ICANN Resolutions » ICANN Organization Risk Appetite Statement

Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.

ICANN Organization Risk Appetite Statement


Resolution of the ICANN Board
Meeting Date: 
Thu, 17 Dec 2020
Resolution Number: 
2020.12.17.09
Resolution Text: 

Whereas, the ICANN Board previously recognized the benefit of and need for a Risk Management Framework to guide the ICANN organization in managing risks it faces.

Whereas, the ICANN Board previously set a target model for the Risk Management Framework including a Risk Appetite Statement.

Whereas, risk management involves the identification of vulnerabilities to the organization and therefore it would not be prudent to publish the Risk Appetite Statement.

Resolved (2020.12.17.09), the Board approves the ICANN Organization Risk Appetite Statement and directs the President and CEO, or his designee(s), to publish a summary of it.

Rationale for Resolution: 

This Risk Appetite Statement articulates the level of risk which ICANN organization is willing to take and retain on a broad level to deliver its mission.

The ICANN Organization Risk Appetite Statement:

Communicates to personnel that they need to pursue objectives within acceptable risk limits.
Provides input for prioritization for planning and budgeting.
Guides the Board and in its decision making and can be considered as part of the rationale that accompanies Board resolutions.
Informs performance management and incentive measurement, and guides personnel to make decisions that are aligned to the organizational risk appetite.
Encourages a risk management, not risk aversion, culture so that risk management is a responsibility shared across the organization and for which all personnel are accountable.
Enhances ICANN's reputation by demonstrating that the organization is committed to proactively managing risk.
The ICANN Board and the ICANN Executive Team require that a robust Risk Management Framework be developed and implemented for ICANN organization. As part of the Target Operating Model for Risk Management, a Risk Appetite Statement is part of a mature framework.

The Board of Directors and the ICANN org Executive Team are responsible for making informed decisions to set the level of accepted risk. The Risk Appetite Statement specifies the risks the organization is willing to take and retain, thereby demonstrating the risk appetite of the leadership of ICANN which can then be used to guide the operations of ICANN.

Note that by design any Risk Appetite Statement is a high-level articulation of the risks faced by an organization. The intention is to provide a concise overview that is accessible to all personnel and the Board. Further, risks often involve vulnerabilities or threats to the organization, and it would be imprudent for any organization to provide public details of such risks.

The Risk Appetite Statement was developed by the organization's Risk Management function in collaboration with representation of every organization function. The Risk Appetite Statement was reviewed by the organization Executive Team and approved by the ICANN President and CEO for consideration by the Board Risk Committee. The Board Risk Committee reviewed and recommended that the Board approve the ICANN organization Risk Appetite Statement. The Board received a presentation on the Risk Appetite Statement earlier in 2020.

Adopting the Risk Appetite Statement is in the public interest and is also fully consistent with ICANN's mission as it articulates the risk appetite of the leadership of ICANN which can then be used to guide the operations of ICANN organization more efficiently and consistently from a risk management perspective.

Adopting the BRC's recommendation has no financial impact on ICANN that was not otherwise anticipated; and it formalizes the Risk Management Framework of ICANN organization, and strengthens its approach to managing the risks it faces, therefore could have a positive impact on the security, stability and resiliency of the domain name system.

This is an Organizational Administrative Function that does not require Public Comment.