System Risks

Malfunction or stoppage of systems developed in-house (including systems developed by systems development subsidiaries).

Are all systems covered?

Have tests been conducted to validate the compliance?

Have tests been done for the century date change period and leap day?

Have tests been done for mission-critical or special business dates (dates specified by the Federation of Bankers Associations of Japan, FFIEC(Federal Financial Institutions Examination Council) of the United States, etc.)?

It is preferable to validate the compliance using equipment normally in use.

Have preparations been made for high-risk dates?

Has procedure been established for monitoring malfunction and data error?

Have contingency plans been developed for each core business?

Have existing manuals for system shutdown been developed?

Have rehearsals of contingency plan been conducted?

Have trigger events for execution been included in contingency plan?

Have manuals been developed for each section?

Have arrangements been made for reserved resources (particularly personnel with necessary skills)?

Has procedure been established against malfunctions?

Malfunction or stoppage of systems supplied by external vendors (including OS and other basic software).

1.

2.

If in-house testing is not feasible:

Malfunction or stoppage of systems under user section.

Are systems under user section subject to compliance?

Are End User Computing systems subject to compliance?

Have appropriate instructions been given for operational confirmation?

Have systems under user section been subjected to the same level of operational confirmation with internal systems?

Is progress in compliance being monitored?

Malfunction caused by external error data.

Is the financial institution participating in external tests within industry?

Have external tests been done for specific data-exchange parties?

Have results of external tests with data-exchange parties been monitored?

If external tests with data-exchange parties have not been done, has the financial institution confirmed the reasons and monitored their Y2K compliance?

Has procedure been established for monitoring malfunction and data error? Have arrangements been made with untested data-exchange parties concerning procedure for checking the first data exchanged after the century date change?

Have plans been prepared for legal risks pertaining to above contingency?

Malfunction or stoppage of systems of group companies (including affiliated companies and overseas offices).

Are group-company systems subject to compliance?

Have instructions been given for the same level of operational confirmation with internal systems?

Is progress in compliance being monitored?

Have contingency plans been developed and rehearsals conducted on the same level with internal systems?

Have contingency plans been developed for reputational risks of group companies (especially overseas offices)?

6.

Have proper operations of facilities been adequately validated?

1.

Have procedures for switching from automatic to manual operations been confirmed? Have rehearsals been conducted?

2.

Have communications means with vendors been established?

3.

Has initial operational confirmation system been established after the century date change?

Operational Risks

Media coverage of Y2K compliance will increase.

1.

2.

3.

4.

1.

2.

Can Technical-question be answered properly?

Questions from customers regarding Y2K compliance will increase.

1.

Has appropriate information on Y2K compliance been included in pamphlets and other materials for customers?

Have branch personnel been trained to respond properly to customer questions?

Has a list of likely customer questions been made and have rehearsal according to the list conducted?

Has information been disclosed properly to keep customer confidence? For example, announcement that data on year-end deposit balances will be secured by bank.

Have maximum capacities for clerical processing been analyzed in case of concentrated work load.

Have countermeasures been prepared for concentrated work load?

Have rehearsals been conducted?

Have preparations been made to meet increasing demand for office supplies and extra personnel available in branches and offices?

Have preparations been made for coping with liquidity risks?

The financial institution may face a shortage of office supplies because of suppliers' failure to achieve Y2K compliance.

Has the compliance status of suppliers been confirmed through questionnaires and other means?

Have questionnaires been collected and analyzed?

Will orders be placed for extra stock of supplies?

If extra orders are not placed, has alternative procurement been arranged?

Have measures been prepared to cope with ill-prepared suppliers?

Inquiries seeking to confirm normal operations will increase after the century date change period.

Have appropriate measures been taken to confirm that systems and facilities will operate normally at the start of business in January 2000?

Has a list been drawn up concerning the systems and facilities which cannot be confirmed during 1999?

Has information been disclosed properly to keep customer confidence?

Has procedures been established for confirming normal operations after the century date change?

Have procedures been prepared for disclosure of information on operations after the start of the year? For example, preparation of "all clear" or "emergency" announcements.

Have appropriate instructions been given not only for system risks but for other management risks?

Have affiliates been instructed to develop contingency plans comparable to internal contingency plans?

Have affiliates been instructed to submit regular reports on progress in compliance?

Are inspections being conducted on Y2K compliance?

Have affiliates prepared contingency plans comparable to internal contingency plans?

Have contingency plans of affiliates been coordinated with internal ones? For example, have triggering standards been established for cases of work backlog at affiliates?

Have joint rehearsals been conducted?

Reputational Risks

Is the financial institution participating (planning to participate) in external tests within industry? (Participation in all tests is desirable.)

Active disclosure concerning compliance status is desirable.

Have appropriate responses been made in questionnaires by rating agencies and others? For example, does person responsible for responding correspond in standing to sender of questionnaire?

Have personnel at counters been trained properly to respond properly to questions? Also, personnel at affiliates and overseas offices?

Will branch manager meetings and other scheduled functions be canceled on high-risk dates?

Has information been properly disclosed to the government, Bank of Japan, and industry associations?

Have policies and measures been prepared to cope with spread of false information during 1999?

Have measures been prepared to cope with liquidity risks', market risks, operation risks resulting from impact of rumors on rating agency evaluations, share prices and customer behavior?

False rumors spread concerning Y2K compliance of affiliates.

