Board Risk Committee (RC) – Minutes 7 April 2013

BRC Members: Steve Crocker; Thomas Narten (Non Voting Liaison); Gonzalo Navarro; Mike Silber – Chair; Judith Duavit Vazquez; and Suzanne Woolf (Non Voting Liaison)

Apologies: Ram Mohan (Non Voting Liaison)

Other Board Member Attendees: Bruce Tonkin

Staff Attendees: Akram Atallah, Edward Beck (via telephone), Geoff Bickers, Megan Bishop, Elise Gerich, Dan Halloran, John Jeffrey, Patrick Jones, Denise Michel, Jeff Moss, Erika Randall, Maguy Serad, and Amy Stathos

Invited Attendees: Ed Chavannes (Outside Advisor from Ernst & Young)


The following is a summary of discussions, decisions, and actions identified:

The Meeting was called to order at 2:53 pm local time in Beijing, China.

  1. Approval of Minutes — The BRC approved the minutes from the 31 January 2013 meeting.

  2. IT Best Practices review & recommendations — The BRC reviewed a summary of recommendations made following a review of IT systems and operations and a proposal for incorporating IT Best Practices. The recommendations were categorized as critical, highly recommended and recommended. The recommendations included, among other things, formalizing a strategic or annual IT plan, continuing efforts to consolidate the portfolio of software, and establishing a formal policy on the “buy-versus-build” decision process for IT solutions. Staff provided an update on the development of the IT Strategic Plan. To date, staff has created a roadmap of the portfolio of applications, and is evaluating the possibility of consolidating and eliminating redundancies in the applications.

  • Action:

    • Staff to deliver report on IT Best Practices Review to the BRC in April.

    • Staff to develop an implementation plan to present to the BRC, which will also prioritize the recommendations.

    • The BRC to review the strategic plan to ensure alignment of the IT best practices implementation plan with the strategic plan.

  • Enterprise Risk Management Update — Staff led a discussion on the updated enterprise risk management study performed by an outside consulting firm, which included discussion of past risk management assessments, an overall assessment framework to evaluate each department at ICANN, and an initial assessment of one ICANN Department. The BRC examined the metrics used in the risk evaluation and noted that adjustments are needed to the risk assessment criteria to account for ICANN's specific risk appetite. The BRC also discussed the need to factor in information from previous risk assessments going forward as the enterprise risk management strategy is developed. Staff and the BRC addressed whether additional resources are needed to perform the risk management functions within the organization.

    • Action:

      • Staff to provide a more detailed report of the Enterprise Risk Management Update presentation in advance of the May meeting.

      • The BRC to provide feedback on ICANN's risk appetite and strategic plan implications at the May meeting.

      • Staff to develop an action plan to complete risk assessments for the remaining ICANN departments.

      • The BRC to discuss at the May meeting the DNS Risk Management Framework developed by Westlake Governance.

  • New gTLD Risk Update — The BRC briefly discussed previous risk assessments of the New gTLD Program and the need to revisit the issue to assess the current status of how risks are being managed.

    • Action:

      • The BRC to discuss at a future meeting the current landscape of risks associated with the New gTLD Program.

  • Any Other Business — The BRC did not bring any further business to the table.

  • The meeting was adjourned at 4:15 pm local time in Beijing, China.