Treasury Board of Canada Secretariat

ARCHIVED - A Guide to Effective Business Continuity in Support of the Year 2000 Challenge



Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Appendix I  -  Risk Information Sheet

1. Introduction

1.1 Background

The Treasury Board of Canada Secretariat (TBS) Year 2000 Project Office requires that Federal Departments and Agencies with Government-Wide Mission-Critical (GWMC) business functions identify, report and manage Year 2000 project risks.

In order to standardize the risk reporting requirements for content and format, a Year 2000 risk information sheet (RIS) is provided to document relevant information about a risk.

1.2 Purpose

The purpose of this appendix is to define and describe the TBS Year 2000 RIS to be used by Federal Departments and Agencies in reporting information regarding the Year 2000 project risks associated with the Government-Wide Mission-Critical (GWMC) and Department-Wide Mission-Critical (DWMC) business functions.

1.3 Scope

This appendix includes a description of "How to use the Year 2000 RIS", a Year 2000 RIS template, a description of the Year 2000 RIS template data elements, and sample Year 2000 RISs.

1.4 Relationship to Other Documents

This document relates to the following documents as identified:

  1. Treasury Board of Canada Secretariat, Steering government into the next millennium: A Guide to Effective Business Continuity in Support of the Year 2000 problem, October 1998.
  2. Software Engineering Institute, Continuous Risk Management Guide, Carnegie Mellon University, Pittsburgh, Pennsylvania, 1996.
    The Year 2000 RIS follows the principles of the Risk Information Sheet for the Software Engineering Institute's (SEI) Continuous Risk Management (CRM) Guide, Appendix A-27.
  3. Treasury Board of Canada Secretariat, Year 2000 Taxonomy, October 1998.
    The Year 2000 RIS is the means for documenting information about risks that are identified as a result of conducting a risk assessment using the Year 2000 Taxonomy.

2. Year 2000 Risk Information Sheet

2.1 How to Use the Year 2000 Risk Information Sheet

The Treasury Board of Canada Secretariat Business Continuity Guide [Reference 1] provides a detailed section devoted to conducting risk assessments on Year 2000 projects. Risk assessments include the "Identify" and "Analyze" processes of the SEI CRM methodology.

The information captured as a result of the risk assessment activity is to be documented and formatted as per the Year 2000 RIS. The Year 2000 RIS serves as the primary means for documenting and managing information about a risk, and is the main deliverable for the risk assessment activity as depicted in the diagram below.

[Figure I-1: "Conduct Risk Assessment" Activity. Diagram labels: Communicate, Identify, Analyze, Plan, Track, Control.]

The Year 2000 RIS is comprised of five sections:

  1. Risk assessment information;
  2. Risk management information;
  3. Business information;
  4. Status information; and
  5. Risk action plan information.

The first four sections are mandatory risk reporting requirements of the TBS. Details of the template data elements are provided in this appendix. Section 5 of the RIS is optional and is provided as a guideline for the department/agency to use in developing and implementing risk management activities.

2.2 Year 2000 RIS Template

The following template constitutes the TBS Year 2000 RIS.

Risk Information Sheet (Part 1 - TBS Required)
Department/Agency:

1. Risk Assessment Information
Rank:
Risk Id:
Identified on:
Risk Statement:
Context/background:
Probability:
Project Impact:
Time frame:
Source:
Response:
Escalate: [ ] Other _______________  [ ] TBS  [ ] DM  [ ] ADM  [ ] Steer.Com

2. Risk Management Information
Assigned to:
Action Plan Due Date:
Risk Management Strategy Overview:
Indicators/metrics for risk materialization:
Means collected:

3. Business Information
Business Function(s):
Criticality: [ ] Government-Wide  [ ] Department-Wide
Business Impact:
Contingency Plan:
Trigger:

4. Status Information
Status:
Status date:
Approval:
Closing date:
Closing rationale:

Risk Information Sheet (Part 2 – Risk Management Details)
Department/Agency:
Rank:
Risk Id:
Identified on:

5. Risk Action Plan Information
Action Item | Responsibility | Date Due | Date Completed
Notes:

2.3 Year 2000 RIS Template Data Element Definition

This table describes the data elements in the TBS Year 2000 RIS.

