|
This is worth a chuckle.
What is the contingency plan for a worldwide bank run? Half a billion people come down to the worlds' banks to demand their money, which they have been promised is available on demand. "Demand" barely expresses it!
They understand that there is no cash in the bank, but they want their money anyway. They can see from the long lines that every bank will be bankrupt in 2000, so they want their money now. They recognize that the Millennium Bug threatens all of their savings, as well as all payments by check and all credit cards. They see clearly that almost every business dependent on bank loans and bank transactions will go bankrupt in 2000. They want their money. In cash. Now.
What is the proper continency plan for the local bank under such circumstances? Here is a specific suggestion from the U.S. government:
"For example, an ATM network failure may necessitate increased teller staff to accommodate increased lobby traffic."
That's what this document is all about: insightful, relevant guidance for the last days of fractional reserve banking. It was drawn up by a committee whose members' only familiarity with a bank run is the scene in "It's a Wonderful Life" where Jimmy Stewart hands out his honeymoon money to frantic depositors. And the depositors don't come back the next day, either. Why not? The script writers never said.
The FFIEC (Federal Financial Institutions Examination Council) has now called on bankers to draw up written contingency plans. This document lays out their responsibilities. This is called passing the buck. We're talking about several trillion bucks.
One thing is clear: the senior bureaucracy of FFIEC, by issuing this press release, has done due diligence, and cannot possibly, for any reason, be held liable for anything by anyone under any circumstances. This document has sections and subsections, all properly numbered. But just in case, there will surely be more press releases.
In the final phase of a society or a civilization, those who make official decisions issue lots of official orders. Right down to the day that the lights go out, the orders keep rolling out of offices filled with busy, important-looking people. That way, things won't seem so dark when the lights go out. "We tried! We really did. We issued forms in triplicate. What else could we have done?"
What else, indeed?
And so, when the lights do go out, and the barbarians are at the gate, seek spiritual comfort from these words:
"The guidance provided in this paper is modeled after the United States General Accounting Office exposure draft 'Year 2000 Computing Crisis: Business Continuity and Contingency Planning,' released in March 1998 (GAO/AIMD-10.1.19 at www.gao.gov)."
And should you still feel empty, how about this?
"The FFIEC recognizes that each financial institution operates with a unique aggregation of technological resources within the confines of a predefined operating structure."
We live in a civilization governed by words such as these. How could such a civilization fall?
As you read this, pretend that you are a senior official at a bank. This document tells you that you are responsible: 100% responsible. You search in vain in this document for an answer to this question: "But what, exactly, am I supposed to do?" Here is the document's final answer:
"The Year 2000 contingency plan should be in writing and documented to support the conclusions and procedures therein. The board of directors and senior management are responsible for ensuring that the Year 2000 contingency plan is comprehensive and adapted for the unique attributes of their financial institution."
What is the rational response to this paragraph? A letter of resignation comes to mind.
* * * * * * *
May 13, 1998
To: The Board of Directors and Chief Executive Officer of all federally supervised financial institutions, service providers, software vendors, senior management of each FFIEC agency, and all examining personnel. . . .
Another essential component of preparing for the Year 2000 problem and beyond is developing options for the board of directors and senior management if any or all of the financial institution's systems fail or cannot be made Year 2000 ready. The interagency statement "Guidance Concerning Institution Due Diligence in Connection with Service Provider and Software Vendor Year 2000 Readiness," issued March 17, 1998, recommended that financial institutions adopt contingency plans for their mission-critical services and products. That issuance also provided guidance for developing contingency plans designed for external providers. The FFIEC has also issued previous guidance on contingency planning.²
The guidance provided in this paper is modeled after the United States General Accounting Office exposure draft "Year 2000 Computing Crisis: Business Continuity and Contingency Planning," released in March 1998 (GAO/AIMD-10.1.19 at www.gao.gov).
Purpose
The purpose of this guidance is to assist the board of directors and senior management of financial institutions as they refine the Year 2000 contingency plans developed during the assessment phase. . . .
