(a) Guiding principles. The Authority must effectively manage risk to prevent conflicts of interest, waste, fraud, embezzlement, and abuse. To manage risk, the Authority must align the enterprise risk-management process to the goals and objectives noted in the Authority's strategic plan. The Authority must assess risks, select risk responses, monitor whether responses are successful, and communicate and report on risks, consistent with § 1.153. The Authority must ensure that all internal controls have appropriate separation of duties (e.g., requester, approver, recorder). In addition, the Authority must develop corrective action plans no later than 90 days after receiving a notice of finding from its auditors or other internal assessments. The Board of Directors (or one of the Authority's standing committees) must review and evaluate identified risks and proposed corrective action plans. The Authority must review regularly its corrective actions identified from all audits and internal assessments and should develop criteria by which to prioritize its response activities. The Authority must ensure that its risk management activities encompass:

(1) Compliance with applicable laws, rules, and regulations;

(2) The avoidance of conflicts of interest, or the appearance thereof, in all aspects of the Authority's operations, including investigation and enforcement, vendor selection, personnel assignments and responsibilities, and actions by the Board of Directors or management; and

(3) Handling funds received and expended by the Authority, including revenue/expense policies, fundraising practices, contracting policies, travel policies, and real and personal property agreements and expenses.

(b) Data security and privacy. The Authority must ensure the privacy and security of data, including all reasonable measures to protect the confidentiality of any sensitive health information (SHI), personally identifiable Information (PII), and sensitive PII (SPII) stored in its systems, including those operated by the anti-doping and medication control program, the Horseracing Integrity and Welfare Unit, and the Authority's third-party contractors. The Authority must ensure a complete annual evaluation of the status of its overall information technology security program and practices, as audited by a qualified, independent, third-party auditor. The Authority must also ensure that it has policies, programs, and practices in place to protect SHI, PII, and SPII. The Authority must send a copy of the annual evaluation to Commission staff.

(c) Vendor selection. Procurement actions estimated at over $10,000 must be accompanied by documented market research (e.g., comparing the prices and other terms offered by the selected vendor against the prices and other terms offered by at least two other vendors) to ensure lowest cost or best value for goods or services to be provided. The Authority should also develop policies and procedures covering procurement activities.

(d) Notice. The Authority must provide advance notice to Commission staff of all significant Authority-planned events (e.g., press conferences, media events, summits, etc.) via a calendar, a list, email, or some other reasonable means. The Authority must also summarize key aspects of all such events on its website within a reasonable timeframe. The Authority must also give Commission staff prompt notice after it has been alerted to significant, adverse events in the horseracing industry (e.g., adverse safety or medical events that might reasonably lead to sanctions, track closures, etc.).