1. Making sure that an appropriate strategic approach is developed by determining how best to achieve Year 2000 compliance within an institution's organisational structure represents the first phase. This phase includes an initial, high-level sizing of the issue and developing a plan as to how best introduce the process throughout the organisation. This phase often relies heavily on technical staff knowledge of how information systems and technology are deployed and how business units are organised and interact with limited contact with business line areas. During this initial planning process, particular attention should be paid to assuring that, during the organisational awareness phase, business lines will develop an understanding that the Year 2000 issue is not only a technical issue but a strategic one for each business line and that the business lines have ultimate ownership of the issue.

Creating organisational awareness

2. Making certain that the strategic importance of the Year 2000 as a business objective is understood and appreciated throughout the organisation may be the most important phase in the action plan. This phase has four basic objectives: creating visibility, ensuring commitment, identifying resources, and formulating specific strategic objectives at a business line level.

3. Creating visibility throughout the business organisation is essential. Everyone must be aware of the potential problems posed by the date issue and become sensitive to applications where it might be an issue. Only in this way will all local applications be identified and addressed appropriately.

4. The recognition that the Year 2000 may be a survival issue requires a commitment from top management for its successful resolution as a strategic priority. Senior management and directors need to understand the issue and its implications and monitor progress on a regular basis. Specific responsibility for managing the issue should be clearly assigned. For larger organisations, a project office focused solely on the Year 2000 issue is recommended. Partnerships between technical staff and business lines must be developed with the business line managers accepting ultimate accountability to address the issue successfully.

5. Resource estimates need to be determined and built into budgets. Business lines need to recognise that testing will be the single most important resource intensive part of the project and that responsibility for designing test plans and carrying out the tests rest with the business. Senior management must appreciate that becoming Year 2000 compliant can rarely be achieved as part of normal business operations and budgets. All applications throughout the bank must be addressed but some level of required maintenance and new product development must typically proceed.

6. Strategic decisions must be made at this stage because technology and business line resources will have to be redeployed. Opportunities exist to repair, replace, outsource or eliminate applications. Senior level guidance on how to make these decisions becomes critical.

Assessing actions and developing detailed plans

7. This phase moves the project from concept to concrete actions. Detailed inventories of what must be done are developed covering centralised and decentralised hardware, software and networks as well as equipment with embedded computer chips and logic. Particular care is needed to make sure that applications developed or procured locally at the business line level are included in the inventory. The inventories should include all aspects of business line activities whether internal to the organisation or external to it. Risks should be quantified and priorities set based on these risks.

8. Internal partnerships between technical staff and business lines should be solidified. The responsibilities of each should be clearly defined and timetables agreed upon. Procedures for monitoring progress against schedules should be implemented with appropriate information flowing to senior management and directors on a regular basis.

9. Vendors and service providers should be contacted as to their status and plans for addressing the issue and contracts developed where appropriate. User groups can be helpful in making such contacts and getting information but are no substitute for an organisation following through with the information received. Applications must be able to work within the bank's own operating environment, and responsibility for seeing that appropriate testing is done cannot be delegated to vendors or user groups. Making certain that current versions of software and operating systems are in place is particularly important because compliant applications may not work properly in a dated environment.

10. Vendor management requires special attention and represents a continuous challenge throughout Year 2000 projects. Obtaining meaningful dates for product delivery, testing or other milestones is often particularly difficult as vendors are concerned about the legal liability that may be associated with representations that prove to be in error. Notwithstanding this difficulty, the development of effective communication channels with vendors is essential.

11. During the assessment phase, one or more applications might be made year 2000 compliant on an expedited basis. Such pilots will help staff develop a better understanding of the work that must be done and permit better plans and budgets to be developed. Also, automated tools that help identify where dates are present should be tested as to their effectiveness.

12. This phase also should include a review of legal obligations. In particular, contracts with vendors and service providers should be reviewed as to respective responsibilities of the bank and the third party vendor. Insurance policies should be reviewed to see how Year 2000 problems would be handled if problems were to be encountered under various scenarios.

13. The development of detailed plans for the entire project should be the principal end product of the assessment phase. These plans need to address not only the changes that need to be made but also lay out key milestones, test plans, and communication channels. The plans need to deal with internally developed applications whether centralised or decentralised, with service providers and vendors, and with correspondents and customers. Responsibilities and accountabilities need to be clearly defined for each step in the plans. The critical path within the overall plan needs to be determined, recognising that there will be many interdependencies that must be tested together.

Renovating systems, applications and equipment

14. Renovating systems, applications and equipment is the only phase of the process that is primarily technical. During this phase, the additional resources needed for the project should be acquired or contracted. Operating systems, applications, hardware and equipment needing fixing should be modified, replaced, outsourced or discontinued. Automated tools and outside consultants probably have a role to play in most organisations during this phase.

15. In depth communication with vendors and careful monitoring of their progress occurs during this phase. In particular, a clear understanding of what the vendor means by being Year 2000 compliant must be obtained. This includes detailed knowledge of any environmental assumptions and planned changes in communications protocols. Agreement must be reached regarding the level of assistance the vendor will offer if problems are encountered. While a warranty or certification may be sought or offered, the bank must recognise that such certification will almost certainly not cover interfaces with other applications and that the need for rigorous testing is not obviated by such a warranty or certification.

16. Identifying alternative approaches if renovations lag or fail is an important part of this step. Again, such contingency plans should deal not only with internal renovation work but also address the work of vendors and service providers as well as correspondents and customers with whom the institution interfaces. Contingency plans must include critical milestones for measuring progress or critical delivery dates where decisions must be made to pursue an alternative solution if the objective is not met. Contingency plans need to take into account the mission criticality of applications because, in all likelihood as the time certain deadline approaches, it will become impossible to fully implement all changes for all applications. Contingency plans need to recognise that, in some cases, correspondent relationships may need to be altered or customer relationships severed.

Validating the renovation through testing

17. Testing represents the largest single task in the Year 2000 project. Detailed test schedules must be developed and coordinated with correspondents and customers, particularly with an ever-decreasing number of weekend testing opportunities available. Full validation requires that Year 2000 data conditions be simulated for all elements of the test. Data flows internally and with third parties must be thoroughly tested while both the sender and receiver simulate Year 2000 conditions. Institutions need to participate in tests with service providers both on a bilateral test basis and in multi-user tests, which simulate full production volumes. Contingency plans need to be implemented as needed when renovations are completed by specified cut-off dates.

18. During this phase, support facilities to assure that new or modified applications run properly are also developed. In particular, procedure manuals are written or rewritten and disseminated, training programs provided, and help desks established or retrained.

Implementing tested, compliant systems

19. Implementation requires careful planning to make sure that interrelated applications are coordinated as to when they go into production. Coordination becomes particularly important when files at interfaces are changing in format. While recognising that coordination is necessary, putting compliant applications into production at the earliest possible date simplifies future testing.

20. The implementation phase also requires monitoring of progress by service providers and vendors. Service providers in particular are likely to have two or more versions of an application at any one time in order to meet the needs of institutions in various stages of implementation.

21. The implementation phase also includes reverting to contingency plans when necessary.