
Board Risk Committee (RC) – Minutes

BRC Members: Steve Crocker; Thomas Narten (Non Voting Liaison); Gonzalo Navarro; Mike Silber – Chair; Judith Duavit Vazquez; and Suzanne Woolf (Non Voting Liaison)

Apologies: Ram Mohan (Non Voting Liaison)

Other Board Member Attendees: Bruce Tonkin

Staff Attendees: Akram Atallah, Edward Beck (via telephone), Geoff Bickers, Megan Bishop, Elise Gerich, Dan Halloran, John Jeffrey, Patrick Jones, Denise Michel, Jeff Moss, Erika Randall, Maguy Serad, and Amy Stathos

Invited Attendees: Ed Chavannes (Outside Advisor from Ernst & Young)

The following is a summary of discussions, decisions, and actions identified:

The Meeting was called to order at 2:53 pm local time in Beijing, China.

  1. Approval of Minutes — The BRC approved the minutes from the 31 January 2013 meeting.

  2. IT Best Practices review & recommendations — The BRC reviewed a summary of recommendations made following a review of IT systems and operations and a proposal for incorporating IT Best Practices. The recommendations were categorized as critical, highly recommended and recommended. The recommendations included, among other things, formalizing a strategic or annual IT plan, continuing efforts to consolidate the portfolio of software, and establishing a formal policy on the “buy-versus-build” decision process for IT solutions. Staff provided an update on the development of the IT Strategic Plan. To date, staff has created a roadmap of the portfolio of applications, and is evaluating the possibility of consolidating and eliminating redundancies in the applications.

  • Action:

    • Staff to deliver report on IT Best Practices Review to the BRC in April.

    • Staff to develop an implementation plan to present to the BRC, which will also prioritize the recommendations.

    • The BRC to review the strategic plan to ensure alignment of the IT best practices implementation plan with the strategic plan.

  • Enterprise Risk Management Update — Staff led a discussion on the updated enterprise risk management study performed by an outside consulting firm, which included discussion of past risk management assessments, an overall assessment framework to evaluate each department at ICANN, and an initial assessment of one ICANN Department. The BRC examined the metrics used in the risk evaluation and noted that adjustments are needed to the risk assessment criteria to account for ICANN's specific risk appetite. The BRC also discussed the need to factor in information from previous risk assessments going forward as the enterprise risk management strategy is developed. Staff and the BRC addressed whether additional resources are needed to perform the risk management functions within the organization.

    • Action:

      • Staff to provide a more detailed report of the Enterprise Risk Management Update presentation in advance of the May meeting.

      • The BRC to provide feedback on ICANN's risk appetite and strategic plan implications at the May meeting.

      • Staff to develop an action plan to complete risk assessments for the remaining ICANN departments.

      • The BRC to discuss at the May meeting the DNS Risk Management Framework developed by Westlake Governance.

  • New gTLD Risk Update — The BRC briefly discussed previous risk assessments of the New gTLD Program and the need to revisit the issue to assess the current status of how risks are being managed.

    • Action:

      • The BRC to discuss at a future meeting the current landscape of risks associated with the New gTLD Program.

  • Any Other Business — The BRC did not bring any further business to the table.

  • The meeting was adjourned at 4:15 pm local time in Beijing, China.