Table I-1: RIS Data Elements
Field Name: Description

Section 1. Risk Assessment Information
Department/Agency: The Federal Government department or agency that is reporting risks on their Year 2000 project.
Rank: Rank or priority, in numeric format (1 through "N"), assigned to the risk. The rank should reflect the risk ranking within the department/agency at the time that the risk is reported.
Risk Id: Unique identifier for the risk, which is generally a combination of a category name for the risk and a sequential numbering scheme (e.g. Management-001).
Identified on: Date when the risk was identified.
Risk Statement: Statement of the risk, comprising a description of the condition or circumstance causing concern or uncertainty for a potential loss or negative outcome with respect to the compliance and business continuity objectives. [Details for developing a risk statement can be found in Reference 2, Part 2, chapter 4, section 2, p. 31.]
Context/background: Associated information that clarifies the risk. Context is usually gathered at the time of identification.
Probability: Likelihood of occurrence of the risk. The exact value depends on the type of analysis. A suggested approach is to use a qualitative description as follows:
  • Low (the risk is unlikely to materialize, but could occur),
  • Medium (the risk will likely materialize),
  • High (the risk is almost certain to materialize).
Project Impact: The loss or negative outcome on the project if the risk materializes. One of the following values is required:
  • Low (the impact will be minimal or negligible),
  • Medium (the impact will be moderate),
  • High (the impact will be critical or catastrophic).
Timeframe: Timeframe in which the risk will occur or action is needed. One of the following values is required:
  • Near (30 days),
  • Mid (60 days),
  • Far (the time event horizon for asset failure due to the Year 2000 problem/contingency trigger).
  Departments can use a timeframe that is more relevant to their environment.
Source: The source of the risk (reason why there is a risk). One of the following values is required:
  • Lack of information,
  • Lack of control (over budget, human resources, approvals/decisions, etc.),
  • Lack of time.
Response: The department's/agency's response to the risk. One of the following values is required:
  • Assume (do nothing),
  • Avoid (take actions prior to risk occurring),
  • Control (take actions after risk occurs),
  • Transfer/Escalate (transfer the responsibility of mitigating the risk to another party within the department/agency).
Escalate: A flag which indicates that the risk is being escalated to another organization/management level such as:
  • Other - Other organizations such as National Planning Group, Emergency Preparedness Canada, etc.
  • TBS - Treasury Board of Canada Secretariat
  • DM - Deputy Minister
  • ADM - Associate Deputy Minister
  • Steer. Com. - Year 2000 Steering Committee

Section 2. Risk Management Information
Assigned to: The person within the department/agency who is responsible for managing the risk.
Action Plan Due Date: The completion date for the activities as identified in the action plan to manage the risk.
Risk Management Strategy Overview: The selected strategy for managing the risk. This strategy is a high-level description that provides a general direction and takes into account the source and the response to the risk. Generally only risks with an "avoid" or "control" response have action plans associated with them. An "assume" response does not require risk management since the department/agency has decided to live with the consequences of the risk materializing. A "transfer/escalate" response will require a response from the receiving party.
Indicators/metrics for risk materialization: An indicator/metric or sign that will clearly let the Year 2000 project stakeholders know that the risk is materializing and becoming an issue or problem. The indicator should be part of progress information that is collected during the "Track" step.
Means collected: The means or manner for collecting the indicators/metrics identified in the risk materialization field.

Section 3. Business Information
Business Function(s): The business function(s) as identified on the TBS Government-Wide Mission-Critical function list or as identified by the department/agency's Department-Wide Mission-Critical function list. Risks may apply to more than one business function.
Criticality: The mission criticality of the business function associated with the risk in question. The mission criticality is as defined by the TBS mission criticality criteria. Only one of 2 choices is available: Government-wide or Department-wide Mission-critical.
Business Impact: The impact of the risk on the continuity of the business function, as opposed to the "Project Impact" defined in section 1 of the Year 2000 RIS.
Contingency Plan: This is a reference to a contingency plan. The contingency plan should contain procedures that will restore the mission-critical business function or an asset within a business function in the event that a Year 2000 problem materializes.
Trigger: The trigger for implementing a contingency plan/procedure. The trigger will generally be the "fact" or "threshold" that indicates that the risk has materialized and/or has become a problem/issue.

Section 4. Status Information
Status: Status of the risk. One of the following values is required:
  • Open (risk is still valid),
  • Closed (risk is no longer valid).
Status date: The date the last status was provided or determined.
Approval: This is a signature for approval of mitigation strategies or closure by the "Assigned To" person from section 2 of the Year 2000 RIS.
Closing date: Date when the risk was closed.
Closing rationale: Rationale for closure of the risk.

