View PDF

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

Federal Reserve Bank
of

DALLAS

ROB E RT D. McTE ER, JR.

DALLAS, TEXAS
75265-5906

P R E S ID E N T
AND C H IE F E X E C U T I V E O F F I C E R

November 6, 1998
Notice 98-103

TO: The Chief Executive Officer of each
financial institution and others concerned
in the Eleventh Federal Reserve District

SUBJECT
Procedures to Manage the
Risks Posed by Changes to Information Systems in
1999 and First Quarter 2000
DETAILS
The Board of Governors of the Federal Reserve System has announced procedures to
manage changes to its information systems in 1999 and the first quarter of the Year 2000. The
change management procedures were developed in conjunction with the Federal Reserve’s
Century Date Change Project. The procedures establish guidelines to limit Federal Reserve
policy and operational changes as well as internal hardware and software changes during late
1999 and early 2000.
The Federal Reserve plans to complete renovation and testing of its critical informa­
tion systems by year-end 1998. Subsequent changes to Federal Reserve policies, rules, regula­
tions, and services could impair the Year 2000 readiness of critical information systems. The
procedures are designed to balance the need to support changes to critical business processes
with the need to limit changes to information systems during this critical period.
Governor Edward W. Kelly, Jr., Chairman of the Federal Reserve Board’s Committee
on Federal Reserve Bank Affairs, stated, “By limiting these changes to its systems, the Federal
Reserve will also minimize changes that its customers could be required to make to their applica­
tions that interface with Federal Reserve System software. In addition, we intend to coordinate
our activities with other institutions that typically generate policy and operational changes in the
financial industry.”

For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal
Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012;
Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

This publication was digitized and made available by the Federal Reserve Bank of Dallas' Historical Library (FedHistory@dal.frb.org)

-

2

-

In that spirit, the Federal Reserve will disseminate its guidelines to assist other orga­
nizations that establish rules, regulations, and standards for the financial services industry.
ATTACHMENT
Attached is a summary of the change management procedures.
MORE INFORMATION
For more information, please contact Sam Gray at (214) 922-5723. For additional
copies of this Bank’s notice, contact the Public Affairs Department at (214) 922-5254.
Sincerely yours,

Century Date Change Project
Procedures to Manage the Risks
Posed by Changes to Information Systems
in 1999 and First Quarter 2000
October 1998
L

Introduction

The procedures outlined in this document are for managing the risks associated with making
changes to Federal Reserve information systems in 1999 and the first quarter o f2000. The goal of the
Federal Reserve System is to complete renovation, testing, and certification of its critical information
systems by year-end 1998.1Subsequent changes to Federal Reserve policies, rules, regulations, and
services that generate changes to these critical information systems create the risk that systems may no
longer be Century Date Change (CDC) compliant. The risks associated with modifying a system will
depend on the timing, scope, type, and complexity of the proposed changes.
JL Change-M anagement Procedures
A

Scope o f the Procedures

The change-management procedures apply to the systems that fall within the scope of the Federal
Reserve’s Systemwide CDC Project Office. Changes will be made to information systems in 1999 for a
variety of reasons including (1) to support changes to business processes, (2) to make systems Year
2000 compliant, (3) to modernize systems, (4) to make emergency fixes to systems that have failed, and
(5) to support routine maintenance. The CDC change-management procedures augment the existing
change-management procedures employed by the Federal Reserve System. The CDC test procedures
that have been previously published define Year 2000 testing and internal certification criteria.
The CDC change-management procedures do not address specific change scenarios but rather
establish a general framework to evaluate risk associated with making changes to information systems.
The decision whether to implement a change must balance the following:
An assessment of the risk associated with failing to support a change to a critical business
process and the business benefit derived from implementing a proposed change
•

B.

An assessment of the operational risk introduced by a proposed change, including the impact
on depository institutions, third party servicers, Treasury, and so forth.