Summary
The FFIEC recognizes that each financial institution operates with a unique aggregation of technological resources within the confines of a predefined operating structure. Thus, there are no ideal or simple solutions to Year 2000 contingency planning. This policy statement presents guidance and recommendations, but is not intended to be an all-inclusive Year 2000 contingency planning solution. Each financial institution must evaluate its own unique circumstances and environment to develop a comprehensive plan to ensure its ability to continue as a functioning business entity after January 1, 2000. The board of directors and senior management should attach a high priority to the development, validation, and implementation of the Year 2000 contingency plan.
To produce a viable Year 2000 business resumption contingency plan in a cost effective manner, each financial institution should evaluate the risks associated with the failure of core business processes. . . .
The four phases of the Year 2000 business resumption contingency planning process should include:
1.Establishing Organizational Planning Guidelines that define the business continuity planning strategy;
2.Completing a Business Impact Analysis where the financial institution assesses the potential impact of mission-critical system failures;
3.Developing a Contingency Plan that establishes a timeline for implementation and action, circumstances, and trigger dates for activation; and
4.Designing a method of Validation so that the business resumption contingency plan can be tested for viability.
The phases of the process are more fully discussed below. . . .
A Year 2000 business resumption contingency plan should be designed to provide assurance that the mission-critical functions will continue if one or more systems fail. Furthermore, it should not be viewed as a static document, but as a process that should be reviewed, updated, and validated on a continuous basis. . . .
Define and document Year 2000 failure scenarios. Consider the risk of both internal and infrastructure failures. The results of tests run on renovated systems may lead to the development of the failure scenarios. For example, an ATM network failure may necessitate increased teller staff to accommodate increased lobby traffic. . . .
Year 2000 Business Resumption Contingency Planning The financial institution should now develop its Year 2000 business resumption contingency plan based on the priorities established during the business impact analysis. The plan should be documented and organized so that it can be easily changed if necessary.
Evaluate options and select the most reasonable contingency strategy.
The strategy should be cost-effective, practical and appropriate for the size, complexity, and type of information systems used. In selecting a strategy, consider the cost and functionality of the strategy and the feasibility of deploying the event timeline. The primary goal should be to maximize the functionality and speed of recovery. Financial institutions serviced by third-parties should develop strategies that take into account the contingency alternatives outlined in those third-party contingency plans.
Identify contingency plans and implementation modes.
Develop a specific recovery plan for each core business process that considers the minimum level of acceptable output. Evaluate the need for specific strategies such as quick fixes, partial replacement outsourcing or other alternatives. The plan could include consideration of whether the systems to support the core business processes could be replaced by manual or automated processes. . . .
Other important review processes to consider include:
Legal counsel reviews of data processing and service providers' contracts where necessary to determine the responsibilities of each of the parties; Comprehensive review of all of data processing insurance coverage;
Public relations responsibilities that are organized and delegated to specific individuals or committees ensuring that appropriate staff make accurate statements;
Review of all Local Area Network (LAN) and Wide Area Network (WAN) access to other systems;
and Review and testing the financial institution's disaster recovery site to ensure that Year 2000 capable hardware is available if needed. . . .
If a mission-critical application or system has been remediated, tested and implemented, a remediation contingency plan is not required. If internal remediation efforts or vendors are expected to provide Year 2000 ready products and services within a short period of time (no later than July 31, 1998), remediation contingency plans may not be necessary for those systems. However, the financial institution should establish a firm date that would trigger completion of the remediation contingency plan should internal efforts or the efforts of the institution's vendor or servicer fail to provide a Year 2000 ready product or service.
If a system is in the process of remediation, and is on schedule to meet FFIEC timeframes, comprehensive remediation contingency plans may not be necessary. At a minimum, financial institutions should develop remediation contingency plans which (1) outline the alternatives available if remediation efforts are not successful, (2) consider the availability of alternative service providers or software vendors, and (3) establish trigger dates for activating the remediation contingency plan, taking into account the time necessary to convert to alternate service providers or software vendors.
The FFIEC understands that ensuring the availability of an alternative servicer or vendor may require payment of a fee. Whether or not to pay this fee is a business decision that the financial institution board of directors and senior management must make. The decision should consider the probability of failure of the institution's internal efforts, or the remediation efforts of existing service providers or software vendors. . . .
The Year 2000 contingency plan should be in writing and documented to support the conclusions and procedures therein. The board of directors and senior management are responsible for ensuring that the Year 2000 contingency plan is comprehensive and adapted for the unique attributes of their financial institution.
|