Skip to main content

Minutes – Board Risk Committee (BRC) Meeting

BRC Attendees: Rafael Lito Ibarra (Co-Chair), Akinori Maemura, Ram Mohan (Co-Chair), Kaveh Ranjbar, and Jonne Soininen

BRC Member Apologies: Matthew Shears

Invited Observers: Tripti Sinha

ICANN Org Attendees: Susanna Bennett (SVP & Chief operating Officer), Michelle Bright (Director, Board Content Coordination), Xavier Calvez (SVP, Chief Financial Officer), Franco Carrasco (Board Operations Specialist), James Caulfield (Vice President, Risk Management), Nigel Hickson (VP, IGO Engagement), Aaron Jimenez (Senior Coordinator, Board Operations), Vinciane Koenigsfeld (Director, Board Operations), Wendy Profit (Senior Manager, Board Operations), Lisa Saulino (Senior Coordinator, Board Operations), Ashwin Rangan (Sr. VP Engineering & Chief Information Officer), and Amy Stathos (Deputy General Counsel)

The following is a summary of discussions, actions taken and actions identified:

  1. BRC Workplan Draft Proposal FY19 – The BRC reviewed the draft workplan for FY19. The committee noted that the draft workplan covers areas of specific oversight by BRC, rather than specific risks. The BRC agreed that specific risks should be included in the workplan.

    • Action: ICANN org to revise the draft workplan for FY19 for review by the BRC at its next meeting.

  2. Review of Barcelona BRC Materials – The BRC reviewed the draft presentation materials for ICANN63. Two BRC meetings are scheduled for ICANN63—two two-hour BRC Workshop sessions on Thursday, 18 October and Sunday, 21 October, and a Risk Report to the Board on Saturday, 20 October. The presentation materials are similarly divided into two parts—a BRC Workshop presentation, and Risk Report to the Board. The Risk Report to the Board includes the Risk Management Framework, the Risk Register update, overview of the BRC's engagement with other Board Committees, and solicitation of feedback from the Board regarding the frequency of the Risk Report to the Board.

    The BRC noted that the Risk Register was reviewed by the organizations Risk Management Committee, which reached consensus on what the risks were and which ones were the top risks. The Risk Register will be used to create the Risk Appetite Statement.

    The BRC discussed the top risks that the Risk Management Committee identified and that would be presented to the Board during ICANN 63. The BRC also noted that a cybersecurity update will also be presented as part of the Risk workshop.

    As part of the briefing on engagement with other Committees and working groups, the BRC considered whether the IDN Working Group and the equivalent of the GDPR working group should be added to this portion of the meeting at ICANN63.

    Further, the BRC discussed the frequency of the Risk Report to the Board. After some dialogue, the BRC concluded it would propose that the Board receive the Report twice a year: once in March and again at the Annual Meeting that takes place around October every year.

    Following discussions of the BRC Risk Report, the BRC briefly discussed the structure and content of the BRC Workshop Meeting. The BRC noted that the Workshop will be broken into two parts, one before, and one after the Risk Report presentation to the full Board. The BRC agreed to include discussions on risk management and the target operating model, followed by discussion of the Risk Register and risk appetite, in the first half of the Workshop. In the second half of the workshop, following its meeting with the full Board, the BRC would again discuss the Risk Register and feedback received from the Board, as well as the Cybersecurity briefing. It was also mentioned that going forward, the cybersecurity risk will be included as the rest of the risks, and not treated separately, unless it is deemed necessary.

    Finally, the BRC discussed the need for further dialogue regarding the presentation on risk appetite, and the need to focus on assisting BRC members in their understanding of what the risk appetite is, and what recommendations should be made for the organization. The aim would be that when the BRC arrives at the workshop in March 2019, the Risk Appetite Statement could be presented to the Board as a whole, giving the BRC four months to develop a robust and clear recommendation for a Risk Appetite Statement.

    • Action:

      • ICANN org to evaluate some of the discussion about the top risk and make revision prior to the sessions scheduled during ICANN63.

Published on 25 October 2018

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."