|Subject:||Guidance on Year 2000 Contingency Planning|
|Date of Memorandum:||01/29/1999|
|Expiration Date:|| |
|Signed By:||Smith, Roland|
|FCA Contact Person:||Glenn, Thomas|
|List of Attachments:|
January 29, 1999
To: Chairman, Board of Directors
Chief Executive Officer
All Farm Credit System Institutions
From: Roland E. Smith, Director /s/
Office of Examination
Subject: Guidance on Year 2000 Contingency Planning
The Farm Credit Administration (FCA) has issued numerous Informational Memorandums concerning the Year 2000 project management process and other significant Year 2000 issues. Contingency planning is cited repeatedly in the guidance as a key component to effective Year 2000 risk management. The memorandum entitled "Contingency Planning for Business Continuity,” issued on June 30, 1998, describes the process for designing and implementing plans to mitigate the risks associated with the failure to remediate systems (remediation contingency planning) and to respond to failures of core business processes at critical dates due to the Year 2000 problem (business resumption contingency planning). The attached document was developed to answer frequently asked questions and to clarify previous memorandums regarding contingency planning.
Business resumption contingency planning is an essential component of adequate preparation for Year 2000 readiness. Despite reasonable internal remediation, testing, and implementation efforts, each Farm Credit System institution must consider the potential impact of disruptions from within and from third-party business partners and infrastructure providers. An effective business resumption plan establishes a financial institution's course of action and helps it to resume core business processes in an orderly way in the event of a system failure. Without business resumption contingency plans, a financial institution may not be prepared to respond quickly and efficiently to Year 2000 disruptions. The board of directors and senior management should review and approve Year 2000 remediation and business resumption contingency plans.
The answers provided in the attached document address contingency planning issues in general terms. Please direct institution-specific questions to the Director of your assigned FCA Field Office. If you have any questions regarding this document or similar previous documents, please call Thomas M. Glenn at (703) 883-4412, or correspond on the Internet at e-mail address firstname.lastname@example.org.
Questions and Answers Concerning
Year 2000 Contingency Planning
Q.1. How do remediation contingency planning and business resumption contingency planning processes differ?
A.1. Remediation contingency planning involves efforts by financial institutions and their service providers and software vendors to mitigate the Year 2000 risks that are associated with the failure to renovate, validate, and implement mission-critical systems to ensure that they are Year 2000 ready.
Business resumption contingency planning involves efforts by financial institutions and their service providers and software vendors to mitigate operational risks should core business processes fail, regardless of whether mission-critical systems were remediated for the Year 2000. Business resumption contingency planning is critical because, notwithstanding an institution’s or its service provider’s successful efforts to thoroughly renovate, validate, and implement Year 2000-ready systems, the potential exists that systems will not operate as expected. In order to mitigate this risk, institutions should have business resumption contingency plans
Remediation and business resumption contingency planning differ in a number of respects. One of the most significant differences relates to the type of personnel involved in each type of planning. Remediation contingency planning primarily involves Year 2000 teams, consisting of information technology (IT) specialists and business users working directly with an institution’s software and hardware computer systems and reporting to the institution’s managers and officers. In addition to the type of personnel used for remediation contingency planning, business resumption contingency planning may involve a broader group of IT specialists and non-IT personnel.
Q.2. How extensive should remediation contingency plans be?
A.2. An institution is expected to prepare a Year 2000 remediation contingency plan depending on the status of its progress in remediating its systems.
· If a mission-critical system or application has been remediated, tested and implemented, no formal written remediation contingency plan is required.
· If an institution, service provider or software vendor has not completed renovations, testing, and implementation of its mission-critical systems, it should have a written remediation contingency plan. The plan should: (1) consider the alternatives available if remediation efforts are not successful, (2) consider the likelihood that the existing service provider or software vendor will provide Year 2000 ready services and products, (3) consider the availability of alternative service providers and software vendors, and (4) establish trigger dates for activating the remediation contingency plan. If an institution or its service provider or software vendor is not expected to complete renovations, testing and implementation of its mission-critical systems in accordance with FCA timeframes, a more comprehensive written remediation contingency plan is necessary.
Business Resumption Contingency Planning
Q.3. The FCA’s "Contingency Planning for Business Continuity" states that the institution will need to assess the potential impact of mission-critical system failures on the core business processes. How do "core business processes" relate to "mission-critical systems"?
A.3. A core business process may be comprised of one or more mission-critical systems and generally is defined along functional lines. For example, closing loans is a core business process that could depend on various mission-critical systems (e.g., credit delivery and loan accounting systems). Essentially, mission-critical systems and other business processes make up core business processes. It is important to note that specific mission-critical systems may be components of a number of core business processes and may serve as an interface between and among the operations of core business processes.
Q.4. Why is a Year 2000 business resumption plan necessary if an institution has an existing disaster recovery and/or business continuity plan?
A.4. An institution’s Year 2000 business resumption contingency planning supplements existing disaster recovery and business continuity plans. In most instances, existing plans do not address contingencies unique to the Year 2000 problem. For example, existing disaster recovery plans may contemplate using a back-up site if a problem occurs, but because a Year 2000 problem may involve either software or hardware failures, resorting to a back-up site that uses the same hardware or software may not remedy the problem. Institutions, therefore, should augment existing contingency plans, either by revising existing contingency plans or by adopting supplemental Year 2000 business resumption contingency plans, to capture Year 2000-related risks.
