In-Depth

Vertical Markets Behind the Eight-Ball as Y2K Compliance Moves to New Realm

• 11/01/1998

With only 14 months to go before the witching hour of January 1, 2000,

companies in all major vertical markets and the government sector are planning

an end game for their Year 2000 compliance efforts that includes contingency

planning. As organizations gear up for the final year before the deadline, a

number of key trends - including assessment of worst-case scenarios - are

emerging in both the government and commercial sectors. These trends will

affect how organizations attack Y2K during the final year’s march to 2000.

Clearly, the focus on Y2K that has spawned a new market sector within the

information technology industry is now moving from testing and remediation of

systems toward validation and planning for worst-case scenarios. No longer are

organizations simply talking about making fixes to their software code to

render them Year 2000 date-compliant, but they are focusing on contingencies

in case they’ve missed something.

"You can’t anticipate everything. You have to be adaptive. As you work on

these issues, the challenges seem to grow and grow. It’s beyond finding

needles in haystacks. It becomes, to a certain extent, finding the haystacks

first before you can look for the needles," says John Ogens, Director of the

Global Year 2000 Program for Monsanto Corp.

With companies in virtually every vertical industry sector reporting they are

still behind the curve on testing, remediation and verification, according to

a quarterly Y2K survey from consultant Cap Gemini America, the key now for

organizations is to cover their bases - especially with mission-critical

business applications that could affect financial bottom lines and bring risk

to people.

Going into 1999, corporations in the private sector are starting to prioritize

what they can or can’t get done, says Stephen Frycki, Managing Director, U.S.

Year 2000 Marketing for DMR Consulting Group Inc. "They will be asking, ‘What

can we do to minimize any impact on humans or environment. Have we missed

anything? What do we need to do?’ You’re going to see a lot of companies

making decisions based on real factors and revenue," Frycki says.

But even with efforts underway to prioritize Y2K tasks, time remains a

formidable adversary. Approaching the one-year-to-go-mark, there is "very

little room for error, very little room for rework," says Howard Rubin, Chief

Executive Officer, Rubin Systems Inc., which surveys Y2K compliance efforts.

In the federal sector, which has been roundly criticized in and out of

government for generally lagging behind industry in Y2K readiness, political

fighting for funds remains the order of the day. Congress, which holds the

purse strings, has been reluctant to release the monies the agencies say they

need, says Robert Deller, President, Market Access International Inc., which

tracks federal IT procurement.

Congress has complained it has not seen adequate General Accounting Office

assessments of where agencies are or where they should be. On the other hand,

federal agencies have politicized the process in order to create a "drama"

about Y2K in order to receive congressional allocations for their

organizations, Deller says.

Although Deller believes the federal sector has taken Y2K as seriously as the

commercial sector, he says the politics of money and the proliferation of

legacy computing systems have caused agencies to struggle on the issue.

By any measurement, resolution of the Y2K problem will not come cheap. The

GartnerGroup, an information technology consultant, has estimated that the

worldwide cost for fixing the Y2K bug among organizations and governments will

ring up a bill of $300 billion to $600 billion. This estimate does not include

costs for product compliance, business modification, bailouts, bankruptcies,

litigation and municipal deficiencies, according to Gartner.

In addition to the focus on contingency planning, some other emerging trends

among industry and government on the Y2K landscape include the following:

* Testing among major companies in commercial sectors is largely expected to

be completed at the end of 1998.

* Organizations are getting tougher with vendors and business partners that

have been slow or secretive on Y2K compliance.

* Emergency response teams are being set up within organizations to resolve

last-minute Y2K problems that might arise.

* More Y2K remediation work is starting to come in-house as organizations are

starting to look more closely at how they spend their Y2K budgets.

* Increasingly, an organization’s Y2K compliance status is starting to show

up in marketing messages as a way to gain strategic advantage over competitors.

* More sharing of information about Y2K testing and remediation is expected

to occur among organizations.

Although much can be said in general terms about the level of Y2K readiness

among corporations and government entities, that preparedness varies greatly

within different vertical markets and the public sector.

The financial services sector ranks at the top among industries in the best

shape for Y2K compliance efforts, many analysts believe. While banks,

brokerage houses, credit unions and other financial institutions will

rightfully claim foresight in recognizing, testing and starting remediation,

information technology observers note that the nature of the problem is

different in financial services compared with other sectors.

