In-Depth
Y2K: Where Should Companies Be?
With the clock ticking down the final months before January 1, 2000, organizations must now focus their Year 2000 efforts on business continuity, including risk management and mitigation, contingency planning and crisis management. This applies to all entities large or small, and regardless of whether they have essentially completed their Year 2000 programs or are, unfortunately, just beginning to focus on the problem.
Those that have been involved with the Year 2000 for several years have experienced the constantly expanding universe of issues and shifting of priorities from the original technical task of assessment and remediation of mainframe applications to today’s focus on maintaining core business functionality. The well-known adage "hindsight is always 20/20" once again proves itself.
What are the key elements contributing to a successful Year 2000 program, and where should companies be at this late date in addressing these elements? The following 21 points are those that have been addressed by organizations on the leading edge of completing their Year 2000 programs.
1. Key executive sponsorship. The Year 2000 must be approached as a business problem, not just a technological problem. The continuity of the business may hinge on the successful execution of its Year 2000 strategies. The active participation of senior management is essential to approve key risk management strategies, to exercise fiduciary responsibility, to allocate organizational resources and to communicate the importance of, and their commitment to, the Year 2000 program to employees and stakeholders.
2. Adequate funding and a direct path to acquire additional funding. Funding the Year 2000 program could represent one of the most costly initiatives undertaken by an organization. Because the deadline for the program is immovable, resources need to be allocated in a more rapid time frame than is usual or customary. So that valuable time is not lost, a process must be put in place to quickly identify the need for financial resources, to prioritize that need and to approve funding.
3. A well-established Program Management Office. To coordinate what may be to many organizations the largest and most difficult initiative ever undertaken, it becomes very important to establish a focused organization, whether real or virtual, to coordinate the myriad tasks and projects required to achieve completion. Experience shows that establishing and empowering a Program Management Office is one of the critical elements required for successful execution of Year 2000 programs. Although certainly not a new concept, the size of Year 2000 projects has led to a resurgence of the Program Office as a way to focus an organization’s business and technical resources on a major initiative. Because of potential liability issues, an organization’s Audit and Legal departments should have representation within the Program Management Office.
4. Senior management-approved and well-established internal and external communication channels. The flow of information to an organization’s internal and external stakeholders must be consistent, rapid and understandable. Information that is lacking or inconsistent can cause confusion and concern among stakeholders. A good communications strategy, which includes executive level oversight, is particularly important for communicating plans and progress to employees, suppliers, regulatory agencies, customers and financial markets. There should also be a central point within an organization for answering all external inquiries regarding compliance. This central point should closely coordinate with the organization’s legal counsel regarding responses.
5. Compliance has been defined and a process for compliance certification is in place. Standards have been established for providing due diligence documentation. A definition of compliance needs to be established for both internal and external stakeholders. Those working on compliance within an organization need to know what their targets are, and those external to the organization need to know how and when those targets will be achieved. A process for certifying compliance must also be in place.
This process can vary depending on what is being certified, but in the end someone needs to stand up and say, "this element is compliant according to our definition." Because of the possibility of potential liability in future legal actions, documentation of an organization’s due diligence in achieving Year 2000 compliance must be maintained. Standards need to be established for formatting and documenting information. Key components of this due diligence documentation will be the definition of compliance, the process(es) to achieve it and certification that it was achieved.
6. Assessment and Impact Analysis of Year 2000 on the business, including applications, hardware/software infrastructure, embedded systems and facilities should be completed. The answers to the questions, "What is the extent of our exposure to Year 2000 problems?" and "What should be our approach to address the exposure?" should be known and corrective actions should be nearing completion. The important thing at this late date is to prioritize remaining exposures based on overall risk to the business, and to focus resources on the high priorities.
7. Failure points of critical applications and supporting infrastructure have been identified. One of the major tasks facing an organization that has to tackle the many areas of Year 2000 exposure is how to prioritize and organize remediation efforts. An important input is determining the Time Horizon to Failure, or the earliest date that a failure is expected to occur for a given application, or for its associated supporting infrastructure. Many organizations have already experienced Year 2000 failures. It’s expected that a substantial number of Year 2000 failures will occur before January 1, 2000.
8. Remediation of all critical applications is completed or replacement strategies (e.g., SAP Implementation) are nearing completion. If remediation or replacement is not nearing completion, the risk of running out of time to perform adequate testing is very high. It is generally accepted that adequate testing accounts for more than half of the effort of Year 2000 remediation projects. In the case of a replacement system, not only must it be installed and tested, but there must be adequate time allowed for training as well.
9. Detailed test plans have been developed for critical applications, including all interfaces. An overall test strategy supported by detailed test plans should already be in place. Decisions on what to test, how much to test, when to test and where to test should already be made, and test scripts and test beds should be developed. Integration testing needs to include all external interfaces.
10. Test environments, facilities and resources are in place. Designing a test environment and acquiring the tools and facilities required to implement test plans need to be in place in advance of remediation or replacement efforts. The rate of code remediation often exceeds the capacity for testing, in which case testing should determine the pace of remediation. Typically, additional maintenance has taken place on operational remediated code, which, unless "clean room" software management has been implemented, becomes increasingly out of synch with the code being tested.
