Federal Reserve Bank of Dallas

ROBERT D. McTEER, JR.
PRESIDENT AND CHIEF EXECUTIVE OFFICER
DALLAS, TEXAS 75265-5906

November 6, 1998

Notice 98-103

TO: The Chief Executive Officer of each financial institution and others concerned in the Eleventh Federal Reserve District

SUBJECT

Procedures to Manage the Risks Posed by Changes to Information Systems in 1999 and First Quarter 2000

DETAILS

The Board of Governors of the Federal Reserve System has announced procedures to manage changes to its information systems in 1999 and the first quarter of the Year 2000. The change management procedures were developed in conjunction with the Federal Reserve’s Century Date Change Project. The procedures establish guidelines to limit Federal Reserve policy and operational changes as well as internal hardware and software changes during late 1999 and early 2000.

The Federal Reserve plans to complete renovation and testing of its critical information systems by year-end 1998. Subsequent changes to Federal Reserve policies, rules, regulations, and services could impair the Year 2000 readiness of critical information systems. The procedures are designed to balance the need to support changes to critical business processes with the need to limit changes to information systems during this critical period.

Governor Edward W. Kelly, Jr., Chairman of the Federal Reserve Board’s Committee on Federal Reserve Bank Affairs, stated, “By limiting these changes to its systems, the Federal Reserve will also minimize changes that its customers could be required to make to their applications that interface with Federal Reserve System software. In addition, we intend to coordinate our activities with other institutions that typically generate policy and operational changes in the financial industry.”

In that spirit, the Federal Reserve will disseminate its guidelines to assist other organizations that establish rules, regulations, and standards for the financial services industry.

ATTACHMENT

Attached is a summary of the change management procedures.

MORE INFORMATION

For more information, please contact Sam Gray at (214) 922-5723. For additional copies of this Bank’s notice, contact the Public Affairs Department at (214) 922-5254.

Sincerely yours,

For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012; Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

This publication was digitized and made available by the Federal Reserve Bank of Dallas' Historical Library (FedHistory@dal.frb.org)

Century Date Change Project

Procedures to Manage the Risks Posed by Changes to Information Systems in 1999 and First Quarter 2000

October 1998

I. Introduction

The procedures outlined in this document are for managing the risks associated with making changes to Federal Reserve information systems in 1999 and the first quarter of 2000. The goal of the Federal Reserve System is to complete renovation, testing, and certification of its critical information systems by year-end 1998.¹ Subsequent changes to Federal Reserve policies, rules, regulations, and services that generate changes to these critical information systems create the risk that systems may no longer be Century Date Change (CDC) compliant. The risks associated with modifying a system will depend on the timing, scope, type, and complexity of the proposed changes.

II. Change-Management Procedures

A. Scope of the Procedures

The change-management procedures apply to the systems that fall within the scope of the Federal Reserve’s Systemwide CDC Project Office. Changes will be made to information systems in 1999 for a variety of reasons including (1) to support changes to business processes, (2) to make systems Year 2000 compliant, (3) to modernize systems, (4) to make emergency fixes to systems that have failed, and (5) to support routine maintenance. The CDC change-management procedures augment the existing change-management procedures employed by the Federal Reserve System. The CDC test procedures that have been previously published define Year 2000 testing and internal certification criteria.

The CDC change-management procedures do not address specific change scenarios but rather establish a general framework to evaluate risk associated with making changes to information systems. The decision whether to implement a change must balance the following:

• An assessment of the risk associated with failing to support a change to a critical business process and the business benefit derived from implementing a proposed change

• An assessment of the operational risk introduced by a proposed change, including the impact on depository institutions, third party servicers, Treasury, and so forth.

B. Timing of Changes

Generally, the closer to January 1, 2000, that a change is made, the greater the risk because less time remains to test and observe a modified system in production. To manage risk, new systems proposed for implementation in the third and fourth quarters of 1999 and the first quarter of 2000 must be approved according to the procedures outlined in this document. Within this window, there is a moratorium on implementing modifications to systems between October 1, 1999, and March 31, 2000. The moratorium generally does not apply to routine maintenance activities. The process outlined in this document of dealing with exceptions will allow critical changes to be made and implemented in production systems during the moratorium. This process allows fixes and product changes to be made in an emergency situation after they have been approved by the Product Manager. Planned changes that are critical to the operation of a business may also be made if approved.

¹ Certification requires that a business owner acknowledge that testing has met CDC criteria. Certification of a system for CDC readiness is an internal process and is not a representation or warranty by the Federal Reserve.

Rollouts for new systems that have been tested and certified by the end of March 1999 may continue through the third quarter (for example, the conversion to the Federal Reserve System standard, “client” software suite, etc.). Whether rollouts and conversions will continue in the fourth quarter will be determined in mid-1999. Implementation of Year 2000 compliant versions of vendor products may be carried out during the moratorium, but it must be approved. In early March 2000, the benefits of continuing the moratorium through month-end will be reviewed, and if it is deemed appropriate, the moratorium will be lifted. The change-management rules and approval processes are summarized in table 1.

The Federal Financial Institutions Examination Council (FFIEC) has published an interagency statement, Guidance Concerning Testing for Year 2000 Readiness, which includes milestones for testing mission-critical systems. It states that by December 31, 1998, “testing of internal mission-critical systems should be substantially complete” and by June 30, 1999, “testing of mission-critical systems should be complete.” Modifications to systems after December 1998 that involve changes to dataflows between the Federal Reserve and depository institutions must be carefully evaluated to determine the impact on the institutions. Depending upon the type of change, institutions may need to retest critical systems with the Federal Reserve in order to evaluate these systems for Year 2000 compliance.