Legacy systems in other industries present significant challenges for most

other industries as well as for the government sector. For instance,

manufacturing, utilities, pharmaceuticals and telecommunications have had to

cope with the daunting task of identifying and fixing code in embedded chips

and systems. And government has had to cope with the old, outdated but

workable legacy systems in their computing environments, in addition to the

challenge of public-based funding.

Rubin of Rubin Systems Inc., which conducts Y2K tracking surveys for Cap

Gemini America, puts only the software industry ahead of financial services in

Y2K compliance efforts. Generally, industries that appear high on tracking

surveys for Y2K progress started their Y2K testing earlier than other

industries, Rubin says. "Testing is the insurance policy that underwrites the

quality of the Year 2000 projects, and ensures that the problem simply isn’t

under remission," says Jim Woodward, Senior Vice President, Cap Gemini

America.

Tom Wilkie, Director of Risk Management for Household International, a

consumer lending and financial services company that offers credit card

accounts, says the Chicago company began its Y2K planning efforts in late

1995, early 1996 when "some small system errors caused us to take a closer

look at overall exposure."

Household International, which runs 25,000 workstations on its corporate

network and has 1,200 branch locations, identified 2,000 trackable items in

its database that would have Y2K ramifications. Seven-hundred items, Wilkie

says, were determined to be critical to maintaining business continuity.

A key to getting ahead of the problem was getting the ear and endorsement of

senior management in the company, Wilkie says. Household’s IT staff set up a

central repository to substantially document the company’s efforts. "It was

important to develop early and continuous communications with Household senior

management," Wilkie says. "Obviously, they have challenges and priorities

equally as, or more important to, the Year 2000 Project, like shareholder value

and major initiatives. Obviously, we want to be heard and we want to be seen,

and, at the same time, we can’t get in the way of making a profit."

Another factor in the financial industry’s Y2K preparedness has been the clear

focus the industry has received from regulators, observers say. The Securities

and Exchange Commission, for instance, recently issued stricter guidelines on

what publicly traded companies had to report in their quarterly 10-K filings

about their efforts to solve internal Y2K problems. "You can’t just make

blanket statements, like, ‘Yeah, things are good,’" says Frycki of DMR

Consulting. "You have to get down to the nuts and bolts and say what the

potential risks are."

Additionally, the Federal Financial Institutions Examinations Council has

offered firm guidance to banks, credit unions and other similar institutions

about the dire need to rectify Y2K situations. "Time is critical," an April

1998 council brief noted. "The Year 2000 cannot be deferred and neither can

commitments to action and funding." For those desiring a survivalist posture,

the Federal Reserve announced in August 1998, that by the end 1999, it would

place an additional $50 billion cash in government vaults. Normally about $150

billion is held in reserve in the United States by the central bank.

To the credit of financial services companies, the word is out to the public

that the industry is diligently working on Y2K, Frycki says. Rubin notes that

while major financial institutions got started early on Y2K, many secondary

and smaller institutions started later and are farther behind. However, that

position is mitigated by the fact that the scope of their remediation problems

is smaller, he says.

Where the financial services industry has received kudos for its Y2K

compliance efforts, Rubin ranks the manufacturing industry a bit farther down

the Y2K compliance scale. Although the industry has been diligent in its

efforts, Rubin ranks manufacturing fourth in the recent Cap Gemini survey of

Y2K readiness among 12 industry segments. One contributing factor lies in the

sheer complexity of the manufacturing computing environment, which boasts a

plethora of embedded systems.

In the manufacturing environment, companies typically have multiple legacy

systems - some of which may have been around for decades - that are still

critical to the process. "You have a lot of instruments that are collecting

data and then making decisions on what the next step is depending on what that

data shows. Some of these things could be very old, and there has been no

reason to change because they are stable," says Frycki of DMR Consulting.

Unlike some other sectors, manufacturers are also more dependent on suppliers

for raw materials since they create products rather than services. In many

cases, manufacturers are as closely linked with their suppliers’ information

systems as their products are with the raw materials themselves, since the

information about inventory, replenishment and other issues is equally

critical to the manufacturing process. As a result, manufacturers are

vulnerable not only to their own Y2K compliance challenges, but to those of

their suppliers as well. Because of this interdependence, the manufacturing

industry is a leader in the trend of large companies taking a harder stand on

their suppliers and business partners who have lagged on compliance.

