Year 2000 Keeps Coming

Last month (May 13, 1998), the bank regulatory agencies issued guidance on contingency planning for Year 2000. It's not enough to plan for Year 2000. Your bank should have a contingency plan in case the Year 2000 project has a problem.

Examiners have already been asking about your Y2K contingency plan. Now we have solid information about what the contingency plan should be.

There are two key elements to the Y2K contingency plan. First, the bank should have a plan for business resumption to address the possible failure of systems at key dates. Second, the bank might need to address remediation planning in the event that it experiences system failures in its Y2K plan.

From the Top
With each issuance, the agencies take the opportunity to send the message that responsibility for Year 2000 sits at the top of the bank. This issuance stresses that "it is imperative that the board of directors and senior management adopt a pro-active role in developing and supervising the contingency planning process."

Not only is the responsibility squarely placed on the top management of the bank; that is where any regulatory consequences will be directed. The agencies remind banks that failure to address Y2K may result in formal or informal supervisory actions, denials of applications, civil money penalties, and reductions in the bank's management component or composite ratings. The message is loud and clear: do not take Y2K lightly. It should be a top priority at the top.

Keeping Options Open
Essentially, a contingency plan is simply a matter of keeping your options open. Betting everything on one process can leave you stranded. To avoid being stranded, keep your options open. The idea of contingency is having an alternative in the event that the plan fails or runs into problems. Compliance managers should be used to this idea.

Contingency planning also means knowing what might go wrong. The trick is anticipating what might go wrong, when, and how. This is a time when having an active imagination is a talent.

In reviewing the Y2K plan, the contingency planner should use this active imagination to identify points at which things can go wrong and what would be needed as a back-up system. The actual elements of the contingency plan will depend on the bank's situation.

The agencies stress that contingency planning is a process. It should not become a static document. It is never a "been there, done that" activity. Actually, it is never done. Contingency planning should evolve along with your Y2K project and be adjusted as there are findings or developments in the Y2K plan.

Essential Elements
Your contingency plan should include four steps. First, establish organizational planning guidelines that define the business continuity planning strategy. This should be directed by the board and senior management. The planning must include assignment of roles and responsibilities (a concept familiar to seasoned compliance managers).

The plan should also include identification of core business processes, including internal and external sources. It should be based on a good working knowledge of the bank, including who, what, when, where, and how things get done. Be practical and use existing procedures to identify responsibilities. Assign responsibilities to people already responsible for the success of that line of business. They'll have a bigger commitment to success if failure means the failure of the business.

Then establish a timeline for resumption for both pre- and post-Year 2000 failures. Finally, this should include a risk management and reporting system, and continuous review and redevelopment, as necessary. Everyone should understand that reporting is critical. Reports should include who knew what, who did or didn't do what, and when.

Second, develop a business impact analysis identifying the potential impact of mission-critical system failures. This step should involve thinking about more than simply computers. Build scenarios around mission critical systems and core businesses. Think through the full impact - phase by phase - of what can happen. In short, this is not a fairy tale. If Cinderella's coach turns into a pumpkin, you need to cope with each detail of getting Cinderella home. Be sure all pieces are in place. Cinderella can't flag down a cab if there are no cabs at that hour, or if she has no money.

Give attention to who needs what information, when they need it, how they use it, and what happens if they don't have it.

Third, develop a contingency plan including a time line and trigger dates. Be realistic and practical. Get a real solution. Walking home in glass slippers is probably not a viable option. Consider the feasibility of what you assume will be a solution.

If you are dealing with vendors, do not rely on the vendor for the solution. After all, the vendor could be the problem. But do take into account the vendor's contingency plans.

Finally, design a method of validation so that the business resumption contingency plan can be tested for viability. These tests should be independent, conducted by skilled individuals who were not a part of the development plan.

Some Practical Tips
In designing your Y2K contingency plan, take some practical considerations into account. First, don't be dependant on anyone outside of the bank. Most important, don't be dependent on your vendor. If you rely on another business as a back-up, your contingency plan is no better than their Y2K plan.

Base your contingency plan on your core business functions. What can you absolutely not allow to fail? What must keep going to keep the bank in business. Establish an independent method to back up those systems. For example, a powerful PC purchased in mid-1999 on which you can back up and run your account data might serve as a contingency plan.

Back up all information. If a system goes down, it is amazing what you can lose. It is much more than customer data and it can take weeks or months to rebuild. That time will not be available in January, 2000. If you work in a small bank, have access to several versions of software in case one fails. Contingency plan assignments must be clear and understood by the people involved. The contingency plan is the bank's fail-safe so it has to work. This makes contingency planning even more vital than Y2K planning. Everyone should know their part and know what they are doing. Communication throughout the bank and the team is essential.

Last, but not least, make sure that the bank has the needed staff present on the key dates. New Years' is a popular time for taking leave and banks often work through the holiday with a skeleton taff. Don't let that happen in 2000!

ACTION STEPS

Draft a board resolution to clearly state that the board understands and undertakes its Y2K responsibilities seriously. Having an official action on the record sends the message two places: to the regulator and to the board members.
Identify core businesses and the key people in those businesses.
Make sure that responsibilities are clearly assigned to key people.
Inventory the information and software on hard drives within the bank. Each person who uses it should identify its importance and suggest a viable contingency plan.
Schedule regular reviews and revisions for your contingency plan. Pick a monthly date that precedes board meetings for updating your plan.
For each board meeting, send the board a brief memo on the status of the Y2K and contingency plans.
Your regulator is most likely to be impressed if this is reflected in the board's minutes.
Warn staff now about 1999-2000 holiday leave restrictions.
While looking at procedures to look for Y2K concerns, use the same process to review procedures for compliance.