False rumors spread concerning Y2K compliance of overseas offices.

Doubts cast on compliance of the whole industry or specific financial business category.

Credit Risks

Borrowers has trouble making repayments due to Y2K problems.

Have selection standards been established for borrowers to be confirmed for compliance?

Have questionnaires and interviews been conducted for borrowers on Y2K compliance?

Have contents been verified by systems department?

Has contents been checked by legal department?

Have personal conducting questionnaire received proper training to evaluate borrower conditions?

Has ranking system been established for Y2K compliance of borrowers?

Have measures and trigger events for execution been established based on Y2K compliance rankings?

Have responses been established for cases of failure to comply which become known before 2000 through disclosure by borrower?

Borrowers fail to achieve Y2K compliance, leading in worst case to failure to recover principal.

Legal Risks

Suffer damages caused by Y2K problems of business partners.

Have business operations and systems been identified which are prone to losses resulting from failure of business partners to achieve Y2K compliance?

Have contracts been reviewed from the perspective of Y2K compliance?

Has compliance status of business partners been checked and ranked according to progress?

Have preparations been made for legal measures corresponding to ranking of Y2K compliance status, and have trigger events for execution been established?

Suffer damages caused by Y2K problems of systems supplied by external vendors.

Have contracts with vendors been reviewed from the perspective of Y2K compliance?

Have warrantees been received from vendors, and have those contents been checked for legal content?

Have tests to validate the compliance been conducted within in-house as far as possible?

If in-house testing is not possible, have test procedure and results been received from vendors?

For systems whose operations cannot be confirmed, has procedure been established for operational confirmation at the beginning of 2000, and have alternatives been prepared in case of failure?

Suffer damages caused by Y2K problems pertaining to malfunction of facilities.

Cause damages to business partners and customers resulting from failure to achieve Y2K compliance.

Have the financial institution classified business partners and customers which may suffer losses if the financial institution fails to achieve Y2K compliance?

Have appropriate actions been taken to ensure compliance of systems supplied by the financial institutions?

Have materials been prepared supporting due diligence?

Have materials been prepared supporting appropriate implementation of operational confirmation as vendor? Have emergency preparations been made for after the start of the year 2000?

Top management will be exposed to legal claims.

Has top management given appropriate directions for Y2K systems risks as well as other Y2K risks?

Has top management received reports on responses to risks other than systems risks?

Has top management given appropriate directions to all parties, including affiliates and overseas entities, and has a system been created for prompt reporting?

Have the checklists and guidelines issued by the authorities been properly understood? Have comprehensive measures been planned and implemented?

Have timetables for various measures been adhered to?

It is preferable to undergo third-party (internal and external) verification of Y2K compliance.

Liquidity Risks

Withdrawal (or cancellation) of deposits may reduce liquidity on hand.

Has information been disclosed properly to keep customer confidence?

Have measures been taken to reduce operational risks?

Have preparations been made for procurement of funds for year-end and year-start?

Is contact maintained with Bank of Japan and industry associations regarding procurement of liquidity?

Institutional investors, as sources of funds, may avoid investing as 2000 nears.

Market Risks

Concern regarding Y2K compliance expressed by rating agencies

Has information been actively and appropriately disclosed to rating agencies and others?

Have questionnaires from rating agencies been appropriately responded to?

Have questionnaires and interviews been conducted on Y2K compliance of issuers of the securities portfolio?

Have measures been prepared in case of unreasonable assessment by rating agencies?

Have measures been prepared against market fluctuations ofthe securities portfolio?

Have measures been prepared against valuation losses at the end of the fiscal year?

Effect on fund availability from the market.

Effect on own stock prices.

Effect on stock prices of the securities portfolio.

Project Risks

Delays in revised systems may lead to failure in Y2K compliance.

Are revised systems subject to more rigorous schedule for compliance management?

Has compliance schedule specified cut-off date for deciding whether or not to suspend development of revised system?

Have alternative plans been developed in case delays are expected in revised system, such as modification of existing system?

Have trigger events for execution been established for suspending development and switching to alternative plan?

External vendor systems validated Y2K compliant are reported to have failed compliance.

Have risk-reduction measures been taken for vendor-supplied systems?

Has system been established for confirmation of vendors regularly?

It is preferable that operational confirmation of vendor-supplied systems be conducted internally as far as possible.

Have alternatives been prepared for systems whose operations are to be confirmed at the beginning of 2000, or for which problems are expected?

Have alternative plans been prepared in case reports are received of compliance failure?

Testing does not proceed smoothly, leading to expectations that Y2K compliance will fail.

Has sufficient testing period been allocated in case testing does not go smoothly?

Have arrangements been made for sufficient reserved resources (particularly personnel)?

Have arrangements been made for procurement of personnel (skilled personnel) in case of personnel shortage?

To allow for personnel shift, have priorities been established for interruption of system development projects?

Systemic Risks

Malfunction occurs in financial infrastructure.

Have measures been taken to reduce systems risks by participating in external tests within the industry and outside the industry?

Have contingency plans been developed for systems risks?

Malfunction occurs in other social infrastructure (communications, electric power, etc.)

Is information on compliance conditions affecting the social infrastructure being collected regularly?

Have contingency plans been developed for problems arising from the social infrastructure?

Other Risks

Other possible risks affecting the financial institution.

Have measures been taken to reduce other possible risks?

Have contingency plans been developed for other possible risks?