ANALYSIS: Controversy and Rewards of Reviews

By Glenn Ericson

Here we are in the middle of a long, hot summer--well into the second and final half of 1999, less than 137 calendar days and counting down to '00'. Since the last column "Minimizing Risk Via Audits and Reviews," I have heard several comments on Year 2000 and responsibilities. Year 2000 ownership falls on both management and IS staffs. A Wall Street Journal article, amongst others, places the matter as fully owned by IS. Just when you felt the newly passed legislation limiting Y2K lawsuits meant you were safe, a shift of problem ownership to include MIS is suggested.

Statements like, "The Y2K crisis would never have occurred if technology professionals had managed their affairs properly. There is nobody else to blame," are commonplace and sometimes ring true.

The Year 2000 crisis was brought on by a series of fully avoidable errors. Bloopers that could have been avoided if more oversight had been in place at the time. Knowing that the whole fiasco could have been avoided in the first place, you have to ask what oversight procedures have been put in place to avoid repeating these types of errors in the future?

No one, not even the Great Wizard of Oz, knows the outcome of all the frightful implications that Y2K carries. We have learned that today's world is very interdependent and tightly coupled through automation. There are several standards that outline the risks in the management of interdependency. Year 2000 has pointed us to be well focused on these risks! Be forewarned--Take action! I for one, do not want to face the public in a time of chaos, owning a part of what they perceive as a mammoth disruption to their lives.

Let's look at a possible scenario: Y2K testing is completed and end users approve the fixes. Senior management wants to implement an Independent Verification and Validation (IV&V). IS thinks the IV&V is a waste of money and time. You must figure out whether IS genuinely feels this is a waste of time and money, or if they feel their work is being attacked.

If this was a regulated industry, such as banking, there would be no choice, and the independent verification would happen. Airlines [especially pilots] want to share their experiences in flight mishaps or ground control errors. Their mission is a common bond to avoid accidents and improve safety. It is a culture thing within the airline industry.

Audits [IV&V] make people uncomfortable, so call them reviews and see if they cause less concern with the IS staff. The true story you are about to read mirrors my own experiences while performing reviews for clients and the benefits of IV&V. [Herbert is not a client nor do we share any business relationship]

Karen D. Herbert, Year 2000 Project Manager for the Arkansas Dept. of Information Systems opens her IV&V experiences by saying:

"I want to promote the IV&V process."

"We ended up undertaking IV&V ourselves because of money, but, however, you choose (or can afford) to do it, I highly recommend that you do. Our managers and project leaders are so thrilled over the results that it's given everyone a lot more confidence in what's going to happen.

I'm sure we will run into some egos, but overall, there is relief when we find something. After all the coding, testing, reviewing, etc., there's still that nagging feeling that you just couldn't have found everything. The IV&V process really helps.

Yes, it requires more work but the things we are finding that turn out to be a real problem, are the kinds that would have really been hard to find. In one instance, we were doing a trial on IV&V products and we had a production problem about the same time.

The funny thing is that the project leader and the customer of that system were just finishing up system testing and were very unhappy that we were going to review their code after all the testing they had done. They commented that it didn't matter what we found, they weren't doing anything else. After we found that problem, they wanted to know when we could do the rest of their code. They are now our biggest supporters.

I know we aren't there yet, but we think this process will further ensure our success."

Herbert's story is a double success story and a strong endorsement for the IV &V Review procedures. Problems were found in a less damaging and less expensive manner [the mission of IV&V], and those resisting ego's were converted painlessly in a single swath. However, the word "independent" is tactically removed from the IV & V process because she recognized the concerns, and was able to retain autonomy to the IV & V staff towards independent levels.

What actually causes this resistance to this second opinion is many fold--pride in quality and completeness of one's work, fear, possible embarrassment and many others. The ultimate reasoning will remain unknown as to why Y2K got this far and seriously complex. Dismiss them all. IV&V is a friendly and economical process that helps, not hurts, your IS staff. Once you accept that, you too can benefit as Herbert did!

I urge you to take your systems through an Independent Verification and Validation Review. You too will be pleased with the findings and reduced concerns of "did I get it all?" The monkey is off your back, as the expression goes!!!

Glenn Ericson is president and founder of Phoenix Consulting LLC, in East Elmhurst, N.Y. He specializes in Year 2000 and risk management issues.