Strategic Risk Committee Meeting Minutes

25 August 2014 – 11.00am

Present:

Julie Hammer (Chair), Adam King, Chris Disspain, Erhan Karabardak, George Pongas, Jo Lim, Josh Rowe, Kartic Srinivasan, Jacki O’Sullivan (Minutes)

Apologies:

Nil

1.  Previous Minutes

  • The Committee noted the previously approved and published 14 April 2014 minutes.

2.  Review of Outstanding Action Items:

  • Own Cloud:
    • Adam King gave an update on the Own Cloud implementation, which is currently set up and being tested by auDA staff.  Once staff testing is complete, it will be set up and tested first for the Risk Committee, which will develop a folder framework and guidelines for use, and subsequently for the auDA Board.
  • Handover Brief, Disaster Recovery and Threat Matrix documents:
    • Adam King noted these documents had been rolled into the Information Security Standard (ISS) accreditation process that auDA is currently implementing.  (The auDA systems will be accredited in accordance with the ISS in the same manner as all Registrars’ systems.) The final documents will be shared via Own Cloud in due course.
  • Reporting proposal:
    • The proposal for reporting going forward was summarised by the Chair:
      • The Risk Committee will focus its attention on strategic risks and will consider each meeting whether there have been any changes to the risk environment.
      • Operational risks will be reviewed by the CEO/COPO prior to each meeting to identify any issues which need to be brought to the Committee’s attention.
      • Only those items on the Risk Action Status Report which have a red or possibly yellow ‘traffic light’ status will be discussed by the Committee.
      • Should risks of an urgent nature be identified, the Committee will either deal with these by email or schedule an additional meeting.
      • The Committee agreed to the reporting approach.

3.  Risk Action Status Report:

  • Risk Actions were reviewed.
  • It was agreed that CD/JL/AK will monitor and conduct an internal staff risk meeting on a regular monthly basis and will report to the Committee on any risks that become red or have significant changes.
  • The Committee was advised that the Crisis Communications Plan has been completed and that outstanding actions were in the process of being implemented/completed.  It is planned to run a crisis communications exercise in the office in the near future, and a report will be circulated to the Committee for review before being presented to the auDA Board.

4.  Changes to Risk Environment

  • The following items were identified for review, and any possible impact on the Risk Log was discussed:
    • New Government and changes in Department arrangements - no change required to the Risk Log.
    • IANA Stewardship Transition – several new risks were identified for inclusion in the Risk Log under Risk Category 7 – International Environment:
      • Risk of the consensus-based solution for the USG role transition not being acceptable to auDA.
      • Risk that the Australian Government may wish to impose additional process on auDA.
    • Roll out of new gTLDs – no status change at present – too early to evaluate impact – for discussion at next meeting.
    • Recent security incidents – JL will update the Risk Log as required.  New risks need to be added under Risk Category 4 – Security Threats and Attacks against .au, Risk Category 5 – Registrar Security Breach, and Risk Category 6 – Government Relations.
    • DNSSEC rollout for .au – being reported in the CEO report.  Now that the rollout is imminent, specific risks need to be included under Risk Category 3 – The Critical Nature of the DNS, specifically under 3.1 and 3.3.  JL/AK will update the Risk Log.

5.  Discussion of Committee's focus on Risk Log

  • The Committee agreed that the CEO would review the Risk Log, identify operational and strategic risks, and then forward them to the Committee for further review/discussion.

6.  Board Strategic Planning Retreat

  • The Committee agreed to delay the next meeting until after the December 2014 auDA Board Retreat so that the outcomes could be incorporated into a review of the Risk Log.

7.  Next meeting

  • The next meeting will be held in February 2015 – date and time to be confirmed.