Monsanto’s Ogens says the multinational corporation has determined that 10

percent of its suppliers and partners are at risk of non-Y2K readiness. For

partners deemed essential to Monsanto’s business operations, the corporation

will work with those suppliers to try to help get them up to speed. For

others, the company will make a business decision on a case-by-case basis on

whether to continue the relationships and for how long, Ogens says.

"The area of business continuity and contingency planning is critical for our

success," says Ogens. "If there’s a small or mid-size company that’s a

critical supplier that’s not easy to replace, then it’s our view that we need

to have a dialogue and partnership with them and provide whatever assistance

we can within reason to make them successful." Ogens says Monsanto has

determined that 42 percent of its partners are already compliant or are on a

good path for compliance. Thirty-six percent of suppliers have been reluctant

to communicate their status with the company. "We basically say that anybody

we’re doing business with who can’t be compliant by the end of the first

quarter of 1999 is putting us at risk," he says.

Monsanto, which runs 100 IT organizations in 33 countries, says its

applications portfolio numbers 1,200 applications, including process control

devices, embedded systems devices and laboratory systems. Thirty-five percent

of applications are currently compliant and 19 percent of the portfolio is

considered compliant or awaiting testing for confirmation. Thirty-one percent

of the portfolio will be replaced via major upgrades and 3 percent

retired.

Frycki says he expects the supply-chain issue to come to a head in 1999. While

federal regulations curtail the amount of information competitive companies

can share, the consultant believes some rules may be eased to allow large

corporations to trade information on supplier-compliance status. "Obviously if

someone is out there and they have 20,000 suppliers and they’ve evaluated

them, why shouldn’t that information be made available to other companies,

even if it is sold to them. You see more and more of that now with companies

offering things on embedded chips. Suppliers become another issue," he says.

The Clinton Administration has sponsored so-called "Good Samaritan legislation

that would ease liability on companies sharing information on Y2K solutions

but fall short. The bipartisan Year 2000 Readiness Act, which also is being

considered in Congress, largely would do the same thing but offer companies

greater immunity.

No vertical sector has been as maligned on the Y2K compliance front as the

federal government. According to Cap Gemini America’s tracking survey,

government ranks at the bottom of the 12 sectors judged for Y2K readiness.

Some of the criticism is deserved and some undeserved, Deller of Market Access

International contends. Municipal governments, which have been aggressive at

pursuing cooperative Y2K solutions with other governmental entities and

vendors, seemed to have fared better.

As with most things in Washington, the issue of Y2K preparedness has political

overtones. While acknowledging that federal government agencies by and large

are behind the curve in Y2K readiness because of starting too late - which

Deller says is largely due to political wrangling over funds - he notes that

the market spawned by Y2K remediation work has created additional angst for

agencies. "They have been bullied and pressured by a lot of people on the

outside who have the feeling that the government will be unable to solve its

problem," Deller says, adding that the IT industry has zeroed in on agencies

"because they want to promote their own business."

Observers credit the work U.S. Rep. Steven Horn, (R-Calif.), for bringing the

government’s Y2K woes to the public. Since Horn began his work, the White

House has taken a much more proactive stance on readiness, even appointing

John Koskinen as a sort of Y2K czar to coordinate efforts among the agencies.

The highest ranking agency in terms of testing and readiness, according to

Horn’s evaluations, has been the Social Security Administration. Horn has

ranked the efforts at the Defense Department and Transportation Department

among the lowest.

"In the federal government, the organizations that have an engaged leadership

at the highest levels seem to be doing better with more of a focus than the

organizations that don’t," says Wes Naqvi, Division Vice President for Y2K for

the Federal Division of Computer Associates International Inc., which sells

business-critical software systems.

Even so, Lt. Gen. (Ret.) Otto Guenther, Director of Strategic Planning for

Computer Associates’ Federal Division and a former chief information officer

of the U.S. Army, says he expects that federal agencies will have their

critical systems tested and remediated by Jan. 1, 1999. The concept of setting

up emergency response teams to ensure that unforeseen things don’t cause

monumental problems is gaining momentum in government circles, Guenther says.

Deller believes that the federal government’s task has been more difficult

than that facing the commercial sector, given the large numbers of legacy

computing systems that have been deployed in agencies. Because funds are being

shifted over to Y2K efforts, modernization projects have been placed on hold

at a number of agencies, he says. "There are a number of major infrastructure

operational problems in the federal government that are going unaddressed

because of the preoccupation with the Y2K problem," Deller says. "If you look

in the commercial markets, they can replace a whole system and they don’t have

all these archaic technologies sitting around that have to be converted."

