Additional Questions and Answers
Concerning Year 2000 Business Resumption Contingency Planning
To: The Boards of Directors and Chief Executive Officers of all federally supervised
financial institutions, service providers, software vendors, federal branches and
agencies, senior management of each FFIEC agency, and all examining personnel
The Federal Financial Institutions Examination Council (FFIEC) has issued two
interagency statements concerning Year 2000 contingency planning. The "Guidance
Concerning Contingency Planning in Connection with Year 2000 Readiness," issued in
May 1998, describes the process for designing and implementing plans to mitigate the risks
associated with the failure to remediate systems (remediation contingency planning) and to
respond to failures of core business processes at critical dates due to the Year 2000
problem (business resumption contingency planning). The "Questions and Answers
Concerning Year 2000 Contingency Planning," issued in December 1998, answers
frequently asked questions and clarifies previous FFIEC Year 2000 policy statements
regarding contingency planning. The purpose of this issuance is to provide further
clarification regarding FFIEC expectations for the completion of the validation phase of
business resumption contingency planning by June 30, 1999, documentation requirements, and
the role of "event planning" in the development of business resumption
Q1. By June 30, 1999, what does the FFIEC expect financial institutions to do with
respect to the validation phase of the business resumption contingency planning process?
A.1. As stated in the December 11, 1998, FFIEC Q&A guidance on contingency
planning, "[f]inancial institutions are expected to substantially complete the four
phases of the Year 2000 business resumption contingency planning process as soon as
possible, but not later than June 30, 1999." The business resumption contingency
planning process includes four phases: establishing organizational planning guidelines,
completing a business impact analysis, developing the business resumption contingency
plan, and designing a method of validation so that the business resumption contingency
plan can be tested for viability.
In reference to the fourth phase, the FFIEC agencies expect that the design of a method
of validation should be substantially completed by June 30, 1999, and should include the
Review of the business resumption contingency plan and validation processes by a
qualified and independent party. The review may be carried out by any qualified,
independent party, such as an internal auditor, external auditor, or an employee who was
not involved directly in developing the Year 2000 business resumption contingency plan.
Review and approval of the business resumption contingency plan and the method of
validation of the business resumption contingency plan by senior management and the board
of directors. If an institution is unable to arrange for board of directors final
review and approval of the business resumption contingency plan and the method of
validation by June 30, 1999, then the board of directors should review and approve the
plan during a board meeting in the third quarter.
Because business resumption planning is a dynamic process, the FFIEC recognizes that
financial institutions may need to execute tests of business resumption contingency plans
after June 30, 1999. The FFIEC encourages institutions to execute testing of business
resumption contingency plans (using the methodology approved by the board) early enough to
allow ample time to make necessary changes and to retest the business resumption
contingency plan, if necessary. Accordingly, the FFIEC will allow institutions to execute
tests of business resumption contingency plans in the third and fourth quarters, where
appropriate. The FFIEC expects institutions to report to the board of directors on the
outcome of business resumption contingency plan tests.
Q.2. What written documentation is necessary to support completion of the business
resumption contingency planning process?
A.2. An institution is expected to have a written business resumption contingency
plan and written documentation supporting the plans development and validation. At a
minimum, an institution should have written documents that cover the following:
Business resumption contingency plans and methods of implementation, including an
evaluation of business resumption contingency planning options and strategies;
Core business processes and business impact analysis that include failure scenarios and
minimum acceptable service and output levels;
A description of the method of validation, including the specific tests and target dates
for completing the tests;
Results of the testing of the business resumption contingency plans;
Findings of the qualified and independent review of the business resumption contingency
plan and validation processes; and
Review and approval of the validated business resumption contingency plan by senior
management and the board of directors (e.g., minutes of board meeting).
The business resumption contingency plan(s) and all supporting documentation should be
available for review by examiners.
Q.3. What is "event planning"? Should an institution's Year 2000 business
resumption contingency planning include specific "event planning" strategies?
Are institutions expected to complete "event planning" strategies by the June
30, 1999, deadline for the completion of business resumption contingency plans?
A.3. "Event planning" is a loosely defined term used by some financial
institutions involved in Year 2000 contingency planning. Event planning is a proactive and
detailed planning process that covers monitoring specific operations prior to and during
the century roll over or other critical dates, detecting problems and resolving issues
related to whether and how to implement business resumption contingency plans, and
communicating with appropriate bank officials and customers. It also may involve personnel
issues (e.g., vacation/leave policies, the availability of subject matter experts) and
communications issues (e.g., command centers, internal and external notification
procedures, call center scripts).
The FFIEC believes that event planning is a sound risk management practice that can
make Year 2000 business resumption contingency plans more effective. While the FFIEC
encourages all institutions to develop event plans, whether such plans are helpful to a
particular institution and whether an institution develops event plans are decisions for
individual institutions senior management. Operationally complex institutions or
institutions that are especially vulnerable to Year 2000-related risks should give special
consideration to developing event plans. The FFIEC also encourages institutions to train
employees to implement event plans, where appropriate.