Managing the Risk of Year 2000:

 

How to Protect Your Organization from Over Spending, Failure and Litigation

 

A White Paper Fourth Quarter 1997

 

------------------------------------------------------------------------

 

 

Executive Overview

 

The "Year 2000 problem" is the type of business threat a CEO or CIO dreads most. It presents an unavoidable stumbling block, a crisis that must be faced. It is one deadline that no executive or manager can postpone. The date January 1, 2000 will come, and organizations could potentially see their internal IT operations and external business services crippled by old software that cannot process dates beyond 1999.

 

Experts warn that the cost of fixing the problem will be considerable. Yet, no one can say exactly how much. The estimates are staggering, but probably not exaggerated. And in the end, even after all best efforts to make proactive repairs, some portion of Year 2000 solutions are bound to fail.

 

Technical problem solvers are already busy determining what software they might have to fix, how long it might take, and who they can call for help. But, at the executive level, CEOs and CIOs are more fiscally focused. They must consider how best to manage the costs associated with Year 2000 remediation projects and, at the same time, prepare themselves and their organizations for the almost certain failure of some remediation efforts.

 

This white paper discusses the types of risk that executives should be concerned about and how to manage these risks to ensure successful results and to provide protection against remediation failure and litigation.

 

The Problem from a Business Perspective

 

As organizations begin to address their needs for Year 2000 remediation, CFOs and CIOs are now realizing that the Year 2000 issue is more of a business problem that masquerades as a technical problem. While most organizations are making measurable progress from a technical standpoint, few have spent time planning how to proactively manage the risks and costs of their Year 2000 project.

 

Once an organization is busy assessing its technology and employing people to assist with remediation efforts, executives have to consider questions such as:

 

 

 

1. How much will this cost?
2. Are we on budget?
3. How much is completed today?
4. Are we on schedule?
5. When will mission critical systems be completed?
6. What systems will make the deadline?
7. What systems won't?
8. What are our contingency and back-up plans for failure?
9. What is our liability if systems fail?
10. Who is responsible?
11. Can the business survive?
12. What role are outside resources playing in our remediation efforts?
13. What is our protection or remedy if they fail?
14. Will I be sued?
15. Is there a paper trail in the event of litigation?

 

These are questions that technologists cannot answer with existing systems today, and consequently this will leave many corporations exposed when the year 2000 inevitably arrives.

 

Unavoidable Risks

 

There are several factors that make the Year 2000 an especially threatening business problem for executive management. First, the risk of failure is high and the consequences associated with failure could be ruinous. Secondly, most organizations still don't understand the size and complexity of the effort that will be needed, increasing the potential for failure. Lastly, nothing can delay the arrival of January 1, 2000 and organizations simply must be prepared.

 

Year 2000 remediation is probably one of the larger IT projects that many organizations have ever initiated. Because it requires the same well-executed methodology and discipline that any large IT effort would, it has the same potential to go astray. Executives are keenly aware of the slips in project delivery dates and the unforeseen glitches that characterize IT projects. In fact, a study conducted by the Standish Group found that 96% of all IT projects are either late, reduced in scope, or not delivered at all. Therefore, the number of corporate executives who can feel confident that 100% of their remediation work will be completed on time and 100% error free on January 1, 2000 is extremely low. Even the best-run projects experience unavoidable delays, and many problems that surface take longer to resolve than anticipated.

 

Corporate executives understand that if the Year 2000 project is delayed or fails, either in whole or in part, the result could be disastrous for the entire corporation and may have personal implications as well. Industry pundits are predicting that 30% of companies will fail to become fully Year 2000 compliant and suffer severe financial consequences, with 1-3% of them declaring bankruptcy. At the same time, there is a very real personal liability issue for officers and directors of large corporations. Publicly held companies that fail in their remediation efforts will risk shareholder suits that not only will involve them, but may personally implicate them as well. Litigants will charge that the boards, CEOs, and CFOs did not adequately disclose the risk to stockholders, and defendants will have a difficult time protecting themselves. Corporate executives have a difficult decision. Do they disclose the risk to shareholders today and risk market reaction and a possible drop in share price, or do they let the market assume all is well and risk the chance of suit later?

 

Unavoidable Costs

 

Another threatening aspect of the Year 2000 problem is the amount of money at stake. The costs are high, whether remediation efforts succeed or fail. Estimates of Year 2000 remediation expenses are staggering regardless of whose numbers you believe. Most estimates are inaccurate due to lack of history for these types of projects, and most organizations have adopted a "blank check" mentality. That mentality usually causes organizations to buy what they need regardless of the cost because they are concerned about getting the problem solved in time. It is easy for other things that are not crucial or even related to Year 2000 to get justified and slip through on Year 2000 budget dollars.

 

Because Year 2000 budgets are estimates at best, large amounts of money are being held in reserve to repair the mission critical systems an organization currently relies upon simply to stay in business. These dollars are funds that organizations would have used to develop new products, market to new customers, or generate new business. Instead, they must be frozen and held in reserve for Year 2000, putting other initiatives on hold.

 

In most organizations, the scope of the Year 2000 project is broader than any they have previously tackled and requires managing many resources, both internal and external. Experts estimate that for 10 million lines of code you can expect 300,000 or more dates: 75,000 or more will need expansion, 50,000 or more will be involved in computation, and 1,400 defects will be introduced. The management of resources, modules, systems, lines of code, languages, costs, and status is a huge effort.

 

Year 2000 will impact every level of the organization internally and externally including contractual relationships, insurance programs, risk financing plans, employee benefits, safety and loss control programs, vendor agreements, suppliers, software and computer systems. Something is bound to fall through the cracks and ultimately fail. In fact, lawyers are counting on it. They are already lining up for litigation and hope to cash in on the business of finding those who are responsible for failed systems and businesses and prosecuting them to the fullest extent. While Gartner has estimated the cost of Year 2000 remediation at $300 - $600 billion, experts say that the cost of litigation will be close to one trillion dollars!

 

We All Know the Technical Problem

 

Simply stated, the Year 2000 problem is the result of obsolete programming assumptions. Because of computer resource constraints in the 1960s and 1970s, programmers abbreviated dates using 2-digit numbers for the year (yy) instead of 4-digit numbers (yyyy).

 

Today, even though 80-column punched cards are extinct and computer storage is abundant, some of the old conventions, as well as some old programs, survive in mission-critical systems. Many mainframe programs, and even some PC programs, still process dates in an abbreviated mm/dd/yy or yyddd Julian format. These programs will have difficulty counting the days that follow December 31, 1999. Some will halt with an error message when they fail to find a 2-digit number that equals 99 + 1. Others will record the date as 01/01/00 or 00001 but process it mathematically as January 1, 1900 rather than January 1, 2000. These programs will generate data that is improperly aged as they calculate values such as expiration dates, payment schedules, and dates-of-birth.
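The failure described above, as an added example that is not part of the original white paper: the same stored mm/dd/yy and yyddd values are read once under the legacy 19yy assumption and once with the year expanded to four digits, which also exposes the leap-day difference between 1900 and 2000. The function names, the pivot of 50 used to pick the century, and the sample values are assumptions constructed for illustration.

```python
from datetime import date, timedelta


def legacy_century(yy):
    """Legacy assumption: every 2-digit year belongs to the 1900s."""
    return 1900 + yy


def windowed_century(yy, pivot=50):
    """Expand yy to 4 digits with a fixed window (the pivot is an assumption):
    00..pivot-1 -> 20yy, pivot..99 -> 19yy."""
    return (2000 if yy < pivot else 1900) + yy


def parse_mmddyy(text, century_of):
    """Parse mm/dd/yy; date() raises ValueError for impossible dates."""
    mm, dd, yy = (int(part) for part in text.split("/"))
    return date(century_of(yy), mm, dd)


def parse_yyddd(text, century_of):
    """Parse a 5-digit yyddd ordinal ("Julian") date."""
    if len(text) != 5 or not text.isdigit():
        raise ValueError(f"not a yyddd value: {text!r}")
    year, ddd = century_of(int(text[:2])), int(text[2:])
    if ddd < 1:
        raise ValueError(f"day-of-year must be >= 1: {text!r}")
    result = date(year, 1, 1) + timedelta(days=ddd - 1)
    if result.year != year:  # e.g. day 366 in a 365-day year
        raise ValueError(f"day {ddd} does not exist in {year}")
    return result


def days_between(start, end, century_of):
    """Signed day count between two mm/dd/yy fields (end - start)."""
    return (parse_mmddyy(end, century_of) - parse_mmddyy(start, century_of)).days


def describe(text, century_of):
    """Return the parsed ISO date, or the rejection reason as text."""
    try:
        return parse_yyddd(text, century_of).isoformat()
    except ValueError as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    # Constructed record: issued on the last day of 1999, expires the next day.
    issued, expires = "12/31/99", "01/01/00"
    print("legacy   days to expiry:", days_between(issued, expires, legacy_century))
    print("windowed days to expiry:", days_between(issued, expires, windowed_century))

    # Constructed yyddd values: first day, day 60 (leap-day boundary), day 366.
    for stored in ("00001", "00060", "00366"):
        print(stored,
              "| legacy:", describe(stored, legacy_century),
              "| windowed:", describe(stored, windowed_century))
```

A fixed window only defers the ambiguity to the pivot year; storing the expanded four-digit year removes it.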

 

We All Know The Methodology

 

The technologists clearly understand what they need to do to correct the date problem. It has been the subject of virtually every Year 2000 seminar in the last few years. Simply outlined, these are the steps that they must follow to ensure successful remediation for their organization:

 

 

 

1. Identify what you have through the use of commercially available auto-discovery tools, or physical inventories.
2. Identify interdependencies among software applications and interdependencies between software and hardware. Your goal is to understand how a system is dependent upon or affects other systems and how a disruption might affect internal operations or external dealings with business partners, customers and vendors.
3. Determine your course of action: retire, replace or remediate.
4. Begin the long process of remediation using in-house resources or outside contractors.
5. Build a mirror image of your environment and install all components.
6. Test, test, test!

 

The Overlooked Elements of Risk

 

Most organizations are well down the path of inventorying IT assets, identifying those with the date problem, and starting the remediation process from a technical standpoint.

 

The critical area that they have overlooked is the area of risk management and cost management. As they begin to realize that the Year 2000 project will not end on January 1, 2000 and will live on for several years after, they are beginning to realize that they need a place to create "corporate memory" for the entire Year 2000 initiative. They need to track contracts, costs, penalties, and deliverables that will be used to reconcile the Year 2000 project and to defend themselves in the event of litigation. In most organizations today, this information is still floating around the organization in paper form or in the memories of dozens of individuals involved in the project.

 

To avoid reconstructing, for reconciliation or litigation purposes, what really happened during several years of the entire remediation process, many organizations today are implementing a risk management technology tool that builds a central repository of Year 2000 remediation information. Before key people leave the project, organizations are beginning to capture detailed information that will ensure they have an accurate record going forward. This corporate memory data provides a way to manage the areas of risk that are issues today, and it also helps provide a foundation for reducing the financial repercussions and penalties beyond January 1, 2000.

 

Areas of Risk to Be Managed

 

1. Risk of over-committing or under-committing funds to Year 2000.

 

Because of the urgency of Year 2000 remediation, large budgets are allocated to the project. But Year 2000 funding simply allows an organization to stay in business, not grow. Dollars held in reserve for remediation efforts cannot be used for programs that will generate new customers, new channels, new products, or new marketing programs. By tracking estimated and actual costs, budgeting can become more accurate, and certain funds originally allocated for Year 2000 can be released for other projects. Or, for organizations that have underestimated the cost of remediation, better cost tracking provides an opportunity to find additional funding before time runs out.

 

2. Risk of spending too much.

 

There is a real risk in overpaying outsourcers that are overwhelmed with work and may or may not be meeting deliverable dates and may or may not be over-billing. Most outsourcers who have seen huge surges in their business due to the enormity of the Year 2000 crisis cannot keep up administratively. As a result, it is very likely that some will under-deliver or over-bill. It is incumbent upon the hiring organization to police deliverables and deadlines to avoid paying for poor work or for missed deadlines. Without an automated method to verify invoices against deliverables, it is easy for projects to lag behind while an organization is still spending money. Not only must the organization verify that milestones are being met, but also that it is being billed for the correct amount of resources. It will become increasingly important to inspect each and every invoice to make sure that an organization is being billed at the negotiated rate, for the correct number of hours, and for the correct number of people.

 

Inevitably, the price for these outsourcing resources will rise as January 1, 2000 comes closer. Resources are scarce today and will be even more scarce tomorrow. The good contract programmers will undoubtedly go to the highest bidders. Organizations need to lock-in resources now and not pay inflated rates for "rush remediation."

 

3. Risk of critical business functions failing on January 1, 2000.

 

If a mission-critical system fails, organizations must have a contingency plan or face serious consequences. Depending upon the criticality of the system (for example, a system that processes reservations, electronic fund transfers, interest calculations, or insurance ratings), contingency plans must be developed, tested, and documented in advance. Because these systems are usually large, several programmers may be working on one system. Remember, it only takes one bad coder, or one bad fix, to cause failure. Having a 99% accurate solution does not work in the case of Year 2000.

 

4. Risk of legal liability for non-working business functions.

 

Besides the obvious risk of losing customers and consequently revenue, shareholders who experience a decline in investment value because of the organization's inability to remediate will be able to file suits against the company, the Board of Directors, and officers claiming that the potential negative impact of Year 2000 was not fully disclosed. If shareholders can prove that other organizations in similar businesses were successful in remediation, it will be incumbent upon your organization to prove that you made diligent attempts to fix your systems. Having a repository of corporate memory will provide the necessary paper trail and prove that the appropriate remediation efforts were made.

 

5. Risk of legal liability to outside users.

 

In some cases those who depend upon your organization for IT functions such as EDI partners, EFT recipients, independent agents, or representatives will also feel the impact of failed systems. It is important to understand your liability for affecting their business operations and to plan accordingly. These types of interdependencies should be managed with the risk management tool as well. If your partners sue, you will need a paper trail to prove that the appropriate remediation efforts were made.

 

6. Risk of lack of remedies.

 

Particularly in the case of outsourced Year 2000 work that fails, it is important to understand what was originally negotiated in the contract, as well as what deliverables and payments were made to the vendor. Just as important, you should document what recourse your organization has if remediation fails. If the organization is owed funds for failed remediation and your contractor dissolves or declares bankruptcy, not only do you want to be on the creditor list, but you want to understand exactly to which terms they agreed. The repository is an invaluable tool for recording and determining exactly what remedies the vendor must contractually provide.

 

7. Risk of lack of history for reconciling Year 2000 project.

 

After remediation is completed and January 1, 2000 arrives, most project leaders will probably leave. As a group they are typically senior and are anxious to retire with the money made from remediation projects. Organizations should not count on these technologists to stay around to hassle with the business of litigation. Rather, organizations should ensure that they have an accurate account of contracts, resources, and costs organized in a logical, accessible, reportable database. The database should also be able to show how much each system, module, and line of code cost your organization. Additionally, scanned images of all contractual documentation should be included in the database.

 

8. Risk of no paper trail for remediation efforts.

 

In the event of litigation, lawyers will need a paper trail to defend the organization. With most of the work outsourced, and most of the project leaders retired, the paper trail for the lawyers will be difficult to trace. Because other organizations like yours will succeed in remediation efforts, they will be held up as successful examples. Your organization will have to prove that you made a substantial effort to become compliant in order to avoid liability. It will be an expensive proposition to hire lawyers to search throughout your organization finding and reviewing all documentation that might help defend your organization and key executives. It is cheap insurance to invest in database technology today to ensure against expensive discovery processes in the future.

 

The Problem Will Go Beyond 1/1/2000

 

Most organizations will still be managing Year 2000 efforts well beyond January 1, 2000. In the best-case scenario, organizations will undertake a reconciliation process that evaluates what worked and what didn't and then determine how much remediation really cost compared to what was budgeted.

 

The worst-case scenario is that organizations end up in litigation with one or more of their outsourcers or that the corporation and its executives are in litigation with shareholders for remediation efforts that did not work. If either of these unfortunate situations arise, the risk management repository will prove to be extremely valuable. The corporate history of all remediation efforts, deliverables, contracts, costs, and contingencies are accessible by your legal staff, reducing their discovery process to a matter of days rather than a matter of months or even years.

 

A Risk Management Solution

 

New technology tools have been designed to help manage the risk of many remediation factors discussed in this paper including cost, milestones, deliverables, vendors, human resources, and software and hardware interdependencies.

 

These relational database tools serve as a corporate database for all contract and cost information for Year 2000 remediation efforts as well as the framework to manage risk. Such tools will help you prioritize remediation efforts, record contingency plans, and establish accurate records for possible litigation. Additionally, they will build corporate memory for the project and help you with the outstanding issues and clean-up that will extend well beyond January 1, 2000.

 

Managing Risk With Technology

 

By employing new technology tools, organizations can now manage the elements of risk discussed earlier. The grid below outlines how technology can help avoid the hidden elements of risk.

 

 

 

Risk: Over-committing or under-committing funds to Year 2000
Technology Features: Accurate budgeting and actual cost reporting

Risk: Over-spending
Technology Features: Invoice reconciliation and reminders for deliverable due dates

Risk: Critical business functions failing on January 1, 2000
Technology Features: Contingency plans

Risk: Legal liability for non-working business functions
Technology Features: Automated paper trail for contracts, agreements, and remedies

Risk: Legal liability regarding loss of access by outside users
Technology Features: Interdependencies tracked

Risk: Lack of remedies from failed contractors
Technology Features: Online legal terms and conditions

Risk: Lack of history for reconciling Year 2000 project
Technology Features: Automated paper trail of inventory costs and contract information

Risk: No paper trail for remediation efforts in the event of litigation
Technology Features: Automated paper trail of inventory costs and contract information

 

 

 

Loading the Repository With Your Information

 

Getting started shouldn't be difficult if you choose a repository tool with an automated loading utility. By using simple spreadsheet data and employing the vendor's automated conversion utility, an organization should be able to be up and running in a matter of weeks. Adding information as you go, and updating contracts, pricing, deliverables and testing results, your organization will begin to lay the foundation for corporate memory. The important thing is to get started. Delaying will only make it harder to recreate the details of your Year 2000 efforts.

 

About Janus Technologies

 

Founded in 1992, Janus Technologies, Inc. is headquartered in Pittsburgh, Pennsylvania with international representation in the UK, France, Italy, Nordic countries, and Australia. Its best-of-breed ARGIS® asset management repository allows IT organizations to achieve significant savings and control over hardware and software assets throughout the enterprise by managing inventory, cost, and legal/license information about IT assets. The ARGIS product is currently licensed at 75 sites worldwide. Janus' newest product, Y2KManager, released in October 1997, is designed to help organizations manage the risk of Year 2000 remediation.

 

North American Headquarters

Suite 400, 2000 Cliff Mine Road

Pittsburgh, PA 15275-1008 USA

Fax: +1-412-787-3099

Phone: +1-412-787-3030

Email: info@janus-tech.com

Web: http://www.janus-tech.com

 

In the UK

Software Europe Ltd.

Phone: +44 (01522) 881300

 

In France

Large System Management

Phone: +33-1-40-50-64-34

 

In Italy

DBA Sistemi

Phone: +55-68-11-201

 

In Australia/New Zealand

Ubiquity Pty. Ltd.

Phone: +61 (03)-9699 1300

 

Denmark, Finland, Iceland, Norway, Sweden

Scan-Systems A/S

Phone: +45 44 92 14 14

 

ARGIS® software is a registered trademark and the ArgisConnect™ API is a trademark of Janus Technologies, Inc.

© Copyright 1997 Janus Technologies, Inc. All rights reserved. All trademarks cited are the property of their respective owners.