Section 5. Risk Action Plan Information
Action Item: This is a series of actions or steps that must be executed in order to mitigate the risk. The action items must support the risk mitigation strategy.
Responsibility: The person assigned to conduct an action item. The same person may conduct all action items on the list. This person may be the same as the "Assigned To" person from section 2 of the Year 2000 RIS, or may be someone who has been assigned to work on the actions but still must report to the "Assigned To" person.
Date Due: The date the action item is due.
Date Completed: The date the action item was completed.
Notes: An optional field for general notes. This section could identify resources required in order to implement the risk action plan actions.

2.4 Examples of a Year 2000 Risk Information Sheet

2.4.1 Example A – Organizational/project risk
The following Year 2000 RIS is to be used as an EXAMPLE ONLY. This risk is based on an imaginary scenario in which Department X has identified a risk regarding a lack of funding for the Year 2000 project.

Risk Information Sheet (Part 1 – TBS Required)
Department/Agency: Department X
1. Risk Assessment Information
Rank: 2
Risk Id: Lack of Funding
Identified on: 5-Jan-1998
Risk Statement:
There is a risk that the funding for Year 2000 activities beyond March 1998 will not be approved in time to allow the timely progression of Year 2000 related activities.

The impact of this risk is that the remaining Year 2000 activities will not be conducted, thus affecting the Year 2000 project schedule.

Context/background:
The Treasury Board submission for funding is currently being prepared and is planned to be delivered on March 10, 1998.

No Year 2000 susceptible assets have been completely converted as of 5-Jan-1998.

Probability: High
Project Impact: High
Time frame: Near
Source: Lack of control
Response: Avoid
Escalate: [ ] Other _______________  [ ] TBS  [ ] DM  [ ] ADM  [x] Steer.Com

2. Risk Management Information
Assigned to: Mr. Y
Action Plan Due Date: 20-Mar-1998
Risk Management Strategy Overview:
The risk management strategy is aimed at obtaining control over funding.
Indicators/metrics for risk materialization:
1. Schedule slippage
2. An inability to hire subcontractors
Means collected:
1. Master schedule/progress reports
2. Non-approval for procurement requests for hiring subcontractors

3. Business Information
Business Function(s): All functions that have dependencies on Year 2000 susceptible assets
Criticality: [x] Government-Wide  [x] Department-Wide

Business Impact: Year 2000 failures in the Year 2000 susceptible assets will halt operations in the following government-wide and department-wide mission-critical functions:

1. Provide service X (GWMC)

2. Pay employees (DWMC)

Contingency Plan: Department X contingency plan:

1. Restore "Provide service X" function - Contingency procedure 2.3.1-003

2. Restore "Pay employees" function - Contingency procedure 4.3.1-001

Trigger: 1. If Year 2000 susceptible assets for the "Provide service X" function are not certified Year 2000 compliant by January 1, 1999, then the contingency will be implemented.

2. If Year 2000 conversion for Year 2000 susceptible assets for the "Pay employees" function is not certified Year 2000 compliant by December 15, 1999, then the contingency will be implemented.

4. Status Information
Status: Open
Status date: 21-Jan-1998
Approval: Signature of "Mr. Y"
Closing date:
Closing rationale:
 

 

Risk Information Sheet
(Part 2 – Risk Management Details)
Department/Agency: Department X
Rank: 2 Risk Id: Lack of Funding Identified on: 5-Jan-1998
5. RISK ACTION PLAN INFORMATION
Action Item | Responsibility | Date Due | Date Completed
1. Complete the Treasury Board submission for extra funding | Mr. Y | 5-Feb-1998 |
2. Have the Treasury Board submission signed by the senior executives and delivered to Treasury Board | Mr. Y | 20-Feb-1998 |
3. Obtain Treasury Board approval | Mr. Y | 20-Mar-1998 |
Notes:
It was decided to dedicate Mr. A and Mr. B in order to deliver the Treasury Board submission by 20-Feb-1998 instead of the planned 10-Mar-1998.

2.4.2 Example B – Technical risk
The following Year 2000 RIS is to be used as an example only. This risk is based on an imaginary scenario in which Department X has identified a risk regarding an inability to obtain a Year 2000 compliant version of "Equipment A".

Risk Information Sheet (Part 1 – TBS Required)
Department/Agency: Department X
1. Risk Assessment Information
Rank: 3
Risk Id: Non-Year 2000 compliant Equipment A
Identified on: 12-Apr-1998
Risk Statement:

There is a risk that the "Equipment A" as provided by vendor A will be discontinued since the vendor cannot provide details nor plans for Year 2000 compliance.