11. End-to-end testing of applications and supporting infrastructure for critical business processes (health and safety, environment, revenue continuity) is underway. Determining the criticality of business processes and the application systems and infrastructures that support them is an indicator of the sequence, depth and breadth of testing to which these application systems should be subjected. Organizations need to ask, "Would the potential failure or interruption of this process pose a threat to human life or health?"; "Would its failure damage the environment?"; "Would its failure affect the perception of the company in the eyes of the public?"; "Would its failure alter our revenue stream? How much? How long?" Application systems and supporting infrastructure for which the answer to the above questions is "No," are less critical and could be tested later with less rigor.
12. The accuracy of remediated code in applications that will not be thoroughly tested should be verified. Not all applications will require thorough testing, or there may not be enough time to perform thorough testing. In these cases, due diligence may include verifying the accuracy of code that’s been remediated to identify errors of commission or errors introduced during remediation. This verification process is essentially an assessment of remediated code in order to catch remaining errors before going into the testing process.
13. A review of key suppliers and customers has been completed and testing of electronic interfaces with these suppliers/customers is well underway. Every organization is a customer and a supplier, as well as a link in a supply/demand chain, responsible for both inbound and outbound actions. These actions include provision of products, services, data, etc. If the link is broken it can cause a ripple effect throughout the chain. For this reason, all key suppliers of raw materials, utilities and data must be ready to deliver an uninterrupted flow. If the delivery mechanism is electronic, careful coordination to test data compatibility between customer and supplier must take place. In the case of key suppliers and customers, business continuity planning must address alternatives and contingencies where Y2K readiness of a key supplier is in question.
14. A review of key I.T. vendors (hardware, applications and infrastructure software) has been completed and efforts are underway to test, fix, replace and/or replatform. Organizations have come to rely on thousands of vendors who supply them with the hardware and software used in their businesses. This includes computers, workstations, telecommunications, etc., as well as the infrastructure and application software that executes on the hardware. All of this hardware and software must be assessed for Year 2000 compliance. Those elements that are not compliant need to be fixed or replaced with Year 2000-compliant versions. For most organizations, this is a time-consuming and costly process, but yields the benefit of upgrading their hardware and software environments to the most current versions.
15. Facilities and embedded systems reviews have been completed and efforts are underway to test, fix, replace and/or replatform. Embedded chips are pervasive in virtually everything we do today. Embedded systems are used in everything from clocks and locks to environmental control in buildings to the control of entire manufacturing processes. Very often, these embedded systems contain date manipulation functions. They must be inventoried, assessed and possibly fixed or replaced. Contingency plans must address the steps to be taken if any of these critical components malfunction.
16. Well-defined plans and status reporting for regulatory agency reviews (e.g., SEC, FFIEC, NERC, etc.). To the extent that organizations are subject to regulatory review, having a communications strategy and format will preserve the positive image of the organization in the eyes of the regulatory agency, the public and the markets. Regulatory agencies are increasingly involved in auditing the progress of organizations under their domain, and being well prepared will result in favorable reviews. The SEC is requiring publicly traded companies to make Year 2000 disclosures in their financial statements, and the public, as well as the financial markets, will be paying more attention to these disclosures as time progresses.
17. Testing of internal networks (LANs) is well underway. The pervasiveness and complexity of internal networks, usually comprising several layers of hardware and software, require both an assessment of the components’ compliance and integrated testing of the impact of the date change across all components. This is more critical if components have been replaced.
18. Managing risk and defining contingency plans for key business processes is underway. Business continuity should be the key focus for organizations at this time, regardless of where they are in their Year 2000 program. Determining key business processes and their impact on the organization should they fail or be interrupted, followed by development of crisis management plans for these scenarios, should be given top priority. Determining risks and developing mitigation and contingency plans requires the involvement of business management as the driver. Rapid information channels, crisis management centers and emergency response teams need to be implemented.
19. The original "Triage" Plan has been reviewed and revised. Many months may have elapsed since an organization developed its first triage plan. Assumptions made at that time concerning replacement, replatforming or repair may no longer be valid. For example, an application that was targeted for replacement may be severely behind schedule, requiring a re-evaluation of the necessity, at this point, to fix it. Triage priorities may also have shifted as end-to-end testing of business processes, not only applications, comes into focus. Or, high priority systems may be well on the way to Year 2000 compliance, permitting a secondary triage to be conducted for the remaining systems.
20. Conduct a third party (external) review of program progress. For due diligence purposes, a third-party review of the organization’s Year 2000 program should be conducted. Potential areas of Y2K exposure might have been overlooked. An external review by an impartial and qualified vendor brings to bear the experiences of many Year 2000 programs across multiple organizations. We often seek second opinions prior to major surgery. Why not the same diligence for Year 2000 programs?
21. Conduct monthly reviews of program progress. As January 1, 2000 approaches, more frequent status reporting becomes mandatory. Decisions on priorities and resource allocation need to be made quickly, as time becomes the gating factor. As work is completed, as assumptions are either proved or disproved, or as priorities change, it becomes important to document and convey this information swiftly and consistently to decision-makers.
Obviously, not all organizations need to address all of the points described here. Others will need to address these points from different perspectives, or at varying levels of detail depending on progress in their individual Year 2000 programs. Others may add new points as the clock ticks down. The important thing is that we all are aware of the many issues that need to be considered for a successful Year 2000 program and that we capitalize, to whatever extent we can, on the investments made in this once-in-a-lifetime initiative.
About the Author:
Steve Frycki is Year 2000 Managing Director for DMR Consulting Group. He can be reached at (201) 200-3923, or via e-mail at [email protected].