To: The Board of Directors and Chief Executive Officers of all federally supervised financial institutions, service providers, software vendors, federal branches and agencies, senior management of each FFIEC agency, and all examining personnel.
The Federal Financial Institutions Examination Council (FFIEC) has issued numerous interagency statements concerning the Year 2000 project management process and other significant Year 2000 issues. Contingency planning is cited repeatedly in the guidance as a key component to effective Year 2000 risk management. The "Guidance Concerning Contingency Planning in Connection with Year 2000 Readiness" issued in May 1998 describes the process for designing and implementing plans to mitigate the risks associated with the failure to remediate systems (remediation contingency planning) and to respond to failures of core business processes at critical dates due to the Year 2000 problem (business resumption contingency planning). The purpose of this guidance is to answer frequently asked questions and to clarify previous FFIEC Year 2000 policy statements regarding contingency planning.
Establishing meaningful and practical business resumption contingency plans is an essential part of the risk management process for addressing Year 2000 problems. An effective business resumption contingency plan establishes a financial institution's course of action and helps it to resume core business processes in an orderly way in the event of a system failure. Without business resumption contingency plans, a financial institution may not be prepared to respond quickly and efficiently to Year 2000 disruptions. Senior management and the Board of Directors should review and approve Year 2000 contingency plans.
Q.1. How do remediation contingency planning and business resumption contingency planning processes differ?
A.1. Remediation contingency planning involves efforts by financial institutions and their service providers and software vendors to mitigate the Year 2000 risks that are associated with the failure to renovate, validate, and implement mission-critical systems to ensure that they are Year 2000 ready.
Business resumption contingency planning involves efforts by financial institutions and their service providers and software vendors to mitigate operational risks should core business processes fail, regardless of whether mission-critical systems were remediated for the Year 2000. Business resumption contingency planning is critical because, notwithstanding a financial institution's successful efforts to thoroughly renovate, validate, and implement Year 2000-ready systems, the potential exists that systems will not operate as expected. In order to mitigate this risk, financial institutions should have business resumption contingency plans.
To recap the May 1998 guidance on contingency planning, Year 2000 business resumption contingency planning involves four phases:
establishing organizational planning guidelines that define the business continuity planning strategy;
completing a business impact analysis in which the financial institution assesses the potential impact of mission-critical system failures on the core business processes;
developing a business resumption contingency plan; and
designing a method of validation so the business resumption contingency plans can be tested for effectiveness and viability.
Remediation and business resumption contingency planning differ in a number of respects. One of the most significant differences relates to the type of personnel involved in each type of planning. Remediation contingency planning primarily involves Year 2000 teams, consisting of information technology (IT) specialists and business users working directly with an institution's software and hardware computer systems and reporting to the institution's managers and officers. In addition to the type of personnel used for remediation contingency planning, business resumption contingency planning may involve a broader group of IT specialists and non-IT personnel.
Q.2. How extensive should remediation contingency plans be?
A.2. A financial institution is expected to prepare a Year 2000 remediation contingency plan depending on the status of its progress in remediating its systems.
If a mission-critical system or application has been remediated, tested and implemented, no formal written remediation contingency plan is required.
If a financial institution, service provider or software vendor has not completed renovations, testing, and implementation of its mission-critical systems, it should have a written remediation contingency plan. The plan should: (1) consider the alternatives available if remediation efforts are not successful, (2) consider the likelihood that the existing service provider or software vendor will provide Year 2000 ready services and products, (3) consider the availability of alternative service providers and software vendors, and (4) establish trigger dates for activating the remediation contingency plan. If an institution or its service provider or software vendor is not expected to complete renovations, testing and implementation of its mission-critical systems in accordance with FFIEC timeframes, a more comprehensive written remediation contingency plan is necessary.
Business Resumption Contingency Planning
Q.3. The FFIEC's "Year 2000 Guidance on Contingency Planning" states that "each financial institution should evaluate the risks associated with the failure of core business processes." How do "core business processes" relate to "mission-critical systems"?
