Skip to main content

Minutes | Board Risk Committee (RC) Meeting

Posted 19 June 2015

BRC Attendees: Rinalia Abdul Rahim, Ram Mohan- Co-Chair, Mike Silber – Co-Chair, Jonne Soininen, Suzanne Woolf, and Kuo-Wei Wu

Other Board Member Attendees: Fadi Chehadé, Chris Disspain, Markus Kummer, George Sadowsky and Bruce Tonkin

ICANN Executives and Staff Attendees: Akram Atallah (President, Global Domains Division), Susanna Bennett (Chief Operating Officer), Megan Bishop (Board Support Coordinator), Xavier Calvez (Chief Operating Officer), David Conrad (Chief Technology Officer), Sally Costerton (Sr. Advisor to the President – Global Stakeholder Engagement), John Jeffrey (General Counsel and Secretary), Daniel Halloran (Deputy General Counsel), Elizabeth Le (Senior Counsel), Ashwin Rangan (Chief Innovation and Information Officer), and Amy Stathos (Deputy General Counsel)

The following is a summary of discussions, actions taken, and actions identified:

  1. ERM Roadmap – The BRC discussed the focus, governance and structure, methodology, and roadmap for ICANN Enterprise Risk Management (ERM). Staff explained that: (a) the ERM focus includes the Five-Year Strategic & Operating Plans, evaluating the priorities and risk appetite of the organization, and obtaining Board and stakeholder insights; (b) sound governance and structure includes assessing, mitigating, improving and monitoring risks, as well as defining and committing to the roles and accountability of business operations, management assurance, independent assurance, and oversight; and (c) effective methodology includes applying best practices models and utilizing an integrated approach. ICANN has selected the Committee Of Sponsoring Organizations (COSO) Internal Control-Integrated Framework as the preferred methodology, with modification as necessary, in part because it is professionally recognized and accepted globally, it is applicable to ICANN's needs, and it allows for an integrated approach along with other models. The ERM five-year roadmap includes aligning itself annually with the Five-Year Strategic & Operating Plans, currently defining and annually re-evaluating the priorities and risk appetite of the organization, seeking Board and stakeholder input, currently defining and annually re-validating the roles and accountability of the stated groups, and refining and re-evaluating the methodology each year over the five year span.
    • Action: Staff to slightly revise slide re: timing of evaluation.
  2. Modified Top 10 Risk Descriptions – Staff provided an update on the modified descriptions of a few of the top ten risks based on BRC review and comments. The BRC reviewed and discussed the top ten risks, and its plan to share the risks with the community once the risk descriptions and categories have been fully vetted by the BRC.
    • Action – Staff to add risk category to the top ten risks list.
  3. BRC Work Plan – Staff provided an overview of the updated BRC Work Plan for December 2014 thru October 2015, which includes oversight of risk management and operational risks. The BRC reviewed the Work Plan and approved it as the work plan for the BRC going forward.
  4. Quarterly Report – Staff provided an overview of the FY15 Q3 Quarterly Report including changes to Key Success Factors (KSFs), Key Performance Indicators (KPIs), and mitigation status for the top ten risks.
  5. Review of Reserve Fund Risk Assessment – Staff provided a summary of the risk identification from the Reserve Fund Risk Assessment, and how these risks mapped against both the Risk Register as well as the Strategic Plan. Staff explained how these risks translated into consequences or events, to be covered by the reserve fund.
    • Action – Staff to confer with co-chairs re: potentially scheduling BRC call prior to ICANN 53 to address mitigation plans, mapping, and reserve fund scenarios identified by the Reserve Fund Working Group.
  6. Review of SO/AC Risk Assessment – Staff provided a summary of the risks identified by several community groups, including the Business Constituency (BC), the Intellectual Property Constituency (IPC), the Non-Commercial Stakeholder Group (NCSG), the Internet Service Providers & Connectivity Providers (ISPCP), and the ccNSO Strategic and Operational Planning Working Group. The BRC reviewed the summary and provided input regarding whether to include one or more in the top ten risks, whether some of them should be modified and included as a risk, but not one of the top ten, and whether any of the identified risks were already captured by the 30+ enterprise risks that were previously developed and published. Next steps include validation with management, communication with the community groups, and preparation of the final version for review.
    • Action – Staff to modify community groups risk assessment summary based upon BRC comments and input, and then provide to BRC for further consideration.
Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."