C. Assessing the Impact of Changes

To assess the impact of changes planned during the limitation window, the Product and Support Offices will be surveyed during the fourth quarter of 1998. The goal of the survey is to identify significant changes planned for critical applications in 1999 and the first quarter 2000. Information on implementation plans for new systems that are tracked by the national CDC program will also be collected. An update to the survey data will be made in March 1999. The survey data will be analyzed by the CDC Project Office to determine whether proposed changes create unmanageable risk or workload.

Changes that are proposed following the March 1999 survey will require a written impact assessment from the business owner (for example, Product and Function Offices). The assessment will be forwarded to the CDC Project Office, and the request will be analyzed and approved or disapproved as described in the following section.

D. Reviewing and Approving Proposed Changes

Business owners will provide information regarding the benefits and risks associated with implementing significant changes to production systems. When performing the analysis, owners will carefully assess the impact of changes on other entities both inside and outside the Federal Reserve System. The CDC Project Office will focus its assessments on the extent to which the business analysis documented in the surveys has adequately identified risks in the broader context (for example, the risks associated with multiple changes occurring simultaneously). The Project Office through the CDC Project Manager will communicate any concerns to the business owners in a timely manner. If material differences cannot be resolved, the business owners will seek review by senior executives.

E. Applicability of the Change-Management Procedures to Local Systems

The Board and the Reserve Banks will implement procedures for managing change to “district components,” including district-unique systems, local-area networks, “desktop applications,” systems “embedded” in elevators and building control facilities, market data systems, and so forth. The national CDC change-management procedures will serve as a guideline for developing local Year 2000 change-management procedures.

F. Managing the Backlog

A backlog of business initiatives and demand for information systems will be created as a result of the moratorium. In the second half of 1999 a plan will be developed to set priorities to manage the implementation of new and modified systems beginning in April 2000.

III. Managing Internal and External Factors that Create Change

Proposals for changes to Federal Reserve policies, rules, regulations, and services that create changes to mission-critical systems operated by the Federal Reserve, depository institutions, third-party servicers, or Treasury will identify CDC risks posed by the changes. The Board and the Reserve Banks will consider the risks in their decisionmaking processes.

The change-management rules will be broadcast to institutions that direct or influence the Federal Reserve’s responsibilities and services. Organizations will be educated about the Federal Reserve’s program to manage the risks posed by change and will be asked to consider the risks in their decisionmaking process as well.

In addition, the Board will review its regulations and the Reserve Banks and the Board will review the Districts’ operating circulars and other policies to determine whether modifications are warranted (for example, changes to provisions regarding merger transition accounting). The goal is to carefully manage changes that impact the operations and information systems of depository institutions.

IV. Maintaining the Change-Management Procedures

Proposed revisions to the change-management procedures should be submitted to the Project Office.

Table 1
Change-Management Rules

1st Qtr. 1999 and 2nd Qtr. 1999

Change Actions¹: All changes may be made. Changes including implementation of new systems may be made.

Approval Required: No approval required.

3rd Qtr. 1999 (Limitation Window)

Change Actions¹: Discretionary changes should be postponed to second quarter 2000. Changes to existing systems (internal or vendor supplied) may be implemented. This includes CDC compliant versions of vendor products. Rollout of new systems implemented prior to third quarter may continue. Emergency fixes to existing systems may be made.

Approval Required: Changes to existing systems do not require approval. New systems proposed for implementation require a joint review by the business owner and CDC Project Office with approval by the business owner. Emergency fixes may be authorized by product offices.

4th Qtr. 1999 (Limitation Window, Moratorium)

Change Actions¹: No changes should be implemented unless critical to a business and approved. CDC compliant versions of vendors products may be implemented if approved. Emergency fixes to existing systems may be made. After Dec. 19 emergency fixes must be approved per procedure.

Approval Required: All changes proposed require a joint review by the business owner and the CDC Project Office with approval by the business owner. Implementation of CDC compliant vendors products require a joint review by the business owner and CDC Project Office with approval by the owner. Emergency fixes may be authorized by product offices through Dec. 19. The CDC Project Office should be notified as soon as possible but no later than two business days following the fixes. Routine maintenance must receive prior approval starting Dec. 19.¹

1st Qtr. 2000 (Limitation Window, Moratorium)

Change Actions¹: No changes unless critical to a business and approved. CDC compliant versions of vendors products may be implemented if approved. After Jan. 15 emergency fixes to existing systems may be made.

Approval Required: All changes proposed require a joint review by the business owner and the CDC Project Office with approval by the business owner. Implementation of CDC compliant vendors products require a joint review by the business owner and CDC Project Office with approval by the owner. Emergency fixes between Jan. 1 and Jan. 15 may be approved per severity-one procedure. After Jan. 15 emergency fixes may be authorized by the Product Office. The CDC Project Office must be notified of changes as soon as possible but no later than two business days. After Jan. 15 routine maintenance may be performed without prior approval.¹

¹ Change actions include maintenance; enhancements; and the introduction of new or upgraded hardware, environmental systems, and applications software. Routine maintenance except in the period noted above (Dec. 19, 1999 - Jan. 15, 2000) is exempt from the change-management procedures.