A.3. A core business process may be comprised of one or more mission-critical systems and generally is defined along functional lines. For example, taking deposits is a core business process that could depend on various mission-critical systems (e.g., ACH, proof, and deposit systems). Essentially, mission-critical systems and other business processes make up core business processes. It is important to note that specific mission-critical systems may be components of a number of core business processes and may serve as an interface between and among the operations of core business processes.
Q.4. Why is a Year 2000 business resumption plan necessary if an institution has an existing disaster recovery and/or business continuity plan?
A.4. An institution's Year 2000 business resumption contingency planning supplements existing disaster recovery and business continuity plans. In most instances, existing plans do not address contingencies unique to the Year 2000 problem. For example, existing disaster recovery plans may contemplate using a back-up site if a problem occurs, but because a Year 2000 problem may involve either software or hardware failures, resorting to a back-up site that uses the same hardware or software may not remedy the problem. Financial institutions, therefore, should augment existing contingency plans, either by revising existing contingency plans or by adopting supplemental Year 2000 business resumption contingency plans, to capture Year 2000-related risks.
Q.5. Should financial institutions implement special training for their Year 2000 business resumption contingency planning?
A.5. As part of the Year 2000 business resumption contingency planning process, management should ensure that appropriate employees are trained to implement the plan. Such training will help to ensure that bank personnel can work together to prioritize core business processes and establish critical paths or timelines to resume operations or implement work-arounds in the event of a disruption. Accordingly, the plan may be used to communicate to employees what is expected of them in the event of a Year 2000 disruption. It should contain sufficient detail so that employees can implement the contingency plan effectively. Information on procedures for responding to Year 2000 events and operational failures should be easily accessible to the employees responsible for implementing them.
Q.6. When does the FFIEC expect financial institutions to complete their Year 2000 business resumption contingency planning? How often should business resumption contingency plans be updated?
A.6. Financial institutions are expected to substantially complete the four phases of the Year 2000 business resumption contingency planning process as soon as possible, but not later than June 30, 1999. The validated Year 2000 business resumption contingency plan should be reviewed and approved by senior management and the Board of Directors. Business resumption contingency planning is a dynamic process. Plans should continue to be updated, as needed. A plan that is adequate at a given time may become inadequate at a later date if it is not revised to address current needs.
Business Impact Analysis
Q.7. What factors should be included in a business impact analysis?
A.7. A business impact analysis assesses the effect of potential system failures on each core business process. Financial institutions should perform a risk analysis of each core business process (e.g., deposit taking, lending, fiduciary services), define and document Year 2000 event scenarios and consider the risk of both internal and infrastructure failures on each core business process, and determine the minimum acceptable level of outputs and services for each core business process. The business impact analysis should consider factors such as: the types of risk that may affect core business processes, the likelihood of their occurrence, the probable timing of an occurrence (e.g., quarter end), the cost and duration of operational failure, the impact of multiple system failures, etc. Financial institutions should prioritize risks of potential operational failures and other events that would have the greatest impact on the institution's core business processes.
Contents of the Plan
Q.8. How extensive should Year 2000 business resumption contingency plans be?
A.8. Each institution is unique and needs to identify its core business processes and the minimal acceptable levels of outputs and services for those processes. Some institutions may develop contingency plans in a decentralized manner, whereas others may not. Also, some institutions may develop one plan for their entire organization, while others may develop multiple plans. Accordingly, each institution's Year 2000 business resumption contingency plans may vary significantly. The goal for all such plans is to provide a process that will enable an institution to stabilize operations at minimum acceptable levels, and to resume business as quickly and efficiently as possible should problems arise.
