CONCERNING CONTINGENCY PLANNING IN CONNECTION WITH YEAR 2000 READINESS
The Board of Directors and Chief Executive Officers of all federally
supervised financial institutions, service providers, software vendors,
senior management of each FFIEC agency, and all examining personnel
The Federal Financial
Institutions Examination Council (FFIEC) issued an interagency statement
May 5, 1997, entitled "Year 2000 Project Management Awareness," that
provided guidance for insured financial institutions to manage the
phases of their Year 2000 readiness program. Subsequently, the FFIEC
issued four statements that provided additional guidance on key issues
including business risk, vendor due diligence, customer risk, and
testing. Accordingly, financial institutions should be well into their
Year 2000 readiness plan. The Awareness and Assessment phases should
be completed. The Renovation and Validation Phases are current priorities
and should be in process.
component of preparing for the Year 2000 problem and beyond is developing
options for the board of Directors and senior management if any or
all of the financial institution's systems fail or cannot be made
Year 2000 ready. The interagency statement "Guidance Concerning Institution
Due Diligence in Connection with Service Provider and Software Vendor
Year 2000 Readiness," issued March 17, 1998, recommended that financial
institutions adopt contingency plans for their mission-critical services
and products. That issuance also provided guidance for developing
contingency plans designed for external providers. The FFIEC has also
issued previous guidance on contingency planning.
The guidance provided
in this paper is modeled after the United States General Accounting
Office exposure draft "Year 2000 Computing Crisis: Business Continuity
and Contingency Planning," released in March 1998 (GAO/AIMD-10.1.19
The purpose of
this guidance is to assist the board of Directors and senior management
of financial institutions as they refine the Year 2000 contingency
plans developed during the assessment phase. A financial institution
should design its Year 2000 contingency plan to mitigate the risks
associated with (1) the failure to successfully complete renovation,
validation, or implementation of its Year 2000 readiness plan (Remediation
Contingency Plan), and (2) the failure of systems at critical dates
(Business Resumption Contingency Planning). While Remediation Contingency
Planning has been addressed in previous FFIEC guidances, the last
section of this paper provides clarification of certain aspects of
that guidance. The primary subject of this paper, however, is Business
Resumption Contingency Planning.
The FFIEC recognizes
that each financial institution operates with a unique aggregation
of technological resources within the confines of a predefined operating
structure. Thus, there are no ideal or simple solutions to Year 2000
contingency planning. This policy statement presents guidance and
recommendations, but is not intended to be an all-inclusive Year 2000
contingency planning solution. Each financial institution must evaluate
its own unique circumstances and environment to develop a comprehensive
plan to ensure its ability to continue as a functioning business entity
after January 1, 2000. The board of Directors and senior management
should attach a high priority to the development, validation, and
implementation of the Year 2000 contingency plan.
To produce a viable
Year 2000 business resumption contingency plan in a cost effective
manner, each financial institution should evaluate the risks associated
with the failure of core business processes. Core business functions
or processes of a financial institution are groups of related tasks
that must be performed together to ensure that the financial institution
continues to be viable. Evaluation of these risks should include comparing
the cost, time, and resources needed to implement the contingency
boards of Directors and senior management should ensure that their
institutions' Year 2000 contingency planning process encompasses a
plan of action in the event that there are systems failures at critical
dates. The business resumption contingency planning should be incorporated
into the institutions' overall Year 2000 contingency plan.
The four phases
of the Year 2000 business resumption contingency planning process
Organizational Planning Guidelines that define the business continuity
a Business Impact Analysis where the financial institution assesses
the potential impact of mission-critical system failures;
a Contingency Plan that establishes a timeline for implementation
and action, circumstances, and trigger dates for activation; and
4. Designing a
method of Validation so that the business resumption contingency plan
can be tested for viability.
The phases of
the process are more fully discussed below.
the FFIEC member agencies will address the Year 2000 business resumption
contingency planning process as part of each financial institution's
Year 2000 readiness examination.
2000 readiness is one of the most complex and challenging issues facing
a financial institution's board of Directors and senior management.
Many financial institutions will expend substantial resources to renovate
or replace mission-critical systems, yet despite this effort and commitment,
the risk of disruption to business processes remains. A Year 2000
business resumption contingency plan should be designed to provide
assurance that the mission-critical functions will continue if one
or more systems fail. Furthermore, it should not be viewed as a static
document, but as a process that should be reviewed, updated, and validated
on a continuous basis.
The board of Directors
and senior management must be directly involved in the financial institution's
Year 2000 business resumption contingency planning process. The production
of the contingency plan document may be delegated to staff and implementation
decentralized to segments of the financial institution's operations.
