Given the
potential seriousness and wide scope of Year 2000 problems, it is
important for the management of each AI to attach high priority,
and commit adequate resources, to Year 2000 contingency planning
and regularly monitor its progress. Depending on its size and scale
of operations, each AI should set up a dedicated task force with
well-defined accountability and reporting lines, and involvement
of senior executives, business lines, risk control, IT and facilities
managers to perform Year 2000 contingency planning.
(a) Risks identification and assessment
AIs should identify the possible risks posed by the Year 2000
issues, particularly those associated with the failure of core
business processes, and make assessments of the probability of
each of the risks arising and the impact if they do arise.
Core business functions are those that must be performed to ensure
that the AI continues to be a viable business entity. Regardless
of the methods and basis adopted for the assessments, the main
purpose is to facilitate the AI to prioritise its resources to
the critical areas and plan the necessary prevention and mitigation
measures accordingly.
It will be important for AIs to assess different kinds of risk
including -
System risk such as:
- Failure of financial infrastructure (e.g. payment systems,
exchanges, market data);
- Failure of communications systems;
- Failure of other public infrastructure (e.g. power, transport).
Project risk such as:
- Year 2000 remediation not finished in time or replacement
systems not delivered on schedule;
- Errors not detected by Year 2000 testing;
- Problems with third-parties being either non-compliant or
having adopted an incompatible approach, and which is not detected
by external testing.
Operational risk such as:
- Failure of facilities (e.g. building management systems, access
controls, air conditioning);
- Availability of key and other human resource - ensuring staff
are prepared to work over a holiday period and confirming their
ability to get to work;
- The added complication of year-end processing;
- System failure despite comprehensive testing;
- Financial loss on FX, interest rates and securities exposures
due to inability to perform trading and settlement in a timely
manner, as a result of Year 2000 problems.
Credit and liquidity risk such as:
- Exposure to customers and counterparties, including those
relating to the bank's own investments and investments it manages
on behalf of its clients;
- Country risks;
- Risks arising from the concerns of counterparties including
customers and depositors over Year 2000 readiness of certain
banks leading to liquidity problems, or in the extreme, a bank
run.
Individual task owners responsible for the risk identification
and assessment should be clearly identified.
In identifying the risks, AIs should apply as much lateral thinking
as possible. Risk should not be ignored simply because AIs think
that the probability of occurrence or the impact is low or difficult
to assess. Probability and impact assessments must be substantiated
in writing and reviewed from time to time.
It can be seen from the above that AIs' counterparty assessment
framework should form part of the contingency plan especially
in relation to credit and liquidity risks. The HKMA issued a guidance
note on 7 October 1998 making clear that assessment should be
made not only on individual material counterparties, but also
common dependencies of groups of counterparties. AIs should review
their country risks in this context. A possible assessment framework
is provided at Annex 1.
(b) Preventive, mitigation and contingency measures
AIs should plan for appropriate measures to address the risks
identified. Priority should be given to the most critical areas
based on the risk assessments. Since the Year 2000 critical dates
are known, AIs are able to take the following types of measures:
i. measures taken in advance to prevent the risk scenarios from
occurring ("preventive measures"), e.g. arranging further testing
activities on the systems used by the institutions and their
system interfaces;
ii. measures taken in advance to reduce the impact on AIs in case
the risk scenarios really occur ("mitigation measures"), e.g.
staggering the settlement dates of transactions to avoid falling
around the Year 2000 critical dates; and
iii. measures taken upon the occurrence of the scenarios (e.g., system
failure, overreaction of customers) in order to contain the impact
of the events ("contingency measures").
In considering the risk scenarios and the appropriate counter
measures, AIs will notice that their ability to take action will
vary. Potential problems will range from matters within the full
control of AIs (e.g. internal systems) on which AIs can take whatever
action they consider appropriate, to those totally outside the
AIs' control (e.g. civil unrest in a foreign country which may
impact on a large group of the institution's existing clients).
However, most scenarios will fall in between, i.e. there will
be no absolute control but some influence can be exerted. Where
this is the case, some kind of preventive measures are possible.
AIs therefore should not lightly dismiss the possibility of preventive
measures simply because the matter seems beyond their control.
For example, AIs should not assume that the building services system supporting
their rented accommodation is beyond their control. They can exert
pressure on their landlords to conduct a proper Year 2000 programme
to prevent problems from occurring.
AIs' board of directors and senior management should ensure that
the Year 2000 contingency plan is comprehensive and viable to
provide assurance that the mission-critical functions will continue
if one or more systems fail. However, it should be understood
that it may not always be possible to establish a contingency
response that allows a normal level of service/operation to continue
in the face of a particular risk. Acceptable responses should
therefore include operating at a reduced service level. AIs should
establish what is the minimum level of activities and services
for each of their core business functions and for how long it
would be viable to maintain such a minimum level. The contingency
plan should include strategies to enable such activities and services
to be maintained e.g. quick fix, partial or full replacement or
use of similar facilities owned by another institution. More detailed
guidance on this area is provided at Annex 2.
It is also important to ensure that the measures developed do
not conflict with each other so that one part of the business
does not simply push an emerging problem elsewhere.
On the other hand, if simultaneous failures are probable, the
measures should be able to deal with such situations. Institutions
should predefine priority for the resumption of services should
there be multiple failures so that the most critical services
are restored first.
