Additional Questions and Answers
Concerning Year 2000 Business Resumption Contingency Planning
To: The Boards of Directors and Chief Executive Officers of all federally supervised financial institutions, service providers, software vendors, federal branches and agencies, senior management of each FFIEC agency, and all examining personnel
The Federal Financial Institutions Examination Council (FFIEC) has issued two interagency statements concerning Year 2000 contingency planning. The "Guidance Concerning Contingency Planning in Connection with Year 2000 Readiness," issued in May 1998, describes the process for designing and implementing plans to mitigate the risks associated with the failure to remediate systems (remediation contingency planning) and to respond to failures of core business processes at critical dates due to the Year 2000 problem (business resumption contingency planning). The "Questions and Answers Concerning Year 2000 Contingency Planning," issued in December 1998, answers frequently asked questions and clarifies previous FFIEC Year 2000 policy statements regarding contingency planning. The purpose of this issuance is to provide further clarification regarding FFIEC expectations for the completion of the validation phase of business resumption contingency planning by June 30, 1999, documentation requirements, and the role of "event planning" in the development of business resumption contingency planning.
Q.1. By June 30, 1999, what does the FFIEC expect financial institutions to do with respect to the validation phase of the business resumption contingency planning process?
A.1. As stated in the December 11, 1998, FFIEC Q&A guidance on contingency planning, "[f]inancial institutions are expected to substantially complete the four phases of the Year 2000 business resumption contingency planning process as soon as possible, but not later than June 30, 1999." The business resumption contingency planning process includes four phases: establishing organizational planning guidelines, completing a business impact analysis, developing the business resumption contingency plan, and designing a method of validation so that the business resumption contingency plan can be tested for viability.
In reference to the fourth phase, the FFIEC agencies expect that the design of a method of validation should be substantially completed by June 30, 1999, and should include the following:
- Review of the business resumption contingency plan and validation processes by a qualified and independent party. The review may be carried out by any qualified, independent party, such as an internal auditor, external auditor, or an employee who was not involved directly in developing the Year 2000 business resumption contingency plan.
- Review and approval of the business resumption contingency plan and the method of validation of the business resumption contingency plan by senior management and the board of directors. If an institution is unable to arrange for board of directors’ final review and approval of the business resumption contingency plan and the method of validation by June 30, 1999, then the board of directors should review and approve the plan during a board meeting in the third quarter.
Because business resumption planning is a dynamic process, the FFIEC recognizes that financial institutions may need to execute tests of business resumption contingency plans after June 30, 1999. The FFIEC encourages institutions to execute testing of business resumption contingency plans (using the methodology approved by the board) early enough to allow ample time to make necessary changes and to retest the business resumption contingency plan, if necessary. Accordingly, the FFIEC will allow institutions to execute tests of business resumption contingency plans in the third and fourth quarters, where appropriate. The FFIEC expects institutions to report to the board of directors on the outcome of business resumption contingency plan tests.
Q.2. What written documentation is necessary to support completion of the business resumption contingency planning process?
A.2. An institution is expected to have a written business resumption contingency plan and written documentation supporting the plan’s development and validation. At a minimum, an institution should have written documents that cover the following:
- Business resumption contingency plans and methods of implementation, including an evaluation of business resumption contingency planning options and strategies;
- Core business processes and business impact analysis that include failure scenarios and minimum acceptable service and output levels;
- A description of the method of validation, including the specific tests and target dates for completing the tests;
- Results of the testing of the business resumption contingency plans;
- Findings of the qualified and independent review of the business resumption contingency plan and validation processes; and
- Review and approval of the validated business resumption contingency plan by senior management and the board of directors (e.g., minutes of board meeting).
The business resumption contingency plan(s) and all supporting documentation should be available for review by examiners.
Q.3. What is "event planning"? Should an institution's Year 2000 business resumption contingency planning include specific "event planning" strategies? Are institutions expected to complete "event planning" strategies by the June 30, 1999, deadline for the completion of business resumption contingency plans?
A.3. "Event planning" is a loosely defined term used by some financial institutions involved in Year 2000 contingency planning. Event planning is a proactive and detailed planning process that covers monitoring specific operations prior to and during the century rollover or other critical dates, detecting problems and resolving issues related to whether and how to implement business resumption contingency plans, and communicating with appropriate bank officials and customers. It also may involve personnel issues (e.g., vacation/leave policies, the availability of subject matter experts) and communications issues (e.g., command centers, internal and external notification procedures, call center scripts).
The FFIEC believes that event planning is a sound risk management practice that can make Year 2000 business resumption contingency plans more effective. While the FFIEC encourages all institutions to develop event plans, whether such plans are helpful to a particular institution and whether an institution develops event plans are decisions for each institution’s senior management. Operationally complex institutions or institutions that are especially vulnerable to Year 2000-related risks should give special consideration to developing event plans. The FFIEC also encourages institutions to train employees to implement event plans, where appropriate.