Ultimately the board of Directors and senior management are responsible
for the overall process and assure that sufficient resources are made
available to ensure the success of the Year 2000 business resumption
of a continuity project work group and assignment of roles and responsibilities.
on the size and complexity of the financial institution, this may
be an individual; or representatives from all major business segments,
including disaster recovery specialists, and audit representatives,
if available. This individual or group will develop the continuity
plan and later develop and monitor the Year 2000 business resumption
of core business processes.
systems were identified during the assessment phase. Core business
processes that utilize these mission-critical systems may have also
been identified. Beyond the information system relationships, all
aspects of the business process should now be defined.
It is important
to ensure that key internal and external business dependencies
are identified, including infrastructure and information sources.
While the financial institution may have only limited control
of the impact of these elements on the operations, it is essential
that the institution identify these elements in order to establish
of an event timeline.
financial institution should develop a timeline of events that incorporates
the schedule of renovation and testing in the financial institution's
Year 2000 readiness plan. The Year 2000 business resumption contingency
plan should specifically identify a pre-Year 2000 event timeline
as well as a post-Year 2000 event timeline. Critical stages must
be identified, assessed for feasibility of implementation, and updated
of a risk management process and reporting system.
risks should be prioritized with the business resumption contingency
planning efforts focused on the core business processes that, should
they be compromised, pose the greatest risk to the institution.
Year 2000 readiness risks should be identified and a system developed
that provides an adequate means of reporting progress and changes
in the Year 2000 readiness plan.
existing business continuity or contingency plans and disaster recovery
financial institution should assess the strengths and weaknesses
of these programs to determine their continued effectiveness and
to eliminate redundancy and any waste of resources. For example,
a financial institution may consider using an existing contract
for a hot-site that will process mission-critical information systems
in the event of a disaster.
This phase assesses
the potential impact of mission-critical system failures on the core
business processes. The financial institution should assign priority
to the business processes. The results of this analysis provides the
basis for the contingency plan.
risk analysis of each core business process.
Issues to be considered
The status of
Year 2000 readiness renovation or replacement plans for mission-critical
systems, whether administered internally or by service providers;
The financial and marketing impact of the loss of a core business
process, including what impact the loss might have on the viability
of the financial institution; and
The impact of
regulatory requirements. Define and document Year 2000 failure
scenarios. Consider the risk of both internal and infrastructure failures.
The results of
tests run on renovated systems may lead to the development of the
failure scenarios. For example, an ATM network failure may necessitate
increased teller staff to accommodate increased lobby traffic.
minimum acceptable level of outputs and services.
For example, those
responsible should establish the minimum frequency for production
of demand deposit, savings, and loan trial balances.
Year 2000 Business
Resumption Contingency Planning
institution should now develop its Year 2000 business resumption contingency
plan based on the priorities established during the business impact
analysis. The plan should be documented and organized so that it can
be easily changed if necessary.
options and select the most reasonable contingency strategy.
strategy should be cost-effective, practical and appropriate for
the size, complexity, and type of information systems used. In selecting
a strategy, consider the cost and functionality of the strategy
and the feasibility of deploying the event timeline. The primary
goal should be to maximize the functionality and speed of recovery.
Financial institutions serviced by third-parties should develop
strategies that take into account the contingency alternatives outlined
in those third-party contingency plans.
contingency plans and implementation modes.
Develop a specific
recovery plan for each core business process that considers the minimum
level of acceptable output. Evaluate the need for specific strategies
such as quick fixes, partial replacement outsourcing or other alternatives.
The plan could include consideration of whether the systems to support
the core business processes could be replaced by manual or automated
Document the products
of the core business processes that may need to be recovered. Each
financial institution should review its Year 2000 readiness plan to
determine the key dates that tie to this data. In general, the following
items should be included:
copies of the institution's master-files and transaction files;
Printed (or other
similar medium such as microfiche) trial balances;
A master list
of Year 2000 readiness contact points of every client, supplier, bank,
and government agency that shares data with the institution;
copies of all master files and trial balance reports; and
In those instances
where the financial institution's data processing facility is providing
services to other financial institutions, a copy of machine-readable
data files, for all customers.
review processes to consider include:
reviews of data processing and service providers' contracts where
necessary to determine the responsibilities of each of the parties;
review of all of data processing insurance coverage;
responsibilities that are organized and delegated to specific individuals
or committees ensuring that appropriate staff make accurate statements;
Review of all
Local Area Network (LAN) and Wide Area Network (WAN) access to other
Review and testing
the financial institution's disaster recovery site to ensure that
Year 2000 capable hardware is available if needed.
trigger dates to activate the contingency plans.
for the plan should continuously evaluate the progress of the Year
2000 readiness plan and report any deviation from the plan to senior
management. They should monitor critical milestones and establish
trigger dates for implementation of the contingency plans. Those trigger
dates should take into account what would be involved in obtaining
alternative sources of service.
for business resumption of core business processes.
