• Agency Chief Information Officer
• Agency Year 2000 Project Manager
• High level agency executive who understands agency mission and political influences
• Budget and business manager or staff
• Computer & networking support team representatives
• Embedded technology and facilities team representatives
• Representative personnel in the trenches, using the technology to provide services

• Internal Threat Assessment: What agency resources are likely to fail because of this threat?
• External Threat Assessment: How will this threat impact those I rely upon?
• Documentation and Planning: Blazing a paper trail leading to a good plan to continue business when systems fail.

• Recording the information you relied upon to decide which agency programs must continue operating after disaster strikes;
• Explaining why some programs can be set aside for a time; and
• Planning how you will communicate your plans for continued operations.

1. Who the key players are in the contingent operation.
2. What resources are necessary to continue business as usual.
3. What events or triggers will activate the continuation plan.
4. How long operations can continue under the alternative plan and what must occur to provide for orderly return to normal operations.
5. Where your continued business operations will be located.
6. Why you’ve made this decision and what will trigger its activation.
7. How you’ll communicate this change to your employees, your executives, and those you do business with.

Internal Threat Assessment

• Identify critical business programs relying on non-compliant technology.

Start with existing lists of Mission critical programs relying on technology.   Don’t overlook embedded chip technology in smart equipment. If not sure if technology is Year 2000 compliant, include here.

• Prioritize programs.

Prevent loss of life/personal injury – provide for public safety.
Preserve quality of life for state’s citizens.
Generate revenue for government operations.
Failing to perform function will lead to lawsuit, fines, and penalties.

Decide which category is most important to your agency and develop a system to weight the priority among competing programs. Don’t overlook the political aspects of any rankings you make.

• Prioritize remediation efforts.

Unlikely to be Year 2000 compliant before December 1999.

These systems must have a plan to continue business until it can be fixed.

Will be tested and back in production by September 1999.
Will be tested and back in production by January 1999.

These systems only need a plan if you doubt the validity of your projected completion dates or failure of the system will have such a huge impact on your agency or others that we cannot afford to do without it.

Already compliant or will be tested and back in production by July 1999.

These systems only need a plan if you believe others feeding into them may cause disruptions in the new millennium.

• Prioritize down time.

How long can you afford to work without the system?
What are the cascading effects of continued unavailability of the system?

• Set critical dates and define triggers.

When will system fail if not remediated?
How long will it take after failure to repair damage and bring back into production?
What foreseeable events will give you advance warning the system is failing to achieve Year 2000 goals?

• Select alternatives that will continue programs in Year 2000 without systems which are likely to fail. Begin with systems supporting the most critical programs. Some options to consider:
  • Can I hire someone else to do this for me? Can I hire a vendor who is willing to certify compliance to run payroll checks for a year?
  • Can I make do by using the existing software and manually correct errors it produces? Can I let people buy an extra year on their license now and manually correct the few that can’t be rolled over.
  • Can I avoid using the system for six months or more? Can I manually renew licenses or extend their life by administrative rule?
  • Can I create backup files or reports that will serve for several months? Do I really need management reports on efficiency of operation every Friday?
  • Can I do some work in advance? Can I run a backup on December 29 or complete work in December that is usually done in January? Can I postpone start-up of some routine projects until March?

• Compare the cost of alternative solutions against the cost of system failure. Recognize the resource needs and limitations your organization has for planning and developing a business continuation plan. That, too, is a factor in choosing the best alternative solution.

Sometimes the best, most economical solution is to do nothing. If that is your choice, clearly document WHY you chose to do nothing.

External Threat Assessment

• Review programs and systems prioritized in the internal threat assessment process. Identify resources you need to accomplish high priority programs and suppliers of those resources.

Don’t overlook key infrastructure resources such as personnel, power, water, and sewer. Review key systems you use that don’t rely upon your technology, but may rely upon someone else’s.

• Prioritize resource needs by necessity to achieve key functions. Consider how long you can work without key functions giving highest priority to those you can least afford to do without:

Can achieve goals without it for 48 hours.
Can achieve goals without it for 1 month.
Can achieve goals without it for 6 months.   