The Year 2000 business resumption contingency plan should contain the elements described in the May 1998 contingency planning guidance. Specifically, following the completion of its organizational planning and business impact analysis, the institution should develop a plan that: (1) evaluates options and selects the most reasonable contingency strategy; (2) identifies contingency plans and implementation modes for each core business process; (3) establishes trigger dates to activate the contingency plans; (4) assigns responsibility for resumption of core business processes; (5) implements an independent review of the feasibility of the contingency plan; and (6) develops an implementation strategy for the century date change (December 31, 1999 to January 3, 2000) as well as other critical dates. In general, the plan should be designed to minimize disruptions of service to the institution and its customers, minimize financial losses, and ensure a timely resumption of operations in the event of a Year 2000 disruption.
Q.9. Should financial institutions establish a coordinated process for responding to Year 2000 disruptions?
A.9. Financial institutions should establish a coordinated crisis management process for responding to Year 2000 disruptions that addresses communications among appropriate managers, staff, customers and third party suppliers. This plan should assign overall responsibility for implementation to specific individuals; designate key personnel who are responsible for carrying out specific tasks; and outline a program for notification of involved parties, including employees, customers, and third parties. It also should include a strategy to respond promptly to customer and media reaction. Management should consider how to respond to events outside the financial institution's control that could substantially affect customer confidence.
Q.10. The data retention and recovery requirements outlined in the May guidance on contingency planning listed several types of data that should be retained by financial institutions. Are all types listed required?
A.10. The key to data retention and recovery requirements is that a financial institution must be able to recreate mission-critical data affected by a system failure or other Year 2000 disruption. Management needs to determine what data is necessary to retain in order to ensure that mission-critical data can be recovered in the event of an emergency. Accordingly, the types of data listed in the May guidance on contingency planning should be viewed as illustrative of the type of data that may be needed.
Q.11. What duration of outages should a Year 2000 business resumption contingency plan address?
A.11. The duration of outages that need to be addressed in Year 2000 business resumption contingency plans will vary depending on an institution's previously determined minimum levels of outputs and services for core business processes and the availability of the alternatives designated in its business resumption contingency plans. The business resumption contingency plan should address outages of sufficient duration to resume operations at minimum acceptable levels of output and services.
Q.12. Can branches be temporarily closed to respond to a Year 2000 disruption without being in violation of federal or state laws, regulations, or rules?
A.12. Under section 2 (formerly 2) of the Federal Deposit Insurance Corporation Improvement Act of 1991, 12 U.S.C. § 1831r-1, insured depository institutions closing branch facilities are required to follow certain procedures. However, a temporary interruption caused by a Year 2000 disruption beyond the bank's control would not be subject to the requirements, provided that the institution restores branch services in a timely manner. Financial institutions should consult with legal counsel to determine the applicability of state law to these types of situations. Management also should review its contracts with customers, in consultation with legal counsel, to determine whether temporary branch closings due to Year 2000 problems may affect financial institution obligations regarding the provision of services to these customers.
Q.13. Should a financial institution's Year 2000 business resumption contingency plans address funding needs that may arise before or shortly after the century date change?
A.13. A financial institution should consider whether it could experience unusual funding needs in late 1999 and early 2000 arising, for example, from a surge in deposit outflows or loan demand. Consideration should be given to scenarios that would result in short or longer term liquidity problems, and the development of plans to manage such funding needs. Early warning measurements could be used to detect changing funding requirements.
A plan may include expanding normal liquidity sources, as well as establishing contingent or alternative sources. Because additional documentation may be needed and collateral requirements may need to be addressed, financial institutions should determine whether such documentation needs to be prepared and placed on file with potential lenders well in advance of the century date change.
Financial institutions may find it necessary to borrow from various governmental and quasi-governmental agencies. For example, one of the primary roles of the Federal Reserve's discount window is to lend to depository institutions in appropriate circumstances when market funding sources are not reasonably available. Depository institutions that plan to use the discount window as a contingent liquidity source should consider filing the appropriate documents and pledging collateral as early as possible in 1999 in order to facilitate processing. Financial institutions that are members of the Federal Home Loan Bank System may seek advances to meet funding needs. Credit unions may use the Corporate Credit Union system and the National Credit Union Administration's Central Liquidity Facility as contingent liquidity sources.