Either an individual
or team should be responsible for managing the implementation of the
an independent review of the feasibility of the contingency plan.
Who conducts the
review will depend on the size and complexity of the financial institution.
The party responsible should be independent of the contingency plan
implementation strategy for the physical rollover.
ensure that there are plans in place and staff available for the period
December 30, 1999, and January 3, 2000, and the other key milestone
the Business Resumption Contingency Plan
document, contingency planning has been referred to as a process.
Modifications or corrections to the financial institution's Year 2000
readiness plan may prompt modifications or corrections to the contingency
plan. Periodic tests of the contingency plan will ensure that these
changes are considered and that the level of support for the core
business processes is adequate. The frequency and sophistication of
testing should be consistent with the size and complexity of the financial
should develop and document business resumption contingency test plans
approved by senior management. The test plans should be independently
validated in order to judge the effectiveness and reasonableness of
the proposed contingency plan. This independent validation should
be performed by knowledgeable individuals who were not involved in
the formulation of the plans. If the financial institution does not
have the expertise in-house, they should secure the expertise from
other sources. Based on those test results, modifications should be
made to ensure that the business continuity plan remains valid.
Thus far, guidance
in this paper has addressed the planning efforts needed to mitigate
the operational risks should systems fail at critical dates. Other
key aspects of the broader contingency planning concept have been
discussed in previous FFIEC guidance papers related to the Year 2000
computer problem. These aspects included planning that mitigates the
risks associated with the failure to successfully complete renovation,
validation and implementation of mission-critical systems. This facet
of contingency planning is referred to as remediation contingency
planning and pertains to mission-critical systems developed in-house,
by third party service providers, and by software vendors. The following
guidance is intended to clarify supervisory expectations as outlined
in the Interagency Statement issued May 5, 1997, "Year 2000 Project
If a mission-critical
application or system has been remediated, tested and implemented,
a remediation contingency plan is not required. If internal remediation
efforts or vendors are expected to provide Year 2000 ready products
and services within a short period of time (no later than July 31,
1998), remediation contingency plans may not be necessary for those
systems. However, the financial institution should establish a firm
date that would trigger completion of the remediation contingency
plan should internal efforts or the efforts of the institution's vendor
or servicer fail to provide a Year 2000 ready product or service.
If a system is
in the process of remediation, and is on schedule to meet FFIEC timeframes,
comprehensive remediation contingency plans may not be necessary.
At a minimum, financial institutions should develop remediation contingency
plans which (1) outline the alternatives available if remediation
efforts are not successful, (2) consider the availability of alternative
service providers or software vendors, and (3) establish trigger dates
for activating the remediation contingency plan, taking into account
the time necessary to convert to alternate service providers or software
The FFIEC understands
that ensuring the availability of an alternative servicer or vendor
may require payment of a fee. Whether or not to pay this fee is a
business decision that the financial institution board of Directors
and senior management must make. The decision should consider the
probability of failure of the institution's internal efforts, or the
remediation efforts of existing service providers or software vendors.
Management should also consider the following:
The extent to
which the existing service provider or software vendor has met milestones
established by the financial institution;
The amount of
time necessary to migrate to an alternate service provider or software
of alternative service providers or software vendors; and
about the alternate servicer provider or software vendor available
from user groups or others.
The FFIEC realizes
that the complexity of a financial institution's Year 2000 business
resumption contingency plan will vary depending upon the complexity
of its information system structure; however, the FFIEC expects financial
institutions to develop, implement, and validate Year 2000 contingency
plans designed to mitigate the risks associated with the Year 2000
date change. The Year 2000 contingency plan should be in writing and
documented to support the conclusions and procedures therein. The
board of Directors and senior management are responsible for ensuring
that the Year 2000 contingency plan is comprehensive and adapted for
the unique attributes of their financial institution.
1. Any problem
which prevents information technology from accurately processing,
calculating, comparing, or sequencing date or time data from, into,
or between the 20th and 21st centuries; or the years 1999 and 2000,
or with regard to leap year calculations.
2. On March
26, 1997, the FFIEC issued a policy statement entitled "Corporate
Business Resumption and Contingency Planning." Although not specific
to the Year 2000 readiness issue, the statement emphasized the importance
of the business resumption and information systems contingency planning
functions, including planning for critical information systems and
operations supported by service providers. Financial institutions
were encouraged to ensure that contingency plans were comprehensive
and thoroughly tested. (The paper can be obtained at /news/news/financial/1997/fil9768.html