), Ashwin Rangan (SVP Engineering & Chief Information Officer) and Amy Stathos (Deputy General Counsel)

---

The following is a summary of discussions, actions taken and actions identified:

1. E&IT Report on Disaster Recovery Testing and Incident Response Tabletop Exercise - The Committee received a briefing and overview of the annual disaster recovery testing. The Disaster Recovery (DR) Plan is tested every 12 months from the July through September timeframe to ensure that it is still functional and effective. The testing is broken into two main groups. The two test groups are full interruption test group and parallel test group. The 2018 test results, which reflected that all services failed over to an alternate region successfully, have been fully collated and absorbed into the organization. The 2019 tests have been completed but the results are not yet available. The BRC also received an update on the incident response tabletop exercise, which is conducted to ensure incident response best practices are followed and that sufficient information security processes and safeguards are in place. The exercise is conducted every 24 months by an external expert "Red Team." The incident response tabletop exercise was conducted approximately four months ago. The BRC noted that the presentation on the annual disaster recovery testing and the incident response tabletop exercise will be presented to the full Board at the Montreal workshop in November 2019.
2. Organization Risk Register Update – The Committee discussed the updates to the Organization Risk Register. The Committee is reminded that many of the Committee's discussions, including the discussion relating to the Organization Risk Register, contain highly sensitive and confidential information. The BRC reviewed the controls and mitigation in place for these updated risks. The Committee agreed to further discuss face to face whether certain risks belong on the Organization Risk Register.

3. Meeting Materials for ICANN 66 - The Committee reviewed and discussed materials prepared for the full Board at ICANN 66, which includes a draft Board Risk Committee Report and materials for the Risk Management Workshop. The materials for the workshop are being developed and will be distributed to the Committee within the next week. The Committee was presented with a draft agenda for the workshop.

   • Action: ICANN org to prepare and circulate materials for Board workshop.
4. BRC Activities – The Committee reviewed its activities to date, which are on target with the Committee's work plan and which include consistent risk management activities, strengthening the cadence of Committee meetings, and work on the deliverable for Board Operational Priority 3.3 (monitoring and reporting the existential threats and opportunities that may impact ICANN).
5. Mapping Strategic Risks to the Organization Risk Register – The Committee received a briefing on mapping of strategic risks to the risks in the Organization Risk Register. It was noted that while two risks do not map directly to the Organization Risk Register; they are covered in Function Risk Registers.
6. BRC Workplan – The Committee discussed its current workplan, which is on target and the draft workplan for FY20.

Published on 21 November 2019