Q.14. How should Year 2000 business resumption contingency plans address cash needs that may arise in late 1999 and early 2000?
A.14. As part of the contingency funding planning process for the century date change, financial institutions should consider the cash demands of their customers and determine whether they need to arrange for additional cash reserves. A financial institution also should consider how quickly it can obtain additional amounts of cash should its reserves be reduced unexpectedly. It may be necessary, for example, for institutions to increase cash reserves before the century date change.
A financial institution may wish to evaluate the potential for disruptions in its cash distribution systems and develop plans to meet customer needs throughout its geographical service area. When a financial institution uses a third party to service its cash disbursement requirements (e.g., ATMs, armored car services), it should review the third party provider's plan to ensure that providers of these services and facilities can provide sufficient cash to meet customer needs in late 1999 and early 2000.
A financial institution may need to review its insurance coverage and security processes if it plans to hold additional cash reserves.
Institutions may minimize the impact of unwarranted large cash withdrawals by customers by implementing a customer awareness program that communicates the institution's efforts to address the Year 2000 problem and assures customers that their funds are safe.
Q.15. What should financial institutions do as part of their business resumption contingency plans to educate customers on their Year 2000 preparedness and to respond to customers if disruptions occur?
A.15. Educating customers about the Year 2000 problem is critical to minimizing unwarranted public alarm that could cause serious problems for financial institutions and their customers. In May 1998, the FFIEC issued guidance advising financial institutions to provide information on Year 2000 readiness efforts and to provide complete and accurate responses to questions and concerns raised by their customers. The customer awareness program should include appropriate communications channels to effectively respond to and anticipate customer concerns. The program also should address how the financial institution will respond to its customers should Year 2000 disruptions occur, whether caused by internal problems or external events.
Financial institutions are in the best position to communicate with their customers. Financial institutions may consider providing informational brochures or other written disclosures in monthly or quarterly statements, establishing toll-free hotlines for customer inquiries, holding educational seminars, and developing Year 2000 Internet sites.
Q.16. How should financial institutions address telecommunications and power company providers as part of their business resumption contingency plans?
A.16. As part of its Year 2000 project plan, an institution should have inventoried all mission-critical systems that rely on telecommunications and power companies. Financial institutions should obtain information on the Year 2000 readiness of their telecommunications and power companies' products and services. They also should determine whether telecommunications and power companies will conduct Year 2000 testing with financial institutions or whether their telecommunications and power companies can provide information on proxy tests.
Because disaster recovery plans maintained by financial institutions generally address disruptions in power and telecommunications services, financial institutions should review and augment these plans to respond to unique aspects of Year 2000 disruptions.
Financial institutions should stay apprised of Year 2000 developments of relevant government agencies, trade organizations, and their telecommunications and power companies. Financial institutions also are encouraged to monitor the website of the President's Council on Year 2000 Conversion (www.y2k.gov) for updates on infrastructure readiness issues. This website has links to other helpful sources of information.
Validation of Contingency Plans
Q.17. How should a financial institution validate its Year 2000 business resumption contingency plan?
A.17. A financial institution should develop a method to test its Year 2000 business resumption contingency plan and assign responsibility to an individual or group to execute the validation process. Examples of validation methods include, but are not limited to, simulations, role play, walk-throughs, and alternate site reviews.
Q.18. Who should validate a financial institution's Year 2000 business resumption contingency plan?
A.18. Financial institutions should assign responsibility to an individual or group to execute the validation phase. Validation may be carried out by any qualified, independent party, such as an internal auditor, external auditor, or an employee who was not involved directly in developing the Year 2000 business resumption contingency plan. Institutions should not assume that external auditors will validate Year 2000 business resumption contingency plans within the scope of their traditional audits.