Timing o f Changes

Generally, the closer to January 1,2000, that a change is made, the greater the risk because less
time remains to test and observe a modified system in production. To manage risk, new systems pro­
posed for implementation in the third and fourth quarters of 1999 and the first quarter o f2000 must be
approved according to the procedures outlined in this document. Within this window, there is a morato­
rium on implementing modifications to systems between October 1,1999, and March 31,2000. The
1 Certification requires that a business owner acknowledge that testing has met CDC criteria. Certification o f a
system for CDC readiness is an internal process and is not a respresentation or warranty by the Federal Reserve.
1

moratorium generally does not apply to routine maintenance activities. The process outlined in this
document of dealing with exceptions will allow critical changes to be made and implemented in produc­
tion systems during the moratorium. This process allows fixes and product changes to be made in an
emergency situation after they have been approved by the Product Manager. Planned changes that are
critical to the operation of a business may also be made if approved. Rollouts for new systems that have
been tested and certified by the end of March 1999 may continue through the third quarter (for ex­
ample, the conversion to the Federal Reserve System standard, “client” software suite, etc.). Whether
rollouts and conversions will continue in the fourth quarter will be determined in mid-1999. Implementa­
tion of Year 2000 compliant versions of vendor products may be carried out during the moratorium, but
it must be approved. In early March 2000, the benefits of continuing the moratorium through monthend will be reviewed, and if it is deemed appropriate, the moratorium will be lifted. The change-management rules and approval processes are summarized in table 1 (page 4).
The Federal Financial Institutions Examination Council (FFIEC) has published an interagency
statement, Guidance Concerning Testingfo r Year 2000 Readiness, which includes milestones for
testing mission-critical systems. It states that by December 31,1998, “testing of internal mission-critical
systems should be substantially complete” and by June 30,1999, “testing of mission-critical systems
should be complete.” Modifications to systems after December 1998 that involve changes to dataflows
between the Federal Reserve and depository institutions must be carefully evaluated to determine the
impact on the institutions. Depending upon the type of change, institutions may need to retest critical
systems with the Federal Reserve in order to evaluate these systems for Year 2000 compliance.
C. Assessing the Impact o f Changes
To assess the impact of changes planned during the limitation window, the Product and Support
Offices will be surveyed during the fourth quarter of 1998. The goal of the survey is to identify significant
changes planned for critical applications in1999 and the first quarter 2000. Information on implementa­
tion plans for new systems that are tracked by the national CDC program will also be collected. An
update to the survey data will be made in March 1999. The survey data will be analyzed by the CDC
Project Office to determine whether proposed changes create unmanageable risk or workload.
Changes that are proposed following the March 1999 survey will require a written impact assess­
ment from the business owner (for example, Product and Function Offices). The assessment will be
forwarded to the CDC Project Office, and the request will be analyzed and approved or disapproved
as described in the following section.
D. Reviewing and Approving Proposed Changes
Business owners will provide information regarding the benefits and risks associated with imple­
menting significant changes to production systems. When performing the analysis, owners will carefully
assess the impact of changes on other entities both inside and outside the Federal Reserve System.
The CDC Project Office will focus its assessments on the extent to which the business analysis
documented in the surveys has adequately identified risks in the broader context (for example, the risks
associated with multiple changes occurring simultaneously).
The Project Office through the CDC Project Manager will communicate any concerns to the
business owners in a timely manner. If material differences cannot be resolved, the business owners will
seek review by senior executives.

E.

Applicability o f the Change-M anagement Procedures to Local Systems

The Board and the Reserve Banks will implement procedures for managing change to “district
components,” including district-unique systems, local-area networks, “desktop applications,” systems
“embedded” in elevators and building control facilities, market data systems, and so forth. The national
CDC change-management procedures will serve as a guideline for developing local Year 2000 changemanagement procedures.
F.

