Minutes | Board Risk Committee (RC) Meeting | 24 April 2015
Posted 19 June 2015
BRC Attendees: Rinalia Abdul Rahim, Ram Mohan- Co-Chair, Mike Silber – Co-Chair, Jonne Soininen, Suzanne Woolf, and Kuo-Wei Wu
Other Board Member Attendees: Fadi Chehadé, Chris Disspain, Markus Kummer, George Sadowsky and Bruce Tonkin
ICANN Executives and Staff Attendees: Akram Atallah (President, Global Domains Division), Susanna Bennett (Chief Operating Officer), Megan Bishop (Board Support Coordinator), Xavier Calvez (Chief Operating Officer), David Conrad (Chief Technology Officer), Sally Costerton (Sr. Advisor to the President – Global Stakeholder Engagement), John Jeffrey (General Counsel and Secretary), Daniel Halloran (Deputy General Counsel), Elizabeth Le (Senior Counsel), Ashwin Rangan (Chief Innovation and Information Officer), and Amy Stathos (Deputy General Counsel)
The following is a summary of discussions, actions taken, and actions identified:
- ERM Roadmap – The BRC discussed the focus, governance and structure, methodology, and roadmap for ICANN Enterprise Risk Management (ERM). Staff explained that: (a) the ERM focus includes the Five-Year Strategic & Operating Plans, evaluating the priorities and risk appetite of the organization, and obtaining Board and stakeholder insights; (b) sound governance and structure includes assessing, mitigating, improving and monitoring risks, as well as defining and committing to the roles and accountability of business operations, management assurance, independent assurance, and oversight; and (c) effective methodology includes applying best practices models and utilizing an integrated approach. ICANN has selected the Committee Of Sponsoring Organizations (COSO) Internal Control-Integrated Framework as the preferred methodology, with modification as necessary, in part because it is professionally recognized and accepted globally, it is applicable to ICANN's needs, and it allows for an integrated approach along with other models. The ERM five-year roadmap includes aligning itself annually with the Five-Year Strategic & Operating Plans, currently defining and annually re-evaluating the priorities and risk appetite of the organization, seeking Board and stakeholder input, currently defining and annually re-validating the roles and accountability of the stated groups, and refining and re-evaluating the methodology each year over the five year span.
- Action: Staff to slightly revise slide re: timing of evaluation.
- Modified Top 10 Risk Descriptions – Staff provided an update on the modified descriptions of a few of the top ten risks based on BRC review and comments. The BRC reviewed and discussed the top ten risks, and its plan to share the risks with the community once the risk descriptions and categories have been fully vetted by the BRC.
- Action – Staff to add risk category to the top ten risks list.
- BRC Work Plan – Staff provided an overview of the updated BRC Work Plan for December 2014 thru October 2015, which includes oversight of risk management and operational risks. The BRC reviewed the Work Plan and approved it as the work plan for the BRC going forward.
- Quarterly Report – Staff provided an overview of the FY15 Q3 Quarterly Report including changes to Key Success Factors (KSFs), Key Performance Indicators (KPIs), and mitigation status for the top ten risks.
- Review of Reserve Fund Risk Assessment – Staff provided a summary of the risk identification from the Reserve Fund Risk Assessment, and how these risks mapped against both the Risk Register as well as the Strategic Plan. Staff explained how these risks translated into consequences or events, to be covered by the reserve fund.
- Action – Staff to confer with co-chairs re: potentially scheduling BRC call prior to ICANN 53 to address mitigation plans, mapping, and reserve fund scenarios identified by the Reserve Fund Working Group.
- Review of SO/AC Risk Assessment – Staff provided a summary of the risks identified by several community groups, including the Business Constituency (BC), the Intellectual Property Constituency (IPC), the Non-Commercial Stakeholder Group (NCSG), the Internet Service Providers & Connectivity Providers (ISPCP), and the ccNSO Strategic and Operational Planning Working Group. The BRC reviewed the summary and provided input regarding whether to include one or more in the top ten risks, whether some of them should be modified and included as a risk, but not one of the top ten, and whether any of the identified risks were already captured by the 30+ enterprise risks that were previously developed and published. Next steps include validation with management, communication with the community groups, and preparation of the final version for review.
- Action – Staff to modify community groups risk assessment summary based upon BRC comments and input, and then provide to BRC for further consideration.