Attachment 2 to UIPL No. 46-98
Business Continuity Planning Matrix
| Business Function | Risk/Threat | Time Horizon to Failure | Business Priority: Risk Assessment | Business Priority: Impact | Business Priority: Score | Risk Mitigation Strategy: Strategy | Risk Mitigation Strategy: Milestone Date | Risk Mitigation Strategy: Action Org. | Trigger Events/Dates and Alternative Solutions |
|---|---|---|---|---|---|---|---|---|---|
| 1. Initial Claims | 1. Local Offices use PCs to input claims. PCs are old; not tested for Y2K compliance. | Jan. 1, 2000 | (high due to age of computers) | 8 | 5.6 | Test all PCs; install BIOS fix if not compliant. Develop contingency solution and plan. | start: 9/1/98; end: 10/30/98 | (List unit or organization responsible for mitigation efforts) | If PC fix not completed by 11/30/98, then implement contingency solution plan. |
| 2. Making mon/non-mon determinations | 1. Requires access to central Benefits system, not Y2K compliant. Remediation efforts underway on system are behind schedule. | Jan. 1, 1999 | (labeled "at risk" by National Office) | | | Closely monitor progress. If remediation schedule slips, have contractor add 3 more programmers. Develop full contingency solution and plan. | 10/15/98 | (List unit or organization responsible for mitigation efforts) | If Benefits system not compliant by Dec. 1, 1998, then implement contingency solution plan. |
| (#2 Continued) | 2. Requires access to Wage Records. Database indexes have embedded dates and are not Y2K compliant. Remediation efforts are underway. | Jan. 1, 1999 | (work is almost completed) | | | Closely monitor progress. Develop preliminary contingency solution. | 9/1/98 to finish testing | (List unit or organization responsible for mitigation efforts) | If system not compliant by Dec. 1, 1998, then develop full contingency solution and implement. |
| 3. (Continue with other business functions) | | | | | | | | | |
NOTES: All mission critical functions should be listed in the 1st column. Risks or threats that might negatively impact the organization's ability to perform the listed function need to be included in the next column. There may be multiple risks associated with a function; if so, each needs to be listed in a separate row.

The business priority score is used to determine the most critical areas to which resources should be applied to prepare for a potential failure. It is represented as a numerical score; the higher the number, the higher the priority. The business priority score is derived by multiplying two factors: (1) the risk assessment and (2) the impact of a failure on the SESAs' ability to continue to do business. Risk assessment is the probability that the risk or threat will occur, and is expressed numerically, on a scale of 0 (low or no probability) to 1.0 (highest probability). Impact is also expressed numerically, on a scale from 1 to 10. It reflects the estimated degree of damage to the SESAs' ability to deliver service to their customers if the risk or threat occurs. The higher the value, the more adverse the potential impact on service delivery.

The business priority may change as the year 2000 nears. Thus, the Contingency Plan is a dynamic document, and must be reviewed and updated, as needed, to reflect new or changed information. Business priority scores will vary among the SESAs as individual situations vary greatly with respect to risks, threats and year 2000 remediation compliance efforts.

Every risk/threat should have an associated mitigation strategy. The purpose of the strategy is to define a set of activities or actions that the organization can take to reduce the likelihood of the occurrence of the risk/threat. The point in time at which the actions are invoked is then included in the Milestone Date column.

The last column is used to list trigger events or dates that will invoke actions relating to the implementation of alternative contingency solutions. These solutions are invoked when the mitigation strategies fail and it is likely that a risk or threat will be realized, or when a Y2K-related failure actually occurs.