Board Risk Committee (RC) Meeting – Minutes
RC Attendees: Steve Crocker, Bill Graham, Ram Mohan, Mike Silber – Chair, Jonne Soininen, Kuo-Wei Wu, Gonzalo Navarro, and Suzanne Woolf
Executive and Staff Attendees: Susanna Bennett (Chief Operating Officer), Megan Bishop (Board Support Coordinator), John Jeffrey (General Counsel and Secretary), Jacks Khawaja (Enterprise Risk Director), Randy Watanabe (Enterprise Risk Manager), Christine Willett (Vice President, gTLD Operations), John Crain (Chief Security, Stability & Resiliency Officer), and Amy Stathos (Deputy General Counsel)
Invited Attendees: Rinalia Abdul Rahim and Asha Hemrajani
The following is a summary of discussions, actions taken, and actions identified:
- Action items: Staff provided a recap of the action items stemming from the Board Workshop in Istanbul and indicated that most of the noted action items will be addressed in this RC meeting.
- DNS Risk Assessment: Staff provided an update on the DNS Risk Assessment, noting that 23 risks were identified via the DNS Risk Assessment Project. Staff is currently assessing and categorizing each risk regarding: (a) areas within ICANN's direct control; (b) areas where ICANN can have direct influence; and (c) areas outside of ICANN's control. Staff intends to write whitepapers regarding each of the identified risks that can then be discussed. The whitepapers regarding denial of service, IP transition from IPv4 to IPv6, and DNS resolving are being drafted for discussion during ICANN 51.
- Staff to consider gathering data from APNIC regarding the usage of IPv6 and utilizing the data in the President and CEO's Community Report.
- Staff to consider preparing whitepapers on the 23 risks identified in the DNS Risk Assessment.
- Staff to review and report on the approach and challenges between the risk management model and the Universal Acceptance approach.
- Staff to update the Committee on the results of the ICANN 51 DNS Risk Community Session.
- Enterprise Risk Management Update: Staff provided an update on the progress of the ERM Dashboard, which includes prioritization of risks and refinement of the Key Performance Indicators (KPIs). In its 10 September 2014 meeting, the RC tasked staff with: (i) gathering the 2015 risk ratings; (ii) ranking the risks according to likelihood and severity of that risk; (iii) creating a summary of the most critical risks affecting ICANN; and (iv) identifying applicable KPIs for each identified risk. Staff provided an overview of the top 10 ranked risks along with recommended KPIs. The RC discussed the identification of the top risks, the prioritization of those risks, and the refinement of the KPIs to measure the progress and expected outcome of each risk.
- Staff to confirm the identification and prioritization of the enterprise risks with the global leaders to ensure there is consensus regarding the top ranked risks.
- Staff to review the recommended KPIs with the global leaders to determine whether and what further refinement is needed.
- New gTLD Risk Update: Staff provided an overview of the new gTLD risk quantification update, identifying: (i) the Key Risks of the New gTLD Program; (ii) the mitigation efforts and existing controls applicable to each risk; (iii) the potential impact of each risk; and (iv) the likelihood of occurrence of each risk. Next steps include quantification of the costs of the identified risks, and creation of a communications plan.
Published on 6 February 2015