• Identify key suppliers of high priority resources identified above. Beginning with those most critical to continued operations, begin a dialog to determine their efforts to beat Year 2000 problem.
  • If supplier is another state agency or public utility, assume for now their Year 2000 impacts will be minimal. The statewide Year 2000 office is addressing this issue for all of us. But, consider how important that resource is to continuing your business. Example: DAS is working to make the state telephone system compliant for all of us. But, if the whole telecommunications network functions erratically in January 2000 how will you work around it?
  • For all others, focus on establishing a dialog and cooperation, not an adversarial relationship, to solve the Year 2000 threat together. Ask questions like these:
    1. Does the product or service you provide me have any hardware, software or embedded devices? If the answer is no, then there is no Year 2000 problem. If the answer is yes, keep asking questions.
    2. If the product or service itself may have a year 2000 problem,
       • Ask for descriptions of test methodologies and specific results of those tests.
       • Do you have a written plan for addressing the Year 2000 problem in your organization?
       • Who is involved in the process?
       • How can we work together to beat the Year 2000 problem?

• Describe alternatives to achieve goals without these resources. Determine how you can cope without them for varying lengths of time.
  • 48 hours – May already be contained in a disaster recovery or emergency response plan.
  •  1 month – Identify alternative suppliers or resources you’ll rely upon.
  •  6 months – Can you postpone remediation efforts on these functions and redirect resources to other, more vital functions?   

• Select best alternative to work around key external threats so your agency programs will continue. Some examples:
  • Key data interchange partner cannot be Year 2000 compliant in time. Can you build a software bridge to manage their data into the future? If so, how long will you support that bridge?
  • Key paper form you need to operate comes from a supplier whose factory won’t be ready. Can you stockpile that resource? If so, where will you store it, how will you finance purchase? How long after the Year 2000 strikes will the supplier be unable to fill orders?
  • Key resource you need, such as groceries, may not be consistently available in 2000 because of sporadic infrastructure failures. Can you strengthen your relationship with key suppliers to give you priority over other customers? Or, can you spread your orders among several suppliers who offer similar products?
  • Data interchange partner has not responded to requests to test upgraded systems. How will you monitor that interface to prevent corruption of your system when the critical date is reached?

Document the Process

• Document choices made at each step in the process to Year 2000 readiness. Include:

WHO made the choices and when.
 
WHAT made the choices necessary.
 
WHY the choices were right for your organization today.

Include names of others using similar methodologies and processes. Identify who’s recommending it and document their expertise. Have a knowledgeable, independent party verify your options and choices.

If resource availability is an issue, clearly describe your efforts to determine why resources were limited; alternatives you considered; and the impact of limited resources on your ultimate decision. Unbudgeted or no spending limitation, by itself, is not adequate documentation. You need to document resources limits now to convince a skeptical jury in years to come.

• Get it in writing! Use contracts, interagency agreements, meeting minutes, white papers, interim project reports, to memorialize actions and choices you make today.

• Report the facts of your plan and progress toward goals:

To your agency Year 2000 coordinator,
To your agency executives, and
To the Statewide Year 2000 office.
When appropriate, report to the Governor and other elected officials.

• Communicate openly and accurately to the public depending upon you, Other agencies, businesses, and suppliers you interact with.        

Maintain good documentation of press releases, articles, and other information
you release as evidence of your good stewardship.

Make a Plan

• Who the key players are in the contingent operation.
• What resources are necessary to continue business as usual.
• Where your continued business operations will be located.
• Why you’ve made this decision and what will trigger its activation.
• When the contingency plan will be activated and how long operations can continue under the alternative plan, and provide for orderly return to normal operations.
• How you’ll communicate this change to your employees, your executives and those you do business with.
• How you will practice the plan to find any gaps before you really need it.

• Team leader – responsible for overall coordination of the business continuation plan.
• Crisis Spokesperson – responsible for communicating official, accurate information and when appropriate, meeting with the media.
• Team Secretary – someone who answers inquiries during the crisis, records decisions made and actions taken, facilitates communication among various divisions, agencies, and guests.
• Security & Safety – someone who manages security needs and coordinates safety of all on the site.
• Human Resources – someone knowledgeable in human resource & labor relations for organization to address issues arising from employees.
• Legal counsel and/or risk management – someone to advise on legal ramifications of options facing team during the crisis.
• Financial counsel – how will we pay the bill?
• Back up team members – if the team leader or spokesperson is unavailable when trouble strikes who will step into their shoes?