Retailer's Y2K Rule: Trust, But Verify

Many companies, particularly in the retail industry, depend on supply chain partners to deliver goods and services. That's why Williams-Sonoma Inc. (San Francisco), a nationwide specialty retailer of kitchenware and home and garden products, has set a deadline of February to receive assurance from its partners and suppliers that they are Year 2000 ready.

“The key is to trust, but verify,” emphasizes Sam Singer, CISA, information security and corporate Year 2000 compliance officer for Williams-Sonoma. The company has contacted and sought assurances from 1,400 suppliers, of which 95 were related to information systems.

Recently, the company found that a piece of software was not Year 2000-ready, even though "the software vendor published a certification on their Web site," says Singer. "We found that when we were doing testing of the application, that the software company was not doing appropriate internal regression testing, overlaying their Year 2000 patches."

In another instance in the testing process, Singer found the reverse to be true -- "we found that a piece of software from a vendor was compliant, even though the vendor is saying that it's not," he says. "Even though a company receives a letter of compliance or a product statement from a vendor, it does not relieve you of the responsibility to test that product. It's not good enough to take a product statement from a company."

Williams-Sonoma's own Year 2000 efforts are now entering the critical testing phase, Singer says. The company first began identifying its Year 2000 problems in 1996. With assistance from Keane Inc. (Boston), the company has analyzed about 6,800 programs, with about 60 percent containing date-related code. About 10 percent were not Year 2000 compliant, while the remainder were in compliance, Singer says.

The company maintains store, mail order and merchandising systems on a four-way AS/400 Model 530, with some additional inventory systems running on an RS/6000 Model S70. The business itself runs on financial and human resource from Lawson Software (Minneapolis), which is already Year 2000-compliant.

To inventory, remediate, and test code, Williams-Sonoma staff and Keane consultants are using Gear/2000 from Antrix Corp. (Miami, Fla.). Dates are being windowed, with all years from 00 to 49 read by applications as 21st Century dates.

Currently, the company is conducting unit testing of remediated applications. Early in 1999, Williams-Sonoma will commence a "quasi end-to-end site test" on a separate AS/400 specifically designated for testing and development, Singer says.

Key to this approach is to avoid over testing, Singer, whose background is auditing, relates. "Some companies have such grandiose test plans that they could never complete them. If you've done a good job of unit testing, and the programs are functioning very well back into production, then your overall risk is lower. Plus, the AS/400 platform has gotten very solid recommendations, even from our external auditors."

The key is identifying and testing critical business systems and processes, and have a thorough contingency plan in place, Singer relates.