Managing the Backlog

A backlog of business initiatives and demand for information systems will be created as a result of
the moratorium. In the second half of 1999 a plan will be developed to set priorities to manage the
implementation of new and modified systems beginning in April 2000.
HI. Managing Internal and External Factors that Create Change
Proposals for changes to Federal Reserve policies, rules, regulations, and services that create
changes to mission-critical systems operated by the Federal Reserve, depository institutions, third-party
servicers, or Treasury will identify CDC risks posed by the changes. The Board and the Reserve Banks
will consider the risks in their decisionmaking processes.
The change-management rules will be broadcast to institutions that direct or influence the Federal
Reserve’s responsibilities and services. Organizations will be educated about the Federal Reserve’s
program to manage the risks posed by change and will be asked to consider the risks in their
decisionmaking process as well.
In addition, the Board will review its regulations and the Reserve Banks and the Board will review
the Districts’ operating circulars and other policies to determine whether modifications are warranted
(for example, changes to provisions regarding merger transition accounting). The goal is to carefully
manage changes that impact the operations and information systems of depository institutions.
IV. Maintaining the Change-Management Procedures
Proposed revisions to the change-management procedures should be submitted to the Project
Office.

3

Table 1
Change-Management Rules

-------- M oratorium -----------------------------Lir nitation Window

Approval
Required

Discretionary
changes should be
postponed to
second quarter
2000.

Changes to
existing systems
(internal or vendor
supplied) may be
implemented. This
includes CDC
com pliant versions
o f vendor
products.

No changes should
be implemented
unless critical to
a business and
approved.

No changes unless
critical to a business
and approved.

Rollout o f new
systems imple­
mented prior to
third quarter may
continue.

CDC compliant
versions o f vendors
products may be
implemented if
approved.

CDC compliant
versions o f vendors
products may be
implemented if
approved.

Emergency fixes
to existing systems
may be made.

After Dec. 19
emergency fixes
must be approved
per procedure.

After Jan. 15
emergency fixes to
existing systems
may be made.

No approval
required.

Changes to existing
systems do not
require approval.

All changes
proposed require a
joint review by the
business owner and
the CDC Project
Office with
approval by the
business owner.

All changes
proposed require a
joint review by the
business owner and
the CDC Project
Office with
approval by the
business owner.

Im plem entation o f
CDC compliant
vendors products
require a joint
review by the
business owner and
CDC Project Office
with approval by
the owner.

Im plem entation o f
CDC compliant
vendors products
require a joint
review by the
business owner and
CDC Project Office
with approval by
the owner.

Emergency fixes
may be authorized
by product offices.

Emergency fixes
may be authorized
by product offices
through Dec. 19.
The CDC Project
Office should be
notified as soon as
possible but no later
than two business
days following the
fixes.

Emergency fixes
between Jan. 1 and
Jan. 15 may be
approved per
severity-one
procedure. After
Jan. 15 emergency
fixes may be
authorized by the
Product Office.
The CDC Project
Office must be
notified o f changes
as soon as possible
but no later than
two business days.

Routine m ainte­
nance must receive
prior approval
starting Dec. 19.'

No approval
required.

1st Qtr. 2000

New systems
proposed for
im plem entation
require a joint
review by the
business owner and
CDC Project
Office with
approval by the
business owner.

Change
Actions1

4th Qtr. 1999

Emergency fixes
to existing systems
may be made.

All changes may
be made.

3rd Qtr. 1999

Changes including
im plem entation o f
new systems may be
made.

1st Qtr. 1999

After Jan. 15
routine m aintenance
may be performed
without prior
app rov al.1

2n Qtr. 1999
d

1 Change actions include maintenance; enhancements; and the introduction o f new or upgraded hardware, environmental systems,
and applications software. Routine maintenance except in the period noted above (Dec. 19, 1999 - Jan. 15, 2000) is exempt from
the change-management procedures.

4


Federal Reserve Bank of St. Louis, One Federal Reserve Bank Plaza, St. Louis, MO 63102