Institutions should also take into account the possibility of
secondary failure, which is the failure of the standby systems
or arrangements that will be relied upon in the contingency measures
to resume critical business processes. Although the standby system
or arrangements may not be originally critical in nature, institutions
should ensure that such standby system or arrangements will be
functioning properly and able to support the contingency measures
concerned.
As speed of response is paramount to prevent a Year 2000 failure
from degenerating into a crisis situation, contingency measures
should set out clearly step-by-step the actions necessary to respond
to each identified risk scenario. All the details (e.g., the triggering
criteria and the authority required for invocation of the contingency
measures) about the contingency measures should be documented
in Year 2000 contingency plans. Senior management approval for
the contingency plan should be obtained so that the need for further
approval by the senior management before executing the contingency
measures can be minimised as far as possible.
AIs should develop timelines summarising the milestones for developing,
testing and implementing the necessary measures and other preparations
in 1999 up to early 2000. An example of such a timeline is provided
at Annex 3. The strategies and measures adopted should be
pragmatic. There will be limited opportunity for a second attempt.
Again individual task owners responsible for the development,
testing and implementation of the measures should be clearly identified.
(c) Year 2000 command centre
AIs will need to establish Year 2000 command centres for management
and co-ordination of quick detection of, and response to, Year
2000 related problems in relation to their internal systems as
well as the external environment during the period of Year 2000
critical dates. At a minimum, these should include 9.9.1999
(Thursday), 1.1.2000 (Saturday), 3.1.2000
(Monday) and 29.2.2000 (Tuesday). The command centre should be
a high-level set-up which can respond decisively to risks
or crises, whether or not they are anticipated in the contingency
plan, and which can effectively communicate information with relevant
staff and external parties.
AIs should develop rosters of planned activities, primarily "wellness
checks", during the Year 2000 critical dates. This is to
enable the command centres to monitor and assess the actual performance
of various internal and external systems
to identify whether they are operating as usual. Because of time
zone differences, date changes will take place in New Zealand,
Australia and Japan before Hong Kong. It will also be useful if
institutions could monitor the relevant events in these countries
so as to gain some extra time for preparation.
The command centre should keep track of all the exceptions identified
and co-ordinate their timely resolutions. There should be a pre-agreed
mechanism during the period of Year 2000 critical dates for the
command centres to escalate the issues to the AIs' management
or direct the "crisis management teams" to deal with
the issues. It is important that the activities of the command
centres should be properly documented to provide sufficient audit
trails.
(d) Crisis management teams
AIs will also need to establish "crisis management teams"
which are tasked with speedy resolution of Year 2000 problems
as they occur. The primary responsibility of these teams is to
manage the implementation of the contingency plans and deal with
a wide range of operational problems. Moreover, these teams should
also handle issues for which there are no specific contingency
measures or if the contingency measures become ineffective in
practice. Accordingly, these teams should comprise senior executives,
public relation managers, key business line managers, IT and facilities
staff.
(e) Public relation and communication strategy
As mentioned above, Year 2000 is not only an issue of business
continuity, but also one of public confidence. An effective public
relation and communication strategy is therefore an integral part
of any Year 2000 contingency plans.
A good public relation strategy should aim at preventing panic
from arising in the first place and effectively communicating
with the public should any problems actually occur. AIs should
be aware that 1 January 2000 is a public holiday and 2 January
2000 is a Sunday. These are non-banking days. However, institutions'
retail systems, e.g. ATMs, credit cards, etc will still be operating.
It is important that no disruptions will occur to such systems
during this period. If there is any problem, AIs should be ready
to communicate with the public in a manner designed to minimise
the impact on confidence.
(f) Testing
Year 2000 contingency plans should be thoroughly tested before
they can be considered viable, especially in relation to the contingency
measures and functioning of the Year 2000 command centres and
crisis management teams. Testing (including rehearsals) is crucial
to ensure:
i. identification of areas which have not been addressed;
ii. detection of errors or underlying assumptions; and
iii. appropriate training of staff involved.
Realistic test scenarios should be developed which exercise all
key aspects of the contingency plan. The scenarios should be properly
documented and agreed with those directly involved in the tests.
Test results should also be documented. Based on the test results,
modifications should be made to the plan as appropriate.
Every endeavour must be made to make the testing in critical
areas as extreme as possible. Testing should be conducted before
invocation of contingency measures is likely, which may be well
before the end of 1999 e.g., due to liquidity problems caused
by concerns of customers and depositors.
(g) Administrative arrangements
AIs may also need to put in place certain administrative arrangements
in view of the century date change. For example, AIs may need
to ensure that key staff will be available during the period of
Year 2000 critical dates. Standby or additional security measures
may need to be arranged to ensure preservation of security over
all relevant locations.
(h) Regular reviews
All risks, assumptions and contingencies must be regularly reviewed
to ensure that they remain valid for changing business circumstances
and the external environment. Such reviews are key components
of the planning timetable. In addition, it will be useful for
AIs to seek independent review of the work of Year 2000 contingency
planning for quality assurance purposes. This can be done either
by the institution's internal auditor or an external party with
relevant expertise in this area. A checklist of possible criteria
for assessing the adequacy of a Year 2000 contingency plan is
at Annex 4 for AIs' reference.