The impact of this risk is that the existing "Equipment A" will not be certified as Year 2000 compliant.

Context/background:
"Equipment A" was discovered to be Year 2000 susceptible during the assessment phase of the Year 2000 project. The vendor A has not responded to our letter requesting a statement of Year 2000 compliance for a future version of "Equipment A".

 

Probability: High
Project Impact: High
Time frame: Mid
Source: Lack of information
Response: Avoid
Escalate: [ ] Other _______________  [ ] TBS  [ ] DM  [ ] ADM  [ ] Steer.Com

2. Risk Management Information
Assigned to: Mr. Z
Action Plan Due Date:
Risk Management Strategy Overview:
The risk management strategy is aimed at obtaining better information regarding the ability of vendor A to provide a Year 2000 compliant version of "Equipment A".
Indicators/metrics for risk materialization:
1. Schedule slippage for the Year 2000 conversion of "Equipment A".
Means collected:
1. Master schedule/progress reports
3. Business Information
Business Function(s): "Provide service C"
Criticality: [ ] Government-Wide  [x] Department-Wide

Business Impact: A Year 2000 failure for "Equipment A" will degrade the "Provide service C" function to 25% capacity.
Contingency Plan: Department X contingency plan:

1. Restore "Provide service C" function - Contingency procedure 10.2.5-002

Trigger: 1. A Year 2000 compliant version of "Equipment A" is not obtained by
4. Status Information
Status: Open
Status date: 12-Apr-1998
Approval: Signature of "Mr. Z"
Closing date:
Closing rationale:
 

 

Risk Information Sheet
(Part 2 – Risk Management Details)

Department/Agency: Department X
Rank: 3 Risk Id: Non-Year 2000 compliant Equipment A Identified on: 12-Apr-1998
5. Risk Action Plan Information
Action Item | Responsibility | Date Due | Date Completed
1. Attempt a second contact with vendor A | Mr. Z | 10-May-1998 |
2. Conduct an options analysis for a replacement equipment or substitute for "Equipment A" | Mr. Z | 1-Jun-1998 |
3. Select replacement equipment or substitute for "Equipment A" | Mr. Z | 1-Jul-1998 |
4. Integrate the replacement equipment or substitute for "Equipment A" | Mr. Z | 2-Oct-1998 |
5. Test the replacement equipment or substitute for "Equipment A" for the Year 2000 problem | Mr. Z | 10-Jan-1999 |
6. Certify/validate the replacement equipment or substitute for "Equipment A" as being Year 2000 compliant | Mr. Z | 3-Feb-1999 |
Notes:
None

 

Risk Information Sheet
(Part 1 – TBS Required)
Department/Agency: Department X
1. Risk Assessment Information
Rank: 4
Risk Id: Inability to pay benefits
Identified on: 8-Oct-1998
Risk Statement:
There is a risk that benefits will not be paid to eligible beneficiaries beyond January 2000.

The impact of this risk is that the economic well being of thousands of Canadians may be impacted.

Context/background:
Department X is paying benefits to over 1 million Canadians in support of Program "Y". These benefits represent the main source of income to many of these beneficiaries and are essential to these individuals.

Department X depends on several business partners to pay these benefits and has currently no control over their progress in addressing the Year 2000 problem.

Probability: Medium
Project Impact: High
Time frame: Near
Source: Lack of control
Response: Avoid
Escalate: [ ] Other _______________  [ ] TBS  [x] DM  [ ] ADM  [ ] Steer.Com

2. Risk Management Information
Assigned to: Mr. Y
Action Plan Due Date: 15-Nov-1998
Risk Management Strategy Overview:
The risk management strategy is aimed at obtaining control over some key business partners by formalizing their engagement to pay benefits through special legal agreements.
Indicators/metrics for risk materialization:
1. Variances in partners' plans
2. Missed payments complaints from beneficiaries
Means collected:
1. Progress reports
2. Complaint department

3. Business Information
Business Function(s): Pay benefits
Criticality: [x] Government-Wide  [ ] Department-Wide

Business Impact: Inability to pay benefits
Contingency Plan: Manually produce cheques for beneficiaries and have them delivered through special courier service.
Trigger: 1. Clear indication that some partners will not be ready.
2. Complaints from beneficiaries
4. Status Information
Status: Open
Status date: 14-Oct-1998
Approval: Signature of "Mr. Y"
Closing date:
Closing rationale: