This page has been archived.
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
The Treasury Board of Canada Secretariat (TBS) Year 2000 Project Office requires that Federal Departments and Agencies with Government-Wide Mission-Critical (GWMC) business functions identify, report and manage Year 2000 project risks.
In order to standardize the risk reporting requirements for content and format, a Year 2000 risk information sheet (RIS) is provided to document relevant information about a risk.
The purpose of this appendix is to define and describe the TBS Year 2000 RIS to be used by Federal Departments and Agencies in reporting information regarding the Year 2000 project risks associated with the Government-Wide Mission-Critical (GWMC) and Department-Wide Mission-Critical (DWMC) business functions.
This appendix includes a description of "How to use the Year 2000 RIS , a Year 2000 RIS template, a description of the Year 2000 RIS template data elements, and a sample Year 2000 RIS.
This document relates to the following documents as identified:
The Treasury Board of Canada Secretariat Business Continuity Guide [Reference 1] provides a detailed section devoted to conducting risk assessments on Year 2000 projects. Risk assessments include the "Identify" and "Analyze" processes of the SEI CRM methodology.
The information captured as a result of the risk assessment activity is to be documented and formatted as per the Year 2000 RIS. The Year 2000 RIS serves as the primary means for documenting and managing information about a risk, and is the main deliverable for the risk assessment activity as depicted in the diagram below.
Communicate = communiquer
Identify = identifier
Analyze = analyser
Plan = planifier
Track = suivre
Control = contrôler
Figure I-1: "Conduct Risk Assessment" Activity
The Year 2000 RIS is comprised of five sections:
The first four sections are mandatory risk reporting requirements by the TBS. Details of the template data elements are provided in this appendix. Section 5 of the RIS is an optional section that is provided as a guideline for the department/agency to use in developing and implementing risk management activities.
The following template constitutes the TBS Year 2000 RIS.
Department/Agency: | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
1. Risk Assessment Information | ||||||||||||
Rank: | Risk Id: | Identified on: | ||||||||||
Risk Statement: | ||||||||||||
Context/background: | ||||||||||||
Probability: | ||||||||||||
Project Impact: | ||||||||||||
Time frame: | ||||||||||||
Source: | ||||||||||||
Response: | Escalate: |
Other _______________ ¨
TBS ¨ DM ¨ ADM ¨ Steer.Com ¨ |
||||||||||
2. Risk Management Information | ||||||||||||
Assigned to: | Action Plan Due Date: | |||||||||||
Risk Management Strategy Overview: | ||||||||||||
Indicators/metrics for risk materialization: | Means collected: | |||||||||||
3. Business Information | ||||||||||||
Business Function(s): | Criticality |
Government-Wide ¨
Department-Wide ¨ |
||||||||||
Business Impact: | ||||||||||||
Contingency Plan: | ||||||||||||
Trigger: | ||||||||||||
4. Status Information | ||||||||||||
Status: | Status date: | |||||||||||
Approval: | Closing date: | |||||||||||
Closing rationale: | ||||||||||||
Department/Agency: | |||||||||
---|---|---|---|---|---|---|---|---|---|
Rank: | Risk Id: | Identified on: | |||||||
5. Risk Action Plan Information | |||||||||
Action Item | Responsibility | Date Due | Date Completed | ||||||
Notes: | |||||||||
|
This table describes the data elements in the TBS Year 2000 RIS.
Field Name | Description |
---|---|
Section 1. Risk Assessment Information | |
Department/Agency | The Federal Government department or agency that is reporting risks on their Year 2000 project. |
Rank | Rank or priority, in numeric format (1 through "N"), assigned to the risk. The rank should reflect the risk ranking within the department/agency at the time that the risk is reported |
Risk Id | Unique identifier for the risk, which is generally a combination of a category name for the risk and a sequential numbering scheme (e.g. Management –001). |
Identified on | Date when the risk was identified. |
Risk Statement | Statement of the risk which is comprised of a description of the condition or circumstance causing concern or uncertainty for a potential loss or negative outcome with respect to the compliance and business continuity objectives. [details for developing a risk statement can be found in the Reference 2 - part2, chapter 4, section 2, p.31] |
Context/background | Associated information that clarifies the risk. Context is usually gathered at the time of identification. |
Probability |
Likelihood of occurrence of the risk – exact value depends on the type of analysis. A suggested approach is to utilize a qualitative description as follows:
|
Project Impact |
The loss or negative outcome on the project if the risk materializes. One of the following values is required:
|
Timeframe |
Timeframe in which the risk will occur or action is needed. One of the following values is required:
Departments can use a timeframe that is more relevant to their environment. |
Source |
The source of the risk (reason why there is a risk). One of the following values is required:
|
Response |
The department's/agency's response to the risk. One of the following values is required:
|
Escalate |
A flag which indicates that the risk is being escalated to another organization/management level such as:
|
Section 2. Risk Management Information | |
Assigned to | The person within the department/agency who is responsible for managing the risk. |
Action Plan Due Date | The completion date for the activities as identified in the action plan to manage the risk. |
Risk Management Strategy Overview | The selected strategy for managing the risk. This strategy is a high-level description that provides a general direction and takes into account the source and the response to the risk. Generally only risks with an "avoid" or "control" response have action plans associated with them. An "assume" response does not require risk management since the department/agency has decided to live with the consequences of the risk materializing. A transfer/escalate will require a response from the receiving party. |
Indicators/metrics for risk materialization | An indicator/metric or sign that will clearly let the Year 2000 project stakeholders know that the risk is materializing and becoming an issue or problem. The indicator should be part of progress information that is collected during the "Track" step. |
Means collected | The means or manner for collecting the indicators/metrics identified in the risk materialization field. |
Section 3. Business Information | |
Business Function(s) | The business function(s) as identified on the TBS Government-Wide Mission-Critical function list or as identified by the department/agency's Department-Wide Mission-Critical function list. Risks may apply to more than one business function. |
Criticality | The mission criticality of the business function associated with the risk in question. The mission criticality is as defined by the TBS mission criticality criteria. Only one of 2 choices is available: Government-wide or Department-wide Mission-critical. |
Business Impact | The impact of the risk on the continuity of the business function as opposed to the "Project Impact" defined in section 1 of the Year 2000 RIS. |
Contingency Plan | This is a reference to a contingency plan. The contingency plan should contain procedures that will restore the mission- critical business function or an asset within a business function in the event that a Year 2000 problem materializes. |
Trigger | The trigger for implementing a contingency plan/procedure. The trigger will generally be the "fact" or "threshold" that indicates that the risk has materialized and/or has become a problem/issue. |
Section 4. Status Information | |
Status |
Status of the risk. The following value is required:
|
Status date | The date the last status was provided or determined. |
Approval | This is a signature for approval for mitigation strategies or closure by the "Assigned To" person from section 2 of the Year 2000 RIS. |
Closing date | Date when the risk was closed |
Closing rationale | Rationale for closure of the risk |
Section 5. Risk Action Plan Information | |
Action Item | This is a series of action or steps that must be executed in order to mitigate the risk. The action items must support the risk mitigation strategy. |
Responsibility | The person assigned to conduct an action item. The same person may conduct all action items on the list. This person may be the same as the "Assigned To" person from section 2 of the Year 2000 RIS or this person may be someone who has been assigned to work on the actions but still must report to the "Assigned To" person. |
Date Due | The date the action item is due. |
Date Completed | The date the action item was completed. |
Notes |
An optional field for general notes.
This section could identify resources required in order to implement the risk action plan actions. |
2.4.1 Example A – Organizational/project risk
The following Year 2000 RIS is to be used as an EXAMPLE ONLY. This risk is based on an imaginary scenario where a department X has identified a risk regarding a lack of funding for the Year 2000 project.
Department/Agency: | Department X | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
1. Risk Assessment Information | ||||||||||||
Rank: | 2 | Risk Id: | Lack of Funding | Identified on: | 5-Jan-1998 | |||||||
Risk Statement: | ||||||||||||
There is a risk that the funding for Year 2000 activities beyond March 1998 will not be approved in time to allow the timely progression of Year 2000 related activities.
The impact of this risk is that the remaining Year 2000 activities will not be conducted, thus affecting the Year 2000 project schedule. |
||||||||||||
Context/background: | ||||||||||||
The Treasury Board submission for funding is currently being prepared and is planned to be delivered on March 10, 1998.
No Year 2000 susceptible assets have been completely converted as of 5-Jan-1998. |
||||||||||||
Probability: | High | |||||||||||
Project Impact: | High | |||||||||||
Time frame: | Near | |||||||||||
Source: | Lack of control | |||||||||||
Response: | Avoid | Escalate: |
Other _______________¨
TBS ¨ DM ¨ ADM ¨ Steer.Com n |
|||||||||
2. Risk Management Information | ||||||||||||
Assigned to: | Action Plan Due Date: | |||||||||||
Mr. Y | 20-Mar-1998 | |||||||||||
Risk Management Strategy Overview: | ||||||||||||
The risk management strategy is aimed at obtaining control over funding. | ||||||||||||
Indicators/metrics for risk materialization: | Means collected: | |||||||||||
1. Schedule slippage
2. An inability to hire subcontractors |
1. Master schedule/progress reports
2. Non-approval for procurement requests for hiring subcontractors |
|||||||||||
3. Business Information | ||||||||||||
Business Function(s): | All functions that have dependencies on Year 2000 susceptible assets | Criticality |
Government-Wide n
Department-Wide n |
|||||||||
Business Impact: |
Year 2000 failures in the Year 2000 susceptible assets will halt operations in the following government-wide and department-wide mission-critical functions:
1. Provide service X (GWMC) 2. Pay employees (DWMC) |
|||||||||||
Contingency Plan: |
Department X contingency plan:
1. Restore "Provide service X" function - Contingency procedure 2.3.1-003 2. Restore "Pay employees" function - Contingency procedure 4.3.1-001 |
|||||||||||
Trigger: |
1. If Year 2000 susceptible assets for the "Provide service X" function are not certified Year 2000 compliant by January 1, 1999, then the contingency will be implemented.
2. If Year 2000 conversion for Year 2000 susceptible assets for the "Pay employees" function is not certified Year 2000 compliant by December 15, 1999, then the contingency will be implemented. |
|||||||||||
4. Status Information | ||||||||||||
Status: | Status date: | |||||||||||
Open | 21-Jan-1998 | |||||||||||
Approval: | Closing date: | |||||||||||
Signature of "Mr. Y" | ||||||||||||
Closing rationale: | ||||||||||||
Department/Agency: | Department X | ||||||||
---|---|---|---|---|---|---|---|---|---|
Rank: | 2 | Risk Id: | Lack of Funding | Identified on: | 5-Jan-1998 | ||||
5. RISK ACTION PLAN INFORMATION | |||||||||
Action Item | Responsibility | Date Due | Date Completed | ||||||
1. Complete the Treasury Board submission for extra funding | Mr. Y | 5-Feb-1998 | |||||||
2. Have the Treasury Board submission signed by the senior executives and delivered to Treasury Board | Mr. Y | 20-Feb-1998 | |||||||
3. Obtain Treasury Board approval | Mr. Y | 20-Mar-1998 | |||||||
Notes: | |||||||||
It was decided to dedicate Mr. A and Mr. B in order to deliver the Treasury Board submission by 20-Feb-1998 instead of the planned 10-Mar-1998. |
2.4.2 Example B – Technical risk
The following Year 2000 RIS is to be used as an example only. This risk is based on an imaginary scenario where a department X has identified a risk regarding an inability to obtain a Year 2000 compliant version of "Equipment A".
Department/Agency: | Department X | |||||
---|---|---|---|---|---|---|
1. Risk Assessment Information | ||||||
Rank: | 3 | Risk Id: | Non-Year 2000 compliant Equipment A | Identified on: | 12-Apr-1998 | |
Risk Statement: | ||||||
There is a risk that the "Equipment A" as provided by vendor A will be discontinued since the vendor cannot provide details nor plans for Year 2000 compliance. The impact of this risk is that the existing "Equipment A" will not be certified as Year 2000 compliant. |
||||||
Context/background: | ||||||
"Equipment A" was discovered to be Year 2000 susceptible during the assessment phase of the Year 2000 project. The vendor A has not responded to our letter requesting a statement of Year 2000 compliance for a future version of "Equipment A". |
Department/Agency | Department X | |||||
---|---|---|---|---|---|---|
Probability: |
High | |||||
Project Impact: | High | |||||
Time frame: | Mid | |||||
Source: | Lack of information | |||||
Response: | Avoid | Escalate: |
Other _______________¨
TBS ¨ DM ¨ ADM ¨ Steer.Com ¨ |
|||
2. Risk Management Information | ||||||
Assigned to: | Action Plan Due Date: | |||||
Mr. Z | ||||||
Risk Management Strategy Overview: | ||||||
The risk management strategy is aimed at obtaining better information regarding the ability of vendor A to provide a Year 2000 compliant version of "Equipment A". | ||||||
Indicators/metrics for risk materialization: | Means collected: | |||||
1. Schedule slippage for the Year 2000 conversion of "Equipment A". | 1. Master schedule/progress reports | |||||
3. Business Information | ||||||
Business Function(s): | "Provide service C" | Criticality |
Government-Wide ¨
Department-Wide n |
|||
Business Impact: | A Year 2000 failure for "Equipment A" will degrade the "Provide service C" function to 25% capacity. | |||||
Contingency Plan: |
Department X contingency plan:
1. Restore "Provide service C" function - Contingency procedure 10.2.5-002 |
|||||
Trigger: | 1. A Year 2000 compliant version of "Equipment A" is not obtained by | |||||
4. Status Information | ||||||
Status: | Status date: | |||||
Open | 12-Apr-1998 | |||||
Approval: | Closing date: | |||||
Signature of "Mr. Z" | ||||||
Closing rationale: | ||||||
Part 2 – Risk Management Details |
|||||||||
---|---|---|---|---|---|---|---|---|---|
Department/Agency: | Department X | ||||||||
Rank: | 3 | Risk Id: | Non-Year 2000 compliant Equipment A | Identified on: | 12-Apr-1998 | ||||
5. Risk Action Plan Information | |||||||||
Action Item | Responsibility | Date Due | Date Completed | ||||||
1. Attempt a second contact with vendor A | Mr. Z | 10-May-1998 | |||||||
2. Conduct an options analysis for a replacement equipment or substitute for "Equipment A" | Mr. Z | 1-Jun-1998 | |||||||
3. Select replacement equipment or substitute for "Equipment A" | Mr. Z | 1-Jul-1998 | |||||||
4. Integrate the replacement equipment or substitute for "Equipment A" | Mr. Z | 2-Oct-1998 | |||||||
5. Test the replacement equipment or substitute for "Equipment A" for the Year 2000 problem | Mr. Z | 10-Jan-1999 | |||||||
6. Certify/validate the replacement equipment or substitute for "Equipment A" as being Year 2000 compliant | Mr. Z | 3-Feb-1999 | |||||||
Notes: | |||||||||
None |
Department/Agency: | Department X | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
1. Risk Assessment Information | ||||||||||||
Rank: | 4 | Risk Id: | Inability to pay benefits | Identified on: | 8-Oct-1998 | |||||||
Risk Statement: | ||||||||||||
There is a risk that benefits will not be paid to eligible beneficiaries beyond January 2000.
The impact of this risk is that the economic well being of thousands of Canadians may be impacted. |
||||||||||||
Context/background: | ||||||||||||
Department X is paying benefits to over 1Million Canadians in support of Program "Y". These benefits represent the main source of income to many of these beneficiaries and are essential to these individuals.
Department X depends on several business partners to pay these benefits and has currently no control over their progress in addressing the Year 2000 problem. |
||||||||||||
Probability: | Medium | |||||||||||
Project Impact: | High | |||||||||||
Time frame: | Near | |||||||||||
Source: | Lack of control | |||||||||||
Response: | Avoid | Escalate: |
Other _______________¨
TBS ¨ DM n ADM ¨ Steer.Com ¨ |
|||||||||
2. Risk Management Information | ||||||||||||
Assigned to: | Action Plan Due Date: | |||||||||||
Mr. Y | 15-Nov-1998 | |||||||||||
Risk Management Strategy Overview: | ||||||||||||
The risk management strategy is aimed at obtaining control over some key business partners by formalizing their engagement to pay benefits through special legal agreements. | ||||||||||||
Indicators/metrics for risk materialization: | Means collected: | |||||||||||
1. Variances in partner's plans
2. Missed payments complaints from beneficiaries |
1. progress reports
2. complaint department |
|||||||||||
3. Business Information | ||||||||||||
Business Function(s): | Pay benefits | Criticality |
Government-Wide n
Department-Wide ¨ |
|||||||||
Business Impact: | Inability to pay benefits | |||||||||||
Contingency Plan: | Manually produce cheques for beneficiaries and have them delivered through special courier service. | |||||||||||
Trigger: | 1. Clear indication that some partners will not be ready. 2. Complaints from beneficiaries |
|||||||||||
4. Status Information | ||||||||||||
Status: | Status date: | |||||||||||
Open | 14-Oct-1998 | |||||||||||
Approval: | Closing date: | |||||||||||
Signature of "Mr. Y" | ||||||||||||
Closing rationale: | ||||||||||||