State and municipal governments, meanwhile, say they are pleased with their

positioning on Y2K. A survey from the National Association of State

Information Resource Executives shows that 35 states are more than 75 percent

of the way through their Y2K assessments and more than 27 states are 30

percent complete in their implementation efforts.

The biggest problems for municipalities is securing IT talent within their MIS

organizations to address Y2K problems, says Eli Cortez, Chief Information

Officer, San Bernardino County, Calif, which has 50,000 workers, 48

departments and 8,000 workstations. "One of our main problems is the issue of

staff retention and recruitment. We have quite a bit of competition in the IT

industry. In government, we don’t pay as competitive as we do in the private

sector," Cortez says.

The unique complexity of the health care industry - both in terms of the wide

range of packaged software and the proliferation of biomedical equipment - is

a key reason the industry lags at the bottom of consultants’ assessments of

Y2K readiness. Although most industries are behind to some degree, health

care has its own sets of problems. While the industry doesn’t have the vexing

problems with legacy systems or embedded chips, the nature of health and

medical products means that there has been an over-reliance on the packaged

software industry.

That reliance is so prevalent that it has caused health care companies and

hospitals to lag on the remediation efforts of the multitude of products they

use, says Frycki of DMR Consulting. While some individual health care

organizations have sought to offer leadership to the industry through their

own readiness efforts, by and large the industry’s Y2K positioning is

precarious, adds Nigel Martin-Jones, Vice President, Corporate Development for

Y2K consultant, Data Dimensions Inc.

"The hospitals and health care providers are not in good shape," says Frycki.

"They have not really considered the problem because most of them use a lot of

packaged software. They’re making the assumption that, ‘Well, my vendor is

going to provide me with the appropriate software.’ But that’s not necessarily

true."

Martin-Jones says that the more complex the health care organization - such

as hospital companies with extensive laboratories and research facilities -

the more difficult the Y2K task. "You have this incredible inventory of

biomedical devices and other kinds of hospital devices. If you are a health

care company that’s essentially a management organization and you have no

hospital labs, etc., then you’re probably in good shape," Martin-Jones says.

According to a GartnerGroup survey, as recently as 1997, the Year 2000 computer

crisis "was not even on the radar screen" of 340 integrated health care

delivery systems it surveyed. In 1998, Y2K has become health care’s number 1

computing systems issue, the GartnerGroup says. Because of the industry’s late

start, the survey notes that 87 percent of U.S. health care organizations are

in danger of computing systems failures over the next two years.

The medical products division of Hewlett-Packard Co. has sought to be

productive on Y2K, including setting up a Web site to disseminate information

to its clients and others. HP tracks some 2,000 medical products tracking in

its database that relate to Y2K compliance, says Roger Stein, Year 2000

program manager for HP’s medical products unit. Ninety-eight percent of all

products in the HP portfolio have been tested and 85 percent are either

compliant or have no date processing requirement.

In health care, the prevalent approach to evaluation of systems is through the

process of triage - remediating the most critical systems first, then going

to less crucial operations in decreasing importance. For instance,

defibrillator devices, which help start the heart in an emergency, are at the

top of the triage process because if the equipment fails a patient could die.

Patient monitors and imaging equipment are viewed as less critical devices.

"The hospital goes through the entire inventory of its products and assesses

what’s mission critical and triage what’s next beyond that," says Stein.

"Because there are so many dependencies on parties outside your own

organization, that’s where all of the due diligence comes in. That’s probably

the biggest challenge for all of us, whether you are the vendor or the

recipient."

As industry sectors that rank lower on readiness surveys reach what Martin-

Jones calls the "end-game" of the process in 1999, their decisions

increasingly will be more difficult. Companies that started early with

testing and remediation, are approaching the last year with confidence by

moving into a validation stage of their critical systems. Another group, like

the health care industry, will be confronted by a danger of lethargy,

particularly as funding sources from the CEO’s office are being more fully

scrutinized. Compounding any lethargy is the fact that Y2K efforts to this

point really have not involved forward processing, so organizations haven’t

experienced significant failure rates in date-related software code.

"We are seeing people slow down, and, in fact, we’re seeing people cancel

components of projects because funding is tightening," Martin-Jones says. "The

people who have been very slow to move to this, as opposed to the end game

being more of an inspiration to them, are basically not moving and saying it’s

business as usual."

ABOUT THE AUTHOR: