Skip to main content

Minutes – Board Risk Committee (BRC) Meeting

Published 5 March 2016

BRC Attendees: Rafael Lito Ibarra, Ram Mohan – Co-Chair, Mike Silber – Co-Chair, George Sadowsky, and Kuo-Wei Wu

BRC Member Apologies: Jonne Soininen and Suzanne Woolf

ICANN Executives and Staff Attendees: Susanna Bennett (Chief Operating Officer), Megan Bishop (Board Operations Coordinator), Xavier Calvez (Chief Financial Officer), and Amy Stathos (Deputy General Counsel)

The following is a summary of discussions, actions taken, and actions identified:

  1. BRC Work Plan – Staff provided an overview of the updated BRC Work Plan for December 2014 through October 2015, which includes oversight of risk management and operational risks.

    • Action:

      • Staff to develop a 2016 Work Plan and circulate it to the BRC after the feasibility and time/resource assessment is completed (see below).

  2. Risk Workshop – Staff provided background information regarding the topics discussed in the September 2014 Risk Workshop, current status, and next steps. ICANN staff, in coordination with outside consultants, created a model to identify and assess the maturity of the function of seven types of risk management activities. During the course of the Risk Workshop, the participants provided a recommendation as to what the target position should be for each of the seven activities. The BRC reviewed these target positions and discussed the proposed three-year time frame (from the date of the Risk Workshop). The next steps include validation of the target positions, understanding any interdependencies between the activities, and assessment of the time and resource requirements.

    • Action:

      • Staff to send enterprise risk methodology materials to new BRC members.

      • Staff to conduct a feasibility analysis of the target positions (with input from outside consultants), including a first assessment of the time and resource requirements.

  3. Risk Rating Methodology – Staff explained that, over the past two years, ICANN has developed a process to identify risks and update the assessment of those risks on a quarterly basis, though no quantified rating has been performed. The risk rating methodology presented is a systematic approach to rating the risks, which takes into account the prioritization level, the severity, and the likelihood of those risks, along with the effectiveness of the mitigating activities that have been put into place. The resulting rating is directional in nature and helps define the urgency of the risks. This methodology will be applied to ICANN's existing list of risks (which is comprised of approximately 30 identified risks).

    • Action:

      • Staff to apply the risk rating methodology to the list of risks and provide those results to the BRC for review and comment.

  4. IT Update – Staff confirmed that members received the last IT update sent on 28 September 2015 and asked if there were any questions regarding the information contained in the update, which included an IT-specific scope of review of risks and mitigating activities.

    • Action:

      • Staff to send 28 September 2015 IT update to new BRC members.

  5. Approval of Minutes – Staff provided an update on the status of the approval of minutes from the 19 June 2015 BRC meeting, explaining that a preliminary report was circulated to the BRC and certain members provided feedback. The BRC asked staff to circulate a revised draft to the BRC for review and approval as minutes.

    • Action:

      • Staff to revise the preliminary report from the 19 June 2015 BRC meeting and circulate to the BRC members for review and approval.

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."