Q.5. Should institutions implement special training for their Year 2000 business resumption contingency planning?
A.5. As part of the Year 2000 business resumption contingency planning process, management should ensure that appropriate employees are trained to implement the plan. Such training will help to ensure that personnel can work together to prioritize core business processes and establish critical paths or timelines to resume operations or implement work-arounds in the event of a disruption. Accordingly, the plan may be used to communicate to employees what is expected of them in the event of a Year 2000 disruption. It should contain sufficient detail so employees can implement the contingency plan effectively. Information on procedures for responding to Year 2000 events and operational failures should be easily accessible to the employees responsible for implementing them.
Q.6. When does the FCA expect System institutions to complete their Year 2000 business resumption contingency planning? How often should business resumption contingency plans be updated?
A.6. FCA’s Informational Memorandum entitled “Contingency Planning for Business Continuity” stated that FCS Year 2000 business resumption contingency plan must be in place by December 31, 1998. The plan should be reviewed and approved by senior management and the board of directors. However, business resumption contingency planning is a dynamic process. Plans should continue to be updated, as needed. A plan that is adequate at a given time may become inadequate at a later date if it is not revised to address current needs.
Contents of the Plan
Q.7. How extensive should Year 2000 business resumption contingency plans be?
A.7. Each institution has unique characteristics and needs to identify its core business processes and the minimal acceptable levels of outputs and services for those processes. Accordingly, each institution’s Year 2000 business resumption contingency plans may vary significantly. The goal for all such plans is to provide a process that will enable an institution to stabilize operations at minimum acceptable levels, and to resume business as quickly and efficiently as possible should problems arise.
Q.8. What duration of time outages should a Year 2000 business resumption contingency plan address?
A.8. The duration of outages that need to be addressed in Year 2000 business resumption contingency plans will vary depending on an institution’s previously determined minimum levels of outputs and services for core business processes and the availability of the alternatives designated in their business resumption contingency plans. The plan should address outages of sufficient duration to resume operations at minimum acceptable levels of output and services.
Q.9. Should an institution’s Year 2000 business resumption contingency plans address funding needs that may arise before or shortly after the century date change?
A.9. An institution should consider whether it could experience unusual funding needs in late 1999 and early 2000 arising from a surge in loan demand. Consideration should be given to scenarios that would result in short or longer-term liquidity needs, and the development of plans to manage such funding needs. A plan may include expanding normal liquidity sources, as well as establishing contingent or alternative sources. Because additional documentation may be needed and collateral requirements may need to be addressed, institutions should determine whether such documentation needs to be prepared and placed on file with potential lenders well in advance of the century date change.
Q.10. How should Year 2000 business resumption contingency plans address cash needs that may arise in late 1999 and early 2000?
A.10. As part of the contingency funding planning process for the century date change, institutions should consider the loan demands of their customers and determine whether they need to arrange for additional cash availability. An institution should consider how quickly it can obtain additional amounts of cash should its primary source become unavailable unexpectedly. It may be necessary, for example, for institutions to establish secondary sources of cash before the century date change.
Q.11. What should institutions do as part of their business resumption contingency plans to educate customers on their Year 2000 preparedness and to respond to customers if disruptions occur?
A.11. Educating customers about the Year 2000 problem is critical to minimizing unwarranted public alarm that could cause serious problems for institutions and their customers. Institutions should provide customers information on their Year 2000 readiness efforts and provide complete and accurate responses to questions and concerns raised by customers. Institutions should also be prepared to address how they will respond to customers should Year 2000 disruptions occur, whether caused by internal problems or external events. Financial institutions are in the best position to communicate with their customers and may consider providing informational brochures or other written disclosures in monthly or quarterly statements or newsletters, establishing toll-free hotlines for customer inquiries, holding educational seminars, and providing Year 2000 information via Internet sites.
Q.12. How should institutions address telecommunications and power company providers as part of their business resumption contingency plans?
Q.12. As part of its Year 2000 project plan, an institution should have inventoried all mission-critical systems that rely on telecommunications and power companies. Institutions should obtain information on the Year 2000 readiness of their telecommunications and power companies’ products and services. They also should determine whether telecommunications and power companies will conduct Year 2000 testing with financial institutions or whether their telecommunications and power companies can provide information on proxy tests. Because disaster recovery plans generally address disruptions in power and telecommunications services, institutions should review and augment these plans to respond to unique aspects of Year 2000 disruptions.
Validation of Contingency Plans
Q.13. How should an institution validate its Year 2000 business resumption contingency plan?
A.13. An institution should develop a method to test its Year 2000 business resumption contingency plan and assign responsibility to an individual or group to execute the validation process. Examples of validation methods include, but are not limited to, simulations, role play, walk-throughs, and alternate site reviews. Optimally, validation should be carried out by a qualified independent party, such as an internal auditor, external auditor, or an employee who was not involved directly in developing the Year 2000 business resumption contingency plan. Institutions should not assume that external auditors will validate Year 2000 business resumption contingency plans within the scope of their traditional audits.